From 1cec1f9f1a370df1d11f0e2502e52594b51fc4f4 Mon Sep 17 00:00:00 2001 
From: Wietse Venema
Date: Sun, 7 Oct 2012 00:00:00 -0500
Subject: [PATCH] postfix-2.10-20121007
---
postfix/HISTORY | 34 ++
.../README_FILES/ADDRESS_VERIFICATION_README | 5 +-
postfix/README_FILES/FILTER_README | 2 +
postfix/README_FILES/LINUX_README | 14 +
postfix/README_FILES/MULTI_INSTANCE_README | 2 +
postfix/README_FILES/POSTSCREEN_README | 4 +-
postfix/README_FILES/RESTRICTION_CLASS_README | 17 +-
postfix/README_FILES/SASL_README | 31 +-
postfix/README_FILES/SMTPD_ACCESS_README | 138 +++--
postfix/README_FILES/SMTPD_POLICY_README | 34 +-
postfix/README_FILES/SMTPD_PROXY_README | 6 +-
.../STANDARD_CONFIGURATION_README | 92 +--
postfix/README_FILES/TLS_README | 17 +-
postfix/README_FILES/VERP_README | 2 +-
postfix/RELEASE_NOTES | 114 +++-
postfix/WISHLIST | 13 +-
postfix/conf/post-install | 29 +-
postfix/html/ADDRESS_VERIFICATION_README.html | 39 +-
postfix/html/FILTER_README.html | 20 +-
postfix/html/LINUX_README.html | 18 +
postfix/html/MULTI_INSTANCE_README.html | 2 +
postfix/html/POSTSCREEN_README.html | 4 +-
postfix/html/RESTRICTION_CLASS_README.html | 17 +-
postfix/html/SASL_README.html | 35 +-
postfix/html/SMTPD_ACCESS_README.html | 108 +++-
postfix/html/SMTPD_POLICY_README.html | 29 +-
postfix/html/SMTPD_PROXY_README.html | 66 +--
.../html/STANDARD_CONFIGURATION_README.html | 94 ++--
postfix/html/TLS_README.html | 19 +-
postfix/html/VERP_README.html | 2 +-
postfix/html/postconf.5.html | 163 ++++--
postfix/html/smtpd.8.html | 59 +-
postfix/man/man5/postconf.5 | 531 ++++++++++++++++--
postfix/man/man8/smtpd.8 | 24 +-
postfix/mantools/postconf2man | 6 +-
postfix/mantools/postlink | 6 +-
.../proto/ADDRESS_VERIFICATION_README.html | 39 +-
postfix/proto/FILTER_README.html | 20 +-
postfix/proto/LINUX_README.html | 18 +
postfix/proto/MULTI_INSTANCE_README.html | 2 +
postfix/proto/POSTSCREEN_README.html | 4 +-
postfix/proto/RESTRICTION_CLASS_README.html | 17 +-
postfix/proto/SASL_README.html | 35 +-
postfix/proto/SMTPD_ACCESS_README.html | 108 +++-
postfix/proto/SMTPD_POLICY_README.html | 29 +-
postfix/proto/SMTPD_PROXY_README.html | 66 +--
.../proto/STANDARD_CONFIGURATION_README.html | 94 ++--
postfix/proto/TLS_README.html | 19 +-
postfix/proto/VERP_README.html | 2 +-
postfix/proto/postconf.proto | 159 ++++--
postfix/src/global/mail_params.h | 8 +-
postfix/src/global/mail_version.h | 2 +-
postfix/src/global/server_acl.c | 4 +-
postfix/src/smtpd/smtpd.c | 26 +-
postfix/src/smtpd/smtpd_check.c | 50 +-
postfix/src/trivial-rewrite/resolve.c | 2 +-
postfix/src/util/dict.h | 19 +-
postfix/src/util/dict_alloc.c | 7 +-
postfix/src/util/dict_open.c | 23 +-
59 files changed, 1951 insertions(+), 598 deletions(-)
diff --git a/postfix/HISTORY b/postfix/HISTORY
index c26b33053..e9dff859d 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -17978,3 +17978,37 @@ Apologies for any names omitted. Laptop-friendliness: avoid disk spin-up on idle systems by s/fifo/unix/ in master.cf. Files: conf/master.cf. + +20120928-30 + + Feature: smtpd_relay_restrictions, proposed long ago by + Victor. The idea is to separate the mail relay policy from + the spam blocking policy, so that a permissive spam blocking + policy under smtpd_recipient_restrictions will no longer + unexpectedly result in a permissive mail relay policy. + + This involves a change in default settings. Similar to the + way that local_recipient_maps was introduced, there is a + safety net that prevents unexpected mail bounces when a + site upgrades to Postfix 2.10 or later, and there is no + change in documented smtpd_recipient_restrictions behavior. + See the RELEASE_NOTES file for details. Files: + global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c, + proto/postconf.proto, proto/SMTPD_ACCESS_README.html, + mantools/postlink, conf/post-install, RELEASE_NOTES. + +20120931-1001 + + Documentation: updated the remainder of the README files + and manual pages that discuss smtpd_recipient_restrictions. + +20121001 + + Cleanup: prepend 5.1.1 status code to "User unknown in + virtual alias table". File: trivial-rewrite/resolve.c. + +20121003 + + Bugfix: the postscreen_access_list feature was case-sensitive + in the first character of permit, reject, etc. Reported by + Francis Picabia. File: global/server_acl.c. diff --git a/postfix/README_FILES/ADDRESS_VERIFICATION_README b/postfix/README_FILES/ADDRESS_VERIFICATION_README index 8a19731b7..1241d875b 100644 --- a/postfix/README_FILES/ADDRESS_VERIFICATION_README +++ b/postfix/README_FILES/ADDRESS_VERIFICATION_README 
@@ -152,6 +152,9 @@ same address repeatedly. /etc/postfix/main.cf: smtpd_recipient_restrictions = permit_mynetworks + # reject_unauth_destination is not needed here if the mail + # relay policy is specified under smtpd_relay_restrictions + # (available with Postfix 2.10 and later). reject_unauth_destination ... reject_unknown_recipient_domain @@ -273,7 +276,7 @@ probe fails with some temporary error. Specify a valid 2xx or 4xx code. The unverified_sender_reject_reason parameter (default: empty) specifies fixed text that Postfix will send to remote SMTP clients, instead of sending actual -addres verification details. Do not specify the SMTP status code or enhanced +address verification details. Do not specify the SMTP status code or enhanced status code. The unverified_sender_tempfail_action parameter (default: defer_if_permit) diff --git a/postfix/README_FILES/FILTER_README b/postfix/README_FILES/FILTER_README index abee2a526..bbe2adba1 100644 --- a/postfix/README_FILES/FILTER_README +++ b/postfix/README_FILES/FILTER_README @@ -442,6 +442,8 @@ without sending `.' on the connection that injects mail back into Postfix. -o smtpd_helo_restrictions= -o smtpd_client_restrictions= -o smtpd_sender_restrictions= + # Postfix 2.10 and later: specify empty smtpd_relay_restrictions. + -o smtpd_relay_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o smtpd_authorized_xforward_hosts=127.0.0.0/8 diff --git a/postfix/README_FILES/LINUX_README b/postfix/README_FILES/LINUX_README index 432accbd0..dd9a81373 100644 --- a/postfix/README_FILES/LINUX_README +++ b/postfix/README_FILES/LINUX_README 
@@ -2,6 +2,20 @@ PPoossttffiixx aanndd LLiinnuuxx ------------------------------------------------------------------------------- +HHoosstt llooookkuupp iissssuueess + +By default Linux /etc/hosts lookups do not support multiple IP address per +hostname. This causes warnings from the Postfix SMTP server that "hostname XXX +does not resolve to address YYY", and is especially a problem with hosts that +have both IPv4 and IPv6 addresses. To fix, turn on support for multiple IP +addresses: + + /etc/host.conf: + ... + # We have machines with multiple IP addresses. + multi on + ... + BBeerrkkeelleeyy DDBB iissssuueess If you can't compile Postfix because the file "db.h" isn't found, then you MUST diff --git a/postfix/README_FILES/MULTI_INSTANCE_README b/postfix/README_FILES/MULTI_INSTANCE_README index b6e15d2e3..6186d59cb 100644 --- a/postfix/README_FILES/MULTI_INSTANCE_README +++ b/postfix/README_FILES/MULTI_INSTANCE_README @@ -290,6 +290,8 @@ injection SMTP service. Typical additions include: # With multiple instances, rarely need "-o param=value" overrides # in master.cf, each instance gets its own main.cf file. # + # Postfix 2.10 and later: specify empty smtpd_relay_restrictions. + smtpd_relay_restrictions = smtpd_recipient_restrictions = permit_mynetworks, reject # Tolerate occasional high latency in the content filter. diff --git a/postfix/README_FILES/POSTSCREEN_README b/postfix/README_FILES/POSTSCREEN_README index 4931e1adc..4a1d66498 100644 --- a/postfix/README_FILES/POSTSCREEN_README +++ b/postfix/README_FILES/POSTSCREEN_README 
@@ -772,8 +772,8 @@ for sites that require TLS support. The implementation introduces the tlsproxy SMTP clients. The tlsproxy(8) implementation led to the discovery of a "new" class of -vulnerability (CVE-2011-0411) that affected multiple implementations of TLS -over SMTP, POP, IMAP, NNTP, and FTP. +vulnerability (CVE-2011-0411) that affected multiple implementations of SMTP, +POP, IMAP, NNTP, and FTP over TLS. postscreen(8) was officially released as part of the Postfix 2.8 stable release in January 2011. diff --git a/postfix/README_FILES/RESTRICTION_CLASS_README b/postfix/README_FILES/RESTRICTION_CLASS_README index 884c7112f..109c3d40b 100644 --- a/postfix/README_FILES/RESTRICTION_CLASS_README +++ b/postfix/README_FILES/RESTRICTION_CLASS_README @@ -29,13 +29,17 @@ Example: permissive = permit smtpd_recipient_restrictions = - permit_mynetworks - reject_unauth_destination - check_recipient_access hash:/etc/postfix/recipient_access + permit_mynetworks + # reject_unauth_destination is not needed here if the mail + # relay policy is specified with smtpd_relay_restrictions + # (available with Postfix 2.10 and later). + reject_unauth_destination + check_recipient_access hash:/etc/postfix/recipient_access + ... /etc/postfix/recipient_access: - joe@my.domain permissive - jane@my.domain restrictive + joe@my.domain permissive + jane@my.domain restrictive With this in place, you can use "restrictive" or "permissive" on the right-hand side of your per-client, helo, sender, or recipient SMTPD access tables. @@ -63,6 +67,7 @@ SMTP client IP address, and therefore is subject to IP spoofing. /etc/postfix/main.cf: smtpd_recipient_restrictions = + ... check_recipient_access hash:/etc/postfix/access ...the usual stuff... @@ -88,6 +93,7 @@ subject to SMTP sender spoofing. /etc/postfix/main.cf: smtpd_recipient_restrictions = + ... check_recipient_access hash:/etc/postfix/protected_destinations ...the usual stuff... 
@@ -131,6 +137,7 @@ The example assumes DB/DBM files, but this could also be done with LDAP or SQL. /etc/postfix/main.cf: smtpd_recipient_restrictions = + ... check_sender_access hash:/etc/postfix/restricted_senders ...other stuff... diff --git a/postfix/README_FILES/SASL_README b/postfix/README_FILES/SASL_README index 282edc1d4..5d8bbaa6b 100644 --- a/postfix/README_FILES/SASL_README +++ b/postfix/README_FILES/SASL_README @@ -832,17 +832,26 @@ These permissions are not enabled by default. MMaaiill rreellaayy aauutthhoorriizzaattiioonn -The permit_sasl_authenticated restriction allows SASL-authenticated SMTP -clients to send mail to remote destinations. Add it to the list of -smtpd_recipient_restrictions as follows: +With permit_sasl_authenticated the Postfix SMTP server can allow SASL- +authenticated SMTP clients to send mail to remote destinations. Examples: + # With Postfix 2.10 and later, the mail relay policy is + # preferably specified under smtpd_relay_restrictions. + /etc/postfix/main.cf: + smtpd_relay_restrictions = + permit_mynetworks + ppeerrmmiitt__ssaassll__aauutthheennttiiccaatteedd + reject_unauth_destination + + # Older configurations combine relay control and spam control under + # smtpd_recipient_restrictions. To use this example with Postfix >= + # 2.10 specify "smtpd_relay_restrictions=". /etc/postfix/main.cf: smtpd_recipient_restrictions = - ... - permit_mynetworks - ppeerrmmiitt__ssaassll__aauutthheennttiiccaatteedd - reject_unauth_destination - ... + permit_mynetworks + ppeerrmmiitt__ssaassll__aauutthheennttiiccaatteedd + reject_unauth_destination + ...other rules... EEnnvveellooppee sseennddeerr aaddddrreessss aauutthhoorriizzaattiioonn 
@@ -862,9 +871,7 @@ authenticated client is allowed to use a particular envelope sender address: smtpd_recipient_restrictions = ... rreejjeecctt__sseennddeerr__llooggiinn__mmiissmmaattcchh - permit_sasl_authenticated - permit_mynetworks - reject_unauth_destination + permit_sasl_authenticated ... The controlled_envelope_senders table specifies the binding between a sender @@ -1209,7 +1216,7 @@ example. Information sent by the client (that is, you) is shown in bboolldd 250-STARTTLS ... -Instead of port 25 (smtp), specify port 587 (submission) where appriopriate. +Instead of port 25 (smtp), specify port 587 (submission) where appropriate. EEnnccrryypptteedd SSMMTTPP sseessssiioonn ((TTLLSS)) diff --git a/postfix/README_FILES/SMTPD_ACCESS_README b/postfix/README_FILES/SMTPD_ACCESS_README index cbe958ed1..f7547237a 100644 --- a/postfix/README_FILES/SMTPD_ACCESS_README +++ b/postfix/README_FILES/SMTPD_ACCESS_README 
@@ -27,10 +27,18 @@ abused systems end up on anti-spammer blacklists. See, for example, the information on http://www.mail-abuse.org/ and other websites. By default, Postfix has a moderately restrictive approach to mail relaying. -Postfix forwards mail only from clients in trusted networks, or to domains that -are configured as authorized relay destinations. For a description of the -default policy, see the smtpd_recipient_restrictions parameter in the postconf -(5) manual page, and the information that is referenced from there. +Postfix forwards mail only from clients in trusted networks, from clients that +have authenticated with SASL, or to domains that are configured as authorized +relay destinations. For a description of the default mail relay policy, see the +smtpd_relay_restrictions parameter in the postconf(5) manual page, and the +information that is referenced from there. + + NOTE: Postfix versions before 2.10 did not have smtpd_relay_restrictions. + They combined the mail relay and spam blocking policies, under + smtpd_recipient_restrictions. This could lead to unexpected results. For + example, a permissive spam blocking policy could unexpectedly result in a + permissive mail relay policy. An example of this is documented under + "Dangerous use of smtpd_recipient_restrictions". Most of the Postfix SMTP server access controls are targeted at stopping junk email. 
@@ -123,8 +131,23 @@ Examples of simple restriction lists are: # Don't accept mail from domains that don't exist. smtpd_sender_restrictions = reject_unknown_sender_domain - # Whitelisting: local clients may specify any destination domain. - smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination + # Relay control (Postfix 2.10 and later): local clients and + # authenticated clients may specify any destination domain. + smtpd_relay_restrictions = permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination + + # Spam control: exclude local clients and authenticated clients + # from DNSBL lookups. + smtpd_recipient_restrictions = permit_mynetworks, + permit_sasl_authenticated, + # reject_unauth_destination is not needed here if the mail + # relay policy is specified under smtpd_relay_restrictions + # (available with Postfix 2.10 and later). + reject_unauth_destination + reject_rbl_client zen.spamhaus.org, + reject_rhsbl_helo dbl.spamhaus.org, + reject_rhsbl_sender dbl.spamhaus.org # Block clients that speak too early. smtpd_data_restrictions = reject_unauth_pipelining 
@@ -143,23 +166,52 @@ The table below summarizes the purpose of each SMTP access restriction list. All lists use the exact same syntax; they differ only in the time of evaluation and in the effect of a REJECT or DEFER result. - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - |RReessttrriiccttiioonn lliisstt nnaammee |SSttaattuuss |EEffffeecctt ooff RREEJJEECCTT oorr DDEEFFEERR rreessuulltt| - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |smtpd_client_restrictions |Optional|Reject all client commands | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |smtpd_helo_restrictions |Optional|Reject HELO/EHLO information | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |smtpd_sender_restrictions |Optional|Reject MAIL FROM information | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |smtpd_recipient_restrictions |Required|Reject RCPT TO information | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |smtpd_data_restrictions |Optional|Reject DATA command | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |smtpd_end_of_data_restrictions|Optional|Reject END-OF-DATA command | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |smtpd_etrn_restrictions |Optional|Reject ETRN command 
| - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ + | | | |EEffffeecctt ooff | + |RReessttrriiccttiioonn lliisstt nnaammee |VVeerrssiioonn|SSttaattuuss |RREEJJEECCTT oorr | + | | | |DDEEFFEERR | + | | | |rreessuulltt | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ | + | | | |Reject all | + |smtpd_client_restrictions |All |Optional |client | + | | | |commands | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ | + | | | |Reject | + |smtpd_helo_restrictions |All |Optional |HELO/EHLO | + | | | |information| + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ | + | | | |Reject MAIL| + |smtpd_sender_restrictions |All |Optional |FROM | + | | | |information| + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ | + | | |Required if | | + | |>= 2.10|smtpd_recipient_restrictions| | + | | |does not enforce relay |Reject RCPT| + |smtpd_relay_restrictions | |policy |TO | + | |_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |information| + | | | | | + | |< 2.10 |Not available | | + | | | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ | + | | |Required if | | + | |>= 2.10|smtpd_relay_restrictions | | + | | |does not enforce relay |Reject RCPT| + 
|smtpd_recipient_restrictions | |policy |TO | + | |_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |information| + | | | | | + | |< 2.10 |Required | | + | | | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ | + |smtpd_data_restrictions |>= 2.0 |Optional |Reject DATA| + | | | |command | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ | + | | | |Reject END-| + |smtpd_end_of_data_restrictions|>= 2.2 |Optional |OF-DATA | + | | | |command | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ | + |smtpd_etrn_restrictions |All |Optional |Reject ETRN| + | | | |command | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ | DDeellaayyeedd eevvaalluuaattiioonn ooff SSMMTTPP aacccceessss rreessttrriiccttiioonn lliissttss 
@@ -174,9 +226,9 @@ Current Postfix versions postpone the evaluation of client, helo and sender restriction lists until the RCPT TO or ETRN command. This behavior is controlled by the smtpd_delay_reject parameter. Restriction lists are still evaluated in the proper order of (client, helo, etrn) or (client, helo, sender, -recipient, data, or end-of-data) restrictions. When a restriction list -(example: client) evaluates to REJECT or DEFER the other restriction lists -(example: helo, sender, etc.) are skipped. +relay, recipient, data, or end-of-data) restrictions. When a restriction list +(example: client) evaluates to REJECT or DEFER the restriction lists that +follow (example: helo, sender, etc.) are skipped. Around the time that smtpd_delay_reject was introduced, Postfix was also changed to support mixed restriction lists that combine information about the @@ -215,6 +267,12 @@ REJECT or DEFER, the recipient address is rejected; no surprises here. If the result is PERMIT, then the recipient address is accepted. And this is where surprises can happen. +The problem is that Postfix versions before 2.10 did not have +smtpd_relay_restrictions. They combined the mail relay and spam blocking +policies, under smtpd_recipient_restrictions. The result is that a permissive +spam blocking policy could unexpectedly result in a permissive mail relay +policy. + Here is an example that shows when a PERMIT result can result in too much access permission: @@ -223,7 +281,7 @@ access permission: 3 permit_mynetworks 4 check_helo_access hash:/etc/postfix/helo_access 5 reject_unknown_helo_hostname -6 reject_unauth_destination +6 rreejjeecctt__uunnaauutthh__ddeessttiinnaattiioonn 7 8 /etc/postfix/helo_access: 9 localhost.localdomain PERMIT 
@@ -237,12 +295,26 @@ The problem with this configuration is that smtpd_recipient_restrictions evaluates to PERMIT for EVERY host that announces itself as "localhost.localdomain", making Postfix an open relay for all such hosts. -In order to avoid surprises like these with smtpd_recipient_restrictions, you -should place non-recipient restrictions AFTER the reject_unauth_destination -restriction, not before. In the above example, the HELO based restrictions -should be placed AFTER reject_unauth_destination, or better, the HELO based -restrictions should be placed under smtpd_helo_restrictions where they can do -no harm. +With Postfix before version 2.10 you should place non-recipient restrictions +AFTER the reject_unauth_destination restriction, not before. In the above +example, the HELO based restrictions should be placed AFTER +reject_unauth_destination, or better, the HELO based restrictions should be +placed under smtpd_helo_restrictions where they can do no harm. + +1 /etc/postfix/main.cf: +2 smtpd_recipient_restrictions = +3 permit_mynetworks +4 rreejjeecctt__uunnaauutthh__ddeessttiinnaattiioonn +5 check_helo_access hash:/etc/postfix/helo_access +6 reject_unknown_helo_hostname +7 +8 /etc/postfix/helo_access: +9 localhost.localdomain PERMIT + +The above mistake will not happen with Postfix 2.10 and later, when the relay +policy is specified under smtpd_relay_restrictions, and the spam blocking +policy under smtpd_recipient_restrictions. Then, a permissive spam blocking +policy will not result in a permissive mail relay policy. SSMMTTPP aacccceessss rruullee tteessttiinngg diff --git a/postfix/README_FILES/SMTPD_POLICY_README b/postfix/README_FILES/SMTPD_POLICY_README index 5dd321021..70c6bd0a6 100644 --- a/postfix/README_FILES/SMTPD_POLICY_README +++ b/postfix/README_FILES/SMTPD_POLICY_README 
@@ -206,6 +206,10 @@ NOTES: "connection refused" and other problems when you increase the smtpd process limit. + * Line 8: reject_unauth_destination is not needed here if the mail relay + policy is specified with smtpd_relay_restrictions (available with Postfix + 2.10 and later). + * Lines 8, 9: always specify "check_policy_service" AFTER "reject_unauth_destination" or else your system could become an open relay. @@ -221,7 +225,8 @@ NOTES: (in the above example, "policy") and a built-in suffix (in the above example: "_time_limit"). - * Solaris UNIX-domain sockets do not work reliably. Use TCP sockets instead: + * With Solaris < 9, or Postfix < 2.10 on any Solaris version, use TCP sockets + instead of UNIX-domain sockets: 1 /etc/postfix/master.cf: 2 127.0.0.1:9998 inet n n n - 0 spawn @@ -323,14 +328,19 @@ Notes: it. See the spawn(8) manpage for more information about the transport_time_limit parameter. + * Line 9: reject_unauth_destination is not needed here if the mail relay + policy is specified with smtpd_relay_restrictions (available with Postfix + 2.10 and later). + Note: the "greylist_time_limit" parameter will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination of a master.cf service name (in the above example, "greylist") and a built-in suffix (in the above example: "_time_limit"). -On Solaris you must use inet: style sockets instead of unix: style, as detailed -in the "Policy client/server configuration" section above. +With Solaris < 9, or Postfix < 2.10 on any Solaris version, use inet: style +sockets instead of unix: style, as detailed in the "Policy client/server +configuration" section above. 1 /etc/postfix/master.cf: 2 127.0.0.1:9998 inet n n n - 0 spawn 
@@ -369,8 +379,13 @@ filtering/sender-domain-validate.in. NOTES: - * Line 9: On Solaris you must use inet: style sockets instead of unix: style, - as detailed in the "Example: greylist policy server" section above. + * Line 9: On Solaris < 9, or Postfix < 2.10 on any Solaris version, use inet: + style sockets instead of unix: style, as detailed in the "Example: greylist + policy server" section above. + + * Line 5: reject_unauth_destination is not needed here if the mail relay + policy is specified with smtpd_relay_restrictions (available with Postfix + 2.10 and later). * Line 6: Be sure to specify "check_sender_access" AFTER "reject_unauth_destination" or else your system could become an open mail @@ -407,8 +422,13 @@ avoids most of the delays and most of the database pollution problem. NOTES: - * Line 7: On Solaris you must use inet: style sockets instead of unix: style, - as detailed in the "Example: greylist policy server" section above. + * Line 7: On Solaris < 9, or Postfix < 2.10 on any Solaris version, use inet: + style sockets instead of unix: style, as detailed in the "Example: greylist + policy server" section above. + + * Line 5: reject_unauth_destination is not needed here if the mail relay + policy is specified with smtpd_relay_restrictions (available with Postfix + 2.10 and later). * Lines 6-7: Be sure to specify check_sender_access and check_policy_service AFTER reject_unauth_destination or else your system could become an open diff --git a/postfix/README_FILES/SMTPD_PROXY_README b/postfix/README_FILES/SMTPD_PROXY_README index 8aadb4a9a..c26b5a850 100644 --- a/postfix/README_FILES/SMTPD_PROXY_README +++ b/postfix/README_FILES/SMTPD_PROXY_README 
@@ -125,8 +125,8 @@ This is configured by editing the master.cf file: smtp inet n - n - 20 smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o smtpd_client_connection_count_limit=10 - # Postfix 2.7 and later performance feature. - # -o smtpd_proxy_options=speed_adjust + # Postfix 2.7 and later performance feature. + # -o smtpd_proxy_options=speed_adjust # # After-filter SMTP server. Receive mail from the content filter # on localhost port 10026. @@ -136,6 +136,8 @@ This is configured by editing the master.cf file: -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= + # Postfix 2.10 and later: specify empty smtpd_relay_restrictions. + -o smtpd_relay_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions= -o mynetworks=127.0.0.0/8 diff --git a/postfix/README_FILES/STANDARD_CONFIGURATION_README b/postfix/README_FILES/STANDARD_CONFIGURATION_README index e347c8828..ee823aaaf 100644 --- a/postfix/README_FILES/STANDARD_CONFIGURATION_README +++ b/postfix/README_FILES/STANDARD_CONFIGURATION_README 
@@ -242,34 +242,44 @@ purpose of the firewall email function. 3 relay_domains = example.com 4 parent_domain_matches_subdomains = 5 debug_peer_list smtpd_access_maps - 6 smtpd_recipient_restrictions = - 7 permit_mynetworks reject_unauth_destination - 8 - 9 relay_recipient_maps = hash:/etc/postfix/relay_recipients - 10 transport_maps = hash:/etc/postfix/transport - 11 - 12 /etc/postfix/relay_recipients: - 13 user1@example.com x - 14 user2@example.com x - 15 . . . - 16 - 17 /etc/postfix/transport: - 18 example.com smtp:[inside-gateway.example.com] + + 6a # Postfix 2.10 and later support separate relay control and + 7a # spam control. + 8a smtpd_relay_restrictions = + 9a permit_mynetworks reject_unauth_destination + 10a smtpd_recipient_restrictions = ...spam blocking rules.... + + 6b # Older configurations combine relay control and spam control. To + 7b # use this with Postfix >= 2.10 specify "smtpd_relay_restrictions=". + 8b smtpd_recipient_restrictions = + 9b permit_mynetworks reject_unauth_destination + 10b ...spam blocking rules.... + + 11 relay_recipient_maps = hash:/etc/postfix/relay_recipients + 12 transport_maps = hash:/etc/postfix/transport + 13 + 14 /etc/postfix/relay_recipients: + 15 user1@example.com x + 16 user2@example.com x + 17 . . . + 18 + 19 /etc/postfix/transport: + 20 example.com smtp:[inside-gateway.example.com] Translation: - * Lines 1-7: Accept mail from local systems in $mynetworks, and accept mail + * Lines 1-10: Accept mail from local systems in $mynetworks, and accept mail from outside for "user@example.com" but not for "user@anything.example.com". The magic is in lines 4-5. - * Lines 9, 12-14: Define the list of valid addresses in the "example.com" + * Lines 11, 13-16: Define the list of valid addresses in the "example.com" domain that can receive mail from the Internet. This prevents the mail queue from filling up with undeliverable MAILER-DAEMON messages. 
If you can't maintain a list of valid recipients then you must specify "relay_recipient_maps =" (that is, an empty value), or you must specify an "@example.com x" wild-card in the relay_recipients table. - * Lines 10, 17-18: Route mail for "example.com" to the inside gateway + * Lines 12, 19-20: Route mail for "example.com" to the inside gateway machine. The [] forces Postfix to do no MX lookup. Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb files. 
@@ -379,26 +389,36 @@ When your system is SECONDARY MX host for a remote site this is all you need: 3 4 /etc/postfix/main.cf: 5 relay_domains = . . . the.backed-up.domain.tld - 6 smtpd_recipient_restrictions = - 7 permit_mynetworks reject_unauth_destination - 8 - 9 # You must specify your NAT/proxy external address. - 10 #proxy_interfaces = 1.2.3.4 - 11 - 12 relay_recipient_maps = hash:/etc/postfix/relay_recipients + + 6a # Postfix 2.10 and later support separate relay control and + 7a # spam control. + 8a smtpd_relay_restrictions = + 9a permit_mynetworks reject_unauth_destination + 10a smtpd_recipient_restrictions = ...spam blocking rules.... + + 6b # Older configurations combine relay control and spam control. To + 7b # use this with Postfix >= 2.10 specify "smtpd_relay_restrictions=". + 8b smtpd_recipient_restrictions = + 9b permit_mynetworks reject_unauth_destination + 10b ...spam blocking rules.... + + 11 # You must specify your NAT/proxy external address. + 12 #proxy_interfaces = 1.2.3.4 13 - 14 /etc/postfix/relay_recipients: - 15 user1@the.backed-up.domain.tld x - 16 user2@the.backed-up.domain.tld x - 17 . . . + 14 relay_recipient_maps = hash:/etc/postfix/relay_recipients + 15 + 16 /etc/postfix/relay_recipients: + 17 user1@the.backed-up.domain.tld x + 18 user2@the.backed-up.domain.tld x + 19 . . . When your system is PRIMARY MX host for a remote site you need the above, plus: - 18 /etc/postfix/main.cf: - 19 transport_maps = hash:/etc/postfix/transport - 20 - 21 /etc/postfix/transport: - 22 the.backed-up.domain.tld relay:[their.mail.host.tld] + 20 /etc/postfix/main.cf: + 21 transport_maps = hash:/etc/postfix/transport + 22 + 23 /etc/postfix/transport: + 24 the.backed-up.domain.tld relay:[their.mail.host.tld] Important notes: 
@@ -408,20 +428,20 @@ Important notes: * Do not list the.backed-up.domain.tld in virtual_mailbox_domains. - * Lines 1-7: Forward mail from the Internet for "the.backed-up.domain.tld" to + * Lines 1-9: Forward mail from the Internet for "the.backed-up.domain.tld" to the primary MX host for that domain. - * Line 10: This is a must if Postfix receives mail via a NAT relay or proxy + * Line 12: This is a must if Postfix receives mail via a NAT relay or proxy that presents a different IP address to the world than the local machine. - * Lines 12-16: Define the list of valid addresses in the "the.backed- + * Lines 14-18: Define the list of valid addresses in the "the.backed- up.domain.tld" domain. This prevents your mail queue from filling up with undeliverable MAILER-DAEMON messages. If you can't maintain a list of valid recipients then you must specify "relay_recipient_maps =" (that is, an empty value), or you must specify an "@the.backed-up.domain.tld x" wild- card in the relay_recipients table. - * Line 22: The [] forces Postfix to do no MX lookup. + * Line 24: The [] forces Postfix to do no MX lookup. Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb files. To find out what lookup tables Postfix supports, use the command "ppoossttccoonnff --mm". diff --git a/postfix/README_FILES/TLS_README b/postfix/README_FILES/TLS_README index d48c89d0c..c716989ea 100644 --- a/postfix/README_FILES/TLS_README +++ b/postfix/README_FILES/TLS_README 
@@ -445,12 +445,23 @@ employee leaving). Example: + # With Postfix 2.10 and later, the mail relay policy is + # preferably specified under smtpd_relay_restrictions. + /etc/postfix/main.cf: + smtpd_relay_restrictions = + permit_mynetworks + permit_tls_clientcerts + reject_unauth_destination + + # Older configurations combine relay control and spam control under + # smtpd_recipient_restrictions. To use this example with Postfix >= + # 2.10 specify "smtpd_relay_restrictions=". /etc/postfix/main.cf: smtpd_recipient_restrictions = - ... + permit_mynetworks permit_tls_clientcerts reject_unauth_destination - ... + ...other rules... Example: Postfix lookup tables are in the form of (key, value) pairs. Since we only need the key, the value can be chosen freely, e.g. the name of the user or @@ -551,7 +562,7 @@ By default, the OpenSSL server selects the client's most preferred cipher that the server supports. With SSLv3 and later, the server may choose its own most preferred cipher that is supported (offered) by the client. Setting "tls_preempt_cipherlist = yes" enables server cipher preferences. The default -OpenSSL behaviour applies with "tls_preempt_cipherlist = no". +OpenSSL behavior applies with "tls_preempt_cipherlist = no". While server cipher selection may in some cases lead to a more secure or performant cipher choice, there is some risk of interoperability issues. In the diff --git a/postfix/README_FILES/VERP_README b/postfix/README_FILES/VERP_README index 5a5a1c2b1..a721ececa 100644 --- a/postfix/README_FILES/VERP_README +++ b/postfix/README_FILES/VERP_README 
@@ -138,7 +138,7 @@ The first form uses the default main.cf VERP delimiters, the second form overrides them explicitly. The values shown are the recommended ones. You can use the smtpd_command_filter feature to append XVERP to SMTP commands -from legacy sofware. This requires Postfix 2.7 or later. +from legacy software. This requires Postfix 2.7 or later. /etc/postfix/main.cf: smtpd_command_filter = pcre:/etc/postfix/append_verp.pcre diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 0fb18079c..117af91e9 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -14,6 +14,116 @@ specifies the release date of a stable release or snapshot release. If you upgrade from Postfix 2.8 or earlier, read RELEASE_NOTES-2.9 before proceeding. +Incompatible changes with snapshot 20121007 +=========================================== + +As part of a forward compatibility safety net, the Postfix installation +procedure adds the following smtpd_relay_restrictions entry to +main.cf when there is none: + + smtpd_relay_restrictions = + permit_mynetworks + permit_sasl_authenticated + defer_unauth_destination + +If your site has a complex mail relay policy configured under +smtpd_recipient_restrictions, this safety net will defer mail that +the built-in smtpd_relay_restrictions setting would bounce. + +To eliminate this safety net, take one of the following three +actions: + +- Set smtpd_relay_restrictions empty, and keep using the existing + mail relay authorization policy in smtpd_recipient_restrictions. + +- Copy the existing mail relay authorization policy from + smtpd_recipient_restrictions to smtpd_relay_restrictions. + +- Set smtpd_relay_restrictions by hand to the new built-in + policy: permit_mynetworks reject_unauth_destination. + +There is no need to change the value of smtpd_recipient_restrictions. + + +Major changes with snapshot 20121007 +==================================== + +This version introduces the smtpd_relay_restrictions feature +for mail relay control. The new built-in default settings are: + + smtpd_relay_restrictions = + permit_mynetworks + reject_unauth_destination + + smtpd_recipient_restrictions = + ( optional spam blocking rules would go here ) + +For comparison, this is the Postfix before 2.10 default: + + smtpd_recipient_restrictions = + permit_mynetworks + reject_unauth_destination + ( optional spam blocking rules would go here ) + +With Postfix versions before 2.10, the mail relay policy and spam +blocking policy were combined under smtpd_recipient_restrictions, +resulting in error-prone configuration. 
+ +As of Postfix 2.10, the mail relay policy is preferably implemented +with smtpd_relay_restrictions, so that a permissive spam blocking +policy under smtpd_recipient_restrictions will not unexpectedly +result in a permissive mail relay policy. + +As usual, this new feature is introduced with safety nets to prevent +surprises when a site upgrades from an earlier Postfix release. + +1 - FORWARD COMPATIBILITY SAFETY NET: the Postfix installation + procedure adds the following smtpd_relay_restrictions entry to + main.cf when there is none: + + smtpd_relay_restrictions = + permit_mynetworks + permit_sasl_authenticated + defer_unauth_destination + + If your site has a complex mail relay policy configured under + smtpd_recipient_restrictions, this safety net will defer mail + that the built-in smtpd_relay_restrictions setting would bounce. + + To eliminate this safety net, take one of the following three + actions: + + - Set smtpd_relay_restrictions empty, and keep using the existing + mail relay authorization policy in smtpd_recipient_restrictions. + + - Copy the existing mail relay authorization policy from + smtpd_recipient_restrictions to smtpd_relay_restrictions. + + - Set smtpd_relay_restrictions by hand to the new built-in + policy: permit_mynetworks reject_unauth_destination. + + There is no need to change the value of smtpd_recipient_restrictions. + +2 - BACKWARDS COMPATIBILITY SAFETY NET: sites that migrate from + Postfix versions before 2.10 can set smtpd_relay_restrictions + to the empty value, and use smtpd_recipient_restrictions exactly + as they used it before. + +Incompatible changes with snapshot 20120924 +=========================================== + +Postfix no longer uses FIFOs to emulate UNIX-domain sockets on +Solaris 9 (Vintage 2002!) and later. If you install Postfix for +the first time on an older Solaris system, edit the master.cf file +and replace "unix" with "fifo" for the pickup and qmgr services. 
+ +Major changes with snapshot 20120924 +==================================== + +Laptop-friendliness: the default master.cf file now uses "unix" +instead of "fifo" for the pickup and qmgr services. This avoids +periodic disk drive spin-up. + Incompatible changes with snapshot 20120625 =========================================== @@ -32,7 +142,9 @@ following: postscreen_upstream_proxy_protocol = haproxy smtpd_upstream_proxy_protocol = haproxy -Note 1: smtpd_upstream_proxy_protocol can't be used behind postscreen. +Note 1: smtpd_upstream_proxy_protocol can't be used in smtpd processes +that are behind postscreen. Configure postscreen_upstream_proxy_protocol +instead. Note 2: To use the nginx proxy with smtpd(8), enable the XCLIENT protocol with smtpd_authorized_xclient_hosts. This supports SASL diff --git a/postfix/WISHLIST b/postfix/WISHLIST index 077258562..8a5399412 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST @@ -6,23 +6,14 @@ Wish list: Things to do after the stable release: + Spellcheck and double-word check. + Don't forget Apple's code donation for fetching mail from IMAP server. Make "rename" the default when postmapping a DB file (later: use copy+rename for postmap -i, postmap -d). - On most systems, switching the qmgr and pickup services - from "fifo" to "unix" endpoints can avoid disk spin-up due - to mtime changes. However, Postfix on Solaris emulates - UNIX-domain sockets by sending a file handle through a FIFO. - Either we need to a) find out if a Solaris FIFO is a "unix" - or "fifo" endpoint (parsing master.cf is not an option for - chrooted daemons), or b) silently implement a Solaris "fifo" - endpoint as if master.cf says "unix", so that all Solaris - FIFOs are emulated UNIX-domain endpoints. Or, we bite the - bullet and stop emulating UNIX-domain onver FIFOs. - Service-name parameters aren't documented in daemon manpages. When faking up the DSN ORCPT, don't send bare usernames 
diff --git a/postfix/conf/post-install b/postfix/conf/post-install index 63ad8a0bd..a6a4aeba0 100644 --- a/postfix/conf/post-install +++ b/postfix/conf/post-install @@ -800,11 +800,34 @@ EOF test "`$POSTCONF -dh inet_protocols`" = "ipv4" || test -n "`$POSTCONF -c $config_directory -nh inet_protocols`" || { - echo COMPATIBILITY: editing main.cf, setting inet_protocols=ipv4. - echo Specify inet_protocols explicitly if you want to enable IPv6. - echo In a future release IPv6 will be enabled by default. + cat < -> - probe
- message + probe
+ message -> - - Postfix
mail
queue + + Postfix
mail
queue @@ -115,15 +115,15 @@ always discarded.

-> - - Postfix
SMTP
server
+ + Postfix
SMTP
server
<-> - - Postfix
verify
server
- + + Postfix
verify
server
+ @@ -141,14 +141,14 @@ always discarded.

<- - probe
- status + probe
+ status <- - - Postfix
delivery
agents + + Postfix
delivery
agents -> Local
-> Remote @@ -160,8 +160,8 @@ always discarded.

  - - ^
|
v + + ^
|
v @@ -173,8 +173,8 @@ always discarded.

  - - Address
verification
database + + Address
verification
database @@ -282,6 +282,9 @@ the same address repeatedly.

/etc/postfix/main.cf: smtpd_recipient_restrictions = permit_mynetworks + # reject_unauth_destination is not needed here if the mail + # relay policy is specified under smtpd_relay_restrictions + # (available with Postfix 2.10 and later). reject_unauth_destination ... reject_unknown_recipient_domain @@ -431,7 +434,7 @@ verification probe fails with some temporary error. Specify a valid

The unverified_sender_reject_reason parameter (default: empty) specifies fixed text that Postfix will send to remote SMTP -clients, instead of sending actual addres verification details. +clients, instead of sending actual address verification details. Do not specify the SMTP status code or enhanced status code.

The unverified_sender_tempfail_action parameter (default: diff --git a/postfix/html/FILTER_README.html b/postfix/html/FILTER_README.html index 85ca1f888..5910669ae 100644 --- a/postfix/html/FILTER_README.html +++ b/postfix/html/FILTER_README.html @@ -218,24 +218,24 @@ document for an introduction to the Postfix architecture.

- - maildrop
- queue
+ + maildrop
+ queue
<- - Postfix
- postdrop(1) + Postfix
+ postdrop(1) <- - Postfix
- sendmail(1) + Postfix
+ sendmail(1) <- - Content -
filter + Content +
filter @@ -750,6 +750,8 @@ that injects mail back into Postfix.

-o smtpd_helo_restrictions= -o smtpd_client_restrictions= -o smtpd_sender_restrictions= + # Postfix 2.10 and later: specify empty smtpd_relay_restrictions. + -o smtpd_relay_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o smtpd_authorized_xforward_hosts=127.0.0.0/8 diff --git a/postfix/html/LINUX_README.html b/postfix/html/LINUX_README.html index 507cc7c3b..f6f7bbef6 100644 --- a/postfix/html/LINUX_README.html +++ b/postfix/html/LINUX_README.html @@ -17,6 +17,24 @@
+

Host lookup issues

+ +

By default Linux /etc/hosts lookups do not support multiple IP +address per hostname. This causes warnings from the Postfix SMTP +server that "hostname XXX does not resolve to address YYY", and is +especially a problem with hosts that have both IPv4 and IPv6 +addresses. To fix, turn on support for multiple IP addresses:

+ +
+
+/etc/host.conf:
+    ...
+    # We have machines with multiple IP addresses.
+    multi on
+    ...
+
+
+

Berkeley DB issues

If you can't compile Postfix because the file "db.h" diff --git a/postfix/html/MULTI_INSTANCE_README.html b/postfix/html/MULTI_INSTANCE_README.html index f22433874..37a708577 100644 --- a/postfix/html/MULTI_INSTANCE_README.html +++ b/postfix/html/MULTI_INSTANCE_README.html @@ -374,6 +374,8 @@ post-filter re-injection SMTP service. Typical additions include:

# With multiple instances, rarely need "-o param=value" overrides # in master.cf, each instance gets its own main.cf file. # + # Postfix 2.10 and later: specify empty smtpd_relay_restrictions. + smtpd_relay_restrictions = smtpd_recipient_restrictions = permit_mynetworks, reject # Tolerate occasional high latency in the content filter. diff --git a/postfix/html/POSTSCREEN_README.html b/postfix/html/POSTSCREEN_README.html index 06b8dce50..f2ded3c7c 100644 --- a/postfix/html/POSTSCREEN_README.html +++ b/postfix/html/POSTSCREEN_README.html @@ -1071,8 +1071,8 @@ that decrypts/encrypts the sessions for multiple SMTP clients.

The tlsproxy(8) implementation led to the discovery of a "new" class of vulnerability (CVE-2011-0411) that affected multiple implementations of TLS -over SMTP, POP, IMAP, NNTP, and FTP.

+>CVE-2011-0411) that affected multiple implementations of SMTP, +POP, IMAP, NNTP, and FTP over TLS.

postscreen(8) was officially released as part of the Postfix 2.8 stable release in January 2011.

diff --git a/postfix/html/RESTRICTION_CLASS_README.html b/postfix/html/RESTRICTION_CLASS_README.html index 4035994ec..6b85f8d8f 100644 --- a/postfix/html/RESTRICTION_CLASS_README.html +++ b/postfix/html/RESTRICTION_CLASS_README.html @@ -48,13 +48,17 @@ care about these low-level details.

permissive = permit smtpd_recipient_restrictions = - permit_mynetworks - reject_unauth_destination - check_recipient_access hash:/etc/postfix/recipient_access + permit_mynetworks + # reject_unauth_destination is not needed here if the mail + # relay policy is specified with smtpd_relay_restrictions + # (available with Postfix 2.10 and later). + reject_unauth_destination + check_recipient_access hash:/etc/postfix/recipient_access + ... /etc/postfix/recipient_access: - joe@my.domain permissive - jane@my.domain restrictive + joe@my.domain permissive + jane@my.domain restrictive @@ -102,6 +106,7 @@ to IP spoofing.

 /etc/postfix/main.cf:
     smtpd_recipient_restrictions =
+        ...
         check_recipient_access hash:/etc/postfix/access
         ...the usual stuff...
 
@@ -133,6 +138,7 @@ therefore is subject to SMTP sender spoofing. 

 /etc/postfix/main.cf:
     smtpd_recipient_restrictions =
+        ...
         check_recipient_access hash:/etc/postfix/protected_destinations
         ...the usual stuff...
 
@@ -193,6 +199,7 @@ with LDAP or SQL. 

 /etc/postfix/main.cf:
     smtpd_recipient_restrictions =
+        ...
         check_sender_access hash:/etc/postfix/restricted_senders
         ...other stuff...
 
diff --git a/postfix/html/SASL_README.html b/postfix/html/SASL_README.html
index f76ca860f..18ed0cf01 100644
--- a/postfix/html/SASL_README.html
+++ b/postfix/html/SASL_README.html
@@ -1367,20 +1367,33 @@ for. Examples of possible SMTP clients authorizations are: 

Mail relay authorization

-

The permit_sasl_authenticated restriction allows +

With permit_sasl_authenticated the Postfix SMTP +server can allow SASL-authenticated SMTP clients to send mail to remote destinations. -Add it to the list of smtpd_recipient_restrictions as -follows:

+Examples: +

+# With Postfix 2.10 and later, the mail relay policy is
+# preferably specified under smtpd_relay_restrictions.
+/etc/postfix/main.cf:
+    smtpd_relay_restrictions =
+	permit_mynetworks
+	permit_sasl_authenticated
+	reject_unauth_destination
+
+ +
+# Older configurations combine relay control and spam control under
+# smtpd_recipient_restrictions. To use this example with Postfix ≥
+# 2.10 specify "smtpd_relay_restrictions=".
 /etc/postfix/main.cf:
     smtpd_recipient_restrictions =
-    ...
-    permit_mynetworks
-    permit_sasl_authenticated
-    reject_unauth_destination
-    ...
+	permit_mynetworks
+	permit_sasl_authenticated
+	reject_unauth_destination
+	...other rules...
 
@@ -1406,9 +1419,7 @@ use a particular envelope sender address:

smtpd_recipient_restrictions = ... reject_sender_login_mismatch - permit_sasl_authenticated - permit_mynetworks - reject_unauth_destination + permit_sasl_authenticated ...
@@ -1926,7 +1937,7 @@ font.

Instead of port 25 (smtp), specify port 587 (submission) where -appriopriate.

+appropriate.

Encrypted SMTP session (TLS)

diff --git a/postfix/html/SMTPD_ACCESS_README.html b/postfix/html/SMTPD_ACCESS_README.html index 5560a3727..6d8a81a52 100644 --- a/postfix/html/SMTPD_ACCESS_README.html +++ b/postfix/html/SMTPD_ACCESS_README.html @@ -60,10 +60,19 @@ anti-spammer blacklists. See, for example, the information on

By default, Postfix has a moderately restrictive approach to mail relaying. Postfix forwards mail only from clients in trusted -networks, or to domains that are configured as authorized relay -destinations. For a description of the default policy, see the -smtpd_recipient_restrictions parameter in the postconf(5) manual -page, and the information that is referenced from there.

+networks, from clients that have authenticated with SASL, or to +domains that are configured as authorized relay +destinations. For a description of the default mail relay policy, +see the smtpd_relay_restrictions parameter in the postconf(5) manual +page, and the information that is referenced from there.

+ +

NOTE: Postfix versions before 2.10 did not have +smtpd_relay_restrictions. They combined the mail relay and spam +blocking policies, under smtpd_recipient_restrictions. This could +lead to unexpected results. For example, a permissive spam blocking +policy could unexpectedly result in a permissive mail relay policy. +An example of this is documented under "Dangerous +use of smtpd_recipient_restrictions".

Most of the Postfix SMTP server access controls are targeted at stopping junk email.

@@ -178,8 +187,23 @@ described in the postconf(5) manual page.

# Don't accept mail from domains that don't exist. smtpd_sender_restrictions = reject_unknown_sender_domain - # Whitelisting: local clients may specify any destination domain. - smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination + # Relay control (Postfix 2.10 and later): local clients and + # authenticated clients may specify any destination domain. + smtpd_relay_restrictions = permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination + + # Spam control: exclude local clients and authenticated clients + # from DNSBL lookups. + smtpd_recipient_restrictions = permit_mynetworks, + permit_sasl_authenticated, + # reject_unauth_destination is not needed here if the mail + # relay policy is specified under smtpd_relay_restrictions + # (available with Postfix 2.10 and later). + reject_unauth_destination + reject_rbl_client zen.spamhaus.org, + reject_rhsbl_helo dbl.spamhaus.org, + reject_rhsbl_sender dbl.spamhaus.org # Block clients that speak too early. smtpd_data_restrictions = reject_unauth_pipelining @@ -205,28 +229,47 @@ DEFER result.

- - - - - - + + - + + + + + + + + - + -
Restriction list name Status Effect +
Restriction list name Version Status + Effect of REJECT or DEFER result
smtpd_client_restrictions Optional +
smtpd_client_restrictions All +Optional Reject all client commands
smtpd_helo_restrictions Optional +
smtpd_helo_restrictions All Optional + Reject HELO/EHLO information
smtpd_sender_restrictions Optional +
smtpd_sender_restrictions All +Optional Reject MAIL FROM information
smtpd_recipient_restrictions Required Reject RCPT TO information
smtpd_relay_restrictions ≥ 2.10 + Required if smtpd_recipient_restrictions does not enforce +relay policy Reject RCPT TO information
smtpd_data_restrictions Optional +
< 2.10 Not available
smtpd_recipient_restrictions ≥ +2.10 Required if smtpd_relay_restrictions does not enforce +relay policy Reject RCPT TO information
< 2.10 Required
smtpd_data_restrictions ≥ 2.0 +Optional Reject DATA command
smtpd_end_of_data_restrictions Optional +
smtpd_end_of_data_restrictions ≥ 2.2 Optional Reject END-OF-DATA command
smtpd_etrn_restrictions Optional +
smtpd_etrn_restrictions All Optional + Reject ETRN command
@@ -248,10 +291,10 @@ and so on. This approach turned out to be difficult to use.

helo and sender restriction lists until the RCPT TO or ETRN command. This behavior is controlled by the smtpd_delay_reject parameter. Restriction lists are still evaluated in the proper order of (client, -helo, etrn) or (client, helo, sender, recipient, data, or end-of-data) -restrictions. +helo, etrn) or (client, helo, sender, relay, recipient, data, or +end-of-data) restrictions. When a restriction list (example: client) evaluates to REJECT or -DEFER the other restriction lists (example: helo, sender, etc.) +DEFER the restriction lists that follow (example: helo, sender, etc.) are skipped.

Around the time that smtpd_delay_reject was introduced, Postfix @@ -300,6 +343,12 @@ list evaluates to REJECT or DEFER, the recipient address is rejected; no surprises here. If the result is PERMIT, then the recipient address is accepted. And this is where surprises can happen.

+

The problem is that Postfix versions before 2.10 did not have +smtpd_relay_restrictions. They combined the mail relay and spam +blocking policies, under smtpd_recipient_restrictions. The result +is that a permissive spam blocking policy could unexpectedly result +in a permissive mail relay policy.

+

Here is an example that shows when a PERMIT result can result in too much access permission:

@@ -309,7 +358,7 @@ in too much access permission:

3 permit_mynetworks 4 check_helo_access hash:/etc/postfix/helo_access 5 reject_unknown_helo_hostname -6 reject_unauth_destination +6 reject_unauth_destination 7 8 /etc/postfix/helo_access: 9 localhost.localdomain PERMIT @@ -326,14 +375,31 @@ localhost.localdomain".

that announces itself as "localhost.localdomain", making Postfix an open relay for all such hosts.

-

In order to avoid surprises like these with -smtpd_recipient_restrictions, you should place non-recipient +

With Postfix before version 2.10 you should place non-recipient restrictions AFTER the reject_unauth_destination restriction, not before. In the above example, the HELO based restrictions should be placed AFTER reject_unauth_destination, or better, the HELO based restrictions should be placed under smtpd_helo_restrictions where they can do no harm.

+
+1 /etc/postfix/main.cf:
+2     smtpd_recipient_restrictions = 
+3         permit_mynetworks
+4         reject_unauth_destination
+5         check_helo_access hash:/etc/postfix/helo_access
+6         reject_unknown_helo_hostname
+7 
+8 /etc/postfix/helo_access:
+9     localhost.localdomain PERMIT
+
+ +

The above mistake will not happen with Postfix 2.10 and later, +when the relay policy is specified under smtpd_relay_restrictions, +and the spam blocking policy under smtpd_recipient_restrictions. +Then, a permissive spam blocking policy will not result in a +permissive mail relay policy.

+

SMTP access rule testing

Postfix has several features that aid in SMTP access rule diff --git a/postfix/html/SMTPD_POLICY_README.html b/postfix/html/SMTPD_POLICY_README.html index bfe3859f4..3bdd4305a 100644 --- a/postfix/html/SMTPD_POLICY_README.html +++ b/postfix/html/SMTPD_POLICY_README.html @@ -281,6 +281,10 @@ specified with the user attribute.

"-", to avoid "connection refused" and other problems when you increase the smtpd process limit.

+
  • Line 8: reject_unauth_destination is not needed here if +the mail relay policy is specified with smtpd_relay_restrictions +(available with Postfix 2.10 and later).

    +
  • Lines 8, 9: always specify "check_policy_service" AFTER "reject_unauth_destination" or else your system could become an open relay.

    @@ -299,8 +303,8 @@ of a master.cf service name (in the above example, " built-in suffix (in the above example: "_time_limit").

    -
  • Solaris UNIX-domain sockets do not work reliably. Use -TCP sockets instead:

    +
  • With Solaris < 9, or Postfix < 2.10 on any Solaris +version, use TCP sockets instead of UNIX-domain sockets:

    @@ -436,6 +440,10 @@ SMTP server process that talks to it. See the spawn(8) manpage for more information about the transport_time_limit parameter.

    +
  • Line 9: reject_unauth_destination is not needed here if +the mail relay policy is specified with smtpd_relay_restrictions +(available with Postfix 2.10 and later).

    +

    Note: the "greylist_time_limit" parameter will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination @@ -445,7 +453,8 @@ a built-in suffix (in the above example: "_time_limit").

    -

    On Solaris you must use inet: style sockets instead of unix: +

    With Solaris < 9, or Postfix < 2.10 on any Solaris +version, use inet: style sockets instead of unix: style, as detailed in the "Policy client/server configuration" section above.

    @@ -497,10 +506,15 @@ forged MAIL FROM domains could be found at
  • Translation:

    @@ -541,11 +561,11 @@ need the above, plus:

    -18 /etc/postfix/main.cf:
    -19     transport_maps = hash:/etc/postfix/transport
    -20 
    -21 /etc/postfix/transport:
    -22     the.backed-up.domain.tld       relay:[their.mail.host.tld]
    +20 /etc/postfix/main.cf:
    +21     transport_maps = hash:/etc/postfix/transport
    +22 
    +23 /etc/postfix/transport:
    +24     the.backed-up.domain.tld       relay:[their.mail.host.tld]
     
    @@ -559,15 +579,15 @@ need the above, plus:

  • Do not list the.backed-up.domain.tld in virtual_mailbox_domains.

    -
  • Lines 1-7: Forward mail from the Internet for +

  • Lines 1-9: Forward mail from the Internet for "the.backed-up.domain.tld" to the primary MX host for that domain.

    -
  • Line 10: This is a must if Postfix receives mail via a +

  • Line 12: This is a must if Postfix receives mail via a NAT relay or proxy that presents a different IP address to the world than the local machine.

    -
  • Lines 12-16: Define the list of valid addresses in the +

  • Lines 14-18: Define the list of valid addresses in the "the.backed-up.domain.tld" domain. This prevents your mail queue from filling up with undeliverable MAILER-DAEMON messages. If you can't maintain a list of valid recipients then you must specify @@ -575,7 +595,7 @@ can't maintain a list of valid recipients then you must specify specify an "@the.backed-up.domain.tld x" wild-card in the relay_recipients table.

    -
  • Line 22: The [] forces Postfix to do no MX lookup.

    +
  • Line 24: The [] forces Postfix to do no MX lookup.

    diff --git a/postfix/html/TLS_README.html b/postfix/html/TLS_README.html index fad43a337..8459dc318 100644 --- a/postfix/html/TLS_README.html +++ b/postfix/html/TLS_README.html @@ -654,12 +654,25 @@ certificate must no longer be used (e.g. an employee leaving).

    +# With Postfix 2.10 and later, the mail relay policy is
    +# preferably specified under smtpd_relay_restrictions.
    +/etc/postfix/main.cf:
    +    smtpd_relay_restrictions = 
    +        permit_mynetworks
    +        permit_tls_clientcerts 
    +        reject_unauth_destination
    +
    + +
    +# Older configurations combine relay control and spam control under
    +# smtpd_recipient_restrictions. To use this example with Postfix ≥
    +# 2.10 specify "smtpd_relay_restrictions=".
     /etc/postfix/main.cf:
         smtpd_recipient_restrictions = 
    -        ... 
    +        permit_mynetworks
             permit_tls_clientcerts 
             reject_unauth_destination
    -        ...
    +        ...other rules...
     
    @@ -787,7 +800,7 @@ chooses the cipher from a list supplied by the server.

    cipher that the server supports. With SSLv3 and later, the server may choose its own most preferred cipher that is supported (offered) by the client. Setting "tls_preempt_cipherlist = yes" enables server -cipher preferences. The default OpenSSL behaviour applies with +cipher preferences. The default OpenSSL behavior applies with "tls_preempt_cipherlist = no".

    While server cipher selection may in some cases lead to a more secure diff --git a/postfix/html/VERP_README.html b/postfix/html/VERP_README.html index 3ae4ab161..61f34e772 100644 --- a/postfix/html/VERP_README.html +++ b/postfix/html/VERP_README.html @@ -218,7 +218,7 @@ second form overrides them explicitly. The values shown are the recommended ones.

    You can use the smtpd_command_filter feature to append XVERP -to SMTP commands from legacy sofware. This requires Postfix 2.7 +to SMTP commands from legacy software. This requires Postfix 2.7 or later.

    diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 52a5f4749..62b7fe703 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -2688,7 +2688,7 @@ Example:
    dnsblog_reply_delay (default: 0s)
    -

    A debugging aid to artifically delay DNS responses.

    +

    A debugging aid to artificially delay DNS responses.

    This feature is available in Postfix 2.8.

    @@ -3776,7 +3776,7 @@ configuration parameter. See there for details.

    the server performs final delivery, and send "delivered" delivery status notifications instead of "relayed". The default setting is backwards -compatible to avoid the infinetisimal possibility of breaking +compatible to avoid the infinitesimal possibility of breaking existing LMTP-based content filters.

    @@ -6532,7 +6532,7 @@ The list of "trusted" remote SMTP clients that have more privileges than

    In particular, "trusted" SMTP clients are allowed to relay mail -through Postfix. See the smtpd_recipient_restrictions parameter +through Postfix. See the smtpd_relay_restrictions parameter description in the postconf(5) manual.

    @@ -7632,7 +7632,7 @@ one-letter suffix that specifies the time unit). Time units: s

    The number of clients that can be waiting for service from a real Postfix SMTP server process. When this queue is full, all clients will -receive a 421 reponse.

    +receive a 421 response.

    This feature is available in Postfix 2.8.

    @@ -7646,7 +7646,7 @@ receive a 421 reponse.

    a decision whether they will receive service from a real Postfix SMTP server process. When this queue is full, all non-whitelisted clients will -receive a 421 reponse.

    +receive a 421 response.

    This feature is available in Postfix 2.8.

    @@ -11168,7 +11168,7 @@ protocol exclusions. One can now explicitly exclude SSLv2 by setting SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing the protocols to include, rather than protocols to exclude, is supported, but not recommended. The exclusion form more closely -matches the behaviour when the OpenSSL library is newer than Postfix. +matches the behavior when the OpenSSL library is newer than Postfix.

    Since SSL version 2 has known protocol weaknesses and is now @@ -11452,7 +11452,7 @@ with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to include, rather than protocols to exclude, is supported, but not -recommended. The exclusion form more closely matches the behaviour +recommended. The exclusion form more closely matches the behavior when the OpenSSL library is newer than Postfix.

    Example:

    @@ -12196,8 +12196,8 @@ Example: (default: empty)

    -Optional Postfix SMTP server access restrictions in the context of -a remote SMTP client connection request. +Optional restrictions that the Postfix SMTP server applies in the +context of a client connection request. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.

    @@ -12832,8 +12832,8 @@ mail.

    (default: empty)

    -Optional SMTP server access restrictions in the context of a client -ETRN request. +Optional restrictions that the Postfix SMTP server applies in the +context of a client ETRN command. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.

    @@ -12969,7 +12969,7 @@ Example:

    Optional restrictions that the Postfix SMTP server applies in the -context of the SMTP HELO command. +context of a client HELO command. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.

    @@ -13407,42 +13407,43 @@ for each excess recipient.

    smtpd_recipient_restrictions
    -(default: permit_mynetworks, reject_unauth_destination)
    +(default: see "postconf -d" output)

    -The access restrictions that the Postfix SMTP server applies in -the context of the RCPT TO command. +Optional restrictions that the Postfix SMTP server applies in the +context of a client RCPT TO command, after smtpd_relay_restrictions. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.

    -

    -By default, the Postfix SMTP server accepts: -

    +

    With Postfix versions before 2.10, the rules for relay permission
    +and spam blocking were combined under smtpd_recipient_restrictions,
    +resulting in error-prone configuration. As of Postfix 2.10, relay
    +permission rules are preferably implemented with smtpd_relay_restrictions,
    +so that a permissive spam blocking policy under
    +smtpd_recipient_restrictions will no longer result in a permissive
    +mail relay policy.

    - +

    For backwards compatibility, sites that migrate from Postfix
    +versions before 2.10 can set smtpd_relay_restrictions to the empty
    +value, and use smtpd_recipient_restrictions exactly as before.

    -IMPORTANT: If you change this parameter setting, you must specify +IMPORTANT: Either the smtpd_relay_restrictions or the +smtpd_recipient_restrictions parameter must specify at least one of the following restrictions. Otherwise Postfix will refuse to receive mail:

    -reject, defer, defer_if_permit, reject_unauth_destination
    +reject, reject_unauth_destination
    +
    +
    + +
    +
    +defer, defer_if_permit, defer_unauth_destination
     
    @@ -13562,9 +13563,15 @@ matches $mydestination, $virtual_alias_domains, or $virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain). - The relay_domains_reject_code parameter specifies the response +The relay_domains_reject_code parameter specifies the response code for rejected requests (default: 554).
    +
    defer_unauth_destination
    + +
    Reject the same requests as reject_unauth_destination, with a
    +non-permanent error code. This feature is available in Postfix
    +2.10 and later.
    +
    reject_unknown_recipient_domain
    Reject the request when Postfix is not final destination for
    @@ -13623,6 +13630,8 @@ Example:

    +# The Postfix before 2.10 default mail relay policy. Later Postfix
    +# versions implement this preferably with smtpd_relay_restrictions.
     smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
     
    @@ -13792,6 +13801,77 @@ This feature is available in Postfix 2.1 and later.

    +
    + +
    smtpd_relay_restrictions
    +(default: permit_mynetworks, reject_unauth_destination)
    + +

    Access restrictions for mail relay control that the Postfix
    +SMTP server applies in the context of the RCPT TO command, before
    +smtpd_recipient_restrictions.
    +See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
    +restriction lists" for a discussion of evaluation context and time.
    +

    + +

    With Postfix versions before 2.10, the rules for relay permission
    +and spam blocking were combined under smtpd_recipient_restrictions,
    +resulting in error-prone configuration. As of Postfix 2.10, relay
    +permission rules are preferably implemented with smtpd_relay_restrictions,
    +so that a permissive spam blocking policy under
    +smtpd_recipient_restrictions will no longer result in a permissive
    +mail relay policy.

    + +

    For backwards compatibility, sites that migrate from Postfix
    +versions before 2.10 can set smtpd_relay_restrictions to the empty
    +value, and use smtpd_recipient_restrictions exactly as before.

    + +

    +By default, the Postfix SMTP server accepts: +

    + + + +

    +IMPORTANT: Either the smtpd_relay_restrictions or the
    +smtpd_recipient_restrictions parameter must specify
    +at least one of the following restrictions. Otherwise Postfix will
    +refuse to receive mail:
    +

    + +
    +
    +reject, reject_unauth_destination
    +
    +
    + +
    +
    +defer, defer_if_permit, defer_unauth_destination
    +
    +
    + +

    +Specify a list of restrictions, separated by commas and/or whitespace.
    +Continue long lines by starting the next line with whitespace.
    +The same restrictions are available as documented under
    +smtpd_recipient_restrictions.
    +

    + +

    This feature is available in Postix 2.10 and later.

    + +
    smtpd_restriction_classes
    @@ -13845,6 +13925,15 @@ access restriction can be used to permit relay access, like this:
    +# With Postfix 2.10 and later, the mail relay policy is
    +# preferably specified under smtpd_relay_restrictions.
    +smtpd_relay_restrictions =
    +    permit_mynetworks, permit_sasl_authenticated, ...
    +
    + +
    +# With Postfix before 2.10, the relay policy can be
    +# specified only under smtpd_recipient_restrictions.
     smtpd_recipient_restrictions =
         permit_mynetworks, permit_sasl_authenticated, ...
     
    @@ -14109,7 +14198,7 @@ or a list of SASL login names separated by comma and/or whitespace.

    Optional restrictions that the Postfix SMTP server applies in the -context of the MAIL FROM command. +context of a client MAIL FROM command. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.

    @@ -15031,7 +15120,7 @@ protocol exclusions. One can now explicitly exclude SSLv2 by setting SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing the protocols to include, rather than protocols to exclude, is supported, but not recommended. The exclusion form more closely -matches the behaviour when the OpenSSL library is newer than Postfix. +matches the behavior when the OpenSSL library is newer than Postfix.

    Since SSL version 2 has known protocol weaknesses and is now @@ -15076,7 +15165,7 @@ with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to include, rather than protocols to exclude, is supported, but not -recommended. The exclusion form more closely matches the behaviour +recommended. The exclusion form more closely matches the behavior when the OpenSSL library is newer than Postfix.

    Example:

    diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index 788cfec5f..1bde6223c 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html @@ -958,8 +958,8 @@ SMTPD(8) SMTPD(8) explicit ".domain.tld" pattern. smtpd_client_restrictions (empty) - Optional Postfix SMTP server access restrictions in - the context of a remote SMTP client connection + Optional restrictions that the Postfix SMTP server + applies in the context of a client connection request. smtpd_helo_required (no) 
@@ -970,72 +970,81 @@ SMTPD(8) SMTPD(8) smtpd_helo_restrictions (empty) Optional restrictions that the Postfix SMTP server - applies in the context of the SMTP HELO command. + applies in the context of a client HELO command. smtpd_sender_restrictions (empty) Optional restrictions that the Postfix SMTP server - applies in the context of the MAIL FROM command. - - smtpd_recipient_restrictions (permit_mynetworks, - reject_unauth_destination) - The access restrictions that the Postfix SMTP - server applies in the context of the RCPT TO com- + applies in the context of a client MAIL FROM com- mand. + smtpd_recipient_restrictions (see 'postconf -d' output) + Optional restrictions that the Postfix SMTP server + applies in the context of a client RCPT TO command, + after smtpd_relay_restrictions. + smtpd_etrn_restrictions (empty) - Optional SMTP server access restrictions in the - context of a client ETRN request. + Optional restrictions that the Postfix SMTP server + applies in the context of a client ETRN command. allow_untrusted_routing (no) - Forward mail with sender-specified routing - (user[@%!]remote[@%!]site) from untrusted clients + Forward mail with sender-specified routing + (user[@%!]remote[@%!]site) from untrusted clients to destinations matching $relay_domains. smtpd_restriction_classes (empty) - User-defined aliases for groups of access restric- + User-defined aliases for groups of access restric- tions. smtpd_null_access_lookup_key (<>) - The lookup key to be used in SMTP access(5) tables + The lookup key to be used in SMTP access(5) tables instead of the null sender address. permit_mx_backup_networks (empty) Restrict the use of the permit_mx_backup SMTP - access feature to only domains whose primary MX + access feature to only domains whose primary MX hosts match the listed networks. 
Available in Postfix version 2.0 and later: smtpd_data_restrictions (empty) - Optional access restrictions that the Postfix SMTP + Optional access restrictions that the Postfix SMTP server applies in the context of the SMTP DATA com- mand. smtpd_expansion_filter (see 'postconf -d' output) - What characters are allowed in $name expansions of + What characters are allowed in $name expansions of RBL reply templates. Available in Postfix version 2.1 and later: smtpd_reject_unlisted_sender (no) - Request that the Postfix SMTP server rejects mail - from unknown sender addresses, even when no - explicit reject_unlisted_sender access restriction + Request that the Postfix SMTP server rejects mail + from unknown sender addresses, even when no + explicit reject_unlisted_sender access restriction is specified. smtpd_reject_unlisted_recipient (yes) - Request that the Postfix SMTP server rejects mail + Request that the Postfix SMTP server rejects mail for unknown recipient addresses, even when no - explicit reject_unlisted_recipient access restric- + explicit reject_unlisted_recipient access restric- tion is specified. Available in Postfix version 2.2 and later: smtpd_end_of_data_restrictions (empty) - Optional access restrictions that the Postfix SMTP - server applies in the context of the SMTP END-OF- + Optional access restrictions that the Postfix SMTP + server applies in the context of the SMTP END-OF- DATA command. + Available in Postfix version 2.10 and later: + + smtpd_relay_restrictions (permit_mynetworks, + reject_unauth_destination) + Access restrictions for mail relay control that the + Postfix SMTP server applies in the context of the + RCPT TO command, before smtpd_recipient_restric- + tions. + SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS Postfix version 2.1 introduces sender and recipient address verification. This feature is implemented by diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 67797c874..0bc50986f 100644 
--- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -395,6 +395,7 @@ $local_header_rewrite_clients, .IP \(bu The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value. +.br .PP To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all". @@ -483,6 +484,7 @@ $local_header_rewrite_clients, .IP \(bu The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value. +.br .PP To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all". @@ -506,6 +508,7 @@ $local_header_rewrite_clients, .IP \(bu The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value. +.br .PP To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all". @@ -715,6 +718,7 @@ mime_nesting_limit value proportionally. Be careful when making changes. Excessively large values will result in the loss of non-delivery notifications, when a bounce message size exceeds a local or remote MTA's message size limit. +.br .SH bounce_template_file (default: empty) Pathname of a configuration file with bounce message templates. These override the built-in templates of delivery status notification @@ -771,6 +775,7 @@ $local_header_rewrite_clients, .IP \(bu The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value. +.br .PP To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all". 
@@ -805,24 +810,35 @@ with the character set that is specified with the execution_directory_expansion_filter parameter. .IP "\fB$user\fR" The recipient's username. +.br .IP "\fB$shell\fR" The recipient's login shell pathname. +.br .IP "\fB$home\fR" The recipient's home directory. +.br .IP "\fB$recipient\fR" The full recipient address. +.br .IP "\fB$extension\fR" The optional recipient address extension. +.br .IP "\fB$domain\fR" The recipient domain. +.br .IP "\fB$local\fR" The entire recipient localpart. +.br .IP "\fB$recipient_delimiter\fR" The system-wide recipient address extension delimiter. +.br .IP "\fB${name?value}\fR" Expands to \fIvalue\fR when \fI$name\fR is non-empty. +.br .IP "\fB${name:value}\fR" Expands to \fIvalue\fR when \fI$name\fR is empty. +.br +.br .PP Instead of $name you can also specify ${name} or $(name). .PP @@ -848,6 +864,7 @@ The MAIL_CONFIG environment variable (daemon processes and commands). .IP \(bu The "-c" command-line option (commands only). +.br .PP With Postfix command that run with set-gid privileges, a config_directory override requires either root privileges, or it @@ -895,6 +912,7 @@ domain; earlier versions will use $myhostname. Specify "default_filter_nexthop = $myhostname" for compatibility with Postfix 2.6 or earlier, or specify a content_filter value with an explicit next-hop \fIdestination\fR. +.br .SH cyrus_sasl_config_path (default: empty) Search path for Cyrus SASL application configuration files, currently used only to locate the $smtpd_sasl_path.conf file. 
@@ -921,12 +939,15 @@ When the notify_classes parameter value contains the "data" class, the Postfix SMTP server and client will report transcripts of sessions with an error because a table is unavailable. +.br .IP "\fB yes \fR (historical behavior)" Immediate termination: a daemon process logs a type "fatal" message and terminates immediately. This option reduces the number of possible code paths through Postfix, and may therefore be slightly more secure than the default. +.br +.br .PP For the sake of sanity, the number of type "error" messages is limited to 13 over the lifetime of a daemon process. @@ -1129,11 +1150,14 @@ The default setting of "1" is compatible with Postfix versions before 2.5, where a destination's delivery concurrency is throttled down to zero (and further delivery suspended) after a single failed pseudo-cohort. +.br .IP "\fB\fInumber\fR / concurrency \fR" Variable feedback of "\fInumber\fR / (delivery concurrency)". The \fInumber\fR must be in the range 0..1 inclusive. With \fInumber\fR equal to "1", a destination's delivery concurrency is decremented by 1 after each failed pseudo-cohort. +.br +.br .PP A pseudo-cohort is the number of deliveries equal to a destination's delivery concurrency. @@ -1162,11 +1186,14 @@ Constant feedback. The value must be in the range 0..1 inclusive. The default setting of "1" is compatible with Postfix versions before 2.5, where a destination's delivery concurrency doubles after each successful pseudo-cohort. +.br .IP "\fB\fInumber\fR / concurrency \fR" Variable feedback of "\fInumber\fR / (delivery concurrency)". The \fInumber\fR must be in the range 0..1 inclusive. With \fInumber\fR equal to "1", a destination's delivery concurrency is incremented by 1 after each successful pseudo-cohort. +.br +.br .PP A pseudo-cohort is the number of deliveries equal to a destination's delivery concurrency. 
@@ -1190,6 +1217,7 @@ With a corresponding per-destination recipient limit equal to 1, the rate delay specifies the time between deliveries to the \fIsame recipient\fR. Different recipients are delivered in parallel, subject to the process limits specified in master.cf. +.br .PP To enable the delay, specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time @@ -1236,6 +1264,7 @@ It changes the meaning of other corresponding per-destination settings in a similar manner, from settings for delivery to the \fIsame domain\fR into settings for delivery to the \fIsame recipient\fR. +.br .PP Use \fItransport\fR_destination_recipient_limit to specify a transport-specific override, where \fItransport\fR is the master.cf 
@@ -1289,48 +1318,67 @@ This feature is available in Postfix 2.0 and later. The template is subject to exactly one level of $name substitution: .IP "\fB$client\fR" The client hostname and IP address, formatted as name[address]. +.br .IP "\fB$client_address\fR" The client IP address. +.br .IP "\fB$client_name\fR" The client hostname or "unknown". See reject_unknown_client_hostname for more details. +.br .IP "\fB$reverse_client_name\fR" The client hostname from address->name lookup, or "unknown". See reject_unknown_reverse_client_hostname for more details. +.br .IP "\fB$helo_name\fR" The hostname given in HELO or EHLO command or empty string. +.br .IP "\fB$rbl_class\fR" The blacklisted entity type: Client host, Helo command, Sender address, or Recipient address. +.br .IP "\fB$rbl_code\fR" The numerical SMTP response code, as specified with the maps_rbl_reject_code configuration parameter. Note: The numerical SMTP response code is required, and must appear at the start of the reply. With Postfix version 2.3 and later this information may be followed by an RFC 3463 enhanced status code. +.br .IP "\fB$rbl_domain\fR" The RBL domain where $rbl_what is blacklisted. +.br .IP "\fB$rbl_reason\fR" The reason why $rbl_what is blacklisted, or an empty string. +.br .IP "\fB$rbl_what\fR" The entity that is blacklisted (an IP address, a hostname, a domain name, or an email address whose domain was blacklisted). +.br .IP "\fB$recipient\fR" The recipient address or <> in case of the null address. +.br .IP "\fB$recipient_domain\fR" The recipient domain or empty string. +.br .IP "\fB$recipient_name\fR" The recipient address localpart or <> in case of null address. +.br .IP "\fB$sender\fR" The sender address or <> in case of the null address. +.br .IP "\fB$sender_domain\fR" The sender domain or empty string. +.br .IP "\fB$sender_name\fR" The sender address localpart or <> in case of the null address. +.br .IP "\fB${name?text}\fR" Expands to `text' if $name is not empty. 
+.br .IP "\fB${name:text}\fR" Expands to `text' if $name is empty. +.br +.br .PP Instead of $name you can also specify ${name} or $(name). .PP @@ -1347,6 +1395,7 @@ When rejecting non-address information (such as the HELO command argument or the client hostname/address), the Postfix SMTP server will transform a sender or recipient DSN status into a generic non-address DSN status (e.g., 4.0.0). +.br .SH default_recipient_limit (default: 20000) The default per-transport upper limit on the number of in-memory recipients. These limits take priority over the global @@ -1459,6 +1508,7 @@ b = time from last active queue entry to connection setup c = time in connection setup, including DNS, EHLO and STARTTLS .IP \(bu d = time in message transmission +.br .PP This feature is available in Postfix 2.3 and later. .SH delay_notice_recipient (default: postmaster) @@ -1539,7 +1589,7 @@ disable_vrfy_command = no .ad .ft R .SH dnsblog_reply_delay (default: 0s) -A debugging aid to artifically delay DNS responses. +A debugging aid to artificially delay DNS responses. .PP This feature is available in Postfix 2.8. .SH dnsblog_service_name (default: dnsblog) @@ -1615,6 +1665,7 @@ of the queue file creation time in microseconds, after conversion into hexadecimal representation. This produces the same queue hashing behavior as if the queue file name was created with "enable_long_queue_ids = no". +.br .PP Changing the parameter value to "no" has the following effects: .IP \(bu @@ -1637,6 +1688,7 @@ with Postfix <= 2.8. The hash_queue_depth algorithm uses the first characters of the queue file name, with the hexadecimal representation of the file creation time in microseconds. +.br .PP Before migration to Postfix <= 2.8, the following commands are required to convert long queue file names into short names: 
@@ -1742,6 +1794,7 @@ the end of the relay entry. .IP \(bu In transport maps, specify "relay:\fInexthop...\fR" as the right-hand side for backup or primary MX domain entries. +.br .PP Postfix version 2.2 and later will not use the fallback_relay feature for destinations that it is MX host for. @@ -1833,24 +1886,35 @@ filtered with the character set that is specified with the forward_expansion_filter parameter. .IP "\fB$user\fR" The recipient's username. +.br .IP "\fB$shell\fR" The recipient's login shell pathname. +.br .IP "\fB$home\fR" The recipient's home directory. +.br .IP "\fB$recipient\fR" The full recipient address. +.br .IP "\fB$extension\fR" The optional recipient address extension. +.br .IP "\fB$domain\fR" The recipient domain. +.br .IP "\fB$local\fR" The entire recipient localpart. +.br .IP "\fB$recipient_delimiter\fR" The system-wide recipient address extension delimiter. +.br .IP "\fB${name?value}\fR" Expands to \fIvalue\fR when \fI$name\fR is non-empty. +.br .IP "\fB${name:value}\fR" Expands to \fIvalue\fR when \fI$name\fR is empty. +.br +.br .PP Instead of $name you can also specify ${name} or $(name). .PP @@ -1965,12 +2029,17 @@ import from a non-Postfix parent process. Examples of relevant parameters: .IP "\fBTZ\fR" Needed for sane time keeping on most System-V-ish systems. +.br .IP "\fBDISPLAY\fR" Needed for debugging Postfix daemons with an X-windows debugger. +.br .IP "\fBXAUTHORITY\fR" Needed for debugging Postfix daemons with an X-windows debugger. +.br .IP "\fBMAIL_CONFIG\fR" Needed to make "\fBpostfix -c\fR" work. +.br +.br .PP Specify a list of names and/or name=value pairs, separated by whitespace or comma. The name=value form is supported with 
@@ -2107,9 +2176,12 @@ by whitespace or comma. .IP "\fBbounce\fR" Inspect the content of delivery status notifications. +.br .IP "\fBnotify\fR" Inspect the content of postmaster notifications by the \fBsmtp\fR(8) and \fBsmtpd\fR(8) processes. +.br +.br .PP NOTE: It's generally not safe to enable content inspection of Postfix-generated email messages. The user is warned. @@ -2163,7 +2235,7 @@ When a remote LMTP server announces no DSN support, assume that the server performs final delivery, and send "delivered" delivery status notifications instead of "relayed". The default setting is backwards -compatible to avoid the infinetisimal possibility of breaking +compatible to avoid the infinitesimal possibility of breaking existing LMTP-based content filters. .SH lmtp_bind_address (default: empty) The LMTP-specific version of the smtp_bind_address configuration @@ -2207,6 +2279,7 @@ configuration parameter. Upon the onset of another delivery request, the remote LMTP server associated with the current session does not respond to the RSET command. +.br .PP Most of these limitations have been with the Postfix a connection cache that is shared among multiple LMTP client @@ -2322,6 +2395,7 @@ this action from being logged. .IP \(bu Use the lmtp_discard_lhlo_keyword_address_maps feature to discard LHLO keywords selectively. +.br .SH lmtp_dns_resolver_options (default: empty) The LMTP-specific version of the smtp_dns_resolver_options configuration parameter. See there for details. 
@@ -2510,14 +2584,19 @@ The following security features are defined for the \fBcyrus\fR client SASL implementation: .IP "\fBnoplaintext\fR" Disallow authentication methods that use plaintext passwords. +.br .IP "\fBnoactive\fR" Disallow authentication methods that are vulnerable to non-dictionary active attacks. +.br .IP "\fBnodictionary\fR" Disallow authentication methods that are vulnerable to passive dictionary attack. +.br .IP "\fBnoanonymous\fR" Disallow anonymous logins. +.br +.br .PP Example: .PP @@ -2799,16 +2878,19 @@ Specify a list of zero or more of the following: Append the domain name in $myorigin or $mydomain when the client IP address matches $inet_interfaces. This is enabled by default. +.br .IP "\fBpermit_mynetworks\fR" Append the domain name in $myorigin or $mydomain when the client IP address matches any network or network address listed in $mynetworks. This setting will not prevent remote mail header address rewriting when mail from a remote client is forwarded by a neighboring system. +.br .IP "\fBpermit_sasl_authenticated \fR" Append the domain name in $myorigin or $mydomain when the client is successfully authenticated via the RFC 4954 (AUTH) protocol. +.br .IP "\fBpermit_tls_clientcerts \fR" Append the domain name in $myorigin or $mydomain when the remote SMTP client TLS certificate fingerprint or public key fingerprint 
@@ -2816,17 +2898,21 @@ remote SMTP client TLS certificate fingerprint or public key fingerprint The fingerprint digest algorithm is configurable via the smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to Postfix version 2.5). +.br .IP "\fBpermit_tls_all_clientcerts \fR" Append the domain name in $myorigin or $mydomain when the remote SMTP client TLS certificate is successfully verified, regardless of whether it is listed on the server, and regardless of the certifying authority. +.br .IP "\fBcheck_address_map \fItype:table\fR \fR" .IP "\fB\fItype:table\fR \fR" Append the domain name in $myorigin or $mydomain when the client IP address matches the specified lookup table. The lookup result is ignored, and no subnet lookup is done. This is suitable for, e.g., pop-before-smtp lookup tables. +.br +.br .PP Examples: .PP @@ -2901,6 +2987,7 @@ You redefine the "local_transport" setting in main.cf. .IP \(bu You use the "luser_relay", "mailbox_transport", or "fallback_transport" feature of the Postfix \fBlocal\fR(8) delivery agent. +.br .PP Details are described in the LOCAL_RECIPIENT_README file. .PP @@ -2944,24 +3031,35 @@ as undeliverable. The following $name expansions are done on luser_relay: .IP "\fB$domain\fR" The recipient domain. +.br .IP "\fB$extension\fR" The recipient address extension. +.br .IP "\fB$home\fR" The recipient's home directory. +.br .IP "\fB$local\fR" The entire recipient address localpart. +.br .IP "\fB$recipient\fR" The full recipient address. +.br .IP "\fB$recipient_delimiter\fR" The system-wide recipient address extension delimiter. +.br .IP "\fB$shell\fR" The recipient's login shell. +.br .IP "\fB$user\fR" The recipient username. +.br .IP "\fB${name?value}\fR" Expands to \fIvalue\fR when \fI$name\fR has a non-empty value. +.br .IP "\fB${name:value}\fR" Expands to \fIvalue\fR when \fI$name\fR has an empty value. +.br +.br .PP Instead of $name you can also specify ${name} or $(name). .PP 
@@ -3036,43 +3134,61 @@ The following environment variables are exported to the command: .IP "\fBCLIENT_ADDRESS\fR" Remote client network address. Available in Postfix version 2.2 and later. +.br .IP "\fBCLIENT_HELO\fR" Remote client EHLO command parameter. Available in Postfix version 2.2 and later. +.br .IP "\fBCLIENT_HOSTNAME\fR" Remote client hostname. Available in Postfix version 2.2 and later. +.br .IP "\fBCLIENT_PROTOCOL\fR" Remote client protocol. Available in Postfix version 2.2 and later. +.br .IP "\fBDOMAIN\fR" The domain part of the recipient address. +.br .IP "\fBEXTENSION\fR" The optional address extension. +.br .IP "\fBHOME\fR" The recipient home directory. +.br .IP "\fBLOCAL\fR" The recipient address localpart. +.br .IP "\fBLOGNAME\fR" The recipient's username. +.br .IP "\fBORIGINAL_RECIPIENT\fR" The entire recipient address, before any address rewriting or aliasing. +.br .IP "\fBRECIPIENT\fR" The full recipient address. +.br .IP "\fBSASL_METHOD\fR" SASL authentication method specified in the remote client AUTH command. Available in Postfix version 2.2 and later. +.br .IP "\fBSASL_SENDER\fR" SASL sender address specified in the remote client MAIL FROM command. Available in Postfix version 2.2 and later. +.br .IP "\fBSASL_USER\fR" SASL username specified in the remote client AUTH command. Available in Postfix version 2.2 and later. +.br .IP "\fBSENDER\fR" The full sender address. +.br .IP "\fBSHELL\fR" The recipient's login shell. +.br .IP "\fBUSER\fR" The recipient username. +.br +.br .PP Unlike other Postfix configuration parameters, the mailbox_command parameter is not subjected to $name substitutions. This is to make @@ -3226,6 +3342,7 @@ $local_header_rewrite_clients, .IP \(bu The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value. +.br .PP To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all". 
@@ -3431,15 +3548,20 @@ The default action when a Milter (mail filter) application is unavailable or mis-configured. Specify one of the following: .IP "accept" Proceed as if the mail filter was not present. +.br .IP "reject" Reject all further commands in this session with a permanent status code. +.br .IP "tempfail" Reject all further commands in this session with a temporary status code. +.br .IP "quarantine" Like "accept", but freeze the message in the "hold" queue. Available with Postfix 2.6 and later. +.br +.br .PP This feature is available in Postfix 2.3 and later. .SH milter_end_of_data_macros (default: see "postconf -d" output) @@ -3524,18 +3646,25 @@ Protocol versions: Use Sendmail 8 mail filter protocol version 2 (default with Sendmail version 8.11 .. 8.13 and Postfix version 2.3 .. 2.5). +.br .IP "3" Use Sendmail 8 mail filter protocol version 3. +.br .IP "4" Use Sendmail 8 mail filter protocol version 4. +.br .IP "6" Use Sendmail 8 mail filter protocol version 6 (default with Sendmail version 8.14 and Postfix version 2.6). +.br +.br .PP Protocol extensions: .IP "no_header_reply" Specify this when the Milter application will not reply for each individual message header. +.br +.br .PP This feature is available in Postfix 2.3 and later. .SH milter_rcpt_macros (default: see "postconf -d" output) @@ -3670,6 +3799,7 @@ By default, the Postfix SMTP server rejects mail for recipients not listed with the local_recipient_maps parameter. See the \fBpostconf\fR(5) manual for a description of the local_recipient_maps and unknown_local_recipient_reject_code parameters. +.br .PP Specify a list of host or domain names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. A "/file/name" 
@@ -3724,7 +3854,7 @@ The list of "trusted" remote SMTP clients that have more privileges than "strangers". .PP In particular, "trusted" SMTP clients are allowed to relay mail -through Postfix. See the smtpd_recipient_restrictions parameter +through Postfix. See the smtpd_relay_restrictions parameter description in the \fBpostconf\fR(5) manual. .PP You can specify the list of "trusted" network addresses by hand @@ -3786,6 +3916,7 @@ local machine. Don't do this with a dialup site - it would cause Postfix to "trust" your entire provider's network. Instead, specify an explicit mynetworks list by hand, as described with the mynetworks configuration parameter. +.br .SH myorigin (default: $myhostname) The domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to. The default, @@ -3842,10 +3973,12 @@ Send the postmaster copies of the headers of bounced mail, and send transcripts of SMTP sessions when Postfix rejects mail. The notification is sent to the address specified with the bounce_notice_recipient configuration parameter (default: postmaster). +.br .IP "\fB2bounce\fR" Send undeliverable bounced mail to the postmaster. The notification is sent to the address specified with the 2bounce_notice_recipient configuration parameter (default: postmaster). +.br .IP "\fBdata\fR" Send the postmaster a transcript of the SMTP session with an error because a critical data file was unavailable. The notification 
@@ -3854,30 +3987,37 @@ configuration parameter (default: postmaster). .br This feature is available in Postfix 2.9 and later. +.br .IP "\fBdelay\fR" Send the postmaster copies of the headers of delayed mail. The notification is sent to the address specified with the delay_notice_recipient configuration parameter (default: postmaster). +.br .IP "\fBpolicy\fR" Send the postmaster a transcript of the SMTP session when a client request was rejected because of (UCE) policy. The notification is sent to the address specified with the error_notice_recipient configuration parameter (default: postmaster). +.br .IP "\fBprotocol\fR" Send the postmaster a transcript of the SMTP session in case of client or server protocol errors. The notification is sent to the address specified with the error_notice_recipient configuration parameter (default: postmaster). +.br .IP "\fBresource\fR" Inform the postmaster of mail not delivered due to resource problems. The notification is sent to the address specified with the error_notice_recipient configuration parameter (default: postmaster). +.br .IP "\fBsoftware\fR" Inform the postmaster of mail not delivered due to software problems. The notification is sent to the address specified with the error_notice_recipient configuration parameter (default: postmaster). +.br +.br .PP Examples: .PP @@ -3945,6 +4085,7 @@ Whitelist the client and terminate the search if the client IP address matches $mynetworks. Do not subject the client to any before/after 220 greeting tests. Pass the connection immediately to a Postfix SMTP server process. +.br .IP "\fB type:table \fR" Query the specified lookup table. Each table lookup result is an access list, except that 
@@ -3953,15 +4094,18 @@ access lists inside a table cannot specify type:table entries. To discourage the use of hash, btree, etc. tables, there is no support for substring matching like \fBsmtpd\fR(8). Use CIDR tables instead. +.br .IP "\fB permit \fR" Whitelist the client and terminate the search. Do not subject the client to any before/after 220 greeting tests. Pass the connection immediately to a Postfix SMTP server process. +.br .IP "\fB reject \fR" Blacklist the client and terminate the search. Subject the client to the action configured with the postscreen_blacklist_action configuration parameter. +.br .IP "\fB dunno \fR" All \fBpostscreen\fR(8) access lists implicitly have this command at the end. @@ -3973,6 +4117,8 @@ evaluate the next command. When \fB dunno \fR is executed outside a lookup table, terminate the search, and subject the client to the configured before/after 220 greeting tests. +.br +.br .PP Example: .PP @@ -4010,13 +4156,17 @@ Do \fInot\fR repeat this test before some the result from some other test expires. This option is useful for testing and collecting statistics without blocking mail permanently. +.br .IP "\fBenforce\fR" Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects. +.br .IP "\fBdrop\fR" Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects. +.br +.br .PP This feature is available in Postfix 2.8. .SH postscreen_bare_newline_enable (default: no) 
@@ -4048,13 +4198,17 @@ Ignore this result. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail. +.br .IP "\fBenforce\fR" Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects. +.br .IP "\fBdrop\fR" Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects. +.br +.br .PP This feature is available in Postfix 2.8. .SH postscreen_cache_cleanup_interval (default: 12h) @@ -4153,13 +4307,17 @@ Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail. +.br .IP "\fBenforce\fR" Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects. +.br .IP "\fBdrop\fR" Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects. +.br +.br .PP This feature is available in Postfix 2.8. .SH postscreen_dnsbl_reply_map (default: empty) @@ -4227,6 +4385,7 @@ whitelisting. .IP \(bu When one postscreen_dnsbl_sites entry produces multiple DNSBL responses, \fBpostscreen\fR(8) applies the weight at most once. +.br .PP Examples: .PP 
@@ -4298,13 +4457,17 @@ Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail. +.br .IP "\fBenforce\fR" Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects. +.br .IP "\fBdrop\fR" Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects. +.br +.br .PP In either case, \fBpostscreen\fR(8) will not whitelist the remote SMTP client IP address. @@ -4358,15 +4521,19 @@ Do \fInot\fR repeat this test before some the result from some other test expires. This option is useful for testing and collecting statistics without blocking mail permanently. +.br .IP "\fBenforce\fR" Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects. +.br .IP "\fBdrop\fR" Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects. This action is the same as with the Postfix SMTP server's smtpd_forbidden_commands feature. +.br +.br .PP This feature is available in Postfix 2.8. .SH postscreen_non_smtp_command_enable (default: no) 
@@ -4398,13 +4565,17 @@ Do \fInot\fR repeat this test before some the result from some other test expires. This option is useful for testing and collecting statistics without blocking mail permanently. +.br .IP "\fBenforce\fR" Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects. +.br .IP "\fBdrop\fR" Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects. +.br +.br .PP This feature is available in Postfix 2.8. .SH postscreen_pipelining_enable (default: no) @@ -4430,7 +4601,7 @@ This feature is available in Postfix 2.8. The number of clients that can be waiting for service from a real Postfix SMTP server process. When this queue is full, all clients will -receive a 421 reponse. +receive a 421 response. .PP This feature is available in Postfix 2.8. .SH postscreen_pre_queue_limit (default: $default_process_limit) @@ -4438,7 +4609,7 @@ The number of non-whitelisted clients that can be waiting for a decision whether they will receive service from a real Postfix SMTP server process. When this queue is full, all non-whitelisted clients will -receive a 421 reponse. +receive a 421 response. .PP This feature is available in Postfix 2.8. .SH postscreen_reject_footer (default: $smtpd_reject_footer) 
@@ -4789,17 +4960,22 @@ cleanup server. .IP "\fBno_unknown_recipient_checks\fR" Do not try to reject unknown recipients (SMTP server only). This is typically specified AFTER an external content filter. +.br .IP "\fBno_address_mappings\fR" Disable canonical address mapping, virtual alias map expansion, address masquerading, and automatic BCC (blind carbon-copy) recipients. This is typically specified BEFORE an external content filter. +.br .IP "\fBno_header_body_checks\fR" Disable header/body_checks. This is typically specified AFTER an external content filter. +.br .IP "\fBno_milters\fR" Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter. +.br +.br .PP Note: when the "BEFORE content filter" receive_override_options setting is specified in the main.cf file, specify the "AFTER content @@ -4842,6 +5018,7 @@ Look up the "user" address local part when the recipient domain equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces. .IP \(bu Look up the "@domain.tld" part. +.br .PP Specify the types and names of databases to use. After change, run "\fBpostmap /etc/postfix/recipient_bcc\fR". @@ -5258,6 +5435,7 @@ Look up the "user" address local part when the sender domain equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces. .IP \(bu Look up the "@domain.tld" part. +.br .PP Specify the types and names of databases to use. After change, run "\fBpostmap /etc/postfix/sender_bcc\fR". 
@@ -5344,14 +5522,18 @@ line endings from into UNIX format (). Always convert message lines ending in . This setting is the default with Postfix 2.9 and later. +.br .IP "\fBstrict\fR" Convert message lines ending in only if the first input line ends in . This setting is backwards-compatible with Postfix 2.8 and earlier. +.br .IP "\fBnever\fR" Never convert message lines ending in . This setting exists for completeness only. +.br +.br .PP This feature is available in Postfix 2.9 and later. .SH sendmail_path (default: see "postconf -d" output) @@ -5507,6 +5689,7 @@ defined above, a "type:table" with domain names and/or relay host names on the left-hand side. The right-hand side result from "type:table" lookups is ignored. +.br .PP This feature is available in Postfix 2.2 and later. .SH smtp_connection_cache_on_demand (default: yes) @@ -5647,6 +5830,7 @@ this action from being logged. .IP \(bu Use the smtp_discard_ehlo_keyword_address_maps feature to discard EHLO keywords selectively. +.br .SH smtp_dns_resolver_options (default: empty) DNS Resolver options for the Postfix SMTP client. Specify zero or more of the following options, separated by comma or whitespace. @@ -5656,10 +5840,13 @@ that are specified in the file /etc/resolv.conf or equivalent. Append the current domain name to single-component names (those that do not contain a "." character). This can produce incorrect results, and is the hard-coded behavior prior to Postfix 2.8. +.br .IP "\fBres_dnsrch\fR" Search for host names in the current domain and in parent domains. This can produce incorrect results and is therefore not recommended. +.br +.br .PP This feature is available in Postfix 2.8 and later. .SH smtp_enforce_tls (default: no) 
@@ -5759,11 +5946,15 @@ address. This parameter is ignored when DNS lookups are disabled Specify one of the following: .IP "\fBdns\fR" Hosts can be found in the DNS (preferred). +.br .IP "\fBnative\fR" Use the native naming service only (nsswitch.conf, or equivalent mechanism). +.br .IP "\fBdns, native\fR" Use the native service for hosts not found in the DNS. +.br +.br .PP This feature is available in Postfix 2.1 and later. .SH smtp_line_length_limit (default: 998) @@ -5871,9 +6062,12 @@ Insert a delay before sending "." after the end of the message content. The delay is subject to the smtp_pix_workaround_delay_time and smtp_pix_workaround_threshold_time parameter settings. +.br .IP "\fBdisable_esmtp\fR Disable all extended SMTP commands: send HELO instead of EHLO. +.br +.br .PP This feature is available in Postfix 2.4 and later. The default settings are backwards compatible with earlier Postfix versions. @@ -5934,6 +6128,7 @@ the enhanced status code (X.Y.Z). When the enhanced status code initial digit differs from the SMTP reply code initial digit, or when no enhanced status code is present, the Postfix SMTP client uses a generic enhanced status code (X.0.0) instead. +.br .PP Specify the name of a "type:table" lookup table. The search string is a single SMTP reply line as received from the remote SMTP @@ -6110,15 +6305,21 @@ client SASL implementation: Specify zero or more of the following: .IP "\fBnoplaintext\fR" Disallow methods that use plaintext passwords. +.br .IP "\fBnoactive\fR" Disallow methods subject to active (non-dictionary) attack. +.br .IP "\fBnodictionary\fR" Disallow methods subject to passive (dictionary) attack. +.br .IP "\fBnoanonymous\fR" Disallow methods that allow anonymous authentication. +.br .IP "\fBmutual_auth\fR" Only allow methods that provide mutual authentication (not available with SASL version 1). +.br +.br .PP Example: .PP 
@@ -6644,18 +6845,24 @@ a lower logging level. — no logging of remote SMTP server certificate trust-chain verification errors if server certificate verification is not required. With Postfix 2.8 and earlier, disable logging of TLS activity. +.br .IP "" 1 Also log remote SMTP server trust-chain verification errors and peer certificate summary information. With Postfix 2.8 and earlier, log TLS handshake and certificate information. +.br .IP "" 2 Also log levels during TLS negotiation. +.br .IP "" 3 Also log hexadecimal and ASCII dump of TLS negotiation process. +.br .IP "" 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS. +.br +.br .PP Do not use "smtp_tls_loglevel = 2" or higher except in case of problems. Use of loglevel 4 is strongly discouraged. @@ -6678,15 +6885,18 @@ not recommended for mandatory encryption unless you must enforce TLS with "crippled" peers. The underlying cipherlist is specified via the tls_export_cipherlist configuration parameter, which you are strongly encouraged to not change. +.br .IP "\fBlow\fR" Enable "LOW" grade or better OpenSSL ciphers. This setting is only appropriate for internal mail servers. The underlying cipherlist is specified via the tls_low_cipherlist configuration parameter, which you are strongly encouraged to not change. +.br .IP "\fBmedium\fR" Enable "MEDIUM" grade or better OpenSSL ciphers. The underlying cipherlist is specified via the tls_medium_cipherlist configuration parameter, which you are strongly encouraged to not change. +.br .IP "\fBhigh\fR" Enable only "HIGH" grade OpenSSL ciphers. This setting may be appropriate when all mandatory TLS destinations (e.g. when all 
@@ -6694,6 +6904,7 @@ mail is routed to a suitably capable relayhost) support at least one "HIGH" grade cipher. The underlying cipherlist is specified via the tls_high_cipherlist configuration parameter, which you are strongly encouraged to not change. +.br .IP "\fBnull\fR" Enable only the "NULL" OpenSSL ciphers, these provide authentication without encryption. This setting is only appropriate in the rare case @@ -6703,6 +6914,8 @@ UNIX-domain socket that is configured to support "NULL" ciphers. The underlying cipherlist is specified via the tls_null_cipherlist configuration parameter, which you are strongly encouraged to not change. +.br +.br .PP The underlying cipherlists for grades other than "null" include anonymous ciphers, but these are automatically filtered out if the @@ -6745,7 +6958,7 @@ protocol exclusions. One can now explicitly exclude SSLv2 by setting SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing the protocols to include, rather than protocols to exclude, is supported, but not recommended. The exclusion form more closely -matches the behaviour when the OpenSSL library is newer than Postfix. +matches the behavior when the OpenSSL library is newer than Postfix. .PP Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that by @@ -6809,6 +7022,7 @@ Don't use TLS at all. This overrides a less specific \fBMAY\fR lookup result from the alternate host or next-hop lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername settings. +.br .IP "MAY" Try to use TLS if the server announces support, otherwise use the unencrypted connection. This has less precedence 
@@ -6816,6 +7030,7 @@ than a more specific result (including \fBNONE\fR) from the alternate host or next-hop lookup key, and has less precedence than the more specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername = yes". +.br .IP "MUST_NOPEERMATCH" Require TLS encryption, but do not require that the remote SMTP server hostname matches the information @@ -6824,6 +7039,7 @@ was issued by a trusted CA. This overrides a less secure \fBNONE\fR or a less specific \fBMAY\fR lookup result from the alternate host or next-hop lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername settings. +.br .IP "MUST" Require TLS encryption, require that the remote SMTP server hostname matches the information in the remote SMTP @@ -6833,6 +7049,8 @@ and \fBMUST_NOPEERMATCH\fR or a less specific \fBMAY\fR lookup result from the alternate host or next-hop lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername settings. +.br +.br .PP The above keywords correspond to the "none", "may", "encrypt" and "verify" security levels for the new smtp_tls_security_level parameter @@ -6885,6 +7103,7 @@ related main.cf settings. The TLS security levels in order of increasing security are: .IP "\fBnone\fR" No TLS. No additional attributes are supported at this level. +.br .IP "\fBmay\fR" Opportunistic TLS. Since sending in the clear is acceptable, demanding stronger than default TLS security merely reduces @@ -6895,6 +7114,7 @@ override the "smtp_tls_ciphers", "smtp_tls_exclude_ciphers" and handshakes fail, Postfix retries the connection with TLS disabled. This allows mail delivery to sites with non-interoperable TLS implementations. +.br .IP "\fBencrypt\fR" Mandatory TLS encryption. At this level and higher, the optional "protocols" attribute overrides the main.cf 
@@ -6904,6 +7124,7 @@ optional "exclude" attribute (Postfix >= 2.6) overrides the main.cf smtp_tls_mandatory_exclude_ciphers parameter. In the policy table, multiple protocols or excluded ciphers must be separated by colons, as attribute values may not contain whitespace or commas. +.br .IP "\fBfingerprint\fR" Certificate fingerprint verification. Available with Postfix 2.5 and later. At this security @@ -6919,6 +7140,7 @@ be combined with a "|" delimiter in a single match attribute, or multiple match attributes can be employed. The ":" character is not used as a delimiter as it occurs between each pair of fingerprint (hexadecimal) digits. +.br .IP "\fBverify\fR" Mandatory TLS verification. At this security level, DNS MX lookups are trusted to be secure enough, and the name @@ -6928,6 +7150,7 @@ the main.cf smtp_tls_verify_cert_match parameter. In the policy table, multiple match patterns and strategies must be separated by colons. In practice explicit control over matching is more common with the "secure" policy, described below. +.br .IP "\fBsecure\fR" Secure-channel TLS. At this security level, DNS MX lookups, though potentially used to determine the candidate next-hop @@ -6945,6 +7168,8 @@ verification, they risk delivery to the wrong destination when domains change hands or are re-assigned to new gateways. With the "match" attribute approach, routing is not perturbed, and mail is deferred if verification of a new MX host fails. +.br +.br .PP Example: .PP @@ -7007,7 +7232,7 @@ with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to include, rather than protocols to exclude, is supported, but not -recommended. The exclusion form more closely matches the behaviour +recommended. The exclusion form more closely matches the behavior when the OpenSSL library is newer than Postfix. .PP Example: 
@@ -7088,6 +7313,7 @@ Specify one of the following security levels: .IP "\fBnone\fR" TLS will not be used unless enabled for specific destinations via smtp_tls_policy_maps. +.br .IP "\fBmay\fR" Opportunistic TLS. Use TLS if this is supported by the remote SMTP server, otherwise use plaintext. Since @@ -7101,6 +7327,7 @@ are disabled. When TLS handshakes fail, the connection is retried with TLS disabled. This allows mail delivery to sites with non-interoperable TLS implementations. +.br .IP "\fBencrypt\fR" Mandatory TLS encryption. Since a minimum level of security is intended, it is reasonable to be specific about @@ -7110,6 +7337,7 @@ smtp_tls_mandatory_ciphers specify the TLS protocols and minimum cipher grade which the administrator considers secure enough for mandatory encrypted sessions. This security level is not an appropriate default for systems delivering mail to the Internet. +.br .IP "\fBfingerprint\fR" Certificate fingerprint verification. Available with Postfix 2.5 and later. At this security @@ -7120,6 +7348,7 @@ fingerprint or public key fingerprint (Postfix 2.9 and later) of the valid server certificate. The digest algorithm used to calculate the fingerprint is selected by the \fBsmtp_tls_fingerprint_digest\fR parameter. +.br .IP "\fBverify\fR" Mandatory TLS verification. At this security level, DNS MX lookups are trusted to be secure enough, and the name @@ -7129,6 +7358,7 @@ parameter controls how the server name is verified. In practice explicit control over matching is more common at the "secure" level, described below. This security level is not an appropriate default for systems delivering mail to the Internet. +.br .IP "\fBsecure\fR" Secure-channel TLS. At this security level, DNS MX lookups, though potentially used to determine the candidate 
@@ -7139,6 +7369,8 @@ in the smtp_tls_secure_cert_match configuration parameter. The default matching rule is that a server certificate matches when its name is equal to or is a sub-domain of the nexthop domain. This security level is not an appropriate default for systems delivering mail to the Internet. +.br +.br .PP Examples: .PP @@ -7279,11 +7511,14 @@ Patterns specify domain names, or domain name suffixes: Match the \fIexample.com\fR domain, i.e. one of the names the server certificate must be \fIexample.com\fR, upper and lower case distinctions are ignored. +.br .IP "\fI.example.com\fR" Match subdomains of the \fIexample.com\fR domain, i.e. match a name in the server certificate that consists of a non-zero number of labels followed by a \fI.example.com\fR suffix. Case distinctions are ignored. +.br +.br .PP Strategies specify a transformation from the next-hop domain to the expected name in the server certificate: @@ -7296,9 +7531,11 @@ domain prior to the MX lookup, not the result of the MX lookup. For LMTP delivery via UNIX-domain sockets, the verified next-hop name is $myhostname. This strategy is suitable for use with the "secure" policy. Case is ignored. +.br .IP "dot-nexthop" As above, but match server certificate names that are subdomains of the next-hop domain. Case is ignored. +.br .IP "hostname" Match against the hostname of the server, often obtained via an unauthenticated DNS MX lookup. For LMTP delivery via @@ -7308,6 +7545,8 @@ smtp_tls_per_site table, and is suitable for use with the "verify" security level. When the next-hop name is enclosed in square brackets to suppress MX lookups, the "hostname" strategy is the same as the "nexthop" strategy. Case is ignored. +.br +.br .PP Sample main.cf setting: .PP 
@@ -7582,8 +7821,8 @@ smtpd_client_recipient_rate_limit = 1000 .ad .ft R .SH smtpd_client_restrictions (default: empty) -Optional Postfix SMTP server access restrictions in the context of -a remote SMTP client connection request. +Optional restrictions that the Postfix SMTP server applies in the +context of a client connection request. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time. .PP @@ -7605,22 +7844,26 @@ The fingerprint digest algorithm is configurable via the smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to Postfix version 2.5). This feature is available with Postfix version 2.2 and later. +.br .IP "\fBcheck_client_access \fItype:table\fR\fR" Search the specified access database for the client hostname, parent domains, client IP address, or networks obtained by stripping least significant octets. See the \fBaccess\fR(5) manual page for details. +.br .IP "\fBcheck_client_mx_access \fItype:table\fR\fR" Search the specified \fBaccess\fR(5) database for the MX hosts for the client hostname, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.7 and later. +.br .IP "\fBcheck_client_ns_access \fItype:table\fR\fR" Search the specified \fBaccess\fR(5) database for the DNS servers for the client hostname, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.7 and later. +.br .IP "\fBcheck_reverse_client_hostname_access \fItype:table\fR\fR" Search the specified access database for the unverified reverse client hostname, parent domains, client IP address, or networks 
@@ -7629,27 +7872,33 @@ manual page for details. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.6 and later. +.br .IP "\fBcheck_reverse_client_hostname_mx_access \fItype:table\fR\fR" Search the specified \fBaccess\fR(5) database for the MX hosts for the unverified reverse client hostname, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.7 and later. +.br .IP "\fBcheck_reverse_client_hostname_ns_access \fItype:table\fR\fR" Search the specified \fBaccess\fR(5) database for the DNS servers for the unverified reverse client hostname, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.7 and later. +.br .IP "\fBpermit_inet_interfaces\fR" Permit the request when the client IP address matches $inet_interfaces. +.br .IP "\fBpermit_mynetworks\fR" Permit the request when the client IP address matches any network or network address listed in $mynetworks. +.br .IP "\fBpermit_sasl_authenticated\fR" Permit the request when the client is successfully authenticated via the RFC 4954 (AUTH) protocol. +.br .IP "\fBpermit_tls_all_clientcerts\fR" Permit the request when the remote SMTP client certificate is verified successfully. This option must be used only if a special 
@@ -7659,6 +7908,7 @@ be allowed to relay. Specify "tls_append_default_CA = no" when the trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, to prevent Postfix from appending the system-supplied default CAs. This feature is available with Postfix version 2.2. +.br .IP "\fBpermit_tls_clientcerts\fR" Permit the request when the remote SMTP client certificate fingerprint or public key fingerprint (Postfix 2.9 and later) is @@ -7667,6 +7917,7 @@ The fingerprint digest algorithm is configurable via the smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to Postfix version 2.5). This feature is available with Postfix version 2.2. +.br .IP "\fBreject_rbl_client \fIrbl_domain=d.d.d.d\fR\fR" Reject the request when the reversed client network address is listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR @@ -7682,6 +7933,7 @@ rejected requests (default: 554), the default_rbl_reply parameter specifies the default server reply, and the rbl_reply_maps parameter specifies tables with server replies indexed by \fIrbl_domain\fR. This feature is available in Postfix 2.0 and later. +.br .IP "\fBpermit_dnswl_client \fIdnswl_domain=d.d.d.d\fR\fR" Accept the request when the reversed client network address is listed with the A record "\fId.d.d.d\fR" under \fIdnswl_domain\fR. @@ -7695,6 +7947,7 @@ For safety, permit_dnswl_client is silently ignored when it would override reject_unauth_destination. The result is DEFER_IF_REJECT when whitelist lookup fails. This feature is available in Postfix 2.8 and later. +.br .IP "\fBreject_rhsbl_client \fIrbl_domain=d.d.d.d\fR\fR" Reject the request when the client hostname is listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR (Postfix version 
@@ -7708,6 +7961,7 @@ description above for additional RBL related configuration parameters. This feature is available in Postfix 2.0 and later; with Postfix version 2.8 and later, reject_rhsbl_reverse_client will usually produce better results. +.br .IP "\fBpermit_rhswl_client \fIrhswl_domain=d.d.d.d\fR\fR" Accept the request when the client hostname is listed with the A record "\fId.d.d.d\fR" under \fIrhswl_domain\fR. Each "\fId\fR" @@ -7725,6 +7979,7 @@ For safety, permit_rhswl_client is silently ignored when it would override reject_unauth_destination. The result is DEFER_IF_REJECT when whitelist lookup fails. This feature is available in Postfix 2.8 and later. +.br .IP "\fBreject_rhsbl_reverse_client \fIrbl_domain=d.d.d.d\fR\fR" Reject the request when the unverified reverse client hostname is listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR. @@ -7735,6 +7990,7 @@ unverified reverse client hostname is listed with any A record under \fIrbl_domain\fR. See the reject_rbl_client description above for additional RBL related configuration parameters. This feature is available in Postfix 2.8 and later. +.br .IP "\fBreject_unknown_client_hostname\fR (with Postfix < 2.3: reject_unknown_client)" Reject the request when 1) the client IP address->name mapping fails, 2) the name->address mapping fails, or 3) the name->address @@ -7749,6 +8005,7 @@ unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450). The reply is always 450 in case the address->name or name->address lookup failed due to a temporary problem. +.br .IP "\fBreject_unknown_reverse_client_hostname\fR" Reject the request when the client IP address has no address->name mapping. @@ -7765,6 +8022,8 @@ problem. .br This feature is available in Postfix 2.3 and later. +.br +.br .PP In addition, you can use any of the following generic restrictions. These restrictions are applicable in 
@@ -7773,6 +8032,7 @@ any SMTP command context. Query the specified policy server. See the SMTPD_POLICY_README document for details. This feature is available in Postfix 2.1 and later. +.br .IP "\fBdefer\fR" Defer the request. The client is told to try again later. This restriction is useful at the end of a restriction list, to make @@ -7780,19 +8040,23 @@ the default policy explicit. .br The defer_code parameter specifies the SMTP server reply code (default: 450). +.br .IP "\fBdefer_if_permit\fR" Defer the request if some later restriction would result in an explicit or implicit PERMIT action. This is useful when a blacklisting feature fails due to a temporary problem. This feature is available in Postfix version 2.1 and later. +.br .IP "\fBdefer_if_reject\fR" Defer the request if some later restriction would result in a REJECT action. This is useful when a whitelisting feature fails due to a temporary problem. This feature is available in Postfix version 2.1 and later. +.br .IP "\fBpermit\fR" Permit the request. This restriction is useful at the end of a restriction list, to make the default policy explicit. +.br .IP "\fBreject_multi_recipient_bounce\fR" Reject the request when the envelope sender is the null address, and the message has multiple envelope recipients. This usage has @@ -7809,6 +8073,7 @@ Use at the RCPT stage will only reject the second etc. recipient. The multi_recipient_bounce_reject_code parameter specifies the response code for rejected requests (default: 550). This feature is available in Postfix 2.1 and later. +.br .IP "\fBreject_plaintext_session\fR" Reject the request when the connection is not encrypted. This restriction should not be used before the client has had a chance 
@@ -7817,6 +8082,7 @@ to negotiate encryption with the AUTH or STARTTLS commands. The plaintext_reject_code parameter specifies the response code for rejected requests (default: 450). This feature is available in Postfix 2.3 and later. +.br .IP "\fBreject_unauth_pipelining\fR" Reject the request when the client sends SMTP commands ahead of time where it is not allowed, or when the client sends SMTP @@ -7834,11 +8100,13 @@ session. With older Postfix versions, reject_unauth_pipelining checks the current status of the input read queue, and its usage is not recommended in contexts other than smtpd_data_restrictions. +.br .IP "\fBreject\fR" Reject the request. This restriction is useful at the end of a restriction list, to make the default policy explicit. The reject_code configuration parameter specifies the response code for rejected requests (default: 554). +.br .IP "\fBsleep \fIseconds\fR\fR" Pause for the specified number of seconds and proceed with the next restriction in the list, if any. This may stop zombie @@ -7854,6 +8122,7 @@ mail when used as: .ad .ft R This feature is available in Postfix 2.3. +.br .IP "\fBwarn_if_reject\fR" A safety net for testing. When "warn_if_reject" is placed before a reject-type restriction, access table query, or @@ -7863,6 +8132,8 @@ due to a temporary error, this logs a "reject_warning" message for any implicit "defer_if_permit" actions that would normally prevent mail from being accepted by some later access restriction). This feature has no effect on defer_if_reject restrictions. +.br +.br .PP Other restrictions that are valid in this context: .IP \(bu @@ -7873,6 +8144,7 @@ recipient restrictions are listed under smtpd_client_restrictions, they have effect only with "smtpd_delay_reject = yes", so that $smtpd_client_restrictions is evaluated at the time of the RCPT TO command. +.br .PP Example: .PP 
@@ -7908,6 +8180,7 @@ to translate these into domain names if necessary. Use "strict_rfc821_envelopes = no" to accept "RCPT TO:<\fIUser Name >\fR". Postfix will ignore the "\fIUser Name\fR" part and deliver to the \fI\fR address. +.br .PP Examples of problems that can be solved with the smtpd_command_filter feature: @@ -7999,6 +8272,7 @@ multi-recipient mail. Acting on only one recipient would be misleading, because any decision will affect all recipients equally. Acting on all recipients would require a possibly very large amount of memory, and would also be misleading for the reasons mentioned before. +.br .PP Examples: .PP @@ -8061,6 +8335,7 @@ this action from being logged. .IP \(bu Use the smtpd_discard_ehlo_keyword_address_maps feature to discard EHLO keywords selectively. +.br .SH smtpd_end_of_data_restrictions (default: empty) Optional access restrictions that the Postfix SMTP server applies in the context of the SMTP END-OF-DATA command. @@ -8094,8 +8369,8 @@ sending a reject (4xx or 5xx) response, when the client has made fewer than $smtpd_soft_error_limit errors without delivering mail. .SH smtpd_etrn_restrictions (default: empty) -Optional SMTP server access restrictions in the context of a client -ETRN request. +Optional restrictions that the Postfix SMTP server applies in the +context of a client ETRN command. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time. .PP @@ -8113,6 +8388,8 @@ received with the ETRN command. .IP "\fBcheck_etrn_access \fItype:table\fR\fR" Search the specified access database for the ETRN domain name or its parent domains. See the \fBaccess\fR(5) manual page for details. +.br +.br .PP Other restrictions that are valid in this context: .IP \(bu 
@@ -8121,6 +8398,7 @@ in any SMTP command context, described under smtpd_client_restrictions. .IP \(bu SMTP command specific restrictions described under smtpd_client_restrictions and smtpd_helo_restrictions. +.br .PP Example: .PP @@ -8169,7 +8447,7 @@ smtpd_helo_required = yes .ft R .SH smtpd_helo_restrictions (default: empty) Optional restrictions that the Postfix SMTP server applies in the -context of the SMTP HELO command. +context of a client HELO command. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time. .PP @@ -8192,6 +8470,7 @@ hostname or parent domains, and execute the corresponding action. Note: specify "smtpd_helo_required = yes" to fully enforce this restriction (without "smtpd_helo_required = yes", a client can simply skip check_helo_access by not sending HELO or EHLO). +.br .IP "\fBcheck_helo_mx_access \fItype:table\fR\fR" Search the specified \fBaccess\fR(5) database for the MX hosts for the HELO or EHLO hostname, and execute the corresponding action. @@ -8201,6 +8480,7 @@ use DUNNO in order to exclude specific hosts from blacklists. Note restriction (without "smtpd_helo_required = yes", a client can simply skip check_helo_mx_access by not sending HELO or EHLO). This feature is available in Postfix 2.1 and later. +.br .IP "\fBcheck_helo_ns_access \fItype:table\fR\fR" Search the specified \fBaccess\fR(5) database for the DNS servers for the HELO or EHLO hostname, and execute the corresponding action. 
@@ -8210,6 +8490,7 @@ use DUNNO in order to exclude specific hosts from blacklists. Note restriction (without "smtpd_helo_required = yes", a client can simply skip check_helo_ns_access by not sending HELO or EHLO). This feature is available in Postfix 2.1 and later. +.br .IP "\fBreject_invalid_helo_hostname\fR (with Postfix < 2.3: reject_invalid_hostname)" Reject the request when the HELO or EHLO hostname is malformed. Note: specify "smtpd_helo_required = yes" to fully enforce @@ -8218,6 +8499,7 @@ skip reject_invalid_helo_hostname by not sending HELO or EHLO). .br The invalid_hostname_reject_code specifies the response code for rejected requests (default: 501). +.br .IP "\fBreject_non_fqdn_helo_hostname\fR (with Postfix < 2.3: reject_non_fqdn_hostname)" Reject the request when the HELO or EHLO hostname is not in fully-qualified domain form, as required by the RFC. Note: specify @@ -8227,6 +8509,7 @@ reject_non_fqdn_helo_hostname by not sending HELO or EHLO). .br The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504). +.br .IP "\fBreject_rhsbl_helo \fIrbl_domain=d.d.d.d\fR\fR" Reject the request when the HELO or EHLO hostname hostname is listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR @@ -8242,6 +8525,7 @@ enforce this restriction (without "smtpd_helo_required = yes", a client can simply skip reject_rhsbl_helo by not sending HELO or EHLO). This feature is available in Postfix 2.0 and later. +.br .IP "\fBreject_unknown_helo_hostname\fR (with Postfix < 2.3: reject_unknown_hostname)" Reject the request when the HELO or EHLO hostname has no DNS A or MX record. @@ -8256,6 +8540,8 @@ defer_if_permit). Note: specify "smtpd_helo_required = yes" to fully enforce this restriction (without "smtpd_helo_required = yes", a client can simply skip reject_unknown_helo_hostname by not sending HELO or EHLO). +.br +.br .PP Other restrictions that are valid in this context: .IP \(bu 
@@ -8271,6 +8557,7 @@ sender or recipient restrictions are listed under smtpd_helo_restrictions, they have effect only with "smtpd_delay_reject = yes", so that $smtpd_helo_restrictions is evaluated at the time of the RCPT TO command. +.br .PP Examples: .PP @@ -8421,6 +8708,8 @@ is accepting all recipients. NOTE 2: This feature increases the minimum amount of free queue space by $message_size_limit. The extra space is needed to save the message to a temporary file. +.br +.br .PP This feature is available in Postfix 2.7 and later. .SH smtpd_proxy_timeout (default: 100s) 
@@ -8441,25 +8730,26 @@ The number of recipients that a remote SMTP client can send in excess of the limit specified with $smtpd_recipient_limit, before the Postfix SMTP server increments the per-session error count for each excess recipient. -.SH smtpd_recipient_restrictions (default: permit_mynetworks, reject_unauth_destination) -The access restrictions that the Postfix SMTP server applies in -the context of the RCPT TO command. +.SH smtpd_recipient_restrictions (default: see "postconf -d" output) +Optional restrictions that the Postfix SMTP server applies in the +context of a client RCPT TO command, after smtpd_relay_restrictions. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time. .PP -By default, the Postfix SMTP server accepts: -.IP \(bu -Mail from clients whose IP address matches $mynetworks, or: -.IP \(bu -Mail to remote destinations that match $relay_domains, except -for addresses that contain sender-specified routing -(user@elsewhere@domain), or: -.IP \(bu -Mail to local destinations that match $inet_interfaces -or $proxy_interfaces, $mydestination, $virtual_alias_domains, or -$virtual_mailbox_domains. +With Postfix versions before 2.10, the rules for relay permission +and spam blocking were combined under smtpd_recipient_restrictions, +resulting in error-prone configuration. As of Postfix 2.10, relay +permission rules are preferably implemented with smtpd_relay_restrictions, +so that a permissive spam blocking policy under +smtpd_recipient_restrictions will no longer result in a permissive +mail relay policy. .PP -IMPORTANT: If you change this parameter setting, you must specify +For backwards compatibility, sites that migrate from Postfix +versions before 2.10 can set smtpd_relay_restrictions to the empty +value, and use smtpd_recipient_restrictions exactly as before. 
+.PP +IMPORTANT: Either the smtpd_relay_restrictions or the +smtpd_recipient_restrictions parameter must specify at least one of the following restrictions. Otherwise Postfix will refuse to receive mail: .sp @@ -8467,7 +8757,17 @@ refuse to receive mail: .nf .na .ft C -reject, defer, defer_if_permit, reject_unauth_destination +reject, reject_unauth_destination +.fi +.ad +.ft R +.in -4 +.sp +.in +4 +.nf +.na +.ft C +defer, defer_if_permit, defer_unauth_destination .fi .ad .ft R @@ -8484,18 +8784,21 @@ that is received with the RCPT TO command. Search the specified \fBaccess\fR(5) database for the resolved RCPT TO address, domain, parent domains, or localpart@, and execute the corresponding action. +.br .IP "\fBcheck_recipient_mx_access \fItype:table\fR\fR" Search the specified \fBaccess\fR(5) database for the MX hosts for the RCPT TO domain, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later. +.br .IP "\fBcheck_recipient_ns_access \fItype:table\fR\fR" Search the specified \fBaccess\fR(5) database for the DNS servers for the RCPT TO domain, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later. +.br .IP "\fBpermit_auth_destination\fR" Permit the request when one of the following is true: .IP \(bu @@ -8507,6 +8810,8 @@ Postfix is the final destination: the resolved RCPT TO domain matches $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains, and the address contains no sender-specified routing (user@elsewhere@domain). +.br +.br .IP "\fBpermit_mx_backup\fR" Permit the request when the local mail system is backup MX for the RCPT TO domain, or when the domain is an authorized destination 
@@ -8526,6 +8831,8 @@ for definition). .IP \(bu Limitation: mail may be rejected in case of a temporary DNS lookup problem with Postfix prior to version 2.0. +.br +.br .IP "\fBreject_non_fqdn_recipient\fR" Reject the request when the RCPT TO address is not in fully-qualified domain form, as required by the RFC. @@ -8533,6 +8840,7 @@ fully-qualified domain form, as required by the RFC. The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504). +.br .IP "\fBreject_rhsbl_recipient \fIrbl_domain=d.d.d.d\fR\fR" Reject the request when the RCPT TO domain is listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR (Postfix version @@ -8549,6 +8857,7 @@ parameter specifies the response code for rejected requests (default: reply; and the rbl_reply_maps parameter specifies tables with server replies indexed by \fIrbl_domain\fR. This feature is available in Postfix version 2.0 and later. +.br .IP "\fBreject_unauth_destination\fR" Reject the request unless one of the following is true: .IP \(bu @@ -8560,8 +8869,15 @@ Postfix is the final destination: the resolved RCPT TO domain matches $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain). - The relay_domains_reject_code parameter specifies the response +.br +The relay_domains_reject_code parameter specifies the response code for rejected requests (default: 554). +.br +.IP "\fBdefer_unauth_destination\fR" +Reject the same requests as reject_unauth_destination, with a +non-permanent error code. This feature is available in Postfix +2.10 and later. +.br .IP "\fBreject_unknown_recipient_domain\fR" Reject the request when Postfix is not final destination for the recipient domain, and the RCPT TO domain has 1) no DNS A or MX 
@@ -8576,11 +8892,13 @@ is always 450 in case of a temporary DNS error. The unknown_address_tempfail_action parameter specifies the action after a temporary DNS error (default: defer_if_permit). +.br .IP "\fBreject_unlisted_recipient\fR (with Postfix version 2.0: check_recipient_maps)" Reject the request when the RCPT TO address is not listed in the list of valid recipients for its domain class. See the smtpd_reject_unlisted_recipient parameter description for details. This feature is available in Postfix 2.1 and later. +.br .IP "\fBreject_unverified_recipient\fR" Reject the request when mail to the RCPT TO address is known to bounce, or when the recipient address destination is not reachable. @@ -8603,6 +8921,8 @@ defer_if_permit). .br This feature is available in Postfix 2.1 and later. +.br +.br .PP Other restrictions that are valid in this context: .IP \(bu @@ -8612,12 +8932,15 @@ in any SMTP command context, described under smtpd_client_restrictions. SMTP command specific restrictions described under smtpd_client_restrictions, smtpd_helo_restrictions and smtpd_sender_restrictions. +.br .PP Example: .PP .nf .na .ft C +# The Postfix before 2.10 default mail relay policy. Later Postfix +# versions implement this preferably with smtpd_relay_restrictions. smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination .fi .ad @@ -8673,17 +8996,22 @@ SMTP session: .IP "\fBclient_address\fR" The Client IP address that is logged in the maillog file. +.br .IP "\fBclient_port\fR" The client TCP port that is logged in the maillog file. +.br .IP "\fBlocaltime\fR" The server local time (Mmm dd hh:mm:ss) that is logged in the maillog file. +.br .IP "\fBserver_name\fR" The server's myhostname value. This attribute is made available for sites with multiple MTAs (perhaps behind a load-balancer), where the server name can help the server support team to quickly find the right log files. +.br +.br .PP Notes: .IP \(bu 
@@ -8692,6 +9020,7 @@ or main.cf parameters. .IP \(bu For safety reasons, text that does not match $smtpd_expansion_filter is censored. +.br .PP This feature supports the two-character sequence \en as a request for a line break in the footer text. Postfix automatically inserts @@ -8727,6 +9056,7 @@ is not null. The recipient domain matches $relay_domains but the recipient is not listed in $relay_recipient_maps, and $relay_recipient_maps is not null. +.br .PP This feature is available in Postfix 2.1 and later. .SH smtpd_reject_unlisted_sender (default: no) 
@@ -8752,8 +9082,72 @@ is not null. The sender domain matches $relay_domains but the sender is not listed in $relay_recipient_maps, and $relay_recipient_maps is not null. +.br .PP This feature is available in Postfix 2.1 and later. +.SH smtpd_relay_restrictions (default: permit_mynetworks, reject_unauth_destination) +Access restrictions for mail relay control that the Postfix +SMTP server applies in the context of the RCPT TO command, before +smtpd_recipient_restrictions. +See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access +restriction lists" for a discussion of evaluation context and time. +.PP +With Postfix versions before 2.10, the rules for relay permission +and spam blocking were combined under smtpd_recipient_restrictions, +resulting in error-prone configuration. As of Postfix 2.10, relay +permission rules are preferably implemented with smtpd_relay_restrictions, +so that a permissive spam blocking policy under +smtpd_recipient_restrictions will no longer result in a permissive +mail relay policy. +.PP +For backwards compatibility, sites that migrate from Postfix +versions before 2.10 can set smtpd_relay_restrictions to the empty +value, and use smtpd_recipient_restrictions exactly as before. +.PP +By default, the Postfix SMTP server accepts: +.IP \(bu +Mail from clients whose IP address matches $mynetworks, or: +.IP \(bu +Mail to remote destinations that match $relay_domains, except +for addresses that contain sender-specified routing +(user@elsewhere@domain), or: +.IP \(bu +Mail to local destinations that match $inet_interfaces +or $proxy_interfaces, $mydestination, $virtual_alias_domains, or +$virtual_mailbox_domains. +.br +.PP +IMPORTANT: Either the smtpd_relay_restrictions or the +smtpd_recipient_restrictions parameter must specify +at least one of the following restrictions. 
Otherwise Postfix will +refuse to receive mail: +.sp +.in +4 +.nf +.na +.ft C +reject, reject_unauth_destination +.fi +.ad +.ft R +.in -4 +.sp +.in +4 +.nf +.na +.ft C +defer, defer_if_permit, defer_unauth_destination +.fi +.ad +.ft R +.in -4 +.PP +Specify a list of restrictions, separated by commas and/or whitespace. +Continue long lines by starting the next line with whitespace. +The same restrictions are available as documented under +smtpd_recipient_restrictions. +.PP +This feature is available in Postix 2.10 and later. .SH smtpd_restriction_classes (default: empty) User-defined aliases for groups of access restrictions. The aliases can be specified in smtpd_recipient_restrictions etc., and on the @@ -8781,6 +9175,19 @@ access restriction can be used to permit relay access, like this: .nf .na .ft C +# With Postfix 2.10 and later, the mail relay policy is +# preferably specified under smtpd_relay_restrictions. +smtpd_relay_restrictions = + permit_mynetworks, permit_sasl_authenticated, ... +.fi +.ad +.ft R +.PP +.nf +.na +.ft C +# With Postfix before 2.10, the relay policy can be +# specified only under smtpd_recipient_restrictions. smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, ... .fi @@ -8885,17 +9292,24 @@ mechanisms is system dependent. Specify zero or more of the following: .IP "\fBnoplaintext\fR" Disallow methods that use plaintext passwords. +.br .IP "\fBnoactive\fR" Disallow methods subject to active (non-dictionary) attack. +.br .IP "\fBnodictionary\fR" Disallow methods subject to passive (dictionary) attack. +.br .IP "\fBnoanonymous\fR" Disallow methods that allow anonymous authentication. +.br .IP "\fBforward_secrecy\fR" Only allow methods that support forward secrecy (Dovecot only). +.br .IP "\fBmutual_auth\fR" Only allow methods that provide mutual authentication (not available with Cyrus SASL version 1). +.br +.br .PP By default, the Postfix SMTP server accepts plaintext passwords but not anonymous logins. 
@@ -8937,18 +9351,22 @@ NIS, LDAP or SQL, the following search operations are done with a sender address of \fIuser@domain\fR: .IP "1) \fIuser@domain\fR" This table lookup is always done and has the highest precedence. +.br .IP "2) \fIuser\fR" This table lookup is done only when the \fIdomain\fR part of the sender address matches $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces. +.br .IP "3) \fI@domain\fR" This table lookup is done last and has the lowest precedence. +.br +.br .PP In all cases the result of table lookup must be either "not found" or a list of SASL login names separated by comma and/or whitespace. .SH smtpd_sender_restrictions (default: empty) Optional restrictions that the Postfix SMTP server applies in the -context of the MAIL FROM command. +context of a client MAIL FROM command. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time. .PP 
@@ -8965,22 +9383,26 @@ received with the MAIL FROM command. Search the specified \fBaccess\fR(5) database for the MAIL FROM address, domain, parent domains, or localpart@, and execute the corresponding action. +.br .IP "\fBcheck_sender_mx_access \fItype:table\fR\fR" Search the specified \fBaccess\fR(5) database for the MX hosts for the MAIL FROM address, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later. +.br .IP "\fBcheck_sender_ns_access \fItype:table\fR\fR" Search the specified \fBaccess\fR(5) database for the DNS servers for the MAIL FROM address, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later. +.br .IP "\fBreject_authenticated_sender_login_mismatch\fR" Enforces the reject_sender_login_mismatch restriction for authenticated clients only. This feature is available in Postfix version 2.1 and later. +.br .IP "\fBreject_non_fqdn_sender\fR" Reject the request when the MAIL FROM address is not in fully-qualified domain form, as required by the RFC. @@ -8988,6 +9410,7 @@ fully-qualified domain form, as required by the RFC. The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504). +.br .IP "\fBreject_rhsbl_sender \fIrbl_domain=d.d.d.d\fR\fR" Reject the request when the MAIL FROM domain is listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR (Postfix 
@@ -9004,16 +9427,19 @@ rejected requests (default: 554); the default_rbl_reply parameter specifies the default server reply; and the rbl_reply_maps parameter specifies tables with server replies indexed by \fIrbl_domain\fR. This feature is available in Postfix 2.0 and later. +.br .IP "\fBreject_sender_login_mismatch\fR" Reject the request when $smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps. +.br .IP "\fBreject_unauthenticated_sender_login_mismatch\fR" Enforces the reject_sender_login_mismatch restriction for unauthenticated clients only. This feature is available in Postfix version 2.1 and later. +.br .IP "\fBreject_unknown_sender_domain\fR" Reject the request when Postfix is not final destination for the sender address, and the MAIL FROM domain has 1) no DNS A or MX @@ -9028,11 +9454,13 @@ is always 450 in case of a temporary DNS error. The unknown_address_tempfail_action parameter specifies the action after a temporary DNS error (default: defer_if_permit). +.br .IP "\fBreject_unlisted_sender\fR" Reject the request when the MAIL FROM address is not listed in the list of valid recipients for its domain class. See the smtpd_reject_unlisted_sender parameter description for details. This feature is available in Postfix 2.1 and later. +.br .IP "\fBreject_unverified_sender\fR" Reject the request when mail to the MAIL FROM address is known to bounce, or when the sender address destination is not reachable. @@ -9054,6 +9482,8 @@ problem (default: defer_if_permit). .br This feature is available in Postfix 2.1 and later. +.br +.br .PP Other restrictions that are valid in this context: .IP \(bu 
@@ -9068,6 +9498,7 @@ smtpd_recipient_restrictions. When recipient restrictions are listed under smtpd_sender_restrictions, they have effect only with "smtpd_delay_reject = yes", so that $smtpd_sender_restrictions is evaluated at the time of the RCPT TO command. +.br .PP Examples: .PP @@ -9096,6 +9527,7 @@ delays all responses by $smtpd_error_sleep_time seconds. .IP \(bu With Postfix versions 2.0 and earlier, the Postfix SMTP server delays all responses by (number of errors) seconds. +.br .SH smtpd_starttls_timeout (default: see "postconf -d" output) The time limit for Postfix SMTP server write and read operations during TLS startup and shutdown handshake procedures. The current @@ -9463,17 +9895,21 @@ The available choices are: Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the default in Postfix versions 2.6 and 2.7. +.br .IP "\fBstrong\fR" Use EECDH with approximately 128 bits of security at a reasonable computational cost. This is the current best-practice trade-off between security and computational efficiency. This is the default in Postfix version 2.8 and later. +.br .IP "\fBultra\fR" Use EECDH with approximately 192 bits of security at computational cost that is approximately twice as high as 128 bit strength ECC. Barring significant progress in attacks on elliptic curve crypto-systems, the "strong" curve is sufficient for most users. +.br +.br .PP This feature is available in Postfix 2.6 and later, when it is compiled and linked with OpenSSL 1.0.0 or later. 
@@ -9608,18 +10044,24 @@ a lower logging level. errors if client certificate verification is not required. With Postfix 2.8 and earlier, disable logging of TLS activity. +.br .IP "" 1 Also log trust-chain verification errors and peer certificate name and issuer. With Postfix 2.8 and earlier, log TLS handshake and certificate information. +.br .IP "" 2 Also log levels during TLS negotiation. +.br .IP "" 3 Also log hexadecimal and ASCII dump of TLS negotiation process. +.br .IP "" 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS. +.br +.br .PP Do not use "smtpd_tls_loglevel = 2" or higher except in case of problems. Use of loglevel 4 is strongly discouraged. @@ -9645,22 +10087,26 @@ This is the most appropriate setting for public MX hosts, and is always used with opportunistic TLS encryption. The underlying cipherlist is specified via the tls_export_cipherlist configuration parameter, which you are strongly encouraged to not change. +.br .IP "\fBlow\fR" Enable "LOW" grade or stronger OpenSSL ciphers. The underlying cipherlist is specified via the tls_low_cipherlist configuration parameter, which you are strongly encouraged to not change. +.br .IP "\fBmedium\fR" Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use 128-bit or longer symmetric bulk-encryption keys. This is the default minimum strength for mandatory TLS encryption. The underlying cipherlist is specified via the tls_medium_cipherlist configuration parameter, which you are strongly encouraged to not change. +.br .IP "\fBhigh\fR" Enable only "HIGH" grade OpenSSL ciphers. The underlying cipherlist is specified via the tls_high_cipherlist configuration parameter, which you are strongly encouraged to not change. +.br .IP "\fBnull\fR" Enable only the "NULL" OpenSSL ciphers, these provide authentication without encryption. This setting is only appropriate in the rare 
@@ -9668,6 +10114,8 @@ case that all clients are prepared to use NULL ciphers (not normally enabled in TLS clients). The underlying cipherlist is specified via the tls_null_cipherlist configuration parameter, which you are strongly encouraged to not change. +.br +.br .PP Cipher types listed in smtpd_tls_mandatory_exclude_ciphers or smtpd_tls_exclude_ciphers are @@ -9712,7 +10160,7 @@ protocol exclusions. One can now explicitly exclude SSLv2 by setting SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing the protocols to include, rather than protocols to exclude, is supported, but not recommended. The exclusion form more closely -matches the behaviour when the OpenSSL library is newer than Postfix. +matches the behavior when the OpenSSL library is newer than Postfix. .PP Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that @@ -9754,7 +10202,7 @@ with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to include, rather than protocols to exclude, is supported, but not -recommended. The exclusion form more closely matches the behaviour +recommended. The exclusion form more closely matches the behavior when the OpenSSL library is newer than Postfix. .PP Example: 
@@ -9794,15 +10242,19 @@ smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with Specify one of the following security levels: .IP "\fBnone\fR" TLS will not be used. +.br .IP "\fBmay\fR" Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption. +.br .IP "\fBencrypt\fR" Mandatory TLS encryption: announce STARTTLS support to remote SMTP clients, and require that clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced SMTP server. Instead, this option should be used only on dedicated servers. +.br +.br .PP Note 1: the "fingerprint", "verify" and "secure" levels are not supported here. @@ -9999,6 +10451,7 @@ $local_header_rewrite_clients, .IP \(bu The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value. +.br .PP To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all". 
@@ -10122,43 +10575,57 @@ added after your Postfix source code was last updated, in that case you can only disable one of these via the hexadecimal syntax above. .IP "\fBMICROSOFT_SESS_ID_BUG\fR" See SSL_CTX_\fBset_options\fR(3) +.br .IP "\fBNETSCAPE_CHALLENGE_BUG\fR" See SSL_CTX_\fBset_options\fR(3) +.br .IP "\fBLEGACY_SERVER_CONNECT\fR" See SSL_CTX_\fBset_options\fR(3) +.br .IP "\fBNETSCAPE_REUSE_CIPHER_CHANGE_BUG\fR" also aliased as \fBCVE-2010-4180\fR. Postfix 2.8 disables this work-around by default with OpenSSL versions that may predate the fix. Fixed in OpenSSL 0.9.8q and OpenSSL 1.0.0c. +.br .IP "\fBSSLREF2_REUSE_CERT_TYPE_BUG\fR" See SSL_CTX_\fBset_options\fR(3) +.br .IP "\fBMICROSOFT_BIG_SSLV3_BUFFER\fR" See SSL_CTX_\fBset_options\fR(3) +.br .IP "\fBMSIE_SSLV2_RSA_PADDING\fR" also aliased as \fBCVE-2005-2969\fR. Postfix 2.8 disables this work-around by default with OpenSSL versions that may predate the fix. Fixed in OpenSSL 0.9.7h and OpenSSL 0.9.8a. +.br .IP "\fBSSLEAY_080_CLIENT_DH_BUG\fR" See SSL_CTX_\fBset_options\fR(3) +.br .IP "\fBTLS_D5_BUG\fR" See SSL_CTX_\fBset_options\fR(3) +.br .IP "\fBTLS_BLOCK_PADDING_BUG\fR" See SSL_CTX_\fBset_options\fR(3) +.br .IP "\fBTLS_ROLLBACK_BUG\fR" See SSL_CTX_\fBset_options\fR(3). This is disabled in OpenSSL 0.9.7 and later. Nobody should still be using 0.9.6! +.br .IP "\fBDONT_INSERT_EMPTY_FRAGMENTS\fR" See SSL_CTX_\fBset_options\fR(3) +.br .IP "\fBCRYPTOPRO_TLSEXT_BUG\fR" New with GOST support in OpenSSL 1.0.0. +.br +.br .PP This feature is available in Postfix 2.8 and later. .SH tls_eecdh_strong_curve (default: prime256v1) diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index b57b9c9bd..fc0f81655 100644 --- a/postfix/man/man8/smtpd.8 +++ b/postfix/man/man8/smtpd.8 
@@ -778,24 +778,24 @@ evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions. What Postfix features match subdomains of "domain.tld" automatically, instead of requiring an explicit ".domain.tld" pattern. .IP "\fBsmtpd_client_restrictions (empty)\fR" -Optional Postfix SMTP server access restrictions in the context of -a remote SMTP client connection request. +Optional restrictions that the Postfix SMTP server applies in the +context of a client connection request. .IP "\fBsmtpd_helo_required (no)\fR" Require that a remote SMTP client introduces itself with the HELO or EHLO command before sending the MAIL command or other commands that require EHLO negotiation. .IP "\fBsmtpd_helo_restrictions (empty)\fR" Optional restrictions that the Postfix SMTP server applies in the -context of the SMTP HELO command. +context of a client HELO command. .IP "\fBsmtpd_sender_restrictions (empty)\fR" Optional restrictions that the Postfix SMTP server applies in the -context of the MAIL FROM command. -.IP "\fBsmtpd_recipient_restrictions (permit_mynetworks, reject_unauth_destination)\fR" -The access restrictions that the Postfix SMTP server applies in -the context of the RCPT TO command. +context of a client MAIL FROM command. +.IP "\fBsmtpd_recipient_restrictions (see 'postconf -d' output)\fR" +Optional restrictions that the Postfix SMTP server applies in the +context of a client RCPT TO command, after smtpd_relay_restrictions. .IP "\fBsmtpd_etrn_restrictions (empty)\fR" -Optional SMTP server access restrictions in the context of a client -ETRN request. +Optional restrictions that the Postfix SMTP server applies in the +context of a client ETRN command. .IP "\fBallow_untrusted_routing (no)\fR" Forward mail with sender-specified routing (user[@%!]remote[@%!]site) from untrusted clients to destinations matching $relay_domains. 
@@ -830,6 +830,12 @@ Available in Postfix version 2.2 and later: .IP "\fBsmtpd_end_of_data_restrictions (empty)\fR" Optional access restrictions that the Postfix SMTP server applies in the context of the SMTP END-OF-DATA command. +.PP +Available in Postfix version 2.10 and later: +.IP "\fBsmtpd_relay_restrictions (permit_mynetworks, reject_unauth_destination)\fR" +Access restrictions for mail relay control that the Postfix +SMTP server applies in the context of the RCPT TO command, before +smtpd_recipient_restrictions. .SH "SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS" .na .nf diff --git a/postfix/mantools/postconf2man b/postfix/mantools/postconf2man index 29afb04a8..71bc32480 100755 --- a/postfix/mantools/postconf2man +++ b/postfix/mantools/postconf2man @@ -60,10 +60,10 @@ while(<>) { $block =~ s/
      /\n/g; #$block =~ s/<\/dl>/\n.PP\n/g; #$block =~ s/<\/ul>/\n.PP\n/g; - $block =~ s/<\/dl>/\n/g; - $block =~ s/<\/ul>/\n/g; + $block =~ s/<\/dl>/\n.br\n/g; + $block =~ s/<\/ul>/\n.br\n/g; $block =~ s/
      \s*/\n/g; - $block =~ s/<\/dd>/\n/g; + $block =~ s/<\/dd>/\n.br\n/g; $block =~ s/
    • \s*/\n.IP \\(bu\n/g; $block =~ s/
      \s*/\n.IP "/g;
 $block =~ s/\s*<\/dt>/"/g;
diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink
index 2500420fb..933c2361d 100755
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@@ -525,7 +525,8 @@ while (<>) {
 s;\bsmtpd_proxy_timeout\b;$&;g;
 s;\bsmtpd_proxy_options\b;$&;g;
 s;\bsmtpd_recip[-]*\n* *[]*ient_limit\b;$&;g;
- s;\bsmtpd_recip[-]*\n* *[]*ient_restrictions\b;$&;g;
+ s;\bsmtpd_recip[-]*\n* *[]*ient_restric[-]*\n* *[]*tions\b;$&;g;
+ s;\bsmtpd_relay_restrictions\b;$&;g;
 s;\bsmtpd_reject_unlisted_recip[-]*\n* *[]*ient\b;$&;g;
 s;\bsmtpd_reject_unlisted_sender\b;$&;g;
 s;\bsmtpd_restriction_classes\b;$&;g;
@@ -839,7 +840,7 @@ while (<>) {
 s;\bcheck_reverse_client_hostname_ns_access\b;$&;g;
 s;\bpermit_inet_interfaces\b;$&;g;
 s;\bpermit_mynetworks\b;$&;g;
- s;\bpermit_sasl_authenticated\b;$&;g;
+ s;\bper[-]*\n* *[]*mit_sasl_authenticated\b;$&;g;
 s;\bpermit_tls_clientcerts\b;$&;g;
 s;\bpermit_tls_all_clientcerts\b;$&;g;
 s;\breject_unknown_client_hostname\b;$&;g;
@@ -889,6 +890,7 @@ while (<>) {
 s;\breject_non_fqdn_recip[-]*\n* *[]*ient\b;$&;g;
 s;\breject_rhsbl_recip[-]*\n* *[]*ient\b;$&;g;
 s;\breject_unauth_destination\b;$&;g;
+ s;\bdefer_unauth_destination\b;$&;g;
 s;\breject_unknown_recipi[-]*\n*[ ]*ent_domain\b;$&;g;
 s;\breject_unlisted_recip[-]*\n* *[]*ient\b;$&;g;
 s;\breject_unver[-]*\n*[ ]*ified_recip[-]*\n* *[]*ient\b;$&;g;
diff --git a/postfix/proto/ADDRESS_VERIFICATION_README.html b/postfix/proto/ADDRESS_VERIFICATION_README.html
index d39e887ab..f79ebc672 100644
--- a/postfix/proto/ADDRESS_VERIFICATION_README.html
+++ b/postfix/proto/ADDRESS_VERIFICATION_README.html
@@ -95,14 +95,14 @@ always discarded.
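Review bot: The added `s;\bsmtpd_relay_restrictions\b;$&;g;` entry in postlink matches only when the name sits unbroken on one line, while the line directly above it is widened in this same hunk to tolerate a hyphenated line wrap; the `defer_unauth_destination` entry added in the third postlink hunk (@@ -889,6 +890,7) has the same shape. If either name ever wraps in the formatted text it would presumably be left unlinked, which looks like the reason `permit_sasl_authenticated` is widened in the second hunk. I would either give both new entries the wrap-tolerant form their neighbours use or add a comment such as `# exact match only; widen like smtpd_recipient_restrictions if this name gets hyphenated`. The substitution bodies appear to have lost markup in this rendering, so the exact pattern should be taken from the file itself, and the enclosing `while (<>)` loop starts and ends outside these hunks.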

      -> - probe
      - message + probe
      + message -> - - Postfix
      mail
      queue + + Postfix
      mail
      queue @@ -115,15 +115,15 @@ always discarded.

      -> - - Postfix
      SMTP
      server
      + + Postfix
      SMTP
      server
      <-> - - Postfix
      verify
      server
      - + + Postfix
      verify
      server
      + @@ -141,14 +141,14 @@ always discarded.

      <- - probe
      - status + probe
      + status <- - - Postfix
      delivery
      agents + + Postfix
      delivery
      agents -> Local
      -> Remote @@ -160,8 +160,8 @@ always discarded.

        - - ^
      |
      v + + ^
      |
      v @@ -173,8 +173,8 @@ always discarded.

        - - Address
      verification
      database + + Address
      verification
      database @@ -282,6 +282,9 @@ the same address repeatedly.

      /etc/postfix/main.cf: smtpd_recipient_restrictions = permit_mynetworks + # reject_unauth_destination is not needed here if the mail + # relay policy is specified under smtpd_relay_restrictions + # (available with Postfix 2.10 and later). reject_unauth_destination ... reject_unknown_recipient_domain @@ -431,7 +434,7 @@ verification probe fails with some temporary error. Specify a valid

      The unverified_sender_reject_reason parameter (default: empty) specifies fixed text that Postfix will send to remote SMTP -clients, instead of sending actual addres verification details. +clients, instead of sending actual address verification details. Do not specify the SMTP status code or enhanced status code.

      The unverified_sender_tempfail_action parameter (default: diff --git a/postfix/proto/FILTER_README.html b/postfix/proto/FILTER_README.html index 4635b7159..522e72890 100644 --- a/postfix/proto/FILTER_README.html +++ b/postfix/proto/FILTER_README.html @@ -218,24 +218,24 @@ document for an introduction to the Postfix architecture.

      - - maildrop
      - queue
      + + maildrop
      + queue
      <- - Postfix
      - postdrop(1) + Postfix
      + postdrop(1) <- - Postfix
      - sendmail(1) + Postfix
      + sendmail(1) <- - Content -
      filter + Content +
      filter @@ -750,6 +750,8 @@ that injects mail back into Postfix.

      -o smtpd_helo_restrictions= -o smtpd_client_restrictions= -o smtpd_sender_restrictions= + # Postfix 2.10 and later: specify empty smtpd_relay_restrictions. + -o smtpd_relay_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o smtpd_authorized_xforward_hosts=127.0.0.0/8 diff --git a/postfix/proto/LINUX_README.html b/postfix/proto/LINUX_README.html index efcd35338..a29e4f610 100644 --- a/postfix/proto/LINUX_README.html +++ b/postfix/proto/LINUX_README.html @@ -17,6 +17,24 @@
      +

      Host lookup issues

      + +

      By default Linux /etc/hosts lookups do not support multiple IP +address per hostname. This causes warnings from the Postfix SMTP +server that "hostname XXX does not resolve to address YYY", and is +especially a problem with hosts that have both IPv4 and IPv6 +addresses. To fix, turn on support for multiple IP addresses:

      + +
      +
      +/etc/host.conf:
      +    ...
      +    # We have machines with multiple IP addresses.
      +    multi on
      +    ...
      +
      +
      +

      Berkeley DB issues

      If you can't compile Postfix because the file "db.h" diff --git a/postfix/proto/MULTI_INSTANCE_README.html b/postfix/proto/MULTI_INSTANCE_README.html index fe6fc7c6d..2b72d1b45 100644 --- a/postfix/proto/MULTI_INSTANCE_README.html +++ b/postfix/proto/MULTI_INSTANCE_README.html @@ -374,6 +374,8 @@ post-filter re-injection SMTP service. Typical additions include:

      # With multiple instances, rarely need "-o param=value" overrides # in master.cf, each instance gets its own main.cf file. # + # Postfix 2.10 and later: specify empty smtpd_relay_restrictions. + smtpd_relay_restrictions = smtpd_recipient_restrictions = permit_mynetworks, reject # Tolerate occasional high latency in the content filter. diff --git a/postfix/proto/POSTSCREEN_README.html b/postfix/proto/POSTSCREEN_README.html index b4aa01f21..fb10721af 100644 --- a/postfix/proto/POSTSCREEN_README.html +++ b/postfix/proto/POSTSCREEN_README.html @@ -1071,8 +1071,8 @@ that decrypts/encrypts the sessions for multiple SMTP clients.

      The tlsproxy(8) implementation led to the discovery of a "new" class of vulnerability (CVE-2011-0411) that affected multiple implementations of TLS -over SMTP, POP, IMAP, NNTP, and FTP.

      +>CVE-2011-0411) that affected multiple implementations of SMTP, +POP, IMAP, NNTP, and FTP over TLS.

      postscreen(8) was officially released as part of the Postfix 2.8 stable release in January 2011.

      diff --git a/postfix/proto/RESTRICTION_CLASS_README.html b/postfix/proto/RESTRICTION_CLASS_README.html index 705d10693..0ebce0fe8 100644 --- a/postfix/proto/RESTRICTION_CLASS_README.html +++ b/postfix/proto/RESTRICTION_CLASS_README.html @@ -48,13 +48,17 @@ care about these low-level details.

      permissive = permit smtpd_recipient_restrictions = - permit_mynetworks - reject_unauth_destination - check_recipient_access hash:/etc/postfix/recipient_access + permit_mynetworks + # reject_unauth_destination is not needed here if the mail + # relay policy is specified with smtpd_relay_restrictions + # (available with Postfix 2.10 and later). + reject_unauth_destination + check_recipient_access hash:/etc/postfix/recipient_access + ... /etc/postfix/recipient_access: - joe@my.domain permissive - jane@my.domain restrictive + joe@my.domain permissive + jane@my.domain restrictive
    @@ -102,6 +106,7 @@ to IP spoofing.

     /etc/postfix/main.cf:
         smtpd_recipient_restrictions =
    +        ...
             check_recipient_access hash:/etc/postfix/access
             ...the usual stuff...
     
    @@ -133,6 +138,7 @@ therefore is subject to SMTP sender spoofing. 

     /etc/postfix/main.cf:
         smtpd_recipient_restrictions =
    +        ...
             check_recipient_access hash:/etc/postfix/protected_destinations
             ...the usual stuff...
     
    @@ -193,6 +199,7 @@ with LDAP or SQL. 

     /etc/postfix/main.cf:
         smtpd_recipient_restrictions =
    +        ...
             check_sender_access hash:/etc/postfix/restricted_senders
             ...other stuff...
     
    diff --git a/postfix/proto/SASL_README.html b/postfix/proto/SASL_README.html
    index a3320be86..1581b5efb 100644
    --- a/postfix/proto/SASL_README.html
    +++ b/postfix/proto/SASL_README.html
    @@ -1367,20 +1367,33 @@ for. Examples of possible SMTP clients authorizations are: 

    Mail relay authorization

    -

    The permit_sasl_authenticated restriction allows +

    With permit_sasl_authenticated the Postfix SMTP +server can allow SASL-authenticated SMTP clients to send mail to remote destinations. -Add it to the list of smtpd_recipient_restrictions as -follows:

    +Examples: +

    +# With Postfix 2.10 and later, the mail relay policy is
    +# preferably specified under smtpd_relay_restrictions.
    +/etc/postfix/main.cf:
    +    smtpd_relay_restrictions =
    +	permit_mynetworks
    +	permit_sasl_authenticated
    +	reject_unauth_destination
    +
    + +
    +# Older configurations combine relay control and spam control under
    +# smtpd_recipient_restrictions. To use this example with Postfix ≥
    +# 2.10 specify "smtpd_relay_restrictions=".
     /etc/postfix/main.cf:
         smtpd_recipient_restrictions =
    -    ...
    -    permit_mynetworks
    -    permit_sasl_authenticated
    -    reject_unauth_destination
    -    ...
    +	permit_mynetworks
    +	permit_sasl_authenticated
    +	reject_unauth_destination
    +	...other rules...
     
    @@ -1406,9 +1419,7 @@ use a particular envelope sender address:

    smtpd_recipient_restrictions = ... reject_sender_login_mismatch - permit_sasl_authenticated - permit_mynetworks - reject_unauth_destination + permit_sasl_authenticated ...
    @@ -1926,7 +1937,7 @@ font.

    Instead of port 25 (smtp), specify port 587 (submission) where -appriopriate.

    +appropriate.

    Encrypted SMTP session (TLS)

    diff --git a/postfix/proto/SMTPD_ACCESS_README.html b/postfix/proto/SMTPD_ACCESS_README.html index 3cd23cd2f..0e68b0d5e 100644 --- a/postfix/proto/SMTPD_ACCESS_README.html +++ b/postfix/proto/SMTPD_ACCESS_README.html @@ -60,10 +60,19 @@ http://www.mail-abuse.org/ and other websites.

    By default, Postfix has a moderately restrictive approach to mail relaying. Postfix forwards mail only from clients in trusted -networks, or to domains that are configured as authorized relay -destinations. For a description of the default policy, see the -smtpd_recipient_restrictions parameter in the postconf(5) manual -page, and the information that is referenced from there.

    +networks, from clients that have authenticated with SASL, or to +domains that are configured as authorized relay +destinations. For a description of the default mail relay policy, +see the smtpd_relay_restrictions parameter in the postconf(5) manual +page, and the information that is referenced from there.

    + +

    NOTE: Postfix versions before 2.10 did not have +smtpd_relay_restrictions. They combined the mail relay and spam +blocking policies, under smtpd_recipient_restrictions. This could +lead to unexpected results. For example, a permissive spam blocking +policy could unexpectedly result in a permissive mail relay policy. +An example of this is documented under "Dangerous +use of smtpd_recipient_restrictions".

    Most of the Postfix SMTP server access controls are targeted at stopping junk email.

    @@ -178,8 +187,23 @@ described in the postconf(5) manual page.

    # Don't accept mail from domains that don't exist. smtpd_sender_restrictions = reject_unknown_sender_domain - # Whitelisting: local clients may specify any destination domain. - smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination + # Relay control (Postfix 2.10 and later): local clients and + # authenticated clients may specify any destination domain. + smtpd_relay_restrictions = permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination + + # Spam control: exclude local clients and authenticated clients + # from DNSBL lookups. + smtpd_recipient_restrictions = permit_mynetworks, + permit_sasl_authenticated, + # reject_unauth_destination is not needed here if the mail + # relay policy is specified under smtpd_relay_restrictions + # (available with Postfix 2.10 and later). + reject_unauth_destination + reject_rbl_client zen.spamhaus.org, + reject_rhsbl_helo dbl.spamhaus.org, + reject_rhsbl_sender dbl.spamhaus.org # Block clients that speak too early. smtpd_data_restrictions = reject_unauth_pipelining @@ -205,28 +229,47 @@ DEFER result.

    - - - - - - + + - + + + + + + + + - + -
    Restriction list name Status Effect +
    Restriction list name Version Status + Effect of REJECT or DEFER result
    smtpd_client_restrictions Optional +
    smtpd_client_restrictions All +Optional Reject all client commands
    smtpd_helo_restrictions Optional +
    smtpd_helo_restrictions All Optional + Reject HELO/EHLO information
    smtpd_sender_restrictions Optional +
    smtpd_sender_restrictions All +Optional Reject MAIL FROM information
    smtpd_recipient_restrictions Required Reject RCPT TO information
    smtpd_relay_restrictions ≥ 2.10 + Required if smtpd_recipient_restrictions does not enforce +relay policy Reject RCPT TO information
    smtpd_data_restrictions Optional +
    < 2.10 Not available
    smtpd_recipient_restrictions ≥ +2.10 Required if smtpd_relay_restrictions does not enforce +relay policy Reject RCPT TO information
    < 2.10 Required
    smtpd_data_restrictions ≥ 2.0 +Optional Reject DATA command
    smtpd_end_of_data_restrictions Optional +
    smtpd_end_of_data_restrictions ≥ 2.2 Optional Reject END-OF-DATA command
    smtpd_etrn_restrictions Optional +
    smtpd_etrn_restrictions All Optional + Reject ETRN command
    @@ -248,10 +291,10 @@ and so on. This approach turned out to be difficult to use.

    helo and sender restriction lists until the RCPT TO or ETRN command. This behavior is controlled by the smtpd_delay_reject parameter. Restriction lists are still evaluated in the proper order of (client, -helo, etrn) or (client, helo, sender, recipient, data, or end-of-data) -restrictions. +helo, etrn) or (client, helo, sender, relay, recipient, data, or +end-of-data) restrictions. When a restriction list (example: client) evaluates to REJECT or -DEFER the other restriction lists (example: helo, sender, etc.) +DEFER the restriction lists that follow (example: helo, sender, etc.) are skipped.

    Around the time that smtpd_delay_reject was introduced, Postfix @@ -300,6 +343,12 @@ list evaluates to REJECT or DEFER, the recipient address is rejected; no surprises here. If the result is PERMIT, then the recipient address is accepted. And this is where surprises can happen.

    +

    The problem is that Postfix versions before 2.10 did not have +smtpd_relay_restrictions. They combined the mail relay and spam +blocking policies, under smtpd_recipient_restrictions. The result +is that a permissive spam blocking policy could unexpectedly result +in a permissive mail relay policy.

    +

    Here is an example that shows when a PERMIT result can result in too much access permission:

    @@ -309,7 +358,7 @@ in too much access permission:

    3 permit_mynetworks 4 check_helo_access hash:/etc/postfix/helo_access 5 reject_unknown_helo_hostname -6 reject_unauth_destination +6 reject_unauth_destination 7 8 /etc/postfix/helo_access: 9 localhost.localdomain PERMIT @@ -326,14 +375,31 @@ smtpd_recipient_restrictions evaluates to PERMIT for EVERY host that announces itself as "localhost.localdomain", making Postfix an open relay for all such hosts.

    -

    In order to avoid surprises like these with -smtpd_recipient_restrictions, you should place non-recipient +

    With Postfix before version 2.10 you should place non-recipient restrictions AFTER the reject_unauth_destination restriction, not before. In the above example, the HELO based restrictions should be placed AFTER reject_unauth_destination, or better, the HELO based restrictions should be placed under smtpd_helo_restrictions where they can do no harm.

    +
    +1 /etc/postfix/main.cf:
    +2     smtpd_recipient_restrictions = 
    +3         permit_mynetworks
    +4         reject_unauth_destination
    +5         check_helo_access hash:/etc/postfix/helo_access
    +6         reject_unknown_helo_hostname
    +7 
    +8 /etc/postfix/helo_access:
    +9     localhost.localdomain PERMIT
    +
    + +

    The above mistake will not happen with Postfix 2.10 and later, +when the relay policy is specified under smtpd_relay_restrictions, +and the spam blocking policy under smtpd_recipient_restrictions. +Then, a permissive spam blocking policy will not result in a +permissive mail relay policy.

    +

    SMTP access rule testing

    Postfix has several features that aid in SMTP access rule diff --git a/postfix/proto/SMTPD_POLICY_README.html b/postfix/proto/SMTPD_POLICY_README.html index 678db37f3..8a38c0ee1 100644 --- a/postfix/proto/SMTPD_POLICY_README.html +++ b/postfix/proto/SMTPD_POLICY_README.html @@ -281,6 +281,10 @@ specified with the user attribute.

    "-", to avoid "connection refused" and other problems when you increase the smtpd process limit.

    +
  • Line 8: reject_unauth_destination is not needed here if +the mail relay policy is specified with smtpd_relay_restrictions +(available with Postfix 2.10 and later).

    +
  • Lines 8, 9: always specify "check_policy_service" AFTER "reject_unauth_destination" or else your system could become an open relay.

    @@ -299,8 +303,8 @@ of a master.cf service name (in the above example, "policy") and a built-in suffix (in the above example: "_time_limit").

    -
  • Solaris UNIX-domain sockets do not work reliably. Use -TCP sockets instead:

    +
  • With Solaris < 9, or Postfix < 2.10 on any Solaris +version, use TCP sockets instead of UNIX-domain sockets:

    @@ -436,6 +440,10 @@ SMTP server process that talks to it. See the spawn(8) manpage for more information about the transport_time_limit parameter.

    +
  • Line 9: reject_unauth_destination is not needed here if +the mail relay policy is specified with smtpd_relay_restrictions +(available with Postfix 2.10 and later).

    +

    Note: the "greylist_time_limit" parameter will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination @@ -445,7 +453,8 @@ a built-in suffix (in the above example: "_time_limit").

    -

    On Solaris you must use inet: style sockets instead of unix: +

    With Solaris < 9, or Postfix < 2.10 on any Solaris +version, use inet: style sockets instead of unix: style, as detailed in the "Policy client/server configuration" section above.

    @@ -497,10 +506,15 @@ http://www.monkeys.com/anti-spam/filtering/sender-domain-validate.in.
      -
    • Line 9: On Solaris you must use inet: style sockets +

    • Line 9: On Solaris < 9, or Postfix < 2.10 on any +Solaris version, use inet: style sockets instead of unix: style, as detailed in the "Example: greylist policy server" section above.

      +
    • Line 5: reject_unauth_destination is not needed here if +the mail relay policy is specified with smtpd_relay_restrictions +(available with Postfix 2.10 and later).

      +
    • Line 6: Be sure to specify "check_sender_access" AFTER "reject_unauth_destination" or else your system could become an open mail relay.

      @@ -547,10 +561,15 @@ most of the delays and most of the database pollution problem.

        -
      • Line 7: On Solaris you must use inet: style sockets +

      • Line 7: On Solaris < 9, or Postfix < 2.10 on any +Solaris version, use inet: style sockets instead of unix: style, as detailed in the "Example: greylist policy server" section above.

        +
      • Line 5: reject_unauth_destination is not needed here if +the mail relay policy is specified with smtpd_relay_restrictions +(available with Postfix 2.10 and later).

        +
      • Lines 6-7: Be sure to specify check_sender_access and check_policy_service AFTER reject_unauth_destination or else your system could become an open mail relay.

        diff --git a/postfix/proto/SMTPD_PROXY_README.html b/postfix/proto/SMTPD_PROXY_README.html index b76ff82e8..3fa8d216a 100644 --- a/postfix/proto/SMTPD_PROXY_README.html +++ b/postfix/proto/SMTPD_PROXY_README.html @@ -40,43 +40,43 @@ except that the latter uses a dedicated protocol instead of SMTP. - Internet + Internet -> - Postfix SMTP server - + Postfix SMTP server + -> - Before queue filter + Before queue filter -> - Postfix SMTP server - + Postfix SMTP server + -> - Postfix cleanup - server + Postfix cleanup + server -> - Postfix queue + Postfix queue -< - smtp
        local
        virtual + smtp
        local
        virtual @@ -213,26 +213,26 @@ http://bent.latency.net/smtpprox/.

        -> - Postfix SMTP server on - port 25 + Postfix SMTP server on + port 25 -> - filter on localhost port 10025 + filter on localhost port 10025 -> - Postfix SMTP server on - localhost port 10026 + Postfix SMTP server on + localhost port 10026 -> - Postfix cleanup - server + Postfix cleanup + server -> @@ -261,8 +261,8 @@ http://bent.latency.net/smtpprox/.

        smtp inet n - n - 20 smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o smtpd_client_connection_count_limit=10 - # Postfix 2.7 and later performance feature. - # -o smtpd_proxy_options=speed_adjust + # Postfix 2.7 and later performance feature. + # -o smtpd_proxy_options=speed_adjust # # After-filter SMTP server. Receive mail from the content filter # on localhost port 10026. @@ -272,6 +272,8 @@ http://bent.latency.net/smtpprox/.

        -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= + # Postfix 2.10 and later: specify empty smtpd_relay_restrictions. + -o smtpd_relay_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions= -o mynetworks=127.0.0.0/8 diff --git a/postfix/proto/STANDARD_CONFIGURATION_README.html b/postfix/proto/STANDARD_CONFIGURATION_README.html index c3333d0ee..e306f8d04 100644 --- a/postfix/proto/STANDARD_CONFIGURATION_README.html +++ b/postfix/proto/STANDARD_CONFIGURATION_README.html @@ -347,31 +347,41 @@ is the real purpose of the firewall email function.

        3 relay_domains = example.com 4 parent_domain_matches_subdomains = 5 debug_peer_list smtpd_access_maps - 6 smtpd_recipient_restrictions = - 7 permit_mynetworks reject_unauth_destination - 8 - 9 relay_recipient_maps = hash:/etc/postfix/relay_recipients -10 transport_maps = hash:/etc/postfix/transport -11 -12 /etc/postfix/relay_recipients: -13 user1@example.com x -14 user2@example.com x -15 . . . -16 -17 /etc/postfix/transport: -18 example.com smtp:[inside-gateway.example.com] +
        + 6a # Postfix 2.10 and later support separate relay control and + 7a # spam control. + 8a smtpd_relay_restrictions = + 9a permit_mynetworks reject_unauth_destination +10a smtpd_recipient_restrictions = ...spam blocking rules.... +
        + 6b # Older configurations combine relay control and spam control. To + 7b # use this with Postfix ≥ 2.10 specify "smtpd_relay_restrictions=". + 8b smtpd_recipient_restrictions = + 9b permit_mynetworks reject_unauth_destination +10b ...spam blocking rules.... +
        +11 relay_recipient_maps = hash:/etc/postfix/relay_recipients +12 transport_maps = hash:/etc/postfix/transport +13 +14 /etc/postfix/relay_recipients: +15 user1@example.com x +16 user2@example.com x +17 . . . +18 +19 /etc/postfix/transport: +20 example.com smtp:[inside-gateway.example.com]

    Translation:

      - -
    • Lines 1-7: Accept mail from local systems in $mynetworks, + +

    • Lines 1-10: Accept mail from local systems in $mynetworks, and accept mail from outside for "user@example.com" but not for "user@anything.example.com". The magic is in lines 4-5.

      -
    • Lines 9, 12-14: Define the list of valid addresses in the +

    • Lines 11, 13-16: Define the list of valid addresses in the "example.com" domain that can receive mail from the Internet. This prevents the mail queue from filling up with undeliverable MAILER-DAEMON messages. If you can't maintain a list of valid @@ -379,7 +389,7 @@ recipients then you must specify "relay_recipient_maps =" (that is, an empty value), or you must specify an "@example.com x" wild-card in the relay_recipients table.

      -
    • Lines 10, 17-18: Route mail for "example.com" to the inside +

    • Lines 12, 19-20: Route mail for "example.com" to the inside gateway machine. The [] forces Postfix to do no MX lookup.

      @@ -521,18 +531,28 @@ is all you need:

      3 4 /etc/postfix/main.cf: 5 relay_domains = . . . the.backed-up.domain.tld - 6 smtpd_recipient_restrictions = - 7 permit_mynetworks reject_unauth_destination - 8 - 9 # You must specify your NAT/proxy external address. -10 #proxy_interfaces = 1.2.3.4 -11 -12 relay_recipient_maps = hash:/etc/postfix/relay_recipients +
      + 6a # Postfix 2.10 and later support separate relay control and + 7a # spam control. + 8a smtpd_relay_restrictions = + 9a permit_mynetworks reject_unauth_destination +10a smtpd_recipient_restrictions = ...spam blocking rules.... +
      + 6b # Older configurations combine relay control and spam control. To + 7b # use this with Postfix ≥ 2.10 specify "smtpd_relay_restrictions=". + 8b smtpd_recipient_restrictions = + 9b permit_mynetworks reject_unauth_destination +10b ...spam blocking rules.... +
      +11 # You must specify your NAT/proxy external address. +12 #proxy_interfaces = 1.2.3.4 13 -14 /etc/postfix/relay_recipients: -15 user1@the.backed-up.domain.tld x -16 user2@the.backed-up.domain.tld x -17 . . . +14 relay_recipient_maps = hash:/etc/postfix/relay_recipients +15 +16 /etc/postfix/relay_recipients: +17 user1@the.backed-up.domain.tld x +18 user2@the.backed-up.domain.tld x +19 . . . @@ -541,11 +561,11 @@ need the above, plus:

      -18 /etc/postfix/main.cf:
      -19     transport_maps = hash:/etc/postfix/transport
      -20 
      -21 /etc/postfix/transport:
      -22     the.backed-up.domain.tld       relay:[their.mail.host.tld]
      +20 /etc/postfix/main.cf:
      +21     transport_maps = hash:/etc/postfix/transport
      +22 
      +23 /etc/postfix/transport:
      +24     the.backed-up.domain.tld       relay:[their.mail.host.tld]
       
      @@ -559,15 +579,15 @@ need the above, plus:

    • Do not list the.backed-up.domain.tld in virtual_mailbox_domains.

      -
    • Lines 1-7: Forward mail from the Internet for +

    • Lines 1-9: Forward mail from the Internet for "the.backed-up.domain.tld" to the primary MX host for that domain.

      -
    • Line 10: This is a must if Postfix receives mail via a +

    • Line 12: This is a must if Postfix receives mail via a NAT relay or proxy that presents a different IP address to the world than the local machine.

      -
    • Lines 12-16: Define the list of valid addresses in the +

    • Lines 14-18: Define the list of valid addresses in the "the.backed-up.domain.tld" domain. This prevents your mail queue from filling up with undeliverable MAILER-DAEMON messages. If you can't maintain a list of valid recipients then you must specify @@ -575,7 +595,7 @@ can't maintain a list of valid recipients then you must specify specify an "@the.backed-up.domain.tld x" wild-card in the relay_recipients table.

      -
    • Line 22: The [] forces Postfix to do no MX lookup.

      +
    • Line 24: The [] forces Postfix to do no MX lookup.

    diff --git a/postfix/proto/TLS_README.html b/postfix/proto/TLS_README.html index 118db3adb..960f7d299 100644 --- a/postfix/proto/TLS_README.html +++ b/postfix/proto/TLS_README.html @@ -654,12 +654,25 @@ certificate must no longer be used (e.g. an employee leaving).

    +# With Postfix 2.10 and later, the mail relay policy is
    +# preferably specified under smtpd_relay_restrictions.
    +/etc/postfix/main.cf:
    +    smtpd_relay_restrictions = 
    +        permit_mynetworks
    +        permit_tls_clientcerts 
    +        reject_unauth_destination
    +
    + +
    +# Older configurations combine relay control and spam control under
    +# smtpd_recipient_restrictions. To use this example with Postfix ≥
    +# 2.10 specify "smtpd_relay_restrictions=".
     /etc/postfix/main.cf:
         smtpd_recipient_restrictions = 
    -        ... 
    +        permit_mynetworks
             permit_tls_clientcerts 
             reject_unauth_destination
    -        ...
    +        ...other rules...
     
    @@ -787,7 +800,7 @@ chooses the cipher from a list supplied by the server.

    cipher that the server supports. With SSLv3 and later, the server may choose its own most preferred cipher that is supported (offered) by the client. Setting "tls_preempt_cipherlist = yes" enables server -cipher preferences. The default OpenSSL behaviour applies with +cipher preferences. The default OpenSSL behavior applies with "tls_preempt_cipherlist = no".

    While server cipher selection may in some cases lead to a more secure diff --git a/postfix/proto/VERP_README.html b/postfix/proto/VERP_README.html index 8f0e248b3..a4b1b3810 100644 --- a/postfix/proto/VERP_README.html +++ b/postfix/proto/VERP_README.html @@ -218,7 +218,7 @@ second form overrides them explicitly. The values shown are the recommended ones.

    You can use the smtpd_command_filter feature to append XVERP -to SMTP commands from legacy sofware. This requires Postfix 2.7 +to SMTP commands from legacy software. This requires Postfix 2.7 or later.

    diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 90f1be402..f03af4909 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -2974,7 +2974,7 @@ The list of "trusted" remote SMTP clients that have more privileges than

    In particular, "trusted" SMTP clients are allowed to relay mail -through Postfix. See the smtpd_recipient_restrictions parameter +through Postfix. See the smtpd_relay_restrictions parameter description in the postconf(5) manual.

    @@ -4830,8 +4830,8 @@ smtpd_client_new_tls_session_rate_limit = 100 %PARAM smtpd_client_restrictions

    -Optional Postfix SMTP server access restrictions in the context of -a remote SMTP client connection request. +Optional restrictions that the Postfix SMTP server applies in the +context of a client connection request. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.

    @@ -5291,8 +5291,8 @@ for each excess recipient.

    %PARAM smtpd_etrn_restrictions

    -Optional SMTP server access restrictions in the context of a client -ETRN request. +Optional restrictions that the Postfix SMTP server applies in the +context of a client ETRN command. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.

    @@ -5397,7 +5397,7 @@ smtpd_helo_required = yes

    Optional restrictions that the Postfix SMTP server applies in the -context of the SMTP HELO command. +context of a client HELO command. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.

    @@ -5651,42 +5651,43 @@ The maximal number of recipients that the Postfix SMTP server accepts per message delivery request.

    -%PARAM smtpd_recipient_restrictions permit_mynetworks, reject_unauth_destination +%PARAM smtpd_recipient_restrictions see "postconf -d" output

    -The access restrictions that the Postfix SMTP server applies in -the context of the RCPT TO command. +Optional restrictions that the Postfix SMTP server applies in the +context of a client RCPT TO command, after smtpd_relay_restrictions. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.

    -

    -By default, the Postfix SMTP server accepts: -

    - -
      - -
    • Mail from clients whose IP address matches $mynetworks, or: +

      With Postfix versions before 2.10, the rules for relay permission +and spam blocking were combined under smtpd_recipient_restrictions, +resulting in error-prone configuration. As of Postfix 2.10, relay +permission rules are preferably implemented with smtpd_relay_restrictions, +so that a permissive spam blocking policy under +smtpd_recipient_restrictions will no longer result in a permissive +mail relay policy.

      -
    • Mail to remote destinations that match $relay_domains, except -for addresses that contain sender-specified routing -(user@elsewhere@domain), or: - -
    • Mail to local destinations that match $inet_interfaces -or $proxy_interfaces, $mydestination, $virtual_alias_domains, or -$virtual_mailbox_domains. - -
    +

    For backwards compatibility, sites that migrate from Postfix +versions before 2.10 can set smtpd_relay_restrictions to the empty +value, and use smtpd_recipient_restrictions exactly as before.

    -IMPORTANT: If you change this parameter setting, you must specify +IMPORTANT: Either the smtpd_relay_restrictions or the +smtpd_recipient_restrictions parameter must specify at least one of the following restrictions. Otherwise Postfix will refuse to receive mail:

    -reject, defer, defer_if_permit, reject_unauth_destination
    +reject, reject_unauth_destination
    +
    +
    + +
    +
    +defer, defer_if_permit, defer_unauth_destination
     
    @@ -5806,9 +5807,15 @@ matches $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain). - The relay_domains_reject_code parameter specifies the response +The relay_domains_reject_code parameter specifies the response code for rejected requests (default: 554). +
    defer_unauth_destination
    + +
    Reject the same requests as reject_unauth_destination, with a +non-permanent error code. This feature is available in Postfix +2.10 and later.
    +
    reject_unknown_recipient_domain
    Reject the request when Postfix is not final destination for @@ -5867,9 +5874,78 @@ Example:

    +# The Postfix before 2.10 default mail relay policy. Later Postfix
    +# versions implement this preferably with smtpd_relay_restrictions.
     smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
     
    +%PARAM smtpd_relay_restrictions permit_mynetworks, reject_unauth_destination + +

    Access restrictions for mail relay control that the Postfix +SMTP server applies in the context of the RCPT TO command, before +smtpd_recipient_restrictions. +See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access +restriction lists" for a discussion of evaluation context and time. +

    + +

    With Postfix versions before 2.10, the rules for relay permission +and spam blocking were combined under smtpd_recipient_restrictions, +resulting in error-prone configuration. As of Postfix 2.10, relay +permission rules are preferably implemented with smtpd_relay_restrictions, +so that a permissive spam blocking policy under +smtpd_recipient_restrictions will no longer result in a permissive +mail relay policy.

    + +

    For backwards compatibility, sites that migrate from Postfix +versions before 2.10 can set smtpd_relay_restrictions to the empty +value, and use smtpd_recipient_restrictions exactly as before.

    + +

    +By default, the Postfix SMTP server accepts: +

    + +
      + +
    • Mail from clients whose IP address matches $mynetworks, or: + +
    • Mail to remote destinations that match $relay_domains, except +for addresses that contain sender-specified routing +(user@elsewhere@domain), or: + +
    • Mail to local destinations that match $inet_interfaces +or $proxy_interfaces, $mydestination, $virtual_alias_domains, or +$virtual_mailbox_domains. + +
    + +

    +IMPORTANT: Either the smtpd_relay_restrictions or the +smtpd_recipient_restrictions parameter must specify +at least one of the following restrictions. Otherwise Postfix will +refuse to receive mail: +

    + +
    +
    +reject, reject_unauth_destination
    +
    +
    + +
    +
    +defer, defer_if_permit, defer_unauth_destination
    +
    +
    + +

    +Specify a list of restrictions, separated by commas and/or whitespace. +Continue long lines by starting the next line with whitespace. +The same restrictions are available as documented under +smtpd_recipient_restrictions. +

    + +

    This feature is available in Postix 2.10 and later.

    + %CLASS sasl-auth SASL Authentication

    @@ -5893,6 +5969,15 @@ access restriction can be used to permit relay access, like this:

    +# With Postfix 2.10 and later, the mail relay policy is
    +# preferably specified under smtpd_relay_restrictions.
    +smtpd_relay_restrictions =
    +    permit_mynetworks, permit_sasl_authenticated, ...
    +
    + +
    +# With Postfix before 2.10, the relay policy can be
    +# specified only under smtpd_recipient_restrictions.
     smtpd_recipient_restrictions =
         permit_mynetworks, permit_sasl_authenticated, ...
     
    @@ -6095,7 +6180,7 @@ or a list of SASL login names separated by comma and/or whitespace.

    Optional restrictions that the Postfix SMTP server applies in the -context of the MAIL FROM command. +context of a client MAIL FROM command. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.

    @@ -10560,7 +10645,7 @@ protocol exclusions. One can now explicitly exclude SSLv2 by setting SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing the protocols to include, rather than protocols to exclude, is supported, but not recommended. The exclusion form more closely -matches the behaviour when the OpenSSL library is newer than Postfix. +matches the behavior when the OpenSSL library is newer than Postfix.

    Since SSL version 2 has known protocol weaknesses and is now @@ -10748,7 +10833,7 @@ protocol exclusions. One can now explicitly exclude SSLv2 by setting SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing the protocols to include, rather than protocols to exclude, is supported, but not recommended. The exclusion form more closely -matches the behaviour when the OpenSSL library is newer than Postfix. +matches the behavior when the OpenSSL library is newer than Postfix.

    Since SSL version 2 has known protocol weaknesses and is now @@ -11786,7 +11871,7 @@ with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to include, rather than protocols to exclude, is supported, but not -recommended. The exclusion form more closely matches the behaviour +recommended. The exclusion form more closely matches the behavior when the OpenSSL library is newer than Postfix.

    Example:

    @@ -11820,7 +11905,7 @@ with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to include, rather than protocols to exclude, is supported, but not -recommended. The exclusion form more closely matches the behaviour +recommended. The exclusion form more closely matches the behavior when the OpenSSL library is newer than Postfix.

    Example:

    @@ -12854,7 +12939,7 @@ these commands, disabled instances are skipped.

    the server performs final delivery, and send "delivered" delivery status notifications instead of "relayed". The default setting is backwards -compatible to avoid the infinetisimal possibility of breaking +compatible to avoid the infinitesimal possibility of breaking existing LMTP-based content filters.

    %PARAM always_add_missing_headers no @@ -12946,7 +13031,7 @@ classes of SMTP service.

    The number of clients that can be waiting for service from a real Postfix SMTP server process. When this queue is full, all clients will -receive a 421 reponse.

    +receive a 421 response.

    This feature is available in Postfix 2.8.

    @@ -12956,7 +13041,7 @@ receive a 421 reponse.

    a decision whether they will receive service from a real Postfix SMTP server process. When this queue is full, all non-whitelisted clients will -receive a 421 reponse.

    +receive a 421 response.

    This feature is available in Postfix 2.8.

    @@ -13787,7 +13872,7 @@ dummy SMTP protocol engine.

    %PARAM dnsblog_reply_delay 0s -

    A debugging aid to artifically delay DNS responses.

    +

    A debugging aid to artificially delay DNS responses.

    This feature is available in Postfix 2.8.

    diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 5a3d2f899..57135a0f7 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -1957,8 +1957,13 @@ extern char *var_helo_checks; #define DEF_MAIL_CHECKS "" extern char *var_mail_checks; +#define VAR_RELAY_CHECKS "smtpd_relay_restrictions" +#define DEF_RELAY_CHECKS PERMIT_MYNETWORKS ", " \ + REJECT_UNAUTH_DEST +extern char *var_relay_checks; + #define VAR_RCPT_CHECKS "smtpd_recipient_restrictions" -#define DEF_RCPT_CHECKS PERMIT_MYNETWORKS ", " REJECT_UNAUTH_DEST +#define DEF_RCPT_CHECKS "" extern char *var_rcpt_checks; #define VAR_ETRN_CHECKS "smtpd_etrn_restrictions" @@ -2113,6 +2118,7 @@ extern int var_mul_rcpt_code; #define PERMIT_AUTH_DEST "permit_auth_destination" #define REJECT_UNAUTH_DEST "reject_unauth_destination" +#define DEFER_UNAUTH_DEST "defer_unauth_destination" #define CHECK_RELAY_DOMAINS "check_relay_domains" #define PERMIT_TLS_CLIENTCERTS "permit_tls_clientcerts" #define PERMIT_TLS_ALL_CLIENTCERTS "permit_tls_all_clientcerts" diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 91d8a26d0..4ec82995b 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20120924" +#define MAIL_RELEASE_DATE "20121007" #define MAIL_VERSION_NUMBER "2.10" #ifdef SNAPSHOT diff --git a/postfix/src/global/server_acl.c b/postfix/src/global/server_acl.c index 4ef0eec69..3855c6fe0 100644 --- a/postfix/src/global/server_acl.c +++ b/postfix/src/global/server_acl.c 
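Review bot: Nothing next to `DEF_RELAY_CHECKS` in mail_params.h says that this list is evaluated before smtpd_recipient_restrictions, so the effect of emptying `DEF_RCPT_CHECKS` on an existing configuration is easy to miss. A main.cf that grants relay access only inside smtpd_recipient_restrictions (for example with permit_sasl_authenticated) would now meet the built-in `permit_mynetworks, reject_unauth_destination` first. That fails closed, but relay requests from such clients outside $mynetworks would be refused until smtpd_relay_restrictions is set empty or extended. The diffstat lists a post-install change that presumably covers upgrades, though that is not visible from this hunk. I would add a comment above the new define such as `/* Evaluated before smtpd_recipient_restrictions; set empty to keep a pre-2.10 relay policy. */`.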
@@ -112,8 +112,8 @@ SERVER_ACL *server_acl_parse(const char *extern_acl, const char *origin) char *bp = saved_acl; char *acl; -#define STREQ(x,y) ((*x) == (*y) && strcasecmp((x), (y)) == 0) -#define STRNE(x,y) ((*x) != (*y) || strcasecmp((x), (y)) != 0) +#define STREQ(x,y) (strcasecmp((x), (y)) == 0) +#define STRNE(x,y) (strcasecmp((x), (y)) != 0) /* * Nested tables are not allowed. Tables are opened before entering the diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index 83d1e7330..ce0b937bc 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c 
@@ -728,24 +728,24 @@ /* What Postfix features match subdomains of "domain.tld" automatically, /* instead of requiring an explicit ".domain.tld" pattern. /* .IP "\fBsmtpd_client_restrictions (empty)\fR" -/* Optional Postfix SMTP server access restrictions in the context of -/* a remote SMTP client connection request. +/* Optional restrictions that the Postfix SMTP server applies in the +/* context of a client connection request. /* .IP "\fBsmtpd_helo_required (no)\fR" /* Require that a remote SMTP client introduces itself with the HELO /* or EHLO command before sending the MAIL command or other commands /* that require EHLO negotiation. /* .IP "\fBsmtpd_helo_restrictions (empty)\fR" /* Optional restrictions that the Postfix SMTP server applies in the -/* context of the SMTP HELO command. +/* context of a client HELO command. /* .IP "\fBsmtpd_sender_restrictions (empty)\fR" /* Optional restrictions that the Postfix SMTP server applies in the -/* context of the MAIL FROM command. -/* .IP "\fBsmtpd_recipient_restrictions (permit_mynetworks, reject_unauth_destination)\fR" -/* The access restrictions that the Postfix SMTP server applies in -/* the context of the RCPT TO command. +/* context of a client MAIL FROM command. +/* .IP "\fBsmtpd_recipient_restrictions (see 'postconf -d' output)\fR" +/* Optional restrictions that the Postfix SMTP server applies in the +/* context of a client RCPT TO command, after smtpd_relay_restrictions. /* .IP "\fBsmtpd_etrn_restrictions (empty)\fR" -/* Optional SMTP server access restrictions in the context of a client -/* ETRN request. +/* Optional restrictions that the Postfix SMTP server applies in the +/* context of a client ETRN command. /* .IP "\fBallow_untrusted_routing (no)\fR" /* Forward mail with sender-specified routing (user[@%!]remote[@%!]site) /* from untrusted clients to destinations matching $relay_domains. 
@@ -780,6 +780,12 @@ /* .IP "\fBsmtpd_end_of_data_restrictions (empty)\fR" /* Optional access restrictions that the Postfix SMTP server /* applies in the context of the SMTP END-OF-DATA command. +/* .PP +/* Available in Postfix version 2.10 and later: +/* .IP "\fBsmtpd_relay_restrictions (permit_mynetworks, reject_unauth_destination)\fR" +/* Access restrictions for mail relay control that the Postfix +/* SMTP server applies in the context of the RCPT TO command, before +/* smtpd_recipient_restrictions. /* SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS /* .ad /* .fi @@ -1136,6 +1142,7 @@ char *var_notify_classes; char *var_client_checks; char *var_helo_checks; char *var_mail_checks; +char *var_relay_checks; char *var_rcpt_checks; char *var_etrn_checks; char *var_data_checks; @@ -5326,6 +5333,7 @@ int main(int argc, char **argv) VAR_CLIENT_CHECKS, DEF_CLIENT_CHECKS, &var_client_checks, 0, 0, VAR_HELO_CHECKS, DEF_HELO_CHECKS, &var_helo_checks, 0, 0, VAR_MAIL_CHECKS, DEF_MAIL_CHECKS, &var_mail_checks, 0, 0, + VAR_RELAY_CHECKS, DEF_RELAY_CHECKS, &var_relay_checks, 0, 0, VAR_RCPT_CHECKS, DEF_RCPT_CHECKS, &var_rcpt_checks, 0, 0, VAR_ETRN_CHECKS, DEF_ETRN_CHECKS, &var_etrn_checks, 0, 0, VAR_DATA_CHECKS, DEF_DATA_CHECKS, &var_data_checks, 0, 0, diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 76229f977..09ea4bf96 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c @@ -320,6 +320,7 @@ static int access_parent_style; static ARGV *client_restrctions; static ARGV *helo_restrctions; static ARGV *mail_restrctions; +static ARGV *relay_restrctions; static ARGV *rcpt_restrctions; static ARGV *etrn_restrctions; static ARGV *data_restrctions; 
@@ -552,7 +553,7 @@ static void fail_required(const char *name, const char **required) for (reqd = required; *reqd; reqd++) vstring_sprintf_append(example, "%s%s", *reqd, reqd[1] == 0 ? "" : reqd[2] == 0 ? " or " : ", "); - msg_fatal("parameter \"%s\": specify at least one working instance of: %s", + msg_fatal("in parameter %s, specify at least one working instance of: %s", name, STR(example)); } @@ -565,11 +566,12 @@ void smtpd_check_init(void) const char *value; char *cp; static const char *rcpt_required[] = { - CHECK_RELAY_DOMAINS, REJECT_UNAUTH_DEST, + DEFER_UNAUTH_DEST, REJECT_ALL, DEFER_ALL, DEFER_IF_PERMIT, + CHECK_RELAY_DOMAINS, 0, }; static NAME_CODE tempfail_actions[] = { @@ -662,6 +664,8 @@ void smtpd_check_init(void) var_helo_checks); mail_restrctions = smtpd_check_parse(SMTPD_CHECK_PARSE_ALL, var_mail_checks); + relay_restrctions = smtpd_check_parse(SMTPD_CHECK_PARSE_ALL, + var_relay_checks); rcpt_restrctions = smtpd_check_parse(SMTPD_CHECK_PARSE_ALL, var_rcpt_checks); etrn_restrctions = smtpd_check_parse(SMTPD_CHECK_PARSE_ALL, @@ -703,11 +707,14 @@ void smtpd_check_init(void) /* * People screw up the relay restrictions too often. Require that they - * list at least one restriction that rejects mail by default. + * list at least one restriction that rejects mail by default. We allow + * relay restrictions to be empty for sites that require backwards + * compatibility. */ #ifndef TEST - if (!has_required(rcpt_restrctions, rcpt_required)) - fail_required(VAR_RCPT_CHECKS, rcpt_required); + if (!has_required(rcpt_restrctions, rcpt_required) + && !has_required(relay_restrctions, rcpt_required)) + fail_required(VAR_RELAY_CHECKS " or " VAR_RCPT_CHECKS, rcpt_required); #endif /* 
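Review bot: In the `#ifndef TEST` check of smtpd_check_init, the startup test now passes when either list contains an entry from `rcpt_required`, but the comment only explains why smtpd_relay_restrictions may be empty. Stating the reasoning, e.g. `/* A reject in either list is sufficient: smtpd_check_rcpt() stops at the first REJECT. */`, would keep a later change to the evaluation loop from silently weakening this guard. The array name `rcpt_required` is now applied to the relay list as well; a one-line comment on the array saying it covers both parameters would avoid confusion. smtpd_check_init continues outside these hunks.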
@@ -1438,7 +1445,8 @@ static int permit_auth_destination(SMTPD_STATE *state, char *recipient) /* reject_unauth_destination - FAIL for message relaying */ -static int reject_unauth_destination(SMTPD_STATE *state, char *recipient) +static int reject_unauth_destination(SMTPD_STATE *state, char *recipient, + int reply_code, const char *reply_dsn) { const char *myname = "reject_unauth_destination"; @@ -1455,7 +1463,7 @@ static int reject_unauth_destination(SMTPD_STATE *state, char *recipient) * Reject relaying to sites that are not listed in relay_domains. */ return (smtpd_check_reject(state, MAIL_ERROR_POLICY, - var_relay_code, "5.7.1", + reply_code, reply_dsn, "<%s>: Relay access denied", recipient)); } @@ -4066,7 +4074,12 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions, } } else if (strcasecmp(name, REJECT_UNAUTH_DEST) == 0) { if (state->recipient) - status = reject_unauth_destination(state, state->recipient); + status = reject_unauth_destination(state, state->recipient, + var_relay_code, "5.7.1"); + } else if (strcasecmp(name, DEFER_UNAUTH_DEST) == 0) { + if (state->recipient) + status = reject_unauth_destination(state, state->recipient, + var_relay_code - 100, "4.7.1"); } else if (strcasecmp(name, CHECK_RELAY_DOMAINS) == 0) { if (state->recipient) status = check_relay_domains(state, state->recipient, @@ -4191,7 +4204,7 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions, if (state->defer_if_permit.active && state->defer_if_reject.active) break; } - if (msg_verbose && name == 0) + if (msg_verbose) msg_info(">>> END %s RESTRICTIONS <<<", reply_class); state->recursion = saved_recursion; @@ -4450,6 +4463,8 @@ char *smtpd_check_rcpt(SMTPD_STATE *state, char *recipient) int status; char *saved_recipient; char *err; + ARGV *restrctions[2]; + int n; /* * Initialize. 
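Review bot: The header comment `/* reject_unauth_destination - FAIL for message relaying */` is unchanged although the function now takes `reply_code` and `reply_dsn` and serves both the permanent and the deferred variant. I would extend it to say that the caller chooses the SMTP reply code and the enhanced status code, and that the two are expected to be of the same class (5xx with 5.x.x, 4xx with 4.x.x). `myname` still reads "reject_unauth_destination"; if it is used for verbose logging, the defer case will not be distinguishable there, which is worth a deliberate choice. The function body is only partly visible in these hunks.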
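Review bot: In the new `DEFER_UNAUTH_DEST` branch of generic_checks the reply code is computed as `var_relay_code - 100`, which is a 4xx code only when relay_domains_reject_code holds a 5xx value. If a site has set relay_domains_reject_code to a 4xx value, the subtraction yields a 3xx reply paired with "4.7.1"; whether smtpd_check_reject or parameter validation corrects that is not visible here. Deriving the code defensively removes the dependency, for example by passing `(var_relay_code >= 500 ? var_relay_code - 100 : var_relay_code), "4.7.1"` as the last two arguments. generic_checks starts and ends outside this hunk.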
@@ -4498,13 +4513,21 @@ char *smtpd_check_rcpt(SMTPD_STATE *state, char *recipient) state->defer_if_permit.active = state->defer_if_permit_sender; /* - * Apply restrictions in the order as specified. + * Apply restrictions in the order as specified. We allow relay + * restrictions to be empty, for sites that require backwards + * compatibility. */ SMTPD_CHECK_RESET(); - status = setjmp(smtpd_check_buf); - if (status == 0 && rcpt_restrctions->argc) - status = generic_checks(state, rcpt_restrctions, + restrctions[0] = relay_restrctions; + restrctions[1] = rcpt_restrctions; + for (n = 0; n < 2; n++) { + status = setjmp(smtpd_check_buf); + if (status == 0 && restrctions[n]->argc) + status = generic_checks(state, restrctions[n], recipient, SMTPD_NAME_RECIPIENT, CHECK_RECIP_ACL); + if (status == SMTPD_CHECK_REJECT) + break; + } /* * Force permission into deferral when some earlier temporary error may @@ -5435,6 +5458,7 @@ int main(int argc, char **argv) } if (*bp == '#') continue; + if (*bp == '!') { vstream_printf("exit %d\n", system(bp + 1)); continue; diff --git a/postfix/src/trivial-rewrite/resolve.c b/postfix/src/trivial-rewrite/resolve.c index c237b312f..c0b6d9964 100644 --- a/postfix/src/trivial-rewrite/resolve.c +++ b/postfix/src/trivial-rewrite/resolve.c @@ -453,7 +453,7 @@ static void resolve_addr(RES_CONTEXT *rp, char *sender, char *addr, #endif } vstring_strcpy(channel, MAIL_SERVICE_ERROR); - vstring_sprintf(nexthop, "User unknown%s", + vstring_sprintf(nexthop, "5.1.1 User unknown%s", var_show_unk_rcpt_table ? " in virtual alias table" : ""); *flags |= RESOLVE_CLASS_ALIAS; diff --git a/postfix/src/util/dict.h b/postfix/src/util/dict.h index 850e07c73..db3be4a4c 100644 --- a/postfix/src/util/dict.h +++ b/postfix/src/util/dict.h 
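Review bot: The new loop in smtpd_check_rcpt ends only on `SMTPD_CHECK_REJECT`, so any other result from smtpd_relay_restrictions is overwritten by the second pass, and the comment does not say this. That is the property that keeps a permit in the relay list from bypassing smtpd_recipient_restrictions, so it deserves a line such as `/* Only REJECT ends evaluation; a permit from the relay list does not skip the recipient list. */`. The bound `n < 2` duplicates the array size; `n < (int) (sizeof(restrctions) / sizeof(restrctions[0]))` keeps the two together. The declarations of `restrctions` and `n` are in the preceding hunk, and the function continues past this one.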
@@ -65,16 +65,19 @@ extern DICT *dict_debug(DICT *); #define DICT_DEBUG(d) ((d)->flags & DICT_FLAG_DEBUG ? dict_debug(d) : (d)) + /* + * See dict_open.c embedded manpage for flag definitions. + */ #define DICT_FLAG_NONE (0) -#define DICT_FLAG_DUP_WARN (1<<0) /* if file, warn about dups */ -#define DICT_FLAG_DUP_IGNORE (1<<1) /* if file, ignore dups */ +#define DICT_FLAG_DUP_WARN (1<<0) /* warn about dups if not supported */ +#define DICT_FLAG_DUP_IGNORE (1<<1) /* ignore dups if not supported */ #define DICT_FLAG_TRY0NULL (1<<2) /* do not append 0 to key/value */ #define DICT_FLAG_TRY1NULL (1<<3) /* append 0 to key/value */ #define DICT_FLAG_FIXED (1<<4) /* fixed key map */ #define DICT_FLAG_PATTERN (1<<5) /* keys are patterns */ -#define DICT_FLAG_LOCK (1<<6) /* temp lock before each access */ -#define DICT_FLAG_DUP_REPLACE (1<<7) /* if file, replace dups */ -#define DICT_FLAG_SYNC_UPDATE (1<<8) /* if file, sync updates */ +#define DICT_FLAG_LOCK (1<<6) /* use temp lock before access */ +#define DICT_FLAG_DUP_REPLACE (1<<7) /* replace dups if supported */ +#define DICT_FLAG_SYNC_UPDATE (1<<8) /* sync updates if supported */ #define DICT_FLAG_DEBUG (1<<9) /* log access */ /*#define DICT_FLAG_FOLD_KEY (1<<10) /* lowercase the lookup key */ #define DICT_FLAG_NO_REGSUB (1<<11) /* disallow regexp substitution */ @@ -125,12 +128,16 @@ extern DICT *dict_debug(DICT *); #define DICT_ERR_CONFIG (-2) /* configuration error */ /* - * FAIL/ERROR are suggested result values, not meant for use in comparisons. + * Result values for exposed functions except lookup. FAIL/ERROR are + * suggested values, not for use in comparisons for equality. */ #define DICT_STAT_FAIL 1 /* any value > 0: notfound, conflict */ #define DICT_STAT_SUCCESS 0 /* request satisfied */ #define DICT_STAT_ERROR (-1) /* any value < 0: database error */ + /* + * Set an error code and return a result value. + */ #define DICT_ERR_VAL_RETURN(dict, err, val) do { \ (dict)->error = (err); \ return (val); \ 
diff --git a/postfix/src/util/dict_alloc.c b/postfix/src/util/dict_alloc.c index 588868309..a5cbd204c 100644 --- a/postfix/src/util/dict_alloc.c +++ b/postfix/src/util/dict_alloc.c @@ -26,9 +26,10 @@ /* One exception is the default lock function. When the /* dictionary provides a file handle for locking, the default /* lock function returns the result from myflock(), otherwise -/* it returns 0. The lock function is called to implement the -/* DICT_FLAG_OPEN_LOCK feature (lock database on open) when -/* a database is not multi-writer safe. +/* it returns 0. Presently, the lock function is used only to +/* implement the DICT_FLAG_OPEN_LOCK feature (lock the database +/* exclusively after it is opened) for databases that are not +/* multi-writer safe. /* /* dict_free() releases memory and cleans up after dict_alloc(). /* It is up to the caller to dispose of any memory that was allocated diff --git a/postfix/src/util/dict_open.c b/postfix/src/util/dict_open.c index 62dd60a02..0f1778574 100644 --- a/postfix/src/util/dict_open.c +++ b/postfix/src/util/dict_open.c @@ -82,11 +82,11 @@ /* before writing, and acquire a shared lock before reading. /* .IP DICT_FLAG_OPEN_LOCK /* With databases that are not multi-writer safe, request that -/* dict_open() acquires an exclusive lock, or that it reports -/* a fatal run-time error otherwise. +/* dict_open() acquires an exclusive lock, or that it terminates +/* with a fatal run-time error. /* .IP DICT_FLAG_FOLD_FIX /* With databases whose lookup fields are fixed-case strings, -/* fold the search key to lower case before accessing the +/* fold the search string to lower case before accessing the /* database. This includes hash:, cdb:, dbm:. nis:, ldap:, /* *sql. /* .IP DICT_FLAG_FOLD_MUL 
@@ -99,18 +99,21 @@ /* With file-based maps, flush I/O buffers to file after each update. /* Thus feature is not supported with some file-based dictionaries. /* .IP DICT_FLAG_NO_REGSUB -/* Disallow regular expression substitution from left-hand side data -/* into the right-hand side. +/* Disallow regular expression substitution from the lookup string +/* into the lookup result, to block data injection attacks. /* .IP DICT_FLAG_NO_PROXY -/* Disallow access through the \fBproxymap\fR service. +/* Disallow access through the unprivileged \fBproxymap\fR +/* service, to block privilege escalation attacks. /* .IP DICT_FLAG_NO_UNAUTH -/* Disallow network lookup mechanisms that lack any form of -/* authentication (example: tcp_table; even NIS can be secured -/* to some extent by requiring that the server binds to a -/* privileged port). +/* Disallow lookup mechanisms that lack any form of authentication, +/* to block privilege escalation attacks (example: tcp_table; +/* even NIS can be secured to some extent by requiring that +/* the server binds to a privileged port). /* .IP DICT_FLAG_PARANOID /* A combination of all the paranoia flags: DICT_FLAG_NO_REGSUB, /* DICT_FLAG_NO_PROXY and DICT_FLAG_NO_UNAUTH. +/* .IP DICT_FLAG_DEBUG +/* Enable additional logging. /* .PP /* Specify DICT_FLAG_NONE for no special processing. /* -- 2.47.3