Workaround: conditional time default value can result in
multiple time unit suffixes. Files: global/conv_time.c
global/mail_conf_time.c.
+
+20150712
+
+ Cleanup: code indentation. Viktor Dukhovni. File:
+ smtp/smtp_addr.c.
+
+ Workaround: With Solaris10, write_wait() hangs in poll()
+ until timeout, when invoked after peekfd() has received an
+ ECONNRESET error indication. This happens when a client
+ sends QUIT and closes the connection immediately. File:
+ util/peekfd.c.
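Review bot: The 20150712 entry lists only the smtp/smtp_addr.c indentation cleanup and the util/peekfd.c Solaris workaround, but the same patch also introduces the dns_ncache_ttl_fix_enable main.cf parameter (global/mail_params.c, global/mail_params.h, dns/dns_lookup.c, proto/postconf.proto). Add a HISTORY item for it with its file list, so that the new parameter can be traced back to this snapshot.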
Things to do after the stable release:
- Make the dns_res_query() workaround on/off configurable.
-
TLS certificate provenance: indicate whether a subject
name/issuer are verified or not (for example, change the
attribute name to unverified_ccert_subject etc.). This is
Update the list of Sendmail macros that Postfix can send
to Milters (auth_ssf and TLS-related).
- replace str*casecmp() calls with _utf8() equivalents
- for trivial-rewrite lookups.
-
Update smtpd command count when rejecting input before
command-table lookup.
support for regexp: and cidr: tables. Factor out and reuse
code that already exists in inline: and other tables.
- Solaris poll() does not work as expected. With Solaris10,
- write_wait() hangs until timeout when invoked after peekfd()
- has received an ECONNRESET error indication. This happens
- when a client sends QUIT and closes the connection immediately.
- Apparently the ECONNRESET error condition is not persistent.
-
Log command=good/bad statistics in postscreen?
Implement smtpd_client_auth_rate limit?
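Review bot: The removed WISHLIST item carries the one observation that explains the fix, "Apparently the ECONNRESET error condition is not persistent", and neither the new HISTORY entry nor the comment added in util/peekfd.c repeats it. Move that sentence into the peekfd.c comment so the reason for calling shutdown() is not lost when this item is deleted.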
P.O. Box 704
Yorktown Heights, NY 10598, USA
+ Wietse Venema
+ Google, Inc.
+ 111 8th Avenue
+ New York, NY 10011, USA
+
DNSBLOG(8)
</pre> </body> </html>
P.O. Box 704
Yorktown Heights, NY 10598, USA
+ Wietse Venema
+ Google, Inc.
+ 111 8th Avenue
+ New York, NY 10011, USA
+
OQMGR(8)
</pre> </body> </html>
</pre>
+</DD>
+
+<DT><b><a name="dns_ncache_ttl_fix_enable">dns_ncache_ttl_fix_enable</a>
+(default: no)</b></DT><DD>
+
+<p> Enable a workaround for future libc incompatibility. The Postfix
+implementation of <a href="http://tools.ietf.org/html/rfc2308">RFC 2308</a> negative reply caching relies on the
+promise that res_query() and res_search() invoke res_send(), which
+returns the server response in an application buffer even if the
+requested record does not exist. If this promise is broken, specify
+"yes" to enable a workaround for DNS reputation lookups. </p>
+
+
</DD>
<DT><b><a name="dnsblog_reply_delay">dnsblog_reply_delay</a>
auth, etc.) that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the
EHLO response to a remote SMTP client.
+ Available in Postfix version 3.1 and later:
+
+ <b><a href="postconf.5.html#dns_ncache_ttl_fix_enable">dns_ncache_ttl_fix_enable</a> (no)</b>
+ Enable a workaround for future libc incompatibility.
+
<b>TROUBLE SHOOTING CONTROLS</b>
<b><a href="postconf.5.html#postscreen_expansion_filter">postscreen_expansion_filter</a> (see 'postconf -d' output)</b>
List of characters that are permitted in
P.O. Box 704
Yorktown Heights, NY 10598, USA
+ Wietse Venema
+ Google, Inc.
+ 111 8th Avenue
+ New York, NY 10011, USA
+
POSTSCREEN(8)
</pre> </body> </html>
Modra 6
155 00, Prague, Czech Republic
+ Wietse Venema
+ Google, Inc.
+ 111 8th Avenue
+ New York, NY 10011, USA
+
QMGR(8)
</pre> </body> </html>
# Non-production: needs thorough testing, or major changes are still
# needed before the code stabilizes.
-CCARGS="$CCARGS -DNONPROD"
+#CCARGS="$CCARGS -DNONPROD"
# Workaround: prepend Postfix include files before other include files.
CCARGS="-I. -I../../include $CCARGS"
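Review bot: Commenting out the -DNONPROD assignment stops defining NONPROD for the whole build, and nothing else in the patch says why. The two-line "Non-production" comment above it now describes a disabled line; either delete the assignment or add a sentence saying when it should be re-enabled.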
.fi
.ad
.ft R
+.SH dns_ncache_ttl_fix_enable (default: no)
+Enable a workaround for future libc incompatibility. The Postfix
+implementation of RFC 2308 negative reply caching relies on the
+promise that res_query() and res_search() invoke res_send(), which
+returns the server response in an application buffer even if the
+requested record does not exist. If this promise is broken, specify
+"yes" to enable a workaround for DNS reputation lookups.
.SH dnsblog_reply_delay (default: 0s)
A debugging aid to artificially delay DNS responses.
.PP
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
+
+Wietse Venema
+Google, Inc.
+111 8th Avenue
+New York, NY 10011, USA
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
+
+Wietse Venema
+Google, Inc.
+111 8th Avenue
+New York, NY 10011, USA
A case insensitive list of EHLO keywords (pipelining, starttls,
auth, etc.) that the \fBpostscreen\fR(8) server will not send in the EHLO
response to a remote SMTP client.
+.PP
+Available in Postfix version 3.1 and later:
+.IP "\fBdns_ncache_ttl_fix_enable (no)\fR"
+Enable a workaround for future libc incompatibility.
.SH "TROUBLE SHOOTING CONTROLS"
.na
.nf
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
+
+Wietse Venema
+Google, Inc.
+111 8th Avenue
+New York, NY 10011, USA
Patrik Rak
Modra 6
155 00, Prague, Czech Republic
+
+Wietse Venema
+Google, Inc.
+111 8th Avenue
+New York, NY 10011, USA
s;\bmulti_instance_enable\b;<a href="postconf.5.html#multi_instance_enable">$&</a>;g;
# postscreen
+ s;\bdns_ncache_ttl_fix_enable\b;<a href="postconf.5.html#dns_ncache_ttl_fix_enable">$&</a>;g;
s;\bdnsblog_reply_delay\b;<a href="postconf.5.html#dnsblog_reply_delay">$&</a>;g;
s;\bpostscreen_cache_map\b;<a href="postconf.5.html#postscreen_cache_map">$&</a>;g;
s;\bpostscreen_cache_cleanup_interval\b;<a href="postconf.5.html#postscreen_cache_cleanup_interval">$&</a>;g;
This feature is available in Postfix 3.0 and later.
</p>
-
+%PARAM dns_ncache_ttl_fix_enable no
+
+<p> Enable a workaround for future libc incompatibility. The Postfix
+implementation of RFC 2308 negative reply caching relies on the
+promise that res_query() and res_search() invoke res_send(), which
+returns the server response in an application buffer even if the
+requested record does not exist. If this promise is broken, specify
+"yes" to enable a workaround for DNS reputation lookups. </p>
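Review bot: The new dns_ncache_ttl_fix_enable text has no availability sentence, while the preceding parameter ends with "This feature is available in Postfix 3.0 and later." and postscreen(8) lists this one under "Available in Postfix version 3.1 and later". Add the matching 3.1 sentence here, and consider stating the limitation recorded in dns/dns_lookup.c (the workaround does not support EDNS0 or DNSSEC), so that an administrator who sets "yes" knows what the res_query() clone gives up.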
dns_lookup.o: ../../include/argv.h
dns_lookup.o: ../../include/check_arg.h
dns_lookup.o: ../../include/dict.h
+dns_lookup.o: ../../include/mail_params.h
dns_lookup.o: ../../include/maps.h
dns_lookup.o: ../../include/msg.h
dns_lookup.o: ../../include/myaddrinfo.h
/* int lflags;
/* unsigned *ltype;
/* AUXILIARY FUNCTIONS
-/* int dns_ncache_ttl_fix_enable;
+/* extern int var_dns_ncache_ttl_fix;
/*
/* int dns_lookup_r(name, type, rflags, list, fqdn, why, rcode)
/* const char *name;
/* dns_lookup_x, dns_lookup_r(), dns_lookup_rl() and dns_lookup_rv()
/* accept or return additional information.
/*
-/* The dns_ncache_ttl_fix_enable variable controls a workaround
+/* The var_dns_ncache_ttl_fix variable controls a workaround
/* for res_search(3) implementations that break the
/* DNS_REQ_FLAG_NCACHE_TTL feature. The workaround does not
/* support EDNS0 or DNSSEC, but it should be sufficient for
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
#include <valid_hostname.h>
#include <stringops.h>
+/* Global library. */
+
+#include <mail_params.h>
+
/* DNS library. */
#define LIBDNS_INTERNAL
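Review bot: Including <mail_params.h> here makes the DNS library depend on a variable owned by the global library, where the old dns_ncache_ttl_fix_enable was defined in dns_lookup.c itself. A program that links dns_lookup.o without the object that defines var_dns_ncache_ttl_fix will no longer link, and one that never reads main.cf silently runs with the workaround off. An alternative is to keep the flag in the DNS library and have the configuration code assign it.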
* Unfortunately, the res_search() and res_query() API gets in the way. These
* functions overload their result value, the server reply length, and
* return -1 when the requested record does not exist. With libbind-based
- * res_search() implementations, the server response is still available in a
- * caller-supplied buffer, thanks to a promise made by res_send() and the
- * functions that depend on it. With some creativity we can still use the
- * server response.
+ * implementations, the server response is still available in an application
+ * buffer, thanks to the promise that res_query() and res_search() invoke
+ * res_send(), which returns the full server response even if the requested
+ * record does not exist.
*
- * If this should stop working (for example, res_search() does not call
+ * If this promise is broken (for example, res_search() does not call
* res_send(), but some non-libbind implementation that updates the
- * caller-supplied buffer only when the requested record exists), then we
- * have a way out by setting the dns_ncache_ttl_fix_enable variable. This
- * enables a limited res_query() clone that should be sufficient for DNSBL /
- * DNSWL lookups.
+ * application buffer only when the requested record exists), then we have a
+ * way out by setting the var_dns_ncache_ttl_fix variable. This enables a
+ * limited res_query() clone that should be sufficient for DNSBL / DNSWL
+ * lookups.
*
* The libunbound API does not comingle the reply length and reply status
* information, but that will have to wait until it is safe to make
* libunbound a mandatory dependency for Postfix.
*/
-int dns_ncache_ttl_fix_enable = 0;
/* dns_res_query - a res_query() clone that can return negative replies */
for (;;) {
_res.options &= ~saved_options;
_res.options |= flags;
- if (keep_notfound && dns_ncache_ttl_fix_enable) {
+ if (keep_notfound && var_dns_ncache_ttl_fix) {
len = dns_res_query((char *) name, C_IN, type, reply->buf,
reply->buf_len);
} else {
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
bool var_multi_enable;
bool var_long_queue_ids;
bool var_daemon_open_fatal;
+bool var_dns_ncache_ttl_fix;
char *var_dsn_filter;
int var_smtputf8_enable;
int var_strict_smtputf8;
static const CONFIG_BOOL_TABLE first_bool_defaults[] = {
/* read and process the following before opening tables. */
VAR_DAEMON_OPEN_FATAL, DEF_DAEMON_OPEN_FATAL, &var_daemon_open_fatal,
+ VAR_DNS_NCACHE_TTL_FIX, DEF_DNS_NCACHE_TTL_FIX, &var_dns_ncache_ttl_fix,
0,
};
static const CONFIG_NBOOL_TABLE first_nbool_defaults[] = {
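Review bot: The new VAR_DNS_NCACHE_TTL_FIX entry goes into first_bool_defaults, the table marked "read and process the following before opening tables", without saying why this flag has to be set that early. If the reason is that opening a table can already trigger a DNS lookup, say so in a one-line comment next to the entry.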
MAIL_SRC_NAME_VERIFY
extern char *var_smtputf8_autoclass;
+ /*
+ * Workaround for future incompatibility. Our implementation of RFC 2308
+ * negative reply caching relies on the promise that res_query() and
+ * res_search() invoke res_send(), which returns the server response in an
+ * application buffer even if the requested record does not exist. If this
+ * promise is broken, we have a workaround that is good enough for DNS
+ * reputation lookups.
+ */
+#define VAR_DNS_NCACHE_TTL_FIX "dns_ncache_ttl_fix_enable"
+#define DEF_DNS_NCACHE_TTL_FIX 0
+extern bool var_dns_ncache_ttl_fix;
+
/* LICENSE
/* .ad
/* .fi
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20150711"
+#define MAIL_RELEASE_DATE "20150712"
#define MAIL_VERSION_NUMBER "3.1"
#ifdef SNAPSHOT
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* A case insensitive list of EHLO keywords (pipelining, starttls,
/* auth, etc.) that the \fBpostscreen\fR(8) server will not send in the EHLO
/* response to a remote SMTP client.
+/* .PP
+/* Available in Postfix version 3.1 and later:
+/* .IP "\fBdns_ncache_ttl_fix_enable (no)\fR"
+/* Enable a workaround for future libc incompatibility.
/* TROUBLE SHOOTING CONTROLS
/* .ad
/* .fi
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* Patrik Rak
/* Modra 6
/* 155 00, Prague, Czech Republic
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* Patrik Rak
/* Modra 6
/* 155 00, Prague, Czech Republic
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* Patrik Rak
/* Modra 6
/* 155 00, Prague, Czech Republic
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
struct addrinfo *res0;
struct addrinfo *res;
INET_PROTO_INFO *proto_info = inet_proto_info();
+ unsigned char *proto_family_list = proto_info->sa_family_list;
int found;
if (msg_verbose)
* Interpret a numerical name as an address.
*/
if (hostaddr_to_sockaddr(host, (char *) 0, 0, &res0) == 0) {
- if (strchr((char *) proto_info->sa_family_list, res0->ai_family) != 0) {
- if ((addr = dns_sa_to_rr(host, pref, res0->ai_addr)) == 0)
- msg_fatal("host %s: conversion error for address family %d: %m",
- host, ((struct sockaddr *) (res0->ai_addr))->sa_family);
- addr_list = dns_rr_append(addr_list, addr);
- freeaddrinfo(res0);
- return (addr_list);
- }
+ if (strchr((char *) proto_family_list, res0->ai_family) != 0) {
+ if ((addr = dns_sa_to_rr(host, pref, res0->ai_addr)) == 0)
+ msg_fatal("host %s: conversion error for address family "
+ "%d: %m", host, res0->ai_addr->sa_family);
+ addr_list = dns_rr_append(addr_list, addr);
+ freeaddrinfo(res0);
+ return (addr_list);
+ }
freeaddrinfo(res0);
}
host, MAI_STRERROR(aierr));
} else {
for (found = 0, res = res0; res != 0; res = res->ai_next) {
- if (strchr((char *) proto_info->sa_family_list, res->ai_family) == 0) {
+ if (strchr((char *) proto_family_list, res->ai_family) == 0) {
msg_info("skipping address family %d for host %s",
res->ai_family, host);
continue;
}
found++;
if ((addr = dns_sa_to_rr(host, pref, res->ai_addr)) == 0)
- msg_fatal("host %s: conversion error for address family %d: %m",
- host, ((struct sockaddr *) (res0->ai_addr))->sa_family);
+ msg_fatal("host %s: conversion error for address family "
+ "%d: %m", host, res0->ai_addr->sa_family);
addr_list = dns_rr_append(addr_list, addr);
}
freeaddrinfo(res0);
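Review bot: In the loop over res, the reflowed msg_fatal() call still prints res0->ai_addr->sa_family, which is the family of the first getaddrinfo() result and not of the res entry whose dns_sa_to_rr() conversion failed. Since the line is being touched anyway, use res->ai_addr->sa_family here; res0 is only the right operand in the earlier numerical-address branch.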
#endif
#include <unistd.h>
+#ifndef SHUT_RDWR
+#define SHUT_RDWR 2
+#endif
+
/* Utility library. */
#include "iostuff.h"
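Review bot: The SHUT_RDWR fallback is defined for every platform, but the only use this patch adds is inside #ifdef SUNOS5. Move the fallback into that block, and confirm that <sys/socket.h> is included for the shutdown() prototype, since the visible context shows only <unistd.h>.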
#ifdef FIONREAD
int count;
+#ifdef SUNOS5
+
+ /*
+ * With Solaris10, write_wait() hangs in poll() until timeout, when
+ * invoked after peekfd() has received an ECONNRESET error indication.
+ * This happens when a client sends QUIT and closes the connection
+ * immediately.
+ */
+ if (ioctl(fd, FIONREAD, (char *) &count) < 0) {
+ (void) shutdown(fd, SHUT_RDWR);
+ return (-1);
+ } else {
+ return (count);
+ }
+#else /* SUNOS5 */
return (ioctl(fd, FIONREAD, (char *) &count) < 0 ? -1 : count);
+#endif /* SUNOS5 */
#else
#error "don't know how to look ahead"
#endif
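Review bot: In the SUNOS5 branch, shutdown(fd, SHUT_RDWR) runs on any FIONREAD ioctl() failure, while the comment describes only the ECONNRESET case, and the shutdown() call can overwrite errno before return (-1). Test errno == ECONNRESET before shutting the socket down, and save and restore errno around the call so that the caller still sees the ioctl() error.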