mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-31 06:05:37 +00:00
Code Issues Releases Wiki Activity

postfix-2.8.1

Browse Source
This commit is contained in:
Wietse Venema
2011-02-22 00:00:00 -05:00
committed by Viktor Dukhovni
parent 8b118cf292
commit 29719aa21f
13 changed files with 181 additions and 205 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
postfix/HISTORY
View File

@@ -16515,7 +16515,26 @@ Apologies for any names omitted.
from the postscreen_access_list implementation. File: from the postscreen_access_list implementation. File:
postscreen/postscreen_access.c. postscreen/postscreen_access.c.
20110123
Cleanup: remove #ifdef MIGRATION_WARNING transitional code
from postscreen. File: postscreen/postscreen.c.
20110201
Cleanup: when verifying that the client_address->client_name
lookup result resolves to the client_address, request
hostname->address lookup with the same protocol family (IPv4
or IPv6) as the client_address. Files: util/myaddrinfo.[hc],
smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
20110207 20110207
Bugfix (introduced Postfix 2.8): segfault with smtpd_tls_loglevel Bugfix (introduced Postfix 2.8): segfault with smtpd_tls_loglevel
>= 3. Files: tls/tls_server.c, tls.h, smtpd.c, tlsproxy.c. >= 3. Files: tls/tls_server.c, tls.h, smtpd.c, tlsproxy.c.
20110216
Cleanup: don't log a "connection reset by peer" warning
when postscreen(8) tries to send a server response. File:
postscreen/postscreen_send.c.

5
postfix/README_FILES/POSTSCREEN_README
View File

@@ -318,11 +318,12 @@ in SMTP engine anyway. This is to make postscreen(8) logging more informative.
When a client sends multiple commands, postscreen(8) logs this as: When a client sends multiple commands, postscreen(8) logs this as:
CCOOMMMMAANNDD PPIIPPEELLIINNIINNGG aafftteerr time ffrroomm [address]:port CCOOMMMMAANNDD PPIIPPEELLIINNIINNGG ffrroomm [address]:port aafftteerr command
Translation: the SMTP client at [address]:port sent multiple SMTP commands, Translation: the SMTP client at [address]:port sent multiple SMTP commands,
instead of sending one command and then waiting for the server to reply. This instead of sending one command and then waiting for the server to reply. This
happened time seconds after the "220 " server greeting was sent. happened after the client sent command. Postfix 2.8 does not log the input that
was sent too early.
The postscreen_pipelining_action parameter specifies the action that is taken The postscreen_pipelining_action parameter specifies the action that is taken
next. See "When tests fail after the 220 SMTP server greeting" below. next. See "When tests fail after the 220 SMTP server greeting" below.

11
postfix/html/POSTSCREEN_README.html
View File

@@ -432,13 +432,14 @@ logging more informative. </p>
as: </p> as: </p>
<pre> <pre>
<b>COMMAND PIPELINING after</b> <i>time</i> <b>from</b> <i>[address]:port</i> <b>COMMAND PIPELINING from</b> <i>[address]:port</i> <b>after</b> <i>command</i>
</pre> </pre>
<p> Translation: the SMTP client at <i>[address]:port</i> sent multiple <p> Translation: the SMTP client at <i>[address]:port</i> sent
SMTP commands, instead of sending one command and then waiting for multiple SMTP commands, instead of sending one command and then
the server to reply. This happened <i>time</i> seconds after the waiting for the server to reply. This happened after the client
"220 " server greeting was sent. </p> sent <i>command</i>. Postfix 2.8 does not log the input that was
sent too early. </p>
<p> The <a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a> parameter specifies the action <p> The <a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a> parameter specifies the action
that is taken next. See "<a href="#fail_after_220">When tests fail that is taken next. See "<a href="#fail_after_220">When tests fail

211
postfix/html/postscreen.8.html
View File

@@ -76,64 +76,65 @@ POSTSCREEN(8) POSTSCREEN(8)
Support for AUTH may be added in the future. In the mean Support for AUTH may be added in the future. In the mean
time, if you need to make these services available on port time, if you need to make these services available on port
25, then do not enable the optional "after 220 server 25, then do not enable the optional "after 220 server
greeting" tests. greeting" tests, and do not use DNSBLs that reject traffic
from dial-up and residential networks.
The optional "after 220 server greeting" tests involve The optional "after 220 server greeting" tests involve
<a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine. When these <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine. When these
tests succeed, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> adds the client to the tempo- tests succeed, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> adds the client to the tempo-
rary whitelist but it cannot not hand off the "live" con- rary whitelist but it cannot not hand off the "live" con-
nection to a Postfix SMTP server process in the middle of nection to a Postfix SMTP server process in the middle of
a session. Instead, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> defers attempts to a session. Instead, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> defers attempts to
deliver mail with a 4XX status, and waits for the client deliver mail with a 4XX status, and waits for the client
to disconnect. The next time a good client connects, it to disconnect. The next time a good client connects, it
will be allowed to talk to a Postfix SMTP server process will be allowed to talk to a Postfix SMTP server process
to deliver mail. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> mitigates the impact of to deliver mail. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> mitigates the impact of
this limitation by giving such tests a long expiration this limitation by giving such tests a long expiration
time. time.
<b>CONFIGURATION PARAMETERS</b> <b>CONFIGURATION PARAMETERS</b>
Changes to <a href="postconf.5.html">main.cf</a> are not picked up automatically, as Changes to <a href="postconf.5.html">main.cf</a> are not picked up automatically, as
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> processes may run for several hours. Use <a href="postscreen.8.html"><b>postscreen</b>(8)</a> processes may run for several hours. Use
the command "postfix reload" after a configuration change. the command "postfix reload" after a configuration change.
The text below provides only a parameter summary. See The text below provides only a parameter summary. See
<a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples. <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
NOTE: Some <a href="postscreen.8.html"><b>postscreen</b>(8)</a> parameters implement stress- NOTE: Some <a href="postscreen.8.html"><b>postscreen</b>(8)</a> parameters implement stress-
dependent behavior. This is supported only when the dependent behavior. This is supported only when the
default parameter value is stress-dependent (that is, it default parameter value is stress-dependent (that is, it
looks like ${stress?X}${stress:Y}, or it is the $<i>name</i> of looks like ${stress?X}${stress:Y}, or it is the $<i>name</i> of
an smtpd parameter with a stress-dependent default). an smtpd parameter with a stress-dependent default).
Other parameters always evaluate as if the <b>stress</b> parame- Other parameters always evaluate as if the <b>stress</b> parame-
ter value is the empty string. ter value is the empty string.
<b>COMPATIBILITY CONTROLS</b> <b>COMPATIBILITY CONTROLS</b>
<b><a href="postconf.5.html#postscreen_command_filter">postscreen_command_filter</a> ($<a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a>)</b> <b><a href="postconf.5.html#postscreen_command_filter">postscreen_command_filter</a> ($<a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a>)</b>
A mechanism to transform commands from remote SMTP A mechanism to transform commands from remote SMTP
clients. clients.
<b><a href="postconf.5.html#postscreen_discard_ehlo_keyword_address_maps">postscreen_discard_ehlo_keyword_address_maps</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_dis</a>-</b> <b><a href="postconf.5.html#postscreen_discard_ehlo_keyword_address_maps">postscreen_discard_ehlo_keyword_address_maps</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_dis</a>-</b>
<b><a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">card_ehlo_keyword_address_maps</a>)</b> <b><a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">card_ehlo_keyword_address_maps</a>)</b>
Lookup tables, indexed by the remote SMTP client Lookup tables, indexed by the remote SMTP client
address, with case insensitive lists of EHLO key- address, with case insensitive lists of EHLO key-
words (pipelining, starttls, auth, etc.) that the words (pipelining, starttls, auth, etc.) that the
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the EHLO <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the EHLO
response to a remote SMTP client. response to a remote SMTP client.
<b><a href="postconf.5.html#postscreen_discard_ehlo_keywords">postscreen_discard_ehlo_keywords</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_key</a>-</b> <b><a href="postconf.5.html#postscreen_discard_ehlo_keywords">postscreen_discard_ehlo_keywords</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_key</a>-</b>
<b><a href="postconf.5.html#smtpd_discard_ehlo_keywords">words</a>)</b> <b><a href="postconf.5.html#smtpd_discard_ehlo_keywords">words</a>)</b>
A case insensitive list of EHLO keywords (pipelin- A case insensitive list of EHLO keywords (pipelin-
ing, starttls, auth, etc.) that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> ing, starttls, auth, etc.) that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
server will not send in the EHLO response to a server will not send in the EHLO response to a
remote SMTP client. remote SMTP client.
<b>TROUBLE SHOOTING CONTROLS</b> <b>TROUBLE SHOOTING CONTROLS</b>
<b><a href="postconf.5.html#postscreen_expansion_filter">postscreen_expansion_filter</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#postscreen_expansion_filter">postscreen_expansion_filter</a> (see 'postconf -d' output)</b>
List of characters that are permitted in List of characters that are permitted in
<a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> attribute expansions. <a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> attribute expansions.
<b><a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> ($<a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a>)</b> <b><a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> ($<a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a>)</b>
Optional information that is appended after a 4XX Optional information that is appended after a 4XX
or 5XX server response. or 5XX server response.
<b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b> <b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
@@ -141,9 +142,9 @@ POSTSCREEN(8) POSTSCREEN(8)
be returned to the sender. be returned to the sender.
<b>PERMANENT WHITE/BLACKLIST TEST</b> <b>PERMANENT WHITE/BLACKLIST TEST</b>
This test is executed immediately after a remote SMTP This test is executed immediately after a remote SMTP
client connects. If a client is permanently whitelisted, client connects. If a client is permanently whitelisted,
the client will be handed off immediately to a Postfix the client will be handed off immediately to a Postfix
SMTP server process. SMTP server process.
<b><a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>)</b> <b><a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>)</b>
@@ -151,45 +152,45 @@ POSTSCREEN(8) POSTSCREEN(8)
addresses. addresses.
<b><a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> (ignore)</b> <b><a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> (ignore)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client is permanently blacklisted with the client is permanently blacklisted with the
<a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> parameter. <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> parameter.
<b>BEFORE-GREETING TESTS</b> <b>BEFORE-GREETING TESTS</b>
These tests are executed before the remote SMTP client These tests are executed before the remote SMTP client
receives the "220 servername" greeting. If no tests remain receives the "220 servername" greeting. If no tests remain
after the successful completion of this phase, the client after the successful completion of this phase, the client
will be handed off immediately to a Postfix SMTP server will be handed off immediately to a Postfix SMTP server
process. process.
<b><a href="postconf.5.html#dnsblog_service_name">dnsblog_service_name</a> (dnsblog)</b> <b><a href="postconf.5.html#dnsblog_service_name">dnsblog_service_name</a> (dnsblog)</b>
The name of the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> service entry in mas- The name of the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> service entry in mas-
ter.cf. ter.cf.
<b><a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a> (ignore)</b> <b><a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a> (ignore)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client's combined DNSBL score is equal to or client's combined DNSBL score is equal to or
greater than a threshold (as defined with the greater than a threshold (as defined with the
<a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> and <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_thresh</a>- <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> and <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_thresh</a>-
<a href="postconf.5.html#postscreen_dnsbl_threshold">old</a> parameters). <a href="postconf.5.html#postscreen_dnsbl_threshold">old</a> parameters).
<b><a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> (empty)</b> <b><a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> (empty)</b>
A mapping from actual DNSBL domain name which A mapping from actual DNSBL domain name which
includes a secret password, to the DNSBL domain includes a secret password, to the DNSBL domain
name that postscreen will reply with when it name that postscreen will reply with when it
rejects mail. rejects mail.
<b><a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> (empty)</b> <b><a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> (empty)</b>
Optional list of DNS white/blacklist domains, fil- Optional list of DNS white/blacklist domains, fil-
ters and weight factors. ters and weight factors.
<b><a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> (1)</b> <b><a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> (1)</b>
The inclusive lower bound for blocking an SMTP The inclusive lower bound for blocking an SMTP
client, based on its combined DNSBL score as client, based on its combined DNSBL score as
defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter. defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.
<b><a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a> (ignore)</b> <b><a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a> (ignore)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client speaks before its turn within the time spec- client speaks before its turn within the time spec-
ified with the <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> parameter. ified with the <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> parameter.
@@ -197,39 +198,39 @@ POSTSCREEN(8) POSTSCREEN(8)
The <i>text</i> in the optional "220-<i>text</i>..." server The <i>text</i> in the optional "220-<i>text</i>..." server
response that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> sends ahead of the real response that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> sends ahead of the real
Postfix SMTP server's "220 text..." response, in an Postfix SMTP server's "220 text..." response, in an
attempt to confuse bad SMTP clients so that they attempt to confuse bad SMTP clients so that they
speak before their turn (pre-greet). speak before their turn (pre-greet).
<b><a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> (${stress?2}${stress:6}s)</b> <b><a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> (${stress?2}${stress:6}s)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will wait for The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will wait for
an SMTP client to send a command before its turn, an SMTP client to send a command before its turn,
and for DNS blocklist lookup results to arrive and for DNS blocklist lookup results to arrive
(default: up to 2 seconds under stress, up to 6 (default: up to 2 seconds under stress, up to 6
seconds otherwise). seconds otherwise).
<b><a href="postconf.5.html#smtpd_service_name">smtpd_service_name</a> (smtpd)</b> <b><a href="postconf.5.html#smtpd_service_name">smtpd_service_name</a> (smtpd)</b>
The internal service that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> forwards The internal service that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> forwards
allowed connections to. allowed connections to.
<b>AFTER-GREETING TESTS</b> <b>AFTER-GREETING TESTS</b>
These tests are executed after the remote SMTP client These tests are executed after the remote SMTP client
receives the "220 servername" greeting. If a client passes receives the "220 servername" greeting. If a client passes
all tests during this phase, it will receive a 4XX all tests during this phase, it will receive a 4XX
response to RCPT TO commands until the client hangs up. response to RCPT TO commands until the client hangs up.
After this, the client will be allowed to talk directly to After this, the client will be allowed to talk directly to
a Postfix SMTP server process. a Postfix SMTP server process.
<b><a href="postconf.5.html#postscreen_bare_newline_action">postscreen_bare_newline_action</a> (ignore)</b> <b><a href="postconf.5.html#postscreen_bare_newline_action">postscreen_bare_newline_action</a> (ignore)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client sends a bare newline character, that is, a client sends a bare newline character, that is, a
newline not preceded by carriage return. newline not preceded by carriage return.
<b><a href="postconf.5.html#postscreen_bare_newline_enable">postscreen_bare_newline_enable</a> (no)</b> <b><a href="postconf.5.html#postscreen_bare_newline_enable">postscreen_bare_newline_enable</a> (no)</b>
Enable "bare newline" SMTP protocol tests in the Enable "bare newline" SMTP protocol tests in the
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> server. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
<b><a href="postconf.5.html#postscreen_disable_vrfy_command">postscreen_disable_vrfy_command</a> ($<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a>)</b> <b><a href="postconf.5.html#postscreen_disable_vrfy_command">postscreen_disable_vrfy_command</a> ($<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a>)</b>
Disable the SMTP VRFY command in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> Disable the SMTP VRFY command in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
daemon. daemon.
<b><a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> ($<a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>)</b> <b><a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> ($<a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>)</b>
@@ -237,157 +238,157 @@ POSTSCREEN(8) POSTSCREEN(8)
siders in violation of the SMTP protocol. siders in violation of the SMTP protocol.
<b><a href="postconf.5.html#postscreen_helo_required">postscreen_helo_required</a> ($<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a>)</b> <b><a href="postconf.5.html#postscreen_helo_required">postscreen_helo_required</a> ($<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a>)</b>
Require that a remote SMTP client sends HELO or Require that a remote SMTP client sends HELO or
EHLO before commencing a MAIL transaction. EHLO before commencing a MAIL transaction.
<b><a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> (drop)</b> <b><a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> (drop)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client sends non-SMTP commands as specified with client sends non-SMTP commands as specified with
the <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> parameter. the <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> parameter.
<b><a href="postconf.5.html#postscreen_non_smtp_command_enable">postscreen_non_smtp_command_enable</a> (no)</b> <b><a href="postconf.5.html#postscreen_non_smtp_command_enable">postscreen_non_smtp_command_enable</a> (no)</b>
Enable "non-SMTP command" tests in the Enable "non-SMTP command" tests in the
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> server. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
<b><a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a> (enforce)</b> <b><a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a> (enforce)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client sends multiple commands instead of sending client sends multiple commands instead of sending
one command and waiting for the server to respond. one command and waiting for the server to respond.
<b><a href="postconf.5.html#postscreen_pipelining_enable">postscreen_pipelining_enable</a> (no)</b> <b><a href="postconf.5.html#postscreen_pipelining_enable">postscreen_pipelining_enable</a> (no)</b>
Enable "pipelining" SMTP protocol tests in the Enable "pipelining" SMTP protocol tests in the
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> server. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
<b>CACHE CONTROLS</b> <b>CACHE CONTROLS</b>
<b><a href="postconf.5.html#postscreen_cache_cleanup_interval">postscreen_cache_cleanup_interval</a> (12h)</b> <b><a href="postconf.5.html#postscreen_cache_cleanup_interval">postscreen_cache_cleanup_interval</a> (12h)</b>
The amount of time between <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache The amount of time between <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache
cleanup runs. cleanup runs.
<b><a href="postconf.5.html#postscreen_cache_map">postscreen_cache_map</a> (btree:$data_direc-</b> <b><a href="postconf.5.html#postscreen_cache_map">postscreen_cache_map</a> (btree:$data_direc-</b>
<b>tory/postscreen_cache)</b> <b>tory/postscreen_cache)</b>
Persistent storage for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server Persistent storage for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server
decisions. decisions.
<b><a href="postconf.5.html#postscreen_cache_retention_time">postscreen_cache_retention_time</a> (7d)</b> <b><a href="postconf.5.html#postscreen_cache_retention_time">postscreen_cache_retention_time</a> (7d)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache an The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache an
expired temporary whitelist entry before it is expired temporary whitelist entry before it is
removed. removed.
<b><a href="postconf.5.html#postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (30d)</b> <b><a href="postconf.5.html#postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (30d)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
result from a successful "bare newline" SMTP proto- result from a successful "bare newline" SMTP proto-
col test. col test.
<b><a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a> (1h)</b> <b><a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a> (1h)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
result from a successful DNS blocklist test. result from a successful DNS blocklist test.
<b><a href="postconf.5.html#postscreen_greet_ttl">postscreen_greet_ttl</a> (1d)</b> <b><a href="postconf.5.html#postscreen_greet_ttl">postscreen_greet_ttl</a> (1d)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
result from a successful PREGREET test. result from a successful PREGREET test.
<b><a href="postconf.5.html#postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (30d)</b> <b><a href="postconf.5.html#postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (30d)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
result from a successful "non_smtp_command" SMTP result from a successful "non_smtp_command" SMTP
protocol test. protocol test.
<b><a href="postconf.5.html#postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (30d)</b> <b><a href="postconf.5.html#postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (30d)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
result from a successful "pipelining" SMTP protocol result from a successful "pipelining" SMTP protocol
test. test.
<b>RESOURCE CONTROLS</b> <b>RESOURCE CONTROLS</b>
<b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b> <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
Upon input, long lines are chopped up into pieces Upon input, long lines are chopped up into pieces
of at most this length; upon delivery, long lines of at most this length; upon delivery, long lines
are reconstructed. are reconstructed.
<b><a href="postconf.5.html#postscreen_client_connection_count_limit">postscreen_client_connection_count_limit</a></b> <b><a href="postconf.5.html#postscreen_client_connection_count_limit">postscreen_client_connection_count_limit</a></b>
<b>($<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a>)</b> <b>($<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a>)</b>
How many simultaneous connections any client is How many simultaneous connections any client is
allowed to have with the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon. allowed to have with the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon.
<b><a href="postconf.5.html#postscreen_command_count_limit">postscreen_command_count_limit</a> (20)</b> <b><a href="postconf.5.html#postscreen_command_count_limit">postscreen_command_count_limit</a> (20)</b>
The limit on the total number of commands per SMTP The limit on the total number of commands per SMTP
session for <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol session for <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol
engine. engine.
<b><a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> (${stress?10}${stress:300}s)</b> <b><a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> (${stress?10}${stress:300}s)</b>
The time limit to read an entire command line with The time limit to read an entire command line with
<a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine. <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine.
<b><a href="postconf.5.html#postscreen_post_queue_limit">postscreen_post_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b> <b><a href="postconf.5.html#postscreen_post_queue_limit">postscreen_post_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
The number of clients that can be waiting for ser- The number of clients that can be waiting for ser-
vice from a real SMTP server process. vice from a real SMTP server process.
<b><a href="postconf.5.html#postscreen_pre_queue_limit">postscreen_pre_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b> <b><a href="postconf.5.html#postscreen_pre_queue_limit">postscreen_pre_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
The number of non-whitelisted clients that can be The number of non-whitelisted clients that can be
waiting for a decision whether they will receive waiting for a decision whether they will receive
service from a real SMTP server process. service from a real SMTP server process.
<b><a href="postconf.5.html#postscreen_watchdog_timeout">postscreen_watchdog_timeout</a> (10s)</b> <b><a href="postconf.5.html#postscreen_watchdog_timeout">postscreen_watchdog_timeout</a> (10s)</b>
How much time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may take to How much time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may take to
respond to an SMTP client command or to perform a respond to an SMTP client command or to perform a
cache operation before it is terminated by a built- cache operation before it is terminated by a built-
in watchdog timer. in watchdog timer.
<b>STARTTLS CONTROLS</b> <b>STARTTLS CONTROLS</b>
<b><a href="postconf.5.html#postscreen_tls_security_level">postscreen_tls_security_level</a> ($<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b> <b><a href="postconf.5.html#postscreen_tls_security_level">postscreen_tls_security_level</a> ($<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b>
The SMTP TLS security level for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> The SMTP TLS security level for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
server; when a non-empty value is specified, this server; when a non-empty value is specified, this
overrides the obsolete parameters overrides the obsolete parameters
<a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> and <a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a>. <a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> and <a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a>.
<b><a href="postconf.5.html#tlsproxy_service_name">tlsproxy_service_name</a> (tlsproxy)</b> <b><a href="postconf.5.html#tlsproxy_service_name">tlsproxy_service_name</a> (tlsproxy)</b>
The name of the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> service entry in mas- The name of the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> service entry in mas-
ter.cf. ter.cf.
<b>OBSOLETE STARTTLS SUPPORT CONTROLS</b> <b>OBSOLETE STARTTLS SUPPORT CONTROLS</b>
These parameters are supported for compatibility with These parameters are supported for compatibility with
<a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy parameters. <a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy parameters.
<b><a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> ($<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b> <b><a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> ($<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b>
Opportunistic TLS: announce STARTTLS support to Opportunistic TLS: announce STARTTLS support to
SMTP clients, but do not require that clients use SMTP clients, but do not require that clients use
TLS encryption. TLS encryption.
<b><a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a> ($<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b> <b><a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a> ($<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b>
Mandatory TLS: announce STARTTLS support to SMTP Mandatory TLS: announce STARTTLS support to SMTP
clients, and require that clients use TLS encryp- clients, and require that clients use TLS encryp-
tion. tion.
<b>MISCELLANEOUS CONTROLS</b> <b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
<a href="master.5.html">master.cf</a> configuration files. <a href="master.5.html">master.cf</a> configuration files.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b> <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
The maximal number of digits after the decimal The maximal number of digits after the decimal
point when logging sub-second delay values. point when logging sub-second delay values.
<b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
The location of all postfix administrative com- The location of all postfix administrative com-
mands. mands.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b> <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix The maximum amount of time that an idle Postfix
daemon process waits for an incoming connection daemon process waits for an incoming connection
before terminating voluntarily. before terminating voluntarily.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b> <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
The process ID of a Postfix command or daemon The process ID of a Postfix command or daemon
process. process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b> <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
The process name of a Postfix command or daemon The process name of a Postfix command or daemon
process. process.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b> <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging. The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the The mail system name that is prepended to the
process name in syslog records, so that "smtpd" process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd". becomes, for example, "postfix/smtpd".
<b>SEE ALSO</b> <b>SEE ALSO</b>
@@ -400,14 +401,14 @@ POSTSCREEN(8) POSTSCREEN(8)
<a href="POSTSCREEN_README.html">POSTSCREEN_README</a>, Postfix Postscreen Howto <a href="POSTSCREEN_README.html">POSTSCREEN_README</a>, Postfix Postscreen Howto
<b>LICENSE</b> <b>LICENSE</b>
The Secure Mailer license must be distributed with this The Secure Mailer license must be distributed with this
software. software.
<b>HISTORY</b> <b>HISTORY</b>
This service was introduced with Postfix version 2.8. This service was introduced with Postfix version 2.8.
Many ideas in <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier work Many ideas in <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier work
by Michael Tokarev, in OpenBSD spamd, and in MailChannels by Michael Tokarev, in OpenBSD spamd, and in MailChannels
Traffic Control. Traffic Control.
<b>AUTHOR(S)</b> <b>AUTHOR(S)</b>

3
postfix/man/man8/postscreen.8
View File

@@ -82,7 +82,8 @@ XFORWARD.
Support for AUTH may be added in the future. Support for AUTH may be added in the future.
In the mean time, if you need to make these services available In the mean time, if you need to make these services available
on port 25, then do not enable the optional "after 220 on port 25, then do not enable the optional "after 220
server greeting" tests. server greeting" tests, and do not use DNSBLs that reject
traffic from dial-up and residential networks.
The optional "after 220 server greeting" tests involve The optional "after 220 server greeting" tests involve
\fBpostscreen\fR(8)'s built-in SMTP protocol engine. When \fBpostscreen\fR(8)'s built-in SMTP protocol engine. When

11
postfix/proto/POSTSCREEN_README.html
View File

@@ -432,13 +432,14 @@ logging more informative. </p>
as: </p> as: </p>
<pre> <pre>
<b>COMMAND PIPELINING after</b> <i>time</i> <b>from</b> <i>[address]:port</i> <b>COMMAND PIPELINING from</b> <i>[address]:port</i> <b>after</b> <i>command</i>
</pre> </pre>
<p> Translation: the SMTP client at <i>[address]:port</i> sent multiple <p> Translation: the SMTP client at <i>[address]:port</i> sent
SMTP commands, instead of sending one command and then waiting for multiple SMTP commands, instead of sending one command and then
the server to reply. This happened <i>time</i> seconds after the waiting for the server to reply. This happened after the client
"220 " server greeting was sent. </p> sent <i>command</i>. Postfix 2.8 does not log the input that was
sent too early. </p>
<p> The postscreen_pipelining_action parameter specifies the action <p> The postscreen_pipelining_action parameter specifies the action
that is taken next. See "<a href="#fail_after_220">When tests fail that is taken next. See "<a href="#fail_after_220">When tests fail

4
postfix/src/global/mail_version.h
View File

@@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20110207" #define MAIL_RELEASE_DATE "20110222"
#define MAIL_VERSION_NUMBER "2.8.1-RC1" #define MAIL_VERSION_NUMBER "2.8.1"
#ifdef SNAPSHOT #ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE

75
postfix/src/postscreen/postscreen.c
View File

@@ -68,7 +68,8 @@
/* Support for AUTH may be added in the future. /* Support for AUTH may be added in the future.
/* In the mean time, if you need to make these services available /* In the mean time, if you need to make these services available
/* on port 25, then do not enable the optional "after 220 /* on port 25, then do not enable the optional "after 220
/* server greeting" tests. /* server greeting" tests, and do not use DNSBLs that reject
/* traffic from dial-up and residential networks.
/* /*
/* The optional "after 220 server greeting" tests involve /* The optional "after 220 server greeting" tests involve
/* \fBpostscreen\fR(8)'s built-in SMTP protocol engine. When /* \fBpostscreen\fR(8)'s built-in SMTP protocol engine. When
@@ -416,13 +417,6 @@ int var_psc_post_queue_limit;
int var_psc_pre_queue_limit; int var_psc_pre_queue_limit;
int var_psc_watchdog; int var_psc_watchdog;
#undef MIGRATION_WARNING
#ifdef MIGRATION_WARNING
char *var_psc_wlist_nets;
char *var_psc_blist_nets;
#endif
char *var_psc_acl; char *var_psc_acl;
char *var_psc_blist_action; char *var_psc_blist_action;
@@ -495,11 +489,6 @@ HTABLE *psc_client_concurrency; /* per-client concurrency */
/* /*
* Local variables. * Local variables.
*/ */
#ifdef MIGRATION_WARNING
static ADDR_MATCH_LIST *psc_wlist_nets; /* permanently whitelisted networks */
static ADDR_MATCH_LIST *psc_blist_nets; /* permanently blacklisted networks */
#endif
static ARGV *psc_acl; /* permanent white/backlist */ static ARGV *psc_acl; /* permanent white/backlist */
static int psc_blist_action; /* PSC_ACT_DROP/ENFORCE/etc */ static int psc_blist_action; /* PSC_ACT_DROP/ENFORCE/etc */
@@ -715,47 +704,6 @@ static void psc_service(VSTREAM *smtp_client_stream,
break; break;
} }
} }
#ifdef MIGRATION_WARNING
/*
* The permanent whitelist has highest precedence (never block mail from
* whitelisted sites, and never run tests against those sites).
*/
if (psc_wlist_nets != 0
&& psc_addr_match_list_match(psc_wlist_nets, state->smtp_client_addr)) {
msg_info("WHITELISTED [%s]:%s", PSC_CLIENT_ADDR_PORT(state));
psc_conclude(state);
return;
}
/*
* The permanent blacklist has second precedence. If the client is
* permanently blacklisted, send some generic reply and hang up
* immediately, or run more tests for logging purposes.
*/
if (psc_blist_nets != 0
&& psc_addr_match_list_match(psc_blist_nets, state->smtp_client_addr)) {
msg_info("BLACKLISTED [%s]:%s", PSC_CLIENT_ADDR_PORT(state));
PSC_FAIL_SESSION_STATE(state, PSC_STATE_FLAG_BLIST_FAIL);
switch (psc_blist_action) {
case PSC_ACT_DROP:
PSC_DROP_SESSION_STATE(state,
"521 5.3.2 Service currently unavailable\r\n");
return;
case PSC_ACT_ENFORCE:
PSC_ENFORCE_SESSION_STATE(state,
"550 5.3.2 Service currently unavailable\r\n");
break;
case PSC_ACT_IGNORE:
PSC_UNFAIL_SESSION_STATE(state, PSC_STATE_FLAG_BLIST_FAIL);
/* Not: PSC_PASS_SESSION_STATE. Repeat this test the next time. */
break;
default:
msg_panic("%s: unknown blacklist action value %d",
myname, psc_blist_action);
}
}
#endif
/* /*
* The temporary whitelist (i.e. the postscreen cache) has the lowest * The temporary whitelist (i.e. the postscreen cache) has the lowest
@@ -841,21 +789,6 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
* Open read-only maps before dropping privilege, for consistency with * Open read-only maps before dropping privilege, for consistency with
* other Postfix daemons. * other Postfix daemons.
*/ */
#ifdef MIGRATION_WARNING
if (*var_psc_wlist_nets)
psc_wlist_nets =
addr_match_list_init(MATCH_FLAG_NONE, var_psc_wlist_nets);
if (*var_psc_blist_nets)
psc_blist_nets = addr_match_list_init(MATCH_FLAG_NONE,
var_psc_blist_nets);
if (psc_blist_nets || psc_wlist_nets) {
msg_warn("The %s and %s features will be removed soon. Use %s instead",
VAR_PSC_WLIST_NETS, VAR_PSC_BLIST_NETS, VAR_PSC_ACL);
msg_warn("To stop this warning, specify empty values for %s and %s",
VAR_PSC_WLIST_NETS, VAR_PSC_BLIST_NETS);
}
#endif
psc_acl_pre_jail_init(); psc_acl_pre_jail_init();
if (*var_psc_acl) if (*var_psc_acl)
psc_acl = psc_acl_parse(var_psc_acl, VAR_PSC_ACL); psc_acl = psc_acl_parse(var_psc_acl, VAR_PSC_ACL);
@@ -1095,10 +1028,6 @@ int main(int argc, char **argv)
VAR_PSC_PIPEL_ACTION, DEF_PSC_PIPEL_ACTION, &var_psc_pipel_action, 1, 0, VAR_PSC_PIPEL_ACTION, DEF_PSC_PIPEL_ACTION, &var_psc_pipel_action, 1, 0,
VAR_PSC_NSMTP_ACTION, DEF_PSC_NSMTP_ACTION, &var_psc_nsmtp_action, 1, 0, VAR_PSC_NSMTP_ACTION, DEF_PSC_NSMTP_ACTION, &var_psc_nsmtp_action, 1, 0,
VAR_PSC_BARLF_ACTION, DEF_PSC_BARLF_ACTION, &var_psc_barlf_action, 1, 0, VAR_PSC_BARLF_ACTION, DEF_PSC_BARLF_ACTION, &var_psc_barlf_action, 1, 0,
#ifdef MIGRATION_WARNING
VAR_PSC_WLIST_NETS, DEF_PSC_WLIST_NETS, &var_psc_wlist_nets, 0, 0,
VAR_PSC_BLIST_NETS, DEF_PSC_BLIST_NETS, &var_psc_blist_nets, 0, 0,
#endif
VAR_PSC_ACL, DEF_PSC_ACL, &var_psc_acl, 0, 0, VAR_PSC_ACL, DEF_PSC_ACL, &var_psc_acl, 0, 0,
VAR_PSC_BLIST_ACTION, DEF_PSC_BLIST_ACTION, &var_psc_blist_action, 1, 0, VAR_PSC_BLIST_ACTION, DEF_PSC_BLIST_ACTION, &var_psc_blist_action, 1, 0,
VAR_PSC_FORBID_CMDS, DEF_PSC_FORBID_CMDS, &var_psc_forbid_cmds, 0, 0, VAR_PSC_FORBID_CMDS, DEF_PSC_FORBID_CMDS, &var_psc_forbid_cmds, 0, 0,

2
postfix/src/postscreen/postscreen_send.c
View File

@@ -121,7 +121,7 @@ int psc_send_reply(PSC_STATE *state, const char *text)
STR(state->send_buf), LEN(state->send_buf)); STR(state->send_buf), LEN(state->send_buf));
if (ret > 0) if (ret > 0)
vstring_truncate(state->send_buf, ret - LEN(state->send_buf)); vstring_truncate(state->send_buf, ret - LEN(state->send_buf));
if (ret < 0 && errno != EAGAIN && errno != EPIPE) if (ret < 0 && errno != EAGAIN && errno != EPIPE && errno != ECONNRESET)
msg_warn("write [%s]:%s: %m", state->smtp_client_addr, msg_warn("write [%s]:%s: %m", state->smtp_client_addr,
state->smtp_client_port); state->smtp_client_port);
return (ret < 0 && errno != EAGAIN); return (ret < 0 && errno != EAGAIN);

3
postfix/src/qmqpd/qmqpd_peer.c
View File

@@ -243,7 +243,8 @@ void qmqpd_peer_init(QMQPD_STATE *state)
/* /*
* Reject the hostname if it does not list the peer address. * Reject the hostname if it does not list the peer address.
*/ */
aierr = hostname_to_sockaddr(state->name, (char *) 0, 0, &res0); aierr = hostname_to_sockaddr_pf(state->name, state->addr_family,
(char *) 0, 0, &res0);
if (aierr) { if (aierr) {
msg_warn("%s: hostname %s verification failed: %s", msg_warn("%s: hostname %s verification failed: %s",
state->addr, state->name, MAI_STRERROR(aierr)); state->addr, state->name, MAI_STRERROR(aierr));

3
postfix/src/smtpd/smtpd_peer.c
View File

@@ -337,7 +337,8 @@ void smtpd_peer_init(SMTPD_STATE *state)
* must not be allowed to enter the audit trail, as people would * must not be allowed to enter the audit trail, as people would
* draw false conclusions. * draw false conclusions.
*/ */
aierr = hostname_to_sockaddr(state->name, (char *) 0, 0, &res0); aierr = hostname_to_sockaddr_pf(state->name, state->addr_family,
(char *) 0, 0, &res0);
if (aierr) { if (aierr) {
msg_warn("%s: hostname %s verification failed: %s", msg_warn("%s: hostname %s verification failed: %s",
state->addr, state->name, MAI_STRERROR(aierr)); state->addr, state->name, MAI_STRERROR(aierr));

23
postfix/src/util/myaddrinfo.c
View File

@@ -22,6 +22,13 @@
/* int socktype; /* int socktype;
/* struct addrinfo **result; /* struct addrinfo **result;
/* /*
/* int hostname_to_sockaddr_pf(hostname, pf, service, socktype, result)
/* const char *hostname;
/* int pf;
/* const char *service;
/* int socktype;
/* struct addrinfo **result;
/*
/* int hostaddr_to_sockaddr(hostaddr, service, socktype, result) /* int hostaddr_to_sockaddr(hostaddr, service, socktype, result)
/* const char *hostaddr; /* const char *hostaddr;
/* const char *service; /* const char *service;
@@ -59,6 +66,9 @@
/* result should be destroyed with freeaddrinfo(). A null host /* result should be destroyed with freeaddrinfo(). A null host
/* pointer converts to the null host address. /* pointer converts to the null host address.
/* /*
/* hostname_to_sockaddr_pf() is an extended interface that
/* provides a protocol family override.
/*
/* hostaddr_to_sockaddr() converts a printable network address /* hostaddr_to_sockaddr() converts a printable network address
/* into the corresponding binary form. The result should be /* into the corresponding binary form. The result should be
/* destroyed with freeaddrinfo(). A null host pointer converts /* destroyed with freeaddrinfo(). A null host pointer converts
@@ -100,6 +110,10 @@
/* hostname, or a null pointer (meaning the wild-card listen /* hostname, or a null pointer (meaning the wild-card listen
/* address). On output from sockaddr_to_hostname(), storage /* address). On output from sockaddr_to_hostname(), storage
/* for the result hostname, or a null pointer. /* for the result hostname, or a null pointer.
/* .IP pf
/* Protocol type: PF_UNSPEC (meaning: use any protocol that is
/* available), PF_INET, or PF_INET6. This argument is ignored
/* in EMULATE_IPV4_ADDRINFO mode.
/* .IP hostaddr /* .IP hostaddr
/* On input to hostaddr_to_sockaddr(), a numeric hostname, /* On input to hostaddr_to_sockaddr(), a numeric hostname,
/* or a null pointer (meaning the wild-card listen address). /* or a null pointer (meaning the wild-card listen address).
@@ -274,10 +288,11 @@ static int find_service(const char *service, int socktype)
#endif #endif
/* hostname_to_sockaddr - hostname to binary address form */ /* hostname_to_sockaddr_pf - hostname to binary address form */
int hostname_to_sockaddr(const char *hostname, const char *service, int hostname_to_sockaddr_pf(const char *hostname, int pf,
int socktype, struct addrinfo ** res) const char *service, int socktype,
struct addrinfo ** res)
{ {
#ifdef EMULATE_IPV4_ADDRINFO #ifdef EMULATE_IPV4_ADDRINFO
@@ -408,7 +423,7 @@ int hostname_to_sockaddr(const char *hostname, const char *service,
int err; int err;
memset((char *) &hints, 0, sizeof(hints)); memset((char *) &hints, 0, sizeof(hints));
hints.ai_family = inet_proto_info()->ai_family; hints.ai_family = (pf != PF_UNSPEC) ? pf : inet_proto_info()->ai_family;
hints.ai_socktype = service ? socktype : MAI_SOCKTYPE; hints.ai_socktype = service ? socktype : MAI_SOCKTYPE;
if (!hostname) { if (!hostname) {
hints.ai_flags = AI_PASSIVE; hints.ai_flags = AI_PASSIVE;

16
postfix/src/util/myaddrinfo.h
View File

@@ -154,8 +154,8 @@ typedef struct {
char buf[MAI_SERVPORT_STRSIZE]; char buf[MAI_SERVPORT_STRSIZE];
} MAI_SERVPORT_STR; } MAI_SERVPORT_STR;
extern int hostname_to_sockaddr(const char *, const char *, int, extern int hostname_to_sockaddr_pf(const char *, int, const char *, int,
struct addrinfo **); struct addrinfo **);
extern int hostaddr_to_sockaddr(const char *, const char *, int, extern int hostaddr_to_sockaddr(const char *, const char *, int,
struct addrinfo **); struct addrinfo **);
extern int sockaddr_to_hostaddr(const struct sockaddr *, SOCKADDR_SIZE, extern int sockaddr_to_hostaddr(const struct sockaddr *, SOCKADDR_SIZE,
@@ -168,18 +168,24 @@ extern void myaddrinfo_control(int,...);
#define MAI_STRERROR(e) ((e) == EAI_SYSTEM ? strerror(errno) : gai_strerror(e)) #define MAI_STRERROR(e) ((e) == EAI_SYSTEM ? strerror(errno) : gai_strerror(e))
#define hostname_to_sockaddr(host, serv, sock, res) \
hostname_to_sockaddr_pf((host), PF_UNSPEC, (serv), (sock), (res))
/* /*
* Macros for the case where we really don't want to be bothered with things * Macros for the case where we really don't want to be bothered with things
* that may fail. * that may fail.
*/ */
#define HOSTNAME_TO_SOCKADDR(host, serv, sock, res) \ #define HOSTNAME_TO_SOCKADDR_PF(host, pf, serv, sock, res) \
do { \ do { \
int _aierr; \ int _aierr; \
_aierr = hostname_to_sockaddr((host), (serv), (sock), (res)); \ _aierr = hostname_to_sockaddr_pf((host), (pf), (serv), (sock), (res)); \
if (_aierr) \ if (_aierr) \
msg_fatal("hostname_to_sockaddr: %s", MAI_STRERROR(_aierr)); \ msg_fatal("hostname_to_sockaddr_pf: %s", MAI_STRERROR(_aierr)); \
} while (0) } while (0)
#define HOSTNAME_TO_SOCKADDR(host, serv, sock, res) \
HOSTNAME_TO_SOCKADDR_PF((host), PF_UNSPEC, (serv), (sock), (res))
#define HOSTADDR_TO_SOCKADDR(host, serv, sock, res) \ #define HOSTADDR_TO_SOCKADDR(host, serv, sock, res) \
do { \ do { \
int _aierr; \ int _aierr; \