mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-22 09:57:34 +00:00
Code Issues Releases Wiki Activity

postfix-3.5-20190908

Browse Source
This commit is contained in:
Wietse Venema 2019-09-08 00:00:00 -05:00 committed by Viktor Dukhovni
parent bb8da60fce
commit 1a2bf1fc7c
9 changed files with 251 additions and 230 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
postfix/HISTORY
View File

@ -24354,3 +24354,45 @@ Apologies for any names omitted.
Safety: vstring_set_payload_size() now checks that the
payload has not overwritten the safety terminator at the
end of the VSTRING buffer. File: util/vstream.c.
20190813
Documentation: access(5) map network address pattern syntax.
File: proto/access.
20190820
Workaround for poor TCP loopback performance on LINUX, where
getsockopt(..., TCP_MAXSEG, ..) reports a TCP maximal segment
size that is 1/2 to 1/3 of the MTU. For example, with kernel
5.1.16-300.fc30.x86_64 the TCP client and server announce
an mss of 65495 in the TCP handshake, but getsockopt()
returns 32741 (less than half). As a matter of principle,
Postfix won't turn on client-side TCP_NODELAY because that
hides application performance bugs, and because that still
suffers from server-side delayed ACKs. Instead, Postfix
avoids sending "small" writes back-to-back, by choosing a
VSTREAM buffer size that is a multiple of the reported
MSS. This workaround bumps the multiplier from 2x to 4x.
File: util/vstream_tweak.c.
20190825
Bugfix (introduced: 20051222): the Dovecot client could
segfault (null pointer read) or cause an SMTP server assertion
to fail when talking to a fake Dovecot server. The client
now logs a proper error instead. Problem reported by Tim
Düsterhus. File: xsasl/xsasl_dovecot_server.c.
20190906
Bugfix (introduced: Postfix 3.4): don't whitewash OpenSSL
error results after a plaintext output error. The code could
loop, and with some OpenSSL error results could flood the
log with error messages (see below for a specific case).
Problem reported by Andreas Schulze. File: tlsproxy/tlsproxy.c.
Bitrot: don't invoke SSL_shutdown() when the SSL engine
thinks it is processing a handshake. As of OpenSSL 1.something
this returns SSL_ERROR_SSL instead of SSL_ERROR_NONE. File:
tlsproxy/tlsproxy.c.

279
postfix/conf/access
View File

@ -122,21 +122,17 @@
#
# net.work
#
# net Matches the specified IPv4 host address or subnet-
# work. An IPv4 host address is a sequence of four
# decimal octets separated by ".".
# net Matches a remote IPv4 host address or network
# address range. Specify one to four decimal octets
# separated by ".". Do not specify "[]" , "/", lead-
# ing zeros, or hexadecimal forms.
#
# Subnetworks are matched by repeatedly truncating
# the last ".octet" from the remote IPv4 host address
# string until a match is found in the access table,
# Network ranges are matched by repeatedly truncating
# the last ".octet" from a remote IPv4 host address
# string, until a match is found in the access table,
# or until further truncation is not possible.
#
# NOTE 1: The access map lookup key must be in canon-
# ical form: do not specify unnecessary null charac-
# ters, and do not enclose network address informa-
# tion with "[]" characters.
#
# NOTE 2: use the cidr lookup table type to specify
# NOTE: use the cidr lookup table type to specify
# network/netmask patterns. See cidr_table(5) for
# details.
#
@ -146,25 +142,20 @@
#
# net:work
#
# net Matches the specified IPv6 host address or subnet-
# work. An IPv6 host address is a sequence of three
# to eight hexadecimal octet pairs separated by ":".
# net Matches a remote IPv6 host address or network
# address range. Specify three to eight hexadecimal
# octet pairs separated by ":", using the compressed
# form "::" for a sequence of zero-valued octet
# pairs. Do not specify "[]", "/", leading zeros, or
# non-compressed forms.
#
# Subnetworks are matched by repeatedly truncating
# the last ":octetpair" from the remote IPv6 host
# address string until a match is found in the access
# table, or until further truncation is not possible.
# A network range is matched by repeatedly truncating
# the last ":octetpair" from the compressed-form
# remote IPv6 host address string, until a match is
# found in the access table, or until further trunca-
# tion is not possible.
#
# NOTE 1: the truncation and comparison are done with
# the string representation of the IPv6 host address.
# Thus, not all the ":" subnetworks will be tried.
#
# NOTE 2: The access map lookup key must be in canon-
# ical form: do not specify unnecessary null charac-
# ters, and do not enclose network address informa-
# tion with "[]" characters.
#
# NOTE 3: use the cidr lookup table type to specify
# NOTE: use the cidr lookup table type to specify
# network/netmask patterns. See cidr_table(5) for
# details.
#
@ -175,64 +166,64 @@
#
# all-numerical
# An all-numerical result is treated as OK. This for-
# mat is generated by address-based relay authoriza-
# mat is generated by address-based relay authoriza-
# tion schemes such as pop-before-smtp.
#
# For other accept actions, see "OTHER ACTIONS" below.
#
# REJECT ACTIONS
# Postfix version 2.3 and later support enhanced status
# codes as defined in RFC 3463. When no code is specified
# at the beginning of the text below, Postfix inserts a
# default enhanced status code of "5.7.1" in the case of
# reject actions, and "4.7.1" in the case of defer actions.
# Postfix version 2.3 and later support enhanced status
# codes as defined in RFC 3463. When no code is specified
# at the beginning of the text below, Postfix inserts a
# default enhanced status code of "5.7.1" in the case of
# reject actions, and "4.7.1" in the case of defer actions.
# See "ENHANCED STATUS CODES" below.
#
# 4NN text
#
# 5NN text
# Reject the address etc. that matches the pattern,
# Reject the address etc. that matches the pattern,
# and respond with the numerical three-digit code and
# text. 4NN means "try again later", while 5NN means
# text. 4NN means "try again later", while 5NN means
# "do not try again".
#
# The following responses have special meaning for
# The following responses have special meaning for
# the Postfix SMTP server:
#
# 421 text (Postfix 2.3 and later)
#
# 521 text (Postfix 2.6 and later)
# After responding with the numerical
# three-digit code and text, disconnect imme-
# After responding with the numerical
# three-digit code and text, disconnect imme-
# diately from the SMTP client. This frees up
# SMTP server resources so that they can be
# SMTP server resources so that they can be
# made available to another SMTP client.
#
# Note: The "521" response should be used only
# with botnets and other malware where inter-
# with botnets and other malware where inter-
# operability is of no concern. The "send 521
# and disconnect" behavior is NOT defined in
# and disconnect" behavior is NOT defined in
# the SMTP standard.
#
# REJECT optional text...
# Reject the address etc. that matches the pattern.
# Reply with "$access_map_reject_code optional
# text..." when the optional text is specified, oth-
# Reject the address etc. that matches the pattern.
# Reply with "$access_map_reject_code optional
# text..." when the optional text is specified, oth-
# erwise reply with a generic error response message.
#
# DEFER optional text...
# Reject the address etc. that matches the pattern.
# Reply with "$access_map_defer_code optional
# text..." when the optional text is specified, oth-
# Reject the address etc. that matches the pattern.
# Reply with "$access_map_defer_code optional
# text..." when the optional text is specified, oth-
# erwise reply with a generic error response message.
#
# This feature is available in Postfix 2.6 and later.
#
# DEFER_IF_REJECT optional text...
# Defer the request if some later restriction would
# result in a REJECT action. Reply with
# "$access_map_defer_code 4.7.1 optional text..."
# when the optional text is specified, otherwise
# Defer the request if some later restriction would
# result in a REJECT action. Reply with
# "$access_map_defer_code 4.7.1 optional text..."
# when the optional text is specified, otherwise
# reply with a generic error response message.
#
# Prior to Postfix 2.6, the SMTP reply code is 450.
@ -240,10 +231,10 @@
# This feature is available in Postfix 2.1 and later.
#
# DEFER_IF_PERMIT optional text...
# Defer the request if some later restriction would
# result in a an explicit or implicit PERMIT action.
# Reply with "$access_map_defer_code 4.7.1 optional
# text..." when the optional text is specified, oth-
# Defer the request if some later restriction would
# result in a an explicit or implicit PERMIT action.
# Reply with "$access_map_defer_code 4.7.1 optional
# text..." when the optional text is specified, oth-
# erwise reply with a generic error response message.
#
# Prior to Postfix 2.6, the SMTP reply code is 450.
@ -258,195 +249,195 @@
# reject_unauth_destination, and so on).
#
# BCC user@domain
# Send one copy of the message to the specified
# Send one copy of the message to the specified
# recipient.
#
# If multiple BCC actions are specified within the
# same SMTP MAIL transaction, with Postfix 3.0 only
# If multiple BCC actions are specified within the
# same SMTP MAIL transaction, with Postfix 3.0 only
# the last action will be used.
#
# This feature is available in Postfix 3.0 and later.
#
# DISCARD optional text...
# Claim successful delivery and silently discard the
# message. Log the optional text if specified, oth-
# Claim successful delivery and silently discard the
# message. Log the optional text if specified, oth-
# erwise log a generic message.
#
# Note: this action currently affects all recipients
# of the message. To discard only one recipient
# without discarding the entire message, use the
# Note: this action currently affects all recipients
# of the message. To discard only one recipient
# without discarding the entire message, use the
# transport(5) table to direct mail to the discard(8)
# service.
#
# This feature is available in Postfix 2.0 and later.
#
# DUNNO Pretend that the lookup key was not found. This
# prevents Postfix from trying substrings of the
# lookup key (such as a subdomain name, or a network
# DUNNO Pretend that the lookup key was not found. This
# prevents Postfix from trying substrings of the
# lookup key (such as a subdomain name, or a network
# address subnetwork).
#
# This feature is available in Postfix 2.0 and later.
#
# FILTER transport:destination
# After the message is queued, send the entire mes-
# After the message is queued, send the entire mes-
# sage through the specified external content filter.
# The transport name specifies the first field of a
# mail delivery agent definition in master.cf; the
# syntax of the next-hop destination is described in
# The transport name specifies the first field of a
# mail delivery agent definition in master.cf; the
# syntax of the next-hop destination is described in
# the manual page of the corresponding delivery
# agent. More information about external content
# agent. More information about external content
# filters is in the Postfix FILTER_README file.
#
# Note 1: do not use $number regular expression sub-
# stitutions for transport or destination unless you
# Note 1: do not use $number regular expression sub-
# stitutions for transport or destination unless you
# know that the information has a trusted origin.
#
# Note 2: this action overrides the main.cf con-
# tent_filter setting, and affects all recipients of
# the message. In the case that multiple FILTER
# Note 2: this action overrides the main.cf con-
# tent_filter setting, and affects all recipients of
# the message. In the case that multiple FILTER
# actions fire, only the last one is executed.
#
# Note 3: the purpose of the FILTER command is to
# override message routing. To override the recipi-
# ent's transport but not the next-hop destination,
# specify an empty filter destination (Postfix 2.7
# Note 3: the purpose of the FILTER command is to
# override message routing. To override the recipi-
# ent's transport but not the next-hop destination,
# specify an empty filter destination (Postfix 2.7
# and later), or specify a transport:destination that
# delivers through a different Postfix instance
# (Postfix 2.6 and earlier). Other options are using
# the recipient-dependent transport_maps or the sen-
# delivers through a different Postfix instance
# (Postfix 2.6 and earlier). Other options are using
# the recipient-dependent transport_maps or the sen-
# der-dependent sender_dependent_default_transport-
# _maps features.
#
# This feature is available in Postfix 2.0 and later.
#
# HOLD optional text...
# Place the message on the hold queue, where it will
# sit until someone either deletes it or releases it
# for delivery. Log the optional text if specified,
# Place the message on the hold queue, where it will
# sit until someone either deletes it or releases it
# for delivery. Log the optional text if specified,
# otherwise log a generic message.
#
# Mail that is placed on hold can be examined with
# the postcat(1) command, and can be destroyed or
# Mail that is placed on hold can be examined with
# the postcat(1) command, and can be destroyed or
# released with the postsuper(1) command.
#
# Note: use "postsuper -r" to release mail that was
# kept on hold for a significant fraction of $maxi-
# Note: use "postsuper -r" to release mail that was
# kept on hold for a significant fraction of $maxi-
# mal_queue_lifetime or $bounce_queue_lifetime, or
# longer. Use "postsuper -H" only for mail that will
# longer. Use "postsuper -H" only for mail that will
# not expire within a few delivery attempts.
#
# Note: this action currently affects all recipients
# Note: this action currently affects all recipients
# of the message.
#
# This feature is available in Postfix 2.0 and later.
#
# PREPEND headername: headervalue
# Prepend the specified message header to the mes-
# sage. When more than one PREPEND action executes,
# the first prepended header appears before the sec-
# Prepend the specified message header to the mes-
# sage. When more than one PREPEND action executes,
# the first prepended header appears before the sec-
# ond etc. prepended header.
#
# Note: this action must execute before the message
# content is received; it cannot execute in the con-
# Note: this action must execute before the message
# content is received; it cannot execute in the con-
# text of smtpd_end_of_data_restrictions.
#
# This feature is available in Postfix 2.1 and later.
#
# REDIRECT user@domain
# After the message is queued, send the message to
# After the message is queued, send the message to
# the specified address instead of the intended
# recipient(s). When multiple REDIRECT actions fire,
# only the last one takes effect.
#
# Note: this action overrides the FILTER action, and
# currently overrides all recipients of the message.
# Note: this action overrides the FILTER action, and
# currently overrides all recipients of the message.
#
# This feature is available in Postfix 2.1 and later.
#
# INFO optional text...
# Log an informational record with the optional text,
# together with client information and if available,
# with helo, sender, recipient and protocol informa-
# together with client information and if available,
# with helo, sender, recipient and protocol informa-
# tion.
#
# This feature is available in Postfix 3.0 and later.
#
# WARN optional text...
# Log a warning with the optional text, together with
# client information and if available, with helo,
# client information and if available, with helo,
# sender, recipient and protocol information.
#
# This feature is available in Postfix 2.1 and later.
#
# ENHANCED STATUS CODES
# Postfix version 2.3 and later support enhanced status
# codes as defined in RFC 3463. When an enhanced status
# code is specified in an access table, it is subject to
# modification. The following transformations are needed
# when the same access table is used for client, helo,
# sender, or recipient access restrictions; they happen
# Postfix version 2.3 and later support enhanced status
# codes as defined in RFC 3463. When an enhanced status
# code is specified in an access table, it is subject to
# modification. The following transformations are needed
# when the same access table is used for client, helo,
# sender, or recipient access restrictions; they happen
# regardless of whether Postfix replies to a MAIL FROM, RCPT
# TO or other SMTP command.
#
# o When a sender address matches a REJECT action, the
# Postfix SMTP server will transform a recipient DSN
# status (e.g., 4.1.1-4.1.6) into the corresponding
# o When a sender address matches a REJECT action, the
# Postfix SMTP server will transform a recipient DSN
# status (e.g., 4.1.1-4.1.6) into the corresponding
# sender DSN status, and vice versa.
#
# o When non-address information matches a REJECT
# action (such as the HELO command argument or the
# client hostname/address), the Postfix SMTP server
# will transform a sender or recipient DSN status
# into a generic non-address DSN status (e.g.,
# o When non-address information matches a REJECT
# action (such as the HELO command argument or the
# client hostname/address), the Postfix SMTP server
# will transform a sender or recipient DSN status
# into a generic non-address DSN status (e.g.,
# 4.0.0).
#
# REGULAR EXPRESSION TABLES
# This section describes how the table lookups change when
# This section describes how the table lookups change when
# the table is given in the form of regular expressions. For
# a description of regular expression lookup table syntax,
# a description of regular expression lookup table syntax,
# see regexp_table(5) or pcre_table(5).
#
# Each pattern is a regular expression that is applied to
# Each pattern is a regular expression that is applied to
# the entire string being looked up. Depending on the appli-
# cation, that string is an entire client hostname, an
# cation, that string is an entire client hostname, an
# entire client IP address, or an entire mail address. Thus,
# no parent domain or parent network search is done,
# user@domain mail addresses are not broken up into their
# user@domain mail addresses are not broken up into their
# user@ and domain constituent parts, nor is user+foo broken
# up into user and foo.
#
# Patterns are applied in the order as specified in the ta-
# ble, until a pattern is found that matches the search
# Patterns are applied in the order as specified in the ta-
# ble, until a pattern is found that matches the search
# string.
#
# Actions are the same as with indexed file lookups, with
# the additional feature that parenthesized substrings from
# Actions are the same as with indexed file lookups, with
# the additional feature that parenthesized substrings from
# the pattern can be interpolated as $1, $2 and so on.
#
# TCP-BASED TABLES
# This section describes how the table lookups change when
# This section describes how the table lookups change when
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
# ble(5). This feature is not available up to and including
# Postfix version 2.4.
#
# Each lookup operation uses the entire query string once.
# Depending on the application, that string is an entire
# Each lookup operation uses the entire query string once.
# Depending on the application, that string is an entire
# client hostname, an entire client IP address, or an entire
# mail address. Thus, no parent domain or parent network
# search is done, user@domain mail addresses are not broken
# up into their user@ and domain constituent parts, nor is
# mail address. Thus, no parent domain or parent network
# search is done, user@domain mail addresses are not broken
# up into their user@ and domain constituent parts, nor is
# user+foo broken up into user and foo.
#
# Actions are the same as with indexed file lookups.
#
# EXAMPLE
# The following example uses an indexed file, so that the
# order of table entries does not matter. The example per-
# mits access by the client at address 1.2.3.4 but rejects
# all other clients in 1.2.3.0/24. Instead of hash lookup
# tables, some systems use dbm. Use the command "postconf
# -m" to find out what lookup tables Postfix supports on
# The following example uses an indexed file, so that the
# order of table entries does not matter. The example per-
# mits access by the client at address 1.2.3.4 but rejects
# all other clients in 1.2.3.0/24. Instead of hash lookup
# tables, some systems use dbm. Use the command "postconf
# -m" to find out what lookup tables Postfix supports on
# your system.
#
# /etc/postfix/main.cf:
@ -457,11 +448,11 @@
# 1.2.3 REJECT
# 1.2.3.4 OK
#
# Execute the command "postmap /etc/postfix/access" after
# Execute the command "postmap /etc/postfix/access" after
# editing the file.
#
# BUGS
# The table format does not understand quoting conventions.
# The table format does not understand quoting conventions.
#
# SEE ALSO
# postmap(1), Postfix lookup table manager
@ -470,13 +461,13 @@
# transport(5), transport:nexthop syntax
#
# README FILES
# Use "postconf readme_directory" or "postconf html_direc-
# Use "postconf readme_directory" or "postconf html_direc-
# tory" to locate this information.
# SMTPD_ACCESS_README, built-in SMTP server access control
# DATABASE_README, Postfix lookup table overview
#
# LICENSE
# The Secure Mailer license must be distributed with this
# The Secure Mailer license must be distributed with this
# software.
#
# AUTHOR(S)

46
postfix/html/access.5.html
View File

@ -114,21 +114,17 @@ ACCESS(5) ACCESS(5)
<i>net.work</i>
<i>net</i> Matches the specified IPv4 host address or subnetwork. An IPv4
host address is a sequence of four decimal octets separated by
".".
<i>net</i> Matches a remote IPv4 host address or network address range.
Specify one to four decimal octets separated by ".". Do not
specify "[]" , "/", leading zeros, or hexadecimal forms.
Subnetworks are matched by repeatedly truncating the last
".octet" from the remote IPv4 host address string until a match
Network ranges are matched by repeatedly truncating the last
".octet" from a remote IPv4 host address string, until a match
is found in the access table, or until further truncation is not
possible.
NOTE 1: The access map lookup key must be in canonical form: do
not specify unnecessary null characters, and do not enclose net-
work address information with "[]" characters.
NOTE 2: use the <b>cidr</b> lookup table type to specify network/net-
mask patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for details.
NOTE: use the <b>cidr</b> lookup table type to specify network/netmask
patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for details.
<i>net:work:addr:ess</i>
@ -136,25 +132,19 @@ ACCESS(5) ACCESS(5)
<i>net:work</i>
<i>net</i> Matches the specified IPv6 host address or subnetwork. An IPv6
host address is a sequence of three to eight hexadecimal octet
pairs separated by ":".
<i>net</i> Matches a remote IPv6 host address or network address range.
Specify three to eight hexadecimal octet pairs separated by ":",
using the compressed form "::" for a sequence of zero-valued
octet pairs. Do not specify "[]", "/", leading zeros, or
non-compressed forms.
Subnetworks are matched by repeatedly truncating the last
":octetpair" from the remote IPv6 host address string until a
match is found in the access table, or until further truncation
is not possible.
A network range is matched by repeatedly truncating the last
":octetpair" from the compressed-form remote IPv6 host address
string, until a match is found in the access table, or until
further truncation is not possible.
NOTE 1: the truncation and comparison are done with the string
representation of the IPv6 host address. Thus, not all the ":"
subnetworks will be tried.
NOTE 2: The access map lookup key must be in canonical form: do
not specify unnecessary null characters, and do not enclose net-
work address information with "[]" characters.
NOTE 3: use the <b>cidr</b> lookup table type to specify network/net-
mask patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for details.
NOTE: use the <b>cidr</b> lookup table type to specify network/netmask
patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for details.
IPv6 support is available in Postfix 2.2 and later.

42
postfix/man/man5/access.5
View File

@ -121,43 +121,33 @@ string \fBsmtpd_access_maps\fR is not listed in the Postfix
.IP \fInet.work.addr\fR
.IP \fInet.work\fR
.IP \fInet\fR
Matches the specified IPv4 host address or subnetwork. An
IPv4 host address is a sequence of four decimal octets
separated by ".".
Matches a remote IPv4 host address or network address range.
Specify one to four decimal octets separated by ".". Do not
specify "[]" , "/", leading zeros, or hexadecimal forms.
Subnetworks are matched by repeatedly truncating the last
".octet" from the remote IPv4 host address string until a
Network ranges are matched by repeatedly truncating the last
".octet" from a remote IPv4 host address string, until a
match is found in the access table, or until further
truncation is not possible.
NOTE 1: The access map lookup key must be in canonical form:
do not specify unnecessary null characters, and do not
enclose network address information with "[]" characters.
NOTE 2: use the \fBcidr\fR lookup table type to specify
NOTE: use the \fBcidr\fR lookup table type to specify
network/netmask patterns. See \fBcidr_table\fR(5) for details.
.IP \fInet:work:addr:ess\fR
.IP \fInet:work:addr\fR
.IP \fInet:work\fR
.IP \fInet\fR
Matches the specified IPv6 host address or subnetwork. An
IPv6 host address is a sequence of three to eight hexadecimal
octet pairs separated by ":".
Matches a remote IPv6 host address or network address range.
Specify three to eight hexadecimal octet pairs separated
by ":", using the compressed form "::" for a sequence of
zero\-valued octet pairs. Do not specify "[]", "/", leading
zeros, or non\-compressed forms.
Subnetworks are matched by repeatedly truncating the last
":octetpair" from the remote IPv6 host address string until
a match is found in the access table, or until further
truncation is not possible.
A network range is matched by repeatedly truncating the
last ":octetpair" from the compressed\-form remote IPv6 host
address string, until a match is found in the access table,
or until further truncation is not possible.
NOTE 1: the truncation and comparison are done with the
string representation of the IPv6 host address. Thus, not
all the ":" subnetworks will be tried.
NOTE 2: The access map lookup key must be in canonical form:
do not specify unnecessary null characters, and do not
enclose network address information with "[]" characters.
NOTE 3: use the \fBcidr\fR lookup table type to specify
NOTE: use the \fBcidr\fR lookup table type to specify
network/netmask patterns. See \fBcidr_table\fR(5) for details.
IPv6 support is available in Postfix 2.2 and later.

42
postfix/proto/access
View File

@ -105,43 +105,33 @@
# .IP \fInet.work.addr\fR
# .IP \fInet.work\fR
# .IP \fInet\fR
# Matches the specified IPv4 host address or subnetwork. An
# IPv4 host address is a sequence of four decimal octets
# separated by ".".
# Matches a remote IPv4 host address or network address range.
# Specify one to four decimal octets separated by ".". Do not
# specify "[]" , "/", leading zeros, or hexadecimal forms.
#
# Subnetworks are matched by repeatedly truncating the last
# ".octet" from the remote IPv4 host address string until a
# Network ranges are matched by repeatedly truncating the last
# ".octet" from a remote IPv4 host address string, until a
# match is found in the access table, or until further
# truncation is not possible.
#
# NOTE 1: The access map lookup key must be in canonical form:
# do not specify unnecessary null characters, and do not
# enclose network address information with "[]" characters.
#
# NOTE 2: use the \fBcidr\fR lookup table type to specify
# NOTE: use the \fBcidr\fR lookup table type to specify
# network/netmask patterns. See \fBcidr_table\fR(5) for details.
# .IP \fInet:work:addr:ess\fR
# .IP \fInet:work:addr\fR
# .IP \fInet:work\fR
# .IP \fInet\fR
# Matches the specified IPv6 host address or subnetwork. An
# IPv6 host address is a sequence of three to eight hexadecimal
# octet pairs separated by ":".
# Matches a remote IPv6 host address or network address range.
# Specify three to eight hexadecimal octet pairs separated
# by ":", using the compressed form "::" for a sequence of
# zero-valued octet pairs. Do not specify "[]", "/", leading
# zeros, or non-compressed forms.
#
# Subnetworks are matched by repeatedly truncating the last
# ":octetpair" from the remote IPv6 host address string until
# a match is found in the access table, or until further
# truncation is not possible.
# A network range is matched by repeatedly truncating the
# last ":octetpair" from the compressed-form remote IPv6 host
# address string, until a match is found in the access table,
# or until further truncation is not possible.
#
# NOTE 1: the truncation and comparison are done with the
# string representation of the IPv6 host address. Thus, not
# all the ":" subnetworks will be tried.
#
# NOTE 2: The access map lookup key must be in canonical form:
# do not specify unnecessary null characters, and do not
# enclose network address information with "[]" characters.
#
# NOTE 3: use the \fBcidr\fR lookup table type to specify
# NOTE: use the \fBcidr\fR lookup table type to specify
# network/netmask patterns. See \fBcidr_table\fR(5) for details.
#
# IPv6 support is available in Postfix 2.2 and later.

2
postfix/src/global/mail_version.h
View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20190724"
#define MAIL_RELEASE_DATE "20190908"
#define MAIL_VERSION_NUMBER "3.5"
#ifdef SNAPSHOT

8
postfix/src/tlsproxy/tlsproxy.c
View File

@ -678,7 +678,8 @@ static int tlsp_eval_tls_error(TLSP_STATE *state, int err)
/*
* Allow buffered-up plaintext output to trickle out.
*/
if (state->plaintext_buf && NBBIO_WRITE_PEND(state->plaintext_buf))
if (state->plaintext_buf && !NBBIO_ERROR_FLAGS(state->plaintext_buf)
&& NBBIO_WRITE_PEND(state->plaintext_buf))
return (TLSP_STAT_OK);
tlsp_state_free(state);
return (TLSP_STAT_ERR);
@ -784,9 +785,8 @@ static void tlsp_strategy(TLSP_STATE *state)
if (NBBIO_ERROR_FLAGS(plaintext_buf)) {
if (NBBIO_ACTIVE_FLAGS(plaintext_buf))
nbbio_disable_readwrite(state->plaintext_buf);
ssl_stat = SSL_shutdown(tls_context->con);
/* XXX Wait for return value 1 if sessions are to be reused? */
if (ssl_stat < 0) {
if (!SSL_in_init(tls_context->con)
&& (ssl_stat = SSL_shutdown(tls_context->con)) < 0) {
handshake_err = SSL_get_error(tls_context->con, ssl_stat);
tlsp_eval_tls_error(state, handshake_err);
/* At this point, state could be a dangling pointer. */

10
postfix/src/util/vstream_tweak.c
View File

@ -124,12 +124,20 @@ int vstream_tweak_tcp(VSTREAM *fp)
* stream buffer size to less than VSTREAM_BUFSIZE, when the request is
* made before the first stream read or write operation. We don't want to
* reduce the buffer size.
*
* As of 20190820 we increase the mss size multipler from 2x to 4x, because
* some LINUX loopback TCP stacks report an MSS of 21845 which is 3x
* smaller than the MTU of 65536. Even with a VSTREAM buffer 2x the
* reported MSS size, performance would suck due to Nagle or delayed ACK
* delays.
*/
#define EFF_BUFFER_SIZE(fp) (vstream_req_bufsize(fp) ? \
vstream_req_bufsize(fp) : VSTREAM_BUFSIZE)
#ifdef CA_VSTREAM_CTL_BUFSIZE
if (mss > EFF_BUFFER_SIZE(fp) / 2) {
if (mss > EFF_BUFFER_SIZE(fp) / 4) {
if (mss < INT_MAX / 2)
mss *= 2;
if (mss < INT_MAX / 2)
mss *= 2;
vstream_control(fp,

10
postfix/src/xsasl/xsasl_dovecot_server.c
View File

@ -584,10 +584,20 @@ static int xsasl_dovecot_handle_reply(XSASL_DOVECOT_SERVER *server,
if (xsasl_dovecot_parse_reply(server, &line) == 0) {
/* authentication successful */
xsasl_dovecot_parse_reply_args(server, line, reply, 1);
if (server->username == 0) {
msg_warn("missing Dovecot server %s username field", cmd);
vstring_strcpy(reply, "Authentication backend error");
return XSASL_AUTH_FAIL;
}
return XSASL_AUTH_DONE;
}
} else if (strcmp(cmd, "CONT") == 0) {
if (xsasl_dovecot_parse_reply(server, &line) == 0) {
if (line == 0) {
msg_warn("missing Dovecot server %s reply field", cmd);
vstring_strcpy(reply, "Authentication backend error");
return XSASL_AUTH_FAIL;
}
vstring_strcpy(reply, line);
return XSASL_AUTH_MORE;
}