From 2b650375dffc62825e8c08ff9332fa816318a6a4 Mon Sep 17 00:00:00 2001
From: Wietse Venema
Date: Sun, 8 Mar 2020 00:00:00 -0500
Subject: [PATCH] postfix-3.5.0-RC1
---
postfix/HISTORY | 25 +-
postfix/Makefile.in | 2 +
postfix/RELEASE_NOTES | 177 +--
postfix/WISHLIST | 1046 -----------------
.../auxiliary/name-addr-test/gethostbyaddr.c | 2 +-
.../auxiliary/name-addr-test/getnameinfo.c | 2 +-
postfix/html/lmtp.8.html | 4 +-
postfix/html/postconf.5.html | 2 +-
postfix/html/postsuper.1.html | 2 +-
postfix/html/smtp.8.html | 4 +-
postfix/html/smtpd.8.html | 489 ++++----
postfix/html/tlsproxy.8.html | 4 +-
postfix/makedefs | 2 +-
postfix/man/man1/postsuper.1 | 2 +-
postfix/man/man5/postconf.5 | 2 +-
postfix/man/man8/smtp.8 | 2 +-
postfix/man/man8/smtpd.8 | 7 +-
postfix/man/man8/tlsproxy.8 | 2 +-
postfix/mantools/spelldiff | 23 +
postfix/proto/postconf.proto | 2 +-
postfix/src/cleanup/cleanup_milter.c | 1 +
postfix/src/global/haproxy_srvr.c | 2 +-
postfix/src/global/mail_version.h | 4 +-
postfix/src/global/map_search.c | 8 +-
postfix/src/global/map_search.h | 4 +-
postfix/src/postconf/postconf_master.c | 4 +-
postfix/src/postsuper/postsuper.c | 6 +-
postfix/src/smtp/smtp.c | 2 +-
postfix/src/smtp/smtp_misc.c | 2 +-
postfix/src/smtpd/smtpd.c | 9 +-
postfix/src/smtpd/smtpd_check.c | 2 +-
postfix/src/smtpd/smtpd_expand.h | 5 +
postfix/src/tls/tls_client.c | 10 +-
postfix/src/tls/tls_server.c | 2 +-
postfix/src/tlsproxy/tlsproxy.c | 226 ++--
postfix/src/trivial-rewrite/trivial-rewrite.h | 5 +
postfix/src/util/byte_mask.c | 9 +-
postfix/src/util/vstream_tweak.c | 2 +-
38 files changed, 578 insertions(+), 1526 deletions(-)
delete mode 100644 postfix/WISHLIST
create mode 100755 postfix/mantools/spelldiff
diff --git a/postfix/HISTORY b/postfix/HISTORY
index 1cb5c95c4..e7579aff1 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -12281,7 +12281,7 @@ Apologies for any names omitted. 20060606 Safety: mail receiving daemons (smtpd, qmqpd) now pass - actual client name/addres/helo attributes in addition to + actual client name/address/helo attributes in addition to the attributes used for logging (xforward). This prevents Milter applications from treating qmqpd mail as if it originated locally, and prevents incorrect Milter decisions @@ -13424,7 +13424,7 @@ Apologies for any names omitted. 20070414 - Cleanup: expire cached results from addres rewriting, address + Cleanup: expire cached results from address rewriting, address resolution, and from transport map lookups. Results expire after 30 seconds; short enough that it doesn't freak out people who run the same test repeatedly, and long enough @@ -18499,7 +18499,7 @@ Apologies for any names omitted. endpoint label; better reuse of SASL-authenticated connections over UNIX-domains sockets, however unlikely these may be; a first step towards refinement of connection cache lookup - by IP addres for plaintext or SASL-unauthenticated connections. + by IP address for plaintext or SASL-unauthenticated connections. Files: smtp/smtp.h smtp/smtp_connect.c, smtp/smtp_reuse.c, smtp/smtp_key.c, smtp/smtp_tls_sess.s. @@ -24353,7 +24353,7 @@ Apologies for any names omitted. Safety: vstring_set_payload_size() now checks that the payload has not overwritten the safety terminator at the - end of the VSTRING buffer. File: util/vstream.c. + end of the VSTRING buffer. File: util/vstring.c. 20190813 
@@ -24636,3 +24636,20 @@ Apologies for any names omitted. macros were evaluated before the Postfix-to-Milter connection had been negotiated. Problem reported by David Bürgin. Files: milter/milter.h, milter/milter.c, milter/milter8.c + +20200308 + + Cleanup: spellchecks, attributions. Files: HISTORY, + auxiliary/name-addr-test/gethostbyaddr.c, + auxiliary/name-addr-test/getnameinfo.c, proto/postconf.proto, + global/haproxy_srvr.c, global/mail_version.h, global/map_search.c, + global/map_search.h, postsuper/postsuper.c, smtp/smtp.c, + smtp/smtp_misc.c, smtpd/smtpd.c, smtpd/smtpd_check.c, + smtpd/smtpd_expand.h, tls/tls_client.c, tls/tls_server.c, + tlsproxy/tlsproxy.c, trivial-rewrite/trivial-rewrite.h, + util/byte_mask.c, util/vstream_tweak.c. + + Cleanup: bitrot in tests. File: cleanup/cleanup_milter.c. + + Cleanup: harmless memory leak in postconf. File: + postconf/postconf_master.c. diff --git a/postfix/Makefile.in b/postfix/Makefile.in index fa12b0443..f70bd1444 100644 --- a/postfix/Makefile.in +++ b/postfix/Makefile.in @@ -1,3 +1,5 @@ +# To test with valgrind: +# make -i tests VALGRIND="valgrind --tool=memcheck --log-file=/some/where.%p" SHELL = /bin/sh WARN = -Wmissing-prototypes -Wformat -Wno-comment OPTS = 'WARN=$(WARN)' diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 4136a4a36..001e2092e 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -1,12 +1,12 @@ -This is the Postfix 3.5 (experimental) release. +This is the Postfix 3.5 (stable) release. -The stable Postfix release is called postfix-3.4.x where 3=major -release number, 4=minor release number, x=patchlevel. The stable +The stable Postfix release is called postfix-3.5.x where 3=major +release number, 5=minor release number, x=patchlevel. The stable release never changes except for patches that address bugs or emergencies. Patches change the patchlevel and the release date. New features are developed in snapshot releases. These are called -postfix-3.5-yyyymmdd where yyyymmdd is the release date (yyyy=year, +postfix-3.6-yyyymmdd where yyyymmdd is the release date (yyyy=year, mm=month, dd=day). Patches are never issued for snapshot releases; instead, a new snapshot is released. 
@@ -25,77 +25,30 @@ more recent Eclipse Public License 2.0. Recipients can choose to take the software under the license of their choice. Those who are more comfortable with the IPL can continue with that license. -Major changes with snapshot 20200202 -==================================== +Major changes - multiple relayhost in SMTP +------------------------------------------ -Support to force-expire email messages. This introduces new -postsuper(1) command-line options to request expiration, and -additional information in mailq(1) or postqueue(1) output. +[Feature 20200111] SMTP (and LMTP) client support for a list of +nexthop destinations separated by comma or whitespace. These will +destinations be tried in the specified order. -The forced-to-expire status is stored in a queue file attribute. -An expired message is returned to the sender when the queue manager -attempts to deliver that message (note that Postfix will never -deliver messages in the hold queue). +The list form can be specified in relayhost, transport_maps, +default_transport, and sender_dependent_default_transport_maps. -The postsuper(1) -e and -f options both set the forced-to-expire -queue file attribute. The difference is that -f will also release -a message if it is in the hold queue. With -e, such a message would -not be returned to the sender until it is released with -f or -H. +Examples: +/etc/postfix/main.cf: + relayhost = foo.example, bar.example + default_transport = smtp:foo.example, bar.example. -In the mailq(1) or postqueue(1) -p output, a forced-to-expire message -is indicated with # after the queue name. In postqueue(1) JSON -output, there is a new per-message field "forced_expire" (with -value true or false) that shows the forced-to-expire status. +NOTE: this is an SMTP and LMTP client feature. It does not work for +other Postfix delivery agents. 
-Incompatible changes with snapshot 20191109 -=========================================== +Major changes - certificate access +---------------------------------- -Postfix daemon processes now log the from= and to= addresses in -external (quoted) form in non-debug logging (info, warning, etc.). -This means that when an address localpart contains spaces or other -special characters, the localpart will be quoted, for example: - - from=<"name with spaces"@example.com> - -Older Postfix versions would log the internal (unquoted) form: - - from= - -The external and internal forms are identical for the vast majority -of email addresses that contain no spaces or other special characters -in the localpart. - -Specify "info_log_address_format = internal" for backwards -compatibility. - -The logging in external form is consistent with the address form -that Postfix 3.2 and later prefer for table lookups. It is therefore -the more useful form for non-debug logging. - -Major changes with snapshot 20190615 -==================================== - -This release introduces a workaround for implementations that hang -Postfix while shutting down a TLS session, until Postfix times out. -With "tls_fast_shutdown_enable = yes" (the default), Postfix no -longer waits for a remote TLS peer to respond to a TLS 'close' -request. This behavior is recommended with TLSv1.0 and later. Specify -"tls_fast_shutdown_enable = no" to get historical Postfix behavior. - -Dovecot usability: the SMTP+LMTP delivery agent can now prepend -Delivered-To, X-Original-To and Return-Path headers, just like the -pipe(8) delivery agent. This uses the same "flags=DOR" command-line -flags in master.cf. See the smtp(8) manpage for details. - -This obsoletes the "lmtp_assume_final = yes" setting, and replaces -it with "flags=...X...", for consistency with pipe(8). - -Major changes with snapshot 20190517 -==================================== - -Search order support for check_ccert_access. 
Search order support -for other tables is in design (canonical_maps, virtual_alias_maps, -transport_maps, etc.). +[Feature 20190517] Search order support for check_ccert_access. +Search order support for other tables is in design (canonical_maps, +virtual_alias_maps, transport_maps, etc.). The following check_ccert_access setting uses the built-in search order: it first looks up the client certificate fingerprint, then 
@@ -123,10 +76,84 @@ The check_ccert_access search order also supports the subject_cn and issuer_cn properties. Support is planned for rfc822name and smtputf8mailbox. -Incompatibility with snapshot 20190427 -====================================== +Major changes - dovecot usability +--------------------------------- -Postfix now normalizes IP addresses received with XCLIENT, XFORWARD, -or with the HaProxy protocol, for consistency with direct connections -to Postfix. This may change the appearance of logging, and the way -that check_client_access will match subnets of an IPv6 address. +[Feature 20190615] The SMTP+LMTP delivery agent can now prepend +Delivered-To, X-Original-To and Return-Path headers, just like the +pipe(8) and local(8) delivery agents. + +This uses the "flags=DORX" command-line flags in master.cf. See the +smtp(8) manpage for details. + +This obsoletes the "lmtp_assume_final = yes" setting, and replaces +it with "flags=...X...", for consistency with the pipe(8) delivery +agent. + +Major changes - forced expiration +--------------------------------- + +[Feature 20200202] Support to force-expire email messages. This +introduces new postsuper(1) command-line options to request expiration, +and additional information in mailq(1) or postqueue(1) output. + +The forced-to-expire status is stored in a queue file attribute. +An expired message is returned to the sender when the queue manager +attempts to deliver that message (note that Postfix will never +deliver messages in the hold queue). + +The postsuper(1) -e and -f options both set the forced-to-expire +queue file attribute. The difference is that -f will also release +a message if it is in the hold queue. With -e, such a message would +not be returned to the sender until it is released with -f or -H. + +In the mailq(1) or postqueue(1) -p output, a forced-to-expire message +is indicated with # after the queue name. 
In postqueue(1) JSON +output, there is a new per-message field "forced_expire" (with value +true or false) that shows the forced-to-expire status. + +Major changes - haproxy2 protocol +--------------------------------- + +[Feature 20200112] Support for the haproxy v2 protocol. The Postfix +implementation supports TCP over IPv4 and IPv6, as well as non-proxied +connections; the latter are typically used for heartbeat tests. + +The haproxy v2 protocol introduces no additional Postfix configuration. +The Postfix smtpd(8) and postscreen(8) daemons accept both v1 and +v2 protocol versions. + +Major changes - logging +----------------------- + +[Incompat 20191109] Postfix daemon processes now log the from= and +to= addresses in external (quoted) form in non-debug logging (info, +warning, etc.). This means that when an address localpart contains +spaces or other special characters, the localpart will be quoted, +for example: + + from=<"name with spaces"@example.com> + +Older Postfix versions would log the internal (unquoted) form: + + from= + +The external and internal forms are identical for the vast majority +of email addresses that contain no spaces or other special characters +in the localpart. + +Specify "info_log_address_format = internal" for backwards +compatibility. + +The logging in external form is consistent with the address form +that Postfix 3.2 and later prefer for table lookups. It is therefore +the more useful form for non-debug logging. + +Major changes - IP address normalization +---------------------------------------- + +[Incompat 20190427] Postfix now normalizes IP addresses received +with XCLIENT, XFORWARD, or with the HaProxy protocol, for consistency +with direct connections to Postfix. This may change the appearance +of logging, and the way that check_client_access will match subnets +of an IPv6 address. diff --git a/postfix/WISHLIST b/postfix/WISHLIST deleted file mode 100644 index 1732fddbe..000000000 --- a/postfix/WISHLIST +++ /dev/null 
@@ -1,1046 +0,0 @@ -Wish list: - - nbbio: exercise the sanity checks with fake msg(3) functions. - - optreset (bsd-ism) how badly do we need it? - - transport policy protocol (clone of check_policy). - - See also postscreen event-driven client for policy delegation - below. - - smtp_line_length_limit can insert a line break in the middle - of a multi-byte character (which is not necessarily UTF-8, - so we can't simply look at the 8th bit). Also, note that a - multi-byte character may span queue file record boundaries, - for example if line_length_limit == smtp_line_length_limit. - The only way to fix this is to make the smtp_text_out() - routine aware of every possible multi-byte encoding. - - Replace ad-hoc code for pipe(8) flags handling, with - infrastructure that was built for smtp(8). - - Things to do before the stable release: - - Spell-check, double-word check, HTML validator check, - mantools/missing-proxy-read-maps check. - - Disable -DSNAPSHOT and -DNONPROD in makedefs. - - Move map descriptions from postconf(1) to DATABASE_README - and point there. The text in DATABASE_README is less complete - than that in postconf(1). - - make tls_pre_jail_init() safe by design for use in programs - that implement both clients and servers. - - In smtpd(8) and postscreen(8), set the ehlo_discard_mask - to ~0 so that STARTTLS, BDAT, DSN, etc. work only for clients - that send EHLO. - - Wordsmithing: "replace by X" -> "replace with X" unless X - is "responsible" for making the substitution. - - In postscreen, don't fork after 'postfix reload' when - psc_check_queue_length (and psc_post_queue_length?) is zero. - - After I/O error, store errno in VSTREAM object before errno - may be overwritten. - - Add some tips for logging from container: - https://www.projectatomic.io/blog/2016/10/playing-with-docker-logging/; - syslog_name = $myhostname/postfix; mkdir queue and data - dir; postfix check to create queue subdirectories. - - Add postwhite as a postscreen-related project. 
- https://github.com/stevejenkins/postwhite/blob/master/README.md - - XFORWARD attributes in policy protocol? - - Document postsrsd and postforward for srs-ifying. Would - more fine-grained smtp_generic_maps support help? - - Decide whether to deprecate database configuration pathnames - that start with ".", for example, ldap:./file/name. These forms - are documented for ldap:, memcache:, mysql:, pgsql:, and sqlite: - maps. Postfix daemon processes will look up files relative to the - queue directory, but with postmap command-line processes it would - be more natural to interpret relative pathnames relative to the - current directory of the calling process (it would be a surprise - if "postmap hash:./foo" would access "/var/spool/postfix/foo", - or if "postmap hash:foo" and or "postmap hash:./foo" would access - different files). - - Convert postalias(1) to store external-form keys, and convert - aliases(5) to perform external-first lookup with fallback to - internal form, to make it consistent with the rest of Postfix. - In several years we may remove the internal-form fallbacks - with a compatibility_level safety net. - - In the bounce daemon, set util_utf8_enable if returning an - SMTPUTF8 message. This is wrong; if SMTPUTF8 is disabled, - then Postfix must not turn it on. - - Add a header_body_checks extension callback in smtp_proto.c - that implements the PASS action. - - Propagate SMTPD_PEER_CODE_XXX from smtpd(8) to cleanup(8), - so that {client_resolve} and {_} produce consistent results. - - NO_IP_CYRUS_SASL_AUTH should be a main.cf parameter. - - Modeline support in config files to enable/disable trailing - #comment, and to give hints about how to handle an LHS or - RHS. This will not preserve trailing comments in lines that - are modified with "postconf -e" and the like. - - Maintainability: replace lengthy libmilter-API argument lists - with named parameters, as with the libtls API. - - Fix buflen integer overflow detection in dict*sql.c. 
- - Fix "make test" bitrot. - - Move DNS-based tests from porcupine.org to postfix.org, or use - a mock DNS library (a library that presents the same API as the - real library, but that produces canned responses). - - Document dns_ncache_ttl_fix_enable use case in POSTSCREEN_README - and RELEASE_NOTES. - - Remove this file from the stable release. - - Things to do after the stable release: - - Specify WARN_UNUSED_RESULT for all library functions that - pass, deliver, bounce or defer a delivery request. - - Invent some kind of type-checking wrappers for htable(3), - ctable(3) and other modules that take and return a void* - pointer. We already did that for variadic functions. - - TLS certificate provenance: indicate whether a subject - name/issuer are verified or not (for example, change the - attribute name to unverified_ccert_subject etc.). This is - relevant only for fingerprint-based authentication including - DANE, and affects logging, SMTPD policy, and Milters. - - Generalize the daemon '-S' stand-alone mode, so that it can - be used with custom configuration settings for request/reply - regression testing. This would use the existing "-o name=value" - support to override parameters. For example, queue_directory - would point to a directory with sockets for fake versions of - Postfix-internal services. - - Update the list of Sendmail macros that Postfix can send - to Milters (auth_ssf and TLS-related). - - Update smtpd command count when rejecting or skipping input - before command-table lookup. But then we need to count - commands that are rejected (malformed UTF-8, tokenizer - error, forbidden command), or skipped (noop). - - What is the best place to detect spaces in pathnames during - installation/upgrade/packaging? postfix-install for early - warning, and post-install as a safety net? 
- - When the service basename differs from the program file - basename, either prepend the service name to the syslogname (as - if syslog_name=postfix/service/program), or prepend the service - name to the process name (perhaps too confusing). The service - indication is desirable for mail delivery transports (smtp - versus relay) as it identifies what scheduler parameters are - in effect, but it is also desirable for mail receiving services - (smtp versus submission verus smtps as configured in the stock - master.cf file). This requires exceptions for some program names - (exclude smtpd to avoid logging postfix/smtp/smtpd which could - result in more confusion, and maybe other program names). - - UTF8 DNS[BW]L domain name. - - Consolidate maps flags in mail_params.h instead of having - multiple copies scattered across programs. - - Try to allow UTF-8 myhostname/mydomain, at least in bounce - template expansion. - - In the SMTP server, do not issue an enhanced status code when - rejecting a connection before the HELO handshake is completed. - - Maybe don't whitelist a client that has maxed out its - per-MTA connection count limit. - - Inline support for pcre:{/pattern/=action, ...} and ditto - support for regexp: and cidr: tables. Factor out and reuse - code that already exists in inline: and other tables. - - Log command=good/bad statistics in postscreen? - - smtpd_checks tests either must use a DNS dummy resolver - (override the res_search API) or all names must be under - test.postfix.org (but that does not work for address->name - lookups, and cannot simulate some errors). - - Reporting the original Message-ID in a bounce message - In-Reply-To: or References: header. In the cleanup daemon, - grab a copy of the Message-ID and export it along with other - header-extracted information at the top of the "extracted" - queue file segment. 
In the queue manager, extract this - along with other header-extracted information, and forward - the Message-ID in the bounce server notification request. - - Clobber ORCPT when sender is owner-mumble? - - Add milter_mumble_macros to the list of per-macro features. - - The pickup daemon logs warnings only when the cleanup daemon - dit not provide a "reason" attribute. Is this logic right? - - up-convert myhostname to UTF-8 in MIME boundary strings? - - Eliminate code duplication between pcf_print_master_field() - and pcf_print_master_entry(). - - Error reporting: see if pcf_check_master_entry() and children - can return error descriptions instead of terminating with - a fatal error. - - Add a switch to consider postscreen deep protocol tests as - "completed" when receiving "RSET" after "RCPT TO" and the - session has passed all tests up to that point. RSET becomes - like QUIT except perhaps that it does not hang up. - - apipe: map, splits results into address lists and performs - lookups for the invidual addresses, converting back and - forth between external and internal forms. - - Clarify that receive_override_options have no effect with - smtpd_proxy_filter. - - Document the relative order of header_checks, address - rewriting, milters. - - NOT: Table-driven case folding and case-insensitive string - comparison specifically for UTF-8. Use libicu functions - instead. - - When downgrading message/global to 7bit, is quoted-printable - the appropriate encoding? Should it be base64? - - Should we encode headers with RFC 2047, when that is the - only reason that Postfix cannot deliver to a non-UTF8SMTP - server? Probably not in the general case. What about - Postfix as a gateway server that converts UTF8SMTP - for delivery to non-UTF8SMTP environments? - - Document and test restriction_classes example for - smtpd_policy_service_default_action. - - Don't accept AUTH or other features that are not announced - in the EHLO response. 
- - Suggested at Mailserver conference: Postscreen RDNS-based - reputation (but this makes postscreen performance highly - unpredicable because it introduces a dependency on random - DNS servers). - - Suggested at Mailserver conference: a way to select a - specific field in a table, presumably as the result value. - This may be done with a filtermap{i,j,...}: table that propagates - only the specified field(s). - - Discourage the use of "after 220" tests in POSTSCREEN_README - and the documentation of individual parameter settings. - - To un-break "make tests" under src/smtpd, make tests - independent from the DNS and native routines for host - name/address lookup. - - Make been_here flag BH_FLAG_FOLD configurable for masochists. - - Replace some redundant TLS_README sections with pointers - to FORWARD_SECRECY_README. - - Move html/index.html source to proto/. - - How hard is it to follow canonical or virtual mapping - for the purpose of address validation? We must never - reject a valid address. - - Preserve case in smtpd_resolve_addr() and add a structure - member for the case-folded address. IIRC some Milter macro - needs to show the unfolded address. - - Per SASL account rate limits. This requires new infrastructure - that maintains stats by SASL account instead of client IP - address. - - Watchdog timer in postmap/postalias. - - Begin code revision, after DANE support stabilizes. This - should be one pass that changes only names and no code. - - recipient_delimiters = $recipient_delimiter for BC - - All source code must specify its original author and - license statement. Some code modules specify Lutz Jaenicke - as the original author and fall under his liberal license. - Code that is added to such a module has the same license - (or at least something that is not more restrictive). Code - modules without input from Lutz Jaenicke must state its - original author and license (preferably no more restrictive - than Postfix's own license). 
Currently, too many files list - Wietse as the original author, and Lutz Jaenicke's license, - which is wrong. - - We have smtp_host_lookup, smtp_dns_resolver_options, and - now smtp_dns_support_level. Of these, smtp_dns_resolver_options - is orthogonal but the rest has overlap. - - There needs to be support for automatic migration from the - deprecated disable_dns_lookups feature to the preferred - smtp_dns_support_level feature. This support needs to exist - for several releases before the deprecated feature can be - removed. - - End code revision, after DANE support stabilizes. - - It would be nice if "bare username" lookup is not hard-coded - for domains in the local address class. - - Don't forget Apple's code donation for fetching mail from - IMAP server. - - Should postconf -o refuse to work without the -x option? - - Make 30s caching (feature 20070414) configurable, such that - 0 means no caching. - - Make errno white/blacklist for getpwnam_r etc. and mailbox - write errors. - - smtpd_muble_restrictions rule names are case-insensitive. - restriction_classes values are case-sensitive but should - be case-insensitive for consistency with smtpd_muble_restrictions. - - Make "rename" the default when postmapping a DB file - (later: use copy+rename for postmap -i, postmap -d). - - Service-name parameters aren't documented in daemon manpages. - - When faking up the DSN ORCPT, don't send bare usernames - from local command-line submission. - - lmtp_assume_final is broken. A 2XX response does not imply - final delivery. The Sieve language implements accept-then-bounce. - - postscreen event-driven plug-in interface to send out a - query in parallel with the Pregreet and DNSBL tests, using - a simplified version of the policy delegation protocol. - - Parallelized queue preprocessing: rip out the queue manager - code to read queue files and resolve recipients, and run - it in parallel processes. The queue manager then processes - their results as they become available. 
This would eliminate - the qmgr<->trivial-rewrite bottleneck. This can also eliminate - much of the scheduling disadvantage of a single queue manager - compared to hundreds of mail receiving or sending processes - (especially if there is a way to scan the queue in parallel). - - Memory pools for same-type memory objects. This can be - used to either increase memory locality for frequently-allocated - objects (MRU allocation) or to make use-after-free bugs - more detectable (use LRU allocation and wipe the object - immediately after free(). Finally, same-type memory pools - prevent object type errors with use-after-free bugs. - - "no-cache" option for selected postscreen tests? - - Need a new DICT flag to indicate that a map handle supports - locking. If it doesn't (as with memcache or proxymap - handles), then postscreen etc. don't need to close a cache - file after "postfix reload". After a fork() it is OK to - keep using a memcache or proxymap handle, because the parent - exits immediately. For this to work, the memcache client - needs to propagate the flag from a persistent backup map, - but the proxymap protocol should not propagate this to the - client. - - Different TTL values for different DNSBL sources? - - Replace master(8) SIGHUP by very simple socket protocol to - allow reload of a specific service. - - postscreen: in the dummy SMTP engine, log the protocol state - at time of violation (like smtpd, set state->where initially - to CONNECT, then update it with the name of the last "known" - command, or set it to "unimplemented"). - - The discussion of postscreen cache configuration is in the - wrong place (how whitelisting works). Move it to the section - about configuring postscreen. - - Before proxymap can be exposed to the network (primarily - to share postscreen or verify caches), need to enforce - limits on attribute string name and value length in IPC - protocols. 10-20KB seems OK. 
We need to enforce content - sanity checks (for example, no control characters; Postfix - does not pass around multi-line data in table lookups). The - VSTREAM library already supports read/write deadlines. We - need to use attack-resistant code for numeric conversion. - - move flush_init() etc. from defer service clients to the - bounce daemon? Postfix works best when work can be spread - out over many clients, instead of over a few servers. - - multi_connect() function that takes a list of inet:host:port - and/or unix:pathname specs, with an explicit "inet" prefix - argument to handle applications that use host:port only. - This will simplify multi-host implementation for memcache - client, dovecot client, and other. - - dict_memcache: treat "bad" key as cache miss, i.e. read/write - the backup database as if the cache did not exist. This - does not help because most Postfix maps (virtual, canonical, - access, transport, ...) also don't support spaces in keys. - - postscreen: keep the cache open after "postfix reload" when - it is remote (type memcache: or proxy:). This does not work - because memcache can use a non-proxied file as backup). - - What is the feasibility of adding an mta_name (personality) - attribute that is propagated via queue files and delivery - agent requests? It would default to myhostname. - - Major performance improvement opportunity (that is until - everyone runs Postfix queues on SSDs). Investigate the - viability of a daemon that produces incoming and postdrop - queue files on request (in reality it would maintain a - limited queue of "spare" files). Central queue file allocation - reduces the I/O performance disadvantage that qmgr has when - 100 smtpd processes are receiving mail, or when lots of - mail is submitted with the sendmail command line. When an - smtpd process accepts MAIL FROM, a cleanup daemon requests - a queue file and receives a queue ID + file handle from the - queue file daemon. 
If the queue file daemon is down, the - cleanup daemon creates the file itself like it does now; - this can be hidden in the mail_stream library module. If - the mail transaction is aborted, then the cleanup daemon - gives the queue file back to the queue file daemon's "spare" - file pool, saving most of the overhead of creating and - deleting a queue file (the file would still need to be - renamed at the start of the next mail transaction). If the - cleanup daemon is unable to give a file back, then it can - delete the file like it does now; this can be hidden in the - mail_stream library module. The whole thing can be - transparently added to Postfix by adding calls to a - queue-file-service client to the mail_queue_enter() and - mail_queue_remove() library routines. Other advantages: - 1) negligible performance hit when queue file allocation - happens earlier, so that logging and milters have a queue - ID for the whole transaction not just the first valid - recipient; 2) by not removing every queue files we get most - of the performance gain of a queue based on append/truncate - instead of the much more expensive create/delete. - - Investigate viability of Sendmail dns maps. - - Make the rules for how to use close-on-exec more explicit. - - Provide separate timeout control for dict_proxy client, - rewrite client, resolve client, cleanup client, and so on. - Perhaps a timeout argument to the mail_connect() routines. - - Trick from amavisd: save listen socket/fifo/etc state, clear - their close-on-exec flags, exec the same program file to - re-initialize (with saved socket state on command line or - in environment), then restore the listen socket/fifo/etc - close-on-exec flags. This could be a way to mitigate the - impact of memory/file leaks, and to implement "postfix - reload" support for master(8) features that currently don't - support this. - - Sub-second time resolution. The first benefit is to make - per-destination rate delays more usable. 
Other applications - will come up once the support exists. The straightforward - approach is to represent all time intervals in milliseconds, - and to update all code that makes system calls with a time - argument (as well as the compiled-in upper and lower time - parameter bounds, which are currently in seconds). - Unfortunately, that limits he maximum time interval to less - than 25 days on 32-bit systems, and is likely to break - compatibility (for starters, it cannot even deal with the - compiled-in 100d upper bound on the queue file lifetime). - A second option is to have a "compatibility" time base - switch between milliseconds and seconds; this means extra - changes to all code that makes system calls with a time - argument, and the way that the compiled-in upper and lower - bounds are specified. Some of this can be encapsulated in - macros like time_to_sec(t), time_to_msec(t) and sec_to_time(t). - Finally, it is relatively easy to replace the events(3) - interface to use "double" for the time delay arguments, but - it is a major pain to convert all main.cf time parameters - into doubles (converting only some leads to a documentation - nightmare). - - Address verify cache: allow a negative cache "refresh" - result to purge a "positive" cache entry in some safe manner. - Currently, the negative cache "refresh" result is discarded, - address verify cache lookup returns OK, and each lookup - forces a "refresh" probe until the entry expires. - - Some Sendmail configurations trigger sub-optimal behavior - when the postscreen_whitelist_interfaces parameter lists - primary MX addresses only. When postscreen's "deep protocol - tests" are successful on the primary MX address (i.e. they - result in 4XX responses to RCPT TO), some Sendmail - configurations keep the primary MX connection open until - AFTER they finish talking to the backup MX address. 
The - problem is that the backup connection runs into a WHITELIST - VETO condition because the whitelisting database has not - yet been updated with the PASS NEW result for the primary - MX connection. Unfortunately postscreen can't update the - whitelisting database before the primary MX connection is - closed, because a client may still make a mistake. - - In the SMTP server, check if the connection is closed before - replying to ".", and discard the message if the reply can't - be sent. This reduces the time window for RFC 1047 message - duplication, and may even prevent the delivery of some spam. - http://www.exim.org/lurker/message/20070416.103159.9d5ff0ce.en.html - This requires splitting the SMTP server's commit operation - into two operations: first, a tentative commit operation - that performs most of the I/O and processing in milters and - in the cleanup server; second, a final commit operation - that is executed only if the remote SMTP client hasn't hung - up in the mean time. Unfortunately, SMTP-based before-queue - content filters don't support a tentative commit operation. - - Find out how to reproduce Berkeley DB bogus ENOENT errors. - postscreen does not log this with Berkeley DB 1 (FreeBSD - 4..8), 4.7.25 (Ubuntu 9.04) and 4.8.24 (Ubuntu 10.04). - - postconf command-line option to show the compile-time - settings (CCARGS, AUXLIBS) in case binary packages - don't install the makedefs.out file. - - events.c: cache the side effects of file descriptor event - enable/disable operations in user space, and do bulk kernel - updates at event_loop() time. This can eliminate costly - system calls with successive event disable/enable operations - on the same file descriptor. This can also eliminate the - need for tricky code that tries to avoid the expense of - successive disable/enable operations. Such code is likely - to introduce bugs. - - When does it pay off to send domains in the active queue - to a DNS prefetch daemon? 
Could this generalize to a dynamic - transport map that piggy-backs domains with the same MX - host into the same mail delivery transaction? - - tlsproxy(8) should receive TLS preferences from postscreen(8) - and smtpd(8), instead of reading them from main.cf. This - means that many tlsproxy_ parameters become postscreen_ - parameters, and that tls_server_init() parameters move to - to tls_server_start(). That is a significant API change. - It also means tlsproxy can't open all files before chroot(). - - anvil rate limit for sasl_username. - - Encapsulate nbbio buffer access and update by tlsproxy. - - Full-duplex support for tlsproxy(8). This requires updating - events(3) and nbbio(3). - - Register automagic destructor for object attached to VSTREAM. - - Use different ipc time limits for email message transactions - (smtpd, pickup)->cleanup and for quick query/reply transactions - such as address rewriting/resolution. Beware of large time - limits for local or virtual alias expansion. - - permit_tempfail_action (default: defer_if_reject) to be - used as the default value for dnswl_tempfail_action and - rhswl_tempfail_action. Steal liberally from the code that - implements unverified_recipient_tempfail_action etc. - - Support filtering of messages that are generated by Postfix: - This would apply to postmaster notices and bounce messages - (DKIM), and address verification (BATV). - - Consistency: in postconf.proto make
..
tags bold. - - Would it help if there were different cleanup_service - parameter names for different message paths? smtpd(8) uses - the same cleanup_service value for receiving remote mail - and for submitting postmaster problem reports. Do we need - separate mumble_cleanup_service_name parameters for "inject", - "notify" and "forward" (with backwards compatible defaults)? - - IF/ENDIF support for CIDR tables. - - Need a regular expression table to translate address - verification responses into hard/soft/accept reply codes. - - Is there a way to make sendmail -V work after local alias - expansion? Majordomo-like mailing lists would benefit from - this; the example in VERP_README does not work in the general - case. - - When an alias is a member of an :include: list with owner- - alias, local(8) needs an option to deliver alias or alias->user - indirectly. What happens when an :include: list with owner- - alias includes another list? - - Don't allow empty result values in pcre and regexp maps. - Postfix doesn't allow them anywhere else (check this). - - Make PCRE_MAX_CAPTURE configurable. - - Add some checks for tokens starting with #. A challenge - is to report sensible context from the guts of some low-level - parser, without introducing a great deal of clumsiness. - - Add sendmail macros for {verify} and maybe other TLS info. - - Find out if we are doing the correct thing by looking at - state->milter_reject_text when expanding {rcpt_addr} or - {rcpt_host}. - - Find out why post_mail() etc. block when the qmgr fifo is - full (answer: trigger_timeout). How can this cause delays - in the queue manager? When a recipient bounces during - (transport, nexthop, address) resolution, it is redirected - to the error or retry mailer; and bounce-after-delivery is - asynchrounous so it can't block the queue manager, either. 
- - How to ensure that proxy_read_maps is processed after all - its dependencies are initialized, or just bite the bullet - and rewrite the parameter initialization code. - - The cleanup virtual alias expansion limit does not really - deliver on its promises. 1) It promises to truncate the - result without aborting delivery, which would be undesirable - anyway, but that is not what it does, so that is good. 2) - It keeps all the recipients from multi-recipient database - lookup, then terminates further recursion when the result - exceeds the expansion limit. This behavior achieves the - original goal that all things shall have a finite size (even - though but we don'really care how large they are) but may - result in surprises when recipients are listed in virtual - alias domains or need expansion for other reasons. In a - phone call with Victor, a reasonable way out is to set the - limit to some large number (100000) and abort delivery when - the result exceeds the limit. - - Should the postscreen save permanent white/black list lookup - results to the temporary cache, and query the temporary - cache first? Skipping white/black list lookups will speed - up the handling of "good" clients without a permanent - whitelist entry. Of course, this means that updates to the - white/black lists do not immediately take effect. Workarounds: - 1) use a shorter temporary cache TTL for clients on the - permanent black/white lists; 2) ignore cached white/black - list lookup results after "postfix reload"; 2) adjust the - logging, for example "WHITELISTED address (cached)" and - "BLACKLISTED address (cached)" to eliminate surprises. - Comparing the cache entry time with the white/blacklist - file modification time is not foolproof: for example, pcre - or CIDR tables are read only once. 
- - It would be nice if the generic dict_cache(3) cache manager - could postpone process suicide until cache cleanup is - completed (but that is not possible when postscreen forks - into the background to finish already-accepted connections, - and it is not desirable when a host is being shut down). - - When postscreen drops a connection, a 521 "greeting" should - be of the form "521 servername..." and not have an enhanced - status code. The "521 5.7.1" form can be used after EHLO. - Of course no spammer is going to complain about Postfix - SMTP compliance. - - Find a place to document all the mail routing mechanisms - in one place so people can figure out how Postfix works. - - The access map BCC action is marked "not stable", perhaps - because people would also expect BCC actions in header/body_checks. - How much would it take to make the queue file editing code - generally usable? - - Move smtpd_command_filter into smtpd_chat_query() and update - the session transcript (see smtp_chat_reply() for an example). - - SMTP connection caching without storing connections, to - improve TLS mail delivery performance. - - Should not milter8_mail_event() unset the "hold" default - reply? Better, the default reply should not be used for - this purpose. - - Don't send MASTER_STAT_TAKEN/MASTER_STAT_AVAIL when a server - runs with process limit of 1. But this means the master - never learns that the process is successful and will always - pause $service_throttle_time before restarting a failed service. - - Don't bother maintaining a per-service lockfile when a - server runs with process limit of 1. The purpose of the - lockfile is to avoid thundering herd problems when the kernel - wakes up multiple processes for each new client connection. - - Implement PREPEND action for milter_header_checks. Save the - to-be-prepended text to buffer, then emit it along with the - new header. - - Fix the header_body_checks API, so that the name of the map - class (e.g. 
milter_header_checks) is available for logging. - - Fix the mime_state and header_body_checks APIs, so that - they use VSTRINGs. This simplifies REPLACE actions. - - Update FILTER_README for multi-instance support, and rename - the old document to FILTER_LEGACY_README. - - Need to sign delivery status notifications, to avoid surprises - when eventually people start enforcing DKIM etc. signatures. - - Either document or remove the internal_mail_filter_classes - feature (it's disabled by default). - - Make the "unknown recipient" test configurable as - first|last|never, with "yes"=="last" for backwards - compatibility. The "first" setting is good for performance - (stress=yes) when all users are defined in local files; but - it may perform worse when users are in networked tables. - - Cleanup: make DNSBL query format configurable beyond the - client's reversed IP address. - - With 'final delivery' in the LMTP client, need an option - to also add delivered-to and other pipe(8) features. This - requires making mail_copy() functionality available in - non-mailbox context. - - Cleanup: modernize the "add missing 
From: header" code, to - ``phrase '' form. Most likely, quote the entire phrase - if it contains any text that is special, then rfc822_externalize - the whole thing. - - SMTP server: make the server_addr and server_port available - to policy server, Dovecot, and perhaps Milters. - - Med: local and remote source port and IP address for smtpd - policy hook. - - Maybe change maps_rbl_reject_code default to 521, and - update wording in STRESS_README. - - Encapsulate time_t comparisons so that they can be made - system dependent (use difftime() where available). - - Encapsulate time_t conversions (e.g. REC_TYPE_TIME) so that - they can be made system dependent. - - Plan for time_t larger than long, or wait for LP64 to - dominate the world? - - Make "AUTH=<>" appendage to MAIL FROM configurable, enabled - by default. - - To support ternary operator without a huge parsing effort, - consider ${value?{xxx}:{yyy}} where ${name} is existing - syntax, and where ?{text} and :{text} are new syntax that - is unlikely to break existing configurations. Or perhaps - it's just too ugly. - - Write delivery rate delay example (which _README?) and auth - failure cache example (SASL_README). Then include them in - SOHO_README. - - Look for alternatives for the use of non_smtpd_milters. - This involves some way to force local submissions to go - through a local SMTP client and server, without triggering - "mail loops back to myself" false alarms. The advantage is - that it makes smtpd_mumble_restrictions available for local - and remote mail; the disadvantage is that it makes local - submissions more dependent on networking. One possibility - is to use "pickup -o content_filter=smtp:127.0.0.1:10025", - or a dedicated SMTP client/server on UNIX-domain sockets; - we could also decide to always suppress "mail loop" detection - for loopback connections. 
Another option is to have the - pickup or cleanup server drive an SMTP client directly; - this would require extension of the mail_stream() interface, - plus a way to handle bounced/deferred recipients intelligently, - but it would be at odds with Postfix design where delivery - agents access queue files directly; exposing delivery agents - to raw queue files violates another Postfix design principle. - - Consolidate duplicated code in *_server_accept_{pass,inet}(). - - Consolidate duplicated code in {inet,unix,upass}_trigger.c. - - In the SMTP client, handle 421 replies in smtp_loop() by - having the input function raise a flag after detecting 421 - (kill connection caching and be sure to do the right thing - with RSET probes), leave the smtp_loop() per-command reply - handlers unchanged, and have the smtp_loop() reader loop - bail out with smtp_site_fail("server disconnected after - %s", where), but only in the case that it isn't already in - the final state. But first we need to clean up the handling - of do/don't cache, expired, bad and dead sessions. - - Combine smtpd_peer.c and qmqpd_peer.c into a single function - that produces a client context object, and provide attribute - print/scan routines that pass these client context objects - around. With this, we no longer have to update multiple - pieces of code when a client attribute is added. Ditto for - SASL and TLS context. - - Don't log "warning: XXXXX: undeliverable postmaster - notification discarded" for spam from outside. - - Really need a cleanup driver that allows testing against - Milter applications instead of synthetic events. This would - have to provide stubs for clients that talk to Postfix - daemon processes. See if this approach can also be used for - other daemons. - - smtpd(8) exempts $address_verify_sender from access controls, - but it doesn't know whether cleanup(8) or delivery agents - modify the sender. 
Would it be possible to "calibrate" this - exemption, perhaps by having delivery agents pass the probe - sender to the verify server, keeping in mind that the probe - sender may differ per delivery agent due to output rewriting. - - Update attr_print/scan() so they can send/receive file - descriptors. This simplifies kludgy code in many daemons. - - Would there be a problem adding $smtpd_mumble_restrictions - and $smtpd_sender_login_maps to the default proxy_read_maps - settings? - - Remove defer(8) and trace(8) references and man pages. These - are services not program names. On the other hand we have - man pages for lmtp(8) and smtp(8), but not for relay(8). - Likewise, retry(8) does not have a man page. - - Bind all deliveries to the same local delivery process, - making Postfix perform as poorly as monolithic mailers, but - giving a possibility to eliminate duplicate deliveries. - - Maybe declare loop when resolve_local(mxhost) is true? - - Update message content length when adding/removing headers. - - Need scache size limit. - - REDIRECT should override original recipient info, and - probably override DSN as well. - - Update FILTER_README with mailing list suggestions to tag - with a badness indicator and then filter down-stream. - - Make null local-part handling configurable: either expand - into mailer-daemon (current behavior) or disallow (strict - behavior, currently implemented only in the SMTP server). - - Add M flag (enable multi-recipient delivery) to pipe daemon. - - The usage of TLScontext->cache_type is unclear. It specifies - a TLS session cache type (smtpd, smtp, or lmtp), but it is - sometimes used as an indicator that TLS session caching is - unavailable. In reality, that decision is made by not - registering call-back functions for cache maintenance. - - Postfix TLS library code should copy any strings that it - receives from the application, instead of passing them - around as pointers. TLScontext->cache_type is a case in - point. 
- - Are transport:nexthop null fields the same as in the case - of default_transport etc. parameters? - - Don't lose bits when converting st_dev into maildir file - name. It's 64 bits on Linux. Found with the BEAM source - code analyzer. Is this really a problem, or are they just - using 64 bits for upwards compatibility with LP64 systems? - - Do or don't introduce unknown_reverse_client_reject_code. - - Check that "UINT32 == unsigned int" choice is ok (i.e. LP64 - UNIX). - - Tempfail when a Milter application tries to negotiate content - access, while it is configured in an SMTP server that runs - before the smtpd_proxy filter. - - Log DSN original recipient when rejecting mail. - - Keep whitespace between label and ":"? - - Make the map case folding/locking options configurable, if - not at run-time then at least at compile time so we get - consistent behavior across applications. - - Investigate what it would take to eliminate oqmgr, and to - make the old behavior configurable in a unified queue - manager. This would shave another 2.7 KLOC from the source - footprint. - - Document the case folding strategy for match_list like - features. - - Eliminate the (incoming,deferred)->active rename operation. - This requires an in-memory hash of queue file names to avoid - duplicate open() operations. - - Softbounce fallback-to-ISP for SOHO users. This heuristic - assumes that when direct-to-MX delivery fails with 5XX, - delivery via the ISP may still succeed. This could be - implemented by enabling soft bounces for destinations other - than the smtp_fallback_relay. So the only benefit of this - over the existing soft_bounce feature is that it has no - effect on smtp_fallback_relay deliveries. - - Centralize main.cf parameter input so that defaults work - consistently. What about parameter names that are prefixed - with mail delivery transport names? 
- - Fix default time unit handling so that we can have a default - bounce lifetime of $maximal_queue_lifetime, without causing - panics when a non-default maximal_queue_lifetime setting - includes no time unit. - - After the 20051222 ISASCII paranoia, lowercase() lowercases - ASCII text only. - - Privacy: remove local command/pathname details from remote - delivery status reports, and log them via local msg_warn(). - - Is it safe to cache a connection after it has been used for - more than some number of address verification probes? - - Try to recognize that Resent- headers appear in blocks, - newest block first. But don't break on incorrect header - block organization. - - Hard limits on cache sizes (anvil, specifically). - - Laptop friendliness: make the qmgr remember when the next - deferred queue scan needs to be done, and have the pickup - server stat() the maildrop directory before searching it. - - Low: replace_sender/replace_recipient actions in access - maps, so they can be used in policy servers? - - Low: configurable order of local(8) delivery methods. - - Med: smtp_connect_timeout_budget (default: 3x smtp_connect_timeout) - to limit the total time spent trying to connect. - - Med: transform IPv4-in-IPv6 address literals to IPv4 form - when comparing against local IP addresses? - - Med: transform IPv4-in-IPv6 address literals to IPv4 form - when eliminating MX mailer loops? - - Med: Postfix requires [] around IPv6 address information - in match lists such as mynetworks, debug_peer_list etc., - but the [] must not be specified in access(5) maps. Other - places don't care. For now, this gotcha is documented in - IPV6_README and in postconf(5) with each feature that may - use IPv6 address information. The general recommendation - is not to use [] unless absolutely necessary. 
- - Med: the partial address matching of IPv6 addresses in - access(5) maps is a bit lame: it repeatedly truncates the - last ":octetpair" from the printable address representation - until a match is found or until truncation is no longer - possible. Since one or more ":" are usually omitted from - the printable IPv6 address representation, this does not - really try all the possibilities that one might expect to - be tried. For now, this gotcha is documented in access(5). - - Low: reject HELO with any domain name or IP address that - this MTA is the final destination for. - - Low: should the Delivered-To: test in local(8) be configurable? - - Low: make mail_addr_find() lookup configurable. - - Low: update events.c so that 1-second timer requests do not - suffer from rounding errors. This is needed for 1-second - SMTP session caching time limits. A 1-second interval would - become arbitrarily short when an event is scheduled just - before the current second rolls over. - - Low: configurable internal/system locking method. - - Low: add INSTALL section for pre-existing Postfix systems. - - Low: add INSTALL section for pre-existing RPM Postfixes. - - Low: disallow smtpd_recipient_limit < 100 (the RFC minimum). - - Low: noise filter: allow smtp(8) to retry immediately if - all MXes return a quick ECONNRESET or 4xx reply during the - initial handshake. Retry once? How many times? - - Low: make post-install a "postfix-only script" so it can - take data from the environment instead of main.cf. - - Low: randomize deferred mail backoff. - - Med: separate ulimit for delivery to command? - - Med: postsuper -r should do something with recipients in - bounce logfiles, to make sure the sender will be notified. - To be perfectly safe, no process other than the queue manager - should move a queue file away from the active queue. - - This could involve tagging a queue file, and use up another - permission bit (postsuper tags a "hot" file, qmgr requeues it). 
- - Low: postsuper re-run after renaming files, but only a - limited number of times. - - Low: smtp-source may block when sending large test messages. - - Med: find a way to log the sender address when MAIL FROM - is rejected due to lack of disk space. - - Low: revise other local delivery agent duplicate filters. - - Low: all table lookups should consistently use internalized - (unquoted) or externalized (quoted) forms as lookup keys. - smtpd, qmgr, local, etc. use unquoted address forms as keys. - cleanup uses quoted forms. - - Low: have a configurable list of errno values for mailbox - or maildir delivery that result in deferral rather than - bouncing mail. What about "killed by signal" exits? - - Low: after reorganizing configuration parameters, add flags - to all parameters whose value can be read from file. - - Medium: need in-process caching for map lookups. LDAP servers - seem to need this in particular. Need a way to expire cached - results that are too old. - - Low: generic showq protocol, to allow for more intelligent - processing than just mailq. Maybe marry this with postsuper. - - Low: default domain for appending to unqualified recipients, - so that unqualified names can be delivered locally. - - Low: The $process_id_directory setting is not used anywhere - in Postfix. Problem reported by Michael Smith, texas.net. - This should be documented, or better, the code should warn - about attempts to set read-only parameters. - - Low: while converting 8bit text to quoted-printable, perhaps - use =46rom to avoid having to produce >From when delivering - to mailbox. - - virtual_mailbox_path expression like forward_path, so that - people can specify prefix and suffix. diff --git a/postfix/auxiliary/name-addr-test/gethostbyaddr.c b/postfix/auxiliary/name-addr-test/gethostbyaddr.c index e58db9efa..b97390116 100644 --- a/postfix/auxiliary/name-addr-test/gethostbyaddr.c +++ b/postfix/auxiliary/name-addr-test/gethostbyaddr.c 
@@ -25,7 +25,7 @@ char **argv; long addr; if (argc != 2) { - fprintf(stderr, "usage: %s i.p.addres\n", argv[0]); + fprintf(stderr, "usage: %s i.p.address\n", argv[0]); exit(1); } addr = inet_addr(argv[1]); diff --git a/postfix/auxiliary/name-addr-test/getnameinfo.c b/postfix/auxiliary/name-addr-test/getnameinfo.c index a270a062e..fa1d45752 100644 --- a/postfix/auxiliary/name-addr-test/getnameinfo.c +++ b/postfix/auxiliary/name-addr-test/getnameinfo.c @@ -36,7 +36,7 @@ int main(int argc, char **argv) #define NO_SERVICE ((char *) 0) if (argc != 2) { - fprintf(stderr, "usage: %s ipaddres\n", argv[0]); + fprintf(stderr, "usage: %s ipaddress\n", argv[0]); exit(1); } diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html index 68f79273e..a01589cc1 100644 --- a/postfix/html/lmtp.8.html +++ b/postfix/html/lmtp.8.html @@ -653,8 +653,8 @@ SMTP(8) SMTP(8) Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later: tls_fast_shutdown_enable (yes) - A workaround for implementations that hang Postfix while shuting - down a TLS session, until Postfix times out. + A workaround for implementations that hang Postfix while shut- + ting down a TLS session, until Postfix times out. OBSOLETE STARTTLS CONTROLS The following configuration parameters exist for compatibility with diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 2d927e61d..e8d4ae3c0 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -18596,7 +18596,7 @@ encouraged to not change this setting.
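Review bot: In gethostbyaddr.c the unchanged line `addr = inet_addr(argv[1]);` keeps an `in_addr_t` result in a `long`, and nothing inside this hunk compares it with `INADDR_NONE`, so a malformed argument cannot be told apart from 255.255.255.255. On LP64 systems a `long` is also wider than an IPv4 address, which would matter if `&addr` and `sizeof(addr)` are later passed to the resolver call; the rest of the function is outside the hunk, so both points need confirming against the full file. Since the usage line is being touched anyway, I would declare `struct in_addr addr;` and parse with `if (inet_pton(AF_INET, argv[1], &addr) != 1) { fprintf(stderr, "%s: bad address\n", argv[1]); exit(1); }`, which rejects bad input explicitly and fixes the operand size.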

tls_fast_shutdown_enable (default: yes)
-

A workaround for implementations that hang Postfix while shuting +

A workaround for implementations that hang Postfix while shutting down a TLS session, until Postfix times out. With this enabled, Postfix will not wait for the remote TLS peer to respond to a TLS 'close' notification. This behavior is recommended for TLSv1.0 and diff --git a/postfix/html/postsuper.1.html b/postfix/html/postsuper.1.html index 085b25b26..660789772 100644 --- a/postfix/html/postsuper.1.html +++ b/postfix/html/postsuper.1.html @@ -90,7 +90,7 @@ POSTSUPER(1) POSTSUPER(1) o The -e and -f options both request forced expiration. The difference is that -f will also release a message if it - is in the hold queue. With -e, such a message would not + is in the hold queue. With -e, such a message would not be returned to the sender until it is released with -f or -H. diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index 68f79273e..a01589cc1 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html @@ -653,8 +653,8 @@ SMTP(8) SMTP(8) Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later: tls_fast_shutdown_enable (yes) - A workaround for implementations that hang Postfix while shuting - down a TLS session, until Postfix times out. + A workaround for implementations that hang Postfix while shut- + ting down a TLS session, until Postfix times out. OBSOLETE STARTTLS CONTROLS The following configuration parameters exist for compatibility with diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index a665abda5..b81b864cd 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html 
@@ -237,11 +237,12 @@ SMTPD(8) SMTPD(8) Postfix 2.6 the default protocol is 2. milter_default_action (tempfail) - The default action when a Milter (mail filter) application is - unavailable or mis-configured. + The default action when a Milter (mail filter) response is + unavailable (for example, bad Postfix configuration or Milter + failure). milter_macro_daemon_name ($myhostname) - The {daemon_name} macro value for Milter (mail filter) applica- + The {daemon_name} macro value for Milter (mail filter) applica- tions. milter_macro_v ($mail_name $mail_version) 
@@ -252,60 +253,60 @@ SMTPD(8) SMTPD(8) tion, and for negotiating protocol options. milter_command_timeout (30s) - The time limit for sending an SMTP command to a Milter (mail + The time limit for sending an SMTP command to a Milter (mail filter) application, and for receiving the response. milter_content_timeout (300s) - The time limit for sending message content to a Milter (mail + The time limit for sending message content to a Milter (mail filter) application, and for receiving the response. milter_connect_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after completion of an SMTP connection. milter_helo_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the SMTP HELO or EHLO command. milter_mail_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the SMTP MAIL FROM command. milter_rcpt_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the SMTP RCPT TO command. milter_data_macros (see 'postconf -d' output) - The macros that are sent to version 4 or higher Milter (mail + The macros that are sent to version 4 or higher Milter (mail filter) applications after the SMTP DATA command. milter_unknown_command_macros (see 'postconf -d' output) - The macros that are sent to version 3 or higher Milter (mail + The macros that are sent to version 3 or higher Milter (mail filter) applications after an unknown SMTP command. 
milter_end_of_header_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the end of the message header. milter_end_of_data_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the message end-of-data. Available in Postfix version 3.1 and later: milter_macro_defaults (empty) - Optional list of name=value pairs that specify default values - for arbitrary macros that Postfix may send to Milter applica- + Optional list of name=value pairs that specify default values + for arbitrary macros that Postfix may send to Milter applica- tions. Available in Postfix version 3.2 and later: smtpd_milter_maps (empty) - Lookup tables with Milter settings per remote SMTP client IP + Lookup tables with Milter settings per remote SMTP client IP address. GENERAL CONTENT INSPECTION CONTROLS - The following parameters are applicable for both built-in and external + The following parameters are applicable for both built-in and external content filters. Available in Postfix version 2.1 and later: 
@@ -315,51 +316,51 @@ SMTPD(8) SMTPD(8) ing, or address mapping. EXTERNAL CONTENT INSPECTION CONTROLS - The following parameters are applicable for both before-queue and + The following parameters are applicable for both before-queue and after-queue content filtering. Available in Postfix version 2.1 and later: smtpd_authorized_xforward_hosts (empty) - What remote SMTP clients are allowed to use the XFORWARD fea- + What remote SMTP clients are allowed to use the XFORWARD fea- ture. SASL AUTHENTICATION CONTROLS Postfix SASL support (RFC 4954) can be used to authenticate remote SMTP - clients to the Postfix SMTP server, and to authenticate the Postfix - SMTP client to a remote SMTP server. See the SASL_README document for + clients to the Postfix SMTP server, and to authenticate the Postfix + SMTP client to a remote SMTP server. See the SASL_README document for details. broken_sasl_auth_clients (no) - Enable interoperability with remote SMTP clients that implement + Enable interoperability with remote SMTP clients that implement an obsolete version of the AUTH command (RFC 4954). smtpd_sasl_auth_enable (no) Enable SASL authentication in the Postfix SMTP server. smtpd_sasl_local_domain (empty) - The name of the Postfix SMTP server's local SASL authentication + The name of the Postfix SMTP server's local SASL authentication realm. smtpd_sasl_security_options (noanonymous) Postfix SMTP server SASL security options; as of Postfix 2.3 the - list of available features depends on the SASL server implemen- + list of available features depends on the SASL server implemen- tation that is selected with smtpd_sasl_type. smtpd_sender_login_maps (empty) - Optional lookup table with the SASL login names that own the + Optional lookup table with the SASL login names that own the sender (MAIL FROM) addresses. 
Available in Postfix version 2.1 and later: smtpd_sasl_exceptions_networks (empty) - What remote SMTP clients the Postfix SMTP server will not offer + What remote SMTP clients the Postfix SMTP server will not offer AUTH support to. Available in Postfix version 2.1 and 2.2: smtpd_sasl_application_name (smtpd) - The application name that the Postfix SMTP server uses for SASL + The application name that the Postfix SMTP server uses for SASL server initialization. Available in Postfix version 2.3 and later: @@ -370,11 +371,11 @@ SMTPD(8) SMTPD(8) smtpd_sasl_path (smtpd) Implementation-specific information that the Postfix SMTP server - passes through to the SASL plug-in implementation that is + passes through to the SASL plug-in implementation that is selected with smtpd_sasl_type. smtpd_sasl_type (cyrus) - The SASL plug-in type that the Postfix SMTP server should use + The SASL plug-in type that the Postfix SMTP server should use for authentication. Available in Postfix version 2.5 and later: @@ -386,7 +387,7 @@ SMTPD(8) SMTPD(8) Available in Postfix version 2.11 and later: smtpd_sasl_service (smtp) - The service name that is passed to the SASL plug-in that is + The service name that is passed to the SASL plug-in that is selected with smtpd_sasl_type and smtpd_sasl_path. Available in Postfix version 3.4 and later: 
@@ -396,16 +397,16 @@ SMTPD(8) SMTPD(8) lenge. STARTTLS SUPPORT CONTROLS - Detailed information about STARTTLS configuration may be found in the + Detailed information about STARTTLS configuration may be found in the TLS_README document. smtpd_tls_security_level (empty) - The SMTP TLS security level for the Postfix SMTP server; when a + The SMTP TLS security level for the Postfix SMTP server; when a non-empty value is specified, this overrides the obsolete param- eters smtpd_use_tls and smtpd_enforce_tls. smtpd_sasl_tls_security_options ($smtpd_sasl_security_options) - The SASL authentication security options that the Postfix SMTP + The SASL authentication security options that the Postfix SMTP server uses for TLS encrypted SMTP sessions. smtpd_starttls_timeout (see 'postconf -d' output) @@ -413,25 +414,25 @@ SMTPD(8) SMTPD(8) during TLS startup and shutdown handshake procedures. smtpd_tls_CAfile (empty) - A file containing (PEM format) CA certificates of root CAs + A file containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or inter- mediate CA certificates. smtpd_tls_CApath (empty) - A directory containing (PEM format) CA certificates of root CAs + A directory containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or inter- mediate CA certificates. smtpd_tls_always_issue_session_ids (yes) - Force the Postfix SMTP server to issue a TLS session id, even - when TLS session caching is turned off (smtpd_tls_ses- + Force the Postfix SMTP server to issue a TLS session id, even + when TLS session caching is turned off (smtpd_tls_ses- sion_cache_database is empty). smtpd_tls_ask_ccert (no) Ask a remote SMTP client for a client certificate. smtpd_tls_auth_only (no) - When TLS encryption is optional in the Postfix SMTP server, do + When TLS encryption is optional in the Postfix SMTP server, do not announce or accept SASL authentication over unencrypted con- nections. 
@@ -442,18 +443,18 @@ SMTPD(8) SMTPD(8) File with the Postfix SMTP server RSA certificate in PEM format. smtpd_tls_exclude_ciphers (empty) - List of ciphers or cipher types to exclude from the SMTP server + List of ciphers or cipher types to exclude from the SMTP server cipher list at all TLS security levels. smtpd_tls_dcert_file (empty) File with the Postfix SMTP server DSA certificate in PEM format. smtpd_tls_dh1024_param_file (empty) - File with DH parameters that the Postfix SMTP server should use + File with DH parameters that the Postfix SMTP server should use with non-export EDH ciphers. smtpd_tls_dh512_param_file (empty) - File with DH parameters that the Postfix SMTP server should use + File with DH parameters that the Postfix SMTP server should use with export-grade EDH ciphers. smtpd_tls_dkey_file ($smtpd_tls_dcert_file) 
@@ -466,35 +467,35 @@ SMTPD(8) SMTPD(8) Enable additional Postfix SMTP server logging of TLS activity. smtpd_tls_mandatory_ciphers (medium) - The minimum TLS cipher grade that the Postfix SMTP server will + The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory TLS encryption. smtpd_tls_mandatory_exclude_ciphers (empty) - Additional list of ciphers or cipher types to exclude from the - Postfix SMTP server cipher list at mandatory TLS security lev- + Additional list of ciphers or cipher types to exclude from the + Postfix SMTP server cipher list at mandatory TLS security lev- els. smtpd_tls_mandatory_protocols (!SSLv2, !SSLv3) - The SSL/TLS protocols accepted by the Postfix SMTP server with + The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. smtpd_tls_received_header (no) Request that the Postfix SMTP server produces Received: message - headers that include information about the protocol and cipher - used, as well as the remote SMTP client CommonName and client + headers that include information about the protocol and cipher + used, as well as the remote SMTP client CommonName and client certificate issuer CommonName. smtpd_tls_req_ccert (no) - With mandatory TLS encryption, require a trusted remote SMTP + With mandatory TLS encryption, require a trusted remote SMTP client certificate in order to allow TLS connections to proceed. smtpd_tls_wrappermode (no) - Run the Postfix SMTP server in the non-standard "wrapper" mode, + Run the Postfix SMTP server in the non-standard "wrapper" mode, instead of using the STARTTLS command. tls_daemon_random_bytes (32) - The number of pseudo-random bytes that an smtp(8) or smtpd(8) - process requests from the tlsmgr(8) server in order to seed its + The number of pseudo-random bytes that an smtp(8) or smtpd(8) + process requests from the tlsmgr(8) server in order to seed its internal pseudo random number generator (PRNG). tls_high_cipherlist (see 'postconf -d' output) 
@@ -510,41 +511,41 @@ SMTPD(8) SMTPD(8) The OpenSSL cipherlist for "export" or higher grade ciphers. tls_null_cipherlist (eNULL:!aNULL) - The OpenSSL cipherlist for "NULL" grade ciphers that provide + The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption. Available in Postfix version 2.5 and later: smtpd_tls_fingerprint_digest (md5) - The message digest algorithm to construct remote SMTP - client-certificate fingerprints or public key fingerprints - (Postfix 2.9 and later) for check_ccert_access and per- + The message digest algorithm to construct remote SMTP + client-certificate fingerprints or public key fingerprints + (Postfix 2.9 and later) for check_ccert_access and per- mit_tls_clientcerts. Available in Postfix version 2.6 and later: smtpd_tls_protocols (!SSLv2, !SSLv3) - List of TLS protocols that the Postfix SMTP server will exclude + List of TLS protocols that the Postfix SMTP server will exclude or include with opportunistic TLS encryption. smtpd_tls_ciphers (medium) - The minimum TLS cipher grade that the Postfix SMTP server will + The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic TLS encryption. smtpd_tls_eccert_file (empty) - File with the Postfix SMTP server ECDSA certificate in PEM for- + File with the Postfix SMTP server ECDSA certificate in PEM for- mat. smtpd_tls_eckey_file ($smtpd_tls_eccert_file) - File with the Postfix SMTP server ECDSA private key in PEM for- + File with the Postfix SMTP server ECDSA private key in PEM for- mat. smtpd_tls_eecdh_grade (see 'postconf -d' output) - The Postfix SMTP server security grade for ephemeral ellip- + The Postfix SMTP server security grade for ephemeral ellip- tic-curve Diffie-Hellman (EECDH) key exchange. tls_eecdh_strong_curve (prime256v1) - The elliptic curve used by the Postfix SMTP server for sensibly + The elliptic curve used by the Postfix SMTP server for sensibly strong ephemeral ECDH key exchange. 
tls_eecdh_ultra_curve (secp384r1) @@ -555,7 +556,7 @@ SMTPD(8) SMTPD(8) tls_preempt_cipherlist (no) With SSLv3 and later, use the Postfix SMTP server's cipher pref- - erence order instead of the remote client's cipher preference + erence order instead of the remote client's cipher preference order. tls_disable_workarounds (see 'postconf -d' output) @@ -568,7 +569,7 @@ SMTPD(8) SMTPD(8) Available in Postfix version 3.0 and later: - tls_session_ticket_cipher (Postfix >= 3.0: aes-256-cbc, Postfix < 3.0: + tls_session_ticket_cipher (Postfix >= 3.0: aes-256-cbc, Postfix < 3.0: aes-128-cbc) Algorithm used to encrypt RFC5077 TLS session tickets. 
@@ -581,33 +582,33 @@ SMTPD(8) SMTPD(8) Available in Postfix version 3.4 and later: smtpd_tls_chain_files (empty) - List of one or more PEM files, each holding one or more private + List of one or more PEM files, each holding one or more private keys directly followed by a corresponding certificate chain. tls_server_sni_maps (empty) - Optional lookup tables that map names received from remote SMTP - clients via the TLS Server Name Indication (SNI) extension to + Optional lookup tables that map names received from remote SMTP + clients via the TLS Server Name Indication (SNI) extension to the appropriate keys and certificate chains. Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later: tls_fast_shutdown_enable (yes) - A workaround for implementations that hang Postfix while shuting - down a TLS session, until Postfix times out. + A workaround for implementations that hang Postfix while shut- + ting down a TLS session, until Postfix times out. Available in Postfix 3.5 and later: info_log_address_format (external) - The email address form that will be used in non-debug logging + The email address form that will be used in non-debug logging (info, warning, etc.). OBSOLETE STARTTLS CONTROLS - The following configuration parameters exist for compatibility with - Postfix versions before 2.3. Support for these will be removed in a + The following configuration parameters exist for compatibility with + Postfix versions before 2.3. Support for these will be removed in a future release. smtpd_use_tls (no) - Opportunistic TLS: announce STARTTLS support to remote SMTP + Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption. smtpd_enforce_tls (no) 
@@ -615,92 +616,92 @@ SMTPD(8) SMTPD(8) and require that clients use TLS encryption. smtpd_tls_cipherlist (empty) - Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS + Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS cipher list. SMTPUTF8 CONTROLS Preliminary SMTPUTF8 support is introduced with Postfix 3.0. smtputf8_enable (yes) - Enable preliminary SMTPUTF8 support for the protocols described + Enable preliminary SMTPUTF8 support for the protocols described in RFC 6531..6533. strict_smtputf8 (no) Enable stricter enforcement of the SMTPUTF8 protocol. smtputf8_autodetect_classes (sendmail, verify) - Detect that a message requires SMTPUTF8 support for the speci- + Detect that a message requires SMTPUTF8 support for the speci- fied mail origin classes. Available in Postfix version 3.2 and later: enable_idna2003_compatibility (no) - Enable 'transitional' compatibility between IDNA2003 and - IDNA2008, when converting UTF-8 domain names to/from the ASCII + Enable 'transitional' compatibility between IDNA2003 and + IDNA2008, when converting UTF-8 domain names to/from the ASCII form that is used for DNS lookups. VERP SUPPORT CONTROLS - With VERP style delivery, each recipient of a message receives a cus- - tomized copy of the message with his/her own recipient address encoded + With VERP style delivery, each recipient of a message receives a cus- + tomized copy of the message with his/her own recipient address encoded in the envelope sender address. The VERP_README file describes config- - uration and operation details of Postfix support for variable envelope - return path addresses. VERP style delivery is requested with the SMTP - XVERP command or with the "sendmail -V" command-line option and is + uration and operation details of Postfix support for variable envelope + return path addresses. 
VERP style delivery is requested with the SMTP + XVERP command or with the "sendmail -V" command-line option and is available in Postfix version 1.1 and later. default_verp_delimiters (+=) The two default VERP delimiter characters. verp_delimiter_filter (-=+) - The characters Postfix accepts as VERP delimiter characters on + The characters Postfix accepts as VERP delimiter characters on the Postfix sendmail(1) command line and in SMTP commands. Available in Postfix version 1.1 and 2.0: authorized_verp_clients ($mynetworks) - What remote SMTP clients are allowed to specify the XVERP com- + What remote SMTP clients are allowed to specify the XVERP com- mand. Available in Postfix version 2.1 and later: smtpd_authorized_verp_clients ($authorized_verp_clients) - What remote SMTP clients are allowed to specify the XVERP com- + What remote SMTP clients are allowed to specify the XVERP com- mand. TROUBLE SHOOTING CONTROLS - The DEBUG_README document describes how to debug parts of the Postfix - mail system. The methods vary from making the software log a lot of + The DEBUG_README document describes how to debug parts of the Postfix + mail system. The methods vary from making the software log a lot of detail, to running some daemon processes under control of a call tracer or debugger. debug_peer_level (2) - The increment in verbose logging level when a remote client or + The increment in verbose logging level when a remote client or server matches a pattern in the debug_peer_list parameter. debug_peer_list (empty) - Optional list of remote client or server hostname or network + Optional list of remote client or server hostname or network address patterns that cause the verbose logging level to increase by the amount specified in $debug_peer_level. 
error_notice_recipient (postmaster) - The recipient of postmaster notifications about mail delivery + The recipient of postmaster notifications about mail delivery problems that are caused by policy, resource, software or proto- col errors. internal_mail_filter_classes (empty) - What categories of Postfix-generated mail are subject to - before-queue content inspection by non_smtpd_milters, + What categories of Postfix-generated mail are subject to + before-queue content inspection by non_smtpd_milters, header_checks and body_checks. notify_classes (resource, software) The list of error classes that are reported to the postmaster. smtpd_reject_footer (empty) - Optional information that is appended after each Postfix SMTP + Optional information that is appended after each Postfix SMTP server 4XX or 5XX response. soft_bounce (no) - Safety net to keep mail queued that would otherwise be returned + Safety net to keep mail queued that would otherwise be returned to the sender. Available in Postfix version 2.1 and later: 
@@ -711,109 +712,109 @@ SMTPD(8) SMTPD(8) Available in Postfix version 2.10 and later: smtpd_log_access_permit_actions (empty) - Enable logging of the named "permit" actions in SMTP server - access lists (by default, the SMTP server logs "reject" actions + Enable logging of the named "permit" actions in SMTP server + access lists (by default, the SMTP server logs "reject" actions but not "permit" actions). KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS - As of Postfix version 2.0, the SMTP server rejects mail for unknown + As of Postfix version 2.0, the SMTP server rejects mail for unknown recipients. This prevents the mail queue from clogging up with undeliv- - erable MAILER-DAEMON messages. Additional information on this topic is + erable MAILER-DAEMON messages. Additional information on this topic is in the LOCAL_RECIPIENT_README and ADDRESS_CLASS_README documents. show_user_unknown_table_name (yes) - Display the name of the recipient table in the "User unknown" + Display the name of the recipient table in the "User unknown" responses. canonical_maps (empty) - Optional address mapping lookup tables for message headers and + Optional address mapping lookup tables for message headers and envelopes. recipient_canonical_maps (empty) - Optional address mapping lookup tables for envelope and header + Optional address mapping lookup tables for envelope and header recipient addresses. sender_canonical_maps (empty) - Optional address mapping lookup tables for envelope and header + Optional address mapping lookup tables for envelope and header sender addresses. Parameters concerning known/unknown local recipients: mydestination ($myhostname, localhost.$mydomain, localhost) - The list of domains that are delivered via the $local_transport + The list of domains that are delivered via the $local_transport mail delivery transport. 
inet_interfaces (all) - The network interface addresses that this mail system receives + The network interface addresses that this mail system receives mail on. proxy_interfaces (empty) - The network interface addresses that this mail system receives + The network interface addresses that this mail system receives mail on by way of a proxy or network address translation unit. inet_protocols (all) - The Internet protocols Postfix will attempt to use when making + The Internet protocols Postfix will attempt to use when making or accepting connections. local_recipient_maps (proxy:unix:passwd.byname $alias_maps) Lookup tables with all names or addresses of local recipients: a - recipient address is local when its domain matches $mydestina- + recipient address is local when its domain matches $mydestina- tion, $inet_interfaces or $proxy_interfaces. unknown_local_recipient_reject_code (550) The numerical Postfix SMTP server response code when a recipient - address is local, and $local_recipient_maps specifies a list of + address is local, and $local_recipient_maps specifies a list of lookup tables that does not match the recipient. Parameters concerning known/unknown recipients of relay destinations: relay_domains (Postfix >= 3.0: empty, Postfix < 3.0: $mydestination) - What destination domains (and subdomains thereof) this system + What destination domains (and subdomains thereof) this system will relay mail to. relay_recipient_maps (empty) - Optional lookup tables with all valid addresses in the domains + Optional lookup tables with all valid addresses in the domains that match $relay_domains. 
unknown_relay_recipient_reject_code (550) - The numerical Postfix SMTP server reply code when a recipient - address matches $relay_domains, and relay_recipient_maps speci- - fies a list of lookup tables that does not match the recipient + The numerical Postfix SMTP server reply code when a recipient + address matches $relay_domains, and relay_recipient_maps speci- + fies a list of lookup tables that does not match the recipient address. - Parameters concerning known/unknown recipients in virtual alias + Parameters concerning known/unknown recipients in virtual alias domains: virtual_alias_domains ($virtual_alias_maps) - Postfix is final destination for the specified list of virtual - alias domains, that is, domains for which all addresses are + Postfix is final destination for the specified list of virtual + alias domains, that is, domains for which all addresses are aliased to addresses in other local or remote domains. virtual_alias_maps ($virtual_maps) - Optional lookup tables that alias specific mail addresses or + Optional lookup tables that alias specific mail addresses or domains to other local or remote address. unknown_virtual_alias_reject_code (550) - The Postfix SMTP server reply code when a recipient address - matches $virtual_alias_domains, and $virtual_alias_maps speci- - fies a list of lookup tables that does not match the recipient + The Postfix SMTP server reply code when a recipient address + matches $virtual_alias_domains, and $virtual_alias_maps speci- + fies a list of lookup tables that does not match the recipient address. Parameters concerning known/unknown recipients in virtual mailbox domains: virtual_mailbox_domains ($virtual_mailbox_maps) - Postfix is final destination for the specified list of domains; - mail is delivered via the $virtual_transport mail delivery + Postfix is final destination for the specified list of domains; + mail is delivered via the $virtual_transport mail delivery transport. 
virtual_mailbox_maps (empty) - Optional lookup tables with all valid addresses in the domains + Optional lookup tables with all valid addresses in the domains that match $virtual_mailbox_domains. unknown_virtual_mailbox_reject_code (550) - The Postfix SMTP server reply code when a recipient address - matches $virtual_mailbox_domains, and $virtual_mailbox_maps + The Postfix SMTP server reply code when a recipient address + matches $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list of lookup tables that does not match the recip- ient address. @@ -822,7 +823,7 @@ SMTPD(8) SMTPD(8) control client request rates. line_length_limit (2048) - Upon input, long lines are chopped up into pieces of at most + Upon input, long lines are chopped up into pieces of at most this length; upon delivery, long lines are reconstructed. queue_minfree (0) 
@@ -830,58 +831,58 @@ SMTPD(8) SMTPD(8) tem that is needed to receive mail. message_size_limit (10240000) - The maximal size in bytes of a message, including envelope + The maximal size in bytes of a message, including envelope information. smtpd_recipient_limit (1000) - The maximal number of recipients that the Postfix SMTP server + The maximal number of recipients that the Postfix SMTP server accepts per message delivery request. smtpd_timeout (normal: 300s, overload: 10s) - The time limit for sending a Postfix SMTP server response and + The time limit for sending a Postfix SMTP server response and for receiving a remote SMTP client request. smtpd_history_flush_threshold (100) - The maximal number of lines in the Postfix SMTP server command - history before it is flushed upon receipt of EHLO, RSET, or end + The maximal number of lines in the Postfix SMTP server command + history before it is flushed upon receipt of EHLO, RSET, or end of DATA. Available in Postfix version 2.3 and later: smtpd_peername_lookup (yes) - Attempt to look up the remote SMTP client hostname, and verify + Attempt to look up the remote SMTP client hostname, and verify that the name matches the client IP address. The per SMTP client connection count and request rate limits are imple- - mented in co-operation with the anvil(8) service, and are available in + mented in co-operation with the anvil(8) service, and are available in Postfix version 2.2 and later. smtpd_client_connection_count_limit (50) - How many simultaneous connections any client is allowed to make + How many simultaneous connections any client is allowed to make to this service. smtpd_client_connection_rate_limit (0) - The maximal number of connection attempts any client is allowed + The maximal number of connection attempts any client is allowed to make to this service per time unit. 
smtpd_client_message_rate_limit (0) - The maximal number of message delivery requests that any client - is allowed to make to this service per time unit, regardless of + The maximal number of message delivery requests that any client + is allowed to make to this service per time unit, regardless of whether or not Postfix actually accepts those messages. smtpd_client_recipient_rate_limit (0) - The maximal number of recipient addresses that any client is - allowed to send to this service per time unit, regardless of + The maximal number of recipient addresses that any client is + allowed to send to this service per time unit, regardless of whether or not Postfix actually accepts those recipients. smtpd_client_event_limit_exceptions ($mynetworks) - Clients that are excluded from smtpd_client_*_count/rate_limit + Clients that are excluded from smtpd_client_*_count/rate_limit restrictions. Available in Postfix version 2.3 and later: smtpd_client_new_tls_session_rate_limit (0) - The maximal number of new (i.e., uncached) TLS sessions that a + The maximal number of new (i.e., uncached) TLS sessions that a remote SMTP client is allowed to negotiate with this service per time unit. 
@@ -889,68 +890,68 @@ SMTPD(8) SMTPD(8) smtpd_per_record_deadline (normal: no, overload: yes) Change the behavior of the smtpd_timeout and smtpd_start- - tls_timeout time limits, from a time limit per read or write - system call, to a time limit to send or receive a complete - record (an SMTP command line, SMTP response line, SMTP message + tls_timeout time limits, from a time limit per read or write + system call, to a time limit to send or receive a complete + record (an SMTP command line, SMTP response line, SMTP message content line, or TLS protocol message). Available in Postfix version 3.1 and later: smtpd_client_auth_rate_limit (0) - The maximal number of AUTH commands that any client is allowed - to send to this service per time unit, regardless of whether or + The maximal number of AUTH commands that any client is allowed + to send to this service per time unit, regardless of whether or not Postfix actually accepts those commands. TARPIT CONTROLS - When a remote SMTP client makes errors, the Postfix SMTP server can - insert delays before responding. This can help to slow down run-away - software. The behavior is controlled by an error counter that counts + When a remote SMTP client makes errors, the Postfix SMTP server can + insert delays before responding. This can help to slow down run-away + software. The behavior is controlled by an error counter that counts the number of errors within an SMTP session that a client makes without delivering mail. smtpd_error_sleep_time (1s) - With Postfix version 2.1 and later: the SMTP server response - delay after a client has made more than $smtpd_soft_error_limit - errors, and fewer than $smtpd_hard_error_limit errors, without + With Postfix version 2.1 and later: the SMTP server response + delay after a client has made more than $smtpd_soft_error_limit + errors, and fewer than $smtpd_hard_error_limit errors, without delivering mail. 
smtpd_soft_error_limit (10) - The number of errors a remote SMTP client is allowed to make - without delivering mail before the Postfix SMTP server slows + The number of errors a remote SMTP client is allowed to make + without delivering mail before the Postfix SMTP server slows down all its responses. smtpd_hard_error_limit (normal: 20, overload: 1) - The maximal number of errors a remote SMTP client is allowed to + The maximal number of errors a remote SMTP client is allowed to make without delivering mail. smtpd_junk_command_limit (normal: 100, overload: 1) - The number of junk commands (NOOP, VRFY, ETRN or RSET) that a - remote SMTP client can send before the Postfix SMTP server + The number of junk commands (NOOP, VRFY, ETRN or RSET) that a + remote SMTP client can send before the Postfix SMTP server starts to increment the error counter with each junk command. Available in Postfix version 2.1 and later: smtpd_recipient_overshoot_limit (1000) - The number of recipients that a remote SMTP client can send in + The number of recipients that a remote SMTP client can send in excess of the limit specified with $smtpd_recipient_limit, - before the Postfix SMTP server increments the per-session error + before the Postfix SMTP server increments the per-session error count for each excess recipient. ACCESS POLICY DELEGATION CONTROLS - As of version 2.1, Postfix can be configured to delegate access policy - decisions to an external server that runs outside Postfix. See the + As of version 2.1, Postfix can be configured to delegate access policy + decisions to an external server that runs outside Postfix. See the file SMTPD_POLICY_README for more information. smtpd_policy_service_max_idle (300s) - The time after which an idle SMTPD policy service connection is + The time after which an idle SMTPD policy service connection is closed. 
smtpd_policy_service_max_ttl (1000s) - The time after which an active SMTPD policy service connection + The time after which an active SMTPD policy service connection is closed. smtpd_policy_service_timeout (100s) - The time limit for connecting to, writing to, or receiving from + The time limit for connecting to, writing to, or receiving from a delegated SMTPD policy server. Available in Postfix version 3.0 and later: 
@@ -960,81 +961,81 @@ SMTPD(8) SMTPD(8) The default action when an SMTPD policy service request fails. smtpd_policy_service_request_limit (0) - The maximal number of requests per SMTPD policy service connec- + The maximal number of requests per SMTPD policy service connec- tion, or zero (no limit). smtpd_policy_service_try_limit (2) - The maximal number of attempts to send an SMTPD policy service + The maximal number of attempts to send an SMTPD policy service request before giving up. smtpd_policy_service_retry_delay (1s) - The delay between attempts to resend a failed SMTPD policy ser- + The delay between attempts to resend a failed SMTPD policy ser- vice request. Available in Postfix version 3.1 and later: smtpd_policy_service_policy_context (empty) - Optional information that the Postfix SMTP server specifies in - the "policy_context" attribute of a policy service request - (originally, to share the same service endpoint among multiple + Optional information that the Postfix SMTP server specifies in + the "policy_context" attribute of a policy service request + (originally, to share the same service endpoint among multiple check_policy_service clients). ACCESS CONTROLS - The SMTPD_ACCESS_README document gives an introduction to all the SMTP + The SMTPD_ACCESS_README document gives an introduction to all the SMTP server access control features. smtpd_delay_reject (yes) - Wait until the RCPT TO command before evaluating + Wait until the RCPT TO command before evaluating $smtpd_client_restrictions, $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait until the ETRN command - before evaluating $smtpd_client_restrictions and + before evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions. 
parent_domain_matches_subdomains (see 'postconf -d' output) - A list of Postfix features where the pattern "example.com" also - matches subdomains of example.com, instead of requiring an + A list of Postfix features where the pattern "example.com" also + matches subdomains of example.com, instead of requiring an explicit ".example.com" pattern. smtpd_client_restrictions (empty) - Optional restrictions that the Postfix SMTP server applies in + Optional restrictions that the Postfix SMTP server applies in the context of a client connection request. smtpd_helo_required (no) - Require that a remote SMTP client introduces itself with the - HELO or EHLO command before sending the MAIL command or other + Require that a remote SMTP client introduces itself with the + HELO or EHLO command before sending the MAIL command or other commands that require EHLO negotiation. smtpd_helo_restrictions (empty) - Optional restrictions that the Postfix SMTP server applies in + Optional restrictions that the Postfix SMTP server applies in the context of a client HELO command. smtpd_sender_restrictions (empty) - Optional restrictions that the Postfix SMTP server applies in + Optional restrictions that the Postfix SMTP server applies in the context of a client MAIL FROM command. smtpd_recipient_restrictions (see 'postconf -d' output) - Optional restrictions that the Postfix SMTP server applies in - the context of a client RCPT TO command, after + Optional restrictions that the Postfix SMTP server applies in + the context of a client RCPT TO command, after smtpd_relay_restrictions. smtpd_etrn_restrictions (empty) - Optional restrictions that the Postfix SMTP server applies in + Optional restrictions that the Postfix SMTP server applies in the context of a client ETRN command. 
allow_untrusted_routing (no) - Forward mail with sender-specified routing - (user[@%!]remote[@%!]site) from untrusted clients to destina- + Forward mail with sender-specified routing + (user[@%!]remote[@%!]site) from untrusted clients to destina- tions matching $relay_domains. smtpd_restriction_classes (empty) User-defined aliases for groups of access restrictions. smtpd_null_access_lookup_key (<>) - The lookup key to be used in SMTP access(5) tables instead of + The lookup key to be used in SMTP access(5) tables instead of the null sender address. permit_mx_backup_networks (empty) - Restrict the use of the permit_mx_backup SMTP access feature to + Restrict the use of the permit_mx_backup SMTP access feature to only domains whose primary MX hosts match the listed networks. Available in Postfix version 2.0 and later: @@ -1044,19 +1045,19 @@ SMTPD(8) SMTPD(8) applies in the context of the SMTP DATA command. smtpd_expansion_filter (see 'postconf -d' output) - What characters are allowed in $name expansions of RBL reply + What characters are allowed in $name expansions of RBL reply templates. Available in Postfix version 2.1 and later: smtpd_reject_unlisted_sender (no) - Request that the Postfix SMTP server rejects mail from unknown - sender addresses, even when no explicit reject_unlisted_sender + Request that the Postfix SMTP server rejects mail from unknown + sender addresses, even when no explicit reject_unlisted_sender access restriction is specified. smtpd_reject_unlisted_recipient (yes) - Request that the Postfix SMTP server rejects mail for unknown - recipient addresses, even when no explicit + Request that the Postfix SMTP server rejects mail for unknown + recipient addresses, even when no explicit reject_unlisted_recipient access restriction is specified. Available in Postfix version 2.2 and later: 
@@ -1070,17 +1071,17 @@ SMTPD(8) SMTPD(8) smtpd_relay_restrictions (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination) Access restrictions for mail relay control that the Postfix SMTP - server applies in the context of the RCPT TO command, before + server applies in the context of the RCPT TO command, before smtpd_recipient_restrictions. SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS - Postfix version 2.1 introduces sender and recipient address verifica- + Postfix version 2.1 introduces sender and recipient address verifica- tion. This feature is implemented by sending probe email messages that are not actually delivered. This feature is requested via the - reject_unverified_sender and reject_unverified_recipient access - restrictions. The status of verification probes is maintained by the - verify(8) server. See the file ADDRESS_VERIFICATION_README for infor- - mation about how to configure and operate the Postfix sender/recipient + reject_unverified_sender and reject_unverified_recipient access + restrictions. The status of verification probes is maintained by the + verify(8) server. See the file ADDRESS_VERIFICATION_README for infor- + mation about how to configure and operate the Postfix sender/recipient address verification service. address_verify_poll_count (normal: 3, overload: 1) @@ -1092,7 +1093,7 @@ SMTPD(8) SMTPD(8) fication request in progress. address_verify_sender ($double_bounce_sender) - The sender address to use in address verification probes; prior + The sender address to use in address verification probes; prior to Postfix 2.5 the default was "postmaster". unverified_sender_reject_code (450) 
@@ -1100,18 +1101,18 @@ SMTPD(8) SMTPD(8) address is rejected by the reject_unverified_sender restriction. unverified_recipient_reject_code (450) - The numerical Postfix SMTP server response when a recipient - address is rejected by the reject_unverified_recipient restric- + The numerical Postfix SMTP server response when a recipient + address is rejected by the reject_unverified_recipient restric- tion. Available in Postfix version 2.6 and later: unverified_sender_defer_code (450) - The numerical Postfix SMTP server response code when a sender + The numerical Postfix SMTP server response code when a sender address probe fails due to a temporary error condition. unverified_recipient_defer_code (450) - The numerical Postfix SMTP server response when a recipient + The numerical Postfix SMTP server response when a recipient address probe fails due to a temporary error condition. unverified_sender_reject_reason (empty) @@ -1123,17 +1124,17 @@ SMTPD(8) SMTPD(8) reject_unverified_recipient. unverified_sender_tempfail_action ($reject_tempfail_action) - The Postfix SMTP server's action when reject_unverified_sender + The Postfix SMTP server's action when reject_unverified_sender fails due to a temporary error condition. unverified_recipient_tempfail_action ($reject_tempfail_action) - The Postfix SMTP server's action when reject_unverified_recipi- + The Postfix SMTP server's action when reject_unverified_recipi- ent fails due to a temporary error condition. Available with Postfix 2.9 and later: address_verify_sender_ttl (0s) - The time between changes in the time-dependent portion of + The time between changes in the time-dependent portion of address verification probe sender addresses. ACCESS CONTROL RESPONSES 
@@ -1145,36 +1146,36 @@ SMTPD(8) SMTPD(8) map "reject" action. defer_code (450) - The numerical Postfix SMTP server response code when a remote + The numerical Postfix SMTP server response code when a remote SMTP client request is rejected by the "defer" restriction. invalid_hostname_reject_code (501) - The numerical Postfix SMTP server response code when the client - HELO or EHLO command parameter is rejected by the + The numerical Postfix SMTP server response code when the client + HELO or EHLO command parameter is rejected by the reject_invalid_helo_hostname restriction. maps_rbl_reject_code (554) - The numerical Postfix SMTP server response code when a remote - SMTP client request is blocked by the reject_rbl_client, + The numerical Postfix SMTP server response code when a remote + SMTP client request is blocked by the reject_rbl_client, reject_rhsbl_client, reject_rhsbl_reverse_client, reject_rhsbl_sender or reject_rhsbl_recipient restriction. non_fqdn_reject_code (504) - The numerical Postfix SMTP server reply code when a client - request is rejected by the reject_non_fqdn_helo_hostname, + The numerical Postfix SMTP server reply code when a client + request is rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender or reject_non_fqdn_recipient restriction. plaintext_reject_code (450) - The numerical Postfix SMTP server response code when a request + The numerical Postfix SMTP server response code when a request is rejected by the reject_plaintext_session restriction. reject_code (554) - The numerical Postfix SMTP server response code when a remote + The numerical Postfix SMTP server response code when a remote SMTP client request is rejected by the "reject" restriction. 
relay_domains_reject_code (554) - The numerical Postfix SMTP server response code when a client - request is rejected by the reject_unauth_destination recipient + The numerical Postfix SMTP server response code when a client + request is rejected by the reject_unauth_destination recipient restriction. unknown_address_reject_code (450) @@ -1182,24 +1183,24 @@ SMTPD(8) SMTPD(8) a sender or recipient address because its domain is unknown. unknown_client_reject_code (450) - The numerical Postfix SMTP server response code when a client - without valid address <=> name mapping is rejected by the + The numerical Postfix SMTP server response code when a client + without valid address <=> name mapping is rejected by the reject_unknown_client_hostname restriction. unknown_hostname_reject_code (450) - The numerical Postfix SMTP server response code when the host- - name specified with the HELO or EHLO command is rejected by the + The numerical Postfix SMTP server response code when the host- + name specified with the HELO or EHLO command is rejected by the reject_unknown_helo_hostname restriction. Available in Postfix version 2.0 and later: default_rbl_reply (see 'postconf -d' output) - The default Postfix SMTP server response template for a request + The default Postfix SMTP server response template for a request that is rejected by an RBL-based restriction. multi_recipient_bounce_reject_code (550) - The numerical Postfix SMTP server response code when a remote - SMTP client request is blocked by the reject_multi_recipi- + The numerical Postfix SMTP server response code when a remote + SMTP client request is blocked by the reject_multi_recipi- ent_bounce restriction. rbl_reply_maps (empty) 
@@ -1209,52 +1210,52 @@ SMTPD(8) SMTPD(8) access_map_defer_code (450) The numerical Postfix SMTP server response code for an access(5) - map "defer" action, including "defer_if_permit" or + map "defer" action, including "defer_if_permit" or "defer_if_reject". reject_tempfail_action (defer_if_permit) - The Postfix SMTP server's action when a reject-type restriction + The Postfix SMTP server's action when a reject-type restriction fails due to a temporary error condition. unknown_helo_hostname_tempfail_action ($reject_tempfail_action) - The Postfix SMTP server's action when reject_unknown_helo_host- + The Postfix SMTP server's action when reject_unknown_helo_host- name fails due to a temporary error condition. unknown_address_tempfail_action ($reject_tempfail_action) - The Postfix SMTP server's action when - reject_unknown_sender_domain or reject_unknown_recipient_domain + The Postfix SMTP server's action when + reject_unknown_sender_domain or reject_unknown_recipient_domain fail due to a temporary error condition. MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con- + The default location of the Postfix main.cf and master.cf con- figuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to handle a + How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. command_directory (see 'postconf -d' output) The location of all postfix administrative commands. double_bounce_sender (double-bounce) - The sender address of postmaster notifications that are gener- + The sender address of postmaster notifications that are gener- ated by the mail system. ipc_timeout (3600s) - The time limit for sending or receiving information over an + The time limit for sending or receiving information over an internal communication channel. 
mail_name (Postfix) - The mail system name that is displayed in Received: headers, in + The mail system name that is displayed in Received: headers, in the SMTP greeting banner, and in bounced mail. mail_owner (postfix) - The UNIX system account that owns the Postfix queue and most + The UNIX system account that owns the Postfix queue and most Postfix daemon processes. max_idle (100s) - The maximum amount of time that an idle Postfix daemon process + The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. max_use (100) @@ -1265,11 +1266,11 @@ SMTPD(8) SMTPD(8) The internet hostname of this mail system. mynetworks (see 'postconf -d' output) - The list of "trusted" remote SMTP clients that have more privi- + The list of "trusted" remote SMTP clients that have more privi- leges than "strangers". myorigin ($myhostname) - The domain name that locally-posted mail appears to come from, + The domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to. process_id (read-only) 
@@ -1282,25 +1283,25 @@ SMTPD(8) SMTPD(8) The location of the Postfix top-level queue directory. recipient_delimiter (empty) - The set of characters that can separate a user name from its - extension (example: user+foo), or a .forward file name from its + The set of characters that can separate a user name from its + extension (example: user+foo), or a .forward file name from its extension (example: .forward+foo). smtpd_banner ($myhostname ESMTP $mail_name) - The text that follows the 220 status code in the SMTP greeting + The text that follows the 220 status code in the SMTP greeting banner. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available in Postfix version 2.2 and later: smtpd_forbidden_commands (CONNECT, GET, POST) - List of commands that cause the Postfix SMTP server to immedi- + List of commands that cause the Postfix SMTP server to immedi- ately terminate the session with a 221 code. Available in Postfix version 2.5 and later: @@ -1317,7 +1318,7 @@ SMTPD(8) SMTPD(8) Available in Postfix 3.4 and later: smtpd_reject_footer_maps (empty) - Lookup tables, indexed by the complete Postfix SMTP server 4xx + Lookup tables, indexed by the complete Postfix SMTP server 4xx or 5xx response, with reject footer templates. SEE ALSO diff --git a/postfix/html/tlsproxy.8.html b/postfix/html/tlsproxy.8.html index 9a604996b..4e43ee2b4 100644 --- a/postfix/html/tlsproxy.8.html +++ b/postfix/html/tlsproxy.8.html 
@@ -147,8 +147,8 @@ TLSPROXY(8) TLSPROXY(8) Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later: tls_fast_shutdown_enable (yes) - A workaround for implementations that hang Postfix while shuting - down a TLS session, until Postfix times out. + A workaround for implementations that hang Postfix while shut- + ting down a TLS session, until Postfix times out. STARTTLS SERVER CONTROLS These settings are clones of Postfix SMTP server settings. They allow diff --git a/postfix/makedefs b/postfix/makedefs index c9e50db73..93731c2af 100644 --- a/postfix/makedefs +++ b/postfix/makedefs @@ -878,7 +878,7 @@ case "$CC" in esac # Snapshot only. -CCARGS="$CCARGS -DSNAPSHOT" +#CCARGS="$CCARGS -DSNAPSHOT" # Non-production: needs thorough testing, or major changes are still # needed before the code stabilizes. diff --git a/postfix/man/man1/postsuper.1 b/postfix/man/man1/postsuper.1 index 83a39e40d..43294f0a9 100644 --- a/postfix/man/man1/postsuper.1 +++ b/postfix/man/man1/postsuper.1 @@ -93,7 +93,7 @@ will never deliver messages in the \fBhold\fR queue). .IP \(bu The \fB\-e\fR and \fB\-f\fR options both request forced expiration. The difference is that \fB\-f\fR will also release -a message if it is in the hold queue. With \fB\-e\fR, such +a message if it is in the \fBhold\fR queue. With \fB\-e\fR, such a message would not be returned to the sender until it is released with \fB\-f\fR or \fB\-H\fR. .IP \(bu diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index ee76f61d7..056e35e47 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -12994,7 +12994,7 @@ encouraged to not change this setting. .PP This feature is available in Postfix 2.3 and later. .SH tls_fast_shutdown_enable (default: yes) -A workaround for implementations that hang Postfix while shuting +A workaround for implementations that hang Postfix while shutting down a TLS session, until Postfix times out. With this enabled, Postfix will not wait for the remote TLS peer to respond to a TLS 'close' notification. This behavior is recommended for TLSv1.0 and diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index a7d9646f6..89a7b60eb 100644 --- a/postfix/man/man8/smtp.8 +++ b/postfix/man/man8/smtp.8 @@ -593,7 +593,7 @@ Name Indication (SNI) extension. .PP Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later: .IP "\fBtls_fast_shutdown_enable (yes)\fR" -A workaround for implementations that hang Postfix while shuting +A workaround for implementations that hang Postfix while shutting down a TLS session, until Postfix times out. .SH "OBSOLETE STARTTLS CONTROLS" .na diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index 93c12377f..d7f65af09 100644 --- a/postfix/man/man8/smtpd.8 +++ b/postfix/man/man8/smtpd.8 @@ -241,8 +241,9 @@ The mail filter protocol version and optional protocol extensions for communication with a Milter application; prior to Postfix 2.6 the default protocol is 2. .IP "\fBmilter_default_action (tempfail)\fR" -The default action when a Milter (mail filter) application is -unavailable or mis\-configured. +The default action when a Milter (mail filter) response is +unavailable (for example, bad Postfix configuration or Milter +failure). .IP "\fBmilter_macro_daemon_name ($myhostname)\fR" The {daemon_name} macro value for Milter (mail filter) applications. .IP "\fBmilter_macro_v ($mail_name $mail_version)\fR" 
@@ -530,7 +531,7 @@ appropriate keys and certificate chains. .PP Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later: .IP "\fBtls_fast_shutdown_enable (yes)\fR" -A workaround for implementations that hang Postfix while shuting +A workaround for implementations that hang Postfix while shutting down a TLS session, until Postfix times out. .PP Available in Postfix 3.5 and later: diff --git a/postfix/man/man8/tlsproxy.8 b/postfix/man/man8/tlsproxy.8 index 78a3699fd..c2e53bf1f 100644 --- a/postfix/man/man8/tlsproxy.8 +++ b/postfix/man/man8/tlsproxy.8 @@ -148,7 +148,7 @@ appropriate keys and certificate chains. .PP Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later: .IP "\fBtls_fast_shutdown_enable (yes)\fR" -A workaround for implementations that hang Postfix while shuting +A workaround for implementations that hang Postfix while shutting down a TLS session, until Postfix times out. .SH "STARTTLS SERVER CONTROLS" .na diff --git a/postfix/mantools/spelldiff b/postfix/mantools/spelldiff new file mode 100755 index 000000000..ba059fe57 --- /dev/null +++ b/postfix/mantools/spelldiff @@ -0,0 +1,23 @@ +#!/bin/sh + +# Usage: spelldiff baseline files... + +case $# in +0|1) echo Usage: $0 baseline files... 1>&2; exit 1;; +esac + +baseline="$1"; shift + +for f +do + if [ -f "${baseline}/${f}" ] + then + diff -U0 "${baseline}/${f}" "${f}" | sed -n ' + /^+/{ + s/.// + p + }' + else + cat "${f}" + fi +done diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 555cdb16e..11f769467 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -16263,7 +16263,7 @@ support is via the tls_ssl_options parameter.
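Review bot: In the new mantools/spelldiff, the sed filter `/^+/` also matches the `+++` file header that `diff -U0` prints. For every file that differs from the baseline, the output therefore gains a line holding the path and timestamp with one `+` stripped. If the output is meant to carry only newly added text (inferred from the script name and usage line), drop the two header lines first, for example by adding `1,2d` as the first sed command. The usage message also expands `$0` unquoted; `echo "Usage: $0 baseline files..." 1>&2` keeps a path with spaces or glob characters intact.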

%PARAM tls_fast_shutdown_enable yes -

A workaround for implementations that hang Postfix while shuting +

A workaround for implementations that hang Postfix while shutting down a TLS session, until Postfix times out. With this enabled, Postfix will not wait for the remote TLS peer to respond to a TLS 'close' notification. This behavior is recommended for TLSv1.0 and diff --git a/postfix/src/cleanup/cleanup_milter.c b/postfix/src/cleanup/cleanup_milter.c index cf617e9ad..1424880e2 100644 --- a/postfix/src/cleanup/cleanup_milter.c +++ b/postfix/src/cleanup/cleanup_milter.c @@ -2503,6 +2503,7 @@ int main(int unused_argc, char **argv) var_line_limit = DEF_LINE_LIMIT; var_header_limit = DEF_HEADER_LIMIT; var_enable_orcpt = DEF_ENABLE_ORCPT; + var_info_log_addr_form = DEF_INFO_LOG_ADDR_FORM; for (;;) { ARGV *argv; diff --git a/postfix/src/global/haproxy_srvr.c b/postfix/src/global/haproxy_srvr.c index f421f314a..2455835ca 100644 --- a/postfix/src/global/haproxy_srvr.c +++ b/postfix/src/global/haproxy_srvr.c @@ -485,7 +485,7 @@ const char *haproxy_srvr_parse(const char *str, ssize_t *str_len, } } -/* haproxy_srvr_receive - redceive and parse haproxy protocol handshake */ +/* haproxy_srvr_receive - receive and parse haproxy protocol handshake */ int haproxy_srvr_receive(int fd, int *non_proxy, MAI_HOSTADDR_STR *smtp_client_addr, diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 4d68518dd..0cfe0a5ca 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20200203" -#define MAIL_VERSION_NUMBER "3.5" +#define MAIL_RELEASE_DATE "20200308" +#define MAIL_VERSION_NUMBER "3.5-RC1" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/global/map_search.c b/postfix/src/global/map_search.c index c6e83b2db..8ba6a5a98 100644 --- a/postfix/src/global/map_search.c +++ b/postfix/src/global/map_search.c 
@@ -38,7 +38,7 @@ /* .IP search_actions /* The mapping from search action string form to numeric form. /* The numbers must be in the range [1..126] (inclusive). The -/* value 0 is reserved for the MAP_SEARCH.serch_order terminator, +/* value 0 is reserved for the MAP_SEARCH.search_order terminator, /* and the value MAP_SEARCH_CODE_UNKNOWN is reserved for the /* 'not found' result. The argument is copied (the pointer /* value, not the table). @@ -49,7 +49,7 @@ /* DIAGNOSTICS /* map_search_create() returns a null pointer when a map_spec /* is a) malformed, b) specifies an unexpected attribute name, -/* c) the search attrubite contains an unknown name. Thus, +/* c) the search attribute contains an unknown name. Thus, /* map_search_create() will never return a search_order that /* contains the value MAP_SEARCH_CODE_UNKNOWN. /* @@ -282,9 +282,9 @@ static const char *string_or_null(const char *s) return (s ? s : "(null)"); } -static char *escape_order(VSTRING *buf, const char *seach_order) +static char *escape_order(VSTRING *buf, const char *search_order) { - return (STR(escape(buf, seach_order, strlen(seach_order)))); + return (STR(escape(buf, search_order, strlen(search_order)))); } int main(int argc, char **argv) diff --git a/postfix/src/global/map_search.h b/postfix/src/global/map_search.h index 63ff3d691..851ab1cd2 100644 --- a/postfix/src/global/map_search.h +++ b/postfix/src/global/map_search.h 
@@ -19,11 +19,11 @@ * The map_search module maintains one lookup table with MAP_SEARCH results, * indexed by the unparsed form of a map specification. The conversion from * unparsed form to MAP_SEARCH result is controlled by a NAME_CODE mapping, - * Since one lokoup table can support only one mapping per unparsed name, + * Since one lookup table can support only one mapping per unparsed name, * every MAP_SEARCH result in the lookup table must be built using the same * NAME_CODE table. * - * Alternative 1: no lookup table. Allow the user to specicy the NAME_CODE + * Alternative 1: no lookup table. Allow the user to specify the NAME_CODE * mapping in the map_search_create() request (in addition to the unparsed * form), and let the MAP_SEARCH user store each MAP_SEARCH pointer. But * that would clumsify code that wants to use MAP_SEARCH functionality. diff --git a/postfix/src/postconf/postconf_master.c b/postfix/src/postconf/postconf_master.c index 3c169f728..1a70b5dcf 100644 --- a/postfix/src/postconf/postconf_master.c +++ b/postfix/src/postconf/postconf_master.c @@ -355,9 +355,9 @@ void pcf_free_master_entry(PCF_MASTER_ENT *masterp) if (masterp->valid_names) htable_free(masterp->valid_names, myfree); if (masterp->ro_params) - dict_free(masterp->ro_params); + dict_close(masterp->ro_params); if (masterp->all_params) - dict_free(masterp->all_params); + dict_close(masterp->all_params); myfree((void *) masterp); } diff --git a/postfix/src/postsuper/postsuper.c b/postfix/src/postsuper/postsuper.c index 196990ca9..cab381419 100644 --- a/postfix/src/postsuper/postsuper.c +++ b/postfix/src/postsuper/postsuper.c 
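Review bot: The two replaced calls in pcf_free_master_entry() would benefit from a one-line comment saying why `dict_close()` is required, since the old `dict_free()` calls compiled and ran without complaint. In Postfix's dict API, dict_close() dispatches to the table type's own close handler, while dict_free() releases only the generic DICT part. The earlier code therefore presumably leaked the type-specific storage behind ro_params and all_params, but how those tables are opened is outside this hunk, so that is inferred. Something like `/* Use dict_close(): dict_free() skips the table's own close handler. */` above the first call would keep a later edit from reverting it. The function starts before the hunk.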
@@ -87,7 +87,7 @@ /* .IP \(bu /* The \fB-e\fR and \fB-f\fR options both request forced /* expiration. The difference is that \fB-f\fR will also release -/* a message if it is in the hold queue. With \fB-e\fR, such +/* a message if it is in the \fBhold\fR queue. With \fB-e\fR, such /* a message would not be returned to the sender until it is /* released with \fB-f\fR or \fB-H\fR. /* .IP \(bu @@ -1135,8 +1135,8 @@ static void super(const char **queues, int action) /* * Many of the following actions may move queue files. To avoid - * loss of of email due to file name collisions. we should do - * such actions only when the queue file names are known to match + * loss of email due to file name collisions. we should do such + * actions only when the queue file names are known to match * their inode number. Even with non-repeating queue IDs a name * collision may happen when different queues are merged. */ diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index 73047b182..6ca2d5c53 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c @@ -559,7 +559,7 @@ /* .PP /* Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later: /* .IP "\fBtls_fast_shutdown_enable (yes)\fR" -/* A workaround for implementations that hang Postfix while shuting +/* A workaround for implementations that hang Postfix while shutting /* down a TLS session, until Postfix times out. /* OBSOLETE STARTTLS CONTROLS /* .ad diff --git a/postfix/src/smtp/smtp_misc.c b/postfix/src/smtp/smtp_misc.c index 53b76fd11..43a176fa8 100644 --- a/postfix/src/smtp/smtp_misc.c +++ b/postfix/src/smtp/smtp_misc.c @@ -28,7 +28,7 @@ /* /* smtp_quote_821_address() is a wrapper around quote_821_local(), /* except for the empty address or with "smtp_quote_rfc821_envelope -/* = no"; in those cases the addres is copied literally. +/* = no"; in those cases the address is copied literally. /* DIAGNOSTICS /* Fatal: out of memory. /* LICENSE 
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index 3321bd4e9..f9b766049 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -215,8 +215,9 @@ /* for communication with a Milter application; prior to Postfix 2.6 /* the default protocol is 2. /* .IP "\fBmilter_default_action (tempfail)\fR" -/* The default action when a Milter (mail filter) application is -/* unavailable or mis-configured. +/* The default action when a Milter (mail filter) response is +/* unavailable (for example, bad Postfix configuration or Milter +/* failure). /* .IP "\fBmilter_macro_daemon_name ($myhostname)\fR" /* The {daemon_name} macro value for Milter (mail filter) applications. /* .IP "\fBmilter_macro_v ($mail_name $mail_version)\fR" @@ -496,7 +497,7 @@ /* .PP /* Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later: /* .IP "\fBtls_fast_shutdown_enable (yes)\fR" -/* A workaround for implementations that hang Postfix while shuting +/* A workaround for implementations that hang Postfix while shutting /* down a TLS session, until Postfix times out. /* .PP /* Available in Postfix 3.5 and later: @@ -5843,7 +5844,7 @@ static char *smtpd_format_cmd_stats(VSTRING *buf) * * Fix 20190621: the command counter resetting code was moved from the SMTP * protocol handler to this place, because the protocol handler was never - * called after HaProxy handhake error, causing stale numbers to be + * called after HaProxy handshake error, causing stale numbers to be * logged. */ for (cmdp = smtpd_cmd_table; /* see below */ ; cmdp++) { diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index e5a59f669..b93ac4d4a 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c 
@@ -3229,7 +3229,7 @@ static int check_ccert_access(SMTPD_STATE *state, const char *acl_spec, } } else { if (msg_verbose) - msg_info("%s: no client certfificate", myname); + msg_info("%s: no client certificate", myname); } #endif return (result); diff --git a/postfix/src/smtpd/smtpd_expand.h b/postfix/src/smtpd/smtpd_expand.h index 3680036a0..eb95983c7 100644 --- a/postfix/src/smtpd/smtpd_expand.h +++ b/postfix/src/smtpd/smtpd_expand.h @@ -32,4 +32,9 @@ int smtpd_expand(SMTPD_STATE *, VSTRING *, const char *, int); /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c index 4d5143eaf..c12e48cbb 100644 --- a/postfix/src/tls/tls_client.c +++ b/postfix/src/tls/tls_client.c @@ -1043,11 +1043,13 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props) tls_free_context(TLScontext); return (0); } + /* * The saved value is not presently used client-side, but could later - * be logged if acked by the server (requires new client-side callback - * to detect the ack). For now this just maintains symmetry with the - * server code, where do record the received SNI for logging. + * be logged if acked by the server (requires new client-side + * callback to detect the ack). For now this just maintains symmetry + * with the server code, where do record the received SNI for + * logging. */ TLScontext->peer_sni = mystrdup(sni); if (log_mask & TLS_LOG_DEBUG) 
@@ -1105,7 +1107,7 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props) * Start TLS negotiations. This process is a black box that invokes our * call-backs for certificate verification. * - * Error handling: If the SSL handhake fails, we print out an error message + * Error handling: If the SSL handshake fails, we print out an error message * and remove all TLS state concerning this session. */ sts = tls_bio_connect(vstream_fileno(props->stream), props->timeout, diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c index 6c0328de6..0b81d2b64 100644 --- a/postfix/src/tls/tls_server.c +++ b/postfix/src/tls/tls_server.c @@ -869,7 +869,7 @@ TLS_SESS_STATE *tls_server_start(const TLS_SERVER_START_PROPS *props) * Start TLS negotiations. This process is a black box that invokes our * call-backs for session caching and certificate verification. * - * Error handling: If the SSL handhake fails, we print out an error message + * Error handling: If the SSL handshake fails, we print out an error message * and remove all TLS state concerning this session. */ sts = tls_bio_accept(vstream_fileno(props->stream), props->timeout, diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c index f22a8f6e6..6eb70c0ac 100644 --- a/postfix/src/tlsproxy/tlsproxy.c +++ b/postfix/src/tlsproxy/tlsproxy.c @@ -132,7 +132,7 @@ /* .PP /* Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later: /* .IP "\fBtls_fast_shutdown_enable (yes)\fR" -/* A workaround for implementations that hang Postfix while shuting +/* A workaround for implementations that hang Postfix while shutting /* down a TLS session, until Postfix times out. /* STARTTLS SERVER CONTROLS /* .ad 
@@ -774,122 +774,128 @@ static void tlsp_strategy(TLSP_STATE *state) */ if ((state->flags & TLSP_FLAG_NO_MORE_CIPHERTEXT_IO) == 0) { - /* - * Do not enable plain-text I/O before completing the TLS handshake. - * Otherwise the remote peer can prepend plaintext to the optional - * TLS_SESS_STATE object. - */ - if (state->flags & TLSP_FLAG_DO_HANDSHAKE) { - state->timeout = state->handshake_timeout; - if (state->is_server_role) - ssl_stat = SSL_accept(tls_context->con); - else - ssl_stat = SSL_connect(tls_context->con); - if (ssl_stat != 1) { - handshake_err = SSL_get_error(tls_context->con, ssl_stat); - tlsp_eval_tls_error(state, handshake_err); - /* At this point, state could be a dangling pointer. */ + /* + * Do not enable plain-text I/O before completing the TLS handshake. + * Otherwise the remote peer can prepend plaintext to the optional + * TLS_SESS_STATE object. + */ + if (state->flags & TLSP_FLAG_DO_HANDSHAKE) { + state->timeout = state->handshake_timeout; + if (state->is_server_role) + ssl_stat = SSL_accept(tls_context->con); + else + ssl_stat = SSL_connect(tls_context->con); + if (ssl_stat != 1) { + handshake_err = SSL_get_error(tls_context->con, ssl_stat); + tlsp_eval_tls_error(state, handshake_err); + /* At this point, state could be a dangling pointer. */ + return; + } + state->flags &= ~TLSP_FLAG_DO_HANDSHAKE; + state->timeout = state->session_timeout; + if (tlsp_post_handshake(state) != TLSP_STAT_OK) { + /* At this point, state is a dangling pointer. */ + return; + } + } + + /* + * Shutdown and self-destruct after NBBIO error. This automagically + * cleans up all pending read/write and timeout event requests. + * Before shutting down TLS, we stop all plain-text I/O events but + * keep the NBBIO error flags. 
+ */ + plaintext_buf = state->plaintext_buf; + if (NBBIO_ERROR_FLAGS(plaintext_buf)) { + if (NBBIO_ACTIVE_FLAGS(plaintext_buf)) + nbbio_disable_readwrite(state->plaintext_buf); + if (!SSL_in_init(tls_context->con) + && (ssl_stat = SSL_shutdown(tls_context->con)) < 0) { + handshake_err = SSL_get_error(tls_context->con, ssl_stat); + tlsp_eval_tls_error(state, handshake_err); + /* At this point, state could be a dangling pointer. */ + return; + } + tlsp_state_free(state); return; } - state->flags &= ~TLSP_FLAG_DO_HANDSHAKE; - state->timeout = state->session_timeout; - if (tlsp_post_handshake(state) != TLSP_STAT_OK) { + + /* + * Try to move data from the plaintext input buffer to the TLS + * engine. + * + * XXX We're supposed to repeat the exact same SSL_write() call + * arguments after an SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE + * result. Rumor has it that this is because each SSL_write() call + * reads from the buffer incrementally, and returns > 0 only after + * the final byte is processed. Rumor also has it that setting + * SSL_MODE_ENABLE_PARTIAL_WRITE and + * SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER voids this requirement, and + * that repeating the request with an increased request size is OK. + * Unfortunately all this is not or poorly documented, and one has to + * rely on statements from OpenSSL developers in public mailing + * archives. + */ + ssl_write_err = SSL_ERROR_NONE; + while (NBBIO_READ_PEND(plaintext_buf) > 0) { + ssl_stat = SSL_write(tls_context->con, NBBIO_READ_BUF(plaintext_buf), + NBBIO_READ_PEND(plaintext_buf)); + ssl_write_err = SSL_get_error(tls_context->con, ssl_stat); + if (ssl_write_err != SSL_ERROR_NONE) + break; + /* Allow the plaintext pseudothread to read more data. 
*/ + NBBIO_READ_PEND(plaintext_buf) -= ssl_stat; + if (NBBIO_READ_PEND(plaintext_buf) > 0) + memmove(NBBIO_READ_BUF(plaintext_buf), + NBBIO_READ_BUF(plaintext_buf) + ssl_stat, + NBBIO_READ_PEND(plaintext_buf)); + } + + /* + * Try to move data from the TLS engine to the plaintext output + * buffer. Note: data may arrive as a side effect of calling + * SSL_write(), therefore we call SSL_read() after calling + * SSL_write(). + * + * XXX We're supposed to repeat the exact same SSL_read() call arguments + * after an SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE result. This + * supposedly means that our plaintext writer must not memmove() the + * plaintext output buffer until after the SSL_read() call succeeds. + * For now I'll ignore this, because 1) SSL_read() is documented to + * return the bytes available, instead of returning > 0 only after + * the entire buffer is processed like SSL_write() does; and 2) there + * is no "read" equivalent of the SSL_R_BAD_WRITE_RETRY, + * SSL_MODE_ENABLE_PARTIAL_WRITE or + * SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER features. + */ + ssl_read_err = SSL_ERROR_NONE; + while (NBBIO_WRITE_PEND(state->plaintext_buf) < NBBIO_BUFSIZE(plaintext_buf)) { + ssl_stat = SSL_read(tls_context->con, + NBBIO_WRITE_BUF(plaintext_buf) + + NBBIO_WRITE_PEND(state->plaintext_buf), + NBBIO_BUFSIZE(plaintext_buf) + - NBBIO_WRITE_PEND(state->plaintext_buf)); + ssl_read_err = SSL_get_error(tls_context->con, ssl_stat); + if (ssl_read_err != SSL_ERROR_NONE) + break; + NBBIO_WRITE_PEND(plaintext_buf) += ssl_stat; + } + + /* + * Try to enable/disable ciphertext read/write events. If SSL_write() + * was satisfied, see if SSL_read() wants to do some work. In case of + * an unrecoverable error, this automagically destroys the session + * state after cleaning up all pending read/write and timeout event + * requests. + */ + if (tlsp_eval_tls_error(state, ssl_write_err != SSL_ERROR_NONE ? + ssl_write_err : ssl_read_err) < 0) /* At this point, state is a dangling pointer. 
*/ return; - } } /* - * Shutdown and self-destruct after NBBIO error. This automagically - * cleans up all pending read/write and timeout event requests. Before - * shutting down TLS, we stop all plain-text I/O events but keep the - * NBBIO error flags. - */ - plaintext_buf = state->plaintext_buf; - if (NBBIO_ERROR_FLAGS(plaintext_buf)) { - if (NBBIO_ACTIVE_FLAGS(plaintext_buf)) - nbbio_disable_readwrite(state->plaintext_buf); - if (!SSL_in_init(tls_context->con) - && (ssl_stat = SSL_shutdown(tls_context->con)) < 0) { - handshake_err = SSL_get_error(tls_context->con, ssl_stat); - tlsp_eval_tls_error(state, handshake_err); - /* At this point, state could be a dangling pointer. */ - return; - } - tlsp_state_free(state); - return; - } - - /* - * Try to move data from the plaintext input buffer to the TLS engine. - * - * XXX We're supposed to repeat the exact same SSL_write() call arguments - * after an SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE result. Rumor has - * it that this is because each SSL_write() call reads from the buffer - * incrementally, and returns > 0 only after the final byte is processed. - * Rumor also has it that setting SSL_MODE_ENABLE_PARTIAL_WRITE and - * SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER voids this requirement, and that - * repeating the request with an increased request size is OK. - * Unfortunately all this is not or poorly documented, and one has to - * rely on statements from OpenSSL developers in public mailing archives. - */ - ssl_write_err = SSL_ERROR_NONE; - while (NBBIO_READ_PEND(plaintext_buf) > 0) { - ssl_stat = SSL_write(tls_context->con, NBBIO_READ_BUF(plaintext_buf), - NBBIO_READ_PEND(plaintext_buf)); - ssl_write_err = SSL_get_error(tls_context->con, ssl_stat); - if (ssl_write_err != SSL_ERROR_NONE) - break; - /* Allow the plaintext pseudothread to read more data. 
*/ - NBBIO_READ_PEND(plaintext_buf) -= ssl_stat; - if (NBBIO_READ_PEND(plaintext_buf) > 0) - memmove(NBBIO_READ_BUF(plaintext_buf), - NBBIO_READ_BUF(plaintext_buf) + ssl_stat, - NBBIO_READ_PEND(plaintext_buf)); - } - - /* - * Try to move data from the TLS engine to the plaintext output buffer. - * Note: data may arrive as a side effect of calling SSL_write(), - * therefore we call SSL_read() after calling SSL_write(). - * - * XXX We're supposed to repeat the exact same SSL_read() call arguments - * after an SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE result. This - * supposedly means that our plaintext writer must not memmove() the - * plaintext output buffer until after the SSL_read() call succeeds. For - * now I'll ignore this, because 1) SSL_read() is documented to return - * the bytes available, instead of returning > 0 only after the entire - * buffer is processed like SSL_write() does; and 2) there is no "read" - * equivalent of the SSL_R_BAD_WRITE_RETRY, SSL_MODE_ENABLE_PARTIAL_WRITE - * or SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER features. - */ - ssl_read_err = SSL_ERROR_NONE; - while (NBBIO_WRITE_PEND(state->plaintext_buf) < NBBIO_BUFSIZE(plaintext_buf)) { - ssl_stat = SSL_read(tls_context->con, - NBBIO_WRITE_BUF(plaintext_buf) - + NBBIO_WRITE_PEND(state->plaintext_buf), - NBBIO_BUFSIZE(plaintext_buf) - - NBBIO_WRITE_PEND(state->plaintext_buf)); - ssl_read_err = SSL_get_error(tls_context->con, ssl_stat); - if (ssl_read_err != SSL_ERROR_NONE) - break; - NBBIO_WRITE_PEND(plaintext_buf) += ssl_stat; - } - - /* - * Try to enable/disable ciphertext read/write events. If SSL_write() was - * satisfied, see if SSL_read() wants to do some work. In case of an - * unrecoverable error, this automagically destroys the session state - * after cleaning up all pending read/write and timeout event requests. - */ - if (tlsp_eval_tls_error(state, ssl_write_err != SSL_ERROR_NONE ? - ssl_write_err : ssl_read_err) < 0) - /* At this point, state is a dangling pointer. 
*/ - return; - } - - /* - * Destroy state when the ciphertext I/O was permanently disbled and we + * Destroy state when the ciphertext I/O was permanently disabled and we * can no longer trickle out plaintext. */ else { diff --git a/postfix/src/trivial-rewrite/trivial-rewrite.h b/postfix/src/trivial-rewrite/trivial-rewrite.h index 42016efb0..e27dd008e 100644 --- a/postfix/src/trivial-rewrite/trivial-rewrite.h +++ b/postfix/src/trivial-rewrite/trivial-rewrite.h @@ -84,4 +84,9 @@ extern int resolve_class(const char *); /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ diff --git a/postfix/src/util/byte_mask.c b/postfix/src/util/byte_mask.c index 37cfd7e11..e81847655 100644 --- a/postfix/src/util/byte_mask.c +++ b/postfix/src/util/byte_mask.c @@ -6,6 +6,13 @@ /* SYNOPSIS /* #include /* +/* typedef struct { +/* .in +4 +/* int byte_val; +/* int mask; +/* .in -4 +/* } BYTE_MASK; +/* /* int byte_mask( /* const char *context, /* const BYTE_MASK *table, @@ -38,7 +45,7 @@ /* bytes. The result is written to a static buffer that is /* overwritten upon each call. /* -/* byte_mask_opt() and str_name_mask_opt() are extended versions +/* byte_mask_opt() and str_byte_mask_opt() are extended versions /* with additional fine control. /* /* Arguments: diff --git a/postfix/src/util/vstream_tweak.c b/postfix/src/util/vstream_tweak.c index 75d2e7469..7100bc688 100644 --- a/postfix/src/util/vstream_tweak.c +++ b/postfix/src/util/vstream_tweak.c 
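Review bot: The bounded SSL_read() loop in the re-indented tlsp_strategy() block names the same buffer two ways: the loop condition and the length argument use `NBBIO_WRITE_PEND(state->plaintext_buf)`, while the destination pointer, the capacity and the final increment use the local alias `plaintext_buf`. The two are the same object only because of the earlier `plaintext_buf = state->plaintext_buf;` assignment, so the bound holds today, but anyone auditing this write into a fixed-size buffer has to establish that first. Since these lines are being touched anyway, I would use the alias throughout, e.g. `while (NBBIO_WRITE_PEND(plaintext_buf) < NBBIO_BUFSIZE(plaintext_buf)) {` and `nbbio_disable_readwrite(plaintext_buf);` in the NBBIO error branch. tlsp_strategy() starts before and continues after this hunk, so any other uses of either spelling are not visible here.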
@@ -130,7 +130,7 @@ int vstream_tweak_tcp(VSTREAM *fp) * made before the first stream read or write operation. We don't want to * reduce the buffer size. * - * As of 20190820 we increase the mss size multipler from 2x to 4x, because + * As of 20190820 we increase the mss size multiplier from 2x to 4x, because * some LINUX loopback TCP stacks report an MSS of 21845 which is 3x * smaller than the MTU of 65536. Even with a VSTREAM buffer 2x the * reported MSS size, performance would suck due to Nagle or delayed ACK