diff --git a/postfix/.indent.pro b/postfix/.indent.pro
index 0cdf6722e..5a3608b54 100644
--- a/postfix/.indent.pro
+++ b/postfix/.indent.pro
@@ -29,6 +29,8 @@
-TCONFIG_BOOL_TABLE
-TCONFIG_INT_FN_TABLE
-TCONFIG_INT_TABLE
+-TCONFIG_LONG_FN_TABLE
+-TCONFIG_LONG_TABLE
-TCONFIG_STR_FN_TABLE
-TCONFIG_STR_TABLE
-TCONFIG_TIME_FN_TABLE
diff --git a/postfix/HISTORY b/postfix/HISTORY
index 97dd138dc..a2c77fa9f 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -10969,7 +10969,7 @@ Apologies for any names omitted.
20050706
- Robustness: the connection cache client now disables caching
+ Robustness: the SMTP client now disables connection caching
when it is unable to communicate with the scache(8) server,
instead of looping forever. File: global/scache_clnt.c.
@@ -11028,8 +11028,35 @@ Apologies for any names omitted.
Bugfix: the smtpd_sasl_authenticated_header code did not
check if SASL was actually enabled. File: smtpd/smtpd.c.
+20050720
+
+ Feature: reverse client hostname. This is set at connection
+ time with information from the SMTP client address->name
+ mapping, and can be overruled with the REVERSE_NAME attribute
+ in the XCLIENT command. File: smtpd/smtpd_peer.c.
+
+ Cleanup: renaming of several confusing restriction names:
+ reject_unknown_client -> reject_unknown_client_hostname,
+ reject_unknown_hostname -> reject_unknown_helo_hostname,
+ reject_invalid_hostname -> reject_invalid_helo_hostname,
+ and reject_non_fqdn_hostname -> reject_non_fqdn_helo_hostname.
+ The old names are still recognized and documented. Files:
+ global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c.
+
+ Feature: reject_unknown_reverse_client_hostname. This rejects
+ clients that have no address to name mapping (unlike the
+ reject_unknown_client_hostname feature which requires that
+ the address->name and name->address mappings resolve to the
+ client IP address). Files: global/mail_params.h,
+ smtpd/smtpd_peer.c, smtpd/smtpd.c, smtpd/smtpd_check.c.
+
Open problems:
+ Med: when the cleanup server bounces local mail that should
+ be content inspected, the resulting DSN should be content
+ inspected, otherwise a local user can bypass content
+ inspection.
+
Look for systems with XPG basename() declared in The Postfix SMTP server supports access restrictions such as
-reject_rbl_client or reject_unknown_client on the right-hand side
+reject_rbl_client or reject_unknown_client_hostname on the right-hand side
of SMTP server access(5) tables. This allows you to implement
different junk mail restrictions for different clients or users.
Postfix restriction classes
/etc/postfix/main.cf: smtpd_restriction_classes = restrictive, permissive - restrictive = reject_unknown_sender_domain reject_unknown_client ... + # With Postfix < 2.3 specify reject_unknown_client. + restrictive = reject_unknown_sender_domain reject_unknown_client_hostname ... permissive = permit smtpd_recipient_restrictions = diff --git a/postfix/html/SMTPD_ACCESS_README.html b/postfix/html/SMTPD_ACCESS_README.html index 84621f45c..3d542816a 100644 --- a/postfix/html/SMTPD_ACCESS_README.html +++ b/postfix/html/SMTPD_ACCESS_README.html @@ -172,7 +172,8 @@ described in the postconf(5) manual page. smtpd_client_restrictions = permit_mynetworks, reject # Don't talk to mail systems that don't know their own hostname. - smtpd_helo_restrictions = reject_unknown_hostname + # With Postfix < 2.3, specify reject_unknown_hostname. + smtpd_helo_restrictions = reject_unknown_helo_hostname # Don't accept mail from domains that don't exist. smtpd_sender_restrictions = reject_unknown_sender_domain @@ -307,7 +308,7 @@ in too much access permission: 2 smtpd_recipient_restrictions = 3 permit_mynetworks 4 check_helo_access hash:/etc/postfix/helo_access -5 reject_unknown_hostname +5 reject_unknown_helo_hostname 6 reject_unauth_destination 7 8 /etc/postfix/helo_access: @@ -315,7 +316,8 @@ in too much access permission:
Line 5 rejects mail from hosts that don't specify a proper -hostname in the HELO command. Lines 4 and 9 make an exception to +hostname in the HELO command (with Postfix < 2.3, specify +reject_unknown_hostname). Lines 4 and 9 make an exception to allow mail from some machine that announces itself with "HELO localhost.localdomain".
diff --git a/postfix/html/SMTPD_POLICY_README.html b/postfix/html/SMTPD_POLICY_README.html index e4ee237aa..325e7e8f7 100644 --- a/postfix/html/SMTPD_POLICY_README.html +++ b/postfix/html/SMTPD_POLICY_README.html @@ -80,6 +80,7 @@ sender=foo@bar.tld recipient=bar@foo.tld client_address=1.2.3.4 client_name=another.domain.tld +reverse_client_name=another.domain.tld instance=123.456.7 sasl_method=plain sasl_username=you @@ -115,6 +116,11 @@ size=12345 1.2.3.4 or it is an IPv6 address in the form 1:2:3::4:5:6. +For a discussion of the differences between reverse + and verified client_name information, see the + reject_unknown_client_hostname discussion in the postconf(5) + document.
+An attribute name must not contain "=", null or newline, and an attribute value must not contain null or newline.
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 0194bfc38..63556b069 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -1696,7 +1696,13 @@ The template is subject to exactly one level of $name substitution:-The names of message delivery transports that should not be delivered -to unless someone issues "sendmail -q" or equivalent. Specify zero +The names of message delivery transports that should not deliver mail +unless someone issues "sendmail -q" or equivalent. Specify zero or more names of mail delivery transports names that appear in the first field of master.cf.
@@ -2567,7 +2573,7 @@ home directory.-Specify a pathname ending "/" for qmail-style delivery. +Specify a pathname ending in "/" for qmail-style delivery.
@@ -2816,7 +2822,7 @@ block all mail to a site.
The numerical Postfix SMTP server response code when the client -HELO or EHLO command parameter is rejected by the reject_invalid_hostname +HELO or EHLO command parameter is rejected by the reject_invalid_helo_hostname restriction.
@@ -3373,7 +3379,7 @@ is suitable for, e.g., pop-before-smtp lookup tables.Examples:
-The Postfix < 2.2 backwards compatible setting: always rewrite +
The Postfix < 2.2 backwards compatible setting: always rewrite message headers, and always append my own domain to incomplete header addresses.
@@ -4450,7 +4456,7 @@ Sendmail compatibility feature that specifies the location of theThe numerical Postfix SMTP server reply code when a client request -is rejected by the reject_non_fqdn_hostname, reject_non_fqdn_sender +is rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender or reject_non_fqdn_recipient restriction.
@@ -7273,14 +7279,30 @@ any A record under rbl_domain. See the reject_unknown_client +-smtpd_client_restrictions = permit_mynetworks, reject_unknown_client +smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname@@ -7745,24 +7767,24 @@ Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later. -
-smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname -smtpd_helo_restrictions = permit_mynetworks, reject_unknown_hostname +smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname +smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname@@ -8116,7 +8138,7 @@ address.
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index 37208aa0a..142aa8884 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html @@ -781,8 +781,8 @@ SMTPD(8) SMTPD(8) invalid_hostname_reject_code (501) The numerical Postfix SMTP server response code when the client HELO or EHLO command parameter is - rejected by the reject_invalid_hostname restric- - tion. + rejected by the reject_invalid_helo_hostname + restriction. maps_rbl_reject_code (554) The numerical Postfix SMTP server response code 
@@ -794,46 +794,47 @@ SMTPD(8) SMTPD(8) non_fqdn_reject_code (504) The numerical Postfix SMTP server reply code when a client request is rejected by the - reject_non_fqdn_hostname, reject_non_fqdn_sender or - reject_non_fqdn_recipient restriction. + reject_non_fqdn_helo_hostname, + reject_non_fqdn_sender or reject_non_fqdn_recipient + restriction. reject_code (554) - The numerical Postfix SMTP server response code - when a remote SMTP client request is rejected by + The numerical Postfix SMTP server response code + when a remote SMTP client request is rejected by the "reject" restriction. relay_domains_reject_code (554) - The numerical Postfix SMTP server response code - when a client request is rejected by the + The numerical Postfix SMTP server response code + when a client request is rejected by the reject_unauth_destination recipient restriction. unknown_address_reject_code (450) - The numerical Postfix SMTP server response code - when a sender or recipient address is rejected by + The numerical Postfix SMTP server response code + when a sender or recipient address is rejected by the reject_unknown_sender_domain or reject_unknown_recipient_domain restriction. unknown_client_reject_code (450) - The numerical Postfix SMTP server response code - when a client without valid address <=> name map- - ping is rejected by the reject_unknown_client - restriction. + The numerical Postfix SMTP server response code + when a client without valid address <=> name map- + ping is rejected by the reject_unknown_client_host- + name restriction. unknown_hostname_reject_code (450) - The numerical Postfix SMTP server response code - when the hostname specified with the HELO or EHLO - command is rejected by the reject_unknown_hostname - restriction. + The numerical Postfix SMTP server response code + when the hostname specified with the HELO or EHLO + command is rejected by the + reject_unknown_helo_hostname restriction. 
Available in Postfix version 2.0 and later: default_rbl_reply (see 'postconf -d' output) - The default SMTP server response template for a - request that is rejected by an RBL-based restric- + The default SMTP server response template for a + request that is rejected by an RBL-based restric- tion. multi_recipient_bounce_reject_code (550) - The numerical Postfix SMTP server response code + The numerical Postfix SMTP server response code when a remote SMTP client request is blocked by the reject_multi_recipient_bounce restriction. @@ -842,16 +843,16 @@ SMTPD(8) SMTPD(8) MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and + The default location of the Postfix main.cf and master.cf configuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to - handle a request before it is terminated by a + How much time a Postfix daemon process may take to + handle a request before it is terminated by a built-in watchdog timer. command_directory (see 'postconf -d' output) - The location of all postfix administrative com- + The location of all postfix administrative com- mands. double_bounce_sender (double-bounce) 
@@ -872,36 +873,36 @@ SMTPD(8) SMTPD(8) and most Postfix daemon processes. max_idle (100s) - The maximum amount of time that an idle Postfix - daemon process waits for the next service request + The maximum amount of time that an idle Postfix + daemon process waits for the next service request before exiting. max_use (100) - The maximal number of connection requests before a + The maximal number of connection requests before a Postfix daemon process terminates. myhostname (see 'postconf -d' output) The internet hostname of this mail system. mynetworks (see 'postconf -d' output) - The list of "trusted" SMTP clients that have more + The list of "trusted" SMTP clients that have more privileges than "strangers". myorigin ($myhostname) The domain name that locally-posted mail appears to - come from, and that locally posted mail is deliv- + come from, and that locally posted mail is deliv- ered to. process_id (read-only) - The process ID of a Postfix command or daemon + The process ID of a Postfix command or daemon process. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. queue_directory (see 'postconf -d' output) - The location of the Postfix top-level queue direc- + The location of the Postfix top-level queue direc- tory. recipient_delimiter (empty) 
@@ -909,22 +910,22 @@ SMTPD(8) SMTPD(8) sions (user+foo). smtpd_banner ($myhostname ESMTP $mail_name) - The text that follows the 220 status code in the + The text that follows the 220 status code in the SMTP greeting banner. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (postfix) - The mail system name that is prepended to the - process name in syslog records, so that "smtpd" + The mail system name that is prepended to the + process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". Available in Postfix version 2.2 and later: smtpd_forbidden_commands (CONNECT, GET, POST) - List of commands that causes the Postfix SMTP - server to immediately terminate the session with a + List of commands that causes the Postfix SMTP + server to immediately terminate the session with a 221 code. SEE ALSO @@ -953,7 +954,7 @@ SMTPD(8) SMTPD(8) XFORWARD_README, Postfix XFORWARD extension LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index be80a2de3..9963a365f 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -921,7 +921,11 @@ The client hostname and IP address, formatted as name[address]. .IP "\fB$client_address\fR" The client IP address. .IP "\fB$client_name\fR" -The client hostname or "unknown". +The client hostname or "unknown". See reject_unknown_client_hostname +for more details. +.IP "\fB$reverse_client_name\fR" +The client hostname from address->name lookup, or "unknown". +See reject_unknown_reverse_client_hostname for more details. .IP "\fB$helo_name\fR" The hostname given in HELO or EHLO command or empty string. .IP "\fB$rbl_class\fR" 
@@ -1016,8 +1020,8 @@ of failed delivery attempts and generates non-delivery notifications. .PP This feature is available in Postfix 2.0 and later. .SH defer_transports (default: empty) -The names of message delivery transports that should not be delivered -to unless someone issues "\fBsendmail -q\fR" or equivalent. Specify zero +The names of message delivery transports that should not deliver mail +unless someone issues "\fBsendmail -q\fR" or equivalent. Specify zero or more names of mail delivery transports names that appear in the first field of master.cf. .PP @@ -1343,7 +1347,7 @@ This feature is available in Postfix 2.0 and later. Optional pathname of a mailbox file relative to a \fBlocal\fR(8) user's home directory. .PP -Specify a pathname ending "/" for qmail-style delivery. +Specify a pathname ending in "/" for qmail-style delivery. .PP The precedence of \fBlocal\fR(8) delivery features from high to low is: aliases, .forward files, mailbox_transport, mailbox_command_maps, @@ -1504,7 +1508,7 @@ Warning: with concurrency of 1, one bad message can be enough to block all mail to a site. .SH invalid_hostname_reject_code (default: 501) The numerical Postfix SMTP server response code when the client -HELO or EHLO command parameter is rejected by the reject_invalid_hostname +HELO or EHLO command parameter is rejected by the reject_invalid_helo_hostname restriction. .PP Do not change this unless you have a complete understanding of RFC 821. 
@@ -2434,7 +2438,7 @@ Sendmail compatibility feature that specifies the location of the \fBlocal\fR(8) \fBaliases\fR(5) database. .SH non_fqdn_reject_code (default: 504) The numerical Postfix SMTP server reply code when a client request -is rejected by the reject_non_fqdn_hostname, reject_non_fqdn_sender +is rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender or reject_non_fqdn_recipient restriction. .SH notify_classes (default: resource, software) The list of error classes that are reported to the postmaster. The 
@@ -4103,15 +4107,36 @@ the request when the reversed client network address is listed with any A record under \fIrbl_domain\fR. See the reject_rbl_client description above for additional RBL related configuration parameters. This feature is available in Postfix 2.0 and later. -.IP "\fBreject_unknown_client\fR" -Reject the request when the client IP address has no PTR (address -to name) record in the DNS, or when the PTR record does not have -a matching A (name to address) record. +.IP "\fBreject_unknown_client_hostname\fR (with Postfix < 2.3: reject_unknown_client)" +Reject the request when 1) the client IP address->name mapping +fails, 2) the name->address mapping fails, or 3) the name->address +mapping does not match the client IP address. .br -The unknown_client_reject_code -parameter specifies the response code for rejected requests (default: -450). The reply is always 450 in case the hostname lookup failed -due to a temporary problem. +This is a +stronger restriction than the reject_unknown_reverse_client_hostname +feature, which triggers only under condition 1) above. +.br +The +unknown_client_reject_code parameter specifies the response code +for rejected requests (default: 450). The reply is always 450 in +case the address->name or name->address lookup failed due to +a temporary problem. +.IP "\fBreject_unknown_reverse_client_hostname\fR" +Reject the request when the client IP address has no address->name +mapping. +.br +This is a weaker restriction than the +reject_unknown_client_hostname feature, which requires not only +that the address->name and name->address mappings exist, but +also that the two mappings reproduce the client IP address. +.br +The unknown_client_reject_code parameter specifies the response +code for rejected requests (default: 450). The reply is always 450 +in case the address->name lookup failed due to a temporary +problem. +.br +This feature is available in Postfix version 2.3 and +later. 
.PP In addition, you can use any of the following generic restrictions. These restrictions are applicable in @@ -4211,7 +4236,7 @@ Example: .nf .na .ft C -smtpd_client_restrictions = permit_mynetworks, reject_unknown_client +smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname .fi .ad .ft R @@ -4405,25 +4430,25 @@ for the HELO or EHLO hostname, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later. -.IP "\fBreject_invalid_hostname\fR" +.IP "\fBreject_invalid_helo_hostname\fR (with Postfix < 2.3: reject_invalid_hostname)" Reject the request when the HELO or EHLO hostname syntax is invalid. .br The invalid_hostname_reject_code specifies the response code to rejected requests (default: 501). -.IP "\fBreject_non_fqdn_hostname\fR" +.IP "\fBreject_non_fqdn_helo_hostname\fR (with Postfix < 2.3: reject_non_fqdn_hostname)" Reject the request when the HELO or EHLO hostname is not in fully-qualified domain form, as required by the RFC. .br The non_fqdn_reject_code parameter specifies the response code to rejected requests (default: 504). -.IP "\fBreject_unknown_hostname\fR" -Reject the request when the HELO or EHLO hostname has no DNS -A or MX record. +.IP "\fBreject_unknown_helo_hostname\fR (with Postfix < 2.3: reject_unknown_hostname)" +Reject the request when the HELO or EHLO hostname has no DNS A +or MX record. .br -The unknown_hostname_reject_code specifies -the response code to rejected requests (default: 450). +The unknown_hostname_reject_code specifies the +response code to rejected requests (default: 450). .PP Other restrictions that are valid in this context: .IP \(bu 
@@ -4445,8 +4470,8 @@ Examples: .nf .na .ft C -smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname -smtpd_helo_restrictions = permit_mynetworks, reject_unknown_hostname +smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname +smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname .fi .ad .ft R @@ -4630,7 +4655,7 @@ address. The unknown_address_reject_code parameter specifies the response code for rejected requests (default: 450). The response is always 450 in case of a temporary DNS error. -.IP "\fBreject_unlisted_recipient\fR (Postfix 2.0 name: check_recipient_maps)" +.IP "\fBreject_unlisted_recipient\fR (with Postfix 2.0: check_recipient_maps)" Reject the request when the RCPT TO address is not listed in the list of valid recipients for its domain class. See the smtpd_reject_unlisted_recipient parameter description for details. @@ -5450,14 +5475,14 @@ Do not change this unless you have a complete understanding of RFC 821. .SH unknown_client_reject_code (default: 450) The numerical Postfix SMTP server response code when a client without valid address <=> name mapping is rejected by the -reject_unknown_client restriction. The SMTP server always replies +reject_unknown_client_hostname restriction. The SMTP server always replies with 450 when the mapping failed due to a temporary error condition. .PP Do not change this unless you have a complete understanding of RFC 821. .SH unknown_hostname_reject_code (default: 450) The numerical Postfix SMTP server response code when the hostname specified with the HELO or EHLO command is rejected by the -reject_unknown_hostname restriction. +reject_unknown_helo_hostname restriction. .PP Do not change this unless you have a complete understanding of RFC 821. .SH unknown_local_recipient_reject_code (default: 550) diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index a07f82035..f4ea87057 100644 --- a/postfix/man/man8/smtpd.8 +++ b/postfix/man/man8/smtpd.8 
@@ -632,7 +632,7 @@ The numerical Postfix SMTP server response code when a remote SMTP client request is rejected by the "defer" restriction. .IP "\fBinvalid_hostname_reject_code (501)\fR" The numerical Postfix SMTP server response code when the client -HELO or EHLO command parameter is rejected by the reject_invalid_hostname +HELO or EHLO command parameter is rejected by the reject_invalid_helo_hostname restriction. .IP "\fBmaps_rbl_reject_code (554)\fR" The numerical Postfix SMTP server response code when a remote SMTP @@ -640,7 +640,7 @@ client request is blocked by the reject_rbl_client, reject_rhsbl_client, reject_rhsbl_sender or reject_rhsbl_recipient restriction. .IP "\fBnon_fqdn_reject_code (504)\fR" The numerical Postfix SMTP server reply code when a client request -is rejected by the reject_non_fqdn_hostname, reject_non_fqdn_sender +is rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender or reject_non_fqdn_recipient restriction. .IP "\fBreject_code (554)\fR" The numerical Postfix SMTP server response code when a remote SMTP @@ -656,11 +656,11 @@ or reject_unknown_recipient_domain restriction. .IP "\fBunknown_client_reject_code (450)\fR" The numerical Postfix SMTP server response code when a client without valid address <=> name mapping is rejected by the -reject_unknown_client restriction. +reject_unknown_client_hostname restriction. .IP "\fBunknown_hostname_reject_code (450)\fR" The numerical Postfix SMTP server response code when the hostname specified with the HELO or EHLO command is rejected by the -reject_unknown_hostname restriction. +reject_unknown_helo_hostname restriction. .PP Available in Postfix version 2.0 and later: .IP "\fBdefault_rbl_reply (see 'postconf -d' output)\fR" diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 885f5e713..aef029374 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink 
@@ -605,16 +605,22 @@ while (<>) { s;\bpermit_sasl_authenticated\b;$&;g; s;\bpermit_tls_clientcerts\b;$&;g; s;\bpermit_tls_all_clientcerts\b;$&;g; - s;\breject_unknown_client\b;$&;g; + s;\breject_unknown_client_hostname\b;$&;g; + s;\breject_unknown_client\b;$&;g; + s;\breject_unknown_reverse_client_hostname\b;$&;g; + s;\breject_unknown_forward_client_hostname\b;$&;g; s;\breject_rbl_client\b;$&;g; s;\breject_rhsbl_client\b;$&;g; # Access restrictions - helo s;\bcheck_helo_access\b;$&;g; - s;\breject_invalid_hostname\b;$&;g; - s;\breject_non_fqdn_hostname\b;$&;g; - s;\breject_unknown_hostname\b;$&;g; + s;\breject_invalid_helo_hostname\b;$&;g; + s;\breject_invalid_hostname\b;$&;g; + s;\breject_non_fqdn_helo_hostname\b;$&;g; + s;\breject_non_fqdn_hostname\b;$&;g; + s;\breject_unknown_helo_hostname\b;$&;g; + s;\breject_unknown_hostname\b;$&;g; # Access restrictions - sender diff --git a/postfix/proto/MAILDROP_README.html b/postfix/proto/MAILDROP_README.html index 8ce2c402f..e41e127f5 100644 --- a/postfix/proto/MAILDROP_README.html +++ b/postfix/proto/MAILDROP_README.html @@ -149,7 +149,7 @@ use the Postfix local(8) delivery agent's mailbox_command_maps feature:
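Review bot: The added rule for `reject_unknown_forward_client_hostname` in the client access-restriction group has no documented counterpart anywhere in this change. postconf.proto carries the matching `$forward_client_name` text only as `#`-commented lines, and the postconf(5) pages describe just `reject_unknown_client_hostname` and `reject_unknown_reverse_client_hostname`. The replacement side of these substitutions is not visible in this rendering, so the link target is presumably an anchor that does not exist yet; if so, any mention of that name in the generated HTML becomes a dead link. I would drop the line until the feature is documented, or mark it with a comment such as `# reject_unknown_forward_client_hostname: not documented yet, anchor missing`. The `while (<>)` loop starts and ends outside the hunk.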
/etc/postfix/main.cf: - mailbox_command_maps = /etc/postfix/mailbox_commands + mailbox_command_maps = hash:/etc/postfix/mailbox_commands /etc/postfix/mailbox_commands: you /path/to/maildrop -d ${USER} diff --git a/postfix/proto/RESTRICTION_CLASS_README.html b/postfix/proto/RESTRICTION_CLASS_README.html index c3d85dd15..93ab72983 100644 --- a/postfix/proto/RESTRICTION_CLASS_README.html +++ b/postfix/proto/RESTRICTION_CLASS_README.html @@ -21,7 +21,7 @@ Per-Client/User/etc. Access ControlPostfix restriction classes
The Postfix SMTP server supports access restrictions such as -reject_rbl_client or reject_unknown_client on the right-hand side +reject_rbl_client or reject_unknown_client_hostname on the right-hand side of SMTP server access(5) tables. This allows you to implement different junk mail restrictions for different clients or users.
@@ -43,7 +43,8 @@ care about these low-level details./etc/postfix/main.cf: smtpd_restriction_classes = restrictive, permissive - restrictive = reject_unknown_sender_domain reject_unknown_client ... + # With Postfix < 2.3 specify reject_unknown_client. + restrictive = reject_unknown_sender_domain reject_unknown_client_hostname ... permissive = permit smtpd_recipient_restrictions = diff --git a/postfix/proto/SMTPD_ACCESS_README.html b/postfix/proto/SMTPD_ACCESS_README.html index c5176b41b..c97e34b36 100644 --- a/postfix/proto/SMTPD_ACCESS_README.html +++ b/postfix/proto/SMTPD_ACCESS_README.html @@ -172,7 +172,8 @@ described in the postconf(5) manual page. smtpd_client_restrictions = permit_mynetworks, reject # Don't talk to mail systems that don't know their own hostname. - smtpd_helo_restrictions = reject_unknown_hostname + # With Postfix < 2.3, specify reject_unknown_hostname. + smtpd_helo_restrictions = reject_unknown_helo_hostname # Don't accept mail from domains that don't exist. smtpd_sender_restrictions = reject_unknown_sender_domain @@ -307,7 +308,7 @@ in too much access permission: 2 smtpd_recipient_restrictions = 3 permit_mynetworks 4 check_helo_access hash:/etc/postfix/helo_access -5 reject_unknown_hostname +5 reject_unknown_helo_hostname 6 reject_unauth_destination 7 8 /etc/postfix/helo_access: @@ -315,7 +316,8 @@ in too much access permission:Line 5 rejects mail from hosts that don't specify a proper -hostname in the HELO command. Lines 4 and 9 make an exception to +hostname in the HELO command (with Postfix < 2.3, specify +reject_unknown_hostname). Lines 4 and 9 make an exception to allow mail from some machine that announces itself with "HELO localhost.localdomain".
diff --git a/postfix/proto/SMTPD_POLICY_README.html b/postfix/proto/SMTPD_POLICY_README.html index fb2bcb83e..884d0de52 100644 --- a/postfix/proto/SMTPD_POLICY_README.html +++ b/postfix/proto/SMTPD_POLICY_README.html @@ -80,6 +80,7 @@ sender=foo@bar.tld recipient=bar@foo.tld client_address=1.2.3.4 client_name=another.domain.tld +reverse_client_name=another.domain.tld instance=123.456.7 sasl_method=plain sasl_username=you @@ -115,6 +116,11 @@ size=12345 1.2.3.4 or it is an IPv6 address in the form 1:2:3::4:5:6. +For a discussion of the differences between reverse + and verified client_name information, see the + reject_unknown_client_hostname discussion in the postconf(5) + document.
+An attribute name must not contain "=", null or newline, and an attribute value must not contain null or newline.
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 5068d3fdd..09b0a5569 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -978,7 +978,19 @@ The template is subject to exactly one level of $name substitution:$client_name -The client hostname or "unknown". +The client hostname or "unknown". See reject_unknown_client_hostname +for more details. + +$reverse_client_name + +The client hostname from address->name lookup, or "unknown". +See reject_unknown_reverse_client_hostname for more details. + +#$forward_client_name +# +#The client hostname from address->name lookup followed by +#name->address lookup, or "unknown". See +#reject_unknown_forward_client_hostname for more details. $helo_name @@ -1121,8 +1133,8 @@ Do not change this unless you have a complete understanding of RFC 821. %PARAM defer_transports-The names of message delivery transports that should not be delivered -to unless someone issues "sendmail -q" or equivalent. Specify zero +The names of message delivery transports that should not deliver mail +unless someone issues "sendmail -q" or equivalent. Specify zero or more names of mail delivery transports names that appear in the first field of master.cf.
@@ -1545,7 +1557,7 @@ home directory.-Specify a pathname ending "/" for qmail-style delivery. +Specify a pathname ending in "/" for qmail-style delivery.
@@ -1751,7 +1763,7 @@ block all mail to a site.
The numerical Postfix SMTP server response code when the client -HELO or EHLO command parameter is rejected by the reject_invalid_hostname +HELO or EHLO command parameter is rejected by the reject_invalid_helo_hostname restriction.
@@ -4476,14 +4488,43 @@ any A record under rbl_domain. See the reject_rbl_client description above for additional RBL related configuration parameters. This feature is available in Postfix 2.0 and later.
-smtpd_client_restrictions = permit_mynetworks, reject_unknown_client +smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname%CLASS smtpd-tarpit Tarpit features @@ -4839,24 +4880,24 @@ Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later. -
-smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname -smtpd_helo_restrictions = permit_mynetworks, reject_unknown_hostname +smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname +smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname%PARAM smtpd_history_flush_threshold 100 @@ -5115,7 +5156,7 @@ address.
The numerical Postfix SMTP server response code when a client without valid address <=> name mapping is rejected by the -reject_unknown_client restriction. The SMTP server always replies +reject_unknown_client_hostname restriction. The SMTP server always replies with 450 when the mapping failed due to a temporary error condition.
@@ -5707,7 +5748,7 @@ Do not change this unless you have a complete understanding of RFC 821.The numerical Postfix SMTP server response code when the hostname specified with the HELO or EHLO command is rejected by the -reject_unknown_hostname restriction. +reject_unknown_helo_hostname restriction.
@@ -6757,7 +6798,7 @@ local(8) aliases(5) database.
The numerical Postfix SMTP server reply code when a client request -is rejected by the reject_non_fqdn_hostname, reject_non_fqdn_sender +is rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender or reject_non_fqdn_recipient restriction.
@@ -7798,7 +7839,7 @@ is suitable for, e.g., pop-before-smtp lookup tables.Examples:
-The Postfix < 2.2 backwards compatible setting: always rewrite +
The Postfix < 2.2 backwards compatible setting: always rewrite message headers, and always append my own domain to incomplete header addresses.
diff --git a/postfix/src/global/Makefile.in b/postfix/src/global/Makefile.in
index cdb30dae0..e950671e5 100644
--- a/postfix/src/global/Makefile.in
+++ b/postfix/src/global/Makefile.in
@@ -27,7 +27,7 @@ SRCS = abounce.c anvil_clnt.c been_here.c bounce.c bounce_log.c \
 ehlo_mask.c \
 wildcard_inet_addr.c valid_mailhost_addr.c dsn_util.c dsn_mask.c \
 dsn_attr_map.c dsn.c dsn_buf.c rcpt_buf.c rcpt_print.c dsn_print.c \
- dsb_scan.c
+ dsb_scan.c mail_conf_long.c
 OBJS = abounce.o anvil_clnt.o been_here.o bounce.o bounce_log.o \
 canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \
 clnt_stream.o debug_peer.o debug_process.o defer.o db_common.o \
@@ -56,7 +56,7 @@ OBJS = abounce.o anvil_clnt.o been_here.o bounce.o bounce_log.o \
 ehlo_mask.o \
 wildcard_inet_addr.o valid_mailhost_addr.o dsn_util.o dsn_mask.o \
 dsn_attr_map.o dsn.o dsn_buf.o rcpt_buf.o rcpt_print.o dsn_print.o \
- dsb_scan.o
+ dsb_scan.o mail_conf_long.o
 HDRS = abounce.h anvil_clnt.h been_here.h bounce.h bounce_log.h \
 canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \
 debug_peer.h debug_process.h defer.h deliver_completed.h \
@@ -968,6 +968,17 @@ mail_conf_int.o: ../../include/vstream.h
 mail_conf_int.o: ../../include/vstring.h
 mail_conf_int.o: mail_conf.h
 mail_conf_int.o: mail_conf_int.c
+mail_conf_long.o: ../../include/argv.h
+mail_conf_long.o: ../../include/dict.h
+mail_conf_long.o: ../../include/msg.h
+mail_conf_long.o: ../../include/mymalloc.h
+mail_conf_long.o: ../../include/stringops.h
+mail_conf_long.o: ../../include/sys_defs.h
+mail_conf_long.o: ../../include/vbuf.h
+mail_conf_long.o: ../../include/vstream.h
+mail_conf_long.o: ../../include/vstring.h
+mail_conf_long.o: mail_conf.h
+mail_conf_long.o: mail_conf_long.c
 mail_conf_raw.o: ../../include/msg.h
 mail_conf_raw.o: ../../include/mymalloc.h
 mail_conf_raw.o: ../../include/sys_defs.h
diff --git a/postfix/src/global/mail_conf.h b/postfix/src/global/mail_conf.h
index 25406e8da..29a2830f1 100644
--- a/postfix/src/global/mail_conf.h
+++ b/postfix/src/global/mail_conf.h
@@ -46,11 +46,13 @@ extern const char *mail_conf_lookup_eval(const char *);
 */
 extern char *get_mail_conf_str(const char *, const char *, int, int);
 extern int get_mail_conf_int(const char *, int, int, int);
+extern long get_mail_conf_long(const char *, long, long, long);
 extern int get_mail_conf_bool(const char *, int);
 extern int get_mail_conf_time(const char *, const char *, int, int);
 extern char *get_mail_conf_raw(const char *, const char *, int, int);
 extern int get_mail_conf_int2(const char *, const char *, int, int, int);
+extern long get_mail_conf_long2(const char *, const char *, long, long, long);
 extern int get_mail_conf_time2(const char *, const char *, const char *, int, int);
 /*
@@ -58,6 +60,7 @@ extern int get_mail_conf_time2(const char *, const char *, const char *, int, in
 */
 extern char *get_mail_conf_str_fn(const char *, const char *(*) (void), int, int);
 extern int get_mail_conf_int_fn(const char *, int (*) (void), int, int);
+extern long get_mail_conf_long_fn(const char *, long (*) (void), long, long);
 extern int get_mail_conf_bool_fn(const char *, int (*) (void));
 extern int get_mail_conf_time_fn(const char *, const char *(*) (void), int, int, int);
 extern char *get_mail_conf_raw_fn(const char *, const char *(*) (void), int, int);
@@ -67,6 +70,7 @@ extern char *get_mail_conf_raw_fn(const char *, const char *(*) (void), int, int
 */
 extern void set_mail_conf_str(const char *, const char *);
 extern void set_mail_conf_int(const char *, int);
+extern void set_mail_conf_long(const char *, long);
 extern void set_mail_conf_bool(const char *, int);
 extern void set_mail_conf_time(const char *, const char *);
@@ -88,7 +92,7 @@ typedef struct {
 char **target; /* pointer to global variable */
 int min; /* min length or zero */
 int max; /* max length or zero */
-} CONFIG_RAW_TABLE;
+} CONFIG_RAW_TABLE;
 typedef struct {
 const char *name; /* config variable name */
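Review bot: The new prototype `extern long get_mail_conf_long(const char *, long, long, long);` in the -46,11 hunk takes three consecutive `long` arguments with no parameter names, so a caller that transposes the default and the bounds compiles without a diagnostic and the header does not say which is which. The same applies to `get_mail_conf_long2` in this hunk and `get_mail_conf_long_fn` in the -58,6 hunk. Naming the parameters would document the order, e.g. `extern long get_mail_conf_long(const char *name, long defval, long min, long max);` — that order is presumed from the field order of CONFIG_LONG_TABLE and should be confirmed against mail_conf_long.c. The neighbouring declarations omit names too, so this would be a deliberate departure from the file's existing style.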
@@ -98,6 +102,14 @@ typedef struct {
 int max; /* upper bound or zero */
 } CONFIG_INT_TABLE;
+typedef struct {
+ const char *name; /* config variable name */
+ long defval; /* default value */
+ long *target; /* pointer to global variable */
+ long min; /* lower bound or zero */
+ long max; /* upper bound or zero */
+} CONFIG_LONG_TABLE;
+
 typedef struct {
 const char *name; /* config variable name */
 int defval; /* default value */
@@ -114,6 +126,7 @@ typedef struct {
 extern void get_mail_conf_str_table(CONFIG_STR_TABLE *);
 extern void get_mail_conf_int_table(CONFIG_INT_TABLE *);
+extern void get_mail_conf_long_table(CONFIG_LONG_TABLE *);
 extern void get_mail_conf_bool_table(CONFIG_BOOL_TABLE *);
 extern void get_mail_conf_time_table(CONFIG_TIME_TABLE *);
 extern void get_mail_conf_raw_table(CONFIG_RAW_TABLE *);
@@ -136,7 +149,7 @@ typedef struct {
 char **target; /* pointer to global variable */
 int min; /* lower bound or zero */
 int max; /* upper bound or zero */
-} CONFIG_RAW_FN_TABLE;
+} CONFIG_RAW_FN_TABLE;
 typedef struct {
 const char *name; /* config variable name */
@@ -146,6 +159,14 @@ typedef struct {
 int max; /* upper bound or zero */
 } CONFIG_INT_FN_TABLE;
+typedef struct {
+ const char *name; /* config variable name */
+ long (*defval) (void); /* default value provider */
+ long *target; /* pointer to global variable */
+ long min; /* lower bound or zero */
+ long max; /* upper bound or zero */
+} CONFIG_LONG_FN_TABLE;
+
 typedef struct {
 const char *name; /* config variable name */
 int (*defval) (void); /* default value provider */
@@ -154,6 +175,7 @@ typedef struct {
 extern void get_mail_conf_str_fn_table(CONFIG_STR_FN_TABLE *);
 extern void get_mail_conf_int_fn_table(CONFIG_INT_FN_TABLE *);
+extern void get_mail_conf_long_fn_table(CONFIG_LONG_FN_TABLE *);
 extern void get_mail_conf_bool_fn_table(CONFIG_BOOL_FN_TABLE *);
 extern void get_mail_conf_raw_fn_table(CONFIG_RAW_FN_TABLE *);
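Review bot: The field comments `long min; /* lower bound or zero */` and `long max; /* upper bound or zero */` in the new CONFIG_LONG_TABLE (-98,6 hunk) do not say what a zero bound means. If zero disables the check, as the wording suggests, a table entry that leaves both fields zero accepts whatever value the parser yields, which matters when the target is later used as a size or resource limit. I would spell the convention out, e.g. `long min; /* lower bound, or zero for no lower bound */`, and do the same for `max` and for CONFIG_LONG_FN_TABLE in the -146,6 hunk. The bound check itself lives in mail_conf_long.c, which is not fully visible here, so the zero semantics should be confirmed there before the comment is written.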
diff --git a/postfix/src/global/mail_conf_long.c b/postfix/src/global/mail_conf_long.c
new file mode 100644
index 000000000..91e488a55
--- /dev/null
+++ b/postfix/src/global/mail_conf_long.c
@@ -0,0 +1,193 @@
+/*++
+/* NAME
+/* mail_conf_long 3
+/* SUMMARY
+/* long integer-valued configuration parameter support
+/* SYNOPSIS
+/* #include