mirror of https://github.com/vdukhovni/postfix synced 2025-08-30 13:48:06 +00:00

postfix-2.12-20150117

Wietse Venema 2015-01-17 00:00:00 -05:00 committed by Viktor Dukhovni
parent 19b6598b23
commit 07c5e9a196
143 changed files with 3344 additions and 1373 deletions

postfix/.indent.pro vendored

@ -125,6 +125,7 @@
-TDICT_THASH
-TDICT_UNION
-TDICT_UNIX
-TDICT_UTF8_BACKUP
-TDNS_FIXED
-TDNS_REPLY
-TDNS_RR


@ -21209,3 +21209,206 @@ Apologies for any names omitted.
either their result is a valid ASCII domain name or that
it converts into a valid ASCII domain name. Files:
util/midna.c, util/midna_test.in, util/midna_test.ref.
20141230
Cleanup: s/midna/midna_domain/ for better specificity,
because we also need functions that act only on the domain
portion of an email address. Files: bounce/bounce_template.c,
global/midna_adomain.c, posttls-finger/posttls-finger.c,
smtp/smtp_addr.c, smtpd/smtpd_check.c, tls/tls_client.c,
util/midna_domain.[hc], util/valid_utf8_hostname.c.
Infrastructure: function midna_adomain_to_utf8() (and
midna_adomain_to_ascii) to convert the domain portion of
an email address before table lookup. Files:
global/midna_adomain.[hc].
20141230-20140109
What is described here is the result of four iterations to
deal with malformed UTF-8 without massively contaminating
every Postfix program with new error-handling code paths,
in particular without triggering fatal errors that didn't
happen before.
Infrastructure: function casefold() to support caseless
string comparison, primarily for table lookups. This function
supports two modes: case folding a la lowercase() for ASCII
byte values, and UTF-8 case folding. As recommended at
http://www.w3.org/International/wiki/Case_folding for
caseless string comparison, this uses the en_US locale to
avoid surprises. The implementatin handles
the entire RFC 3629 Unicode range (code points U+0000..U+10FFFF
including surrogates) and is chroot(2) safe. Files: casefold.c, stringops.h.
Infrastructure: revised the midna_domain_to_ascii and
midna_domain_to_utf8 domain name conversion functions after
careful reading of the UTS #46 specification, and after
observing that ICU 4.8 library functions indeed implement
this spec, at least with default options. In particular,
midna_domain_to_utf8 takes an UTF-8 domain name and verifies
that its A-label form will pass the valid_hostname() test.
File: util/midna_domain.c.
Infrastructure: handle UTF-8 errors in lookup table keys
or values without massively contaminating every Postfix
program with new error-handling code paths, in particular
without triggering fatal errors that didn't happen before.
The lookup/update/delete functions log a warning and ignore
a request with a bad key (it cannot exist); the update
functions ignore a request to store a bad value (it cannot
exist); and the lookup function reports a bad value as a
configuration error (it should not exist, but there it is).
Table iterators still report all (key, value) pairs in a
table. Files: util/dict.h, util/dict_open.c, util/dict_utf8.c,
global/mkmap_open.c.
Note that with SMTPUTF8 turned on, each table-driven mechanism
(access, aliases, etc.) needs to make its own decision
whether UTF-8 syntax is required. We cannot blindly require
that everything has valid UTF-8 syntax. That would make
header/body_checks useless for content inspection, because
headers may be malformed and bodies may contain legitimate
binary content that isn't UTF-8.
Note that with SMTPUTF8 turned off, Postfix must remain
8-bit clean as it always has been. Table operations must
not complain that something violates UTF-8 syntax rules.
UTF-8 sanitization in the Postfix SMTP server. With
smtputf8_enable=yes, SMTP commands with UTF-8 syntax errors
are rejected, table lookup results with invalid UTF-8 syntax
are handled as configuration errors, and UTF-8 syntax errors
in policy server replies result in execution of the policy
server's default action.
20150102
Cleanup: propagate DICT_ERR_CONFIG through the proxymap
protocol. Files: global/dict_proxy.[hc], proxymap/proxymap.c.
20150106
Robustness: don't segfault due to excessive recursion in
tok822_free_tree() after a faulty configuration runs into
the virtual_alias_recursion_limit. File: global/tok822_tree.c.
20150109
Cleanup: the dict debug module now proxies dict flags.
File: util/dict_debug.c.
With "smtputf8_enable = yes", the postmap and postalias
commands now enable UTF-8 by default (use "-u" to disable)
with one exception: UTF-8 remains disabled for header/body_checks
emulation (use "-U" to enable). Files: postmap/postmap.c,
postalias/postalias.c.
20150110
Cleanup: the "inline" and "texthash" implementations now
reuse the "internal" database instead of reinventing the
wheel. Files: util/dict_inline.c, util/dict_thash.c.
As a first step, with "smtputf8_enable = yes" all features
based on Postfix matchlists enable UTF-8 syntax checks and
UTF-8 casefolding for table patterns, but NOT YET for string
patterns. The list of features includes authorized_flush_users,
authorized_mailq_users, authorized_submit_users, debug_peer_list,
fast_flush_domains, mydestination, permit_mx_backup_networks,
qmqpd_authorized_clients, smtp_connection_cache_destinations,
smtpd_authorized_verp_clients, smtpd_authorized_xclient_hosts,
smtpd_authorized_xforward_hosts,
smtpd_client_event_limit_exceptions,
smtpd_log_access_permit_actions, smtpd_sasl_exceptions_networks,
the "domains" feature in ldap_table(5), memcache_table(5)
mysql_table(5), pgsql_table(5) and sqlite_table(5),
virtual_alias_domains, virtual_mailbox_domains.
20150111
Cleanup: simplified the interposition layer that adds UTF-8
support to Postfix lookup tables. Files: util/dict_utf8.c.
With "smtputf8_enable = yes", Enable UTF-8 syntax checks
and UTF-8 casefolding for SMTP server access maps, alias_maps,
canonical_maps, fallback_transport_maps,
lmtp_tls_session_cache_database, local_recipient_maps,
mailbox_command_maps, mailbox_transport_maps, rbl_reply_maps,
recipient_bcc_maps, recipient_canonical_maps, relay_recipient_maps,
relocated_maps, sender_bcc_maps, sender_canonical_maps,
sender_dependent_relayhost_maps, sender_dependent_transport_maps,
smtp_generic_maps, smtp_sasl_auth_cache_name,
smtp_sasl_password_maps, smtp_tls_per_site, smtp_tls_policy_maps,
smtp_tls_session_cache_database, smtpd_sender_login_maps,
smtpd_tls_session_cache_database, transport_maps,
virtual_alias_maps, virtual_gid_maps, virtual_mailbox_maps,
virtual_uid_maps.
20150112
Infrastructure: support for UTF-8 casefolding in match_lists.
Instead of using strcasecmp(), casefold all fixed-string
patterns during initialization, casefold a search string
at the beginning of the search, and use strcmp() for
comparison. Files: util/casefold.c util/dict.h, util/dict_utf8.c,
util/match_list.c, util/match_list.h, util/match_ops.c,
util/stringops.h, global/addr_match_list.c, global/domain_list.c,
global/namadr_list.c, global/string_list.c.
20150113
Cleanup: show the configuration parameter name in error
messages while parsing or searching match_list-based features
such as mydestination, relay_domains and a few dozen more.
Files: cleanup/cleanup_init.c, flush/flush.c,
global/addr_match_list.c, global/debug_peer.c,
global/domain_list.c, global/flush_clnt.c,
global/match_parent_style.c, global/namadr_list.c,
global/resolve_local.c, global/string_list.c, global/user_acl.[hc],
postdrop/postdrop.c, postqueue/postqueue.c,
postscreen/postscreen.c, qmqpd/qmqpd.c, sendmail/sendmail.c.,
smtp/smtp.c, smtp/smtp_sasl_glue.c, smtpd/smtpd.c,
smtpd/smtpd_check.c, trivial-rewrite/resolve.c,
util/match_list.[hc], util/match_ops.c.
Cleanup: apply printable() to all bounce(8) service
string-valued protocol fields. File: bounce/bounce.c.
Apparenly the UCI 4.8 ucasemap_utf8FoldCase() function does
not complain about UTF-8 syntax errors, so we add our own
redundant check. File: util/casefold.c.
20150115
Bitrot: prepare for future changes in OpenSSL. Viktor
Dukhovni. Files: tls/tls.h, tls/tls_dh.c, tls/tls_misc.c,
tls/tls_rsa.c, tls/tls_server.c.
Documentation: "avoid hash files here, use btree or lmdb
instead". File: proto/ADDRESS_VERIFICATION_README.html.
Safety: virtual_alias_address_length_limit (default: 1000)
to stop aliasing loops that exponentially increase the
address length with each iteration. Files: global/mail_params.h,
mantools/postlink, proto/postconf.proto, cleanup/cleanup.c,
cleanup/cleanup_init.c, cleanup/cleanup_map1n.c.
20150116
TLS wrappermode in the Postfix smtp(8) client. This introduces
a new parameter "smtp_tls_wrappermode" (default: no). Files:
global/mail_params.h, mantools/postlink, proto/postconf.proto,
smtp/lmtp_params.c, smtp/smtp.[hc], smtp/smtp_connect.c,
smtp/smtp_params.c, smtp/smtp_proto.c.
TLS wrappermode in posttls-finger(1), and some DANE-related
cleanups. This introduces a new option "-w". Viktor Dukhovni.
Files: posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c,
tls/tls.h, tls/tls_client.c, tls/tls_fprint.c.
20150117
Cleanup: missing " in \%s\" in postscreen(8) fatal error
messages. Iain Hibbert. File: postconf/postconf_master.c.
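Review bot: The date heading "20141230-20140109" in this hunk gives a range that ends before it begins; the neighbouring entries run from 20141230 to 20150117, so the end date looks like it should be 20150109. In the same hunk, "The implementatin handles" and "Apparenly the UCI 4.8 ucasemap_utf8FoldCase()" carry typos (an earlier entry in this hunk writes "ICU 4.8"), "sendmail/sendmail.c.," has a stray period, and the 20150117 entry describes postscreen(8) fatal error messages while naming postconf/postconf_master.c as the changed file; one of the two should be corrected.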


@ -204,7 +204,7 @@ verification for specific domains that often appear in forged email.
# Default setting for Postfix 2.7 and later.
# Note 1: Be sure to read the "Caching" section below!
# Note 2: Avoid hash files here. Use btree instead.
# Note 2: Avoid hash files here. Use btree or lmdb instead.
address_verify_map = btree:/var/lib/postfix/verify
/etc/postfix/sender_access:
@ -245,7 +245,7 @@ be blocked:
# Default setting for Postfix 2.7 and later.
# Note 1: Be sure to read the "Caching" section below!
# Note 2: Avoid hash files here. Use btree instead.
# Note 2: Avoid hash files here. Use btree or lmdb instead.
address_verify_map = btree:/var/lib/postfix/verify
This is also a good way to populate your cache with address verification
@ -297,7 +297,7 @@ verification results. If you specify an empty value, all address verification
results are lost after "postfix reload" or "postfix stop".
# Example 1: Default setting for Postfix 2.7 and later.
# Note: avoid hash files here. Use btree instead.
# Note: avoid hash files here. Use btree or lmdb instead.
/etc/postfix/main.cf:
address_verify_map = btree:$data_directory/verify_cache


@ -65,8 +65,25 @@ With SMTPUTF8 support enabled, Postfix changes behavior with respect to earlier
Postfix releases:
* UTF-8 is permitted in the myorigin parameter value. However, the myhostname
and mydomain parameters must specify ASCII-only domain names. This
limitation may be removed later.
and mydomain parameters must currently specify ASCII-only domain names.
This limitation may be removed later.
* UTF-8 is the only form of non-ASCII text that Postfix supports in access
tables, address rewriting tables, and other tables that are indexed with an
email address, hostname, or domain name.
* The header_checks-like and body_checks-like features are not UTF-8 enabled,
and therefore they do not enforce UTF-8 syntax rules on inputs and outputs.
The reason is that non-ASCII text may be sent in encodings other than UTF-
8, and that real email sometimes contains malformed headers. Instead of
skipping non-UTF-8 content, Postfix should be able to filter it. You may
try to enable UTF-8 processing by starting a PCRE pattern with the sequence
(*UTF8), but this is will result in "message not accepted, try again later"
errors when the PCRE pattern matcher encounters non-UTF-8 input. Other
features that are not UTF-8 enabled are smtpd_command_filter,
smtp_reply_filter, the *_delivery_status_filter features, and the
*_dns_reply_filter features (the latter because DNS is by definition an
ASCII protocol).
* The Postfix SMTP server announces SMTPUTF8 support in the EHLO response.
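Review bot: The new header_checks/body_checks bullet contains "but this is will result in"; drop the "is". The same wording appears in the HTML version of this bullet further down in the commit, so fix it in the source that both are generated from.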
@ -95,8 +112,8 @@ Postfix releases:
commands.
* The Postfix SMTP server accepts UTF-8 in email address domains, but only
after the remote SMTP client client issues the SMTPUTF8 request in MAIL
FROM or VRFY commands.
after the remote SMTP client issues the SMTPUTF8 request in MAIL FROM or
VRFY commands.
Postfix already permitted UTF-8 in message header values and in address
localparts. This does not change.
@ -180,26 +197,38 @@ disabled.
LLiimmiittaattiioonnss ooff tthhee ccuurrrreenntt iimmpplleemmeennttaattiioonn
The Postfix implementation is a work in progress; limitations are steadily
being removed. The text below describes the situation at one point in time.
NNoo aauuttoommaattiicc ccoonnvveerrssiioonnss bbeettwweeeenn AASSCCIIII aanndd UUTTFF--88 ddoommaaiinn nnaammeess..
Some background: According to RFC 6530 and related documents,
"Internationalized" domain names can appear in two forms: the UTF-8 form, and
the ASCII (xn--mumble) form. The initial Postfix SMTPUTF8 implementation
performs no automatic conversions on UTF8 strings beyond what is needed to
perform DNS lookups.
the ASCII (xn--mumble) form. "Internationalized" address localparts must be
encoded in UTF-8; the RFCs do not define an ASCII form for the same
information.
NNoo cchhaarraacctteerrsseett ccaannoonniiccaalliizzaattiioonn ffoorr nnoonn--AASSCCIIII ddoommaaiinn nnaammeess..
Postfix currently does not convert internationalized domain names from UTF-
8 into ASCII (or from ASCII into UTF-8) before using domain names in SMTP
commands and responses, before looking up domain names in mydestination,
relay_domains, access tables, etc., before using domain names in a policy
daemon or Milter request, or before logging domain names.
Postfix currently does not translate domain names from UTF-8 into ASCII (or
ASCII into UTF-8) before looking up the domain name in mydestination,
relay_domains, access tables, etc., before logging the domain name, or before
using the domain name in a policy daemon or Milter request. You will have to
configure both UTF-8 and ASCII forms in Postfix configuration files; and both
forms will have to be handled by logfile tools, policy daemons and Milters.
Postfix does, however, casefold domain names and email addresses before
matching them against a Postfix configuration parameter or lookup table.
NNoo ccaassee ccaannoonniiccaalliizzaattiioonn ffoorr nnoonn--AASSCCIIII cchhaarraacctteerrss..
* The Postfix parameters myhostname and mydomain must be in ASCII form. One
is a substring of the other, and the myhostname value is used in SMTP
commands and responses that require ASCII. The parameter myorigin (added to
local addresses without domain) supports UTF-8.
Postfix currently does not case-fold non-ASCII characters when looking up an
"Internationalized" domain name in mydestination, relay_domains, access maps,
etc. Some non-ASCII scripts do not distinguish between upper and lower case,
some have different numbers of upper and lower case characters.
* You need to configure both the ASCII and UTF-8 forms of an
Internationalized domain name in Postfix parameters such as mydestination
and relay_domains, as well as lookup table search keys.
* Milters, content filters, policy servers and logfile analysis tools need to
be able to handle both the ASCII and UTF-8 forms of Internationalized
domain names.
CCoommppaattiibbiilliittyy wwiitthh pprree--SSMMTTPPUUTTFF88 eennvviirroonnmmeennttss
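Review bot: The added sentence "Postfix does, however, casefold domain names and email addresses before matching them" does not say under which setting this applies. The HISTORY entries in this commit tie UTF-8 syntax checks and UTF-8 casefolding to "smtputf8_enable = yes"; state that condition here, so that readers do not assume non-ASCII names are casefolded with SMTPUTF8 turned off.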
@ -209,28 +238,30 @@ With Postfix, there is no need to split mailing lists into UTF-8 and non-UTF-
8 members. Postfix will try to deliver the non-UTF8 subscribers over
"traditional" non-SMTPUTF8 sessions, as long as the message has an ASCII
envelope sender address and all-ASCII header values. The mailing list manager
will have to apply RFC 2047 encoding to satisfy that last condition.
may have to apply RFC 2047 encoding to satisfy that last condition.
PPrree--eexxiissttiinngg nnoonn--AASSCCIIII eemmaaiill fflloowwss
In pre-SMTPUTF8 environments, email with UTF-8 in address localparts (and in
headers) works just fine. The vast majority of email software including Postfix
is perfectly capable of handling such email, even if pre-SMTPUTF8 standards do
not support this.
With "smtputf8_enable = no", Postfix handles email with non-ASCII in address
localparts (and in headers) as before. The vast majority of email software is
perfectly capable of handling such email, even if pre-SMTPUTF8 standards do not
support such practice.
Therefore, when Postfix SMTPUTF8 support is turned on, Postfix must not
suddenly start to break pre-existing email flows with UTF-8 in addres
localparts (and in headers).
Thus, Postfix continues to permit UTF-8 in address localparts (and in headers)
in email from and to pre-SMTPUTF8 systems. At least, that is the default (see
autodetection above).
However, when you specify "smtputf8_enable = yes", Postfix requires that non-
ASCII address information is encoded in UTF-8 and will reject other encodings
such as ISO-8859. It is not practical for Postfix to support multiple encodings
at the same time. There is no problem with RFC 2047 encodings such as "=?ISO-
8859-1?Q?text?=", because those use only characters from the ASCII
characterset.
CCrreeddiittss
* Arnt Gulbrandsen posted his patch for Unicode email support on May 15,
2014. This work was sponsored by CNNIC.
* May 15, 2014: Arnt Gulbrandsen posted his patch for Unicode email support.
This work was sponsored by CNNIC.
* Wietse integrated Arnt Gulbrandsen's code and released Postfix with
SMTPUTF8 support on July 15, 2014.
* July 15, 2014: Wietse integrated Arnt Gulbrandsen's code and released
Postfix with SMTPUTF8 support.
* January 2015: Wietse added UTF-8 support for casefolding in Postfix lookup
tables and caseless string comparison in Postfix list-based features.


@ -1,3 +1,5 @@
-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
PPoossttffiixx TTLLSS SSuuppppoorrtt
-------------------------------------------------------------------------------
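Review bot: The first line this hunk adds to the README is the fragment "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">", which is HTML doctype text and not README content. It should not appear above the "Postfix TLS Support" title; regenerate the file once the doctype line in the HTML source is well-formed again.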
@ -1811,13 +1813,62 @@ Example:
CClliieenntt--ssiiddee SSMMTTPPSS ssuuppppoorrtt
Although the Postfix SMTP client by itself doesn't support TLS wrapper mode, it
These sections show how to send mail to a server that does not support
STARTTLS, but that provides the deprecated SMTPS service on TCP port 465.
Depending on the Postfix version, some additional tooling may be required.
PPoossttffiixx >>== 22..1122
The Postfix SMTP client has SMTPS support built-in as of version 2.12. Use one
of the following examples, to send all remote mail, or to send only some remote
mail, to an SMTPS server.
PPoossttffiixx >>== 22..1122:: SSeennddiinngg aallll rreemmoottee mmaaiill ttoo aann SSMMTTPPSS sseerrvveerr
The first example will send all remote mail over SMTPS through a provider's
server called "mail.example.com":
/etc/postfix/main.cf:
# Client-side SMTPS requires "encrypt" or stronger.
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
# The [] suppress MX lookups.
relayhost = [mail.example.com]:465
Use "postfix reload" to make the change effective.
See SOHO_README for additional information about SASL authentication.
PPoossttffiixx >>== 22..1122:: SSeennddiinngg oonnllyy mmaaiill ffoorr aa ssppeecciiffiicc ddeessttiinnaattiioonn vviiaa SSMMTTPPSS
The second example will send only mail for "example.com" via SMTPS. This time,
Postfix uses a transport map to deliver only mail for "example.com" via SMTPS:
/etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport
/etc/postfix/transport:
example.com relay-smtps:example.com:465
/etc/postfix/master.cf:
relay-smtps unix - - n - - smtp
# Client-side SMTPS requires "encrypt" or stronger.
-o smtp_tls_security_level=encrypt
-o smtp_tls_wrappermode=yes
Use "postmap hash:/etc/postfix/transport" and "postfix reload" to make the
change effective.
See SOHO_README for additional information about SASL authentication.
PPoossttffiixx << 22..1122
Although older Postfix SMTP client versions do not support TLS wrapper mode, it
is relatively easy to forward a connection through the stunnel program if
Postfix needs to deliver mail to some legacy system that doesn't support
STARTTLS. Use one of the following two examples, to send only some remote mail,
or to send all remote mail, to an SMTPS server.
STARTTLS.
SSeennddiinngg aallll rreemmoottee mmaaiill ttoo aann SSMMTTPPSS sseerrvveerr
PPoossttffiixx << 22..1122:: SSeennddiinngg aallll rreemmoottee mmaaiill ttoo aann SSMMTTPPSS sseerrvveerr
The first example uses SMTPS to send all remote mail to a provider's mail
server called "mail.example.com".
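Review bot: In the new transport map example, the nexthop "relay-smtps:example.com:465" is written without [], while the main.cf example just above it comments "The [] suppress MX lookups." and uses "[mail.example.com]:465". If MX lookups for example.com are intended in the second example, say so next to the transport entry; otherwise write the nexthop in the bracketed form so that both examples behave the same way.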
@ -1847,7 +1898,9 @@ local stunnel listener on port 11125:
Use "postfix reload" to make the change effective.
SSeennddiinngg oonnllyy mmaaiill ffoorr aa ssppeecciiffiicc ddeessttiinnaattiioonn vviiaa SSMMTTPPSS
See SOHO_README for additional information about SASL authentication.
PPoossttffiixx << 22..1122:: SSeennddiinngg oonnllyy mmaaiill ffoorr aa ssppeecciiffiicc ddeessttiinnaattiioonn vviiaa SSMMTTPPSS
The second example will use SMTPS to send only mail for "example.com" via
SMTPS. It uses the same stunnel configuration file as the first example, so it
@ -1865,6 +1918,8 @@ This time, the Postfix side uses a transport map to direct only mail for
Use "postmap hash:/etc/postfix/transport" and "postfix reload" to make the
change effective.
See SOHO_README for additional information about SASL authentication.
MMiisscceellllaanneeoouuss cclliieenntt ccoonnttrroollss
The smtp_starttls_timeout parameter limits the time of Postfix SMTP client


@ -8,6 +8,20 @@ Wish list:
Things to do after the stable release:
UTF8 DNS[BW]L domain name.
Consolidate maps flags in mail_params.h instead of having
multiple copies scattered across programs.
Try to allow UTF-8 myhostname/mydomain, at least in bounce
template expansion.
No enhanced status code when rejecting connection before
the HELO handshake is completed.
Maybe don't whitelist a client that has maxed out its
per-MTA connection count limit.
Inline support for pcre:{/pattern/=action, ...} and ditto
support for regexp: and cidr: tables. Factor out and reuse
code that already exists in inline: and other tables.


@ -346,7 +346,7 @@ in forged email. </p>
# Default setting for Postfix 2.7 and later.
# Note 1: Be sure to read the "<a href="#caching">Caching</a>" section below!
# Note 2: Avoid hash files here. Use btree instead.
# Note 2: Avoid hash files here. Use btree or lmdb instead.
<a href="postconf.5.html#address_verify_map">address_verify_map</a> = <a href="DATABASE_README.html#types">btree</a>:/var/lib/postfix/verify
/etc/postfix/sender_access:
@ -393,7 +393,7 @@ you can see what mail would be blocked: </p>
# Default setting for Postfix 2.7 and later.
# Note 1: Be sure to read the "<a href="#caching">Caching</a>" section below!
# Note 2: Avoid hash files here. Use btree instead.
# Note 2: Avoid hash files here. Use btree or lmdb instead.
<a href="postconf.5.html#address_verify_map">address_verify_map</a> = <a href="DATABASE_README.html#types">btree</a>:/var/lib/postfix/verify
</pre>
</blockquote>
@ -461,7 +461,7 @@ results are lost after "postfix reload" or "postfix stop". </p>
<blockquote>
<pre>
# Example 1: Default setting for Postfix 2.7 and later.
# Note: avoid hash files here. Use btree instead.
# Note: avoid hash files here. Use btree or lmdb instead.
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#address_verify_map">address_verify_map</a> = <a href="DATABASE_README.html#types">btree</a>:$<a href="postconf.5.html#data_directory">data_directory</a>/verify_cache


@ -110,8 +110,27 @@ respect to earlier Postfix releases: </p>
<ul>
<li> <p> UTF-8 is permitted in the <a href="postconf.5.html#myorigin">myorigin</a> parameter value. However,
the <a href="postconf.5.html#myhostname">myhostname</a> and <a href="postconf.5.html#mydomain">mydomain</a> parameters must specify ASCII-only
domain names. This limitation may be removed later. </p>
the <a href="postconf.5.html#myhostname">myhostname</a> and <a href="postconf.5.html#mydomain">mydomain</a> parameters must currently specify
ASCII-only domain names. This limitation may be removed later. </p>
<li> <p> UTF-8 is the only form of non-ASCII text that Postfix
supports in access tables, address rewriting tables, and other
tables that are indexed with an email address, hostname, or domain
name. </p>
<li> <p> The <a href="postconf.5.html#header_checks">header_checks</a>-like and <a href="postconf.5.html#body_checks">body_checks</a>-like features are
not UTF-8 enabled, and therefore they do not enforce UTF-8 syntax
rules on inputs and outputs. The reason is that non-ASCII text may
be sent in encodings other than UTF-8, and that real email sometimes
contains malformed headers. Instead of skipping non-UTF-8 content,
Postfix should be able to filter it. You may try to enable UTF-8
processing by starting a PCRE pattern with the sequence (*UTF8),
but this is will result in "message not accepted, try again later"
errors when the PCRE pattern matcher encounters non-UTF-8 input.
Other features that are not UTF-8 enabled are <a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a>,
<a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a>, the *_delivery_status_filter features, and the
*_dns_reply_filter features (the latter because DNS is by definition
an ASCII protocol). </p>
<li> <p> The Postfix SMTP server announces SMTPUTF8 support in the
EHLO response. </p>
@ -145,7 +164,7 @@ MAIL FROM and VRFY commands. </p>
MAIL FROM commands. </p>
<li> <p> The Postfix SMTP server accepts UTF-8 in email address
domains, but only after the remote SMTP client client issues the
domains, but only after the remote SMTP client issues the
SMTPUTF8 request in MAIL FROM or VRFY commands. </p>
</ul>
@ -257,29 +276,47 @@ delivered it if SMTPUTF8 support was disabled. </p>
<h2> <a name="limitations">Limitations of the current implementation</a>
</h2>
<p> "Internationalized" domain names can appear in two forms: the
UTF-8 form, and the ASCII (xn--mumble) form. The initial Postfix
SMTPUTF8 implementation performs no automatic conversions on UTF8
strings beyond what is needed to perform DNS lookups. </p>
<p> The Postfix implementation is a work in progress; limitations
are steadily being removed. The text below describes the situation
at one point in time. </p>
<h3> No characterset canonicalization for non-ASCII domain names.
</h3>
<h3> No automatic conversions between ASCII and UTF-8 domain names. </h3>
<p> Postfix currently does not translate domain names from UTF-8
into ASCII (or ASCII into UTF-8) before looking up the domain name
in <a href="postconf.5.html#mydestination">mydestination</a>, <a href="postconf.5.html#relay_domains">relay_domains</a>, access tables, etc., before logging
the domain name, or before using the domain name in a policy daemon
or Milter request. You will have to configure both UTF-8 and ASCII
forms in Postfix configuration files; and both forms will have to
be handled by logfile tools, policy daemons and Milters. </p>
<p> Some background: According to <a href="http://tools.ietf.org/html/rfc6530">RFC 6530</a> and related documents,
"Internationalized" domain names can appear in two forms: the UTF-8
form, and the ASCII (xn--mumble) form. "Internationalized" address
localparts must be encoded in UTF-8; the RFCs do not define an ASCII
form for the same information. </p>
<h3> No case canonicalization for non-ASCII characters. </h3>
<p> Postfix currently does not convert internationalized domain
names from UTF-8 into ASCII (or from ASCII into UTF-8) before using
domain names in SMTP commands and responses, before looking up
domain names in <a href="postconf.5.html#mydestination">mydestination</a>, <a href="postconf.5.html#relay_domains">relay_domains</a>, access tables, etc.,
before using domain names in a policy daemon or Milter request,
or before logging domain names. </p>
<p> Postfix currently does not case-fold non-ASCII characters when
looking up an "Internationalized" domain name in <a href="postconf.5.html#mydestination">mydestination</a>,
<a href="postconf.5.html#relay_domains">relay_domains</a>, access maps, etc. Some non-ASCII scripts do not
distinguish between upper and lower case, some have different numbers
of upper and lower case characters. </p>
<p> Postfix does, however, casefold domain names and email addresses
before matching them against a Postfix configuration parameter or
lookup table. </p>
<ul>
<li> <p> The Postfix parameters <a href="postconf.5.html#myhostname">myhostname</a> and <a href="postconf.5.html#mydomain">mydomain</a> must be in
ASCII form. One is a substring of the other, and the <a href="postconf.5.html#myhostname">myhostname</a>
value is used in SMTP commands and responses that require ASCII.
The parameter <a href="postconf.5.html#myorigin">myorigin</a> (added to local addresses without domain)
supports UTF-8. </p>
<li> <p> You need to configure both the ASCII and UTF-8 forms of
an Internationalized domain name in Postfix parameters such as
<a href="postconf.5.html#mydestination">mydestination</a> and <a href="postconf.5.html#relay_domains">relay_domains</a>, as well as lookup table search
keys. </p>
<li> <p> Milters, content filters, policy servers and logfile
analysis tools need to be able to handle both the ASCII and UTF-8
forms of Internationalized domain names. </p>
</ul>
<h2> <a name="compatibility">Compatibility with pre-SMTPUTF8
environments</a> </h2>
@ -290,33 +327,36 @@ environments</a> </h2>
non-UTF-8 members. Postfix will try to deliver the non-UTF8 subscribers
over "traditional" non-SMTPUTF8 sessions, as long as the message
has an ASCII envelope sender address and all-ASCII header values.
The mailing list manager will have to apply <a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a> encoding to
The mailing list manager may have to apply <a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a> encoding to
satisfy that last condition. </p>
<h3> Pre-existing non-ASCII email flows </h3>
<p> In pre-SMTPUTF8 environments, email with UTF-8 in address
localparts (and in headers) works just fine. The vast majority
of email software including Postfix is perfectly capable of handling
such email, even if pre-SMTPUTF8 standards do not support this. </p>
<p> With "<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> = no", Postfix handles email with non-ASCII
in address localparts (and in headers) as before. The vast majority
of email software is perfectly capable of handling such email, even
if pre-SMTPUTF8 standards do not support such practice. </p>
<p> Therefore, when Postfix SMTPUTF8 support is turned on, Postfix
must not suddenly start to break pre-existing email flows with UTF-8
in addres localparts (and in headers). </p>
<p> Thus, Postfix continues to permit UTF-8 in address localparts
(and in headers) in email from and to pre-SMTPUTF8 systems. At
least, that is the default (see autodetection above). </p>
<p> However, when you specify "<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> = yes", Postfix
requires that non-ASCII address information is encoded in UTF-8 and
will reject other encodings such as ISO-8859. It is not practical
for Postfix to support multiple encodings at the same time. There
is no problem with <a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a> encodings such as "=?ISO-8859-1?Q?text?=",
because those use only characters from the ASCII characterset. </p>
<h2> <a name="credits">Credits</a> </h2>
<ul>
<li> <p> Arnt Gulbrandsen posted his patch for Unicode email support
on May 15, 2014. This work was sponsored by CNNIC. </p>
<li> <p> May 15, 2014: Arnt Gulbrandsen posted his patch for Unicode
email support. This work was sponsored by CNNIC. </p>
<li> <p> Wietse integrated Arnt Gulbrandsen's code and released
Postfix with SMTPUTF8 support on July 15, 2014. </p>
<li> <p> July 15, 2014: Wietse integrated Arnt Gulbrandsen's code
and released Postfix with SMTPUTF8 support. </p>
<li> <p> January 2015: Wietse added UTF-8 support for casefolding
in Postfix lookup tables and caseless string comparison in Postfix
list-based features. </p>
</ul>


@ -1,4 +1,4 @@
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
<doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
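Review bot: of the two doctype lines at the top of this hunk, the second reads `<doctype html public` with no "!" after the "<". If that is the line being added, the file no longer starts with a valid DOCTYPE declaration; keep `<!doctype html public ...` as in the first line.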
@ -2370,14 +2370,75 @@ the SSL/TLS protocols used with opportunistic TLS. </p>
<h3> <a name="client_smtps">Client-side SMTPS support </a> </h3>
<p> Although the Postfix SMTP client by itself doesn't support TLS
<p> These sections show how to send mail to a server that does not
support STARTTLS, but that provides the deprecated SMTPS service
on TCP port 465. Depending on the Postfix version, some additional
tooling may be required. </p>
<h4> Postfix &ge; 2.12 </h4>
<p> The Postfix SMTP client has SMTPS support built-in as of version
2.12. Use one of the following examples, to send all remote mail,
or to send only some remote mail, to an SMTPS server. </p> </p>
<h5> Postfix &ge; 2.12: Sending all remote mail to an SMTPS server </h5>
<p> The first example will send all remote mail over SMTPS through
a provider's server called "mail.example.com": </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
# Client-side SMTPS requires "encrypt" or stronger.
<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt
<a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> = yes
# The [] suppress MX lookups.
<a href="postconf.5.html#relayhost">relayhost</a> = [mail.example.com]:465
</pre>
</blockquote>
<p> Use "postfix reload" to make the change effective. </p>
<p> See <a href="SOHO_README.html">SOHO_README</a> for additional information about SASL authentication.
</p>
<h5> Postfix &ge; 2.12: Sending only mail for a specific destination
via SMTPS </h5>
<p> The second example will send only mail for "example.com" via
SMTPS. This time, Postfix uses a transport map to deliver only
mail for "example.com" via SMTPS: </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#transport_maps">transport_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/transport
/etc/postfix/transport:
example.com relay-smtps:example.com:465
/etc/postfix/<a href="master.5.html">master.cf</a>:
relay-smtps unix - - n - - smtp
# Client-side SMTPS requires "encrypt" or stronger.
-o <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>=encrypt
-o <a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a>=yes
</pre>
</blockquote>
<p> Use "postmap <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/transport" and "postfix reload"
to make the change effective. </p>
<p> See <a href="SOHO_README.html">SOHO_README</a> for additional information about SASL
authentication. </p>
<h4> Postfix &lt; 2.12 </h4>
<p> Although older Postfix SMTP client versions do not support TLS
wrapper mode, it is relatively easy to forward a connection through
the stunnel program if Postfix needs to deliver mail to some legacy
system that doesn't support STARTTLS. Use one of the following two
examples, to send only some remote mail, or to send all remote mail,
to an SMTPS server. </p>
system that doesn't support STARTTLS. </p>
<h4> Sending all remote mail to an SMTPS server </h4>
<h5> Postfix &lt; 2.12: Sending all remote mail to an SMTPS server </h5>
<p> The first example uses SMTPS to send all remote mail to a
provider's mail server called "mail.example.com". </p>
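Review bot: the intro paragraph under "Postfix &ge; 2.12" ends with `</p> </p>`, so there is a stray closing tag; drop one. Separately, the transport example uses `relay-smtps:example.com:465` without [], while the relayhost example carries the comment "The [] suppress MX lookups". It would help to say in the text whether the MX lookup is intended for the transport map case.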
@ -2420,7 +2481,10 @@ mail through the local stunnel listener on port 11125: </p>
<p> Use "postfix reload" to make the change effective. </p>
<h4> Sending only mail for a specific destination via SMTPS </h4>
<p> See <a href="SOHO_README.html">SOHO_README</a> for additional information about SASL
authentication. </p>
<h4> Postfix &lt; 2.12: Sending only mail for a specific destination via SMTPS </h4>
<p> The second example will use SMTPS to send only mail for
"example.com" via SMTPS. It uses the same stunnel configuration
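Review bot: heading levels are inconsistent under "Postfix &lt; 2.12". The "Sending only mail for a specific destination via SMTPS" heading here is still `<h4>`, while its "Sending all remote mail to an SMTPS server" counterpart earlier in this diff was changed to `<h5>`, and both "Postfix &ge; 2.12" subsections use `<h5>`. Suggest `<h5>` here as well so that both subsections nest under the `<h4> Postfix &lt; 2.12 </h4>` heading.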
@ -2442,6 +2506,9 @@ mail for "example.com" through the tunnel: </p>
<p> Use "postmap <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/transport" and "postfix reload"
to make the change effective. </p>
<p> See <a href="SOHO_README.html">SOHO_README</a> for additional information about SASL authentication.
</p>
<h3> <a name="client_misc"> Miscellaneous client controls </a> </h3>
<p> The <a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> parameter limits the time of Postfix

View File

@ -390,29 +390,35 @@ CLEANUP(8) CLEANUP(8)
<b><a href="postconf.5.html#virtual_alias_recursion_limit">virtual_alias_recursion_limit</a> (1000)</b>
The maximal nesting depth of virtual alias expansion.
Available in Postfix version 2.12 and later:
<b>virtual_alias_address_length_limit (1000)</b>
The maximal length of an email address after virtual alias
expansion.
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
How much time a Postfix daemon process may take to handle a
How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
The maximal number of digits after the decimal point when log-
The maximal number of digits after the decimal point when log-
ging sub-second delay values.
<b><a href="postconf.5.html#delay_warning_time">delay_warning_time</a> (0h)</b>
The time after which the sender receives a copy of the message
The time after which the sender receives a copy of the message
headers of mail that is still queued.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
The time limit for sending or receiving information over an
The time limit for sending or receiving information over an
internal communication channel.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix daemon process
The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
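Review bot: the new `<b>virtual_alias_address_length_limit (1000)</b>` entry is the only parameter in this list without an `<a href="postconf.5.html#...">` link; every neighbouring entry has one. The postconf page in this same commit defines the anchor name "virtual_alias_address_length_limit", so the link target exists. The rest of the hunk appears to be whitespace re-justification only.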
@ -423,7 +429,7 @@ CLEANUP(8) CLEANUP(8)
The internet hostname of this mail system.
<b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
The domain name that locally-posted mail appears to come from,
The domain name that locally-posted mail appears to come from,
and that locally posted mail is delivered to.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
@ -436,15 +442,15 @@ CLEANUP(8) CLEANUP(8)
The location of the Postfix top-level queue directory.
<b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
Safety net to keep mail queued that would otherwise be returned
Safety net to keep mail queued that would otherwise be returned
to the sender.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the process name in
syslog records, so that "smtpd" becomes, for example, "post-
The mail system name that is prepended to the process name in
syslog records, so that "smtpd" becomes, for example, "post-
fix/smtpd".
Available in Postfix version 2.1 and later:

View File

@ -555,50 +555,56 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#tlsmgr_service_name">tlsmgr_service_name</a> (tlsmgr)</b>
The name of the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.
Available in Postfix version 2.12 and later:
<b><a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> (no)</b>
Request that the Postfix SMTP client connects using the legacy
SMTPS protocol instead of using the STARTTLS command.
<b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
future release.
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
Opportunistic mode: use TLS when a remote SMTP server announces
Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear.
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
Enforcement mode: require that remote SMTP servers use TLS
Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP
With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP
server certificate.
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server host-
Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server host-
name.
<b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
cipher list.
<b>RESOURCE AND RATE CONTROLS</b>
<b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
The maximal number of parallel deliveries to the same destina-
The maximal number of parallel deliveries to the same destina-
tion via the smtp message delivery transport.
<b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b>
The maximal number of recipients per message for the smtp mes-
The maximal number of recipients per message for the smtp mes-
sage delivery transport.
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
The Postfix SMTP client time limit for completing a TCP connec-
The Postfix SMTP client time limit for completing a TCP connec-
tion, or zero (use the operating system built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the HELO or EHLO
command, and for receiving the initial remote SMTP server
The Postfix SMTP client time limit for sending the HELO or EHLO
command, and for receiving the initial remote SMTP server
response.
<b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
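Review bot: the new smtp_tls_wrappermode summary does not mention that the mode requires "smtp_tls_security_level = encrypt" or stronger, which the postconf entry added in this same commit states explicitly. A reader who enables the parameter from this manual page alone will not learn about the dependency; consider adding a short clause, or at least a pointer to the postconf text.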
@ -610,19 +616,19 @@ SMTP(8) SMTP(8)
mand, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the MAIL FROM
The Postfix SMTP client time limit for sending the MAIL FROM
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the SMTP RCPT TO
The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
The Postfix SMTP client time limit for sending the SMTP DATA
The Postfix SMTP client time limit for sending the SMTP DATA
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
The Postfix SMTP client time limit for sending the SMTP message
The Postfix SMTP client time limit for sending the SMTP message
content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
@ -636,13 +642,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
The maximal number of MX (mail exchanger) IP addresses that can
result from Postfix SMTP client mail exchanger lookups, or zero
The maximal number of MX (mail exchanger) IP addresses that can
result from Postfix SMTP client mail exchanger lookups, or zero
(no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
The maximal number of SMTP sessions per delivery request before
the Postfix SMTP client gives up or delivers to a fall-back
The maximal number of SMTP sessions per delivery request before
the Postfix SMTP client gives up or delivers to a fall-back
<a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
@ -652,17 +658,17 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and earlier:
<b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
seconds.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
Permanently enable SMTP connection caching for the specified
Permanently enable SMTP connection caching for the specified
destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
Temporarily enable SMTP connection caching while a destination
Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
<b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
@ -676,23 +682,23 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
Time limit for connection cache connect, send or receive opera-
Time limit for connection cache connect, send or receive opera-
tions.
Available in Postfix version 2.9 and later:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to
send or receive a complete record (an SMTP command line, SMTP
response line, SMTP message content line, or TLS protocol mes-
Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to
send or receive a complete record (an SMTP command line, SMTP
response line, SMTP message content line, or TLS protocol mes-
sage).
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
When SMTP connection caching is enabled, the number of times
that an SMTP session may be reused before it is closed, or zero
When SMTP connection caching is enabled, the number of times
that an SMTP session may be reused before it is closed, or zero
(no limit).
<b>SMTPUTF8 CONTROLS</b>
@ -703,21 +709,21 @@ SMTP(8) SMTP(8)
in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
<b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
Detect that a message requires SMTPUTF8 support for the speci-
Detect that a message requires SMTPUTF8 support for the speci-
fied mail origin classes.
<b>TROUBLE SHOOTING CONTROLS</b>
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
The increment in verbose logging level when a remote client or
The increment in verbose logging level when a remote client or
server matches a pattern in the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
Optional list of remote client or server hostname or network
Optional list of remote client or server hostname or network
address patterns that cause the verbose logging level to
increase by the amount specified in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
The recipient of postmaster notifications about mail delivery
The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or proto-
col errors.
@ -731,46 +737,46 @@ SMTP(8) SMTP(8)
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
Where the Postfix SMTP client should deliver mail when it
Where the Postfix SMTP client should deliver mail when it
detects a "mail loops back to myself" error condition.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
How much time a Postfix daemon process may take to handle a
How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
The maximal number of digits after the decimal point when log-
The maximal number of digits after the decimal point when log-
ging sub-second delay values.
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
Disable DNS lookups in the Postfix SMTP and LMTP clients.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
The network interface addresses that this mail system receives
The network interface addresses that this mail system receives
mail on.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (all)</b>
The Internet protocols Postfix will attempt to use when making
The Internet protocols Postfix will attempt to use when making
or accepting connections.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
The time limit for sending or receiving information over an
The time limit for sending or receiving information over an
internal communication channel.
<b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
When a remote LMTP server announces no DSN support, assume that
the server performs final delivery, and send "delivered" deliv-
When a remote LMTP server announces no DSN support, assume that
the server performs final delivery, and send "delivered" deliv-
ery status notifications instead of "relayed".
<b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
The default TCP port that the Postfix LMTP client connects to.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix daemon process
The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
@ -784,20 +790,20 @@ SMTP(8) SMTP(8)
The process name of a Postfix command or daemon process.
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The network interface addresses that this mail system receives
The network interface addresses that this mail system receives
mail on by way of a proxy or network address translation unit.
<b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b>
The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
client will try first, when a destination has IPv6 and IPv4
client will try first, when a destination has IPv6 and IPv4
addresses with equal MX preference.
<b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
An optional numerical network address that the Postfix SMTP
An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv4 connection.
<b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
An optional numerical network address that the Postfix SMTP
An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv6 connection.
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
@ -817,8 +823,8 @@ SMTP(8) SMTP(8)
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the process name in
syslog records, so that "smtpd" becomes, for example, "post-
The mail system name that is prepended to the process name in
syslog records, so that "smtpd" becomes, for example, "post-
fix/smtpd".
Available with Postfix 2.2 and earlier:
@ -836,7 +842,7 @@ SMTP(8) SMTP(8)
Available with Postfix 2.12 and later:
<b><a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a> (rcpt)</b>
In the context of email address verification, the SMTP protocol
In the context of email address verification, the SMTP protocol
stage that determines whether an email address is deliverable.
<b>SEE ALSO</b>

View File

@ -10,7 +10,7 @@ POSTALIAS(1) POSTALIAS(1)
postalias - Postfix alias database maintenance
<b>SYNOPSIS</b>
<b>postalias</b> [<b>-Nfinoprsvw</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] [<b>-d</b> <i>key</i>] [<b>-q</b> <i>key</i>]
<b>postalias</b> [<b>-Nfinoprsuvw</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] [<b>-d</b> <i>key</i>] [<b>-q</b> <i>key</i>]
[<i>file</i><b>_</b><i>type</i>:]<i>file</i><b>_</b><i>name</i> ...
<b>DESCRIPTION</b>
@ -95,6 +95,10 @@ POSTALIAS(1) POSTALIAS(1)
order. This feature is available in Postfix version 2.2 and
later, and is not available for all database types.
<b>-u</b> Disable UTF-8 support. UTF-8 support is enabled by default when
"<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> = yes". It requires that keys and values are
valid UTF-8 strings.
<b>-v</b> Enable verbose logging for debugging purposes. Multiple <b>-v</b>
options make the software increasingly verbose.
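Review bot: the -u text is ambiguous. After "Disable UTF-8 support", the sentence "It requires that keys and values are valid UTF-8 strings" reads as if the -u option imposes the requirement, when the requirement belongs to the default (enabled) behaviour. Suggest rewording to something like "When enabled, UTF-8 support requires that keys and values are valid UTF-8 strings", and stating what happens to an entry that fails the check.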
@ -183,12 +187,16 @@ POSTALIAS(1) POSTALIAS(1)
The default database type for use in <a href="newaliases.1.html"><b>newaliases</b>(1)</a>, <a href="postalias.1.html"><b>postalias</b>(1)</a>
and <a href="postmap.1.html"><b>postmap</b>(1)</a> commands.
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
Enable experimental SMTPUTF8 support for the protocols described
in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the process name in
syslog records, so that "smtpd" becomes, for example, "post-
The mail system name that is prepended to the process name in
syslog records, so that "smtpd" becomes, for example, "post-
fix/smtpd".
<b>STANDARDS</b>

View File

@ -9891,8 +9891,8 @@ SMTP servers that reject recipients after the DATA command. Use
<blockquote>
<pre>
/etc/postfix/transport:
smtp-domain_that_verifies_after_data smtp-data-target:
lmtp-domain_that_verifies_after_data lmtp-data-target:
smtp-domain-that-verifies-after-data smtp-data-target:
lmtp-domain-that-verifies-after-data lmtp-data-target:
</pre>
</blockquote>
@ -12916,6 +12916,35 @@ example.com verify match=hostname:nexthop
<p> This feature is available in Postfix 2.3 and later. </p>
</DD>
<DT><b><a name="smtp_tls_wrappermode">smtp_tls_wrappermode</a>
(default: no)</b></DT><DD>
<p> Request that the Postfix SMTP client connects using the
legacy SMTPS protocol instead of using the STARTTLS command. </p>
<p> This mode requires "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt" or
stronger. </p>
<p> Example: deliver all remote mail via a provider's server
"mail.example.com". </p>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
# Client-side SMTPS requires "encrypt" or stronger.
<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt
<a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> = yes
# The [] suppress MX lookups.
<a href="postconf.5.html#relayhost">relayhost</a> = [mail.example.com]:465
</pre>
<p> More examples are in <a href="TLS_README.html">TLS_README</a>, including examples for older
Postfix versions. </p>
<p> This feature is available in Postfix 2.12 and later. </p>
</DD>
<DT><b><a name="smtp_use_tls">smtp_use_tls</a>
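Review bot: the example under smtp_tls_wrappermode uses a bare `<pre>` block, while the transport example earlier in this file and the matching example in TLS_README both wrap `<pre>` in `<blockquote>`. Wrap it the same way for consistent rendering.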
@ -18869,6 +18898,22 @@ This feature is available in Postfix 1.1 and later.
</p>
</DD>
<DT><b><a name="virtual_alias_address_length_limit">virtual_alias_address_length_limit</a>
(default: 1000)</b></DT><DD>
<p>
The maximal length of an email address after virtual alias expansion.
This stops virtual aliasing loops that increase the address length
exponentially.
</p>
<p>
This feature is available in Postfix 2.12 and later.
</p>
</DD>
<DT><b><a name="virtual_alias_domains">virtual_alias_domains</a>
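Review bot: the virtual_alias_address_length_limit text says the limit "stops virtual aliasing loops" but not what happens to the message or recipient when an expanded address exceeds it (rejected, deferred, logged?), nor whether the length is counted in bytes or characters. Both matter to an operator who hits the limit; please document them here.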

View File

@ -10,7 +10,7 @@ POSTMAP(1) POSTMAP(1)
postmap - Postfix lookup table management
<b>SYNOPSIS</b>
<b>postmap</b> [<b>-Nbfhimnoprsvw</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] [<b>-d</b> <i>key</i>] [<b>-q</b> <i>key</i>]
<b>postmap</b> [<b>-NbfhimnoprsuUvw</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] [<b>-d</b> <i>key</i>] [<b>-q</b> <i>key</i>]
[<i>file</i><b>_</b><i>type</i>:]<i>file</i><b>_</b><i>name</i> ...
<b>DESCRIPTION</b>
@ -66,6 +66,10 @@ POSTMAP(1) POSTMAP(1)
style lookup keys for attachment MIME headers and for attached
message/* headers.
NOTE: with "<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> = yes", the <b>-b</b> option option dis-
ables UTF-8 syntax checks on query keys and lookup results.
Specify the <b>-U</b> option to force UTF-8 syntax checks anyway.
This feature is available in Postfix version 2.6 and later.
<b>-c</b> <i>config</i><b>_</b><i>dir</i>
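Review bot: duplicated word in the added NOTE: "the <b>-b</b> option option dis-ables UTF-8 syntax checks" should read "the -b option disables".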
@ -99,6 +103,10 @@ POSTMAP(1) POSTMAP(1)
also generates header-style lookup keys for attachment MIME
headers and for attached message/* headers.
NOTE: with "<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> = yes", the <b>-b</b> option option dis-
ables UTF-8 syntax checks on query keys and lookup results.
Specify the <b>-U</b> option to force UTF-8 syntax checks anyway.
This feature is available in Postfix version 2.6 and later.
<b>-i</b> Incremental mode. Read entries from standard input and do not
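Review bot: this NOTE follows the text about header-style lookup keys, yet it names the -b option, and it repeats the "option option" duplication. If this is the -h description, as the surrounding context suggests, the NOTE should say "the -h option disables UTF-8 syntax checks"; the -U text later in this file refers to both "-b and -h".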
@ -145,10 +153,17 @@ POSTMAP(1) POSTMAP(1)
This feature is available in Postfix version 2.2 and later, and
is not available for all database types.
<b>-v</b> Enable verbose logging for debugging purposes. Multiple <b>-v</b>
<b>-u</b> Disable UTF-8 support. UTF-8 support is enabled by default when
"<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> = yes". It requires that keys and values are
valid UTF-8 strings.
<b>-U</b> With "<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> = yes", force UTF-8 syntax checks with the
<b>-b</b> and <b>-h</b> options.
<b>-v</b> Enable verbose logging for debugging purposes. Multiple <b>-v</b>
options make the software increasingly verbose.
<b>-w</b> When updating a table, do not complain about attempts to update
<b>-w</b> When updating a table, do not complain about attempts to update
existing entries, and ignore those attempts.
Arguments:
@ -160,32 +175,32 @@ POSTMAP(1) POSTMAP(1)
The <a href="postmap.1.html"><b>postmap</b>(1)</a> command can query any supported file type, but it
can create only the following file types:
<b>btree</b> The output file is a btree file, named <i>file</i><b>_</b><i>name</i><b>.db</b>.
This is available on systems with support for <b>db</b> data-
<b>btree</b> The output file is a btree file, named <i>file</i><b>_</b><i>name</i><b>.db</b>.
This is available on systems with support for <b>db</b> data-
bases.
<b>cdb</b> The output consists of one file, named <i>file</i><b>_</b><i>name</i><b>.cdb</b>.
This is available on systems with support for <b>cdb</b> data-
<b>cdb</b> The output consists of one file, named <i>file</i><b>_</b><i>name</i><b>.cdb</b>.
This is available on systems with support for <b>cdb</b> data-
bases.
<b>dbm</b> The output consists of two files, named <i>file</i><b>_</b><i>name</i><b>.pag</b> and
<i>file</i><b>_</b><i>name</i><b>.dir</b>. This is available on systems with support
for <b>dbm</b> databases.
<b>hash</b> The output file is a hashed file, named <i>file</i><b>_</b><i>name</i><b>.db</b>.
This is available on systems with support for <b>db</b> data-
<b>hash</b> The output file is a hashed file, named <i>file</i><b>_</b><i>name</i><b>.db</b>.
This is available on systems with support for <b>db</b> data-
bases.
<b>fail</b> A table that reliably fails all requests. The lookup ta-
ble name is used for logging only. This table exists to
<b>fail</b> A table that reliably fails all requests. The lookup ta-
ble name is used for logging only. This table exists to
simplify Postfix error tests.
<b>sdbm</b> The output consists of two files, named <i>file</i><b>_</b><i>name</i><b>.pag</b> and
<i>file</i><b>_</b><i>name</i><b>.dir</b>. This is available on systems with support
for <b>sdbm</b> databases.
When no <i>file</i><b>_</b><i>type</i> is specified, the software uses the database
type specified via the <b><a href="postconf.5.html#default_database_type">default_database_type</a></b> configuration
When no <i>file</i><b>_</b><i>type</i> is specified, the software uses the database
type specified via the <b><a href="postconf.5.html#default_database_type">default_database_type</a></b> configuration
parameter.
<i>file</i><b>_</b><i>name</i>
@ -194,11 +209,11 @@ POSTMAP(1) POSTMAP(1)
<b>DIAGNOSTICS</b>
Problems are logged to the standard error stream and to <b>syslogd</b>(8). No
output means that no problems were detected. Duplicate entries are
output means that no problems were detected. Duplicate entries are
skipped and are flagged with a warning.
<a href="postmap.1.html"><b>postmap</b>(1)</a> terminates with zero exit status in case of success (includ-
ing successful "<b>postmap -q</b>" lookup) and terminates with non-zero exit
ing successful "<b>postmap -q</b>" lookup) and terminates with non-zero exit
status in case of failure.
<b>ENVIRONMENT</b>
@ -209,12 +224,12 @@ POSTMAP(1) POSTMAP(1)
Enable verbose logging for debugging purposes.
<b>CONFIGURATION PARAMETERS</b>
The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant to this pro-
gram. The text below provides only a parameter summary. See <a href="postconf.5.html"><b>post-</b></a>
The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant to this pro-
gram. The text below provides only a parameter summary. See <a href="postconf.5.html"><b>post-</b></a>
<a href="postconf.5.html"><b>conf</b>(5)</a> for more details including examples.
<b><a href="postconf.5.html#berkeley_db_create_buffer_size">berkeley_db_create_buffer_size</a> (16777216)</b>
The per-table I/O buffer size for programs that create Berkeley
The per-table I/O buffer size for programs that create Berkeley
DB hash or btree tables.
<b><a href="postconf.5.html#berkeley_db_read_buffer_size">berkeley_db_read_buffer_size</a> (131072)</b>
@ -222,13 +237,17 @@ POSTMAP(1) POSTMAP(1)
hash or btree tables.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files.
<b><a href="postconf.5.html#default_database_type">default_database_type</a> (see 'postconf -d' output)</b>
The default database type for use in <a href="newaliases.1.html"><b>newaliases</b>(1)</a>, <a href="postalias.1.html"><b>postalias</b>(1)</a>
and <a href="postmap.1.html"><b>postmap</b>(1)</a> commands.
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
Enable experimental SMTPUTF8 support for the protocols described
in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.


@ -555,50 +555,56 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#tlsmgr_service_name">tlsmgr_service_name</a> (tlsmgr)</b>
The name of the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.
Available in Postfix version 2.12 and later:
<b><a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> (no)</b>
Request that the Postfix SMTP client connects using the legacy
SMTPS protocol instead of using the STARTTLS command.
<b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
future release.
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
Opportunistic mode: use TLS when a remote SMTP server announces
Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear.
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
Enforcement mode: require that remote SMTP servers use TLS
Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP
With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP
server certificate.
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server host-
Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server host-
name.
<b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
cipher list.
<b>RESOURCE AND RATE CONTROLS</b>
<b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
The maximal number of parallel deliveries to the same destina-
The maximal number of parallel deliveries to the same destina-
tion via the smtp message delivery transport.
<b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b>
The maximal number of recipients per message for the smtp mes-
The maximal number of recipients per message for the smtp mes-
sage delivery transport.
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
The Postfix SMTP client time limit for completing a TCP connec-
The Postfix SMTP client time limit for completing a TCP connec-
tion, or zero (use the operating system built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the HELO or EHLO
command, and for receiving the initial remote SMTP server
The Postfix SMTP client time limit for sending the HELO or EHLO
command, and for receiving the initial remote SMTP server
response.
<b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
@ -610,19 +616,19 @@ SMTP(8) SMTP(8)
mand, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the MAIL FROM
The Postfix SMTP client time limit for sending the MAIL FROM
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the SMTP RCPT TO
The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
The Postfix SMTP client time limit for sending the SMTP DATA
The Postfix SMTP client time limit for sending the SMTP DATA
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
The Postfix SMTP client time limit for sending the SMTP message
The Postfix SMTP client time limit for sending the SMTP message
content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
@ -636,13 +642,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
The maximal number of MX (mail exchanger) IP addresses that can
result from Postfix SMTP client mail exchanger lookups, or zero
The maximal number of MX (mail exchanger) IP addresses that can
result from Postfix SMTP client mail exchanger lookups, or zero
(no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
The maximal number of SMTP sessions per delivery request before
the Postfix SMTP client gives up or delivers to a fall-back
The maximal number of SMTP sessions per delivery request before
the Postfix SMTP client gives up or delivers to a fall-back
<a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
@ -652,17 +658,17 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and earlier:
<b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
seconds.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
Permanently enable SMTP connection caching for the specified
Permanently enable SMTP connection caching for the specified
destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
Temporarily enable SMTP connection caching while a destination
Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
<b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
@ -676,23 +682,23 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
Time limit for connection cache connect, send or receive opera-
Time limit for connection cache connect, send or receive opera-
tions.
Available in Postfix version 2.9 and later:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to
send or receive a complete record (an SMTP command line, SMTP
response line, SMTP message content line, or TLS protocol mes-
Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to
send or receive a complete record (an SMTP command line, SMTP
response line, SMTP message content line, or TLS protocol mes-
sage).
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
When SMTP connection caching is enabled, the number of times
that an SMTP session may be reused before it is closed, or zero
When SMTP connection caching is enabled, the number of times
that an SMTP session may be reused before it is closed, or zero
(no limit).
<b>SMTPUTF8 CONTROLS</b>
@ -703,21 +709,21 @@ SMTP(8) SMTP(8)
in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
<b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
Detect that a message requires SMTPUTF8 support for the speci-
Detect that a message requires SMTPUTF8 support for the speci-
fied mail origin classes.
<b>TROUBLE SHOOTING CONTROLS</b>
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
The increment in verbose logging level when a remote client or
The increment in verbose logging level when a remote client or
server matches a pattern in the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
Optional list of remote client or server hostname or network
Optional list of remote client or server hostname or network
address patterns that cause the verbose logging level to
increase by the amount specified in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
The recipient of postmaster notifications about mail delivery
The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or proto-
col errors.
@ -731,46 +737,46 @@ SMTP(8) SMTP(8)
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
Where the Postfix SMTP client should deliver mail when it
Where the Postfix SMTP client should deliver mail when it
detects a "mail loops back to myself" error condition.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
How much time a Postfix daemon process may take to handle a
How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
The maximal number of digits after the decimal point when log-
The maximal number of digits after the decimal point when log-
ging sub-second delay values.
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
Disable DNS lookups in the Postfix SMTP and LMTP clients.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
The network interface addresses that this mail system receives
The network interface addresses that this mail system receives
mail on.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (all)</b>
The Internet protocols Postfix will attempt to use when making
The Internet protocols Postfix will attempt to use when making
or accepting connections.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
The time limit for sending or receiving information over an
The time limit for sending or receiving information over an
internal communication channel.
<b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
When a remote LMTP server announces no DSN support, assume that
the server performs final delivery, and send "delivered" deliv-
When a remote LMTP server announces no DSN support, assume that
the server performs final delivery, and send "delivered" deliv-
ery status notifications instead of "relayed".
<b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
The default TCP port that the Postfix LMTP client connects to.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix daemon process
The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
@ -784,20 +790,20 @@ SMTP(8) SMTP(8)
The process name of a Postfix command or daemon process.
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The network interface addresses that this mail system receives
The network interface addresses that this mail system receives
mail on by way of a proxy or network address translation unit.
<b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b>
The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
client will try first, when a destination has IPv6 and IPv4
client will try first, when a destination has IPv6 and IPv4
addresses with equal MX preference.
<b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
An optional numerical network address that the Postfix SMTP
An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv4 connection.
<b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
An optional numerical network address that the Postfix SMTP
An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv6 connection.
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
@ -817,8 +823,8 @@ SMTP(8) SMTP(8)
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the process name in
syslog records, so that "smtpd" becomes, for example, "post-
The mail system name that is prepended to the process name in
syslog records, so that "smtpd" becomes, for example, "post-
fix/smtpd".
Available with Postfix 2.2 and earlier:
@ -836,7 +842,7 @@ SMTP(8) SMTP(8)
Available with Postfix 2.12 and later:
<b><a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a> (rcpt)</b>
In the context of email address verification, the SMTP protocol
In the context of email address verification, the SMTP protocol
stage that determines whether an email address is deliverable.
<b>SEE ALSO</b>


@ -9,7 +9,7 @@ Postfix alias database maintenance
.na
.nf
.fi
\fBpostalias\fR [\fB-Nfinoprsvw\fR] [\fB-c \fIconfig_dir\fR]
\fBpostalias\fR [\fB-Nfinoprsuvw\fR] [\fB-c \fIconfig_dir\fR]
[\fB-d \fIkey\fR] [\fB-q \fIkey\fR]
[\fIfile_type\fR:]\fIfile_name\fR ...
.SH DESCRIPTION
@ -99,6 +99,10 @@ printed in database order, which is not necessarily the same
as the original input order.
This feature is available in Postfix version 2.2 and later,
and is not available for all database types.
.IP \fB-u\fR
Disable UTF-8 support. UTF-8 support is enabled by default
when "smtputf8_enable = yes". It requires that keys and
values are valid UTF-8 strings.
.IP \fB-v\fR
Enable verbose logging for debugging purposes. Multiple \fB-v\fR
options make the software increasingly verbose.
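Review bot: in the new \fB-u\fR entry, the sentence "It requires that keys and values are valid UTF-8 strings" has an ambiguous subject. Coming straight after "Disable UTF-8 support", it can be read as a requirement of -u itself rather than of the default UTF-8 mode. Suggest "When enabled, UTF-8 support requires that keys and values are valid UTF-8 strings", plus one sentence on what postalias does with an entry that fails that check, so an operator knows whether a malformed line is skipped or stops the build.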
@ -188,6 +192,9 @@ hash or btree tables.
.IP "\fBdefault_database_type (see 'postconf -d' output)\fR"
The default database type for use in \fBnewaliases\fR(1), \fBpostalias\fR(1)
and \fBpostmap\fR(1) commands.
.IP "\fBsmtputf8_enable (yes)\fR"
Enable experimental SMTPUTF8 support for the protocols described
in RFC 6531..6533.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
.IP "\fBsyslog_name (see 'postconf -d' output)\fR"


@ -9,7 +9,7 @@ Postfix lookup table management
.na
.nf
.fi
\fBpostmap\fR [\fB-Nbfhimnoprsvw\fR] [\fB-c \fIconfig_dir\fR]
\fBpostmap\fR [\fB-NbfhimnoprsuUvw\fR] [\fB-c \fIconfig_dir\fR]
[\fB-d \fIkey\fR] [\fB-q \fIkey\fR]
[\fIfile_type\fR:]\fIfile_name\fR ...
.SH DESCRIPTION
@ -81,6 +81,11 @@ parsing with \fB-m\fR. With this, the \fB-b\fR option
generates no body-style lookup keys for attachment MIME
headers and for attached message/* headers.
.sp
NOTE: with "smtputf8_enable = yes", the \fB-b\fR option
option disables UTF-8 syntax checks on query keys and
lookup results. Specify the \fB-U\fR option to force UTF-8
syntax checks anyway.
.sp
This feature is available in Postfix version 2.6 and later.
.IP "\fB-c \fIconfig_dir\fR"
Read the \fBmain.cf\fR configuration file in the named directory
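Review bot: the NOTE added under \fB-b\fR repeats a word across the line break: the first line ends in "the \fB-b\fR option" and the next begins "option disables UTF-8 syntax checks". Drop the second "option".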
@ -114,6 +119,11 @@ parsing with \fB-m\fR. With this, the \fB-h\fR option also
generates header-style lookup keys for attachment MIME
headers and for attached message/* headers.
.sp
NOTE: with "smtputf8_enable = yes", the \fB-b\fR option
option disables UTF-8 syntax checks on query keys and
lookup results. Specify the \fB-U\fR option to force UTF-8
syntax checks anyway.
.sp
This feature is available in Postfix version 2.6 and later.
.IP \fB-i\fR
Incremental mode. Read entries from standard input and do not
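Review bot: the NOTE added to the \fB-h\fR section names the wrong option. It reads "the \fB-b\fR option option disables UTF-8 syntax checks", which looks copied from the -b section together with the doubled "option". It should say "the \fB-h\fR option disables UTF-8 syntax checks", so that readers of this entry know header-style lookups also skip the checks unless \fB-U\fR is given.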
@ -161,6 +171,13 @@ as the original input order.
.sp
This feature is available in Postfix version 2.2 and later,
and is not available for all database types.
.IP \fB-u\fR
Disable UTF-8 support. UTF-8 support is enabled by default
when "smtputf8_enable = yes". It requires that keys and
values are valid UTF-8 strings.
.IP \fB-U\fR
With "smtputf8_enable = yes", force UTF-8 syntax checks
with the \fB-b\fR and \fB-h\fR options.
.IP \fB-v\fR
Enable verbose logging for debugging purposes. Multiple \fB-v\fR
options make the software increasingly verbose.
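Review bot: the new \fB-u\fR and \fB-U\fR entries do not say how the two interact. \fB-u\fR disables UTF-8 support and \fB-U\fR forces UTF-8 syntax checks with \fB-b\fR and \fB-h\fR, but nothing states which one takes effect when both are given on the same command line. Add a sentence giving the precedence, or state that the combination is rejected.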
@ -245,6 +262,9 @@ configuration files.
.IP "\fBdefault_database_type (see 'postconf -d' output)\fR"
The default database type for use in \fBnewaliases\fR(1), \fBpostalias\fR(1)
and \fBpostmap\fR(1) commands.
.IP "\fBsmtputf8_enable (yes)\fR"
Enable experimental SMTPUTF8 support for the protocols described
in RFC 6531..6533.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
.IP "\fBsyslog_name (see 'postconf -d' output)\fR"


@ -6113,8 +6113,8 @@ transport_maps to apply this feature selectively:
.na
.ft C
/etc/postfix/transport:
smtp-domain_that_verifies_after_data smtp-data-target:
lmtp-domain_that_verifies_after_data lmtp-data-target:
smtp-domain-that-verifies-after-data smtp-data-target:
lmtp-domain-that-verifies-after-data lmtp-data-target:
.fi
.ad
.ft R
@ -8538,6 +8538,33 @@ example.com verify match=hostname:nexthop
.ft R
.PP
This feature is available in Postfix 2.3 and later.
.SH smtp_tls_wrappermode (default: no)
Request that the Postfix SMTP client connects using the
legacy SMTPS protocol instead of using the STARTTLS command.
.PP
This mode requires "smtp_tls_security_level = encrypt" or
stronger.
.PP
Example: deliver all remote mail via a provider's server
"mail.example.com".
.PP
.nf
.na
.ft C
/etc/postfix/main.cf:
# Client-side SMTPS requires "encrypt" or stronger.
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
# The [] suppress MX lookups.
relayhost = [mail.example.com]:465
.fi
.ad
.ft R
.PP
More examples are in TLS_README, including examples for older
Postfix versions.
.PP
This feature is available in Postfix 2.12 and later.
.SH smtp_use_tls (default: no)
Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear. Beware:
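Review bot: in the new smtp_tls_wrappermode entry, the sentence "This mode requires "smtp_tls_security_level = encrypt" or stronger" does not say what happens when wrappermode is "yes" and the security level is weaker or unset. Document the resulting behaviour (configuration error, deferred delivery, or something else) so that nobody has to guess whether the client could end up speaking plaintext to port 465.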
@ -12884,6 +12911,12 @@ The characters Postfix accepts as VERP delimiter characters on the
Postfix \fBsendmail\fR(1) command line and in SMTP commands.
.PP
This feature is available in Postfix 1.1 and later.
.SH virtual_alias_address_length_limit (default: 1000)
The maximal length of an email address after virtual alias expansion.
This stops virtual aliasing loops that increase the address length
exponentially.
.PP
This feature is available in Postfix 2.12 and later.
.SH virtual_alias_domains (default: $virtual_alias_maps)
Postfix is final destination for the specified list of virtual
alias domains, that is, domains for which all addresses are aliased
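Review bot: the new virtual_alias_address_length_limit entry gives neither the unit of "length" nor the outcome when the limit is hit. Since this patch also documents UTF-8 addresses (smtputf8_enable), say whether the 1000 is counted in bytes or in characters, and state what happens to a recipient whose expansion exceeds it, for example whether the message is deferred or bounced and what is logged.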


@ -348,6 +348,10 @@ The maximal number of addresses that virtual alias expansion produces
from each original recipient.
.IP "\fBvirtual_alias_recursion_limit (1000)\fR"
The maximal nesting depth of virtual alias expansion.
.PP
Available in Postfix version 2.12 and later:
.IP "\fBvirtual_alias_address_length_limit (1000)\fR"
The maximal length of an email address after virtual alias expansion.
.SH "MISCELLANEOUS CONTROLS"
.na
.nf


@ -494,6 +494,11 @@ not an alias and its address records lie in an unsigned zone.
RFC 6698 trust-anchor digest support in the Postfix TLS library.
.IP "\fBtlsmgr_service_name (tlsmgr)\fR"
The name of the \fBtlsmgr\fR(8) service entry in master.cf.
.PP
Available in Postfix version 2.12 and later:
.IP "\fBsmtp_tls_wrappermode (no)\fR"
Request that the Postfix SMTP client connects using the
legacy SMTPS protocol instead of using the STARTTLS command.
.SH "OBSOLETE STARTTLS CONTROLS"
.na
.nf


@ -614,6 +614,7 @@ while (<>) {
s;\bunverified_recipient_reject_reason\b;<a href="postconf.5.html#unverified_recipient_reject_reason">$&</a>;g;
s;\bunverified_sender_reject_reason\b;<a href="postconf.5.html#unverified_sender_reject_reason">$&</a>;g;
s;\bverp_delimiter_filter\b;<a href="postconf.5.html#verp_delimiter_filter">$&</a>;g;
s;\bvir[-</bB>]*\n*[ <bB>]*tual_alias_address_length_limit\b;<a href="postconf.5.html#virtual_alias_address_length_limit">$&</a>;g;
s;\bvir[-</bB>]*\n*[ <bB>]*tual_alias_domains\b;<a href="postconf.5.html#virtual_alias_domains">$&</a>;g;
s;\bvir[-</bB>]*\n*[ <bB>]*tual_alias_expansion_limit\b;<a href="postconf.5.html#virtual_alias_expansion_limit">$&</a>;g;
s;\bvir[-</bB>]*\n*[ <bB>]*tual_alias_maps\b;<a href="postconf.5.html#virtual_alias_maps">$&</a>;g;
@ -667,6 +668,7 @@ while (<>) {
s;\bsmtp_tls_session_cache_timeout\b;<a href="postconf.5.html#smtp_tls_session_cache_timeout">$&</a>;g;
s;\bsmtp_tls_block_early_mail_reply\b;<a href="postconf.5.html#smtp_tls_block_early_mail_reply">$&</a>;g;
s;\bsmtp_tls_force_insecure_host_tlsa_lookup\b;<a href="postconf.5.html#smtp_tls_force_insecure_host_tlsa_lookup">$&</a>;g;
s;\bsmtp_tls_wrappermode\b;<a href="postconf.5.html#smtp_tls_wrappermode">$&</a>;g;
s;\bsmtp_use_tls\b;<a href="postconf.5.html#smtp_use_tls">$&</a>;g;
s;\bsmtp_header_checks\b;<a href="postconf.5.html#smtp_header_checks">$&</a>;g;
s;\bsmtp_mime_header_checks\b;<a href="postconf.5.html#smtp_mime_header_checks">$&</a>;g;


@ -346,7 +346,7 @@ in forged email. </p>
# Default setting for Postfix 2.7 and later.
# Note 1: Be sure to read the "<a href="#caching">Caching</a>" section below!
# Note 2: Avoid hash files here. Use btree instead.
# Note 2: Avoid hash files here. Use btree or lmdb instead.
address_verify_map = btree:/var/lib/postfix/verify
/etc/postfix/sender_access:
@ -393,7 +393,7 @@ you can see what mail would be blocked: </p>
# Default setting for Postfix 2.7 and later.
# Note 1: Be sure to read the "<a href="#caching">Caching</a>" section below!
# Note 2: Avoid hash files here. Use btree instead.
# Note 2: Avoid hash files here. Use btree or lmdb instead.
address_verify_map = btree:/var/lib/postfix/verify
</pre>
</blockquote>
@ -461,7 +461,7 @@ results are lost after "postfix reload" or "postfix stop". </p>
<blockquote>
<pre>
# Example 1: Default setting for Postfix 2.7 and later.
# Note: avoid hash files here. Use btree instead.
# Note: avoid hash files here. Use btree or lmdb instead.
/etc/postfix/main.cf:
address_verify_map = btree:$data_directory/verify_cache


@ -110,8 +110,27 @@ respect to earlier Postfix releases: </p>
<ul>
<li> <p> UTF-8 is permitted in the myorigin parameter value. However,
the myhostname and mydomain parameters must specify ASCII-only
domain names. This limitation may be removed later. </p>
the myhostname and mydomain parameters must currently specify
ASCII-only domain names. This limitation may be removed later. </p>
<li> <p> UTF-8 is the only form of non-ASCII text that Postfix
supports in access tables, address rewriting tables, and other
tables that are indexed with an email address, hostname, or domain
name. </p>
<li> <p> The header_checks-like and body_checks-like features are
not UTF-8 enabled, and therefore they do not enforce UTF-8 syntax
rules on inputs and outputs. The reason is that non-ASCII text may
be sent in encodings other than UTF-8, and that real email sometimes
contains malformed headers. Instead of skipping non-UTF-8 content,
Postfix should be able to filter it. You may try to enable UTF-8
processing by starting a PCRE pattern with the sequence (*UTF8),
but this is will result in "message not accepted, try again later"
errors when the PCRE pattern matcher encounters non-UTF-8 input.
Other features that are not UTF-8 enabled are smtpd_command_filter,
smtp_reply_filter, the *_delivery_status_filter features, and the
*_dns_reply_filter features (the latter because DNS is by definition
an ASCII protocol). </p>
<li> <p> The Postfix SMTP server announces SMTPUTF8 support in the
EHLO response. </p>
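Review bot: typo in the added header_checks/body_checks paragraph: "but this is will result in" should read "but this will result in". While touching that sentence, consider saying that the "message not accepted, try again later" error is a temporary failure for the whole message, since that is what an operator who enables (*UTF8) will see whenever a single non-UTF-8 header arrives.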
@ -145,7 +164,7 @@ MAIL FROM and VRFY commands. </p>
MAIL FROM commands. </p>
<li> <p> The Postfix SMTP server accepts UTF-8 in email address
domains, but only after the remote SMTP client client issues the
domains, but only after the remote SMTP client issues the
SMTPUTF8 request in MAIL FROM or VRFY commands. </p>
</ul>
@ -257,29 +276,47 @@ delivered it if SMTPUTF8 support was disabled. </p>
<h2> <a name="limitations">Limitations of the current implementation</a>
</h2>
<p> "Internationalized" domain names can appear in two forms: the
UTF-8 form, and the ASCII (xn--mumble) form. The initial Postfix
SMTPUTF8 implementation performs no automatic conversions on UTF8
strings beyond what is needed to perform DNS lookups. </p>
<p> The Postfix implementation is a work in progress; limitations
are steadily being removed. The text below describes the situation
at one point in time. </p>
<h3> No characterset canonicalization for non-ASCII domain names.
</h3>
<h3> No automatic conversions between ASCII and UTF-8 domain names. </h3>
<p> Postfix currently does not translate domain names from UTF-8
into ASCII (or ASCII into UTF-8) before looking up the domain name
in mydestination, relay_domains, access tables, etc., before logging
the domain name, or before using the domain name in a policy daemon
or Milter request. You will have to configure both UTF-8 and ASCII
forms in Postfix configuration files; and both forms will have to
be handled by logfile tools, policy daemons and Milters. </p>
<p> Some background: According to RFC 6530 and related documents,
"Internationalized" domain names can appear in two forms: the UTF-8
form, and the ASCII (xn--mumble) form. "Internationalized" address
localparts must be encoded in UTF-8; the RFCs do not define an ASCII
form for the same information. </p>
<h3> No case canonicalization for non-ASCII characters. </h3>
<p> Postfix currently does not convert internationalized domain
names from UTF-8 into ASCII (or from ASCII into UTF-8) before using
domain names in SMTP commands and responses, before looking up
domain names in mydestination, relay_domains, access tables, etc.,
before using domain names in a policy daemon or Milter request,
or before logging domain names. </p>
<p> Postfix currently does not case-fold non-ASCII characters when
looking up an "Internationalized" domain name in mydestination,
relay_domains, access maps, etc. Some non-ASCII scripts do not
distinguish between upper and lower case, some have different numbers
of upper and lower case characters. </p>
<p> Postfix does, however, casefold domain names and email addresses
before matching them against a Postfix configuration parameter or
lookup table. </p>
<ul>
<li> <p> The Postfix parameters myhostname and mydomain must be in
ASCII form. One is a substring of the other, and the myhostname
value is used in SMTP commands and responses that require ASCII.
The parameter myorigin (added to local addresses without domain)
supports UTF-8. </p>
<li> <p> You need to configure both the ASCII and UTF-8 forms of
an Internationalized domain name in Postfix parameters such as
mydestination and relay_domains, as well as lookup table search
keys. </p>
<li> <p> Milters, content filters, policy servers and logfile
analysis tools need to be able to handle both the ASCII and UTF-8
forms of Internationalized domain names. </p>
</ul>
<h2> <a name="compatibility">Compatibility with pre-SMTPUTF8
environments</a> </h2>
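Review bot: the new list item "You need to configure both the ASCII and UTF-8 forms of an Internationalized domain name" states the requirement but not the consequence of missing it. Because the text above says no conversion happens before lookups in mydestination, relay_domains and access tables, an entry that lists only one form will not match mail that uses the other. Say so explicitly here and show one domain written in both forms, since access tables are where a one-sided entry turns into a policy gap.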
@ -290,33 +327,36 @@ environments</a> </h2>
non-UTF-8 members. Postfix will try to deliver the non-UTF8 subscribers
over "traditional" non-SMTPUTF8 sessions, as long as the message
has an ASCII envelope sender address and all-ASCII header values.
The mailing list manager will have to apply RFC 2047 encoding to
The mailing list manager may have to apply RFC 2047 encoding to
satisfy that last condition. </p>
<h3> Pre-existing non-ASCII email flows </h3>
<p> In pre-SMTPUTF8 environments, email with UTF-8 in address
localparts (and in headers) works just fine. The vast majority
of email software including Postfix is perfectly capable of handling
such email, even if pre-SMTPUTF8 standards do not support this. </p>
<p> With "smtputf8_enable = no", Postfix handles email with non-ASCII
in address localparts (and in headers) as before. The vast majority
of email software is perfectly capable of handling such email, even
if pre-SMTPUTF8 standards do not support such practice. </p>
<p> Therefore, when Postfix SMTPUTF8 support is turned on, Postfix
must not suddenly start to break pre-existing email flows with UTF-8
in addres localparts (and in headers). </p>
<p> Thus, Postfix continues to permit UTF-8 in address localparts
(and in headers) in email from and to pre-SMTPUTF8 systems. At
least, that is the default (see autodetection above). </p>
<p> However, when you specify "smtputf8_enable = yes", Postfix
requires that non-ASCII address information is encoded in UTF-8 and
will reject other encodings such as ISO-8859. It is not practical
for Postfix to support multiple encodings at the same time. There
is no problem with RFC 2047 encodings such as "=?ISO-8859-1?Q?text?=",
because those use only characters from the ASCII characterset. </p>
<h2> <a name="credits">Credits</a> </h2>
<ul>
<li> <p> Arnt Gulbrandsen posted his patch for Unicode email support
on May 15, 2014. This work was sponsored by CNNIC. </p>
<li> <p> May 15, 2014: Arnt Gulbrandsen posted his patch for Unicode
email support. This work was sponsored by CNNIC. </p>
<li> <p> Wietse integrated Arnt Gulbrandsen's code and released
Postfix with SMTPUTF8 support on July 15, 2014. </p>
<li> <p> July 15, 2014: Wietse integrated Arnt Gulbrandsen's code
and released Postfix with SMTPUTF8 support. </p>
<li> <p> January 2015: Wietse added UTF-8 support for casefolding
in Postfix lookup tables and caseless string comparison in Postfix
list-based features. </p>
</ul>

View File

@ -1,4 +1,4 @@
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
<doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
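Review bot: the replacement first line reads "<doctype html public ..." without the "!" that the line it replaces had ("<!doctype html public ..."). Without the "!" this is no longer a document type declaration but an unknown element, so the file loses its declared HTML 4.01 Transitional doctype. If the change is not deliberate, restore "<!doctype".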
@ -2370,14 +2370,75 @@ the SSL/TLS protocols used with opportunistic TLS. </p>
<h3> <a name="client_smtps">Client-side SMTPS support </a> </h3>
<p> Although the Postfix SMTP client by itself doesn't support TLS
<p> These sections show how to send mail to a server that does not
support STARTTLS, but that provides the deprecated SMTPS service
on TCP port 465. Depending on the Postfix version, some additional
tooling may be required. </p>
<h4> Postfix &ge; 2.12 </h4>
<p> The Postfix SMTP client has SMTPS support built-in as of version
2.12. Use one of the following examples, to send all remote mail,
or to send only some remote mail, to an SMTPS server. </p> </p>
<h5> Postfix &ge; 2.12: Sending all remote mail to an SMTPS server </h5>
<p> The first example will send all remote mail over SMTPS through
a provider's server called "mail.example.com": </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
# Client-side SMTPS requires "encrypt" or stronger.
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
# The [] suppress MX lookups.
relayhost = [mail.example.com]:465
</pre>
</blockquote>
<p> Use "postfix reload" to make the change effective. </p>
<p> See SOHO_README for additional information about SASL authentication.
</p>
<h5> Postfix &ge; 2.12: Sending only mail for a specific destination
via SMTPS </h5>
<p> The second example will send only mail for "example.com" via
SMTPS. This time, Postfix uses a transport map to deliver only
mail for "example.com" via SMTPS: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport
/etc/postfix/transport:
example.com relay-smtps:example.com:465
/etc/postfix/master.cf:
relay-smtps unix - - n - - smtp
# Client-side SMTPS requires "encrypt" or stronger.
-o smtp_tls_security_level=encrypt
-o smtp_tls_wrappermode=yes
</pre>
</blockquote>
<p> Use "postmap hash:/etc/postfix/transport" and "postfix reload"
to make the change effective. </p>
<p> See SOHO_README for additional information about SASL
authentication. </p>
<h4> Postfix &lt; 2.12 </h4>
<p> Although older Postfix SMTP client versions do not support TLS
wrapper mode, it is relatively easy to forward a connection through
the stunnel program if Postfix needs to deliver mail to some legacy
system that doesn't support STARTTLS. Use one of the following two
examples, to send only some remote mail, or to send all remote mail,
to an SMTPS server. </p>
system that doesn't support STARTTLS. </p>
<h4> Sending all remote mail to an SMTPS server </h4>
<h5> Postfix &lt; 2.12: Sending all remote mail to an SMTPS server </h5>
<p> The first example uses SMTPS to send all remote mail to a
provider's mail server called "mail.example.com". </p>
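Review bot: in the added transport-map example the nexthop is written "relay-smtps:example.com:465" without square brackets, while the added main.cf example uses "[mail.example.com]:465" and comments that the [] suppress MX lookups. By the page's own comment, the second example therefore does not suppress them. Either bracket the nexthop or say in the text that MX resolution is intended for this case. Separately, the added "Postfix >= 2.12" introduction paragraph ends with a doubled "</p> </p>".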
@ -2420,7 +2481,10 @@ mail through the local stunnel listener on port 11125: </p>
<p> Use "postfix reload" to make the change effective. </p>
<h4> Sending only mail for a specific destination via SMTPS </h4>
<p> See SOHO_README for additional information about SASL
authentication. </p>
<h4> Postfix &lt; 2.12: Sending only mail for a specific destination via SMTPS </h4>
<p> The second example will use SMTPS to send only mail for
"example.com" via SMTPS. It uses the same stunnel configuration
@ -2442,6 +2506,9 @@ mail for "example.com" through the tunnel: </p>
<p> Use "postmap hash:/etc/postfix/transport" and "postfix reload"
to make the change effective. </p>
<p> See SOHO_README for additional information about SASL authentication.
</p>
<h3> <a name="client_misc"> Miscellaneous client controls </a> </h3>
<p> The smtp_starttls_timeout parameter limits the time of Postfix

View File

@ -15437,8 +15437,8 @@ transport_maps to apply this feature selectively: </p>
<blockquote>
<pre>
/etc/postfix/transport:
smtp-domain_that_verifies_after_data smtp-data-target:
lmtp-domain_that_verifies_after_data lmtp-data-target:
smtp-domain-that-verifies-after-data smtp-data-target:
lmtp-domain-that-verifies-after-data lmtp-data-target:
</pre>
</blockquote>
@ -16420,3 +16420,42 @@ with valid PTR etc. records. </p>
</pre>
<p> This feature is available in Postfix 2.12 and later. </p>
%PARAM smtp_tls_wrappermode no
<p> Request that the Postfix SMTP client connects using the
legacy SMTPS protocol instead of using the STARTTLS command. </p>
<p> This mode requires "smtp_tls_security_level = encrypt" or
stronger. </p>
<p> Example: deliver all remote mail via a provider's server
"mail.example.com". </p>
<pre>
/etc/postfix/main.cf:
# Client-side SMTPS requires "encrypt" or stronger.
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
# The [] suppress MX lookups.
relayhost = [mail.example.com]:465
</pre>
<p> More examples are in TLS_README, including examples for older
Postfix versions. </p>
<p> This feature is available in Postfix 2.12 and later. </p>
%PARAM virtual_alias_address_length_limit 1000
<p>
The maximal length of an email address after virtual alias expansion.
This stops virtual aliasing loops that increase the address length
exponentially.
</p>
<p>
This feature is available in Postfix 2.12 and later.
</p>
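Review bot: the virtual_alias_address_length_limit text says the limit stops exponential growth but not what happens to a message whose expansion result exceeds it, nor whether the length is counted in bytes or in characters, which matters now that addresses may contain UTF-8. Suggest one added sentence stating the outcome for the message and the unit of the limit.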

View File

@ -326,7 +326,7 @@ bounce_template.o: ../../include/mac_parse.h
bounce_template.o: ../../include/mail_conf.h
bounce_template.o: ../../include/mail_params.h
bounce_template.o: ../../include/mail_proto.h
bounce_template.o: ../../include/midna.h
bounce_template.o: ../../include/midna_domain.h
bounce_template.o: ../../include/msg.h
bounce_template.o: ../../include/mymalloc.h
bounce_template.o: ../../include/nvtable.h

View File

@ -319,7 +319,9 @@ static int bounce_notify_proto(char *service_name, VSTREAM *client,
msg_warn("malformed queue id: %s", printable(STR(queue_id), '?'));
return (-1);
}
printable(STR(dsn_envid), '?');
VS_NEUTER(encoding);
VS_NEUTER(sender);
VS_NEUTER(dsn_envid);
if (msg_verbose)
msg_info("%s: flags=0x%x service=%s queue=%s id=%s encoding=%s smtputf8=%d sender=%s envid=%s ret=0x%x",
myname, flags, service_name, STR(queue_name), STR(queue_id),
@ -380,10 +382,12 @@ static int bounce_verp_proto(char *service_name, VSTREAM *client)
msg_warn("malformed queue id: %s", printable(STR(queue_id), '?'));
return (-1);
}
printable(STR(dsn_envid), '?');
VS_NEUTER(encoding);
VS_NEUTER(sender);
VS_NEUTER(dsn_envid);
VS_NEUTER(verp_delims);
if (strlen(STR(verp_delims)) != 2) {
msg_warn("malformed verp delimiter string: %s",
printable(STR(verp_delims), '?'));
msg_warn("malformed verp delimiter string: %s", STR(verp_delims));
return (-1);
}
if (msg_verbose)
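Review bot: the "malformed verp delimiter string" warning now logs STR(verp_delims) without printable(), so the logged value is clean only because VS_NEUTER(verp_delims) runs a few lines earlier (assuming VS_NEUTER applies the sanitising that the removed printable() call did; its definition is not part of this hunk). That ordering dependency is easy to break in a later edit. Suggest a one-line comment at the VS_NEUTER block saying that all logging below relies on it, and using one style throughout the function, since the queue id warning above still calls printable() inline.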
@ -460,7 +464,9 @@ static int bounce_one_proto(char *service_name, VSTREAM *client)
msg_warn("malformed queue id: %s", printable(STR(queue_id), '?'));
return (-1);
}
printable(STR(dsn_envid), '?');
VS_NEUTER(encoding);
VS_NEUTER(sender);
VS_NEUTER(dsn_envid);
VS_NEUTER(rcpt_buf->address);
VS_NEUTER(rcpt_buf->orig_addr);
VS_NEUTER(rcpt_buf->dsn_orcpt);

View File

@ -118,7 +118,7 @@
#include <stringops.h>
#include <mymalloc.h>
#ifndef NO_EAI
#include <midna.h>
#include <midna_domain.h>
#endif
/* Global library. */
@ -462,7 +462,7 @@ static const char *bounce_template_lookup(const char *key, int unused_mode,
"non-ASCII input value: \"%s\"",
tp->origin, key, asc_val);
return (asc_val);
} else if ((utf8_val = midna_to_utf8(asc_val)) == 0) {
} else if ((utf8_val = midna_domain_to_utf8(asc_val)) == 0) {
msg_warn("%s: conversion \"%s\" failed: "
"input value: \"%s\"",
tp->origin, key, asc_val);

View File

@ -320,6 +320,10 @@
/* from each original recipient.
/* .IP "\fBvirtual_alias_recursion_limit (1000)\fR"
/* The maximal nesting depth of virtual alias expansion.
/* .PP
/* Available in Postfix version 2.12 and later:
/* .IP "\fBvirtual_alias_address_length_limit (1000)\fR"
/* The maximal length of an email address after virtual alias expansion.
/* MISCELLANEOUS CONTROLS
/* .ad
/* .fi

View File

@ -164,6 +164,7 @@ char *var_cleanup_milters; /* non-SMTP mail */
char *var_milt_head_checks; /* post-Milter header checks */
int var_auto_8bit_enc_hdr; /* auto-detect 8bit encoding header */
int var_always_add_hdrs; /* always add missing headers */
int var_virt_addrlen_limit; /* stop exponential growth */
const CONFIG_INT_TABLE cleanup_int_table[] = {
VAR_HOPCOUNT_LIMIT, DEF_HOPCOUNT_LIMIT, &var_hopcount_limit, 1, 0,
@ -171,6 +172,7 @@ const CONFIG_INT_TABLE cleanup_int_table[] = {
VAR_QATTR_COUNT_LIMIT, DEF_QATTR_COUNT_LIMIT, &var_qattr_count_limit, 1, 0,
VAR_VIRT_RECUR_LIMIT, DEF_VIRT_RECUR_LIMIT, &var_virt_recur_limit, 1, 0,
VAR_VIRT_EXPAN_LIMIT, DEF_VIRT_EXPAN_LIMIT, &var_virt_expan_limit, 1, 0,
VAR_VIRT_ADDRLEN_LIMIT, DEF_VIRT_ADDRLEN_LIMIT, &var_virt_addrlen_limit, 1, 0,
VAR_BODY_CHECK_LEN, DEF_BODY_CHECK_LEN, &var_body_check_len, 0, 0,
0,
};
@ -333,20 +335,24 @@ void cleanup_pre_jail(char *unused_name, char **unused_argv)
if (*var_canonical_maps)
cleanup_comm_canon_maps =
maps_create(VAR_CANONICAL_MAPS, var_canonical_maps,
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
if (*var_send_canon_maps)
cleanup_send_canon_maps =
maps_create(VAR_SEND_CANON_MAPS, var_send_canon_maps,
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
if (*var_rcpt_canon_maps)
cleanup_rcpt_canon_maps =
maps_create(VAR_RCPT_CANON_MAPS, var_rcpt_canon_maps,
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
if (*var_virt_alias_maps)
cleanup_virt_alias_maps = maps_create(VAR_VIRT_ALIAS_MAPS,
var_virt_alias_maps,
DICT_FLAG_LOCK
| DICT_FLAG_FOLD_FIX);
| DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
if (*var_canon_classes)
cleanup_comm_canon_flags =
name_mask(VAR_CANON_CLASSES, canon_class_table,
@ -375,18 +381,21 @@ void cleanup_pre_jail(char *unused_name, char **unused_argv)
maps_create(VAR_BODY_CHECKS, var_body_checks, DICT_FLAG_LOCK);
if (*var_masq_exceptions)
cleanup_masq_exceptions =
string_list_init(MATCH_FLAG_RETURN, var_masq_exceptions);
string_list_init(VAR_MASQ_EXCEPTIONS, MATCH_FLAG_RETURN,
var_masq_exceptions);
if (*var_masq_classes)
cleanup_masq_flags = name_mask(VAR_MASQ_CLASSES, masq_class_table,
var_masq_classes);
if (*var_send_bcc_maps)
cleanup_send_bcc_maps =
maps_create(VAR_SEND_BCC_MAPS, var_send_bcc_maps,
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
if (*var_rcpt_bcc_maps)
cleanup_rcpt_bcc_maps =
maps_create(VAR_RCPT_BCC_MAPS, var_rcpt_bcc_maps,
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
if (*var_cleanup_milters)
cleanup_milters = milter_create(var_cleanup_milters,
var_milt_conn_time,

View File

@ -139,6 +139,15 @@ ARGV *cleanup_map1n_internal(CLEANUP_STATE *state, const char *addr,
if ((lookup = mail_addr_map(maps, STR(state->temp1), propagate)) != 0) {
saved_lhs = mystrdup(argv->argv[arg]);
for (i = 0; i < lookup->argc; i++) {
if (strlen(lookup->argv[i]) > var_virt_addrlen_limit) {
msg_warn("%s: unreasonable %s result %.300s... -- "
"message not accepted, try again later",
state->queue_id, maps->title, lookup->argv[i]);
state->errs |= CLEANUP_STAT_DEFER;
UPDATE(state->reason, "4.6.0 Alias expansion error");
UNEXPAND(argv, addr);
RETURN(argv);
}
unquote_822_local(state->temp1, lookup->argv[i]);
if (i == 0) {
UPDATE(argv->argv[arg], STR(state->temp1));
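Review bot: the new early exit inside the for loop calls UNEXPAND(argv, addr) and RETURN(argv) with no visible release of saved_lhs, which was allocated with mystrdup() just before the loop, or of the lookup result. Unless RETURN() frees both, every over-long expansion result leaks them in a long-running cleanup process, and over-long results are exactly the input this check is meant to contain. Suggest freeing saved_lhs and lookup before RETURN(argv). Minor: strlen() returns size_t while var_virt_addrlen_limit is declared int, so the comparison mixes signed and unsigned; a cast or a comment noting that the configured minimum is 1 would make the intent explicit.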

View File

@ -206,7 +206,8 @@ int main(int argc, char **argv)
var_masq_exceptions = argv[1];
cleanup_masq_exceptions =
string_list_init(MATCH_FLAG_RETURN, var_masq_exceptions);
string_list_init(VAR_MASQ_EXCEPTIONS, MATCH_FLAG_RETURN,
var_masq_exceptions);
masq_domains = argv_split(argv[2], CHARS_COMMA_SP);
addr = vstring_alloc(1);
if (strchr(argv[3], '@') == 0)

View File

@ -805,7 +805,7 @@ static void flush_service(VSTREAM *client_stream, char *unused_service,
static void pre_jail_init(char *unused_name, char **unused_argv)
{
flush_domains = domain_list_init(MATCH_FLAG_RETURN
flush_domains = domain_list_init(VAR_FFLUSH_DOMAINS, MATCH_FLAG_RETURN
| match_parent_style(VAR_FFLUSH_DOMAINS),
var_fflush_domains);
}

View File

@ -33,7 +33,7 @@ SRCS = abounce.c anvil_clnt.c been_here.c bounce.c bounce_log.c \
smtp_reply_footer.c safe_ultostr.c verify_sender_addr.c \
dict_memcache.c mail_version.c memcache_proto.c server_acl.c \
mkmap_fail.c haproxy_srvr.c dsn_filter.c dynamicmaps.c uxtext.c \
smtputf8.c mail_conf_over.c mail_parm_split.c
smtputf8.c mail_conf_over.c mail_parm_split.c midna_adomain.c
OBJS = abounce.o anvil_clnt.o been_here.o bounce.o bounce_log.o \
canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \
clnt_stream.o conv_time.o db_common.o debug_peer.o debug_process.o \
@ -68,40 +68,41 @@ OBJS = abounce.o anvil_clnt.o been_here.o bounce.o bounce_log.o \
smtp_reply_footer.o safe_ultostr.o verify_sender_addr.o \
dict_memcache.o mail_version.o memcache_proto.o server_acl.o \
mkmap_fail.o haproxy_srvr.o dsn_filter.o dynamicmaps.o uxtext.o \
smtputf8.o attr_override.o mail_parm_split.o $(NON_PLUGIN_MAP_OBJ)
# MAP_OBJ is for maps that may be dynamically loaded with dynamicmaps.cf.
# When hard-linking these maps, makedefs sets NON_PLUGIN_MAP_OBJ=$(MAP_OBJ),
# otherwise it sets the PLUGIN_* macros.
MAP_OBJ = dict_ldap.o dict_mysql.o dict_pgsql.o dict_sqlite.o mkmap_cdb.o \
mkmap_lmdb.o mkmap_sdbm.o
HDRS = abounce.h anvil_clnt.h been_here.h bounce.h bounce_log.h \
canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \
conv_time.h db_common.h debug_peer.h debug_process.h defer.h \
deliver_completed.h deliver_flock.h deliver_pass.h deliver_request.h \
dict_ldap.h dict_mysql.h dict_pgsql.h dict_proxy.h dict_sqlite.h domain_list.h \
dot_lockfile.h dot_lockfile_as.h dsb_scan.h dsn.h dsn_buf.h \
dsn_mask.h dsn_print.h dsn_util.h ehlo_mask.h ext_prop.h \
file_id.h flush_clnt.h header_opts.h header_token.h input_transp.h \
int_filt.h is_header.h lex_822.h log_adhoc.h mail_addr.h \
mail_addr_crunch.h mail_addr_find.h mail_addr_map.h mail_conf.h \
mail_copy.h mail_date.h mail_dict.h mail_error.h mail_flush.h \
mail_open_ok.h mail_params.h mail_proto.h mail_queue.h mail_run.h \
mail_scan_dir.h mail_stream.h mail_task.h mail_version.h maps.h \
mark_corrupt.h match_parent_style.h mbox_conf.h mbox_open.h \
mime_state.h mkmap.h msg_stats.h mynetworks.h mypwd.h namadr_list.h \
off_cvt.h opened.h own_inet_addr.h pipe_command.h post_mail.h \
qmgr_user.h qmqp_proto.h quote_821_local.h quote_822_local.h \
quote_flags.h rcpt_buf.h rcpt_print.h rec_attr_map.h rec_streamlf.h \
rec_type.h recipient_list.h record.h resolve_clnt.h resolve_local.h \
rewrite_clnt.h scache.h sent.h smtp_stream.h split_addr.h \
string_list.h strip_addr.h sys_exits.h timed_ipc.h tok822.h \
trace.h user_acl.h valid_mailhost_addr.h verify.h verify_clnt.h \
verp_sender.h wildcard_inet_addr.h xtext.h delivered_hdr.h \
fold_addr.h header_body_checks.h data_redirect.h match_service.h \
addr_match_list.h smtp_reply_footer.h safe_ultostr.h \
verify_sender_addr.h dict_memcache.h memcache_proto.h server_acl.h \
haproxy_srvr.h dsn_filter.h dynamicmaps.h uxtext.h smtputf8.h \
attr_override.h mail_parm_split.h
smtputf8.o attr_override.o mail_parm_split.o midna_adomain.o \
$(NON_PLUGIN_MAP_OBJ)
# MAP_OBJ is for maps that may be dynamically loaded with dynamicmaps.cf.
# When hard-linking these maps, makedefs sets NON_PLUGIN_MAP_OBJ=$(MAP_OBJ),
# otherwise it sets the PLUGIN_* macros.
MAP_OBJ = dict_ldap.o dict_mysql.o dict_pgsql.o dict_sqlite.o mkmap_cdb.o \
mkmap_lmdb.o mkmap_sdbm.o
HDRS = abounce.h anvil_clnt.h been_here.h bounce.h bounce_log.h \
canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \
conv_time.h db_common.h debug_peer.h debug_process.h defer.h \
deliver_completed.h deliver_flock.h deliver_pass.h deliver_request.h \
dict_ldap.h dict_mysql.h dict_pgsql.h dict_proxy.h dict_sqlite.h domain_list.h \
dot_lockfile.h dot_lockfile_as.h dsb_scan.h dsn.h dsn_buf.h \
dsn_mask.h dsn_print.h dsn_util.h ehlo_mask.h ext_prop.h \
file_id.h flush_clnt.h header_opts.h header_token.h input_transp.h \
int_filt.h is_header.h lex_822.h log_adhoc.h mail_addr.h \
mail_addr_crunch.h mail_addr_find.h mail_addr_map.h mail_conf.h \
mail_copy.h mail_date.h mail_dict.h mail_error.h mail_flush.h \
mail_open_ok.h mail_params.h mail_proto.h mail_queue.h mail_run.h \
mail_scan_dir.h mail_stream.h mail_task.h mail_version.h maps.h \
mark_corrupt.h match_parent_style.h mbox_conf.h mbox_open.h \
mime_state.h mkmap.h msg_stats.h mynetworks.h mypwd.h namadr_list.h \
off_cvt.h opened.h own_inet_addr.h pipe_command.h post_mail.h \
qmgr_user.h qmqp_proto.h quote_821_local.h quote_822_local.h \
quote_flags.h rcpt_buf.h rcpt_print.h rec_attr_map.h rec_streamlf.h \
rec_type.h recipient_list.h record.h resolve_clnt.h resolve_local.h \
rewrite_clnt.h scache.h sent.h smtp_stream.h split_addr.h \
string_list.h strip_addr.h sys_exits.h timed_ipc.h tok822.h \
trace.h user_acl.h valid_mailhost_addr.h verify.h verify_clnt.h \
verp_sender.h wildcard_inet_addr.h xtext.h delivered_hdr.h \
fold_addr.h header_body_checks.h data_redirect.h match_service.h \
addr_match_list.h smtp_reply_footer.h safe_ultostr.h \
verify_sender_addr.h dict_memcache.h memcache_proto.h server_acl.h \
haproxy_srvr.h dsn_filter.h dynamicmaps.h uxtext.h smtputf8.h \
attr_override.h mail_parm_split.h midna_adomain.h
TESTSRC = rec2stream.c stream2rec.c recdump.c
DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE)
CFLAGS = $(DEBUG) $(OPT) $(DEFS)
@ -687,8 +688,11 @@ abounce.o: mail_proto.h
abounce.o: msg_stats.h
abounce.o: recipient_list.h
addr_match_list.o: ../../include/argv.h
addr_match_list.o: ../../include/check_arg.h
addr_match_list.o: ../../include/match_list.h
addr_match_list.o: ../../include/sys_defs.h
addr_match_list.o: ../../include/vbuf.h
addr_match_list.o: ../../include/vstring.h
addr_match_list.o: addr_match_list.c
addr_match_list.o: addr_match_list.h
anvil_clnt.o: ../../include/attr.h
@ -877,9 +881,12 @@ db_common.o: db_common.c
db_common.o: db_common.h
db_common.o: string_list.h
debug_peer.o: ../../include/argv.h
debug_peer.o: ../../include/check_arg.h
debug_peer.o: ../../include/match_list.h
debug_peer.o: ../../include/msg.h
debug_peer.o: ../../include/sys_defs.h
debug_peer.o: ../../include/vbuf.h
debug_peer.o: ../../include/vstring.h
debug_peer.o: debug_peer.c
debug_peer.o: debug_peer.h
debug_peer.o: mail_params.h
@ -1106,8 +1113,11 @@ dict_sqlite.o: dict_sqlite.c
dict_sqlite.o: dict_sqlite.h
dict_sqlite.o: string_list.h
domain_list.o: ../../include/argv.h
domain_list.o: ../../include/check_arg.h
domain_list.o: ../../include/match_list.h
domain_list.o: ../../include/sys_defs.h
domain_list.o: ../../include/vbuf.h
domain_list.o: ../../include/vstring.h
domain_list.o: domain_list.c
domain_list.o: domain_list.h
dot_lockfile.o: ../../include/check_arg.h
@ -1841,8 +1851,11 @@ mark_corrupt.o: mark_corrupt.h
mark_corrupt.o: msg_stats.h
mark_corrupt.o: recipient_list.h
match_parent_style.o: ../../include/argv.h
match_parent_style.o: ../../include/check_arg.h
match_parent_style.o: ../../include/match_list.h
match_parent_style.o: ../../include/sys_defs.h
match_parent_style.o: ../../include/vbuf.h
match_parent_style.o: ../../include/vstring.h
match_parent_style.o: mail_params.h
match_parent_style.o: match_parent_style.c
match_parent_style.o: match_parent_style.h
@ -1895,6 +1908,14 @@ memcache_proto.o: ../../include/vstring.h
memcache_proto.o: ../../include/vstring_vstream.h
memcache_proto.o: memcache_proto.c
memcache_proto.o: memcache_proto.h
midna_adomain.o: ../../include/check_arg.h
midna_adomain.o: ../../include/midna_domain.h
midna_adomain.o: ../../include/stringops.h
midna_adomain.o: ../../include/sys_defs.h
midna_adomain.o: ../../include/vbuf.h
midna_adomain.o: ../../include/vstring.h
midna_adomain.o: midna_adomain.c
midna_adomain.o: midna_adomain.h
mime_state.o: ../../include/check_arg.h
mime_state.o: ../../include/msg.h
mime_state.o: ../../include/mymalloc.h
@ -1994,6 +2015,7 @@ mkmap_open.o: ../../include/msg.h
mkmap_open.o: ../../include/myflock.h
mkmap_open.o: ../../include/mymalloc.h
mkmap_open.o: ../../include/sigdelay.h
mkmap_open.o: ../../include/stringops.h
mkmap_open.o: ../../include/sys_defs.h
mkmap_open.o: ../../include/vbuf.h
mkmap_open.o: ../../include/vstream.h
@ -2080,8 +2102,11 @@ mypwd.o: ../../include/sys_defs.h
mypwd.o: mypwd.c
mypwd.o: mypwd.h
namadr_list.o: ../../include/argv.h
namadr_list.o: ../../include/check_arg.h
namadr_list.o: ../../include/match_list.h
namadr_list.o: ../../include/sys_defs.h
namadr_list.o: ../../include/vbuf.h
namadr_list.o: ../../include/vstring.h
namadr_list.o: namadr_list.c
namadr_list.o: namadr_list.h
off_cvt.o: ../../include/check_arg.h
@ -2481,8 +2506,11 @@ stream2rec.o: rec_type.h
stream2rec.o: record.h
stream2rec.o: stream2rec.c
string_list.o: ../../include/argv.h
string_list.o: ../../include/check_arg.h
string_list.o: ../../include/match_list.h
string_list.o: ../../include/sys_defs.h
string_list.o: ../../include/vbuf.h
string_list.o: ../../include/vstring.h
string_list.o: string_list.c
string_list.o: string_list.h
strip_addr.o: ../../include/mymalloc.h

View File

@ -81,13 +81,15 @@
#ifdef TEST
#include <msg.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <msg.h>
#include <vstream.h>
#include <vstring_vstream.h>
#include <msg_vstream.h>
#include <dict.h>
#include <stringops.h> /* util_utf8_enable */
static void usage(char *progname)
{
@ -113,7 +115,10 @@ int main(int argc, char **argv)
}
if (argc != optind + 2)
usage(argv[0]);
list = addr_match_list_init(MATCH_FLAG_PARENT | MATCH_FLAG_RETURN, argv[optind]);
dict_allow_surrogate = 1;
util_utf8_enable = 1;
list = addr_match_list_init("command line", MATCH_FLAG_PARENT
| MATCH_FLAG_RETURN, argv[optind]);
addr = argv[optind + 1];
if (strcmp(addr, "-") == 0) {
VSTRING *buf = vstring_alloc(100);

View File

@ -21,8 +21,8 @@
*/
#define ADDR_MATCH_LIST MATCH_LIST
#define addr_match_list_init(f, p) \
match_list_init((f), (p), 1, match_hostaddr)
#define addr_match_list_init(o, f, p) \
match_list_init((o), (f), (p), 1, match_hostaddr)
#define addr_match_list_match(l, a) \
match_list_match((l), (a))
#define addr_match_list_free match_list_free

View File

@ -54,6 +54,7 @@ static struct cleanup_flag_map cleanup_flag_map[] = {
CLEANUP_FLAG_MILTER, "enable_milters",
CLEANUP_FLAG_SMTP_REPLY, "enable_smtp_reply",
CLEANUP_FLAG_SMTPUTF8, "smtputf8_requested",
CLEANUP_FLAG_AUTOUTF8, "smtputf8_autodetect",
};
/* cleanup_strflags - map flags code to printable string */

View File

@ -256,7 +256,8 @@ void db_common_parse_domain(CFG_PARSER *parser, void *ctxPtr)
domainlist = cfg_get_str(parser, "domain", "", 0, 0);
if (*domainlist) {
ctx->domain = string_list_init(MATCH_FLAG_RETURN, domainlist);
ctx->domain = string_list_init(parser->name, MATCH_FLAG_RETURN,
domainlist);
if (ctx->domain == 0)
/*

View File

@ -99,7 +99,7 @@ void debug_peer_init(void)
*/
if (*var_debug_peer_list)
debug_peer_list =
namadr_list_init(MATCH_FLAG_RETURN
namadr_list_init(VAR_DEBUG_PEER_LIST, MATCH_FLAG_RETURN
| match_parent_style(VAR_DEBUG_PEER_LIST),
var_debug_peer_list);
}

View File

@ -1340,7 +1340,8 @@ static const char *dict_ldap_lookup(DICT *dict, const char *name)
/*
* Don't frustrate future attempts to make Postfix UTF-8 transparent.
*/
if (!valid_utf8_string(name, strlen(name))) {
if ((dict->flags & DICT_FLAG_UTF8_ACTIVE) == 0
&& !valid_utf8_string(name, strlen(name))) {
if (msg_verbose)
msg_info("%s: %s: Skipping lookup of non-UTF-8 key '%s'",
myname, dict_ldap->parser->name, name);
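Review bot: with the added DICT_FLAG_UTF8_ACTIVE test, a key that is not valid UTF-8 is no longer skipped here when that flag is set, but the comment above the condition ("Don't frustrate future attempts to make Postfix UTF-8 transparent") was left unchanged and does not explain why skipping the check is safe. Suggest updating the comment to say where the key is validated when DICT_FLAG_UTF8_ACTIVE is set, so a reader can confirm that malformed input cannot reach the LDAP query by this path.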
@ -1351,10 +1352,10 @@ static const char *dict_ldap_lookup(DICT *dict, const char *name)
* Optionally fold the key.
*/
if (dict->flags & DICT_FLAG_FOLD_FIX) {
if (dict->fold_buf == 0)
dict->fold_buf = vstring_alloc(10);
vstring_strcpy(dict->fold_buf, name);
name = lowercase(vstring_str(dict->fold_buf));
if (dict->fold_buf == 0)
dict->fold_buf = vstring_alloc(10);
vstring_strcpy(dict->fold_buf, name);
name = lowercase(vstring_str(dict->fold_buf));
}
/*

View File

@ -156,6 +156,9 @@ static int dict_proxy_sequence(DICT *dict, int function,
case PROXY_STAT_RETRY:
*key = *value = 0;
DICT_ERR_VAL_RETURN(dict, DICT_ERR_RETRY, DICT_STAT_ERROR);
case PROXY_STAT_CONFIG:
*key = *value = 0;
DICT_ERR_VAL_RETURN(dict, DICT_ERR_CONFIG, DICT_STAT_ERROR);
default:
msg_warn("%s sequence failed for table \"%s\" function %d: "
"unexpected reply status %d",
@ -226,6 +229,8 @@ static const char *dict_proxy_lookup(DICT *dict, const char *key)
DICT_ERR_VAL_RETURN(dict, DICT_ERR_NONE, (char *) 0);
case PROXY_STAT_RETRY:
DICT_ERR_VAL_RETURN(dict, DICT_ERR_RETRY, (char *) 0);
case PROXY_STAT_CONFIG:
DICT_ERR_VAL_RETURN(dict, DICT_ERR_CONFIG, (char *) 0);
default:
msg_warn("%s lookup failed for table \"%s\" key \"%s\": "
"unexpected reply status %d",
@ -293,6 +298,8 @@ static int dict_proxy_update(DICT *dict, const char *key, const char *value)
DICT_ERR_VAL_RETURN(dict, DICT_ERR_NONE, DICT_STAT_FAIL);
case PROXY_STAT_RETRY:
DICT_ERR_VAL_RETURN(dict, DICT_ERR_RETRY, DICT_STAT_ERROR);
case PROXY_STAT_CONFIG:
DICT_ERR_VAL_RETURN(dict, DICT_ERR_CONFIG, DICT_STAT_ERROR);
default:
msg_warn("%s update failed for table \"%s\" key \"%s\": "
"unexpected reply status %d",
@ -360,6 +367,8 @@ static int dict_proxy_delete(DICT *dict, const char *key)
DICT_ERR_VAL_RETURN(dict, DICT_ERR_NONE, DICT_STAT_FAIL);
case PROXY_STAT_RETRY:
DICT_ERR_VAL_RETURN(dict, DICT_ERR_RETRY, DICT_STAT_ERROR);
case PROXY_STAT_CONFIG:
DICT_ERR_VAL_RETURN(dict, DICT_ERR_CONFIG, DICT_STAT_ERROR);
default:
msg_warn("%s delete failed for table \"%s\" key \"%s\": "
"unexpected reply status %d",

View File

@ -37,6 +37,7 @@ extern DICT *dict_proxy_open(const char *, int, int);
#define PROXY_STAT_RETRY 2 /* try lookup again later */
#define PROXY_STAT_BAD 3 /* invalid request parameter */
#define PROXY_STAT_DENY 4 /* table not approved for proxying */
#define PROXY_STAT_CONFIG 5 /* DICT_ERR_CONFIG error */
/* LICENSE
/* .ad

View File

@ -165,7 +165,8 @@ static const char *dict_sqlite_lookup(DICT *dict, const char *name)
/*
* Don't frustrate future attempts to make Postfix UTF-8 transparent.
*/
if (!valid_utf8_string(name, strlen(name))) {
if ((dict->flags & DICT_FLAG_UTF8_ACTIVE) == 0
&& !valid_utf8_string(name, strlen(name))) {
if (msg_verbose)
msg_info("%s: %s: Skipping lookup of non-UTF-8 key '%s'",
myname, dict_sqlite->parser->name, name);

View File

@ -83,11 +83,13 @@
#ifdef TEST
#include <msg.h>
#include <stdlib.h>
#include <unistd.h>
#include <msg.h>
#include <vstream.h>
#include <msg_vstream.h>
#include <dict.h>
#include <stringops.h> /* util_utf8_enable */
static void usage(char *progname)
{
@ -113,7 +115,10 @@ int main(int argc, char **argv)
}
if (argc != optind + 2)
usage(argv[0]);
list = domain_list_init(MATCH_FLAG_PARENT | MATCH_FLAG_RETURN, argv[optind]);
dict_allow_surrogate = 1;
util_utf8_enable = 1;
list = domain_list_init("command line", MATCH_FLAG_PARENT
| MATCH_FLAG_RETURN, argv[optind]);
host = argv[optind + 1];
vstream_printf("%s: %s\n", host, domain_list_match(list, host) ?
"YES" : list->error == 0 ? "NO" : "ERROR");

View File

@ -21,7 +21,8 @@
*/
#define DOMAIN_LIST MATCH_LIST
#define domain_list_init(f, p) match_list_init((f), (p), 1, match_hostname)
#define domain_list_init(o, f, p)\
match_list_init((o), (f), (p), 1, match_hostname)
#define domain_list_match match_list_match
#define domain_list_free match_list_free

View File

@ -103,7 +103,7 @@ static DOMAIN_LIST *flush_domains;
void flush_init(void)
{
flush_domains = domain_list_init(MATCH_FLAG_RETURN
flush_domains = domain_list_init(VAR_FFLUSH_DOMAINS, MATCH_FLAG_RETURN
| match_parent_style(VAR_FFLUSH_DOMAINS),
var_fflush_domains);
}

View File

@ -202,7 +202,8 @@ int main(int argc, char **argv)
* Initialize.
*/
mail_conf_read();
path = maps_create(argv[0], argv[1], DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
path = maps_create(argv[0], argv[1], DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX \
| DICT_FLAG_UTF8_REQUEST);
while (vstring_fgets_nonl(buffer, VSTREAM_IN)) {
extent = 0;
result = mail_addr_find(path, STR(buffer), &extent);

View File

@ -175,7 +175,8 @@ int main(int argc, char **argv)
msg_verbose = 1;
if (chdir(var_queue_dir) < 0)
msg_fatal("chdir %s: %m", var_queue_dir);
path = maps_create(argv[0], argv[1], DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
path = maps_create(argv[0], argv[1], DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX \
| DICT_FLAGS_UTF8_REQUEST);
while (vstring_fgets_nonl(buffer, VSTREAM_IN)) {
msg_info("=== Address extension on, extension propagation on ===");
UPDATE(var_rcpt_delim, "+");
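Review bot: the added continuation line uses DICT_FLAGS_UTF8_REQUEST (with an S after FLAG), while every other call changed in this commit uses DICT_FLAG_UTF8_REQUEST. Unless both names are defined, this test program will not compile. Suggest DICT_FLAG_UTF8_REQUEST here as well. The trailing backslash on the maps_create() line is also unnecessary, because this is an ordinary statement and not a macro body.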

View File

@ -636,6 +636,11 @@ void mail_params_init()
VAR_DAEMON_OPEN_FATAL, DEF_DAEMON_OPEN_FATAL, &var_daemon_open_fatal,
0,
};
static const CONFIG_NBOOL_TABLE first_nbool_defaults[] = {
/* read and process the following before opening tables. */
VAR_SMTPUTF8_ENABLE, DEF_SMTPUTF8_ENABLE, &var_smtputf8_enable,
0,
};
static const CONFIG_STR_FN_TABLE function_str_defaults[] = {
VAR_MYHOSTNAME, check_myhostname, &var_myhostname, 1, 0,
VAR_MYDOMAIN, check_mydomainname, &var_mydomain, 1, 0,
@ -758,10 +763,6 @@ void mail_params_init()
VAR_STRICT_SMTPUTF8, DEF_STRICT_SMTPUTF8, &var_strict_smtputf8,
0,
};
static const CONFIG_NBOOL_TABLE nbool_defaults[] = {
VAR_SMTPUTF8_ENABLE, DEF_SMTPUTF8_ENABLE, &var_smtputf8_enable,
0,
};
const char *cp;
/*
@ -790,6 +791,23 @@ void mail_params_init()
if (var_daemon_open_fatal)
dict_allow_surrogate = 0;
/*
* Should we open tables with UTF8 support, or in the legacy 8-bit clean
* mode with ASCII-only casefolding?
*/
get_mail_conf_nbool_table(first_nbool_defaults);
/*
* Report run-time versus compile-time discrepancies.
*/
#ifdef NO_EAI
if (var_smtputf8_enable)
msg_warn("%s is true, but EAI support is not compiled in",
VAR_SMTPUTF8_ENABLE);
var_smtputf8_enable = 0;
#endif
util_utf8_enable = var_smtputf8_enable;
/*
* What protocols should we attempt to support? The result is stored in
* the global inet_proto_table variable.
@ -833,7 +851,6 @@ void mail_params_init()
get_mail_conf_int_table(other_int_defaults);
get_mail_conf_long_table(long_defaults);
get_mail_conf_bool_table(bool_defaults);
get_mail_conf_nbool_table(nbool_defaults);
get_mail_conf_time_table(time_defaults);
check_default_privs();
check_mail_owner();
@ -842,16 +859,6 @@ void mail_params_init()
dict_db_cache_size = var_db_read_buf;
dict_lmdb_map_size = var_lmdb_map_size;
inet_windowsize = var_inet_windowsize;
temp_utf8_kludge = var_smtputf8_enable;
/*
* Report run-time versus compile-time discrepancies.
*/
#ifdef NO_EAI
if (var_smtputf8_enable)
msg_warn("%s is true, but EAI support is not compiled in",
VAR_SMTPUTF8_ENABLE);
#endif
/*
* Variables whose defaults are determined at runtime, after other

View File

@ -1396,6 +1396,12 @@ extern bool var_smtp_enforce_tls;
#define DEF_LMTP_TLS_ENFORCE_PN 1
extern bool var_smtp_tls_enforce_peername;
#define VAR_SMTP_TLS_WRAPPER "smtp_tls_wrappermode"
#define DEF_SMTP_TLS_WRAPPER 0
#define VAR_LMTP_TLS_WRAPPER "lmtp_tls_wrappermode"
#define DEF_LMTP_TLS_WRAPPER 0
extern bool var_smtp_tls_wrappermode;
#define VAR_SMTP_TLS_LEVEL "smtp_tls_security_level"
#define DEF_SMTP_TLS_LEVEL ""
#define VAR_LMTP_TLS_LEVEL "lmtp_tls_security_level"
@ -1874,6 +1880,10 @@ extern int var_virt_recur_limit;
#define DEF_VIRT_EXPAN_LIMIT 1000
extern int var_virt_expan_limit;
#define VAR_VIRT_ADDRLEN_LIMIT "virtual_alias_address_length_limit"
#define DEF_VIRT_ADDRLEN_LIMIT 1000
extern int var_virt_addrlen_limit;
/*
* Message/queue size limits.
*/

View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20141228"
#define MAIL_RELEASE_DATE "20150117"
#define MAIL_VERSION_NUMBER "2.12"
#ifdef SNAPSHOT

View File

@ -60,7 +60,8 @@ int match_parent_style(const char *name)
*/
if (match_par_dom_list == 0)
match_par_dom_list =
string_list_init(MATCH_FLAG_NONE, var_par_dom_match);
string_list_init(VAR_PAR_DOM_MATCH, MATCH_FLAG_NONE,
var_par_dom_match);
/*
* Look up the parent domain matching policy.

View File

@ -0,0 +1,119 @@
/*++
/* NAME
/* midna_adomain 3
/* SUMMARY
/* address domain part conversion
/* SYNOPSIS
/* #include <midna_adomain.h>
/*
/* char *midna_adomain_to_ascii(
/* VSTRING *dest,
/* const char *name)
/*
/* char *midna_adomain_to_utf8(
/* VSTRING *dest,
/* const char *name)
/* DESCRIPTION
/* The functions in this module transform the domain portion
/* of an email address between ASCII and UTF-8 form. Both
/* functions tolerate a missing domain, and both functions
/* return a copy of the input when the domain portion requires
/* no conversion.
/*
/* midna_adomain_to_ascii() converts an UTF-8 or ASCII domain
/* portion to ASCII. The result is a null pointer when
/* conversion fails. This function verifies that the resulting
/* domain passes valid_hostname().
/*
/* midna_adomain_to_utf8() converts an UTF-8 or ASCII domain
/* name to UTF-8. The result is a null pointer when conversion
/* fails. This function verifies that the resulting domain,
/* after conversion to ASCII, passes valid_hostname().
/* SEE ALSO
/* midna_domain(3), Postfix ASCII/UTF-8 domain name conversion
/* DIAGNOSTICS
/* Fatal errors: memory allocation problem.
/* Warnings: conversion error or result validation error.
/* LICENSE
/* .ad
/* .fi
/* The Secure Mailer license must be distributed with this software.
/* AUTHOR(S)
/* Wietse Venema
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
/*--*/
/*
* System library.
*/
#include <sys_defs.h>
#include <string.h>
#ifndef NO_EAI
#include <unicode/uidna.h>
/*
* Utility library.
*/
#include <vstring.h>
#include <stringops.h>
#include <midna_domain.h>
/*
* Global library.
*/
#include <midna_adomain.h>
#define STR(x) vstring_str(x)
/* midna_adomain_to_utf8 - convert address domain portion to UTF8 */
char *midna_adomain_to_utf8(VSTRING *dest, const char *src)
{
const char *cp;
const char *domain_utf8;
if ((cp = strrchr(src, '@')) == 0) {
vstring_strcpy(dest, src);
} else {
vstring_sprintf(dest, "%*s@", (int) (cp - src), src);
if (*(cp += 1)) {
if (allascii(cp) && strstr(cp, "--") == 0) {
vstring_strcat(dest, cp);
} else if ((domain_utf8 = midna_domain_to_utf8(cp)) == 0) {
return (0);
} else {
vstring_strcat(dest, domain_utf8);
}
}
}
return (STR(dest));
}
/* midna_adomain_to_ascii - convert address domain portion to ASCII */
char *midna_adomain_to_ascii(VSTRING *dest, const char *src)
{
const char *cp;
const char *domain_ascii;
if ((cp = strrchr(src, '@')) == 0) {
vstring_strcpy(dest, src);
} else {
vstring_sprintf(dest, "%*s@", (int) (cp - src), src);
if (*(cp += 1)) {
if (allascii(cp)) {
vstring_strcat(dest, cp);
} else if ((domain_ascii = midna_domain_to_ascii(cp + 1)) == 0) {
return (0);
} else {
vstring_strcat(dest, domain_ascii);
}
}
}
return (STR(dest));
}
#endif /* NO_IDNA */
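Review bot: both functions copy the local part with `vstring_sprintf(dest, "%*s@", (int) (cp - src), src)`, and `%*s` sets a minimum field width, not a maximum, so the whole of `src` (old domain included) is written before the `@`; this needs `%.*s` to stop at `cp`. In midna_adomain_to_ascii() the non-ASCII branch calls `midna_domain_to_ascii(cp + 1)` after `cp += 1` has already stepped past the `@`, which drops the first byte of the domain and can split a multi-byte UTF-8 sequence; midna_adomain_to_utf8() correctly passes `cp`. Smaller points: the closing `#endif /* NO_IDNA */` does not match the opening `#ifndef NO_EAI`, and the SYNOPSIS names the second argument `name` while the code calls it `src`. A small test file covering an address with a non-ASCII domain would have caught the first two.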

View File

@ -0,0 +1,36 @@
#ifndef _MIDNA_ADOMAIN_H_INCLUDED_
#define _MIDNA_ADOMAIN_H_INCLUDED_
/*++
/* NAME
/* midna_adomain 3h
/* SUMMARY
/* domain name conversion
/* SYNOPSIS
/* #include <midna_adomain.h>
/* DESCRIPTION
/* .nf
/*
* Utility library.
*/
#include <vstring.h>
/*
* External interface.
*/
extern char *midna_adomain_to_utf8(VSTRING *, const char *);
extern char *midna_adomain_to_ascii(VSTRING *, const char *);
/* LICENSE
/* .ad
/* .fi
/* The Secure Mailer license must be distributed with this software.
/* AUTHOR(S)
/* Wietse Venema
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
/*--*/
#endif
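Review bot: the two prototypes are declared unconditionally here, while the implementation in midna_adomain.c is wrapped in `#ifndef NO_EAI`, so a caller that is not itself guarded will compile and then fail at link time in a NO_EAI build. Either guard the declarations the same way or note the requirement in the DESCRIPTION. The SUMMARY line also says "domain name conversion" where the .c file says "address domain part conversion"; the two should match.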

View File

@ -99,6 +99,7 @@
#include <dict_fail.h>
#include <sigdelay.h>
#include <mymalloc.h>
#include <stringops.h>
/* Global library. */
@ -295,6 +296,13 @@ MKMAP *mkmap_open(const char *type, const char *path,
if (mkmap->after_open)
mkmap->after_open(mkmap);
/*
* Wrap the dictionary for UTF-8 syntax checks and casefolding.
*/
if ((mkmap->dict->flags & DICT_FLAG_UTF8_ACTIVE) == 0
&& DICT_NEED_UTF8_ACTIVATION(util_utf8_enable, dict_flags))
mkmap->dict = dict_utf8_activate(mkmap->dict);
/*
* Resume signal delivery if multi-writer safe.
*/

View File

@ -89,12 +89,13 @@
#ifdef TEST
#include <msg.h>
#include <stdlib.h>
#include <unistd.h>
#include <msg.h>
#include <vstream.h>
#include <msg_vstream.h>
#include <dict.h>
#include <stringops.h> /* util_utf8_enable */
static void usage(char *progname)
{
@ -122,7 +123,9 @@ int main(int argc, char **argv)
if (argc != optind + 3)
usage(argv[0]);
dict_allow_surrogate = 1;
list = namadr_list_init(MATCH_FLAG_PARENT | MATCH_FLAG_RETURN, argv[optind]);
util_utf8_enable = 1;
list = namadr_list_init("command line", MATCH_FLAG_PARENT
| MATCH_FLAG_RETURN, argv[optind]);
host = argv[optind + 1];
addr = argv[optind + 2];
vstream_printf("%s/%s: %s\n", host, addr,

View File

@ -21,8 +21,8 @@
*/
#define NAMADR_LIST MATCH_LIST
#define namadr_list_init(f, p) \
match_list_init((f), (p), 2, match_hostname, match_hostaddr)
#define namadr_list_init(o, f, p) \
match_list_init((o), (f), (p), 2, match_hostname, match_hostaddr)
#define namadr_list_match match_list_match
#define namadr_list_free match_list_free

View File

@ -2,18 +2,18 @@ dummy/168.100.189.2: YES
dummy/168.100.189.2: NO
dummy/168.100.189.3: YES
dummy/168.100.189.16: NO
./namadr_list: warning: bad net/mask pattern: "168.100.189.0/98"
./namadr_list: warning: command line: bad net/mask pattern: "168.100.189.0/98"
dummy/168.100.189.16: ERROR
./namadr_list: warning: bad net/mask pattern: "168.100.589.0/28"
./namadr_list: warning: command line: bad net/mask pattern: "168.100.589.0/28"
dummy/168.100.189.16: ERROR
dummy/168.100.989.16: NO
./namadr_list: error: unsupported dictionary type: 2001
./namadr_list: warning: 2001:240:5c7:0:2d0:b7ff:fe88:2ca7 is unavailable. unsupported dictionary type: 2001
./namadr_list: warning: 2001:240:5c7:0:2d0:b7ff:fe88:2ca7: table lookup problem
./namadr_list: warning: command line: 2001:240:5c7:0:2d0:b7ff:fe88:2ca7: table lookup problem
dummy/2001:240:5c7:0:2d0:b7ff:fe88:2ca7: ERROR
dummy/2001:240:5c7:0:2d0:b7ff:fe88:2ca7: YES
dummy/2001:240:5c7:0:2d0:b7ff:fe88:2ca8: NO
./namadr_list: warning: non-null host address bits in "2001:240:5c7:0:2d0:b7ff:fe88:2ca7/64", perhaps you should use "2001:240:5c7::/64" instead
./namadr_list: warning: command line: non-null host address bits in "2001:240:5c7:0:2d0:b7ff:fe88:2ca7/64", perhaps you should use "2001:240:5c7::/64" instead
dummy/2001:240:5c7:0:2d0:b7ff:fe88:2ca8: ERROR
dummy/2001:240:5c7:0:2d0:b7ff:fe88:2ca8: YES
dummy/2001:24:5c7:0:2d0:b7ff:fe88:2ca8: NO
@ -32,10 +32,10 @@ foo/168.100.189.3: YES
bar/168.100.189.3: NO
baz/168.100.189.3: YES
x.x.x/127.0.0.1: NO
./namadr_list: warning: bad net/mask pattern: "be/be"
./namadr_list: warning: command line: bad net/mask pattern: "be/be"
x.x.x/127.0.0.1: ERROR
x.x.x/127.0.0.1: NO
./namadr_list: warning: bad address pattern: "be:be"
./namadr_list: warning: command line: bad address pattern: "be:be"
x.x.x/::1: ERROR
foo/168.100.189.3: YES
bar/168.100.189.3: NO
@ -43,11 +43,11 @@ foo/168.100.189.3: NO
bar/168.100.189.3: NO
foo/168.100.189.3: YES
bar/168.100.189.3: NO
./namadr_list: warning: fail:1: table lookup problem
./namadr_list: warning: command line: fail:1: table lookup problem
bar/168.100.189.3: ERROR
./namadr_list: warning: fail:1: table lookup problem
./namadr_list: warning: command line: fail:1: table lookup problem
bar/168.100.189.3: ERROR
./namadr_list: error: open file /tmp/nosuchfile: No such file or directory
./namadr_list: warning: non-existent:/tmp/nosuchfile is unavailable. open file /tmp/nosuchfile: No such file or directory
./namadr_list: warning: non-existent:/tmp/nosuchfile: table lookup problem
./namadr_list: warning: command line: non-existent:/tmp/nosuchfile: table lookup problem
bar/168.100.189.3: ERROR

View File

@ -69,7 +69,8 @@ void resolve_local_init(void)
/* Allow on-the-fly update to make testing easier. */
if (resolve_local_list)
string_list_free(resolve_local_list);
resolve_local_list = string_list_init(MATCH_FLAG_RETURN, var_mydest);
resolve_local_list = string_list_init(VAR_MYDEST, MATCH_FLAG_RETURN,
var_mydest);
}
/* resolve_local - match domain against list of local destinations */

View File

@ -1,6 +1,6 @@
mydestination=example.com destination=example.com YES
mydestination=example.net destination=example.com NO
unknown: warning: fail:1_resolve_local: table lookup problem
unknown: warning: mydestination: fail:1_resolve_local: table lookup problem
mydestination=fail:1_resolve_local destination=example.com ERROR
mydestination=fail:1_resolve_local destination=example.com.. NO
mydestination=fail:1_resolve_local destination= NO

View File

@ -102,12 +102,12 @@ void server_acl_pre_jail_init(const char *mynetworks, const char *origin)
addr_match_list_free(server_acl_mynetworks_host);
}
server_acl_mynetworks =
addr_match_list_init(MATCH_FLAG_RETURN | match_parent_style(origin),
mynetworks);
addr_match_list_init(origin, MATCH_FLAG_RETURN
| match_parent_style(origin), mynetworks);
if (warn_compat_break_mynetworks_style)
server_acl_mynetworks_host =
addr_match_list_init(MATCH_FLAG_RETURN | match_parent_style(origin),
mynetworks_host());
addr_match_list_init(origin, MATCH_FLAG_RETURN
| match_parent_style(origin), mynetworks_host());
}
/* server_acl_parse - parse access list */
@ -138,7 +138,8 @@ SERVER_ACL *server_acl_parse(const char *extern_acl, const char *origin)
} else {
if (dict_handle(acl) == 0)
dict_register(acl, dict_open(acl, O_RDONLY, DICT_FLAG_LOCK
| DICT_FLAG_FOLD_FIX));
| DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST));
}
}
argv_add(intern_acl, acl, (char *) 0);
@ -278,7 +279,7 @@ int main(void)
} else if (STREQ(cmd, VAR_SERVER_ACL)) {
UPDATE_VAR(var_server_acl, value);
} else if (STREQ(cmd, "address")) {
server_acl_pre_jail_init(var_mynetworks, VAR_SERVER_ACL);
server_acl_pre_jail_init(var_mynetworks, VAR_MYNETWORKS);
argv = server_acl_parse(var_server_acl, VAR_SERVER_ACL);
ret = server_acl_eval(value, argv, VAR_SERVER_ACL);
argv_free(argv);

View File

@ -9,7 +9,7 @@
168.100.189.3: permit
> mynetworks=fail:1
> address=168.100.189.4
unknown: warning: fail:1: table lookup problem
unknown: warning: mynetworks: fail:1: table lookup problem
unknown: warning: server_acl: permit_mynetworks: mynetworks lookup error -- ignoring the remainder of this access list
168.100.189.4: error
> server_acl=fail:1,reject

View File

@ -75,12 +75,14 @@
#ifdef TEST
#include <msg.h>
#include <stdlib.h>
#include <unistd.h>
#include <msg.h>
#include <vstream.h>
#include <vstring.h>
#include <msg_vstream.h>
#include <dict.h>
#include <stringops.h> /* util_utf8_enable */
static void usage(char *progname)
{
@ -106,7 +108,9 @@ int main(int argc, char **argv)
}
if (argc != optind + 2)
usage(argv[0]);
list = string_list_init(MATCH_FLAG_RETURN, argv[optind]);
dict_allow_surrogate = 1;
util_utf8_enable = 1;
list = string_list_init("command line", MATCH_FLAG_RETURN, argv[optind]);
string = argv[optind + 1];
vstream_printf("%s: %s\n", string, string_list_match(list, string) ?
"YES" : list->error == 0 ? "NO" : "ERROR");

View File

@ -21,7 +21,8 @@
*/
#define STRING_LIST MATCH_LIST
#define string_list_init(f, p) match_list_init((f), (p), 1, match_string)
#define string_list_init(o, f, p) \
match_list_init((o), (f), (p), 1, match_string)
#define string_list_match match_list_match
#define string_list_free match_list_free

View File

@ -209,6 +209,7 @@ TOK822 *tok822_sub_append(TOK822 *t1, TOK822 *t2)
return (t1->tail = tok822_append(t1->tail, t2));
} else {
t1->head = t2;
t2->owner = t1;
while (t2->next)
(t2 = t2->next)->owner = t1;
return (t1->tail = t2);
@ -227,6 +228,7 @@ TOK822 *tok822_sub_prepend(TOK822 *t1, TOK822 *t2)
return (tp);
} else {
t1->head = t2;
t2->owner = t1;
while (t2->next)
(t2 = t2->next)->owner = t1;
return (t1->tail = t2);
@ -259,11 +261,12 @@ TOK822 *tok822_sub_keep_after(TOK822 *t1, TOK822 *t2)
TOK822 *tok822_free_tree(TOK822 *tp)
{
if (tp) {
if (tp->next)
tok822_free_tree(tp->next);
TOK822 *next;
for (/* void */; tp != 0; tp = next) {
if (tp->head)
tok822_free_tree(tp->head);
next = tp->next;
tok822_free(tp);
}
return (0);
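Review bot: the loop in tok822_free_tree() now walks the `next` chain iteratively, but `tok822_free_tree(tp->head)` is still a recursive call, so stack use still grows with nesting depth. If that depth is bounded by the parser, please say so in a comment at this call; if it is not, the head descent needs the same treatment as the sibling chain. The function has no comment explaining why `next` is saved before `tok822_free(tp)`, and one line there would help the next reader.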

View File

@ -6,7 +6,8 @@
/* SYNOPSIS
/* #include <user_acl.h>
/*
/* const char *check_user_acl_byuid(acl, uid)
/* const char *check_user_acl_byuid(pname, acl, uid)
/* cobnst char *pname;
/* const char *acl;
/* uid_t uid;
/* DESCRIPTION
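Review bot: typo in the new SYNOPSIS line, `cobnst char *pname;` should read `const char *pname;`. This text feeds the generated manual page, so the misspelling will be published as is.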
@ -20,6 +21,8 @@
/* calls.
/*
/* Arguments:
/* .IP pname
/* The parameter name of the acl.
/* .IP acl
/* Authorized user name list suitable for input to string_list_init(3).
/* .IP uid
@ -59,7 +62,7 @@
/* check_user_acl_byuid - check user authorization */
const char *check_user_acl_byuid(char *acl, uid_t uid)
const char *check_user_acl_byuid(const char *pname, const char *acl, uid_t uid)
{
struct mypasswd *mypwd;
STRING_LIST *list;
@ -101,7 +104,7 @@ const char *check_user_acl_byuid(char *acl, uid_t uid)
name = mypwd->pw_name;
}
list = string_list_init(MATCH_FLAG_NONE, acl);
list = string_list_init(pname, MATCH_FLAG_NONE, acl);
if ((matched = string_list_match(list, name)) == 0) {
if (!who)
who = vstring_alloc(10);

View File

@ -25,7 +25,7 @@
/*
* External interface
*/
extern const char *check_user_acl_byuid(char *, uid_t);
extern const char *check_user_acl_byuid(const char *, const char *, uid_t);
/* AUTHOR(S)
/* Wietse Venema

View File

@ -865,7 +865,8 @@ static void pre_init(char *unused_name, char **unused_argv)
}
alias_maps = maps_create("aliases", var_alias_maps,
DICT_FLAG_LOCK | DICT_FLAG_PARANOID
| DICT_FLAG_FOLD_FIX);
| DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
flush_init();
}

View File

@ -277,7 +277,8 @@ int deliver_mailbox(LOCAL_STATE state, USER_ATTR usr_attr, int *statusp)
*/
if (*var_mbox_transp_maps && transp_maps == 0)
transp_maps = maps_create(VAR_MBOX_TRANSP_MAPS, var_mbox_transp_maps,
DICT_FLAG_LOCK | DICT_FLAG_NO_REGSUB);
DICT_FLAG_LOCK | DICT_FLAG_NO_REGSUB
| DICT_FLAG_UTF8_REQUEST);
/* The -1 is a hint for the down-stream deliver_completed() function. */
if (transp_maps
&& (map_transport = maps_find(transp_maps, state.msg_attr.user,
@ -332,10 +333,11 @@ int deliver_mailbox(LOCAL_STATE state, USER_ATTR usr_attr, int *statusp)
if (*var_mailbox_cmd_maps && cmd_maps == 0)
cmd_maps = maps_create(VAR_MAILBOX_CMD_MAPS, var_mailbox_cmd_maps,
DICT_FLAG_LOCK | DICT_FLAG_PARANOID);
DICT_FLAG_LOCK | DICT_FLAG_PARANOID
| DICT_FLAG_UTF8_REQUEST);
if (cmd_maps && (map_command = maps_find(cmd_maps, state.msg_attr.user,
DICT_FLAG_NONE)) != 0) {
DICT_FLAG_NONE)) != 0) {
status = deliver_command(state, usr_attr, map_command);
} else if (cmd_maps && cmd_maps->error != 0) {
/* Details in the logfile. */

View File

@ -109,7 +109,8 @@ int deliver_unknown(LOCAL_STATE state, USER_ATTR usr_attr)
*/
if (*var_fbck_transp_maps && transp_maps == 0)
transp_maps = maps_create(VAR_FBCK_TRANSP_MAPS, var_fbck_transp_maps,
DICT_FLAG_LOCK | DICT_FLAG_NO_REGSUB);
DICT_FLAG_LOCK | DICT_FLAG_NO_REGSUB
| DICT_FLAG_UTF8_REQUEST);
/* The -1 is a hint for the down-stream deliver_completed() function. */
if (transp_maps
&& (map_transport = maps_find(transp_maps, state.msg_attr.user,

View File

@ -5,7 +5,7 @@
/* Postfix alias database maintenance
/* SYNOPSIS
/* .fi
/* \fBpostalias\fR [\fB-Nfinoprsvw\fR] [\fB-c \fIconfig_dir\fR]
/* \fBpostalias\fR [\fB-Nfinoprsuvw\fR] [\fB-c \fIconfig_dir\fR]
/* [\fB-d \fIkey\fR] [\fB-q \fIkey\fR]
/* [\fIfile_type\fR:]\fIfile_name\fR ...
/* DESCRIPTION
@ -93,6 +93,10 @@
/* as the original input order.
/* This feature is available in Postfix version 2.2 and later,
/* and is not available for all database types.
/* .IP \fB-u\fR
/* Disable UTF-8 support. UTF-8 support is enabled by default
/* when "smtputf8_enable = yes". It requires that keys and
/* values are valid UTF-8 strings.
/* .IP \fB-v\fR
/* Enable verbose logging for debugging purposes. Multiple \fB-v\fR
/* options make the software increasingly verbose.
@ -176,6 +180,9 @@
/* .IP "\fBdefault_database_type (see 'postconf -d' output)\fR"
/* The default database type for use in \fBnewaliases\fR(1), \fBpostalias\fR(1)
/* and \fBpostmap\fR(1) commands.
/* .IP "\fBsmtputf8_enable (yes)\fR"
/* Enable experimental SMTPUTF8 support for the protocols described
/* in RFC 6531..6533.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
@ -249,6 +256,7 @@
/* Application-specific. */
#define STR vstring_str
#define LEN VSTRING_LEN
#define POSTALIAS_FLAG_AS_OWNER (1<<0) /* open dest as owner of source */
#define POSTALIAS_FLAG_SAVE_PERM (1<<1) /* copy access permission
@ -309,7 +317,6 @@ static void postalias(char *map_type, char *path_name, int postalias_flags,
&& (st.st_uid != geteuid() || st.st_gid != getegid()))
set_eugid(st.st_uid, st.st_gid);
/*
* Open the database, create it when it does not exist, truncate it when
* it does exist, and lock out any spectators.
@ -338,6 +345,17 @@ static void postalias(char *map_type, char *path_name, int postalias_flags,
last_line = 0;
while (readllines(line_buffer, source_fp, &last_line, &lineno)) {
/*
* First some UTF-8 checks sans casefolding.
*/
if ((mkmap->dict->flags & DICT_FLAG_UTF8_ACTIVE)
&& !allascii(STR(line_buffer))
&& !valid_utf8_string(STR(line_buffer), LEN(line_buffer))) {
msg_warn("%s, line %d: non-UTF-8 input \"%s\"",
VSTREAM_PATH(source_fp), lineno, STR(line_buffer));
continue;
}
/*
* Tokenize the input, so that we do the right thing when a
* quoted localpart contains special characters such as "@", ":"
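Review bot: the new UTF-8 check drops a malformed line with `msg_warn(...)` and `continue`, so the build still completes and the resulting alias database is silently missing entries unless someone reads the warnings. Consider counting the rejected lines and reporting a non-zero exit status (or at least a summary warning) at the end of the run, and mention the skip behaviour in the `-u` paragraph of the manual text. The comment "First some UTF-8 checks sans casefolding" could also say why the check is done on the raw line before tokenizing.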
@ -655,7 +673,7 @@ static void postalias_seq(const char *map_type, const char *map_name,
static NORETURN usage(char *myname)
{
msg_fatal("usage: %s [-Nfinoprsvw] [-c config_dir] [-d key] [-q key] [map_type:]file...",
msg_fatal("usage: %s [-Nfinoprsuvw] [-c config_dir] [-d key] [-q key] [map_type:]file...",
myname);
}
@ -670,7 +688,8 @@ int main(int argc, char **argv)
struct stat st;
int postalias_flags = POSTALIAS_FLAG_AS_OWNER | POSTALIAS_FLAG_SAVE_PERM;
int open_flags = O_RDWR | O_CREAT | O_TRUNC;
int dict_flags = DICT_FLAG_DUP_WARN | DICT_FLAG_FOLD_FIX;
int dict_flags = (DICT_FLAG_DUP_WARN | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
char *query = 0;
char *delkey = 0;
int sequence = 0;
@ -720,7 +739,7 @@ int main(int argc, char **argv)
/*
* Parse JCL.
*/
while ((ch = GETOPT(argc, argv, "Nc:d:finopq:rsvw")) > 0) {
while ((ch = GETOPT(argc, argv, "Nc:d:finopq:rsuvw")) > 0) {
switch (ch) {
default:
usage(argv[0]);
@ -768,6 +787,9 @@ int main(int argc, char **argv)
msg_fatal("specify only one of -s or -q or -d");
sequence = 1;
break;
case 'u':
dict_flags &= ~DICT_FLAG_UTF8_REQUEST;
break;
case 'v':
msg_verbose++;
break;

View File

@ -321,7 +321,7 @@ static void pcf_check_master_entry(ARGV *argv, const char *raw_text)
for (field = PCF_MASTER_FLD_PRIVATE; field <= PCF_MASTER_FLD_CHROOT; field++) {
cp = argv->argv[field];
if (cp[1] != 0 || strchr(pcf_valid_bool_types, *cp) == 0)
pcf_fix_fatal("invalid %s field \%s\" in \"%s\"",
pcf_fix_fatal("invalid %s field \"%s\" in \"%s\"",
pcf_str_field_pattern(field), cp, raw_text);
}
@ -330,12 +330,12 @@ static void pcf_check_master_entry(ARGV *argv, const char *raw_text)
if (len > 0 && cp[len - 1] == '?')
len--;
if (!(cp[0] == '-' && len == 1) && strspn(cp, "0123456789") != len)
pcf_fix_fatal("invalid " PCF_MASTER_NAME_WAKEUP " field \%s\" in \"%s\"",
pcf_fix_fatal("invalid " PCF_MASTER_NAME_WAKEUP " field \"%s\" in \"%s\"",
cp, raw_text);
cp = argv->argv[PCF_MASTER_FLD_MAXPROC];
if (strcmp("-", cp) != 0 && cp[strspn(cp, "0123456789")] != 0)
pcf_fix_fatal("invalid " PCF_MASTER_NAME_MAXPROC " field \%s\" in \"%s\"",
pcf_fix_fatal("invalid " PCF_MASTER_NAME_MAXPROC " field \"%s\" in \"%s\"",
cp, raw_text);
}

View File

@ -315,7 +315,8 @@ int main(int argc, char **argv)
* or in the daemon process?
*/
mail_dict_init();
if ((errstr = check_user_acl_byuid(var_submit_acl, uid)) != 0)
if ((errstr = check_user_acl_byuid(VAR_SUBMIT_ACL, var_submit_acl,
uid)) != 0)
msg_fatal("User %s(%ld) is not allowed to submit mail",
errstr, (long) uid);

View File

@ -5,7 +5,7 @@
/* Postfix lookup table management
/* SYNOPSIS
/* .fi
/* \fBpostmap\fR [\fB-Nbfhimnoprsvw\fR] [\fB-c \fIconfig_dir\fR]
/* \fBpostmap\fR [\fB-NbfhimnoprsuUvw\fR] [\fB-c \fIconfig_dir\fR]
/* [\fB-d \fIkey\fR] [\fB-q \fIkey\fR]
/* [\fIfile_type\fR:]\fIfile_name\fR ...
/* DESCRIPTION
@ -71,6 +71,11 @@
/* generates no body-style lookup keys for attachment MIME
/* headers and for attached message/* headers.
/* .sp
/* NOTE: with "smtputf8_enable = yes", the \fB-b\fR option
/* option disables UTF-8 syntax checks on query keys and
/* lookup results. Specify the \fB-U\fR option to force UTF-8
/* syntax checks anyway.
/* .sp
/* This feature is available in Postfix version 2.6 and later.
/* .IP "\fB-c \fIconfig_dir\fR"
/* Read the \fBmain.cf\fR configuration file in the named directory
@ -104,6 +109,11 @@
/* generates header-style lookup keys for attachment MIME
/* headers and for attached message/* headers.
/* .sp
/* NOTE: with "smtputf8_enable = yes", the \fB-b\fR option
/* option disables UTF-8 syntax checks on query keys and
/* lookup results. Specify the \fB-U\fR option to force UTF-8
/* syntax checks anyway.
/* .sp
/* This feature is available in Postfix version 2.6 and later.
/* .IP \fB-i\fR
/* Incremental mode. Read entries from standard input and do not
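Review bot: the NOTE added to this section names the wrong option. The surrounding context is the header-style (`-h`) description, but the new text says "the \fB-b\fR option"; it looks copied from the `-b` section and should read `\fB-h\fR` here. The word "option" is also doubled across the line break ("option / option disables"), in this hunk and in the matching NOTE for `-b` above.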
@ -151,6 +161,13 @@
/* .sp
/* This feature is available in Postfix version 2.2 and later,
/* and is not available for all database types.
/* .IP \fB-u\fR
/* Disable UTF-8 support. UTF-8 support is enabled by default
/* when "smtputf8_enable = yes". It requires that keys and
/* values are valid UTF-8 strings.
/* .IP \fB-U\fR
/* With "smtputf8_enable = yes", force UTF-8 syntax checks
/* with the \fB-b\fR and \fB-h\fR options.
/* .IP \fB-v\fR
/* Enable verbose logging for debugging purposes. Multiple \fB-v\fR
/* options make the software increasingly verbose.
@ -229,6 +246,9 @@
/* .IP "\fBdefault_database_type (see 'postconf -d' output)\fR"
/* The default database type for use in \fBnewaliases\fR(1), \fBpostalias\fR(1)
/* and \fBpostmap\fR(1) commands.
/* .IP "\fBsmtputf8_enable (yes)\fR"
/* Enable experimental SMTPUTF8 support for the protocols described
/* in RFC 6531..6533.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
@ -401,6 +421,17 @@ static void postmap(char *map_type, char *path_name, int postmap_flags,
last_line = 0;
while (readllines(line_buffer, source_fp, &last_line, &lineno)) {
/*
* First some UTF-8 checks sans casefolding.
*/
if ((mkmap->dict->flags & DICT_FLAG_UTF8_ACTIVE)
&& !allascii(STR(line_buffer))
&& !valid_utf8_string(STR(line_buffer), LEN(line_buffer))) {
msg_warn("%s, line %d: non-UTF-8 input \"%s\"",
VSTREAM_PATH(source_fp), lineno, STR(line_buffer));
continue;
}
/*
* Split on the first whitespace character, then trim leading and
* trailing whitespace from key and value.
@ -769,7 +800,7 @@ static void postmap_seq(const char *map_type, const char *map_name,
static NORETURN usage(char *myname)
{
msg_fatal("usage: %s [-Nfinoprsvw] [-c config_dir] [-d key] [-q key] [map_type:]file...",
msg_fatal("usage: %s [-NfinoprsuUvw] [-c config_dir] [-d key] [-q key] [map_type:]file...",
myname);
}
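Review bot: the updated usage string `[-NfinoprsuUvw]` still omits `b`, `h` and `m`, although the SYNOPSIS at the top of the file lists `-NbfhimnoprsuUvw` and the GETOPT string is `"Nbc:d:fhimnopq:rsuUvw"`. Since this line is being edited anyway, please bring it in line with the other two so that the error message shows every accepted flag.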
@ -784,11 +815,13 @@ int main(int argc, char **argv)
struct stat st;
int postmap_flags = POSTMAP_FLAG_AS_OWNER | POSTMAP_FLAG_SAVE_PERM;
int open_flags = O_RDWR | O_CREAT | O_TRUNC;
int dict_flags = DICT_FLAG_DUP_WARN | DICT_FLAG_FOLD_FIX;
int dict_flags = (DICT_FLAG_DUP_WARN | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
char *query = 0;
char *delkey = 0;
int sequence = 0;
int found;
int force_utf8 = 0;
/*
* Fingerprint executables and core dumps.
@ -834,7 +867,7 @@ int main(int argc, char **argv)
/*
* Parse JCL.
*/
while ((ch = GETOPT(argc, argv, "Nbc:d:fhimnopq:rsvw")) > 0) {
while ((ch = GETOPT(argc, argv, "Nbc:d:fhimnopq:rsuUvw")) > 0) {
switch (ch) {
default:
usage(argv[0]);
@ -891,6 +924,12 @@ int main(int argc, char **argv)
msg_fatal("specify only one of -s or -q or -d");
sequence = 1;
break;
case 'u':
dict_flags &= ~DICT_FLAG_UTF8_REQUEST;
break;
case 'U':
force_utf8 = 1;
break;
case 'v':
msg_verbose++;
break;
@ -911,6 +950,9 @@ int main(int argc, char **argv)
&& (postmap_flags & POSTMAP_FLAG_ANY_KEY)
== (postmap_flags & POSTMAP_FLAG_MIME_KEY))
msg_warn("ignoring -m option without -b or -h");
if ((postmap_flags & (POSTMAP_FLAG_ANY_KEY & ~POSTMAP_FLAG_MIME_KEY))
&& force_utf8 == 0)
dict_flags &= ~DICT_FLAG_UTF8_MASK;
/*
* Use the map type specified by the user, or fall back to a default

View File

@ -270,7 +270,8 @@ static void show_queue(void)
uid_t uid = getuid();
if (uid != 0 && uid != var_owner_uid
&& (errstr = check_user_acl_byuid(var_showq_acl, uid)) != 0)
&& (errstr = check_user_acl_byuid(VAR_SHOWQ_ACL, var_showq_acl,
uid)) != 0)
msg_fatal_status(EX_NOPERM,
"User %s(%ld) is not allowed to view the mail queue",
errstr, (long) uid);
@ -344,7 +345,8 @@ static void flush_queue(void)
uid_t uid = getuid();
if (uid != 0 && uid != var_owner_uid
&& (errstr = check_user_acl_byuid(var_flush_acl, uid)) != 0)
&& (errstr = check_user_acl_byuid(VAR_FLUSH_ACL, var_flush_acl,
uid)) != 0)
msg_fatal_status(EX_NOPERM,
"User %s(%ld) is not allowed to flush the mail queue",
errstr, (long) uid);
@ -370,7 +372,8 @@ static void flush_site(const char *site)
uid_t uid = getuid();
if (uid != 0 && uid != var_owner_uid
&& (errstr = check_user_acl_byuid(var_flush_acl, uid)) != 0)
&& (errstr = check_user_acl_byuid(VAR_FLUSH_ACL, var_flush_acl,
uid)) != 0)
msg_fatal_status(EX_NOPERM,
"User %s(%ld) is not allowed to flush the mail queue",
errstr, (long) uid);
@ -404,7 +407,8 @@ static void flush_file(const char *queue_id)
uid_t uid = getuid();
if (uid != 0 && uid != var_owner_uid
&& (errstr = check_user_acl_byuid(var_flush_acl, uid)) != 0)
&& (errstr = check_user_acl_byuid(VAR_FLUSH_ACL, var_flush_acl,
uid)) != 0)
msg_fatal_status(EX_NOPERM,
"User %s(%ld) is not allowed to flush the mail queue",
errstr, (long) uid);

View File

@ -852,7 +852,8 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
psc_acl = psc_acl_parse(var_psc_acl, VAR_PSC_ACL);
/* Ignore smtpd_forbid_cmds lookup errors. Non-critical feature. */
if (*var_psc_forbid_cmds)
psc_forbid_cmds = string_list_init(MATCH_FLAG_RETURN,
psc_forbid_cmds = string_list_init(VAR_PSC_FORBID_CMDS,
MATCH_FLAG_RETURN,
var_psc_forbid_cmds);
if (*var_psc_dnsbl_reply)
psc_dnsbl_reply = dict_open(var_psc_dnsbl_reply, O_RDONLY,
@ -998,7 +999,8 @@ static void post_jail_init(char *unused_name, char **unused_argv)
msg_fatal("bad %s value: %s", VAR_PSC_BARLF_ACTION,
var_psc_barlf_action);
/* Fail "closed" on error. */
psc_wlist_if = addr_match_list_init(MATCH_FLAG_RETURN, var_psc_wlist_if);
psc_wlist_if = addr_match_list_init(VAR_PSC_WLIST_IF, MATCH_FLAG_RETURN,
var_psc_wlist_if);
/*
* Start the cache maintenance pseudo thread last. Early cleanup makes

View File

@ -74,7 +74,7 @@ posttls-finger.o: ../../include/iostuff.h
posttls-finger.o: ../../include/mail_conf.h
posttls-finger.o: ../../include/mail_params.h
posttls-finger.o: ../../include/mail_server.h
posttls-finger.o: ../../include/midna.h
posttls-finger.o: ../../include/midna_domain.h
posttls-finger.o: ../../include/msg.h
posttls-finger.o: ../../include/msg_vstream.h
posttls-finger.o: ../../include/myaddrinfo.h

View File

@ -323,7 +323,7 @@
#include <sane_connect.h>
#include <myaddrinfo.h>
#include <sock_addr.h>
#include <midna.h>
#include <midna_domain.h>
#define STR(x) vstring_str(x)
@ -1103,7 +1103,7 @@ static DNS_RR *domain_addr(STATE *state, char *domain)
* IDNA support.
*/
#ifndef NO_EAI
if (!allascii(domain) && (aname = midna_to_ascii(domain)) != 0) {
if (!allascii(domain) && (aname = midna_domain_to_ascii(domain)) != 0) {
msg_info("%s asciified to %s", domain, aname);
} else
#endif
@ -1168,7 +1168,7 @@ static DNS_RR *host_addr(STATE *state, const char *host)
* IDNA support.
*/
#ifndef NO_EAI
if (!allascii(host) && (ahost = midna_to_ascii(host)) != 0) {
if (!allascii(host) && (ahost = midna_domain_to_ascii(host)) != 0) {
msg_info("%s asciified to %s", host, ahost);
} else
#endif

View File

@ -382,7 +382,8 @@ static void proxymap_sequence_service(VSTREAM *client_stream)
reply_status = PROXY_STAT_NOKEY;
reply_key = reply_value = "";
} else {
reply_status = PROXY_STAT_RETRY;
reply_status = (dict->error == DICT_ERR_RETRY ?
PROXY_STAT_RETRY : PROXY_STAT_CONFIG);
reply_key = reply_value = "";
}
}
@ -427,7 +428,8 @@ static void proxymap_lookup_service(VSTREAM *client_stream)
reply_status = PROXY_STAT_NOKEY;
reply_value = "";
} else {
reply_status = PROXY_STAT_RETRY;
reply_status = (dict->error == DICT_ERR_RETRY ?
PROXY_STAT_RETRY : PROXY_STAT_CONFIG);
reply_value = "";
}
@ -482,7 +484,8 @@ static void proxymap_update_service(VSTREAM *client_stream)
} else if (dict->error == 0) {
reply_status = PROXY_STAT_NOKEY;
} else {
reply_status = PROXY_STAT_RETRY;
reply_status = (dict->error == DICT_ERR_RETRY ?
PROXY_STAT_RETRY : PROXY_STAT_CONFIG);
}
}
@ -532,7 +535,8 @@ static void proxymap_delete_service(VSTREAM *client_stream)
} else if (dict->error == 0) {
reply_status = PROXY_STAT_NOKEY;
} else {
reply_status = PROXY_STAT_RETRY;
reply_status = (dict->error == DICT_ERR_RETRY ?
PROXY_STAT_RETRY : PROXY_STAT_CONFIG);
}
}
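Review bot: the expression `(dict->error == DICT_ERR_RETRY ? PROXY_STAT_RETRY : PROXY_STAT_CONFIG)` is now repeated verbatim in the sequence, lookup, update and delete handlers. Please factor it into one macro or small static function so the mapping from dictionary errors to proxy status codes lives in a single place. It would also help to document at that one place that every error other than `DICT_ERR_RETRY` is reported to the client as a configuration error, since that is a behaviour change from the previous unconditional `PROXY_STAT_RETRY`.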

View File

@ -785,7 +785,7 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
{
debug_peer_init();
qmqpd_clients =
namadr_list_init(MATCH_FLAG_RETURN
namadr_list_init(VAR_QMQPD_CLIENTS, MATCH_FLAG_RETURN
| match_parent_style(VAR_QMQPD_CLIENTS),
var_qmqpd_clients);
}

View File

@ -646,7 +646,8 @@ static void enqueue(const int flags, const char *encoding,
* Access control is enforced in the postdrop command. The code here
* merely produces a more user-friendly interface.
*/
if ((errstr = check_user_acl_byuid(var_submit_acl, uid)) != 0)
if ((errstr = check_user_acl_byuid(VAR_SUBMIT_ACL,
var_submit_acl, uid)) != 0)
msg_fatal_status(EX_NOPERM,
"User %s(%ld) is not allowed to submit mail", errstr, (long) uid);
@ -1404,7 +1405,8 @@ int main(int argc, char **argv)
msg_fatal_status(EX_USAGE,
"stand-alone mode requires no recipient");
/* The actual enforcement happens in the postdrop command. */
if ((errstr = check_user_acl_byuid(var_submit_acl, uid = getuid())) != 0)
if ((errstr = check_user_acl_byuid(VAR_SUBMIT_ACL, var_submit_acl,
uid = getuid())) != 0)
msg_fatal_status(EX_NOPERM,
"User %s(%ld) is not allowed to submit mail",
errstr, (long) uid);

View File

@ -154,7 +154,7 @@ smtp_addr.o: ../../include/inet_proto.h
smtp_addr.o: ../../include/mail_params.h
smtp_addr.o: ../../include/maps.h
smtp_addr.o: ../../include/match_list.h
smtp_addr.o: ../../include/midna.h
smtp_addr.o: ../../include/midna_domain.h
smtp_addr.o: ../../include/mime_state.h
smtp_addr.o: ../../include/msg.h
smtp_addr.o: ../../include/msg_stats.h
@ -380,12 +380,14 @@ smtp_proto.o: ../../include/mail_queue.h
smtp_proto.o: ../../include/maps.h
smtp_proto.o: ../../include/mark_corrupt.h
smtp_proto.o: ../../include/match_list.h
smtp_proto.o: ../../include/match_parent_style.h
smtp_proto.o: ../../include/mime_state.h
smtp_proto.o: ../../include/msg.h
smtp_proto.o: ../../include/msg_stats.h
smtp_proto.o: ../../include/myaddrinfo.h
smtp_proto.o: ../../include/myflock.h
smtp_proto.o: ../../include/mymalloc.h
smtp_proto.o: ../../include/namadr_list.h
smtp_proto.o: ../../include/name_code.h
smtp_proto.o: ../../include/name_mask.h
smtp_proto.o: ../../include/nvtable.h

View File

@ -113,6 +113,7 @@
VAR_LMTP_TLS_BLK_EARLY_MAIL_REPLY, DEF_LMTP_TLS_BLK_EARLY_MAIL_REPLY, &var_smtp_tls_blk_early_mail_reply,
VAR_LMTP_TLS_FORCE_TLSA, DEF_LMTP_TLS_FORCE_TLSA, &var_smtp_tls_force_tlsa,
#endif
VAR_LMTP_TLS_WRAPPER, DEF_LMTP_TLS_WRAPPER, &var_smtp_tls_wrappermode,
VAR_LMTP_SENDER_AUTH, DEF_LMTP_SENDER_AUTH, &var_smtp_sender_auth,
VAR_LMTP_CNAME_OVERR, DEF_LMTP_CNAME_OVERR, &var_smtp_cname_overr,
VAR_LMTP_SASL_AUTH_SOFT_BOUNCE, DEF_LMTP_SASL_AUTH_SOFT_BOUNCE, &var_smtp_sasl_auth_soft_bounce,

View File

@ -464,6 +464,11 @@
/* RFC 6698 trust-anchor digest support in the Postfix TLS library.
/* .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
/* The name of the \fBtlsmgr\fR(8) service entry in master.cf.
/* .PP
/* Available in Postfix version 2.12 and later:
/* .IP "\fBsmtp_tls_wrappermode (no)\fR"
/* Request that the Postfix SMTP client connects using the
/* legacy SMTPS protocol instead of using the STARTTLS command.
/* OBSOLETE STARTTLS CONTROLS
/* .ad
/* .fi
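Review bot: the new smtp_tls_wrappermode manual entry omits the requirement that the TLS security level be "encrypt" or stronger, although smtp_connect_inet() in this same commit skips the destination with a warning when the level is lower. Add that dependency to the .IP text so an operator who sets only "smtp_tls_wrappermode = yes" learns about it from the documentation rather than from the log.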
@ -850,6 +855,7 @@ bool var_smtp_use_tls;
bool var_smtp_enforce_tls;
char *var_smtp_tls_per_site;
char *var_smtp_tls_policy;
bool var_smtp_tls_wrappermode;
#ifdef USE_TLS
char *var_smtp_sasl_tls_opts;
@ -1186,7 +1192,9 @@ static void pre_init(char *unused_name, char **unused_argv)
* Session cache domain list.
*/
if (*var_smtp_cache_dest)
smtp_cache_dest = string_list_init(MATCH_FLAG_RETURN, var_smtp_cache_dest);
smtp_cache_dest = string_list_init(VAR_SMTP_CACHE_DEST,
MATCH_FLAG_RETURN,
var_smtp_cache_dest);
/*
* EHLO keyword filter.
@ -1213,7 +1221,8 @@ static void pre_init(char *unused_name, char **unused_argv)
if (*var_smtp_generic_maps)
smtp_generic_maps =
maps_create(VAR_LMTP_SMTP(GENERIC_MAPS), var_smtp_generic_maps,
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
/*
* Header/body checks.

View File

@ -85,7 +85,7 @@
#include <stringops.h>
#include <myaddrinfo.h>
#include <inet_proto.h>
#include <midna.h>
#include <midna_domain.h>
/* Global library. */
@ -378,7 +378,7 @@ DNS_RR *smtp_domain_addr(const char *name, DNS_RR **mxrr, int misc_flags,
* IDNA support.
*/
#ifndef NO_EAI
if (!allascii(name) && (aname = midna_to_ascii(name)) != 0) {
if (!allascii(name) && (aname = midna_domain_to_ascii(name)) != 0) {
if (msg_verbose)
msg_info("%s asciified to %s", name, aname);
} else
@ -524,7 +524,7 @@ DNS_RR *smtp_host_addr(const char *host, int misc_flags, DSN_BUF *why)
* IDNA support.
*/
#ifndef NO_EAI
if (!allascii(host) && (ahost = midna_to_ascii(host)) != 0) {
if (!allascii(host) && (ahost = midna_domain_to_ascii(host)) != 0) {
if (msg_verbose)
msg_info("%s asciified to %s", host, ahost);
} else

View File

@ -820,9 +820,11 @@ static void smtp_connect_inet(SMTP_STATE *state, const char *nexthop,
* specified, or when DNS lookups are disabled.
*/
dest_buf = smtp_parse_destination(dest, def_service, &domain, &port);
if (var_helpful_warnings && ntohs(port) == 465) {
msg_info("CLIENT wrappermode (port smtps/465) is unimplemented");
msg_info("instead, send to (port submission/587) with STARTTLS");
if (var_helpful_warnings && var_smtp_tls_wrappermode == 0
&& ntohs(port) == 465) {
msg_info("SMTPS wrappermode (TCP port 465) requires setting "
"\"%s = yes\", and \"%s = encrypt\" (or stronger)",
VAR_LMTP_SMTP(TLS_WRAPPER), VAR_LMTP_SMTP(TLS_LEVEL));
}
#define NO_HOST "" /* safety */
#define NO_ADDR "" /* safety */
@ -957,6 +959,13 @@ static void smtp_connect_inet(SMTP_STATE *state, const char *nexthop,
continue;
/* XXX Assume there is no code at the end of this loop. */
}
if (var_smtp_tls_wrappermode
&& state->tls->level < TLS_LEV_ENCRYPT) {
msg_warn("%s requires \"%s = encrypt\" (or stronger)",
VAR_LMTP_SMTP(TLS_WRAPPER), VAR_LMTP_SMTP(TLS_LEVEL));
continue;
/* XXX Assume there is no code at the end of this loop. */
}
/* Disable TLS when retrying after a handshake failure */
if (retry_plain) {
state->tls->level = TLS_LEV_NONE;
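Review bot: the new wrappermode branch only calls msg_warn() before `continue`, and nothing in these lines records a delivery status for the skipped address. Please confirm that the message ends up deferred with a reason that points at the configuration, so the cause is visible in the queue and not only in the log. This is a static misconfiguration tested inside the per-address loop, so the same warning will also repeat for every address of every delivery; a one-time warning or a check at initialization would be quieter, unless the level can differ per destination.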

View File

@ -142,7 +142,9 @@ int main(int argc, char **argv)
if (argc < 3)
msg_fatal("usage: %s maptype:mapname address...", argv[0]);
maps = maps_create(argv[1], argv[1], DICT_FLAG_FOLD_FIX);
util_utf8_enable = 1;
maps = maps_create(argv[1], argv[1], DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
mail_params_init();
if (chdir(var_queue_dir) < 0)
msg_fatal("chdir(%s): %m", var_queue_dir);

View File

@ -117,6 +117,7 @@
VAR_SMTP_TLS_BLK_EARLY_MAIL_REPLY, DEF_SMTP_TLS_BLK_EARLY_MAIL_REPLY, &var_smtp_tls_blk_early_mail_reply,
VAR_SMTP_TLS_FORCE_TLSA, DEF_SMTP_TLS_FORCE_TLSA, &var_smtp_tls_force_tlsa,
#endif
VAR_SMTP_TLS_WRAPPER, DEF_SMTP_TLS_WRAPPER, &var_smtp_tls_wrappermode,
VAR_SMTP_SENDER_AUTH, DEF_SMTP_SENDER_AUTH, &var_smtp_sender_auth,
VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr,
VAR_SMTP_SASL_AUTH_SOFT_BOUNCE, DEF_SMTP_SASL_AUTH_SOFT_BOUNCE, &var_smtp_sasl_auth_soft_bounce,

View File

@ -324,6 +324,20 @@ int smtp_helo(SMTP_STATE *state)
#endif
const char *NOCLOBBER where;
/*
* Skip the plaintext SMTP handshake when connecting in SMTPS mode.
*/
#ifdef USE_TLS
if (var_smtp_tls_wrappermode
&& (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) {
/* XXX Mix-up of per-session and per-request flags. */
state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS;
tls_helo_status = smtp_start_tls(state);
state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS;
return (tls_helo_status);
}
#endif
/*
* Prepare for disaster.
*/
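Review bot: the early return for wrappermode is wrapped in `#ifdef USE_TLS`, but the parameter itself is registered and declared outside any such guard elsewhere in this commit. Please confirm what "smtp_tls_wrappermode = yes" does in a build without USE_TLS: with this block compiled out, the session must be refused somewhere else rather than continuing with a plaintext handshake. The "XXX Mix-up of per-session and per-request flags" remark also deserves one more sentence saying that SMTP_MISC_FLAG_IN_STARTTLS is set here only as a recursion guard for the smtp_helo() call made from smtp_start_tls().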
@ -336,7 +350,8 @@ int smtp_helo(SMTP_STATE *state)
* If not recursing after STARTTLS, examine the server greeting banner
* and decide if we are going to send EHLO as the next command.
*/
if ((state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) {
if (var_smtp_tls_wrappermode
|| (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) {
/*
* Read and parse the server's SMTP greeting banner.

View File

@ -131,7 +131,7 @@ SMTP_SASL_AUTH_CACHE *smtp_sasl_auth_cache_init(const char *map, int ttl)
* dict_proxy module one level down in the build dependency hierachy.
*/
#define CACHE_DICT_OPEN_FLAGS \
(DICT_FLAG_DUP_REPLACE | DICT_FLAG_SYNC_UPDATE)
(DICT_FLAG_DUP_REPLACE | DICT_FLAG_SYNC_UPDATE | DICT_FLAG_UTF8_REQUEST)
#define PROXY_COLON DICT_TYPE_PROXY ":"
#define PROXY_COLON_LEN (sizeof(PROXY_COLON) - 1)

View File

@ -234,9 +234,10 @@ void smtp_sasl_initialize(void)
* Open the per-host password table and initialize the SASL library. Use
* shared locks for reading, just in case someone updates the table.
*/
smtp_sasl_passwd_map = maps_create("smtp_sasl_passwd",
smtp_sasl_passwd_map = maps_create(VAR_LMTP_SMTP(SASL_PASSWD),
var_smtp_sasl_passwd,
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
if ((smtp_sasl_impl = xsasl_client_init(var_smtp_sasl_type,
var_smtp_sasl_path)) == 0)
msg_fatal("SASL library initialization");
@ -245,7 +246,8 @@ void smtp_sasl_initialize(void)
* Initialize optional supported mechanism matchlist
*/
if (*var_smtp_sasl_mechs)
smtp_sasl_mechs = string_list_init(MATCH_FLAG_NONE,
smtp_sasl_mechs = string_list_init(VAR_SMTP_SASL_MECHS,
MATCH_FLAG_NONE,
var_smtp_sasl_mechs);
/*
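Review bot: the list name passed to string_list_init() here is the fixed VAR_SMTP_SASL_MECHS, while the password map in the previous hunk switches to VAR_LMTP_SMTP(SASL_PASSWD). When this code runs as the LMTP client, warnings about the mechanism list would be labelled with the smtp_ parameter name. If an LMTP counterpart of the name exists, use the VAR_LMTP_SMTP() form here as well so the label matches the parameter the operator actually set.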
@ -258,7 +260,7 @@ void smtp_sasl_initialize(void)
var_smtp_sasl_auth_cache_time);
#else
msg_warn("not compiled with TLS support -- "
"ignoring the %s setting", VAR_LMTP_SMTP(SASL_AUTH_CACHE_NAME));
"ignoring the %s setting", VAR_LMTP_SMTP(SASL_AUTH_CACHE_NAME));
#endif
}
}

View File

@ -132,7 +132,8 @@ void smtp_tls_list_init(void)
if (*var_smtp_tls_policy) {
tls_policy = maps_create(VAR_LMTP_SMTP(TLS_POLICY),
var_smtp_tls_policy,
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
if (*var_smtp_tls_per_site)
msg_warn("%s ignored when %s is not empty.",
VAR_LMTP_SMTP(TLS_PER_SITE), VAR_LMTP_SMTP(TLS_POLICY));
@ -141,7 +142,8 @@ void smtp_tls_list_init(void)
if (*var_smtp_tls_per_site) {
tls_per_site = maps_create(VAR_LMTP_SMTP(TLS_PER_SITE),
var_smtp_tls_per_site,
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
}
}

View File

@ -329,7 +329,7 @@ smtpd_check.o: ../../include/mail_stream.h
smtpd_check.o: ../../include/maps.h
smtpd_check.o: ../../include/match_list.h
smtpd_check.o: ../../include/match_parent_style.h
smtpd_check.o: ../../include/midna.h
smtpd_check.o: ../../include/midna_domain.h
smtpd_check.o: ../../include/milter.h
smtpd_check.o: ../../include/msg.h
smtpd_check.o: ../../include/msg_stats.h

View File

@ -3653,7 +3653,8 @@ static int etrn_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
* As an extension to RFC 1985 we also allow an RFC 2821 address literal
* enclosed in [].
*
* XXX EAI: Convert to ASCII and use that form internally.
* XXX There does not appear to be an ETRN parameter to indicate that the
* domain name is UTF-8.
*/
if (!valid_hostname(argv[1].strval, DONT_GRIPE)
&& !valid_mailhost_literal(argv[1].strval, DONT_GRIPE)) {
@ -4948,6 +4949,14 @@ static void smtpd_proto(SMTPD_STATE *state)
}
watchdog_pat();
smtpd_chat_query(state);
/* Safety: protect internal interfaces against malformed UTF-8. */
if (var_smtputf8_enable && valid_utf8_string(STR(state->buffer),
LEN(state->buffer)) == 0) {
state->error_mask |= MAIL_ERROR_PROTOCOL;
smtpd_chat_reply(state, "500 5.5.2 Error: bad UTF-8 syntax");
state->error_count++;
continue;
}
/* Move into smtpd_chat_query() and update session transcript. */
if (smtpd_cmd_filter != 0) {
for (cp = STR(state->buffer); *cp && IS_SPACE_TAB(*cp); cp++)
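Review bot: the malformed UTF-8 check is described as protecting internal interfaces, yet it only runs when var_smtputf8_enable is set. Please extend the comment to say why the disabled case needs no such protection (for example, because the UTF-8 aware table lookups are then inactive), since a reader will otherwise assume the guard is unconditional. The placement before smtpd_cmd_filter also means a command filter never sees the rejected line; that looks intentional but is worth stating in the comment.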
@ -5237,12 +5246,18 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
* Initialize blacklist/etc. patterns before entering the chroot jail, in
* case they specify a filename pattern.
*/
smtpd_noop_cmds = string_list_init(MATCH_FLAG_RETURN, var_smtpd_noop_cmds);
smtpd_forbid_cmds = string_list_init(MATCH_FLAG_RETURN, var_smtpd_forbid_cmds);
verp_clients = namadr_list_init(MATCH_FLAG_RETURN, var_verp_clients);
xclient_hosts = namadr_list_init(MATCH_FLAG_RETURN, var_xclient_hosts);
xforward_hosts = namadr_list_init(MATCH_FLAG_RETURN, var_xforward_hosts);
hogger_list = namadr_list_init(MATCH_FLAG_RETURN
smtpd_noop_cmds = string_list_init(VAR_SMTPD_NOOP_CMDS, MATCH_FLAG_RETURN,
var_smtpd_noop_cmds);
smtpd_forbid_cmds = string_list_init(VAR_SMTPD_FORBID_CMDS,
MATCH_FLAG_RETURN,
var_smtpd_forbid_cmds);
verp_clients = namadr_list_init(VAR_VERP_CLIENTS, MATCH_FLAG_RETURN,
var_verp_clients);
xclient_hosts = namadr_list_init(VAR_XCLIENT_HOSTS, MATCH_FLAG_RETURN,
var_xclient_hosts);
xforward_hosts = namadr_list_init(VAR_XFORWARD_HOSTS, MATCH_FLAG_RETURN,
var_xforward_hosts);
hogger_list = namadr_list_init(VAR_SMTPD_HOGGERS, MATCH_FLAG_RETURN
| match_parent_style(VAR_SMTPD_HOGGERS),
var_smtpd_hoggers);
@ -5267,7 +5282,8 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
if (*var_smtpd_sasl_exceptions_networks)
sasl_exceptions_networks =
namadr_list_init(MATCH_FLAG_RETURN,
namadr_list_init(VAR_SMTPD_SASL_EXCEPTIONS_NETWORKS,
MATCH_FLAG_RETURN,
var_smtpd_sasl_exceptions_networks);
#else
msg_warn("%s is true, but SASL support is not compiled in",

View File

@ -206,7 +206,7 @@
#include <inet_proto.h>
#include <ip_match.h>
#include <valid_utf8_hostname.h>
#include <midna.h>
#include <midna_domain.h>
#include <mynetworks.h>
/* DNS library. */
@ -607,7 +607,8 @@ static ARGV *smtpd_check_parse(int flags, const char *checks)
else if ((flags & SMTPD_CHECK_PARSE_MAPS)
&& strchr(name, ':') && dict_handle(name) == 0) {
dict_register(name, dict_open(name, O_RDONLY, DICT_FLAG_LOCK
| DICT_FLAG_FOLD_FIX));
| DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST));
}
last = name;
}
@ -705,16 +706,17 @@ void smtpd_check_init(void)
* Pre-open access control lists before going to jail.
*/
mynetworks_curr =
namadr_list_init(MATCH_FLAG_RETURN | match_parent_style(VAR_MYNETWORKS),
var_mynetworks);
namadr_list_init(VAR_MYNETWORKS, MATCH_FLAG_RETURN
| match_parent_style(VAR_MYNETWORKS), var_mynetworks);
mynetworks_new =
namadr_list_init(MATCH_FLAG_RETURN | match_parent_style(VAR_MYNETWORKS),
mynetworks_host());
namadr_list_init(VAR_MYNETWORKS, MATCH_FLAG_RETURN
| match_parent_style(VAR_MYNETWORKS), mynetworks_host());
relay_domains =
domain_list_init(match_parent_style(VAR_RELAY_DOMAINS),
domain_list_init(VAR_RELAY_DOMAINS,
match_parent_style(VAR_RELAY_DOMAINS),
var_relay_domains);
perm_mx_networks =
namadr_list_init(MATCH_FLAG_RETURN
namadr_list_init(VAR_PERM_MX_NETWORKS, MATCH_FLAG_RETURN
| match_parent_style(VAR_PERM_MX_NETWORKS),
var_perm_mx_networks);
#ifdef USE_TLS
@ -726,22 +728,30 @@ void smtpd_check_init(void)
* Pre-parse and pre-open the recipient maps.
*/
local_rcpt_maps = maps_create(VAR_LOCAL_RCPT_MAPS, var_local_rcpt_maps,
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
rcpt_canon_maps = maps_create(VAR_RCPT_CANON_MAPS, var_rcpt_canon_maps,
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
canonical_maps = maps_create(VAR_CANONICAL_MAPS, var_canonical_maps,
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
virt_alias_maps = maps_create(VAR_VIRT_ALIAS_MAPS, var_virt_alias_maps,
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
virt_mailbox_maps = maps_create(VAR_VIRT_MAILBOX_MAPS,
var_virt_mailbox_maps,
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
relay_rcpt_maps = maps_create(VAR_RELAY_RCPT_MAPS, var_relay_rcpt_maps,
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
#ifdef TEST
virt_alias_doms = string_list_init(MATCH_FLAG_NONE, var_virt_alias_doms);
virt_mailbox_doms = string_list_init(MATCH_FLAG_NONE, var_virt_mailbox_doms);
virt_alias_doms = string_list_init(VAR_VIRT_ALIAS_DOMS, MATCH_FLAG_NONE,
var_virt_alias_doms);
virt_mailbox_doms = string_list_init(VAR_VIRT_MAILBOX_DOMS, MATCH_FLAG_NONE,
var_virt_mailbox_doms);
#endif
access_parent_style = match_parent_style(SMTPD_ACCESS_MAPS);
@ -750,14 +760,16 @@ void smtpd_check_init(void)
* Templates for RBL rejection replies.
*/
rbl_reply_maps = maps_create(VAR_RBL_REPLY_MAPS, var_rbl_reply_maps,
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
/*
* Sender to login name mapping.
*/
smtpd_sender_login_maps = maps_create(VAR_SMTPD_SND_AUTH_MAPS,
var_smtpd_snd_auth_maps,
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
/*
* error_text is used for returning error responses.
@ -880,7 +892,8 @@ void smtpd_check_init(void)
/*
* Optional permit logging.
*/
smtpd_acl_perm_log = string_list_init(MATCH_FLAG_RETURN,
smtpd_acl_perm_log = string_list_init(VAR_SMTPD_ACL_PERM_LOG,
MATCH_FLAG_RETURN,
var_smtpd_acl_perm_log);
}
@ -1117,11 +1130,29 @@ static const char *check_mail_addr_find(SMTPD_STATE *state,
if ((result = mail_addr_find(maps, key, ext)) != 0 || maps->error == 0)
return (result);
if (maps->error == DICT_ERR_RETRY)
/* Warning is already logged. */
reject_dict_retry(state, reply_name);
else
reject_server_error(state);
}
/* check_dict_get - reject with temporary failure if dict lookup fails */
static const char *check_dict_get(SMTPD_STATE *state, const char *table,
const char *reply_name,
DICT *dict, const char *key)
{
const char *result;
if ((result = dict_get(dict, key)) != 0 || dict->error == 0)
return (result);
if (dict->error == DICT_ERR_RETRY) {
msg_warn("%s: table lookup problem", table);
reject_dict_retry(state, reply_name);
} else
reject_server_error(state);
}
/* reject_unknown_reverse_name - fail if reverse client hostname is unknown */
static int reject_unknown_reverse_name(SMTPD_STATE *state)
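Review bot: check_dict_get() is declared to return `const char *` but has no return statement after reject_dict_retry() or reject_server_error(), so it is only correct if both calls never return. Add a short comment to that effect (or a NOTREACHED marker) so compilers and readers do not treat it as a fall-through. Also, the else branch rejects with a server error without logging the table name, whereas the DICT_ERR_RETRY branch logs "%s: table lookup problem"; logging the table in both branches would make non-retry failures easier to diagnose.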
@ -1417,7 +1448,7 @@ static int reject_unknown_mailhost(SMTPD_STATE *state, const char *name,
* Fix 20140924: convert domain to ASCII.
*/
#ifndef NO_EAI
if (!allascii(name) && (aname = midna_to_ascii(name)) != 0) {
if (!allascii(name) && (aname = midna_domain_to_ascii(name)) != 0) {
if (msg_verbose)
msg_info("%s asciified to %s", name, aname);
name = aname;
@ -1916,7 +1947,7 @@ static int permit_mx_backup(SMTPD_STATE *state, const char *recipient,
* Fix 20140924: convert domain to ASCII.
*/
#ifndef NO_EAI
if (!allascii(domain) && (adomain = midna_to_ascii(domain)) != 0) {
if (!allascii(domain) && (adomain = midna_domain_to_ascii(domain)) != 0) {
if (msg_verbose)
msg_info("%s asciified to %s", domain, adomain);
domain = adomain;
@ -2661,23 +2692,13 @@ static int check_access(SMTPD_STATE *state, const char *table, const char *name,
if ((dict = dict_handle(table)) == 0) {
msg_warn("%s: unexpected dictionary: %s", myname, table);
value = "451 4.3.5 Server configuration error";
CHK_ACCESS_RETURN(check_table_result(state, table, value, name,
reply_name, reply_class,
def_acl), FOUND);
reject_server_error(state);
}
if (flags == 0 || (flags & dict->flags) != 0) {
if ((value = dict_get(dict, name)) != 0)
if ((value = check_dict_get(state, table, reply_name, dict, name)) != 0)
CHK_ACCESS_RETURN(check_table_result(state, table, value, name,
reply_name, reply_class,
def_acl), FOUND);
if (dict->error != 0) {
msg_warn("%s: table lookup problem", table);
value = "451 4.3.5 Server configuration error";
CHK_ACCESS_RETURN(check_table_result(state, table, value, name,
reply_name, reply_class,
def_acl), FOUND);
}
}
CHK_ACCESS_RETURN(SMTPD_CHECK_DUNNO, MISSED);
}
@ -2711,24 +2732,15 @@ static int check_domain_access(SMTPD_STATE *state, const char *table,
if ((dict = dict_handle(table)) == 0) {
msg_warn("%s: unexpected dictionary: %s", myname, table);
value = "451 4.3.5 Server configuration error";
CHK_DOMAIN_RETURN(check_table_result(state, table, value,
domain, reply_name, reply_class,
def_acl), FOUND);
reject_server_error(state);
}
for (name = domain; *name != 0; name = next) {
if (flags == 0 || (flags & dict->flags) != 0) {
if ((value = dict_get(dict, name)) != 0)
if ((value = check_dict_get(state, table, reply_name,
dict, name)) != 0)
CHK_DOMAIN_RETURN(check_table_result(state, table, value,
domain, reply_name, reply_class,
def_acl), FOUND);
if (dict->error != 0) {
msg_warn("%s: table lookup problem", table);
value = "451 4.3.5 Server configuration error";
CHK_DOMAIN_RETURN(check_table_result(state, table, value,
domain, reply_name, reply_class,
def_acl), FOUND);
}
}
/* Don't apply subdomain magic to numerical hostnames. */
if (maybe_numerical
@ -2775,24 +2787,15 @@ static int check_addr_access(SMTPD_STATE *state, const char *table,
if ((dict = dict_handle(table)) == 0) {
msg_warn("%s: unexpected dictionary: %s", myname, table);
value = "451 4.3.5 Server configuration error";
CHK_ADDR_RETURN(check_table_result(state, table, value, address,
reply_name, reply_class,
def_acl), FOUND);
reject_server_error(state);
}
do {
if (flags == 0 || (flags & dict->flags) != 0) {
if ((value = dict_get(dict, addr)) != 0)
if ((value = check_dict_get(state, table, reply_name,
dict, addr)) != 0)
CHK_ADDR_RETURN(check_table_result(state, table, value, address,
reply_name, reply_class,
def_acl), FOUND);
if (dict->error != 0) {
msg_warn("%s: table lookup problem", table);
value = "451 4.3.5 Server configuration error";
CHK_ADDR_RETURN(check_table_result(state, table, value, address,
reply_name, reply_class,
def_acl), FOUND);
}
}
flags = PARTIAL;
} while (split_at_right(addr, delim));
@ -2914,7 +2917,7 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
* Fix 20140924: convert domain to ASCII.
*/
#ifndef NO_EAI
if (!allascii(domain) && (adomain = midna_to_ascii(domain)) != 0) {
if (!allascii(domain) && (adomain = midna_domain_to_ascii(domain)) != 0) {
if (msg_verbose)
msg_info("%s asciified to %s", domain, adomain);
domain = adomain;
@ -3634,7 +3637,7 @@ static const SMTPD_RBL_STATE *find_dnsxl_domain(SMTPD_STATE *state,
* Fix 20140706: convert domain to ASCII.
*/
#ifndef NO_EAI
if (!allascii(domain) && (adomain = midna_to_ascii(domain)) != 0) {
if (!allascii(domain) && (adomain = midna_domain_to_ascii(domain)) != 0) {
if (msg_verbose)
msg_info("%s asciified to %s", domain, adomain);
domain = adomain;
@ -3816,6 +3819,18 @@ static int reject_unauth_sender_login_mismatch(SMTPD_STATE *state, const char *s
#endif
/* valid_utf8_action - validate UTF-8 policy server response */
static int valid_utf8_action(const char *server, const char *action)
{
int retval;
if ((retval = valid_utf8_string(action, strlen(action))) == 0)
msg_warn("malformed UTF-8 in policy server %s response: \"%s\"",
server, action);
return (retval);
}
/* check_policy_service - check delegated policy service */
static int check_policy_service(SMTPD_STATE *state, const char *server,
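Review bot: valid_utf8_action() prints the rejected policy response with `\"%s\"`, and this path by definition handles bytes that just failed UTF-8 validation. Please confirm that msg_warn() neutralizes non-printable and malformed bytes before they reach the log, or log only the server name and the response length. Note also that strlen(action) limits validation to the part before the first null byte, which is fine for a C string but worth a one-line comment.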
@ -3926,7 +3941,8 @@ static int check_policy_service(SMTPD_STATE *state, const char *server,
ATTR_TYPE_END,
ATTR_FLAG_MISSING, /* Reply attributes. */
RECV_ATTR_STR(MAIL_ATTR_ACTION, action),
ATTR_TYPE_END) != 1) {
ATTR_TYPE_END) != 1
|| (var_smtputf8_enable && valid_utf8_action(server, STR(action)) == 0)) {
NOCLOBBER static int nesting_level = 0;
jmp_buf savebuf;
int status;
@ -5963,9 +5979,9 @@ int main(int argc, char **argv)
#define UPDATE_MAPS(ptr, var, val, lock) \
{ if (ptr) maps_free(ptr); ptr = maps_create(var, val, lock); }
#define UPDATE_LIST(ptr, val) \
#define UPDATE_LIST(ptr, var, val) \
{ if (ptr) string_list_free(ptr); \
ptr = string_list_init(MATCH_FLAG_NONE, val); }
ptr = string_list_init(var, MATCH_FLAG_NONE, val); }
case 2:
if (strcasecmp(args->argv[0], VAR_MYDEST) == 0) {
@ -5979,13 +5995,14 @@ int main(int argc, char **argv)
UPDATE_STRING(var_virt_alias_maps, args->argv[1]);
UPDATE_MAPS(virt_alias_maps, VAR_VIRT_ALIAS_MAPS,
var_virt_alias_maps, DICT_FLAG_LOCK
| DICT_FLAG_FOLD_FIX);
| DICT_FLAG_FOLD_FIX | DICT_FLAG_UTF8_REQUEST);
resp = 0;
break;
}
if (strcasecmp(args->argv[0], VAR_VIRT_ALIAS_DOMS) == 0) {
UPDATE_STRING(var_virt_alias_doms, args->argv[1]);
UPDATE_LIST(virt_alias_doms, var_virt_alias_doms);
UPDATE_LIST(virt_alias_doms, VAR_VIRT_ALIAS_DOMS,
var_virt_alias_doms);
smtpd_resolve_init(100);
resp = 0;
break;
@ -5994,13 +6011,14 @@ int main(int argc, char **argv)
UPDATE_STRING(var_virt_mailbox_maps, args->argv[1]);
UPDATE_MAPS(virt_mailbox_maps, VAR_VIRT_MAILBOX_MAPS,
var_virt_mailbox_maps, DICT_FLAG_LOCK
| DICT_FLAG_FOLD_FIX);
| DICT_FLAG_FOLD_FIX | DICT_FLAG_UTF8_REQUEST);
resp = 0;
break;
}
if (strcasecmp(args->argv[0], VAR_VIRT_MAILBOX_DOMS) == 0) {
UPDATE_STRING(var_virt_mailbox_doms, args->argv[1]);
UPDATE_LIST(virt_mailbox_doms, var_virt_mailbox_doms);
UPDATE_LIST(virt_mailbox_doms, VAR_VIRT_MAILBOX_DOMS,
var_virt_mailbox_doms);
smtpd_resolve_init(100);
resp = 0;
break;
@ -6009,7 +6027,7 @@ int main(int argc, char **argv)
UPDATE_STRING(var_local_rcpt_maps, args->argv[1]);
UPDATE_MAPS(local_rcpt_maps, VAR_LOCAL_RCPT_MAPS,
var_local_rcpt_maps, DICT_FLAG_LOCK
| DICT_FLAG_FOLD_FIX);
| DICT_FLAG_FOLD_FIX | DICT_FLAG_UTF8_REQUEST);
resp = 0;
break;
}
@ -6017,7 +6035,7 @@ int main(int argc, char **argv)
UPDATE_STRING(var_relay_rcpt_maps, args->argv[1]);
UPDATE_MAPS(relay_rcpt_maps, VAR_RELAY_RCPT_MAPS,
var_relay_rcpt_maps, DICT_FLAG_LOCK
| DICT_FLAG_FOLD_FIX);
| DICT_FLAG_FOLD_FIX | DICT_FLAG_UTF8_REQUEST);
resp = 0;
break;
}
@ -6025,7 +6043,7 @@ int main(int argc, char **argv)
UPDATE_STRING(var_canonical_maps, args->argv[1]);
UPDATE_MAPS(canonical_maps, VAR_CANONICAL_MAPS,
var_canonical_maps, DICT_FLAG_LOCK
| DICT_FLAG_FOLD_FIX);
| DICT_FLAG_FOLD_FIX | DICT_FLAG_UTF8_REQUEST);
resp = 0;
break;
}
@ -6033,7 +6051,7 @@ int main(int argc, char **argv)
UPDATE_STRING(var_rbl_reply_maps, args->argv[1]);
UPDATE_MAPS(rbl_reply_maps, VAR_RBL_REPLY_MAPS,
var_rbl_reply_maps, DICT_FLAG_LOCK
| DICT_FLAG_FOLD_FIX);
| DICT_FLAG_FOLD_FIX | DICT_FLAG_UTF8_REQUEST);
resp = 0;
break;
}
@ -6041,7 +6059,7 @@ int main(int argc, char **argv)
/* NOT: UPDATE_STRING */
namadr_list_free(mynetworks_curr);
mynetworks_curr =
namadr_list_init(MATCH_FLAG_RETURN
namadr_list_init(VAR_MYNETWORKS, MATCH_FLAG_RETURN
| match_parent_style(VAR_MYNETWORKS),
args->argv[1]);
smtpd_resolve_init(100);
@ -6052,7 +6070,8 @@ int main(int argc, char **argv)
/* NOT: UPDATE_STRING */
domain_list_free(relay_domains);
relay_domains =
domain_list_init(match_parent_style(VAR_RELAY_DOMAINS),
domain_list_init(VAR_RELAY_DOMAINS,
match_parent_style(VAR_RELAY_DOMAINS),
args->argv[1]);
smtpd_resolve_init(100);
resp = 0;
@ -6062,7 +6081,7 @@ int main(int argc, char **argv)
UPDATE_STRING(var_perm_mx_networks, args->argv[1]);
domain_list_free(perm_mx_networks);
perm_mx_networks =
namadr_list_init(MATCH_FLAG_RETURN
namadr_list_init(VAR_PERM_MX_NETWORKS, MATCH_FLAG_RETURN
| match_parent_style(VAR_PERM_MX_NETWORKS),
args->argv[1]);
resp = 0;
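Review bot: in this test-driver branch perm_mx_networks is released with domain_list_free() but created with namadr_list_init(). The mismatch is in unchanged context, but since the hunk touches the neighbouring line it is a good moment to use the matching namadr_list_free(), as the mynetworks branch above already does with mynetworks_curr.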

View File

@ -11,8 +11,8 @@ OK
>>> # Expect: REJECT (temporary lookup failure)
>>> helo foobar
./smtpd_check: warning: fail:1_helo_access: table lookup problem
./smtpd_check: <queue id>: reject: HELO from localhost[127.0.0.1]: 451 4.3.5 <foobar>: Helo command rejected: Server configuration error; proto=SMTP helo=<foobar>
451 4.3.5 <foobar>: Helo command rejected: Server configuration error
./smtpd_check: <queue id>: reject: HELO from localhost[127.0.0.1]: 451 4.3.0 <foobar>: Temporary lookup failure; proto=SMTP helo=<foobar>
451 4.3.0 <foobar>: Temporary lookup failure
>>> #
>>> # Test check_namadr_access()
>>> #
@ -21,8 +21,8 @@ OK
>>> # Expect: REJECT (temporary lookup failure)
>>> client foo.dunno.com 131.155.210.17
./smtpd_check: warning: fail:1_client_access: table lookup problem
./smtpd_check: <queue id>: reject: CONNECT from foo.dunno.com[131.155.210.17]: 451 4.3.5 <foo.dunno.com[131.155.210.17]>: Client host rejected: Server configuration error; proto=SMTP helo=<foobar>
451 4.3.5 <foo.dunno.com[131.155.210.17]>: Client host rejected: Server configuration error
./smtpd_check: <queue id>: reject: CONNECT from foo.dunno.com[131.155.210.17]: 451 4.3.0 <foo.dunno.com[131.155.210.17]>: Temporary lookup failure; proto=SMTP helo=<foobar>
451 4.3.0 <foo.dunno.com[131.155.210.17]>: Temporary lookup failure
>>> #
>>> # Test check_mail_access()
>>> #
@ -31,8 +31,8 @@ OK
>>> # Expect: REJECT (temporary lookup failure)
>>> mail reject@dunno.domain
./smtpd_check: warning: fail:1_sender_access: table lookup problem
./smtpd_check: <queue id>: reject: MAIL from foo.dunno.com[131.155.210.17]: 451 4.3.5 <reject@dunno.domain>: Sender address rejected: Server configuration error; from=<reject@dunno.domain> proto=SMTP helo=<foobar>
451 4.3.5 <reject@dunno.domain>: Sender address rejected: Server configuration error
./smtpd_check: <queue id>: reject: MAIL from foo.dunno.com[131.155.210.17]: 451 4.3.0 <reject@dunno.domain>: Temporary lookup failure; from=<reject@dunno.domain> proto=SMTP helo=<foobar>
451 4.3.0 <reject@dunno.domain>: Temporary lookup failure
>>> #
>>> # Test check_rcpt_access()
>>> #
@ -41,8 +41,8 @@ OK
>>> # Expect: REJECT (temporary lookup failure)
>>> rcpt reject@dunno.domain
./smtpd_check: warning: fail:1_rcpt_access: table lookup problem
./smtpd_check: <queue id>: reject: RCPT from foo.dunno.com[131.155.210.17]: 451 4.3.5 <reject@dunno.domain>: Recipient address rejected: Server configuration error; from=<reject@dunno.domain> to=<reject@dunno.domain> proto=SMTP helo=<foobar>
451 4.3.5 <reject@dunno.domain>: Recipient address rejected: Server configuration error
./smtpd_check: <queue id>: reject: RCPT from foo.dunno.com[131.155.210.17]: 451 4.3.0 <reject@dunno.domain>: Temporary lookup failure; from=<reject@dunno.domain> to=<reject@dunno.domain> proto=SMTP helo=<foobar>
451 4.3.0 <reject@dunno.domain>: Temporary lookup failure
>>> # Expect: OK
>>> rcpt postmaster
OK
@ -57,7 +57,7 @@ OK
>>> recipient_restrictions permit_mynetworks
OK
>>> rcpt reject@dunno.domain
./smtpd_check: warning: fail:1_mynetworks: table lookup problem
./smtpd_check: warning: mynetworks: fail:1_mynetworks: table lookup problem
./smtpd_check: <queue id>: reject: RCPT from foo.dunno.com[131.155.210.17]: 451 4.3.0 <reject@dunno.domain>: Temporary lookup failure; from=<reject@dunno.domain> to=<reject@dunno.domain> proto=SMTP helo=<foobar>
451 4.3.0 <reject@dunno.domain>: Temporary lookup failure
>>> #
@ -69,7 +69,7 @@ OK
>>> # Expect REJECT (server configuration error)
>>> #
>>> rcpt reject@dunno.domain
./smtpd_check: warning: non-null host address bits in "168.100.189.1/27", perhaps you should use "168.100.189.0/27" instead
./smtpd_check: warning: mynetworks: non-null host address bits in "168.100.189.1/27", perhaps you should use "168.100.189.0/27" instead
./smtpd_check: <queue id>: reject: RCPT from foo.dunno.com[131.155.210.17]: 451 4.3.0 <reject@dunno.domain>: Temporary lookup failure; from=<reject@dunno.domain> to=<reject@dunno.domain> proto=SMTP helo=<foobar>
451 4.3.0 <reject@dunno.domain>: Temporary lookup failure
>>> #
@ -79,8 +79,8 @@ OK
OK
>>> mail <>
./smtpd_check: warning: fail:1_sender_access: table lookup problem
./smtpd_check: <queue id>: reject: MAIL from foo.dunno.com[131.155.210.17]: 451 4.3.5 <>: Sender address rejected: Server configuration error; from=<> proto=SMTP helo=<foobar>
451 4.3.5 <>: Sender address rejected: Server configuration error
./smtpd_check: <queue id>: reject: MAIL from foo.dunno.com[131.155.210.17]: 451 4.3.0 <>: Temporary lookup failure; from=<> proto=SMTP helo=<foobar>
451 4.3.0 <>: Temporary lookup failure
>>> #
>>> # Test permit_tls_client_certs in generic_restrictions
>>> #
@ -119,7 +119,7 @@ OK
>>> mydestination fail:1_mydestination
OK
>>> rcpt user@example.com
./smtpd_check: warning: fail:1_mydestination: table lookup problem
./smtpd_check: warning: mydestination: fail:1_mydestination: table lookup problem
./smtpd_check: <queue id>: reject: RCPT from foo.dunno.com[131.155.210.17]: 451 4.3.0 <user@example.com>: Temporary lookup failure; from=<> to=<user@example.com> proto=SMTP helo=<foobar>
451 4.3.0 <user@example.com>: Temporary lookup failure
>>> #

View File

@ -140,7 +140,7 @@ tls_client.o: ../../include/dict.h
tls_client.o: ../../include/dns.h
tls_client.o: ../../include/iostuff.h
tls_client.o: ../../include/mail_params.h
tls_client.o: ../../include/midna.h
tls_client.o: ../../include/midna_domain.h
tls_client.o: ../../include/msg.h
tls_client.o: ../../include/myaddrinfo.h
tls_client.o: ../../include/myflock.h

View File

@ -296,23 +296,61 @@ extern void tls_param_init(void);
* Protocol selection.
*/
#define TLS_PROTOCOL_INVALID (~0) /* All protocol bits masked */
#ifdef SSL_TXT_SSLV2
#define TLS_PROTOCOL_SSLv2 (1<<0) /* SSLv2 */
#else
#define SSL_TXT_SSLV2 "SSLv2"
#define TLS_PROTOCOL_SSLv2 0 /* Unknown */
#undef SSL_OP_NO_SSLv2
#define SSL_OP_NO_SSLv2 0L /* Noop */
#endif
#ifdef SSL_TXT_SSLV3
#define TLS_PROTOCOL_SSLv3 (1<<1) /* SSLv3 */
#else
#define SSL_TXT_SSLV3 "SSLv3"
#define TLS_PROTOCOL_SSLv3 0 /* Unknown */
#undef SSL_OP_NO_SSLv3
#define SSL_OP_NO_SSLv3 0L /* Noop */
#endif
#ifdef SSL_TXT_TLSV1
#define TLS_PROTOCOL_TLSv1 (1<<2) /* TLSv1 */
#else
#define SSL_TXT_TLSV1 "TLSv1"
#define TLS_PROTOCOL_TLSv1 0 /* Unknown */
#undef SSL_OP_NO_TLSv1
#define SSL_OP_NO_TLSv1 0L /* Noop */
#endif
#ifdef SSL_TXT_TLSV1_1
#define TLS_PROTOCOL_TLSv1_1 (1<<3) /* TLSv1_1 */
#else
#define SSL_TXT_TLSV1_1 "TLSv1.1"
#define TLS_PROTOCOL_TLSv1_1 0 /* Unknown */
#undef SSL_OP_NO_TLSv1_1
#define SSL_OP_NO_TLSv1_1 0L /* Noop */
#endif
#ifdef SSL_TXT_TLSV1_2
#define TLS_PROTOCOL_TLSv1_2 (1<<4) /* TLSv1_2 */
#else
#define SSL_TXT_TLSV1_2 "TLSv1.2"
#define TLS_PROTOCOL_TLSv1_2 0 /* Unknown */
#undef SSL_OP_NO_TLSv1_2
#define SSL_OP_NO_TLSv1_2 0L /* Noop */
#endif
#ifdef SSL_TXT_TLSV1_3
#define TLS_PROTOCOL_TLSv1_3 (1<<5) /* TLSv1_3 */
#else
#define SSL_TXT_TLSV1_3 "TLSv1.3"
#define TLS_PROTOCOL_TLSv1_3 0 /* Unknown */
#undef SSL_OP_NO_TLSv1_3
#define SSL_OP_NO_TLSv1_3 0L /* Noop */
#endif
#define TLS_KNOWN_PROTOCOLS \
( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
| TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 )
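Review bot: TLS_KNOWN_PROTOCOLS, shown as unchanged context at the end of this hunk, still ends at TLS_PROTOCOL_TLSv1_2 even though the hunk introduces TLS_PROTOCOL_TLSv1_3 and the following hunk maps that bit to SSL_OP_NO_TLSv1_3. If this mask is used to validate or complement protocol lists, the new bit will not take part in that logic. Either add `| TLS_PROTOCOL_TLSv1_3` to the mask or document why it is left out.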
@ -321,7 +359,8 @@ extern void tls_param_init(void);
| (((m) & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) \
| (((m) & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L) \
| (((m) & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L) \
| (((m) & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L))
| (((m) & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L) \
| (((m) & TLS_PROTOCOL_TLSv1_3) ? SSL_OP_NO_TLSv1_3 : 0L))
/*
* SSL options that are managed via dedicated Postfix features, rather than
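Review bot: the added TLSv1_3 term depends on SSL_OP_NO_TLSv1_3, which this header defines itself only in the #else branch of `#ifdef SSL_TXT_TLSV1_3`; when the text macro is present, the option constant is assumed to come from the library headers. Keying the fallback on the option macro itself (`#ifndef SSL_OP_NO_TLSv1_3`) would keep this macro compiling whichever of the two names the library provides. A one-line comment that the term becomes a no-op when the protocol bit is 0 would also help the next reader.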

View File

@ -140,7 +140,7 @@
#include <stringops.h>
#include <msg.h>
#include <iostuff.h> /* non-blocking */
#include <midna.h>
#include <midna_domain.h>
/* Global library. */
@ -535,7 +535,7 @@ static int match_servername(const char *certid,
*/
if (!allascii(certid))
return (0);
if (!allascii(nexthop) && (aname = midna_to_ascii(nexthop)) != 0) {
if (!allascii(nexthop) && (aname = midna_domain_to_ascii(nexthop)) != 0) {
if (msg_verbose)
msg_info("%s asciified to %s", nexthop, aname);
nexthop = aname;
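Review bot: when midna_domain_to_ascii(nexthop) returns 0, the condition is simply false and the visible code carries on with the original non-ASCII nexthop, with no log line. Consider logging the failed conversion (at least under msg_verbose), so that a mismatch caused by a nexthop that cannot be converted is distinguishable in the logs from an ordinary certificate name mismatch.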
@ -565,13 +565,19 @@ static int match_servername(const char *certid,
#ifndef NO_EAI
/*
* IDNA allows labels to be separated by any of the additional
* characters U+3002, U+FF0E, and U+FF61; that are Unicode
* variants. Their UTF-8 encodings are: E38082, EFBC8E and
* EFBDA1.
* Besides U+002E (full stop) IDNA2003 allows labels to be
* separated by any of the Unicode variants U+3002 (ideographic
* full stop), U+FF0E (fullwidth full stop), and U+FF61
* (halfwidth ideographic full stop). Their respective UTF-8
* encodings are: E38082, EFBC8E and EFBDA1.
*
* It is not clear whether the IDNA to_ASCII conversion allows empty
* leading labels, so we handle these explicitly here.
* IDNA2008 does not permit (upper) case and other variant
* differences in U-labels. The midna_domain_to_ascii() function,
* based on UTS46, midna_domain_to_ascii() normalizes the
* differences away.
*
* The IDNA to_ASCII conversion does not allow empty leading labels,
* so we handle these explicitly here.
*/
else {
unsigned char *cp = (unsigned char *) domain;
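Review bot: the rewritten comment has a duplicated subject in its second paragraph: "The midna_domain_to_ascii() function, based on UTS46, midna_domain_to_ascii() normalizes the differences away." Suggest "The midna_domain_to_ascii() function, based on UTS46, normalizes the differences away." Since the first paragraph cites IDNA2003 for the separators and the second cites IDNA2008 for case, it would also help to say in one sentence which of the two the code follows for each.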
@ -586,7 +592,7 @@ static int match_servername(const char *certid,
}
}
if (!allascii(domain)
&& (aname = midna_to_ascii(domain)) != 0) {
&& (aname = midna_domain_to_ascii(domain)) != 0) {
if (msg_verbose)
msg_info("%s asciified to %s", domain, aname);
domain = aname;
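Review bot: the lifetime of the returned string is not stated at this call site. Here aname is assigned to domain, while nexthop may already point at the result of the earlier midna_domain_to_ascii(nexthop) call in the same function. Please add a comment (or a pointer to the contract in midna_domain.h) confirming that the first result stays valid across a second conversion, or copy it before converting domain.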

View File

@ -82,6 +82,7 @@
#define TLS_INTERNAL
#include <tls.h>
#include <openssl/dh.h>
/* Application-specific. */

Some files were not shown because too many files have changed in this diff.