postfix-2.4.0-RC8
parent
b98446f146
commit
47602acef6
@ -13303,7 +13303,8 @@ Apologies for any names omitted.
|
||||
instead of appending mail to a deleted file. To minimize
|
||||
the use of this workaround, Postfix now by default creates
|
||||
mailbox dotlock files on all systems, and creates dotlock
|
||||
files before opening mailbox files. Files: util/sys_defs.h.
|
||||
files before opening mailbox files. Files: util/sys_defs.h,
|
||||
global/mbox_open.c.
|
||||
|
||||
20070301
|
||||
|
||||
@ -13374,6 +13375,17 @@ Apologies for any names omitted.
|
||||
records or content encoding records with other mail. File:
|
||||
global/rec_type.h.
|
||||
|
||||
20070321
|
||||
|
||||
Bugfix (introduced 20070224): local(8) or virtual(8) could
|
||||
log a misleading error message after failure to open a
|
||||
mailbox file. File: global/mbox_open.c.
|
||||
|
||||
Bugfix (code should have been updated 20070104): the proxymap
|
||||
client did not propagate changes in case folding flags.
|
||||
Currently, nothing in Postfix uses this functionality.
|
||||
File: global/dict_proxy.c.
|
||||
|
||||
Wish list:
|
||||
|
||||
Bind all deliveries to the same local delivery process,
|
||||
|
@ -18,7 +18,6 @@ PPrroobblleemm ssoollvviinngg
|
||||
* QSHAPE_README: Bottleneck analysis
|
||||
* TUNING_README: Performance tuning
|
||||
* DEBUG_README: Debugging strategies
|
||||
* Error messages (*)
|
||||
|
||||
CCoonntteenntt iinnssppeeccttiioonn
|
||||
|
||||
@ -50,20 +49,16 @@ LLooookkuupp ttaabblleess ((ddaattaabbaasseess))
|
||||
|
||||
MMaaiilliinngg lliisstt ssuuppppoorrtt
|
||||
|
||||
* qmail/ezmlm support (*)
|
||||
* VERP_README: VERP Support
|
||||
|
||||
SSppeecciiffiicc eennvviirroonnmmeennttss
|
||||
|
||||
* LINUX_README: Linux issues
|
||||
* NFS_README: NFS issues
|
||||
* ULTRIX_README: Ultrix support
|
||||
|
||||
OOtthheerr mmaaiill ddeelliivveerryy aaggeennttss
|
||||
|
||||
* Cyrus (*)
|
||||
* MAILDROP_README: Maildrop
|
||||
* LMTP (*)
|
||||
|
||||
OOtthheerr ttooppiiccss
|
||||
|
||||
@ -78,6 +73,3 @@ OOtthheerr ttooppiiccss
|
||||
* XCLIENT_README: XCLIENT Command
|
||||
* XFORWARD_README: XFORWARD Command
|
||||
|
||||
(*) These documents will be made available via http://www.postfix.org/ and
|
||||
mirror sites.
|
||||
|
||||
|
@ -28,8 +28,9 @@ An address class is defined by three items.
|
||||
* The list of domains that are a member of the class: for example, all local
|
||||
domains, or all relay domains.
|
||||
|
||||
* The default delivery method. For example, the local or smtp delivery agent.
|
||||
This helps to keep Postfix configurations simple.
|
||||
* The default delivery transport. For example, the local or relay delivery
|
||||
transport (delivery transports are defined in master.cf). This helps to
|
||||
keep Postfix configurations simple.
|
||||
|
||||
* The list of valid recipient addresses for that address class. The Postfix
|
||||
SMTP server rejects invalid recipients with "User unknown in <name of
|
||||
|
@ -122,7 +122,9 @@ from filling up with MAILER-DAEMON messages.
|
||||
Recipient address verification is relatively straightforward and there are no
|
||||
surprises. If a recipient probe fails, then Postfix rejects mail for the
|
||||
recipient address. If a recipient probe succeeds, then Postfix accepts mail for
|
||||
the recipient address.
|
||||
the recipient address. However, recipient address verification probes can
|
||||
increase the load on down-stream MTAs when you're being flooded by backscatter
|
||||
bounces, or when some spammer is mounting a dictionary attack.
|
||||
|
||||
By default, address verification results are not saved. To avoid probing the
|
||||
same address repeatedly, you can store the result in a persistent database as
|
||||
|
@ -57,13 +57,25 @@ reused only by the mail delivering process that creates the connection. To get
|
||||
the same performance improvement as with a shared connection cache, non-shared
|
||||
connections need to be kept open for a longer time.
|
||||
|
||||
Internet <-- smtp(8) <-> scache(8) <-> smtp(8) --> Internet
|
||||
|
||||
|
||||
The scache(8) server, introduced with Postfix version 2.2, maintains the shared
|
||||
connection cache. With Postfix version 2.2, only the smtp(8) client has support
|
||||
to access this cache.
|
||||
|
||||
smtp(8) --> Internet
|
||||
|
||||
|
||||
|
|
||||
|
|
||||
|
|
||||
| smtp(8) --> Internet
|
||||
|
|
||||
|
|
||||
v ^
|
||||
|
|
||||
|
||||
scache(8)
|
||||
|
||||
|
||||
When SMTP connection caching is enabled (see next section), the smtp(8) client
|
||||
does not disconnect after a mail transaction, but gives the connection to the
|
||||
scache(8) server which keeps the connection open for a limited amount of time.
|
||||
|
@ -44,7 +44,8 @@ Benefits of the Postfix (key, value) query interface:
|
||||
lookups" below.
|
||||
* You can use Berkeley DB files with fixed lookup strings for simple address
|
||||
rewriting operations and you can use regular expression tables for the more
|
||||
complicated work.
|
||||
complicated work. In other words, you don't have to put everything into the
|
||||
same table.
|
||||
|
||||
PPoossttffiixx lliissttss vveerrssuuss ttaabblleess
|
||||
|
||||
@ -124,7 +125,8 @@ update fails because the disk is full or because something else happens. This
|
||||
is because commands such as postmap(1) or postalias(1) overwrite existing
|
||||
files. If the update fails in the middle then you have no usable database, and
|
||||
Postfix will stop working. This is not an issue with the CDB database type
|
||||
available with Postfix 2.2 and later, because CDB database rebuilds are atomic.
|
||||
available with Postfix 2.2 and later: CDB creates a new file, and renames the
|
||||
file upon successful completion.
|
||||
|
||||
With multi-file databases such as DBM, there is no simple solution. With
|
||||
Berkeley DB and other "one file" databases, it is possible to add some extra
|
||||
|
@ -25,14 +25,15 @@ This document describes:
|
||||
|
||||
BBuuiillddiinngg PPoossttffiixx oonn ssyysstteemmss wwiitthhoouutt BBeerrkkeelleeyy DDBB
|
||||
|
||||
Many commercial UNIXes ship without Berkeley DB support. Examples are Solaris,
|
||||
HP-UX, IRIX, UNIXWARE. In order to build Postfix with Berkeley DB support you
|
||||
need to download and install the source code from http://www.sleepycat.com/
|
||||
Some UNIXes ship without Berkeley DB support; for historical reasons these use
|
||||
DBM files instead. A problem with DBM files is that they can store only limited
|
||||
amounts of data. To build Postfix with Berkeley DB support you need to download
|
||||
and install the source code from http://www.oracle.com/database/berkeley-db/.
|
||||
|
||||
Warning: some Linux system libraries use Berkeley DB, as do some third-party
|
||||
libraries such as SASL. If you compile Postfix with a different Berkeley DB
|
||||
implementation, then every Postfix program will dump core because either the
|
||||
system library, SASL library, or Postfix itself ends up using the wrong
|
||||
system library, the SASL library, or Postfix itself ends up using the wrong
|
||||
version.
|
||||
|
||||
The more recent Berkeley DB versions have a compile-time switch, "--with-
|
||||
@ -40,8 +41,8 @@ uniquename", which renames the symbols so that multiple versions of Berkeley DB
|
||||
can co-exist in the same application. Although wasteful, this may be the only
|
||||
way to keep things from falling apart.
|
||||
|
||||
To build Postfix after you installed the Berkeley DB from http://
|
||||
www.sleepycat.com/, use something like:
|
||||
To build Postfix after you installed the Berkeley DB from source code, use
|
||||
something like:
|
||||
|
||||
% make tidy
|
||||
% make makefiles CCARGS="-DHAS_DB -I/usr/local/BerkeleyDB/include" \
|
||||
@ -151,5 +152,5 @@ Add the "-lpthread" library to the "make makefiles" command.
|
||||
|
||||
% make makefiles .... AUXLIBS="... -lpthread"
|
||||
|
||||
More information is available at http://www.sleepycat.com/.
|
||||
More information is available at http://www.oracle.com/database/berkeley-db/.
|
||||
|
||||
|
@ -54,8 +54,8 @@ The nature of each problem is indicated as follows:
|
||||
configuration file settings that you can fix. Postfix cannot proceed until
|
||||
this is fixed.
|
||||
|
||||
* "eerrrroorr" reports a fatal or non-fatal error condition. Postfix cannot
|
||||
proceed until this is fixed.
|
||||
* "eerrrroorr" reports an error condition. For safety reasons, a Postfix process
|
||||
will terminate when more than 13 of these happen.
|
||||
|
||||
* "wwaarrnniinngg" indicates a non-fatal error. These are problems that you may not
|
||||
be able to fix (such as a broken DNS server elsewhere on the network) but
|
||||
@ -85,7 +85,7 @@ Postfix can produce two types of mail delivery reports for debugging:
|
||||
Mail Delivery Status Report will be mailed to <your login name>.
|
||||
|
||||
These reports contain information that is generated by Postfix delivery agents.
|
||||
Since these run as daemon processes and do not interact with users directly,
|
||||
Since these run as daemon processes that cannot interact with users directly,
|
||||
the result is sent as mail to the sender of the test message. The format of
|
||||
these reports is practically identical to that of ordinary non-delivery
|
||||
notifications.
|
||||
@ -136,29 +136,31 @@ change effective immediately, execute the command "ppoossttffiixx rreel
|
||||
RReeccoorrdd tthhee SSMMTTPP sseessssiioonn wwiitthh aa nneettwwoorrkk ssnniiffffeerr
|
||||
|
||||
This example uses ttccppdduummpp. In order to record a conversation you need to
|
||||
specify a large enough buffer with the "-s" option or else you will miss some
|
||||
specify a large enough buffer with the "--ss" option or else you will miss some
|
||||
or all of the packet payload.
|
||||
|
||||
# ttccppdduummpp --ww //ffiillee//nnaammee --ss 22000000 hhoosstt eexxaammppllee..ccoomm aanndd ppoorrtt 2255
|
||||
# ttccppdduummpp --ww //ffiillee//nnaammee --ss 00 hhoosstt eexxaammppllee..ccoomm aanndd ppoorrtt 2255
|
||||
|
||||
Older tcpdump versions don't support "--ss 00"; in that case, use "--ss 22000000"
|
||||
instead.
|
||||
|
||||
Run this for a while, stop with Ctrl-C when done. To view the data use a binary
|
||||
viewer, or eetthheerreeaall, or use my ttccppdduummppxx utility that is available from ftp://
|
||||
ftp.porcupine.org/pub/debugging/.
|
||||
viewer, eetthheerreeaall, or good old lleessss.
|
||||
|
||||
MMaakkiinngg PPoossttffiixx ddaaeemmoonn pprrooggrraammss mmoorree vveerrbboossee
|
||||
|
||||
Append one or more "--vv" options to selected daemon definitions in /etc/postfix/
|
||||
master.cf and type "ppoossttffiixx rreellooaadd". This will cause a lot of activity to be
|
||||
logged to the syslog daemon. Example:
|
||||
logged to the syslog daemon. For example, to make the Postfix SMTP server
|
||||
process more verbose:
|
||||
|
||||
/etc/postfix/master.cf:
|
||||
smtp inet n - n - - smtpd -v
|
||||
|
||||
This makes the Postfix SMTP server more verbose. To diagnose problems with
|
||||
address rewriting one would specify a "--vv" option for the cleanup(8) and/or
|
||||
trivial-rewrite(8) daemon, and to diagnose problems with mail delivery one
|
||||
would specify a "--vv" option for the qmgr(8) or oqmgr(8) queue manager, or for
|
||||
the lmtp(8), local(8), pipe(8), smtp(8), or virtual(8) delivery agent.
|
||||
To diagnose problems with address rewriting specify a "--vv" option for the
|
||||
cleanup(8) and/or trivial-rewrite(8) daemon, and to diagnose problems with mail
|
||||
delivery specify a "--vv" option for the qmgr(8) or oqmgr(8) queue manager, or
|
||||
for the lmtp(8), local(8), pipe(8), smtp(8), or virtual(8) delivery agent.
|
||||
|
||||
MMaannuuaallllyy ttrraacciinngg aa PPoossttffiixx ddaaeemmoonn pprroocceessss
|
||||
|
||||
@ -361,16 +363,17 @@ When reporting a problem, be sure to include the following information.
|
||||
|
||||
* Postfix logging. See the text at the top of the DEBUG_README document to
|
||||
find out where logging is stored. Please do not frustrate the helpers by
|
||||
word wrapping the logging.
|
||||
word wrapping the logging. If the logging is more than a few kbytes of
|
||||
text, consider posting an URL on a web or ftp site.
|
||||
|
||||
* Consider using a test email address so that you don't have to reveal email
|
||||
addresses or passwords of innocent people.
|
||||
|
||||
* If you can't use a test email address, please anonymize information
|
||||
consistently. Replace each letter by "A", each digit by "D" so that the
|
||||
helpers can still recognize syntactical errors.
|
||||
* If you can't use a test email address, please anonymize email addresses and
|
||||
host names consistently. Replace each letter by "A", each digit by "D" so
|
||||
that the helpers can still recognize syntactical errors.
|
||||
|
||||
* Output from "ppoossttccoonnff --nn". Please do not send your main.cf file or 400+
|
||||
* Output from "ppoossttccoonnff --nn". Please do not send your main.cf file, or 500+
|
||||
lines of ppoossttccoonnff output.
|
||||
|
||||
* Better, provide output from the ppoossttffiinnggeerr tool. This can be found at http:
|
||||
@ -383,7 +386,7 @@ When reporting a problem, be sure to include the following information.
|
||||
* If the problem is about too much mail in the queue, consider including
|
||||
output from the qqsshhaappee tool, as described in the QSHAPE_README file.
|
||||
|
||||
* If the problem is protocol related (connections time out or an SMTP server
|
||||
* If the problem is protocol related (connections time out, or an SMTP server
|
||||
complains about syntax errors etc.) consider recording a session with
|
||||
ttccppdduummpp, as described in the DEBUG_README document.
|
||||
|
||||
|
@ -22,7 +22,7 @@ Specifically, DSN support gives an email sender the ability to specify:
|
||||
confused with the message ID, which identifies the message content.
|
||||
|
||||
The implementation of DSN support involves extra parameters to the SMTP MAIL
|
||||
FROM and RCPT TO commands, as well as new Postfix sendmail command line options
|
||||
FROM and RCPT TO commands, as well as two Postfix sendmail command line options
|
||||
that provide a sub-set of the functions of the extra SMTP command parameters.
|
||||
|
||||
This document has information on the following topics:
|
||||
|
@ -11,10 +11,6 @@ to the customer, and delivers that mail bbyy ccoonnnneeccttiinngg t
|
||||
sseerrvveerr. The mail is not delivered via the connection that was used for sending
|
||||
ETRN.
|
||||
|
||||
Postfix versions before 1.0 (also known as version 20010228) implemented the
|
||||
ETRN command in an inefficient manner: they simply attempted to deliver all
|
||||
queued mail. This is slow on mail servers that queue mail for many customers.
|
||||
|
||||
As of version 1.0, Postfix has a fast ETRN implementation that does not require
|
||||
Postfix to examine every queue file. Instead, Postfix maintains a record of
|
||||
what queue files contain mail for destinations that are configured for ETRN
|
||||
@ -40,11 +36,11 @@ The following is an example SMTP session that shows how an SMTP client requests
|
||||
the ETRN service. Client commands are shown in bold font.
|
||||
|
||||
220 my.server.tld ESMTP Postfix
|
||||
hheelloo mmyy..cclliieenntt..ttlldd
|
||||
HHEELLOO mmyy..cclliieenntt..ttlldd
|
||||
250 Ok
|
||||
eettrrnn ssoommee..ccuussttoommeerr..ddoommaaiinn
|
||||
EETTRRNN ssoommee..ccuussttoommeerr..ddoommaaiinn
|
||||
250 Queuing started
|
||||
qquuiitt
|
||||
QQUUIITT
|
||||
221 Bye
|
||||
|
||||
As mentioned in the introduction, the mail is delivered by connecting to the
|
||||
@ -53,7 +49,8 @@ send the ETRN command.
|
||||
|
||||
The Postfix operator can request delivery for a specific customer by using the
|
||||
command "sendmail -qRdestination" and, with Postfix version 1.1 and later,
|
||||
"postqueue -sdestination".
|
||||
"postqueue -sdestination". Access to this feature is controlled with the
|
||||
authorized_flush_users configuration parameter (Postfix version 2.2 and later).
|
||||
|
||||
HHooww PPoossttffiixx ffaasstt EETTRRNN wwoorrkkss
|
||||
|
||||
@ -85,13 +82,14 @@ service for every possible destination.
|
||||
* The flush(8) daemon maintains per-destination logfiles with queue file
|
||||
names. When a request to "deliver mail now" arrives, Postfix will attempt
|
||||
to deliver all recipients in the queue files that have mail for the
|
||||
destination in question. This does not perform well when queue files have
|
||||
recipients in many different domains.
|
||||
destination in question. This does not perform well with queue files that
|
||||
have recipients in many different domains, such as queue files with
|
||||
outbound mailing list traffic.
|
||||
|
||||
* The flush(8) daemon maintains per-destination logfiles only for
|
||||
destinations listed with $fast_flush_domains. With other destinations it
|
||||
not possible to trigger delivery with "sendmail -qRdestination" or, with
|
||||
Postfix version 1.1 and later, "postqueue -sdestination".
|
||||
destinations listed with $fast_flush_domains. With other destinations you
|
||||
cannot request delivery with "sendmail -qRdestination" or, with Postfix
|
||||
version 1.1 and later, "postqueue -sdestination".
|
||||
|
||||
* Up to and including early versions of Postfix version 2.1, the "fast flush"
|
||||
service may not deliver some messages if the request to "deliver mail now"
|
||||
@ -100,6 +98,10 @@ service for every possible destination.
|
||||
dead domains, and the list of message delivery transports specified with
|
||||
the defer_transports configuration parameter.
|
||||
|
||||
* Up to and including Postfix version 2.3, the "fast flush" service may not
|
||||
deliver some messages if the request to "deliver mail now" arrives while an
|
||||
incoming queue scan is already in progress.
|
||||
|
||||
CCoonnffiigguurriinngg tthhee PPoossttffiixx ffaasstt EETTRRNN sseerrvviiccee
|
||||
|
||||
The behavior of the flush(8) daemon is controlled by parameters in the main.cf
|
||||
@ -200,9 +202,9 @@ client that is allowed to execute ETRN commands (by default, that's every
|
||||
client), and type the commands shown in boldface:
|
||||
|
||||
220 my.server.tld ESMTP Postfix
|
||||
hheelloo mmyy..cclliieenntt..ttlldd
|
||||
HHEELLOO mmyy..cclliieenntt..ttlldd
|
||||
250 Ok
|
||||
eettrrnn ssoommee..ccuussttoommeerr..ddoommaaiinn
|
||||
EETTRRNN ssoommee..ccuussttoommeerr..ddoommaaiinn
|
||||
250 Queuing started
|
||||
|
||||
where "some.customer.domain" is the name of a domain that has a non-empty
|
||||
@ -225,9 +227,9 @@ relay to (any domain listed in $relay_domains), but that has no mail queued.
|
||||
The text in bold face stands for the commands that you type:
|
||||
|
||||
220 my.server.tld ESMTP Postfix
|
||||
hheelloo mmyy..cclliieenntt..ttlldd
|
||||
HHEELLOO mmyy..cclliieenntt..ttlldd
|
||||
250 Ok
|
||||
eettrrnn ssoommee..ootthheerr..ccuussttoommeerr..ddoommaaiinn
|
||||
EETTRRNN ssoommee..ootthheerr..ccuussttoommeerr..ddoommaaiinn
|
||||
250 Queuing started
|
||||
|
||||
This time, the "ETRN"" command should trigger NO mail deliveries at all. If
|
||||
@ -239,9 +241,9 @@ willing to relay to. It does not matter if your server has mail queued for that
|
||||
destination.
|
||||
|
||||
220 my.server.tld ESMTP Postfix
|
||||
hheelloo mmyy..cclliieenntt..ttlldd
|
||||
HHEELLOO mmyy..cclliieenntt..ttlldd
|
||||
250 Ok
|
||||
eettrrnn nnoott..aa..ccuussttoommeerr..ddoommaaiinn
|
||||
EETTRRNN nnoott..aa..ccuussttoommeerr..ddoommaaiinn
|
||||
459 <not.a.customer.domain>: service unavailable
|
||||
|
||||
In this case, Postfix should reject the request as shown above.
|
||||
|
@ -21,9 +21,9 @@ This document describes implementations that use a single Postfix instance for
|
||||
everything: receiving, filtering and delivering mail. Applications that use two
|
||||
separate Postfix instances will be covered by a later version of this document.
|
||||
|
||||
The after-queue content filter is not to be confused with the approach that is
|
||||
described in the SMTPD_PROXY_README document, where incoming SMTP mail is
|
||||
filtered BEFORE it is stored into the Postfix queue.
|
||||
The after-queue content filter is not to be confused with the approaches
|
||||
described in the SMTPD_PROXY_README or MILTER_README documents, where incoming
|
||||
SMTP mail is filtered BEFORE it is stored into the Postfix queue.
|
||||
|
||||
This document describes two approaches to content filter all email, as well as
|
||||
several options to filter mail selectively:
|
||||
@ -50,14 +50,16 @@ several options to filter mail selectively:
|
||||
|
||||
PPrriinncciipplleess ooff ooppeerraattiioonn
|
||||
|
||||
An external content filter receives unfiltered mail from Postfix (as described
|
||||
further below) and does one of the following:
|
||||
An after-queue content filter receives unfiltered mail from Postfix (as
|
||||
described further below) and can do one of the following:
|
||||
|
||||
1. Re-inject the mail back into Postfix, perhaps after changing content and/or
|
||||
destination.
|
||||
|
||||
2. Reject the mail (by sending a suitable status code back to Postfix).
|
||||
Postfix will return the mail to the sender.
|
||||
2. Discard or quarantine the mail.
|
||||
|
||||
3. Reject the mail (by sending a suitable status code back to Postfix).
|
||||
Postfix will send the mail back to the sender address.
|
||||
|
||||
NOTE: in this time of mail worms and forged spam, it is a VERY BAD IDEA to send
|
||||
viruses back to the sender address, because the sender address is almost
|
||||
@ -67,8 +69,9 @@ it.
|
||||
|
||||
SSiimmppllee ccoonntteenntt ffiilltteerr eexxaammppllee
|
||||
|
||||
The first example is simple to set up. Postfix receives unfiltered mail from
|
||||
the network with the smtpd(8) server, and delivers unfiltered mail to a content
|
||||
The first example is simple to set up, but has major limitations that will be
|
||||
addressed in a second example. Postfix receives unfiltered mail from the
|
||||
network with the smtpd(8) server, and delivers unfiltered mail to a content
|
||||
filter with the Postfix pipe(8) delivery agent. The content filter injects
|
||||
filtered mail back into Postfix with the Postfix sendmail(1) command, so that
|
||||
Postfix can deliver it to the final destination.
|
||||
@ -126,33 +129,36 @@ The content filter can be a simple shell script like this:
|
||||
|
||||
Notes:
|
||||
|
||||
* Line 8: The -G option does nothing before Postfix 2.3, otherwise it
|
||||
disables address rewriting of message headers.
|
||||
* Line 8: The -G option says the filter output is not a local mail
|
||||
submission: don't do silly things like appending the local domain name to
|
||||
addresses in message headers. This option does nothing before Postfix
|
||||
version 2.3.
|
||||
|
||||
* Line 8: The -i option says don't stop reading input when a line contains
|
||||
"." only.
|
||||
|
||||
* Line 8: NEVER NEVER NEVER use the "-t" command-line option here. It will
|
||||
mis-deliver mail, like sending mailing list mail back to the mailing list.
|
||||
mis-deliver mail, like sending messages from a mailing list back to the
|
||||
mailing list.
|
||||
|
||||
* Line 21: The idea is to first capture the message to file and then run the
|
||||
content through a third-party content filter program.
|
||||
|
||||
* Line 22: If the mail cannot be captured to file, mail delivery is deferred
|
||||
by terminating with exit status 75 (EX_TEMPFAIL). Postfix places the
|
||||
message in the deferred mail queue and tries again later.
|
||||
* Line 22: If the message cannot be captured to file, mail delivery is
|
||||
deferred by terminating with exit status 75 (EX_TEMPFAIL). Postfix places
|
||||
the message in the deferred mail queue and tries again later.
|
||||
|
||||
* Line 25: You will need to specify a real content filter program here that
|
||||
receives the content on standard input.
|
||||
|
||||
* Line 26: If the content filter program finds a problem, the mail is bounced
|
||||
by terminating with exit status 69 (EX_UNAVAILABLE). Postfix will return
|
||||
the message to the sender as undeliverable.
|
||||
by terminating with exit status 69 (EX_UNAVAILABLE). Postfix will send the
|
||||
message back to the sender as undeliverable mail.
|
||||
|
||||
* Note: in this time of mail worms and spam, it is a BAD IDEA to send known
|
||||
* NOTE: in this time of mail worms and spam, it is a BAD IDEA to send known
|
||||
viruses or spam back to the sender, because that address is likely to be
|
||||
forged. It is safer to discard known to be bad content and to quarantine
|
||||
suspicious content so that it can be inspected by a human being.
|
||||
forged. It is safer to discard known viruses and to quarantine suspicious
|
||||
content so that it can be inspected by a human being.
|
||||
|
||||
* Line 28: If the content is OK, it is given as input to the Postfix sendmail
|
||||
command, and the exit status of the filter command is whatever exit status
|
||||
@ -164,7 +170,7 @@ Notes:
|
||||
I suggest that you first run this script by hand until you are satisfied with
|
||||
the results. Run it with a real message (headers+body) as input:
|
||||
|
||||
% /path/to/script -f sender recipient... <message-file
|
||||
% /path/to/script -f sender -- recipient... <message-file
|
||||
|
||||
Once you're satisfied with the content filtering script:
|
||||
|
||||
@ -206,10 +212,10 @@ Once you're satisfied with the content filtering script:
|
||||
smtp inet ...other stuff here, do not change... smtpd
|
||||
-o content_filter=filter:dummy
|
||||
|
||||
The "content_filter" line causes Postfix to add one content filter request
|
||||
record to each incoming mail message, with content "filter:dummy". This
|
||||
record overrides the normal mail routing and causes mail to be given to the
|
||||
content filter instead.
|
||||
The "-o content_filter" line causes Postfix to add one content filter
|
||||
request record to each incoming mail message, with content "filter:dummy".
|
||||
This record overrides the normal mail routing and causes mail to be given
|
||||
to the content filter instead.
|
||||
|
||||
The content_filter configuration parameter accepts the same syntax as the
|
||||
right-hand side in a Postfix transport table.
|
||||
@ -249,7 +255,7 @@ To turn off "simple" content filtering:
|
||||
* Edit the master.cf file, remove the "-o content_filter=filter:dummy" text
|
||||
from the entry that defines the Postfix SMTP server.
|
||||
|
||||
* Execute "ppoossttssuuppeerr --rr AALLLL" to remove content filter information from
|
||||
* Execute "ppoossttssuuppeerr --rr AALLLL" to remove content filter request records from
|
||||
existing queue files.
|
||||
|
||||
* Execute another "ppoossttffiixx rreellooaadd".
|
||||
@ -285,9 +291,11 @@ architecture.
|
||||
content filter 10025
|
||||
|
||||
The example given here filters all mail, including mail that arrives via SMTP
|
||||
and mail that is locally submitted via the Postfix sendmail command. See
|
||||
examples near the end of this document for how to exclude local users from
|
||||
filtering, or how to configure a destination dependent content filter.
|
||||
and mail that is locally submitted via the Postfix sendmail command (local
|
||||
submissions enter Postfix via the pickup(8) server; to keep the figure simple
|
||||
we omit local submission details). See examples near the end of this document
|
||||
for how to exclude local users from filtering, or how to configure a
|
||||
destination dependent content filter.
|
||||
|
||||
You can expect to lose about a factor of two in Postfix performance for mail
|
||||
that arrives and leaves via SMTP, provided that the content filter creates no
|
||||
@ -348,7 +356,7 @@ the Postfix master.cf file:
|
||||
* The "-o disable_mime_output_conversion=yes" is a workaround that prevents
|
||||
the breaking of domainkeys and other digital signatures. This is needed
|
||||
because some SMTP-based content filters don't announce 8BITMIME support,
|
||||
even though they can handle it just fine.
|
||||
even though they can handle 8-bit mail.
|
||||
|
||||
* The "-o smtp_generic_maps=" is a workaround that prevents local address
|
||||
rewriting with generic(5) maps. Such rewriting should happen only when mail
|
||||
@ -373,6 +381,10 @@ filtering processes on localhost port 10025:
|
||||
user handles all potentially dangerous mail content - that is why it should
|
||||
be a separate account.
|
||||
|
||||
* By default, Postfix will terminate a command that runs longer than
|
||||
command_time_limit seconds (default: 1000s). This is a safety measure that
|
||||
prevents filters from running forever.
|
||||
|
||||
If you want to have your filter listening on port localhost:10025 instead of
|
||||
Postfix, then you must run your filter as a stand-alone program, and must not
|
||||
use the Postfix spawn service.
|
||||
@ -405,14 +417,14 @@ without sending `.' on the connection that injects mail back into Postfix.
|
||||
-o mynetworks=127.0.0.0/8
|
||||
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
|
||||
|
||||
* Note: do not use spaces around the "=" or "," characters.
|
||||
* NOTE: do not use spaces around the "=" or "," characters.
|
||||
|
||||
* Note: the SMTP server must not have a smaller process limit than the
|
||||
* NOTE: the SMTP server must not have a smaller process limit than the
|
||||
"filter" master.cf entry.
|
||||
|
||||
* The "-o content_filter=" overrides main.cf settings, and requests no
|
||||
content filtering for mail from the content filter. This is required or
|
||||
else mail will stay in the content filtering loop.
|
||||
else mail will loop.
|
||||
|
||||
* The "-o receive_override_options" overrides main.cf settings to avoid
|
||||
duplicating work that was already done before the content filter. These
|
||||
@ -426,7 +438,7 @@ without sending `.' on the connection that injects mail back into Postfix.
|
||||
o We specify "no_milters" to disable Milter applications (this option is
|
||||
available only in Postfix 2.3 and later).
|
||||
|
||||
o We don't specify "no_address_mapping" here. This enables virtual alias
|
||||
o We don't specify "no_address_mappings" here. This enables virtual alias
|
||||
expansion, canonical mappings, address masquerading, and other address
|
||||
mappings after the content filter. The main.cf setting of
|
||||
"receive_override_options" disables these mappings before the content
|
||||
@ -470,7 +482,7 @@ To turn off "advanced" content filtering:
|
||||
content_filter = scan:localhost:10025
|
||||
receive_override_options = no_address_mappings
|
||||
|
||||
* Execute "ppoossttssuuppeerr --rr AALLLL" to remove content filter information from
|
||||
* Execute "ppoossttssuuppeerr --rr AALLLL" to remove content filter request records from
|
||||
existing queue files.
|
||||
|
||||
* Execute another "ppoossttffiixx rreellooaadd".
|
||||
|
@ -249,10 +249,10 @@ attribute is for a different use case). The returned data for "auser" and
|
||||
auser@mailhub.example.com,buser@mailhub.example.com,auser@example.org,buser@example.org
|
||||
|
||||
Note: if the desired member object result attribute is always also present in
|
||||
the group, you get suprising results, the expansion also returns the address of
|
||||
the group. This is a known limitation of Postfix releases prior to 2.4, and is
|
||||
addressed in the new with Postfix 2.4 "leaf_result_attribute" feature described
|
||||
in ldap_table(5).
|
||||
the group, you get surprising results, the expansion also returns the address
|
||||
of the group. This is a known limitation of Postfix releases prior to 2.4, and
|
||||
is addressed in the new with Postfix 2.4 "leaf_result_attribute" feature
|
||||
described in ldap_table(5).
|
||||
|
||||
Our third use case has some groups that are expanded immediately, and other
|
||||
groups that are forwarded to a dedicated mailing list manager host for delayed
|
||||
|
@ -11,9 +11,10 @@ FROM, etc.) as well as mail content. All this happens before mail is queued.
|
||||
|
||||
The reason for adding Milter support to Postfix is that there exists a large
|
||||
collection of applications, not only to block unwanted mail, but also to verify
|
||||
authenticity (examples: SenderID+SPF and Domain keys) or to digitally sign mail
|
||||
(example: Domain keys). Having yet another Postfix-specific version of all that
|
||||
software is a poor use of human and system resources.
|
||||
authenticity (examples: Domain keys identified mail, SenderID+SPF and Domain
|
||||
keys) or to digitally sign mail (examples: Domain keys identified mail, Domain
|
||||
keys). Having yet another Postfix-specific version of all that software is a
|
||||
poor use of human and system resources.
|
||||
|
||||
Postfix version 2.4 implements all the requests of Sendmail version 8 Milter
|
||||
protocols up to version 4, including message body replacement (body replacement
|
||||
@ -86,11 +87,11 @@ implements the Sendmail 8 Milter protocol. Postfix currently does not provide
|
||||
such a library, but Sendmail does.
|
||||
|
||||
On some Linux and *BSD distributions, the Sendmail libmilter library is
|
||||
installed by default. With this, applications such as dk-milter and sid-milter
|
||||
build out of the box without requiring any tinkering:
|
||||
installed by default. With this, applications such as dkim-milter and sid-
|
||||
milter build out of the box without requiring any tinkering:
|
||||
|
||||
$ ggzzccaatt ddkk--mmiilltteerr--xx..yy..zz..ttaarr..ggzz || ttaarr xxff --
|
||||
$ ccdd ddkk--mmiilltteerr--xx..yy..zz
|
||||
$ ggzzccaatt ddkkiimm--mmiilltteerr--xx..yy..zz..ttaarr..ggzz || ttaarr xxff --
|
||||
$ ccdd ddkkiimm--mmiilltteerr--xx..yy..zz
|
||||
$ mmaakkee
|
||||
[...lots of output omitted...]
|
||||
|
||||
@ -126,7 +127,7 @@ RRuunnnniinngg MMiilltteerr aapppplliiccaattiioonnss
|
||||
To run a Milter application, see the documentation of the filter for options. A
|
||||
typical command looks like this:
|
||||
|
||||
# //ssoommee//wwhheerree//ddkk--ffiilltteerr --uu uusseerriidd --pp iinneett::ppoorrttnnuummbbeerr@@llooccaallhhoosstt ......ootthheerr
|
||||
# //ssoommee//wwhheerree//ddkkiimm--ffiilltteerr --uu uusseerriidd --pp iinneett::ppoorrttnnuummbbeerr@@llooccaallhhoosstt ......ootthheerr
|
||||
ooppttiioonnss......
|
||||
|
||||
Please specify a userid value that isn't used for other applications (not
|
||||
@ -407,68 +408,72 @@ Milter applications make assumptions that aren't true in a Postfix environment.
|
||||
X-SenderID: Sendmail Sender-ID Filter vx.y.z host.example.com <unknown-
|
||||
msgid>
|
||||
|
||||
This happens because some Milter applications expect that the queue ID is
|
||||
This happens because those Milter applications expect that the queue ID is
|
||||
known before the MTA accepts the MAIL FROM (sender) command. Postfix, on
|
||||
the other hand, does not choose a queue file name until after it accepts
|
||||
the first valid RCPT TO (recipient) command. Postfix queue file names must
|
||||
the first valid RCPT TO (recipient) command (Postfix queue file names must
|
||||
be unique across multiple directories, so the name can't be chosen before
|
||||
the file is created. If multiple messages were to use the same queue ID
|
||||
simultaneously, mail would be lost.
|
||||
the file is created; if multiple messages were to use the same queue ID
|
||||
simultaneously, mail would be lost).
|
||||
|
||||
To work around the ugly message header from Milter applications, we add a
|
||||
little code to the Milter source to look up the queue ID after Postfix
|
||||
receives the end of the message.
|
||||
Fixing the ugly header maybe as simple as upgrading to a recent version of the
|
||||
Milter application. For example, current versions of dkim-filter and dk-filter
|
||||
have code that looks up the Postfix queue ID at a later protocol stage.
|
||||
|
||||
o Edit the filter source file (typically named dk-filter/dk-filter.c or
|
||||
similar).
|
||||
To fix the ugly message header with sid-filter applications, we change the
|
||||
source code, so that it does the queue ID lookup after Postfix receives the end
|
||||
of the message.
|
||||
|
||||
o Look up the mlfi_eom() function and add code near the top shown as bboolldd
|
||||
text below:
|
||||
* Edit the filter source file (named sid-filter/sid-filter.c).
|
||||
|
||||
dfc = cc->cctx_msg;
|
||||
assert(dfc != NULL);
|
||||
* Look up the smfilter table and replace mlfi_eoh by NULL.
|
||||
|
||||
//** DDeetteerrmmiinnee tthhee jjoobb IIDD ffoorr llooggggiinngg.. **//
|
||||
iiff ((ddffcc-->>mmccttxx__jjoobbiidd ==== 00 |||| ssttrrccmmpp((ddffcc-->>mmccttxx__jjoobbiidd,, JJOOBBIIDDUUNNKKNNOOWWNN)) ==== 00))
|
||||
{{
|
||||
cchhaarr **jjoobbiidd == ssmmffii__ggeettssyymmvvaall((ccttxx,, ""ii""));;
|
||||
iiff ((jjoobbiidd !!== 00))
|
||||
ddffcc-->>mmccttxx__jjoobbiidd == jjoobbiidd;;
|
||||
}}
|
||||
* Look up the mlfi_eom() function and add code near the top that calls
|
||||
mlfi_eoh() as shown by the bboolldd text below:
|
||||
|
||||
/* get hostname; used in the X header and in new MIME boundaries */
|
||||
assert(ctx != NULL);
|
||||
#endif /* !DEBUG */
|
||||
|
||||
NOTES:
|
||||
rreett == mmllffii__eeoohh((ccttxx));;
|
||||
iiff ((rreett !!== SSMMFFIISS__CCOONNTTIINNUUEE))
|
||||
rreettuurrnn rreett;;
|
||||
|
||||
o Different mail filters use slightly different names for variables. If
|
||||
the above code does not compile, look for the code at the start of the
|
||||
mlfi_eoh() routine.
|
||||
NOTES:
|
||||
|
||||
o This fixes only the ugly message header, but not the WARNING message.
|
||||
Fortunately, dk-filter logs that message only once.
|
||||
* This was tested with sid-milter-0.2.10 and sid-milter-0.2.14.
|
||||
|
||||
With some Milter applications we can fix both the WARNING and the "unknown-
|
||||
msgid" by postponing the call of mlfi_eoh() (or whatever routine logs the
|
||||
WARNING) until the end of the message.
|
||||
* This fixes only the ugly message header, but not the WARNING message.
|
||||
Fortunately, sid-milter logs that message only once.
|
||||
|
||||
o Edit the filter source file (typically named sid-filter/sid-filter.c or
|
||||
similar).
|
||||
To fix the ugly message header with other Milter applications, you will need to
|
||||
do something like this:
|
||||
|
||||
o Look up the smfilter table and replace mlfi_eoh (or whatever routine
|
||||
logs the WARNING) by NULL.
|
||||
* Edit the filter source file (typically named xxx-filter/xxx-filter.c or
|
||||
similar).
|
||||
|
||||
o Look up the mlfi_eom() function and add code near the top that calls
|
||||
mlfi_eoh() as shown by the bboolldd text below:
|
||||
* Look up the mlfi_eom() function and add code near the top shown as bboolldd
|
||||
text below:
|
||||
|
||||
assert(ctx != NULL);
|
||||
#endif /* !DEBUG */
|
||||
dfc = cc->cctx_msg;
|
||||
assert(dfc != NULL);
|
||||
|
||||
rreett == mmllffii__eeoohh((ccttxx));;
|
||||
iiff ((rreett !!== SSMMFFIISS__CCOONNTTIINNUUEE))
|
||||
rreettuurrnn rreett;;
|
||||
//** DDeetteerrmmiinnee tthhee jjoobb IIDD ffoorr llooggggiinngg.. **//
|
||||
iiff ((ddffcc-->>mmccttxx__jjoobbiidd ==== 00 |||| ssttrrccmmpp((ddffcc-->>mmccttxx__jjoobbiidd,, JJOOBBIIDDUUNNKKNNOOWWNN)) ==== 00)) {{
|
||||
cchhaarr **jjoobbiidd == ssmmffii__ggeettssyymmvvaall((ccttxx,, ""ii""));;
|
||||
iiff ((jjoobbiidd !!== 00))
|
||||
ddffcc-->>mmccttxx__jjoobbiidd == jjoobbiidd;;
|
||||
}}
|
||||
|
||||
This works with sid-milter-0.2.10. Other Milter applications will dump core
|
||||
when you do this.
|
||||
/* get hostname; used in the X header and in new MIME boundaries */
|
||||
|
||||
NOTES:
|
||||
|
||||
* Different mail filters use slightly different names for variables. If the
|
||||
above code does not compile, look for the code at the start of the mlfi_eoh
|
||||
() routine.
|
||||
|
||||
* This fixes only the ugly message header, but not the WARNING message.
|
||||
Fortunately, many Milters log that message only once.
|
||||
|
||||
LLiimmiittaattiioonnss
|
||||
|
||||
|
@ -11,10 +11,10 @@ for general use.
|
||||
GGeenneerraall ddiissttrriibbuuttiioonnss:: pplleeaassee pprroovviiddee aa ssmmaallll ddeeffaauulltt mmaaiinn..ccff ffiillee
|
||||
|
||||
The installed main.cf file must be small. PLEASE resist the temptation to list
|
||||
all 400+ parameters in the main.cf file. Postfix is supposed to be easy to
|
||||
configure. Listing all 400+ in main.cf defeats the purpose. It is an invitation
|
||||
for hobbyists to make random changes without understanding what they do, and
|
||||
gets them into endless trouble.
|
||||
all parameters in the main.cf file. Postfix is supposed to be easy to
|
||||
configure. Listing all parameters in main.cf defeats the purpose. It is an
|
||||
invitation for hobbyists to make random changes without understanding what they
|
||||
do, and gets them into endless trouble.
|
||||
|
||||
GGeenneerraall ddiissttrriibbuuttiioonnss:: pplleeaassee iinncclluuddee RREEAADDMMEE oorr HHTTMMLL ffiilleess
|
||||
|
||||
|
@ -118,7 +118,7 @@ Notes:
|
||||
how the client was authenticated via TLS. These attributes are empty in
|
||||
case of no certificate authentication. As of Postfix 2.2.11 these attribute
|
||||
values are encoded as xtext: some characters are represented by +XX, where
|
||||
XX is the two-digit hecadecimal representation of the character value.
|
||||
XX is the two-digit hexadecimal representation of the character value.
|
||||
|
||||
* The "encryption_*" attributes (Postfix 2.3 and later) specify information
|
||||
about how the connection is encrypted. With plaintext connections the
|
||||
|
@ -141,7 +141,8 @@ Postfix version 2.0 and earlier:
|
||||
|
||||
MMeeaassuurreess aaggaaiinnsstt cclliieennttss tthhaatt mmaakkee ttoooo mmaannyy ccoonnnneeccttiioonnss
|
||||
|
||||
Note: the anvil(8) service was introduced with Postfix version 2.2.
|
||||
Note: these features use the Postfix anvil(8) service, introduced with Postfix
|
||||
version 2.2.
|
||||
|
||||
The Postfix smtpd(8) server can limit the number of simultaneous connections
|
||||
from the same SMTP client, as well as the number of connections that a client
|
||||
@ -149,29 +150,31 @@ is allowed to make per unit time. These statistics are maintained by the anvil
|
||||
(8) server (translation: if anvil(8) breaks, then connection limits stop
|
||||
working).
|
||||
|
||||
IMPORTANT: These limits are designed to protect the smtpd(8) server against
|
||||
flagrant abuse. Do not use these limits to regulate legitimate traffic: mail
|
||||
will suffer grotesque delays if you do so.
|
||||
IMPORTANT: These limits must not be used to regulate legitimate traffic: mail
|
||||
will suffer grotesque delays if you do so. The limits are designed to protect
|
||||
the smtpd(8) server against abuse by out-of-control clients.
|
||||
|
||||
* An SMTP client may make up to $smtpd_client_connection_count_limit
|
||||
simultaneous connections (default: 50). This is half the default process
|
||||
limit.
|
||||
|
||||
* An SMTP client may make up to $smtpd_client_message_rate_limit message
|
||||
delivery requests per unit time (default: no limit).
|
||||
|
||||
* An SMTP client may send up to $smtpd_client_recipient_rate_limit recipient
|
||||
addresses per unit time (default: no limit).
|
||||
|
||||
* An SMTP client may make up to $smtpd_client_connection_rate_limit
|
||||
connections per unit time (default: no limit).
|
||||
|
||||
* These limits are not applied to SMTP clients in the networks specified with
|
||||
$smtpd_client_event_limit_exceptions (default: clients in $mynetworks may
|
||||
make an unlimited number of connections).
|
||||
|
||||
* The anvil_rate_time_unit parameter specifies the time unit over which
|
||||
client connection rates are computed (default: 60s).
|
||||
smtpd_client_connection_count_limit (default: 50)
|
||||
The maximum number of connections than an SMTP client may make
|
||||
simultaneously.
|
||||
smtpd_client_connection_rate_limit (default: no limit)
|
||||
The maximum number of connections that an SMTP client may make in the
|
||||
time interval specified with anvil_rate_time_unit (default: 60s).
|
||||
smtpd_client_message_rate_limit (default: no limit)
|
||||
The maximum number of message delivery requests that an SMTP client may
|
||||
make in the time interval specified with anvil_rate_time_unit (default:
|
||||
60s).
|
||||
smtpd_client_recipient_rate_limit (default: no limit)
|
||||
The maximum number of recipient addresses that an SMTP client may
|
||||
specify in the time interval specified with anvil_rate_time_unit
|
||||
(default: 60s).
|
||||
smtpd_client_new_tls_session_rate_limit (default: no limit)
|
||||
The maximum number of new TLS sessions (without using the TLS session
|
||||
cache) that an SMTP client may negotiate in the time interval specified
|
||||
with anvil_rate_time_unit (default: 60s).
|
||||
smtpd_client_event_limit_exceptions (default: $mynetworks)
|
||||
SMTP clients that are excluded from connection and rate limits
|
||||
specified above.
|
||||
|
||||
GGeenneerraall mmaaiill ddeelliivveerryy ppeerrffoorrmmaannccee ttiippss
|
||||
|
||||
@ -251,7 +254,7 @@ Examples of transport specific concurrency limits are:
|
||||
limit delivery concurrency to the same recipient: if the recipient has an
|
||||
expensive shell command in her .forward file, or if the recipient is a
|
||||
mailing list manager, you don't want to run too many instances of those
|
||||
processes the same time.
|
||||
processes at the same time.
|
||||
|
||||
* The default smtp_destination_concurrency_limit of 20 seems enough to
|
||||
noticeably load a system without bringing it to its knees. Be careful when
|
||||
@ -334,9 +337,9 @@ message it may blame the message itself, or it may blame the receiving party.
|
||||
|
||||
This process is governed by a bunch of little parameters.
|
||||
|
||||
queue_run_delay (default: 1000 seconds)
|
||||
queue_run_delay (default: 300 seconds; before Postfix 2.4: 1000s)
|
||||
How often the queue manager scans the queue for deferred mail.
|
||||
minimal_backoff_time (default: 1000 seconds)
|
||||
minimal_backoff_time (default: 300 seconds; before Postfix 2.4: 1000s)
|
||||
The minimal amount of time a message won't be looked at, and the
|
||||
minimal amount of time to stay away from a "dead" destination.
|
||||
maximal_backoff_time (default: 4000 seconds)
|
||||
@ -374,8 +377,8 @@ mail delivery performance actually becomes worse. The symptoms are as follows:
|
||||
When mail is being deferred frequently, fixing the problem is always better
|
||||
than increasing the frequency of delivery attempts. However, if you can control
|
||||
only the delivery attempt frequency, consider using a dedicated fallback_relay
|
||||
"graveyard" machine for bad destinations so that they do not ruin the
|
||||
performance of normal mail deliveries.
|
||||
"graveyard" machine for bad destinations, so that these destinations do not
|
||||
ruin the performance of normal mail deliveries.
|
||||
|
||||
TTuunniinngg tthhee nnuummbbeerr ooff PPoossttffiixx pprroocceesssseess
|
||||
|
||||
@ -414,6 +417,16 @@ TTuunniinngg tthhee nnuummbbeerr ooff ooppeenn ffiillee
|
||||
When Postfix opens too many files or sockets, processes will abort with fatal
|
||||
errors, and the system may log "file table full" errors.
|
||||
|
||||
* Depending on your Postfix and operating system versions you may need to
|
||||
recompile Postfix if you need more than 1024 file descriptors per process:
|
||||
|
||||
o No recompilation is needed for Postfix version 2.4 and later, when it
|
||||
was compiled for systems that support BSD kqueue(2) (FreeBSD 4.1,
|
||||
NetBSD 2.0, OpenBSD 2.9), Solaris 8 /dev/poll, or Linux 2.6 epoll(4).
|
||||
|
||||
o Otherwise, Postfix needs to be recompiled to override the default
|
||||
FD_SETSIZE value.
|
||||
|
||||
* Reduce the number of processes as described under "Tuning the number of
|
||||
Postfix processes" above. Fewer processes need fewer open files and
|
||||
sockets.
|
||||
@ -423,8 +436,8 @@ errors, and the system may log "file table full" errors.
|
||||
sure to verify the following information with your system tuning guide:
|
||||
|
||||
o Some FreeBSD kernel parameters can be specified in /boot/loader.conf,
|
||||
and some can be changed with sysctl commands. Which is which depends on
|
||||
the version.
|
||||
and some can be specified in /etc/sysctl.conf or changed with sysctl
|
||||
commands. Which is which depends on the version.
|
||||
|
||||
kern.ipc.maxsockets="5000"
|
||||
kern.ipc.nmbclusters="65536"
|
||||
@ -432,8 +445,8 @@ errors, and the system may log "file table full" errors.
|
||||
kern.maxfiles="16384"
|
||||
kern.maxfilesperproc="16384"
|
||||
|
||||
o Linux kernel parameters can be specified in /etc/sysctl.conf and can
|
||||
also be changed with sysctl commands:
|
||||
o Linux kernel parameters can be specified in /etc/sysctl.conf or changed
|
||||
with sysctl commands:
|
||||
|
||||
fs.file-max=16384
|
||||
kernel.threads-max=2048
|
||||
|
14
postfix/TODO
@ -1,23 +1,13 @@
|
||||
What needs to be done before Postfix 2.4.0 is finished:
|
||||
|
||||
- Update MILTER_README (dkim, application patches).
|
||||
|
||||
- Create RELEASE_NOTES_2.4.
|
||||
|
||||
- Update BACKSCATTER_README with PCRE rules.
|
||||
|
||||
- Otherwise done up to and including FILTER_README
|
||||
|
||||
- Truncate wish list from HISTORY.
|
||||
|
||||
- Spell check and double word check the proto files.
|
||||
|
||||
- Parameter hyperlink check and HTML check the html outputs.
|
||||
|
||||
- Replace SPF policy server script by link to SPF website.
|
||||
|
||||
- Remove MacOS X examples. They have not been updated.
|
||||
|
||||
- Is "postmap -qf" still needed with regexp/pcre maps?
|
||||
|
||||
- Update TUNING_README smtpd_client_*_limit feature list (add TLS).
|
||||
|
||||
- Update TUNING_README file descriptor tuning.
|
||||
|
@ -1,46 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Gerben Wierda, Oct 2001. Adapted from an existing example. I waive every
|
||||
# copyright on this and I also do not give any warranty.
|
||||
|
||||
# Updated Sepember 29, 2002
|
||||
# To work properly, the POSTFIX variable needs to be set to -YES-
|
||||
# in /etc/hostconfig
|
||||
|
||||
. /etc/rc.common
|
||||
|
||||
if [ "${POSTFIX:=-NO-}" = "-YES-" -a "${MAILSERVER:=-NO-}" = "-YES-" ]
|
||||
then
|
||||
ConsoleMessage "Cannot run concurrent postfix and sendmail"
|
||||
sleep 2
|
||||
exit
|
||||
fi
|
||||
|
||||
##
|
||||
# Start mail server
|
||||
##
|
||||
|
||||
if [ "$1" == "start" ]
|
||||
then
|
||||
if [ "${POSTFIX:=-NO-}" = "-YES-" ]
|
||||
then
|
||||
ConsoleMessage "Starting Postfix mail services"
|
||||
/usr/sbin/postfix start
|
||||
fi
|
||||
elif [ "$1" == "stop" ]
|
||||
then
|
||||
ConsoleMessage "Stopping Postfix mail services"
|
||||
/usr/sbin/postfix stop
|
||||
elif [ "$1" == "restart" ]
|
||||
then
|
||||
if [ "${POSTFIX:=-NO-}" = "-YES-" ]
|
||||
then
|
||||
ConsoleMessage "Reloading Postfix configuration"
|
||||
/usr/sbin/postfix reload
|
||||
else
|
||||
ConsoleMessage "Stopping Postfix mail services"
|
||||
/usr/sbin/postfix stop
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -1,13 +0,0 @@
|
||||
{
|
||||
Description = "Postfix mail server";
|
||||
Provides = ("SMTP");
|
||||
Requires = ("Resolver");
|
||||
Uses = ("Network Time", "NFS");
|
||||
Preference = "None";
|
||||
Messages =
|
||||
{
|
||||
start = "Starting Postfix";
|
||||
stop = "Stopping Postfix";
|
||||
restart = "Reloading Postfix Configuration";
|
||||
};
|
||||
}
|
@ -1,74 +0,0 @@
|
||||
# Adapted from an existing example by Gerben Wierda, Oct 2001. I waive every
|
||||
# copyright on this and I also do not give any warranty.
|
||||
|
||||
Let's start with the important warning:
|
||||
|
||||
DO NOT USE THE MULTIPLE USERS APPLICATION TO CREATE THE POSTFIX USER!
|
||||
|
||||
NOTE: Mac OS X as of version 10.3 comes with Postfix as the standard mailer
|
||||
and it is supported in Server Admin on Mac OS X 10.3 Server . The instructions
|
||||
below therefore only apply for Mac OS X 10.2.8.
|
||||
|
||||
NOTE: As of 29 September 2002, these instructions and the scripts have changed
|
||||
to make the solution more robust for Apple updates.
|
||||
|
||||
Run the commands below in the order that they are presented
|
||||
|
||||
A. INSTALLING POSTFIX for the first time and selecting it as the active
|
||||
Mail Transfer Agent (MTA):
|
||||
|
||||
# All these commands are written to be run from this directory.
|
||||
|
||||
# This repairs the previous Oct 2001 setup if any
|
||||
sudo ./repair-oldsetup
|
||||
|
||||
# Prepare for reactivating sendmail
|
||||
sudo ./backup-sendmail-binaries
|
||||
|
||||
# this creates the necessary users & groups for proper operation
|
||||
# of postfix:
|
||||
sudo ./niscript
|
||||
|
||||
# Install postfix:
|
||||
# When the script asks you for setgid (the default will be no) tell it
|
||||
# maildrop
|
||||
(cd ../..; sudo make install)
|
||||
|
||||
# Prepare for reactivating postfix
|
||||
sudo ./backup-postfix-binaries
|
||||
|
||||
# edit /etc/postfix/main.cf to suit your requirements
|
||||
### add your own commands here ###
|
||||
|
||||
# Activate postfix startup at boot time. Deactivates sendmail.
|
||||
sudo ./activate-postfix
|
||||
|
||||
# Test. Read INSTALL for a series of suggested tests.
|
||||
|
||||
B. DEACTIVATING POSTFIX
|
||||
|
||||
# Deactivate postfix startup at boot time
|
||||
sudo ./deactivate-postfix
|
||||
|
||||
C. RESTORING Sendmail as the MTA when Postfix is the active MTA
|
||||
|
||||
# This repairs the previous Oct 2001 setup if any
|
||||
sudo ./repair-oldsetup
|
||||
|
||||
# Deactivate postfix startup at boot time
|
||||
sudo ./deactivate-postfix
|
||||
|
||||
sudo ./activate-sendmail
|
||||
|
||||
# Restart your computer
|
||||
|
||||
D. RESTORING postfix as the MTA when Sendmail is the active MTA
|
||||
|
||||
# NOTE: The first time you activate postfix you have to follow
|
||||
# the steps of A.
|
||||
|
||||
# This repairs the previous Oct 2001 setup if any
|
||||
sudo ./repair-oldsetup
|
||||
|
||||
sudo ./activate-postfix
|
||||
|
@ -1,43 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Written by Gerben Wierda, Oct 2001. I waive every copyright on this and
|
||||
# I also do not give any warranty.
|
||||
|
||||
. ./defines
|
||||
|
||||
# Activate binaries
|
||||
if [ ! -e ${POSTFIXBACKUPDIR}/sendmail ]
|
||||
then
|
||||
echo "Something is wrong: there is no existing postfix binary backup"
|
||||
exit 1;
|
||||
else
|
||||
echo "Restoring postfix versions of sendmail programs from backup..."
|
||||
(cd ${POSTFIXBACKUPDIR}; tar cf - sendmail) | (cd /usr/sbin; tar xf -)
|
||||
(cd ${POSTFIXBACKUPDIR}; tar cf - newaliases) | (cd /usr/bin; tar xf -)
|
||||
(cd ${POSTFIXBACKUPDIR}; tar cf - mailq) | (cd /usr/bin; tar xf -)
|
||||
fi
|
||||
|
||||
if [ -e "${PSI}" ]
|
||||
then
|
||||
echo "Postfix StartupItem already exists."
|
||||
else
|
||||
if [ -e "${PSIDISABLED}" ]
|
||||
then
|
||||
echo "Reinstating disabled Postfix StartupItem..."
|
||||
mv "${PSIDISABLED}" "${PSI}"
|
||||
else
|
||||
echo "Installing new default Postfix StartupItem..."
|
||||
cp -R Postfix.StartupItem "${PSI}"
|
||||
fi
|
||||
fi
|
||||
|
||||
# De-activate sendmail in /etc/hostconfig
|
||||
/usr/bin/perl -pi -e 's/MAILSERVER=-YES-/MAILSERVER=-NO-/g' /etc/hostconfig
|
||||
# Activate postfix in /etc/hostconfig
|
||||
if /usr/bin/grep '^POSTFIX=-NO-' /etc/hostconfig >/dev/null 2>&1; then
|
||||
/usr/bin/perl -pi -e 's/POSTFIX=-NO-/POSTFIX=-YES-/g' /etc/hostconfig
|
||||
else
|
||||
echo "POSTFIX=-YES-" >>/etc/hostconfig
|
||||
fi
|
||||
|
||||
/usr/sbin/postfix start
|
@ -1,24 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Written by Gerben Wierda, Oct 2001. I waive every copyright on this and
|
||||
# I also do not give any warranty.
|
||||
|
||||
. ./defines
|
||||
|
||||
. ./deactivate-postfix
|
||||
|
||||
# Activate binaries
|
||||
if [ ! -e ${SENDMAILBACKUPDIR}/sendmail ]
|
||||
then
|
||||
echo "Something is wrong: there is no existing sendmail binary backup"
|
||||
exit 1;
|
||||
else
|
||||
echo "Restoring sendmail versions of sendmail programs from backup..."
|
||||
(cd ${SENDMAILBACKUPDIR}; tar cf - sendmail) | (cd /usr/sbin; tar xf -)
|
||||
(cd ${SENDMAILBACKUPDIR}; tar cf - newaliases) | (cd /usr/bin; tar xf -)
|
||||
(cd ${SENDMAILBACKUPDIR}; tar cf - mailq) | (cd /usr/bin; tar xf -)
|
||||
fi
|
||||
|
||||
# Activate sendmail in /etc/hostconfig
|
||||
/usr/bin/perl -pi -e 's/MAILSERVER=-NO-/MAILSERVER=-YES-/g' /etc/hostconfig
|
||||
|
@ -1,20 +0,0 @@
|
||||
#! /bin/sh
|
||||
|
||||
# Written by Gerben Wierda, Oct 2001. I waive every copyright on this and
|
||||
# I also do not give any warranty.
|
||||
|
||||
# We use tar, as we do not know beforehand if we are dealing with real
|
||||
# files or symbolic links. Since we use tar, we cannot change filenames
|
||||
# we need to create a directory to hold our backup binaries.
|
||||
|
||||
. ./defines
|
||||
|
||||
if [ ! -d ${POSTFIXBACKUPDIR} ]
|
||||
then
|
||||
mkdir -p ${POSTFIXBACKUPDIR}
|
||||
fi
|
||||
|
||||
(cd /usr/sbin; tar cf - sendmail) | (cd ${POSTFIXBACKUPDIR}; tar xf -)
|
||||
(cd /usr/bin; tar cf - newaliases) | (cd ${POSTFIXBACKUPDIR}; tar xf -)
|
||||
(cd /usr/bin; tar cf - mailq) | (cd ${POSTFIXBACKUPDIR}; tar xf -)
|
||||
|
@ -1,20 +0,0 @@
|
||||
#! /bin/sh
|
||||
|
||||
# Written by Gerben Wierda, Oct 2001. I waive every copyright on this and
|
||||
# I also do not give any warranty.
|
||||
|
||||
# We use tar, as we do not know beforehand if we are dealing with real
|
||||
# files or symbolic links. Since we use tar, we cannot change filenames
|
||||
# we need to create a directory to hold our backup binaries.
|
||||
|
||||
. ./defines
|
||||
|
||||
if [ ! -d ${SENDMAILBACKUPDIR} ]
|
||||
then
|
||||
mkdir -p ${SENDMAILBACKUPDIR}
|
||||
fi
|
||||
|
||||
(cd /usr/sbin; tar cf - sendmail) | (cd ${SENDMAILBACKUPDIR}; tar xf -)
|
||||
(cd /usr/bin; tar cf - newaliases) | (cd ${SENDMAILBACKUPDIR}; tar xf -)
|
||||
(cd /usr/bin; tar cf - mailq) | (cd ${SENDMAILBACKUPDIR}; tar xf -)
|
||||
|
@ -1,16 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Written by Gerben Wierda, Sep 2002. I waive every copyright on this and
|
||||
# I also do not give any warranty.
|
||||
|
||||
. ./defines
|
||||
|
||||
if [ -e "${PSI}" ]
|
||||
then
|
||||
mv "${PSI}" "${PSIDISABLED}"
|
||||
fi
|
||||
|
||||
# De-activate postfix in /etc/hostconfig
|
||||
/usr/bin/perl -pi -e 's/POSTFIX=-YES-/POSTFIX=-NO-/g' /etc/hostconfig
|
||||
|
||||
/usr/sbin/postfix stop >/dev/null 2>&1
|
@ -1,12 +0,0 @@
|
||||
#! /bin/sh
|
||||
|
||||
# Written by Gerben Wierda, Oct 2001. I waive every copyright on this and
|
||||
# I also do not give any warranty.
|
||||
|
||||
SIDIR="/Library/StartupItems"
|
||||
|
||||
PSI="${SIDIR}/Postfix"
|
||||
PSIDISABLED="${PSI}.disabled"
|
||||
|
||||
POSTFIXBACKUPDIR=/usr/sbin/.postfixbackup
|
||||
SENDMAILBACKUPDIR=/usr/sbin/.sendmailbackup
|
@ -1,164 +0,0 @@
|
||||
#!/usr/bin/perl
|
||||
|
||||
# niscript.pl by Gerben Wierda <gerben_wierda@rna.nl>
|
||||
|
||||
# This little script is an adaptation of the original niscript sh script by
|
||||
# Joe Block <jpb@creol.ucf.edu>
|
||||
# instead of using fixed uid/gid and thus not robust if you run it on a
|
||||
# system where groups and/or users have been added, this script checks
|
||||
# if the users/groups are there and if not creates them with free id's.
|
||||
|
||||
# 17 Jul 2002 GW: Fixed two bugs
|
||||
# 1. Typo in createuser would always have uid 88 for postfix
|
||||
# 2. Add to netinfo domain . instead of / so that it also works on systems
|
||||
# where the / domain is actually network-wide (not very useful to add
|
||||
# a postfix user to all systems in that netinfo domain...)
|
||||
|
||||
print <<_WARNING
|
||||
|
||||
This script massages your netinfo database. This can severely break
|
||||
your system. If your netinfo database breaks, you get to keep the parts.
|
||||
|
||||
No Warranty. Really.
|
||||
|
||||
This script tries to create two groups (if they do not already exist):
|
||||
- postfix
|
||||
- maildrop
|
||||
and tries to create a user (if it does not already exist)
|
||||
- postfix
|
||||
which is member of group postfix.
|
||||
|
||||
_WARNING
|
||||
;
|
||||
|
||||
# The script starts to look at id 88 (both for user and group) and up to 65535
|
||||
# It dies if no free id is found.
|
||||
|
||||
my $postfixgid = undef;
|
||||
my $maildropgid = undef;
|
||||
my $postfixuid = undef;
|
||||
|
||||
# First create
|
||||
|
||||
my @groups = readgroups();
|
||||
foreach $group (@groups) {
|
||||
(my $groupname, undef, my $gid, undef) = split( ':', $group);
|
||||
if ($groupname eq 'postfix') {
|
||||
warn "You already have a postfix group (with gid $gid)\n";
|
||||
$postfixgid = $gid;
|
||||
}
|
||||
if ($groupname eq 'maildrop') {
|
||||
warn "You already have a maildrop group (with gid $gid)\n";
|
||||
$maildropgid = $gid;
|
||||
}
|
||||
}
|
||||
|
||||
if (not defined $postfixgid) {
|
||||
$postfixgid = creategroup( 'postfix');
|
||||
}
|
||||
|
||||
if (not defined $maildropgid) {
|
||||
$maildropgid = creategroup( 'maildrop');
|
||||
}
|
||||
|
||||
my @users = readusers();
|
||||
foreach $user (@users) {
|
||||
(my $username, undef, my $uid, undef) = split( ':', $user);
|
||||
if ($username eq 'postfix') {
|
||||
warn "You already have a postfix user (with uid $uid)\n";
|
||||
$postfixuid = $uid;
|
||||
}
|
||||
}
|
||||
|
||||
if (not defined $postfixuid) {
|
||||
$postfixuid = createuser( 'postfix', '"Postfix User"',
|
||||
'/usr/bin/false', '/etc/postfix',
|
||||
$postfixgid);
|
||||
addusertogroup( 'postfix', 'postfix');
|
||||
}
|
||||
|
||||
warn "\n";
|
||||
|
||||
sub creategroup
|
||||
{
|
||||
my $name = shift;
|
||||
open( NIDUMP, "nidump group .|") or die "Cannot run nidump\n";
|
||||
my @groups=<NIDUMP>;
|
||||
close( NIDUMP);
|
||||
|
||||
my $tryno;
|
||||
NEXTNO: for ($tryno = 88; $tryno <= 65535; $tryno++) {
|
||||
foreach my $group (@groups) {
|
||||
(my $groupname, undef, my $gid, undef) =
|
||||
split( ':', $group);
|
||||
next NEXTNO if $gid == $tryno;
|
||||
}
|
||||
last NEXTNO;
|
||||
}
|
||||
die "Cannot find free gid\n" if $tryno == 65536;
|
||||
warn "Will create $name as gid $tryno\n";
|
||||
system "niutil -create . /groups/$name";
|
||||
system "niutil -createprop . /groups/$name name $name";
|
||||
system "niutil -createprop . /groups/$name gid $tryno";
|
||||
system "niutil -createprop . /groups/$name passwd '*'";
|
||||
return $tryno;
|
||||
}
|
||||
|
||||
sub addusertogroup
|
||||
{
|
||||
my $user = shift;
|
||||
my $group = shift;
|
||||
system "niutil -appendprop . /groups/$group users $user";
|
||||
}
|
||||
|
||||
sub readgroups
|
||||
{
|
||||
open( NIDUMP, "nidump group .|") or die "Cannot run nidump\n";
|
||||
my @groups=<NIDUMP>;
|
||||
close( NIDUMP);
|
||||
return @groups;
|
||||
}
|
||||
|
||||
sub readusers
|
||||
{
|
||||
my @passwd;
|
||||
open( NIDUMP, "nidump passwd .|") or die "Cannot run nidump\n";
|
||||
@passwd=<NIDUMP>;
|
||||
close( NIDUMP);
|
||||
return @passwd;
|
||||
}
|
||||
|
||||
sub createuser
|
||||
{
|
||||
my $name = shift;
|
||||
my $realname = shift;
|
||||
my $shell = shift;
|
||||
my $home = shift;
|
||||
my $gid = shift;
|
||||
|
||||
open( NIDUMP, "nidump passwd .|") or die "Cannot run nidump\n";
|
||||
my @passwds=<NIDUMP>;
|
||||
close( NIDUMP);
|
||||
|
||||
my $tryno;
|
||||
NEXTNO: for ($tryno = 88; $tryno <= 65535; $tryno++) {
|
||||
foreach my $passwd (@passwds) {
|
||||
(my $passwdname, undef, my $uid, undef) =
|
||||
split( ':', $passwd);
|
||||
next NEXTNO if $uid == $tryno;
|
||||
}
|
||||
last NEXTNO;
|
||||
}
|
||||
die "Cannot find free uid\n" if $tryno == 65536;
|
||||
warn "Will create $name as uid $tryno\n";
|
||||
system "niutil -create . /users/$name";
|
||||
system "niutil -createprop . /users/$name realname $realname";
|
||||
system "niutil -createprop . /users/$name shell $shell";
|
||||
system "niutil -createprop . /users/$name uid $tryno";
|
||||
system "niutil -createprop . /users/$name gid $gid";
|
||||
system "niutil -createprop . /users/$name home $home";
|
||||
system "niutil -createprop . /users/$name _shadow_passwd";
|
||||
system "niutil -createprop . /users/$name passwd '*'";
|
||||
return $tryno;
|
||||
}
|
||||
|
@ -1,8 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
if [ -d /System/Library/DisabledStartupItems/Sendmail ]
|
||||
then
|
||||
mv /System/Library/DisabledStartupItems/Sendmail /System/Library/StartupItems
|
||||
rmdir /System/Library/DisabledStartupItems/Sendmail
|
||||
rm -rf /System/Library/StartupItems/Postfix
|
||||
fi
|
@ -11,34 +11,35 @@
|
||||
# postmap -q - /etc/postfix/access <inputfile
|
||||
#
|
||||
# DESCRIPTION
|
||||
# The Postfix SMTP server supports access control on remote
|
||||
# SMTP client information: host names, network addresses,
|
||||
# and envelope sender or recipient addresses. See
|
||||
# header_checks(5) or body_checks(5) for access control on
|
||||
# the content of email messages.
|
||||
# This document describes access control on remote SMTP
|
||||
# client information: host names, network addresses, and
|
||||
# envelope sender or recipient addresses; it is implemented
|
||||
# by the Postfix SMTP server. See header_checks(5) or
|
||||
# body_checks(5) for access control on the content of email
|
||||
# messages.
|
||||
#
|
||||
# Normally, the access(5) table is specified as a text file
|
||||
# that serves as input to the postmap(1) command. The
|
||||
# result, an indexed file in dbm or db format, is used for
|
||||
# fast searching by the mail system. Execute the command
|
||||
# "postmap /etc/postfix/access" to rebuild an indexed file
|
||||
# Normally, the access(5) table is specified as a text file
|
||||
# that serves as input to the postmap(1) command. The
|
||||
# result, an indexed file in dbm or db format, is used for
|
||||
# fast searching by the mail system. Execute the command
|
||||
# "postmap /etc/postfix/access" to rebuild an indexed file
|
||||
# after changing the corresponding text file.
|
||||
#
|
||||
# When the table is provided via other means such as NIS,
|
||||
# LDAP or SQL, the same lookups are done as for ordinary
|
||||
# When the table is provided via other means such as NIS,
|
||||
# LDAP or SQL, the same lookups are done as for ordinary
|
||||
# indexed files.
|
||||
#
|
||||
# Alternatively, the table can be provided as a regular-
|
||||
# Alternatively, the table can be provided as a regular-
|
||||
# expression map where patterns are given as regular expres-
|
||||
# sions, or lookups can be directed to TCP-based server. In
|
||||
# those cases, the lookups are done in a slightly different
|
||||
# way as described below under "REGULAR EXPRESSION TABLES"
|
||||
# sions, or lookups can be directed to TCP-based server. In
|
||||
# those cases, the lookups are done in a slightly different
|
||||
# way as described below under "REGULAR EXPRESSION TABLES"
|
||||
# or "TCP-BASED TABLES".
|
||||
#
|
||||
# CASE FOLDING
|
||||
# The search string is folded to lowercase before database
|
||||
# lookup. As of Postfix 2.3, the search string is not case
|
||||
# folded with database types such as regexp: or pcre: whose
|
||||
# The search string is folded to lowercase before database
|
||||
# lookup. As of Postfix 2.3, the search string is not case
|
||||
# folded with database types such as regexp: or pcre: whose
|
||||
# lookup fields can match both upper and lower case.
|
||||
#
|
||||
# TABLE FORMAT
|
||||
@ -49,53 +50,53 @@
|
||||
# address, perform the corresponding action.
|
||||
#
|
||||
# blank lines and comments
|
||||
# Empty lines and whitespace-only lines are ignored,
|
||||
# as are lines whose first non-whitespace character
|
||||
# Empty lines and whitespace-only lines are ignored,
|
||||
# as are lines whose first non-whitespace character
|
||||
# is a `#'.
|
||||
#
|
||||
# multi-line text
|
||||
# A logical line starts with non-whitespace text. A
|
||||
# line that starts with whitespace continues a logi-
|
||||
# A logical line starts with non-whitespace text. A
|
||||
# line that starts with whitespace continues a logi-
|
||||
# cal line.
|
||||
#
|
||||
# EMAIL ADDRESS PATTERNS
|
||||
# With lookups from indexed files such as DB or DBM, or from
|
||||
# networked tables such as NIS, LDAP or SQL, patterns are
|
||||
# networked tables such as NIS, LDAP or SQL, patterns are
|
||||
# tried in the order as listed below:
|
||||
#
|
||||
# user@domain
|
||||
# Matches the specified mail address.
|
||||
#
|
||||
# domain.tld
|
||||
# Matches domain.tld as the domain part of an email
|
||||
# Matches domain.tld as the domain part of an email
|
||||
# address.
|
||||
#
|
||||
# The pattern domain.tld also matches subdomains, but
|
||||
# only when the string smtpd_access_maps is listed in
|
||||
# the Postfix parent_domain_matches_subdomains con-
|
||||
# figuration setting (note that this is the default
|
||||
# for some versions of Postfix). Otherwise, specify
|
||||
# .domain.tld (note the initial dot) in order to
|
||||
# the Postfix parent_domain_matches_subdomains con-
|
||||
# figuration setting (note that this is the default
|
||||
# for some versions of Postfix). Otherwise, specify
|
||||
# .domain.tld (note the initial dot) in order to
|
||||
# match subdomains.
|
||||
#
|
||||
# user@ Matches all mail addresses with the specified user
|
||||
# user@ Matches all mail addresses with the specified user
|
||||
# part.
|
||||
#
|
||||
# Note: lookup of the null sender address is not possible
|
||||
# with some types of lookup table. By default, Postfix uses
|
||||
# <> as the lookup key for such addresses. The value is
|
||||
# specified with the smtpd_null_access_lookup_key parameter
|
||||
# Note: lookup of the null sender address is not possible
|
||||
# with some types of lookup table. By default, Postfix uses
|
||||
# <> as the lookup key for such addresses. The value is
|
||||
# specified with the smtpd_null_access_lookup_key parameter
|
||||
# in the Postfix main.cf file.
|
||||
#
|
||||
# EMAIL ADDRESS EXTENSION
|
||||
# When a mail address localpart contains the optional recip-
|
||||
# ient delimiter (e.g., user+foo@domain), the lookup order
|
||||
# becomes: user+foo@domain, user@domain, domain, user+foo@,
|
||||
# ient delimiter (e.g., user+foo@domain), the lookup order
|
||||
# becomes: user+foo@domain, user@domain, domain, user+foo@,
|
||||
# and user@.
|
||||
#
|
||||
# HOST NAME/ADDRESS PATTERNS
|
||||
# With lookups from indexed files such as DB or DBM, or from
|
||||
# networked tables such as NIS, LDAP or SQL, the following
|
||||
# networked tables such as NIS, LDAP or SQL, the following
|
||||
# lookup patterns are examined in the order as listed:
|
||||
#
|
||||
# domain.tld
|
||||
@ -103,9 +104,9 @@
|
||||
#
|
||||
# The pattern domain.tld also matches subdomains, but
|
||||
# only when the string smtpd_access_maps is listed in
|
||||
# the Postfix parent_domain_matches_subdomains con-
|
||||
# the Postfix parent_domain_matches_subdomains con-
|
||||
# figuration setting. Otherwise, specify .domain.tld
|
||||
# (note the initial dot) in order to match subdo-
|
||||
# (note the initial dot) in order to match subdo-
|
||||
# mains.
|
||||
#
|
||||
# net.work.addr.ess
|
||||
@ -114,21 +115,21 @@
|
||||
#
|
||||
# net.work
|
||||
#
|
||||
# net Matches the specified IPv4 host address or subnet-
|
||||
# work. An IPv4 host address is a sequence of four
|
||||
# net Matches the specified IPv4 host address or subnet-
|
||||
# work. An IPv4 host address is a sequence of four
|
||||
# decimal octets separated by ".".
|
||||
#
|
||||
# Subnetworks are matched by repeatedly truncating
|
||||
# Subnetworks are matched by repeatedly truncating
|
||||
# the last ".octet" from the remote IPv4 host address
|
||||
# string until a match is found in the access table,
|
||||
# string until a match is found in the access table,
|
||||
# or until further truncation is not possible.
|
||||
#
|
||||
# NOTE 1: The information in the access map should be
|
||||
# in canonical form, with unnecessary null characters
|
||||
# eliminated. Address information must not be
|
||||
# eliminated. Address information must not be
|
||||
# enclosed with "[]" characters.
|
||||
#
|
||||
# NOTE 2: use the cidr lookup table type to specify
|
||||
# NOTE 2: use the cidr lookup table type to specify
|
||||
# network/netmask patterns. See cidr_table(5) for
|
||||
# details.
|
||||
#
|
||||
@ -138,12 +139,12 @@
|
||||
#
|
||||
# net:work
|
||||
#
|
||||
# net Matches the specified IPv6 host address or subnet-
|
||||
# work. An IPv6 host address is a sequence of three
|
||||
# to eight hexadecimal octet pairs separated by ":".
|
||||
# net Matches the specified IPv6 host address or subnet-
|
||||
# work. An IPv6 host address is a sequence of three
|
||||
# to eight hexadecimal octet pairs separated by ":".
|
||||
#
|
||||
# Subnetworks are matched by repeatedly truncating
|
||||
# the last ":octetpair" from the remote IPv6 host
|
||||
# Subnetworks are matched by repeatedly truncating
|
||||
# the last ":octetpair" from the remote IPv6 host
|
||||
# address string until a match is found in the access
|
||||
# table, or until further truncation is not possible.
|
||||
#
|
||||
@ -153,10 +154,10 @@
|
||||
#
|
||||
# NOTE 2: The information in the access map should be
|
||||
# in canonical form, with unnecessary null characters
|
||||
# eliminated. Address information must not be
|
||||
# eliminated. Address information must not be
|
||||
# enclosed with "[]" characters.
|
||||
#
|
||||
# NOTE 3: use the cidr lookup table type to specify
|
||||
# NOTE 3: use the cidr lookup table type to specify
|
||||
# network/netmask patterns. See cidr_table(5) for
|
||||
# details.
|
||||
#
|
||||
@ -167,48 +168,48 @@
|
||||
#
|
||||
# all-numerical
|
||||
# An all-numerical result is treated as OK. This for-
|
||||
# mat is generated by address-based relay authoriza-
|
||||
# mat is generated by address-based relay authoriza-
|
||||
# tion schemes such as pop-before-smtp.
|
||||
#
|
||||
# REJECT ACTIONS
|
||||
# Postfix version 2.3 and later support enhanced status
|
||||
# codes as defined in RFC 3463. When no code is specified
|
||||
# at the beginning of the text below, Postfix inserts a
|
||||
# default enhanced status code of "5.7.1" in the case of
|
||||
# reject actions, and "4.7.1" in the case of defer actions.
|
||||
# Postfix version 2.3 and later support enhanced status
|
||||
# codes as defined in RFC 3463. When no code is specified
|
||||
# at the beginning of the text below, Postfix inserts a
|
||||
# default enhanced status code of "5.7.1" in the case of
|
||||
# reject actions, and "4.7.1" in the case of defer actions.
|
||||
# See "ENHANCED STATUS CODES" below.
|
||||
#
|
||||
# 4NN text
|
||||
#
|
||||
# 5NN text
|
||||
# Reject the address etc. that matches the pattern,
|
||||
# Reject the address etc. that matches the pattern,
|
||||
# and respond with the numerical three-digit code and
|
||||
# text. 4NN means "try again later", while 5NN means
|
||||
# text. 4NN means "try again later", while 5NN means
|
||||
# "do not try again".
|
||||
#
|
||||
# The reply code "421" causes Postfix to disconnect
|
||||
# The reply code "421" causes Postfix to disconnect
|
||||
# immediately (Postfix version 2.3 and later).
|
||||
#
|
||||
# REJECT optional text...
|
||||
# Reject the address etc. that matches the pattern.
|
||||
# Reply with $reject_code optional text... when the
|
||||
# optional text is specified, otherwise reply with a
|
||||
# Reject the address etc. that matches the pattern.
|
||||
# Reply with $reject_code optional text... when the
|
||||
# optional text is specified, otherwise reply with a
|
||||
# generic error response message.
|
||||
#
|
||||
# DEFER_IF_REJECT optional text...
|
||||
# Defer the request if some later restriction would
|
||||
# result in a REJECT action. Reply with "450 4.7.1
|
||||
# optional text... when the optional text is speci-
|
||||
# Defer the request if some later restriction would
|
||||
# result in a REJECT action. Reply with "450 4.7.1
|
||||
# optional text... when the optional text is speci-
|
||||
# fied, otherwise reply with a generic error response
|
||||
# message.
|
||||
#
|
||||
# This feature is available in Postfix 2.1 and later.
|
||||
#
|
||||
# DEFER_IF_PERMIT optional text...
|
||||
# Defer the request if some later restriction would
|
||||
# result in a an explicit or implicit PERMIT action.
|
||||
# Reply with "450 4.7.1 optional text... when the
|
||||
# optional text is specified, otherwise reply with a
|
||||
# Defer the request if some later restriction would
|
||||
# result in a an explicit or implicit PERMIT action.
|
||||
# Reply with "450 4.7.1 optional text... when the
|
||||
# optional text is specified, otherwise reply with a
|
||||
# generic error response message.
|
||||
#
|
||||
# This feature is available in Postfix 2.1 and later.
|
||||
@ -219,158 +220,158 @@
|
||||
# reject_unauth_destination, and so on).
|
||||
#
|
||||
# DISCARD optional text...
|
||||
# Claim successful delivery and silently discard the
|
||||
# message. Log the optional text if specified, oth-
|
||||
# Claim successful delivery and silently discard the
|
||||
# message. Log the optional text if specified, oth-
|
||||
# erwise log a generic message.
|
||||
#
|
||||
# Note: this action currently affects all recipients
|
||||
# of the message. To discard only one recipient
|
||||
# without discarding the entire message, use the
|
||||
# Note: this action currently affects all recipients
|
||||
# of the message. To discard only one recipient
|
||||
# without discarding the entire message, use the
|
||||
# transport(5) table to direct mail to the discard(8)
|
||||
# service.
|
||||
#
|
||||
# This feature is available in Postfix 2.0 and later.
|
||||
#
|
||||
# DUNNO Pretend that the lookup key was not found. This
|
||||
# prevents Postfix from trying substrings of the
|
||||
# lookup key (such as a subdomain name, or a network
|
||||
# DUNNO Pretend that the lookup key was not found. This
|
||||
# prevents Postfix from trying substrings of the
|
||||
# lookup key (such as a subdomain name, or a network
|
||||
# address subnetwork).
|
||||
#
|
||||
# This feature is available in Postfix 2.0 and later.
|
||||
#
|
||||
# FILTER transport:destination
|
||||
# After the message is queued, send the entire mes-
|
||||
# After the message is queued, send the entire mes-
|
||||
# sage through the specified external content filter.
|
||||
# The transport:destination syntax is described in
|
||||
# the transport(5) manual page. More information
|
||||
# about external content filters is in the Postfix
|
||||
# The transport:destination syntax is described in
|
||||
# the transport(5) manual page. More information
|
||||
# about external content filters is in the Postfix
|
||||
# FILTER_README file.
|
||||
#
|
||||
# Note: this action overrides the main.cf con-
|
||||
# tent_filter setting, and currently affects all
|
||||
# recipients of the message.
|
||||
# Note: this action overrides the content_filter set-
|
||||
# ting, and currently affects all recipients of the
|
||||
# message.
|
||||
#
|
||||
# This feature is available in Postfix 2.0 and later.
|
||||
#
|
||||
# HOLD optional text...
|
||||
# Place the message on the hold queue, where it will
|
||||
# sit until someone either deletes it or releases it
|
||||
# for delivery. Log the optional text if specified,
|
||||
# Place the message on the hold queue, where it will
|
||||
# sit until someone either deletes it or releases it
|
||||
# for delivery. Log the optional text if specified,
|
||||
# otherwise log a generic message.
|
||||
#
|
||||
# Mail that is placed on hold can be examined with
|
||||
# the postcat(1) command, and can be destroyed or
|
||||
# Mail that is placed on hold can be examined with
|
||||
# the postcat(1) command, and can be destroyed or
|
||||
# released with the postsuper(1) command.
|
||||
#
|
||||
# Note: use "postsuper -r" to release mail that was
|
||||
# kept on hold for a significant fraction of $maxi-
|
||||
# Note: use "postsuper -r" to release mail that was
|
||||
# kept on hold for a significant fraction of $maxi-
|
||||
# mal_queue_lifetime or $bounce_queue_lifetime, or
|
||||
# longer. Use "postsuper -H" only for mail that will
|
||||
# longer. Use "postsuper -H" only for mail that will
|
||||
# not expire within a few delivery attempts.
|
||||
#
|
||||
# Note: this action currently affects all recipients
|
||||
# Note: this action currently affects all recipients
|
||||
# of the message.
|
||||
#
|
||||
# This feature is available in Postfix 2.0 and later.
|
||||
#
|
||||
# PREPEND headername: headervalue
|
||||
# Prepend the specified message header to the mes-
|
||||
# sage. When more than one PREPEND action executes,
|
||||
# the first prepended header appears before the sec-
|
||||
# Prepend the specified message header to the mes-
|
||||
# sage. When more than one PREPEND action executes,
|
||||
# the first prepended header appears before the sec-
|
||||
# ond etc. prepended header.
|
||||
#
|
||||
# Note: this action must execute before the message
|
||||
# content is received; it cannot execute in the con-
|
||||
# Note: this action must execute before the message
|
||||
# content is received; it cannot execute in the con-
|
||||
# text of smtpd_end_of_data_restrictions.
|
||||
#
|
||||
# This feature is available in Postfix 2.1 and later.
|
||||
#
|
||||
# REDIRECT user@domain
|
||||
# After the message is queued, send the message to
|
||||
# After the message is queued, send the message to
|
||||
# the specified address instead of the intended
|
||||
# recipient(s).
|
||||
#
|
||||
# Note: this action overrides the FILTER action, and
|
||||
# Note: this action overrides the FILTER action, and
|
||||
# currently affects all recipients of the message.
|
||||
#
|
||||
# This feature is available in Postfix 2.1 and later.
|
||||
#
|
||||
# WARN optional text...
|
||||
# Log a warning with the optional text, together with
|
||||
# client information and if available, with helo,
|
||||
# client information and if available, with helo,
|
||||
# sender, recipient and protocol information.
|
||||
#
|
||||
# This feature is available in Postfix 2.1 and later.
|
||||
#
|
||||
# ENHANCED STATUS CODES
|
||||
# Postfix version 2.3 and later support enhanced status
|
||||
# codes as defined in RFC 3463. When an enhanced status
|
||||
# code is specified in an access table, it is subject to
|
||||
# modification. The following transformations are needed
|
||||
# when the same access table is used for client, helo,
|
||||
# sender, or recipient access restrictions; they happen
|
||||
# Postfix version 2.3 and later support enhanced status
|
||||
# codes as defined in RFC 3463. When an enhanced status
|
||||
# code is specified in an access table, it is subject to
|
||||
# modification. The following transformations are needed
|
||||
# when the same access table is used for client, helo,
|
||||
# sender, or recipient access restrictions; they happen
|
||||
# regardless of whether Postfix replies to a MAIL FROM, RCPT
|
||||
# TO or other SMTP command.
|
||||
#
|
||||
# o When a sender address matches a REJECT action, the
|
||||
# Postfix SMTP server will transform a recipient DSN
|
||||
# status (e.g., 4.1.1-4.1.6) into the corresponding
|
||||
# o When a sender address matches a REJECT action, the
|
||||
# Postfix SMTP server will transform a recipient DSN
|
||||
# status (e.g., 4.1.1-4.1.6) into the corresponding
|
||||
# sender DSN status, and vice versa.
|
||||
#
|
||||
# o When non-address information matches a REJECT
|
||||
# action (such as the HELO command argument or the
|
||||
# client hostname/address), the Postfix SMTP server
|
||||
# will transform a sender or recipient DSN status
|
||||
# into a generic non-address DSN status (e.g.,
|
||||
# o When non-address information matches a REJECT
|
||||
# action (such as the HELO command argument or the
|
||||
# client hostname/address), the Postfix SMTP server
|
||||
# will transform a sender or recipient DSN status
|
||||
# into a generic non-address DSN status (e.g.,
|
||||
# 4.0.0).
|
||||
#
|
||||
# REGULAR EXPRESSION TABLES
|
||||
# This section describes how the table lookups change when
|
||||
# This section describes how the table lookups change when
|
||||
# the table is given in the form of regular expressions. For
|
||||
# a description of regular expression lookup table syntax,
|
||||
# a description of regular expression lookup table syntax,
|
||||
# see regexp_table(5) or pcre_table(5).
|
||||
#
|
||||
# Each pattern is a regular expression that is applied to
|
||||
# Each pattern is a regular expression that is applied to
|
||||
# the entire string being looked up. Depending on the appli-
|
||||
# cation, that string is an entire client hostname, an
|
||||
# cation, that string is an entire client hostname, an
|
||||
# entire client IP address, or an entire mail address. Thus,
|
||||
# no parent domain or parent network search is done,
|
||||
# user@domain mail addresses are not broken up into their
|
||||
# user@domain mail addresses are not broken up into their
|
||||
# user@ and domain constituent parts, nor is user+foo broken
|
||||
# up into user and foo.
|
||||
#
|
||||
# Patterns are applied in the order as specified in the ta-
|
||||
# ble, until a pattern is found that matches the search
|
||||
# Patterns are applied in the order as specified in the ta-
|
||||
# ble, until a pattern is found that matches the search
|
||||
# string.
|
||||
#
|
||||
# Actions are the same as with indexed file lookups, with
|
||||
# the additional feature that parenthesized substrings from
|
||||
# Actions are the same as with indexed file lookups, with
|
||||
# the additional feature that parenthesized substrings from
|
||||
# the pattern can be interpolated as $1, $2 and so on.
|
||||
#
|
||||
# TCP-BASED TABLES
|
||||
# This section describes how the table lookups change when
|
||||
# This section describes how the table lookups change when
|
||||
# lookups are directed to a TCP-based server. For a descrip-
|
||||
# tion of the TCP client/server lookup protocol, see tcp_ta-
|
||||
# ble(5). This feature is not available up to and including
|
||||
# Postfix version 2.4.
|
||||
#
|
||||
# Each lookup operation uses the entire query string once.
|
||||
# Depending on the application, that string is an entire
|
||||
# Each lookup operation uses the entire query string once.
|
||||
# Depending on the application, that string is an entire
|
||||
# client hostname, an entire client IP address, or an entire
|
||||
# mail address. Thus, no parent domain or parent network
|
||||
# search is done, user@domain mail addresses are not broken
|
||||
# up into their user@ and domain constituent parts, nor is
|
||||
# mail address. Thus, no parent domain or parent network
|
||||
# search is done, user@domain mail addresses are not broken
|
||||
# up into their user@ and domain constituent parts, nor is
|
||||
# user+foo broken up into user and foo.
|
||||
#
|
||||
# Actions are the same as with indexed file lookups.
|
||||
#
|
||||
# EXAMPLE
|
||||
# The following example uses an indexed file, so that the
|
||||
# order of table entries does not matter. The example per-
|
||||
# mits access by the client at address 1.2.3.4 but rejects
|
||||
# all other clients in 1.2.3.0/24. Instead of hash lookup
|
||||
# tables, some systems use dbm. Use the command "postconf
|
||||
# -m" to find out what lookup tables Postfix supports on
|
||||
# The following example uses an indexed file, so that the
|
||||
# order of table entries does not matter. The example per-
|
||||
# mits access by the client at address 1.2.3.4 but rejects
|
||||
# all other clients in 1.2.3.0/24. Instead of hash lookup
|
||||
# tables, some systems use dbm. Use the command "postconf
|
||||
# -m" to find out what lookup tables Postfix supports on
|
||||
# your system.
|
||||
#
|
||||
# /etc/postfix/main.cf:
|
||||
@ -385,7 +386,7 @@
|
||||
# editing the file.
|
||||
#
|
||||
# BUGS
|
||||
# The table format does not understand quoting conventions.
|
||||
# The table format does not understand quoting conventions.
|
||||
#
|
||||
# SEE ALSO
|
||||
# postmap(1), Postfix lookup table manager
|
||||
@ -394,13 +395,13 @@
|
||||
# transport(5), transport:nexthop syntax
|
||||
#
|
||||
# README FILES
|
||||
# Use "postconf readme_directory" or "postconf html_direc-
|
||||
# Use "postconf readme_directory" or "postconf html_direc-
|
||||
# tory" to locate this information.
|
||||
# SMTPD_ACCESS_README, built-in SMTP server access control
|
||||
# DATABASE_README, Postfix lookup table overview
|
||||
#
|
||||
# LICENSE
|
||||
# The Secure Mailer license must be distributed with this
|
||||
# The Secure Mailer license must be distributed with this
|
||||
# software.
|
||||
#
|
||||
# AUTHOR(S)
|
||||
|
@ -1,7 +1,7 @@
|
||||
# HEADER_CHECKS(5) HEADER_CHECKS(5)
|
||||
#
|
||||
# NAME
|
||||
# header_checks - Postfix built-in header/body inspection
|
||||
# header_checks - Postfix built-in content inspection
|
||||
#
|
||||
# SYNOPSIS
|
||||
# header_checks = pcre:/etc/postfix/header_checks
|
||||
@ -13,48 +13,49 @@
|
||||
# postmap -fq - pcre:/etc/postfix/filename <inputfile
|
||||
#
|
||||
# DESCRIPTION
|
||||
# The Postfix cleanup(8) server supports access control on
|
||||
# the content of message headers and message body lines.
|
||||
# See access(5) for access control on remote SMTP client
|
||||
# This document describes access control on the content of
|
||||
# message headers and message body lines; it is implemented
|
||||
# by the Postfix cleanup(8) server before mail is queued.
|
||||
# See access(5) for access control on remote SMTP client
|
||||
# information.
|
||||
#
|
||||
# Each message header or message body line is compared
|
||||
# against a list of patterns. When a match is found the
|
||||
# Each message header or message body line is compared
|
||||
# against a list of patterns. When a match is found the
|
||||
# corresponding action is executed, and the matching process
|
||||
# is repeated for the next message header or message body
|
||||
# is repeated for the next message header or message body
|
||||
# line.
|
||||
#
|
||||
# For examples, see the EXAMPLES section at the end of this
|
||||
# For examples, see the EXAMPLES section at the end of this
|
||||
# manual page.
|
||||
#
|
||||
# Postfix header or body_checks are designed to stop a flood
|
||||
# of mail from worms or viruses; they do not decode attach-
|
||||
# ments, and they do not unzip archives. See the documents
|
||||
# referenced below in the README FILES section if you need
|
||||
# of mail from worms or viruses; they do not decode attach-
|
||||
# ments, and they do not unzip archives. See the documents
|
||||
# referenced below in the README FILES section if you need
|
||||
# more sophisticated content analysis.
|
||||
#
|
||||
# Postfix supports four built-in content inspection classes:
|
||||
#
|
||||
# header_checks
|
||||
# These are applied to initial message headers
|
||||
# (except for the headers that are processed with
|
||||
# These are applied to initial message headers
|
||||
# (except for the headers that are processed with
|
||||
# mime_header_checks).
|
||||
#
|
||||
# mime_header_checks (default: $header_checks)
|
||||
# These are applied to MIME related message headers
|
||||
# These are applied to MIME related message headers
|
||||
# only.
|
||||
#
|
||||
# This feature is available in Postfix 2.0 and later.
|
||||
#
|
||||
# nested_header_checks (default: $header_checks)
|
||||
# These are applied to message headers of attached
|
||||
# email messages (except for the headers that are
|
||||
# These are applied to message headers of attached
|
||||
# email messages (except for the headers that are
|
||||
# processed with mime_header_checks).
|
||||
#
|
||||
# This feature is available in Postfix 2.0 and later.
|
||||
#
|
||||
# body_checks
|
||||
# These are applied to all other content, including
|
||||
# These are applied to all other content, including
|
||||
# multi-part message boundaries.
|
||||
#
|
||||
# With Postfix versions before 2.0, all content after
|
||||
@ -62,73 +63,73 @@
|
||||
# tent.
|
||||
#
|
||||
# Note: message headers are examined one logical header at a
|
||||
# time, even when a message header spans multiple lines.
|
||||
# time, even when a message header spans multiple lines.
|
||||
# Body lines are always examined one line at a time.
|
||||
#
|
||||
# TABLE FORMAT
|
||||
# This document assumes that header and body_checks rules
|
||||
# are specified in the form of Postfix regular expression
|
||||
# lookup tables. Usually the best performance is obtained
|
||||
# This document assumes that header and body_checks rules
|
||||
# are specified in the form of Postfix regular expression
|
||||
# lookup tables. Usually the best performance is obtained
|
||||
# with pcre (Perl Compatible Regular Expression) tables, but
|
||||
# the slower regexp (POSIX regular expressions) support is
|
||||
# more widely available. Use the command "postconf -m" to
|
||||
# find out what lookup table types your Postfix system sup-
|
||||
# the slower regexp (POSIX regular expressions) support is
|
||||
# more widely available. Use the command "postconf -m" to
|
||||
# find out what lookup table types your Postfix system sup-
|
||||
# ports.
|
||||
#
|
||||
# The general format of Postfix regular expression tables is
|
||||
# given below. For a discussion of specific pattern or
|
||||
# flags syntax, see pcre_table(5) or regexp_table(5),
|
||||
# given below. For a discussion of specific pattern or
|
||||
# flags syntax, see pcre_table(5) or regexp_table(5),
|
||||
# respectively.
|
||||
#
|
||||
# /pattern/flags action
|
||||
# When pattern matches the input string, execute the
|
||||
# corresponding action. See below for a list of pos-
|
||||
# When pattern matches the input string, execute the
|
||||
# corresponding action. See below for a list of pos-
|
||||
# sible actions.
|
||||
#
|
||||
# !/pattern/flags action
|
||||
# When pattern does not match the input string, exe-
|
||||
# When pattern does not match the input string, exe-
|
||||
# cute the corresponding action.
|
||||
#
|
||||
# if /pattern/flags
|
||||
#
|
||||
# endif Match the input string against the patterns between
|
||||
# if and endif, if and only if the input string also
|
||||
# matches pattern. The if..endif can nest.
|
||||
# if and endif, if and only if the same input string
|
||||
# also matches pattern. The if..endif can nest.
|
||||
#
|
||||
# Note: do not prepend whitespace to patterns inside
|
||||
# Note: do not prepend whitespace to patterns inside
|
||||
# if..endif.
|
||||
#
|
||||
# if !/pattern/flags
|
||||
#
|
||||
# endif Match the input string against the patterns between
|
||||
# if and endif, if and only if the input string does
|
||||
# not match pattern. The if..endif can nest.
|
||||
# if and endif, if and only if the same input string
|
||||
# does not match pattern. The if..endif can nest.
|
||||
#
|
||||
# blank lines and comments
|
||||
# Empty lines and whitespace-only lines are ignored,
|
||||
# as are lines whose first non-whitespace character
|
||||
# Empty lines and whitespace-only lines are ignored,
|
||||
# as are lines whose first non-whitespace character
|
||||
# is a `#'.
|
||||
#
|
||||
# multi-line text
|
||||
# A pattern/action line starts with non-whitespace
|
||||
# text. A line that starts with whitespace continues
|
||||
# A pattern/action line starts with non-whitespace
|
||||
# text. A line that starts with whitespace continues
|
||||
# a logical line.
|
||||
#
|
||||
# TABLE SEARCH ORDER
|
||||
# For each line of message input, the patterns are applied
|
||||
# in the order as specified in the table. When a pattern is
|
||||
# found that matches the input line, the corresponding
|
||||
# action is executed and then the next input line is
|
||||
# For each line of message input, the patterns are applied
|
||||
# in the order as specified in the table. When a pattern is
|
||||
# found that matches the input line, the corresponding
|
||||
# action is executed and then the next input line is
|
||||
# inspected.
|
||||
#
|
||||
# TEXT SUBSTITUTION
|
||||
# Substitution of substrings from the matched expression
|
||||
# into the action string is possible using the conventional
|
||||
# Perl syntax ($1, $2, etc.). The macros in the result
|
||||
# string may need to be written as ${n} or $(n) if they
|
||||
# Substitution of substrings from the matched expression
|
||||
# into the action string is possible using the conventional
|
||||
# Perl syntax ($1, $2, etc.). The macros in the result
|
||||
# string may need to be written as ${n} or $(n) if they
|
||||
# aren't followed by whitespace.
|
||||
#
|
||||
# Note: since negated patterns (those preceded by !) return
|
||||
# Note: since negated patterns (those preceded by !) return
|
||||
# a result when the expression does not match, substitutions
|
||||
# are not available for negated patterns.
|
||||
#
|
||||
@ -137,12 +138,12 @@
|
||||
# case for consistency with other Postfix documentation.
|
||||
#
|
||||
# DISCARD optional text...
|
||||
# Claim successful delivery and silently discard the
|
||||
# message. Log the optional text if specified, oth-
|
||||
# Claim successful delivery and silently discard the
|
||||
# message. Log the optional text if specified, oth-
|
||||
# erwise log a generic message.
|
||||
#
|
||||
# Note: this action disables further header or
|
||||
# body_checks inspection of the current message and
|
||||
# Note: this action disables further header or
|
||||
# body_checks inspection of the current message and
|
||||
# affects all recipients. To discard only one recip-
|
||||
# ient without discarding the entire message, use the
|
||||
# transport(5) table to direct mail to the discard(8)
|
||||
@ -150,74 +151,74 @@
|
||||
#
|
||||
# This feature is available in Postfix 2.0 and later.
|
||||
#
|
||||
# DUNNO Pretend that the input line did not match any pat-
|
||||
# tern, and inspect the next input line. This action
|
||||
# DUNNO Pretend that the input line did not match any pat-
|
||||
# tern, and inspect the next input line. This action
|
||||
# can be used to shorten the table search.
|
||||
#
|
||||
# For backwards compatibility reasons, Postfix also
|
||||
# accepts OK but it is (and always has been) treated
|
||||
# For backwards compatibility reasons, Postfix also
|
||||
# accepts OK but it is (and always has been) treated
|
||||
# as DUNNO.
|
||||
#
|
||||
# This feature is available in Postfix 2.1 and later.
|
||||
#
|
||||
# FILTER transport:destination
|
||||
# Write a content filter request to the queue file
|
||||
# and inspect the next input line. After the com-
|
||||
# plete message is received it will be sent through
|
||||
# Write a content filter request to the queue file,
|
||||
# and inspect the next input line. After the com-
|
||||
# plete message is received it will be sent through
|
||||
# the specified external content filter. More infor-
|
||||
# mation about external content filters is in the
|
||||
# mation about external content filters is in the
|
||||
# Postfix FILTER_README file.
|
||||
#
|
||||
# Note: this action overrides the main.cf con-
|
||||
# tent_filter setting, and affects all recipients of
|
||||
# the message. In the case that multiple FILTER
|
||||
# actions fire, only the last one is executed.
|
||||
# Note: this action overrides the content_filter set-
|
||||
# ting, and affects all recipients of the message. In
|
||||
# the case that multiple FILTER actions fire, only
|
||||
# the last one is executed.
|
||||
#
|
||||
# This feature is available in Postfix 2.0 and later.
|
||||
#
|
||||
# HOLD optional text...
|
||||
# Arrange for the message to be placed on the hold
|
||||
# queue, and inspect the next input line. The mes-
|
||||
# sage remains on hold until someone either deletes
|
||||
# it or releases it for delivery. Log the optional
|
||||
# Arrange for the message to be placed on the hold
|
||||
# queue, and inspect the next input line. The mes-
|
||||
# sage remains on hold until someone either deletes
|
||||
# it or releases it for delivery. Log the optional
|
||||
# text if specified, otherwise log a generic message.
|
||||
#
|
||||
# Mail that is placed on hold can be examined with
|
||||
# the postcat(1) command, and can be destroyed or
|
||||
# Mail that is placed on hold can be examined with
|
||||
# the postcat(1) command, and can be destroyed or
|
||||
# released with the postsuper(1) command.
|
||||
#
|
||||
# Note: use "postsuper -r" to release mail that was
|
||||
# kept on hold for a significant fraction of $maxi-
|
||||
# Note: use "postsuper -r" to release mail that was
|
||||
# kept on hold for a significant fraction of $maxi-
|
||||
# mal_queue_lifetime or $bounce_queue_lifetime, or
|
||||
# longer. Use "postsuper -H" only for mail that will
|
||||
# longer. Use "postsuper -H" only for mail that will
|
||||
# not expire within a few delivery attempts.
|
||||
#
|
||||
# Note: this action affects all recipients of the
|
||||
# Note: this action affects all recipients of the
|
||||
# message.
|
||||
#
|
||||
# This feature is available in Postfix 2.0 and later.
|
||||
#
|
||||
# IGNORE Delete the current line from the input and inspect
|
||||
# IGNORE Delete the current line from the input, and inspect
|
||||
# the next input line.
|
||||
#
|
||||
# PREPEND text...
|
||||
# Prepend one line with the specified text and
|
||||
# Prepend one line with the specified text, and
|
||||
# inspect the next input line.
|
||||
#
|
||||
# Notes:
|
||||
#
|
||||
# o The prepended text is output on a separate
|
||||
# o The prepended text is output on a separate
|
||||
# line, immediately before the input that
|
||||
# triggered the PREPEND action.
|
||||
#
|
||||
# o The prepended text is not considered part of
|
||||
# the input stream: it is not subject to
|
||||
# the input stream: it is not subject to
|
||||
# header/body checks or address rewriting, and
|
||||
# it does not affect the way that Postfix adds
|
||||
# missing message headers.
|
||||
#
|
||||
# o When prepending text before a message header
|
||||
# line, the prepended text must begin with a
|
||||
# line, the prepended text must begin with a
|
||||
# valid message header label.
|
||||
#
|
||||
# o This action cannot be used to prepend multi-
|
||||
@ -226,46 +227,46 @@
|
||||
# This feature is available in Postfix 2.1 and later.
|
||||
#
|
||||
# REDIRECT user@domain
|
||||
# Write a message redirection request to the queue
|
||||
# file and inspect the next input line. After the
|
||||
# Write a message redirection request to the queue
|
||||
# file, and inspect the next input line. After the
|
||||
# message is queued, it will be sent to the specified
|
||||
# address instead of the intended recipient(s).
|
||||
#
|
||||
# Note: this action overrides the FILTER action, and
|
||||
# affects all recipients of the message. If multiple
|
||||
# REDIRECT actions fire, only the last one is exe-
|
||||
# Note: this action overrides the FILTER action, and
|
||||
# affects all recipients of the message. If multiple
|
||||
# REDIRECT actions fire, only the last one is exe-
|
||||
# cuted.
|
||||
#
|
||||
# This feature is available in Postfix 2.1 and later.
|
||||
#
|
||||
# REPLACE text...
|
||||
# Replace the current line with the specified text
|
||||
# Replace the current line with the specified text,
|
||||
# and inspect the next input line.
|
||||
#
|
||||
# This feature is available in Postfix 2.2 and later.
|
||||
# The description below applies to Postfix 2.2.2 and
|
||||
# The description below applies to Postfix 2.2.2 and
|
||||
# later.
|
||||
#
|
||||
# Notes:
|
||||
#
|
||||
# o When replacing a message header line, the
|
||||
# replacement text must begin with a valid
|
||||
# o When replacing a message header line, the
|
||||
# replacement text must begin with a valid
|
||||
# header label.
|
||||
#
|
||||
# o The replaced text remains part of the input
|
||||
# stream. Unlike the result from the PREPEND
|
||||
# action, a replaced message header may be
|
||||
# subject to address rewriting and may affect
|
||||
# the way that Postfix adds missing message
|
||||
# o The replaced text remains part of the input
|
||||
# stream. Unlike the result from the PREPEND
|
||||
# action, a replaced message header may be
|
||||
# subject to address rewriting and may affect
|
||||
# the way that Postfix adds missing message
|
||||
# headers.
|
||||
#
|
||||
# REJECT optional text...
|
||||
# Reject the entire message. Reply with optional
|
||||
# Reject the entire message. Reply with optional
|
||||
# text... when the optional text is specified, other-
|
||||
# wise reply with a generic error message.
|
||||
#
|
||||
# Note: this action disables further header or
|
||||
# body_checks inspection of the current message and
|
||||
# Note: this action disables further header or
|
||||
# body_checks inspection of the current message and
|
||||
# affects all recipients.
|
||||
#
|
||||
# Postfix version 2.3 and later support enhanced sta-
|
||||
@ -274,26 +275,32 @@
|
||||
# enhanced status code of "5.7.1".
|
||||
#
|
||||
# WARN optional text...
|
||||
# Log a warning with the optional text... (or log a
|
||||
# generic message) and inspect the next input line.
|
||||
# Log a warning with the optional text... (or log a
|
||||
# generic message), and inspect the next input line.
|
||||
# This action is useful for debugging and for testing
|
||||
# a pattern before applying more drastic actions.
|
||||
#
|
||||
# BUGS
|
||||
# Many people overlook the main limitations of header and
|
||||
# body_checks rules. These rules operate on one logical
|
||||
# message header or one body line at a time, and a decision
|
||||
# made for one line is not carried over to the next line.
|
||||
# If text in the message body is encoded (RFC 2045) then the
|
||||
# rules have to specified for the encoded form. Likewise,
|
||||
# when message headers are encoded (RFC 2047) then the rules
|
||||
# need to be specified for the encoded form.
|
||||
# Many people overlook the main limitations of header and
|
||||
# body_checks rules.
|
||||
#
|
||||
# Message headers added by the cleanup(8) daemon itself are
|
||||
# o These rules operate on one logical message header
|
||||
# or one body line at a time. A decision made for one
|
||||
# line is not carried over to the next line.
|
||||
#
|
||||
# o If text in the message body is encoded (RFC 2045)
|
||||
# then the rules have to specified for the encoded
|
||||
# form.
|
||||
#
|
||||
# o Likewise, when message headers are encoded (RFC
|
||||
# 2047) then the rules need to be specified for the
|
||||
# encoded form.
|
||||
#
|
||||
# Message headers added by the cleanup(8) daemon itself are
|
||||
# excluded from inspection. Examples of such message headers
|
||||
# are From:, To:, Message-ID:, Date:.
|
||||
#
|
||||
# Message headers deleted by the cleanup(8) daemon will be
|
||||
# Message headers deleted by the cleanup(8) daemon will be
|
||||
# examined before they are deleted. Examples are: Bcc:, Con-
|
||||
# tent-Length:, Return-Path:.
|
||||
#
|
||||
@ -301,11 +308,11 @@
|
||||
# body_checks
|
||||
# Lookup tables with content filter rules for message
|
||||
# body lines. These filters see one physical line at
|
||||
# a time, in chunks of at most $line_length_limit
|
||||
# a time, in chunks of at most $line_length_limit
|
||||
# bytes.
|
||||
#
|
||||
# body_checks_size_limit
|
||||
# The amount of content per message body segment
|
||||
# The amount of content per message body segment
|
||||
# (attachment) that is subjected to $body_checks fil-
|
||||
# tering.
|
||||
#
|
||||
@ -315,32 +322,32 @@
|
||||
#
|
||||
# nested_header_checks (default: $header_checks)
|
||||
# Lookup tables with content filter rules for message
|
||||
# header lines: respectively, these are applied to
|
||||
# the initial message headers (not including MIME
|
||||
# headers), to the MIME headers anywhere in the mes-
|
||||
# sage, and to the initial headers of attached mes-
|
||||
# header lines: respectively, these are applied to
|
||||
# the initial message headers (not including MIME
|
||||
# headers), to the MIME headers anywhere in the mes-
|
||||
# sage, and to the initial headers of attached mes-
|
||||
# sages.
|
||||
#
|
||||
# Note: these filters see one logical message header
|
||||
# at a time, even when a message header spans multi-
|
||||
# ple lines. Message headers that are longer than
|
||||
# Note: these filters see one logical message header
|
||||
# at a time, even when a message header spans multi-
|
||||
# ple lines. Message headers that are longer than
|
||||
# $header_size_limit characters are truncated.
|
||||
#
|
||||
# disable_mime_input_processing
|
||||
# While receiving mail, give no special treatment to
|
||||
# MIME related message headers; all text after the
|
||||
# While receiving mail, give no special treatment to
|
||||
# MIME related message headers; all text after the
|
||||
# initial message headers is considered to be part of
|
||||
# the message body. This means that header_checks is
|
||||
# applied to all the initial message headers, and
|
||||
# the message body. This means that header_checks is
|
||||
# applied to all the initial message headers, and
|
||||
# that body_checks is applied to the remainder of the
|
||||
# message.
|
||||
#
|
||||
# Note: when used in this manner, body_checks will
|
||||
# process a multi-line message header one line at a
|
||||
# Note: when used in this manner, body_checks will
|
||||
# process a multi-line message header one line at a
|
||||
# time.
|
||||
#
|
||||
# EXAMPLES
|
||||
# Header pattern to block attachments with bad file name
|
||||
# Header pattern to block attachments with bad file name
|
||||
# extensions.
|
||||
#
|
||||
# /etc/postfix/main.cf:
|
||||
@ -372,7 +379,7 @@
|
||||
# RFC 2047, message header encoding for non-ASCII text
|
||||
#
|
||||
# README FILES
|
||||
# Use "postconf readme_directory" or "postconf html_direc-
|
||||
# Use "postconf readme_directory" or "postconf html_direc-
|
||||
# tory" to locate this information.
|
||||
# DATABASE_README, Postfix lookup table overview
|
||||
# CONTENT_INSPECTION_README, Postfix content inspection overview
|
||||
@ -380,7 +387,7 @@
|
||||
# BACKSCATTER_README, blocking returned forged mail
|
||||
#
|
||||
# LICENSE
|
||||
# The Secure Mailer license must be distributed with this
|
||||
# The Secure Mailer license must be distributed with this
|
||||
# software.
|
||||
#
|
||||
# AUTHOR(S)
|
||||
|
@ -280,7 +280,7 @@ $html_directory/BUILTIN_FILTER_README.html:f:root:-:644
|
||||
$html_directory/CDB_README.html:f:root:-:644
|
||||
$html_directory/CONNECTION_CACHE_README.html:f:root:-:644
|
||||
$html_directory/CONTENT_INSPECTION_README.html:f:root:-:644
|
||||
$html_directory/CYRUS_README.html:f:root:-:644
|
||||
$html_directory/CYRUS_README.html:f:root:-:644:o
|
||||
$html_directory/DATABASE_README.html:f:root:-:644
|
||||
$html_directory/DB_README.html:f:root:-:644
|
||||
$html_directory/DEBUG_README.html:f:root:-:644
|
||||
@ -312,7 +312,7 @@ $html_directory/STANDARD_CONFIGURATION_README.html:f:root:-:644
|
||||
$html_directory/TLS_LEGACY_README.html:f:root:-:644
|
||||
$html_directory/TLS_README.html:f:root:-:644
|
||||
$html_directory/TUNING_README.html:f:root:-:644
|
||||
$html_directory/ULTRIX_README.html:f:root:-:644
|
||||
$html_directory/ULTRIX_README.html:f:root:-:644:o
|
||||
$html_directory/UUCP_README.html:f:root:-:644
|
||||
$html_directory/VERP_README.html:f:root:-:644
|
||||
$html_directory/VIRTUAL_README.html:f:root:-:644
|
||||
|
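--- a/postfix/examples/smtpd-policy/README.SPF
+++ b/postfix/examples/smtpd-policy/README.SPF
@@ -0,0 +1,6 @@
+See http://www.openspf.org/Software for the current version of the
+SPF policy daemon for Postfix.
+
+SPF support is also available via MILTER plugins, such as sid-milter
+at http://sourceforge.net/projects/sid-milter/ which implements both
+SenderID and SPF.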
@ -1,238 +0,0 @@
|
||||
#!/usr/bin/perl
|
||||
|
||||
# postfix-policyd-spf
|
||||
# http://www.openspf.org
|
||||
# version 1.07
|
||||
# $Id$
|
||||
|
||||
use Fcntl;
|
||||
use Sys::Syslog qw(:DEFAULT setlogsock);
|
||||
use strict;
|
||||
|
||||
# ----------------------------------------------------------
|
||||
# configuration
|
||||
# ----------------------------------------------------------
|
||||
|
||||
# to use SPF, install Mail::SPF::Query from CPAN or from the SPF website at http://www.openspf.org/downloads.html
|
||||
|
||||
my @HANDLERS;
|
||||
push @HANDLERS, "testing";
|
||||
push @HANDLERS, "sender_permitted_from"; use Mail::SPF::Query;
|
||||
|
||||
my $VERBOSE = 0;
|
||||
|
||||
my $DEFAULT_RESPONSE = "DUNNO";
|
||||
|
||||
#
|
||||
# Syslogging options for verbose mode and for fatal errors.
|
||||
# NOTE: comment out the $syslog_socktype line if syslogging does not
|
||||
# work on your system.
|
||||
#
|
||||
|
||||
my $syslog_socktype = 'unix'; # inet, unix, stream, console
|
||||
my $syslog_facility = "mail";
|
||||
my $syslog_options = "pid";
|
||||
my $syslog_priority = "info";
|
||||
my $syslog_ident = "postfix/policy-spf";
|
||||
|
||||
# ----------------------------------------------------------
|
||||
# minimal documentation
|
||||
# ----------------------------------------------------------
|
||||
|
||||
#
|
||||
# Usage: smtpd-policy.pl [-v]
|
||||
#
|
||||
# Demo delegated Postfix SMTPD policy server.
|
||||
# This server implements SPF.
|
||||
# Another server implements greylisting.
|
||||
# Postfix has a pluggable policy server architecture.
|
||||
# You can call one or both from Postfix.
|
||||
#
|
||||
# The SPF handler uses Mail::SPF::Query to do the heavy lifting.
|
||||
#
|
||||
# This documentation assumes you have read Postfix's README_FILES/SMTPD_POLICY_README
|
||||
#
|
||||
# Logging is sent to syslogd.
|
||||
#
|
||||
# How it works: each time a Postfix SMTP server process is started
|
||||
# it connects to the policy service socket, and Postfix runs one
|
||||
# instance of this PERL script. By default, a Postfix SMTP server
|
||||
# process terminates after 100 seconds of idle time, or after serving
|
||||
# 100 clients. Thus, the cost of starting this PERL script is smoothed
|
||||
# out over time.
|
||||
#
|
||||
# To run this from /etc/postfix/master.cf:
|
||||
#
|
||||
# policy unix - n n - - spawn
|
||||
# user=nobody argv=/usr/bin/perl /usr/libexec/postfix/smtpd-policy.pl
|
||||
#
|
||||
# To use this from Postfix SMTPD, use in /etc/postfix/main.cf:
|
||||
#
|
||||
# smtpd_recipient_restrictions =
|
||||
# ...
|
||||
# reject_unauth_destination
|
||||
# check_policy_service unix:private/policy
|
||||
# ...
|
||||
#
|
||||
# NOTE: specify check_policy_service AFTER reject_unauth_destination
|
||||
# or else your system can become an open relay.
|
||||
#
|
||||
# To test this script by hand, execute:
|
||||
#
|
||||
# % perl smtpd-policy.pl
|
||||
#
|
||||
# Each query is a bunch of attributes. Order does not matter, and
|
||||
# the demo script uses only a few of all the attributes shown below:
|
||||
#
|
||||
# request=smtpd_access_policy
|
||||
# protocol_state=RCPT
|
||||
# protocol_name=SMTP
|
||||
# helo_name=some.domain.tld
|
||||
# queue_id=8045F2AB23
|
||||
# sender=foo@bar.tld
|
||||
# recipient=bar@foo.tld
|
||||
# client_address=1.2.3.4
|
||||
# client_name=another.domain.tld
|
||||
# [empty line]
|
||||
#
|
||||
# The policy server script will answer in the same style, with an
|
||||
# attribute list followed by a empty line:
|
||||
#
|
||||
# action=dunno
|
||||
# [empty line]
|
||||
#
|
||||
|
||||
# Jul 23 18:43:29 dumbo/dumbo policyd[21171]: Attribute: client_address=208.210.125.227
|
||||
# Jul 23 18:43:29 dumbo/dumbo policyd[21171]: Attribute: client_name=newbabe.mengwong.com
|
||||
# Jul 23 18:43:29 dumbo/dumbo policyd[21171]: Attribute: helo_name=newbabe.mengwong.com
|
||||
# Jul 23 18:43:29 dumbo/dumbo policyd[21171]: Attribute: protocol_name=ESMTP
|
||||
# Jul 23 18:43:29 dumbo/dumbo policyd[21171]: Attribute: protocol_state=RCPT
|
||||
# Jul 23 18:43:29 dumbo/dumbo policyd[21171]: Attribute: queue_id=
|
||||
# Jul 23 18:43:29 dumbo/dumbo policyd[21171]: Attribute: recipient=mengwong@dumbo.pobox.com
|
||||
# Jul 23 18:43:29 dumbo/dumbo policyd[21171]: Attribute: request=smtpd_access_policy
|
||||
# Jul 23 18:43:29 dumbo/dumbo policyd[21171]: Attribute: sender=mengwong@newbabe.mengwong.com
|
||||
|
||||
# ----------------------------------------------------------
|
||||
# initialization
|
||||
# ----------------------------------------------------------
|
||||
|
||||
#
|
||||
# Log an error and abort.
|
||||
#
|
||||
sub fatal_exit {
|
||||
syslog(err => "fatal_exit: @_");
|
||||
syslog(warning => "fatal_exit: @_");
|
||||
syslog(info => "fatal_exit: @_");
|
||||
die "fatal: @_";
|
||||
}
|
||||
|
||||
#
|
||||
# Unbuffer standard output.
|
||||
#
|
||||
select((select(STDOUT), $| = 1)[0]);
|
||||
|
||||
#
|
||||
# This process runs as a daemon, so it can't log to a terminal. Use
|
||||
# syslog so that people can actually see our messages.
|
||||
#
|
||||
setlogsock $syslog_socktype;
|
||||
openlog $syslog_ident, $syslog_options, $syslog_facility;
|
||||
|
||||
# ----------------------------------------------------------
|
||||
# main
|
||||
# ----------------------------------------------------------
|
||||
|
||||
#
|
||||
# Receive a bunch of attributes, evaluate the policy, send the result.
|
||||
#
|
||||
my %attr;
|
||||
while (<STDIN>) {
|
||||
chomp;
|
||||
if (/=/) { my ($k, $v) = split (/=/, $_, 2); $attr{$k} = $v; next }
|
||||
elsif (length) { syslog(warning => sprintf("warning: ignoring garbage: %.100s", $_)); next; }
|
||||
|
||||
if ($VERBOSE) {
|
||||
for (sort keys %attr) {
|
||||
syslog(debug => "Attribute: %s=%s", $_, $attr{$_});
|
||||
}
|
||||
}
|
||||
|
||||
fatal_exit ("unrecognized request type: '$attr{request}'") unless $attr{request} eq "smtpd_access_policy";
|
||||
|
||||
my $action = $DEFAULT_RESPONSE;
|
||||
my %responses;
|
||||
foreach my $handler (@HANDLERS) {
|
||||
no strict 'refs';
|
||||
my $response = $handler->(attr=>\%attr);
|
||||
syslog(debug => "handler %s: %s", $handler, $response);
|
||||
if ($response and $response !~ /^dunno/i) {
|
||||
syslog(info => "handler %s: %s is decisive.", $handler, $response);
|
||||
$action = $response; last;
|
||||
}
|
||||
}
|
||||
|
||||
syslog(info => "decided action=%s", $action);
|
||||
|
||||
print STDOUT "action=$action\n\n";
|
||||
%attr = ();
|
||||
}
|
||||
|
||||
# ----------------------------------------------------------
|
||||
# plugin: SPF
|
||||
# ----------------------------------------------------------
|
||||
sub sender_permitted_from {
|
||||
local %_ = @_;
|
||||
my %attr = %{ $_{attr} };
|
||||
|
||||
my $query = eval { new Mail::SPF::Query (ip =>$attr{client_address},
|
||||
sender=>$attr{sender},
|
||||
helo =>$attr{helo_name}) };
|
||||
if ($@) {
|
||||
syslog(info => "%s: Mail::SPF::Query->new(%s, %s, %s) failed: %s",
|
||||
$attr{queue_id}, $attr{client_address}, $attr{sender}, $attr{helo_name}, $@);
|
||||
return "DUNNO";
|
||||
}
|
||||
my ($result, $smtp_comment, $header_comment) = $query->result();
|
||||
|
||||
syslog(info => "%s: SPF %s: smtp_comment=%s, header_comment=%s",
|
||||
$attr{queue_id}, $result, $smtp_comment, $header_comment);
|
||||
|
||||
if ($result eq "fail") { return "REJECT $smtp_comment"; }
|
||||
elsif ($result eq "error") { return "DEFER_IF_PERMIT $smtp_comment"; }
|
||||
else { return "PREPEND Received-SPF: $result ($header_comment)"; }
|
||||
}
|
||||
|
||||
# ----------------------------------------------------------
|
||||
# plugin: testing
|
||||
# ----------------------------------------------------------
|
||||
sub testing {
|
||||
local %_ = @_;
|
||||
my %attr = %{ $_{attr} };
|
||||
|
||||
if (lc address_stripped($attr{sender}) eq
|
||||
lc address_stripped($attr{recipient})
|
||||
and
|
||||
$attr{recipient} =~ /policyblock/) {
|
||||
|
||||
syslog(info => "%s: testing: will block as requested", $attr{queue_id});
|
||||
return "REJECT smtpd-policy blocking $attr{recipient}";
|
||||
}
|
||||
else {
|
||||
syslog(info => "%s: testing: stripped sender=%s, stripped rcpt=%s",
|
||||
$attr{queue_id},
|
||||
address_stripped($attr{sender}),
|
||||
address_stripped($attr{recipient}),
|
||||
);
|
||||
|
||||
}
|
||||
return "DUNNO";
|
||||
}
|
||||
|
||||
sub address_stripped {
|
||||
# my $foo = localpart_lhs('foo+bar@baz.com'); # returns 'foo@baz.com'
|
||||
my $string = shift;
|
||||
for ($string) {
|
||||
s/[+-].*\@/\@/;
|
||||
}
|
||||
return $string;
|
||||
}
|
@ -53,8 +53,9 @@ address classes are very important for the operation of Postfix. </p>
|
||||
<li> <p> The list of domains that are a member of the class: for
|
||||
example, all <a href="ADDRESS_CLASS_README.html#local_domain_class">local domains</a>, or all <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domains</a>. </p>
|
||||
|
||||
<li> <p> The default delivery method. For example, the local or
|
||||
smtp delivery agent. This helps to keep Postfix configurations
|
||||
<li> <p> The default delivery transport. For example, the local or
|
||||
relay delivery transport (delivery transports are defined in
|
||||
<a href="master.5.html">master.cf</a>). This helps to keep Postfix configurations
|
||||
simple. </p>
|
||||
|
||||
<li> <p> The list of valid recipient addresses for that address
|
||||
@ -95,7 +96,7 @@ empty, then the Postfix SMTP server accepts any address in the
|
||||
<a href="ADDRESS_CLASS_README.html#local_domain_class">local domain</a> class. </p>
|
||||
|
||||
<li> <p> The mail delivery transport is specified with the
|
||||
<a href="postconf.5.html#local_transport">local_transport</a> parameter. The default value is <b>local:$<a href="postconf.5.html#myhostname">myhostname</a></b>
|
||||
<a href="postconf.5.html#local_transport">local_transport</a> parameter. The default value is <b><a href="local.8.html">local</a>:$<a href="postconf.5.html#myhostname">myhostname</a></b>
|
||||
for delivery with the <a href="local.8.html">local(8)</a> delivery agent. </p>
|
||||
|
||||
</ul>
|
||||
@ -265,7 +266,7 @@ default. The Postfix SMTP server uses this to reject mail for
|
||||
unknown local recipients. See the <a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a> file hints
|
||||
and tips. </p>
|
||||
|
||||
<li> <p> Introduction of the relay delivery transport in master.cf.
|
||||
<li> <p> Introduction of the relay delivery transport in <a href="master.5.html">master.cf</a>.
|
||||
This helps to avoid mail delivery scheduling problems on inbound
|
||||
mail relays when there is a lot of outbound mail, but may require
|
||||
that you update your "<a href="postconf.5.html#defer_transports">defer_transports</a>" setting. </p>
|
||||
|
@ -229,7 +229,10 @@ MAILER-DAEMON messages. </p>
|
||||
<p> Recipient address verification is relatively straightforward
|
||||
and there are no surprises. If a recipient probe fails, then Postfix
|
||||
rejects mail for the recipient address. If a recipient probe
|
||||
succeeds, then Postfix accepts mail for the recipient address. </p>
|
||||
succeeds, then Postfix accepts mail for the recipient address.
|
||||
However, recipient address verification probes can increase the
|
||||
load on down-stream MTAs when you're being flooded by backscatter
|
||||
bounces, or when some spammer is mounting a dictionary attack. </p>
|
||||
|
||||
<p> By default, address verification results are not saved. To avoid
|
||||
probing the same address repeatedly, you can store the result in a
|
||||
|
@ -92,28 +92,38 @@ by the mail delivering process that creates the connection. To get
|
||||
the same performance improvement as with a shared connection cache,
|
||||
non-shared connections need to be kept open for a longer time. </p>
|
||||
|
||||
<p> The <a href="scache.8.html">scache(8)</a> server, introduced with Postfix version 2.2,
|
||||
maintains the shared connection cache. With Postfix version 2.2,
|
||||
only the <a href="smtp.8.html">smtp(8)</a> client has support to access this cache. </p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<table>
|
||||
|
||||
<tr> <td> Internet <-- </td> <td align="center" bgcolor="#f0f0ff">
|
||||
<br> <a href="smtp.8.html">smtp(8)</a> <br> </td> <td> <tt> <-> </tt> </td> <td
|
||||
align="center" bgcolor="#f0f0ff"> <br> <a href="scache.8.html">scache(8)</a> <br> </td>
|
||||
<td> <tt> <-> </tt> </td> <td align="center" bgcolor="#f0f0ff">
|
||||
<br> <a href="smtp.8.html">smtp(8)</a> <br> </td> <td> --> Internet </td>
|
||||
<tr> <td align="center" colspan="3" bgcolor="#f0f0ff"> <br> <a href="smtp.8.html">smtp(8)</a>
|
||||
<br> </td> <td colspan="2"> --> Internet </td> </tr>
|
||||
|
||||
<tr> <td align="center" rowspan="3"> </td> <td align="center"
|
||||
rowspan="3"><tt>|<br>|<br>|<br>|<br>|<br>|<br>v</tt></td>
|
||||
<td> </td> </tr>
|
||||
|
||||
<tr> <td align="center"
|
||||
colspan="2" bgcolor="#f0f0ff"> <br> <a href="smtp.8.html">smtp(8)</a> <br> </td> <td
|
||||
align="left"> --> Internet </td> </tr>
|
||||
|
||||
<tr> <td align="center"><tt>^<br>|</tt></td> <td> </td> </tr>
|
||||
|
||||
<tr> <td align="center" colspan="3" bgcolor="#f0f0ff"> <br> <a href="scache.8.html">scache(8)</a>
|
||||
<br> </td> </tr>
|
||||
|
||||
</table>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p> The <a href="scache.8.html">scache(8)</a> server, introduced with Postfix version 2.2,
|
||||
maintains the shared connection cache. With Postfix version 2.2,
|
||||
only the <a href="smtp.8.html">smtp(8)</a> client has support to access this cache. </p>
|
||||
|
||||
<p> When SMTP connection caching is enabled (see next section), the
|
||||
<a href="smtp.8.html">smtp(8)</a> client does not disconnect after a mail transaction, but
|
||||
gives the connection to the <a href="scache.8.html">scache(8)</a> server which keeps the
|
||||
connection open for a limited amount of time. </p>
|
||||
connection open for a limited amount of time. </p>
|
||||
|
||||
<p> After handing over the open connection to the <a href="scache.8.html">scache(8)</a> server,
|
||||
the <a href="smtp.8.html">smtp(8)</a> client continues with some other mail delivery request.
|
||||
@ -144,7 +154,7 @@ destination has a high volume of mail in the <a href="QSHAPE_README.html#active_
|
||||
<blockquote>
|
||||
|
||||
<pre>
|
||||
/etc/postfix/main.cf:
|
||||
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
|
||||
<a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> = yes
|
||||
</pre>
|
||||
|
||||
@ -167,7 +177,7 @@ right-hand side of an email address, without the [] around a numeric
|
||||
IP address), </p>
|
||||
|
||||
<li> <p> if mail is sent via a <a href="postconf.5.html#relayhost">relay host</a>: a <a href="postconf.5.html#relayhost">relay host</a> name (without
|
||||
the [] or non-default TCP port), as specified in main.cf or in the
|
||||
the [] or non-default TCP port), as specified in <a href="postconf.5.html">main.cf</a> or in the
|
||||
transport map, </p>
|
||||
|
||||
<li> <p> a /file/name with domain names and/or <a href="postconf.5.html#relayhost">relay host</a> names as
|
||||
@ -184,7 +194,7 @@ lookups is ignored. </p>
|
||||
<blockquote>
|
||||
|
||||
<pre>
|
||||
/etc/postfix/main.cf:
|
||||
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
|
||||
<a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> = $<a href="postconf.5.html#relayhost">relayhost</a>
|
||||
<a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> = hotmail.com, ...
|
||||
<a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> = static:all (<i>not recommended</i>)
|
||||
|
@ -1,24 +0,0 @@
|
||||
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
|
||||
"http://www.w3.org/TR/html4/loose.dtd">
|
||||
|
||||
<html>
|
||||
|
||||
<head>
|
||||
|
||||
<title>Postfix Cyrus Howto</title>
|
||||
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
|
||||
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix Cyrus Howto</h1>
|
||||
|
||||
<hr>
|
||||
|
||||
<p> This document will be made available via <a href="http://www.postfix.org/">http://www.postfix.org/</a>. </p>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
@ -80,7 +80,8 @@ below.
|
||||
|
||||
<li> You can use Berkeley DB files with fixed lookup strings for
|
||||
simple address rewriting operations and you can use regular expression
|
||||
tables for the more complicated work.
|
||||
tables for the more complicated work. In other words, you don't
|
||||
have to put everything into the same table.
|
||||
|
||||
</ul>
|
||||
|
||||
@ -189,8 +190,9 @@ because something else happens. This is because commands such as
|
||||
<a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a> overwrite existing files. If the update
|
||||
fails in the middle then you have no usable database, and Postfix
|
||||
will stop working. This is not an issue with the CDB database type
|
||||
available with Postfix 2.2 and later, because <a href="CDB_README.html">CDB</a>
|
||||
database rebuilds are atomic. </p>
|
||||
available with Postfix 2.2 and later: <a href="CDB_README.html">CDB</a>
|
||||
creates a new file, and renames the file upon successful completion.
|
||||
</p>
|
||||
|
||||
<p> With multi-file databases such as DBM, there is no simple
|
||||
solution. With Berkeley DB and other "one file" databases, it is
|
||||
|
@ -49,15 +49,17 @@ versions. </p>
|
||||
<h2><a name="no_db">Building Postfix on systems without Berkeley
|
||||
DB</a></h2>
|
||||
|
||||
<p> Many commercial UNIXes ship without Berkeley DB support. Examples
|
||||
are Solaris, HP-UX, IRIX, UNIXWARE. In order to build Postfix with
|
||||
<p> Some UNIXes ship without Berkeley DB support; for historical
|
||||
reasons these use DBM files instead. A problem with DBM files is
|
||||
that they can store only limited amounts of data. To build Postfix
|
||||
with
|
||||
Berkeley DB support you need to download and install the source
|
||||
code from <a href="http://www.sleepycat.com/">http://www.sleepycat.com/</a> </p>
|
||||
code from <a href="http://www.oracle.com/database/berkeley-db/">http://www.oracle.com/database/berkeley-db/</a>. </p>
|
||||
|
||||
<p> Warning: some Linux system libraries use Berkeley DB, as do
|
||||
some third-party libraries such as SASL. If you compile Postfix
|
||||
with a different Berkeley DB implementation, then every Postfix
|
||||
program will dump core because either the system library, SASL
|
||||
program will dump core because either the system library, the SASL
|
||||
library, or Postfix itself ends up using the wrong version. </p>
|
||||
|
||||
<p>The more recent Berkeley DB versions have a compile-time switch,
|
||||
@ -67,7 +69,7 @@ Although wasteful, this may be the only way to keep things from
|
||||
falling apart. </p>
|
||||
|
||||
<p> To build Postfix after you installed the Berkeley DB from
|
||||
<a href="http://www.sleepycat.com/">http://www.sleepycat.com/</a>, use something like: </p>
|
||||
source code, use something like: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
@ -214,7 +216,8 @@ undefined reference to `pthread_mutex_trylock'
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> More information is available at <a href="http://www.sleepycat.com/">http://www.sleepycat.com/</a>. </p>
|
||||
<p> More information is available at
|
||||
<a href="http://www.oracle.com/database/berkeley-db/">http://www.oracle.com/database/berkeley-db/</a>. </p>
|
||||
|
||||
</body>
|
||||
|
||||
|
@ -100,8 +100,9 @@ is fixed. </p>
|
||||
permissions, incorrect configuration file settings that you can
|
||||
fix. Postfix cannot proceed until this is fixed. </p>
|
||||
|
||||
<li> <p> "<b>error</b>" reports a fatal or non-fatal error condition.
|
||||
Postfix cannot proceed until this is fixed. </p>
|
||||
<li> <p> "<b>error</b>" reports an error condition. For safety
|
||||
reasons, a Postfix process will terminate when more than 13 of these
|
||||
happen. </p>
|
||||
|
||||
<li> <p> "<b>warning</b>" indicates a non-fatal error. These are
|
||||
problems that you may not be able to fix (such as a broken DNS
|
||||
@ -145,7 +146,7 @@ Mail Delivery Status Report will be mailed to <your login name>.
|
||||
</ul>
|
||||
|
||||
<p> These reports contain information that is generated by Postfix
|
||||
delivery agents. Since these run as daemon processes and do not
|
||||
delivery agents. Since these run as daemon processes that cannot
|
||||
interact with users directly, the result is sent as mail to the
|
||||
sender of the test message. The format of these reports is practically
|
||||
identical to that of ordinary non-delivery notifications. </p>
|
||||
@ -209,18 +210,21 @@ command "<b>postfix reload</b>". </p>
|
||||
<h2><a name="sniffer">Record the SMTP session with a network sniffer</a></h2>
|
||||
|
||||
<p> This example uses <b>tcpdump</b>. In order to record a conversation
|
||||
you need to specify a large enough buffer with the "-s" option or
|
||||
else you will miss some or all of the packet payload. </p>
|
||||
you need to specify a large enough buffer with the "<b>-s</b>"
|
||||
option or else you will miss some or all of the packet payload.
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
# <b>tcpdump -w /file/name -s 2000 host example.com and port 25</b>
|
||||
# <b>tcpdump -w /file/name -s 0 host example.com and port 25</b>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Older tcpdump versions don't support "<b>-s 0</b>"; in that case,
|
||||
use "<b>-s 2000</b>" instead. </p>
|
||||
|
||||
<p> Run this for a while, stop with Ctrl-C when done. To view the
|
||||
data use a binary viewer, or <b>ethereal</b>, or use my <b>tcpdumpx</b>
|
||||
utility that is available from <a href="ftp://ftp.porcupine.org/pub/debugging/">ftp://ftp.porcupine.org/pub/debugging/</a>.
|
||||
data use a binary viewer, <b>ethereal</b>, or good old <b>less</b>.
|
||||
</p>
|
||||
|
||||
<h2><a name="verbose">Making Postfix daemon programs more verbose</a></h2>
|
||||
@ -228,7 +232,7 @@ utility that is available from <a href="ftp://ftp.porcupine.org/pub/debugging/">
|
||||
<p> Append one or more "<b>-v</b>" options to selected daemon
|
||||
definitions in /etc/postfix/<a href="master.5.html">master.cf</a> and type "<b>postfix reload</b>".
|
||||
This will cause a lot of activity to be logged to the syslog daemon.
|
||||
Example: </p>
|
||||
For example, to make the Postfix SMTP server process more verbose: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
@ -237,10 +241,9 @@ Example: </p>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> This makes the Postfix SMTP server more verbose. To diagnose
|
||||
problems with address rewriting one would specify a "<b>-v</b>"
|
||||
<p> To diagnose problems with address rewriting specify a "<b>-v</b>"
|
||||
option for the <a href="cleanup.8.html">cleanup(8)</a> and/or <a href="trivial-rewrite.8.html">trivial-rewrite(8)</a> daemon, and to
|
||||
diagnose problems with mail delivery one would specify a "<b>-v</b>"
|
||||
diagnose problems with mail delivery specify a "<b>-v</b>"
|
||||
option for the <a href="qmgr.8.html">qmgr(8)</a> or <a href="qmgr.8.html">oqmgr(8)</a> queue manager, or for the <a href="lmtp.8.html">lmtp(8)</a>,
|
||||
<a href="local.8.html">local(8)</a>, <a href="pipe.8.html">pipe(8)</a>, <a href="smtp.8.html">smtp(8)</a>, or <a href="virtual.8.html">virtual(8)</a> delivery agent. </p>
|
||||
|
||||
@ -538,20 +541,23 @@ attachments, instead of reciting information from memory.
|
||||
|
||||
<li> <p> Postfix logging. See the text at the top of the <a href="DEBUG_README.html">DEBUG_README</a>
|
||||
document to find out where logging is stored. Please do not frustrate
|
||||
the helpers by word wrapping the logging. </p>
|
||||
the helpers by word wrapping the logging. If the logging is more
|
||||
than a few kbytes of text, consider posting an URL on a web or ftp
|
||||
site. </p>
|
||||
|
||||
<li> <p> Consider using a test email address so that you don't have
|
||||
to reveal email addresses or passwords of innocent people. </p>
|
||||
|
||||
<li> <p> If you can't use a test email address, please anonymize
|
||||
information consistently. Replace each letter by "A", each digit
|
||||
email addresses and host names consistently. Replace each letter
|
||||
by "A", each digit
|
||||
by "D" so that the helpers can still recognize syntactical errors.
|
||||
</p>
|
||||
|
||||
<li> <p> Output from "<b>postconf -n</b>". Please do not send your
|
||||
<a href="postconf.5.html">main.cf</a> file or 400+ lines of <b>postconf</b> output. </p>
|
||||
<a href="postconf.5.html">main.cf</a> file, or 500+ lines of <b>postconf</b> output. </p>
|
||||
|
||||
<li> <p> Better, provide output from the <b>postfinger</b> tool.
|
||||
<li> <p> Better, provide output from the <b>postfinger</b> tool.
|
||||
This can be found at <a href="http://ftp.wl0.org/SOURCES/postfinger">http://ftp.wl0.org/SOURCES/postfinger</a>. </p>
|
||||
|
||||
<li> <p> If the problem is SASL related, consider including the
|
||||
@ -562,7 +568,7 @@ output from the <b>saslfinger</b> tool. This can be found at
|
||||
including output from the <b>qshape</b> tool, as described in the
|
||||
<a href="QSHAPE_README.html">QSHAPE_README</a> file. </p>
|
||||
|
||||
<li> <p> If the problem is protocol related (connections time out
|
||||
<li> <p> If the problem is protocol related (connections time out,
|
||||
or an SMTP server complains about syntax errors etc.) consider
|
||||
recording a session with <b>tcpdump</b>, as described in the <a
|
||||
href="#sniffer">DEBUG_README</a> document. </ul>
|
||||
|
@ -44,7 +44,7 @@ identifies the message <i>content</i>. </p>
|
||||
</ul>
|
||||
|
||||
<p> The implementation of DSN support involves extra parameters to
|
||||
the SMTP MAIL FROM and RCPT TO commands, as well as new Postfix
|
||||
the SMTP MAIL FROM and RCPT TO commands, as well as two Postfix
|
||||
sendmail command line options that provide a sub-set of the functions
|
||||
of the extra SMTP command parameters. </p>
|
||||
|
||||
|
@ -27,11 +27,6 @@ searches the queue for mail to the customer, and delivers that mail
|
||||
not delivered via the connection that was used for sending ETRN.
|
||||
</p>
|
||||
|
||||
<p> Postfix versions before 1.0 (also known as version 20010228)
|
||||
implemented the ETRN command in an inefficient manner: they simply
|
||||
attempted to deliver all queued mail. This is slow on mail servers
|
||||
that queue mail for many customers. </p>
|
||||
|
||||
<p> As of version 1.0, Postfix has a fast ETRN implementation that
|
||||
does not require Postfix to examine every queue file. Instead,
|
||||
Postfix maintains a record of what queue files contain mail for
|
||||
@ -74,11 +69,11 @@ font. </p>
|
||||
<blockquote>
|
||||
<pre>
|
||||
220 my.server.tld ESMTP Postfix
|
||||
<b>helo my.client.tld</b>
|
||||
<b>HELO my.client.tld</b>
|
||||
250 Ok
|
||||
<b>etrn some.customer.domain</b>
|
||||
<b>ETRN some.customer.domain</b>
|
||||
250 Queuing started
|
||||
<b>quit</b>
|
||||
<b>QUIT</b>
|
||||
221 Bye
|
||||
</pre>
|
||||
</blockquote>
|
||||
@ -90,6 +85,8 @@ the connection that was used to send the ETRN command. </p>
|
||||
<p> The Postfix operator can request delivery for a specific customer
|
||||
by using the command "sendmail -qR<i>destination</i>" and, with
|
||||
Postfix version 1.1 and later, "postqueue -s<i>destination</i>".
|
||||
Access to this feature is controlled with the <a href="postconf.5.html#authorized_flush_users">authorized_flush_users</a>
|
||||
configuration parameter (Postfix version 2.2 and later).
|
||||
</p>
|
||||
|
||||
<h2><a name="how">How Postfix fast ETRN works</a></h2>
|
||||
@ -149,12 +146,13 @@ want to turn on fast ETRN service for every possible destination.
|
||||
with queue file names. When a request to "deliver mail now" arrives,
|
||||
Postfix will attempt to deliver all recipients in the queue files
|
||||
that have mail for the destination in question. This does not
|
||||
perform well when queue files have recipients in many different
|
||||
domains. </p>
|
||||
perform well with queue files that have recipients in many different
|
||||
domains, such as queue files with outbound mailing list traffic.
|
||||
</p>
|
||||
|
||||
<li> <p> The <a href="flush.8.html">flush(8)</a> daemon maintains per-destination logfiles
|
||||
only for destinations listed with $<a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a>. With other
|
||||
destinations it not possible to trigger delivery with "sendmail
|
||||
destinations you cannot request delivery with "sendmail
|
||||
-qR<i>destination</i>" or, with Postfix version 1.1 and later,
|
||||
"postqueue -s<i>destination</i>". </p>
|
||||
|
||||
@ -166,19 +164,24 @@ does not ignore the volatile in-memory list of dead domains, and
|
||||
the list of message delivery transports specified with the
|
||||
<a href="postconf.5.html#defer_transports">defer_transports</a> configuration parameter. </p>
|
||||
|
||||
<li> <p> Up to and including Postfix version 2.3, the "fast flush"
|
||||
service may not deliver some messages if the request to "deliver
|
||||
mail now" arrives while an <a href="QSHAPE_README.html#incoming_queue">incoming queue</a> scan is already in progress.
|
||||
</p>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2><a name="config">Configuring the Postfix fast ETRN service</a></h2>
|
||||
|
||||
<p> The behavior of the <a href="flush.8.html">flush(8)</a> daemon is controlled by parameters
|
||||
in the main.cf configuration file. </p>
|
||||
in the <a href="postconf.5.html">main.cf</a> configuration file. </p>
|
||||
|
||||
<p> By default, Postfix "fast ETRN" service is available only for
|
||||
destinations that Postfix is willing to relay mail to: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
/etc/postfix/main.cf:
|
||||
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
|
||||
<a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a> = $<a href="postconf.5.html#relay_domains">relay_domains</a>
|
||||
<a href="postconf.5.html#smtpd_etrn_restrictions">smtpd_etrn_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, reject
|
||||
</pre>
|
||||
@ -203,7 +206,7 @@ may execute the ETRN command. By default, any client has permission.
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
/etc/postfix/main.cf:
|
||||
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
|
||||
<a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a> = $<a href="postconf.5.html#relay_domains">relay_domains</a>, some.other.domain
|
||||
</pre>
|
||||
</blockquote>
|
||||
@ -213,7 +216,7 @@ and so that it maintains no per-destination logfiles, specify: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
/etc/postfix/main.cf:
|
||||
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
|
||||
<a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a> =
|
||||
</pre>
|
||||
</blockquote>
|
||||
@ -240,7 +243,7 @@ for this delivery transport is deferred as soon as it arrives.
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
1 /etc/postfix/master.cf:
|
||||
1 /etc/postfix/<a href="master.5.html">master.cf</a>:
|
||||
2 # =============================================================
|
||||
3 # service type private unpriv chroot wakeup maxproc command
|
||||
4 # (yes) (yes) (yes) (never) (100)
|
||||
@ -249,7 +252,7 @@ for this delivery transport is deferred as soon as it arrives.
|
||||
7 relay unix - - n - - smtp
|
||||
8 etrn-only unix - - n - - smtp
|
||||
9
|
||||
10 /etc/postfix/main.cf:
|
||||
10 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
|
||||
11 <a href="postconf.5.html#relay_domains">relay_domains</a> = customer.tld ...other domains...
|
||||
12 <a href="postconf.5.html#defer_transports">defer_transports</a> = etrn-only
|
||||
13 <a href="postconf.5.html#transport_maps">transport_maps</a> = hash:/etc/postfix/transport
|
||||
@ -302,9 +305,9 @@ boldface: </p>
|
||||
<blockquote>
|
||||
<pre>
|
||||
220 my.server.tld ESMTP Postfix
|
||||
<b>helo my.client.tld</b>
|
||||
<b>HELO my.client.tld</b>
|
||||
250 Ok
|
||||
<b>etrn some.customer.domain</b>
|
||||
<b>ETRN some.customer.domain</b>
|
||||
250 Queuing started
|
||||
</pre>
|
||||
</blockquote>
|
||||
@ -338,9 +341,9 @@ commands that you type: </p>
|
||||
<blockquote>
|
||||
<pre>
|
||||
220 my.server.tld ESMTP Postfix
|
||||
<b>helo my.client.tld</b>
|
||||
<b>HELO my.client.tld</b>
|
||||
250 Ok
|
||||
<b>etrn some.other.customer.domain</b>
|
||||
<b>ETRN some.other.customer.domain</b>
|
||||
250 Queuing started
|
||||
</pre>
|
||||
</blockquote>
|
||||
@ -356,9 +359,9 @@ server has mail queued for that destination. </p>
|
||||
<blockquote>
|
||||
<pre>
|
||||
220 my.server.tld ESMTP Postfix
|
||||
<b>helo my.client.tld</b>
|
||||
<b>HELO my.client.tld</b>
|
||||
250 Ok
|
||||
<b>etrn not.a.customer.domain</b>
|
||||
<b>ETRN not.a.customer.domain</b>
|
||||
459 <not.a.customer.domain>: service unavailable
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
@ -71,7 +71,8 @@ mail. Applications that use two separate Postfix instances will
|
||||
be covered by a later version of this document. </p>
|
||||
|
||||
<p> The after-queue content filter is not to be confused with the
|
||||
approach that is described in the <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> document,
|
||||
approaches described in the <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or <a href="MILTER_README.html">MILTER_README</a>
|
||||
documents,
|
||||
where incoming SMTP mail is filtered BEFORE it is stored into the
|
||||
Postfix queue. </p>
|
||||
|
||||
@ -125,16 +126,18 @@ all email, as well as several options to filter mail selectively: </p>
|
||||
|
||||
<h2><a name="principles">Principles of operation</a> </h2>
|
||||
|
||||
<p> An external content filter receives unfiltered mail from Postfix
|
||||
(as described further below) and does one of the following: </p>
|
||||
<p> An after-queue content filter receives unfiltered mail from Postfix
|
||||
(as described further below) and can do one of the following: </p>
|
||||
|
||||
<ol>
|
||||
|
||||
<li> <p> Re-inject the mail back into Postfix, perhaps after changing
|
||||
content and/or destination. </p>
|
||||
|
||||
<li> <p> Discard or quarantine the mail. </p>
|
||||
|
||||
<li> <p> Reject the mail (by sending a suitable status code back to
|
||||
Postfix). Postfix will return the mail to the sender. </p>
|
||||
Postfix). Postfix will send the mail back to the sender address. </p>
|
||||
|
||||
</ol>
|
||||
|
||||
@ -146,7 +149,8 @@ suspect so that a human can decide what to do with it. </p>
|
||||
|
||||
<h2><a name="simple_filter">Simple content filter example</a></h2>
|
||||
|
||||
<p> The first example is simple to set up. Postfix receives
|
||||
<p> The first example is simple to set up, but has major limitations
|
||||
that will be addressed in a second example. Postfix receives
|
||||
unfiltered mail from the network with the <a href="smtpd.8.html">smtpd(8)</a> server, and
|
||||
delivers unfiltered mail to a content filter with the Postfix
|
||||
<a href="pipe.8.html">pipe(8)</a> delivery agent. The content filter injects filtered mail
|
||||
@ -282,21 +286,23 @@ document for an introduction to the Postfix architecture. </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> Line 8: The -G option does nothing before Postfix 2.3,
|
||||
otherwise it disables address rewriting of message headers. </p>
|
||||
<li> <p> Line 8: The -G option says the filter output is not a local
|
||||
mail submission: don't do silly things like appending the local
|
||||
domain name to addresses in message headers. This option does
|
||||
nothing before Postfix version 2.3. </p>
|
||||
|
||||
<li> <p> Line 8: The -i option says don't stop reading input when
|
||||
a line contains "." only. </p>
|
||||
|
||||
<li> <p> Line 8: NEVER NEVER NEVER use the "-t" command-line option
|
||||
here. It will mis-deliver mail, like sending mailing list mail back
|
||||
to the mailing list. </p>
|
||||
here. It will mis-deliver mail, like sending messages from a mailing
|
||||
list back to the mailing list. </p>
|
||||
|
||||
<li> <p> Line 21: The idea is to first capture the message to
|
||||
file and then run the content through a third-party content filter
|
||||
program. </p>
|
||||
|
||||
<li> <p> Line 22: If the mail cannot be captured to file, mail
|
||||
<li> <p> Line 22: If the message cannot be captured to file, mail
|
||||
delivery is deferred by terminating with exit status 75 (EX_TEMPFAIL).
|
||||
Postfix places the message in the deferred mail queue and tries
|
||||
again later. </p>
|
||||
@ -306,13 +312,14 @@ program here that receives the content on standard input. </p>
|
||||
|
||||
<li> <p> Line 26: If the content filter program finds a problem,
|
||||
the mail is bounced by terminating with exit status 69 (EX_UNAVAILABLE).
|
||||
Postfix will return the message to the sender as undeliverable.
|
||||
Postfix will send the message back to the sender as undeliverable
|
||||
mail.
|
||||
</p>
|
||||
|
||||
<li> <p> Note: in this time of mail worms and spam, it is a BAD
|
||||
<li> <p> NOTE: in this time of mail worms and spam, it is a BAD
|
||||
IDEA to send known viruses or spam back to the sender, because that
|
||||
address is likely to be forged. It is safer to discard known to be
|
||||
bad content and to quarantine suspicious content so that it can
|
||||
address is likely to be forged. It is safer to discard known viruses
|
||||
and to quarantine suspicious content so that it can
|
||||
be inspected by a human being. </p>
|
||||
|
||||
<li> <p> Line 28: If the content is OK, it is given as input to
|
||||
@ -331,7 +338,7 @@ as input: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
% /path/to/script -f sender recipient... <message-file
|
||||
% /path/to/script -f sender -- recipient... <message-file
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
@ -381,7 +388,7 @@ entry that defines the Postfix SMTP server: </p>
|
||||
-o <a href="postconf.5.html#content_filter">content_filter</a>=filter:dummy
|
||||
</pre>
|
||||
|
||||
<p> The "<a href="postconf.5.html#content_filter">content_filter</a>" line causes Postfix to add one content
|
||||
<p> The "-o <a href="postconf.5.html#content_filter">content_filter</a>" line causes Postfix to add one content
|
||||
filter request record to each incoming mail message, with content
|
||||
"filter:dummy". This record overrides the normal mail routing
|
||||
and causes mail to be given to the content filter instead. </p>
|
||||
@ -432,7 +439,7 @@ for filtered mail. </p>
|
||||
Postfix SMTP server. </p>
|
||||
|
||||
<li> <p> Execute "<b>postsuper -r ALL</b>" to remove content
|
||||
filter information from existing queue files. </p>
|
||||
filter request records from existing queue files. </p>
|
||||
|
||||
<li> <p> Execute another "<b>postfix reload</b>". </p>
|
||||
|
||||
@ -553,7 +560,9 @@ document for an introduction to the Postfix architecture. </p>
|
||||
|
||||
<p> The example given here filters all mail, including mail that
|
||||
arrives via SMTP and mail that is locally submitted via the Postfix
|
||||
sendmail command. See examples near the end of this document for
|
||||
sendmail command (local submissions enter Postfix via the <a href="pickup.8.html">pickup(8)</a>
|
||||
server; to keep the figure simple we omit local submission details).
|
||||
See examples near the end of this document for
|
||||
how to exclude local users from filtering, or how to configure a
|
||||
destination dependent content filter. </p>
|
||||
|
||||
@ -638,7 +647,7 @@ for more information. </p>
|
||||
<li> <p> The "-o <a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a>=yes" is a workaround
|
||||
that prevents the breaking of domainkeys and other digital signatures.
|
||||
This is needed because some SMTP-based content filters don't announce
|
||||
8BITMIME support, even though they can handle it just fine. </p>
|
||||
8BITMIME support, even though they can handle 8-bit mail. </p>
|
||||
|
||||
<li> <p> The "-o <a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a>=" is a workaround that prevents
|
||||
local address rewriting with <a href="generic.5.html">generic(5)</a> maps. Such rewriting should
|
||||
@ -672,6 +681,10 @@ shell and home directory. This user handles all potentially
|
||||
dangerous mail content - that is why it should be a separate account.
|
||||
</p>
|
||||
|
||||
<li> <p> By default, Postfix will terminate a command that runs
|
||||
longer than <a href="postconf.5.html#command_time_limit">command_time_limit</a> seconds (default: 1000s). This is a
|
||||
safety measure that prevents filters from running forever. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> If you want to have your filter listening on port localhost:10025
|
||||
@ -711,15 +724,14 @@ that injects mail back into Postfix. </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> Note: do not use spaces around the "=" or "," characters. </p>
|
||||
<li> <p> NOTE: do not use spaces around the "=" or "," characters. </p>
|
||||
|
||||
<li> <p> Note: the SMTP server must not have a smaller process
|
||||
<li> <p> NOTE: the SMTP server must not have a smaller process
|
||||
limit than the "filter" <a href="master.5.html">master.cf</a> entry. </p>
|
||||
|
||||
<li> <p> The "-o <a href="postconf.5.html#content_filter">content_filter</a>=" overrides <a href="postconf.5.html">main.cf</a> settings, and
|
||||
requests no content filtering for mail from the content filter.
|
||||
This is required or else mail will stay in the content filtering
|
||||
loop. </p>
|
||||
This is required or else mail will loop. </p>
|
||||
|
||||
<li> <p> The "-o <a href="postconf.5.html#receive_override_options">receive_override_options</a>" overrides <a href="postconf.5.html">main.cf</a> settings
|
||||
to avoid duplicating work that was already done before the content
|
||||
@ -737,7 +749,7 @@ specified in <a href="postconf.5.html">main.cf</a>: </p>
|
||||
<li> <p> We specify "<a href="postconf.5.html#no_milters">no_milters</a>" to disable Milter applications
|
||||
(this option is available only in Postfix 2.3 and later). </p>
|
||||
|
||||
<li> <p> We don't specify "no_address_mapping" here. This
|
||||
<li> <p> We don't specify "<a href="postconf.5.html#no_address_mappings">no_address_mappings</a>" here. This
|
||||
enables virtual alias expansion, canonical mappings, address
|
||||
masquerading, and other address mappings after the content
|
||||
filter. The <a href="postconf.5.html">main.cf</a> setting of "<a href="postconf.5.html#receive_override_options">receive_override_options</a>"
|
||||
@ -794,7 +806,7 @@ when content filtering is turned off. </p>
|
||||
</blockquote>
|
||||
|
||||
<li> <p> Execute "<b>postsuper -r ALL</b>" to remove content
|
||||
filter information from existing queue files. </p>
|
||||
filter request records from existing queue files. </p>
|
||||
|
||||
<li> <p> Execute another "<b>postfix reload</b>". </p>
|
||||
|
||||
|
@ -350,7 +350,7 @@ assume for the moment that groups never have a "maildrop" (the "bgroup"
|
||||
</blockquote>
|
||||
|
||||
<p> Note: if the desired member object result attribute is always also
|
||||
present in the group, you get suprising results, the expansion also
|
||||
present in the group, you get surprising results, the expansion also
|
||||
returns the address of the group. This is a known limitation of Postfix
|
||||
releases prior to 2.4, and is addressed in the new with Postfix 2.4
|
||||
"leaf_result_attribute" feature described in <a href="ldap_table.5.html">ldap_table(5)</a>. </p>
|
||||
|
@ -28,9 +28,13 @@ this happens before mail is queued. </p>
|
||||
<p> The reason for adding Milter support to Postfix is that there
|
||||
exists a large collection of applications, not only to block unwanted
|
||||
mail, but also to verify authenticity (examples: <a
|
||||
href="http://sourceforge.net/projects/dkim-milter/">Domain keys
|
||||
identified mail</a>, <a
|
||||
href="http://sourceforge.net/projects/sid-milter/">SenderID+SPF</a> and
|
||||
<a href="http://sourceforge.net/projects/dk-milter/">Domain keys</a>)
|
||||
or to digitally sign mail (example: <a
|
||||
or to digitally sign mail (examples: <a
|
||||
href="http://sourceforge.net/projects/dkim-milter/">Domain keys
|
||||
identified mail</a>, <a
|
||||
href="http://sourceforge.net/projects/dk-milter/">Domain keys</a>).
|
||||
Having yet another Postfix-specific version of all that software
|
||||
is a poor use of human and system resources. </p>
|
||||
@ -202,14 +206,14 @@ does. </p>
|
||||
|
||||
<p> On some Linux and *BSD distributions, the Sendmail libmilter
|
||||
library is installed by default. With this, applications such as
|
||||
<a href="http://sourceforge.net/projects/dk-milter/">dk-milter</a>
|
||||
<a href="http://sourceforge.net/projects/dkim-milter/">dkim-milter</a>
|
||||
and <a href="http://sourceforge.net/projects/sid-milter/">sid-milter</a>
|
||||
build out of the box without requiring any tinkering:</p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
$ <b>gzcat dk-milter-<i>x.y.z</i>.tar.gz | tar xf -</b>
|
||||
$ <b>cd dk-milter-<i>x.y.z</i></b>
|
||||
$ <b>gzcat dkim-milter-<i>x.y.z</i>.tar.gz | tar xf -</b>
|
||||
$ <b>cd dkim-milter-<i>x.y.z</i></b>
|
||||
$ <b>make</b>
|
||||
[...<i>lots of output omitted</i>...]
|
||||
</pre>
|
||||
@ -260,7 +264,7 @@ for options. A typical command looks like this:</p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
# <b>/some/where/dk-filter -u <i>userid</i> -p inet:<i>portnumber</i>@localhost ...<i>other options</i>...</b>
|
||||
# <b>/some/where/dkim-filter -u <i>userid</i> -p inet:<i>portnumber</i>@localhost ...<i>other options</i>...</b>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
@ -652,23 +656,70 @@ X-SenderID: Sendmail Sender-ID Filter vx.y.z host.example.com <unknown-msgid&
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> This happens because some Milter applications expect that the
|
||||
<p> This happens because those Milter applications expect that the
|
||||
queue ID is known <i>before</i> the MTA accepts the MAIL FROM
|
||||
(sender) command. Postfix, on the other hand, does not choose a
|
||||
queue file name until <i>after</i> it accepts the first valid RCPT
|
||||
TO (recipient) command. Postfix queue file names must be unique
|
||||
TO (recipient) command (Postfix queue file names must be unique
|
||||
across multiple directories, so the name can't be chosen before the
|
||||
file is created. If multiple messages were to use the same queue
|
||||
ID <i>simultaneously</i>, mail would be lost. </p>
|
||||
file is created; if multiple messages were to use the same queue
|
||||
ID <i>simultaneously</i>, mail would be lost). </p>
|
||||
|
||||
<p> To work around the ugly message header from Milter applications,
|
||||
we add a little code to the Milter source to look up the queue ID
|
||||
after Postfix receives the end of the message. </p>
|
||||
</ul>
|
||||
|
||||
<p> Fixing the ugly header maybe as simple as upgrading to a recent
|
||||
version of the Milter application. For example, current versions
|
||||
of dkim-filter and dk-filter have code that looks up the Postfix
|
||||
queue ID at a later protocol stage. </p>
|
||||
|
||||
<p> To fix the ugly message header with sid-filter applications,
|
||||
we change the source code, so that it does the queue ID lookup after
|
||||
Postfix receives the end of the message. </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> Edit the filter source file (named
|
||||
<tt>sid-filter/sid-filter.c</tt>). </p>
|
||||
|
||||
<li> <p> Look up the <tt>smfilter</tt> table and replace
|
||||
<tt>mlfi_eoh</tt> by <tt>NULL</tt>.
|
||||
</p>
|
||||
|
||||
<li> <p> Look up the <tt>mlfi_eom()</tt> function and add code near
|
||||
the top that calls <tt>mlfi_eoh()</tt> as shown by the <b>bold</b>
|
||||
text below: </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
assert(ctx != NULL);
|
||||
#endif /* !DEBUG */
|
||||
<b>
|
||||
ret = mlfi_eoh(ctx);
|
||||
if (ret != SMFIS_CONTINUE)
|
||||
return ret;</b>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> NOTES: </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> This was tested with sid-milter-0.2.10 and sid-milter-0.2.14. </p>
|
||||
|
||||
<li> <p> This fixes only the ugly message header, but not the WARNING
|
||||
message. Fortunately, sid-milter logs that message only once. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> To fix the ugly message header with other Milter applications,
|
||||
you will need to do something like this: </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> Edit the filter source file (typically named
|
||||
<tt>dk-filter/dk-filter.c</tt> or similar). </p>
|
||||
<tt>xxx-filter/xxx-filter.c</tt> or similar). </p>
|
||||
|
||||
<li> <p> Look up the <tt>mlfi_eom()</tt> function and add code near
|
||||
the top shown as <b>bold</b> text below: </p>
|
||||
@ -700,43 +751,7 @@ variables. If the above code does not compile, look for the code
|
||||
at the start of the <tt>mlfi_eoh()</tt> routine. </p>
|
||||
|
||||
<li> <p> This fixes only the ugly message header, but not the WARNING
|
||||
message. Fortunately, dk-filter logs that message only once. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> With some Milter applications we can fix both the WARNING and
|
||||
the "unknown-msgid" by postponing the call of <tt>mlfi_eoh()</tt>
|
||||
(or whatever routine logs the WARNING) until the end of the message.
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> Edit the filter source file (typically named
|
||||
<tt>sid-filter/sid-filter.c</tt> or similar). </p>
|
||||
|
||||
<li> <p> Look up the <tt>smfilter</tt> table and replace
|
||||
<tt>mlfi_eoh</tt> (or whatever routine logs the WARNING) by NULL.
|
||||
</p>
|
||||
|
||||
<li> <p> Look up the <tt>mlfi_eom()</tt> function and add code near
|
||||
the top that calls <tt>mlfi_eoh()</tt> as shown by the <b>bold</b>
|
||||
text below: </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
assert(ctx != NULL);
|
||||
#endif /* !DEBUG */
|
||||
<b>
|
||||
ret = mlfi_eoh(ctx);
|
||||
if (ret != SMFIS_CONTINUE)
|
||||
return ret;</b>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> This works with sid-milter-0.2.10. Other Milter applications
|
||||
will dump core when you do this. </p>
|
||||
message. Fortunately, many Milters log that message only once. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
|
@ -26,9 +26,9 @@ Postfix distributions for general use. </p>
|
||||
<h2>General distributions: please provide a small default main.cf
|
||||
file</h2>
|
||||
|
||||
<p> The installed main.cf file must be small. PLEASE resist the
|
||||
temptation to list all 400+ parameters in the main.cf file. Postfix
|
||||
is supposed to be easy to configure. Listing all 400+ in main.cf
|
||||
<p> The installed <a href="postconf.5.html">main.cf</a> file must be small. PLEASE resist the
|
||||
temptation to list all parameters in the <a href="postconf.5.html">main.cf</a> file. Postfix
|
||||
is supposed to be easy to configure. Listing all parameters in <a href="postconf.5.html">main.cf</a>
|
||||
defeats the purpose. It is an invitation for hobbyists to make
|
||||
random changes without understanding what they do, and gets them
|
||||
into endless trouble. </p>
|
||||
@ -70,7 +70,7 @@ script directly (<tt>% <b>sh post-install</b></tt>). </p>
|
||||
|
||||
<p> You will be prompted for installation parameters. Specify an
|
||||
install_root directory other than /. The <a href="postconf.5.html#mail_owner">mail_owner</a> and <a href="postconf.5.html#setgid_group">setgid_group</a>
|
||||
installation parameter settings will be recorded in the main.cf
|
||||
installation parameter settings will be recorded in the <a href="postconf.5.html">main.cf</a>
|
||||
file, but they won't take effect until the package is unpacked and
|
||||
installed on the destination machine. </p>
|
||||
|
||||
|
@ -164,7 +164,7 @@ etrn_domain=
|
||||
These attributes are empty in case of no certificate authentication.
|
||||
As of Postfix 2.2.11 these attribute values are encoded as
|
||||
xtext: some characters are represented by +XX, where XX is the
|
||||
two-digit hecadecimal representation of the character value.
|
||||
two-digit hexadecimal representation of the character value.
|
||||
</p>
|
||||
|
||||
<li> <p> The "encryption_*" attributes (Postfix 2.3 and later)
|
||||
|
@ -224,8 +224,8 @@ seconds or $<a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_t
|
||||
|
||||
<h2><a name="conn_limit">Measures against clients that make too many connections</a></h2>
|
||||
|
||||
<p> Note: the <a href="anvil.8.html">anvil(8)</a> service was introduced with Postfix version
|
||||
2.2. </p>
|
||||
<p> Note: these features use the Postfix <a href="anvil.8.html">anvil(8)</a> service, introduced
|
||||
with Postfix version 2.2. </p>
|
||||
|
||||
<p> The Postfix <a href="smtpd.8.html">smtpd(8)</a> server can limit the number of simultaneous
|
||||
connections from the same SMTP client, as well as the number of
|
||||
@ -233,34 +233,47 @@ connections that a client is allowed to make per unit time.
|
||||
These statistics are maintained by the <a href="anvil.8.html">anvil(8)</a> server (translation:
|
||||
if <a href="anvil.8.html">anvil(8)</a> breaks, then connection limits stop working). </p>
|
||||
|
||||
<p> IMPORTANT: These limits are designed to protect the <a href="smtpd.8.html">smtpd(8)</a> server
|
||||
against flagrant abuse. Do not use these limits to regulate legitimate
|
||||
traffic: mail will suffer grotesque delays if you do so. </p>
|
||||
<p> IMPORTANT: These limits must not be used to regulate legitimate
|
||||
traffic: mail will suffer grotesque delays if you do so. The limits
|
||||
are designed to protect the <a href="smtpd.8.html">smtpd(8)</a> server against abuse by
|
||||
out-of-control clients. </p>
|
||||
|
||||
<ul>
|
||||
<blockquote>
|
||||
|
||||
<li> <p> An SMTP client may make up to $<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a>
|
||||
simultaneous connections (default: 50). This is half the default
|
||||
process limit. </p>
|
||||
<dl>
|
||||
|
||||
<li> <p> An SMTP client may make up to $<a href="postconf.5.html#smtpd_client_message_rate_limit">smtpd_client_message_rate_limit</a>
|
||||
message delivery requests per unit time (default: no limit). </p>
|
||||
<dt> <a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a> (default: 50) </dt> <dd>
|
||||
The maximum number of connections than an SMTP client may make
|
||||
simultaneously. </dd>
|
||||
|
||||
<li> <p> An SMTP client may send up to $<a href="postconf.5.html#smtpd_client_recipient_rate_limit">smtpd_client_recipient_rate_limit</a>
|
||||
recipient addresses per unit time (default: no limit). </p>
|
||||
<dt> <a href="postconf.5.html#smtpd_client_connection_rate_limit">smtpd_client_connection_rate_limit</a> (default: no limit) </dt>
|
||||
<dd> The maximum number of connections that an SMTP client may make
|
||||
in the time interval specified with <a href="postconf.5.html#anvil_rate_time_unit">anvil_rate_time_unit</a> (default:
|
||||
60s). </dd>
|
||||
|
||||
<li> <p> An SMTP client may make up to $<a href="postconf.5.html#smtpd_client_connection_rate_limit">smtpd_client_connection_rate_limit</a>
|
||||
connections per unit time (default: no limit). </p>
|
||||
<dt> <a href="postconf.5.html#smtpd_client_message_rate_limit">smtpd_client_message_rate_limit</a> (default: no limit) </dt> <dd>
|
||||
The maximum number of message delivery requests that an SMTP client
|
||||
may make in the time interval specified with <a href="postconf.5.html#anvil_rate_time_unit">anvil_rate_time_unit</a>
|
||||
(default: 60s). </dd>
|
||||
|
||||
<li> <p> These limits are not applied to SMTP clients in the networks
|
||||
specified with $<a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a> (default:
|
||||
clients in $<a href="postconf.5.html#mynetworks">mynetworks</a> may make an unlimited number of connections).
|
||||
<dt> <a href="postconf.5.html#smtpd_client_recipient_rate_limit">smtpd_client_recipient_rate_limit</a> (default: no limit) </dt>
|
||||
<dd> The maximum number of recipient addresses that an SMTP client
|
||||
may specify in the time interval specified with <a href="postconf.5.html#anvil_rate_time_unit">anvil_rate_time_unit</a>
|
||||
(default: 60s). </dd>
|
||||
|
||||
<li> <p> The <a href="postconf.5.html#anvil_rate_time_unit">anvil_rate_time_unit</a> parameter specifies the time
|
||||
unit over which client connection rates are computed (default:
|
||||
60s).
|
||||
<dt> <a href="postconf.5.html#smtpd_client_new_tls_session_rate_limit">smtpd_client_new_tls_session_rate_limit</a> (default: no limit)
|
||||
</dt> <dd> The maximum number of new TLS sessions (without using
|
||||
the TLS session cache) that an SMTP client may negotiate in the
|
||||
time interval specified with <a href="postconf.5.html#anvil_rate_time_unit">anvil_rate_time_unit</a> (default: 60s).
|
||||
</dd>
|
||||
|
||||
</ul>
|
||||
<dt> <a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a> (default: $<a href="postconf.5.html#mynetworks">mynetworks</a>)
|
||||
</dt> <dd> SMTP clients that are excluded from connection and rate
|
||||
limits specified above. </dd>
|
||||
|
||||
</dl>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<h2><a name="mailing_tips">General mail delivery performance tips</a></h2>
|
||||
|
||||
@ -360,7 +373,7 @@ is not useful. Another good reason to limit delivery concurrency
|
||||
to the same recipient: if the recipient has an expensive shell
|
||||
command in her .forward file, or if the recipient is a mailing list
|
||||
manager, you don't want to run too many instances of those processes
|
||||
the same time. </p>
|
||||
at the same time. </p>
|
||||
|
||||
<li> <p> The default <a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> of 20 seems
|
||||
enough to noticeably load a system without bringing it to its knees.
|
||||
@ -465,10 +478,12 @@ some amount of time. </p>
|
||||
|
||||
<dl>
|
||||
|
||||
<dt> <a href="postconf.5.html#queue_run_delay">queue_run_delay</a> (default: 1000 seconds) </dt> <dd> How often
|
||||
<dt> <a href="postconf.5.html#queue_run_delay">queue_run_delay</a> (default: 300 seconds; before Postfix 2.4:
|
||||
1000s) </dt> <dd> How often
|
||||
the queue manager scans the queue for deferred mail. </dd>
|
||||
|
||||
<dt> <a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a> (default: 1000 seconds) </dt> <dd> The
|
||||
<dt> <a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a> (default: 300 seconds; before Postfix
|
||||
2.4: 1000s) </dt> <dd> The
|
||||
minimal amount of time a message won't be looked at, and the minimal
|
||||
amount of time to stay away from a "dead" destination. </dd>
|
||||
|
||||
@ -519,7 +534,8 @@ that usually requires timing out one or more SMTP connections. </p>
|
||||
always better than increasing the frequency of delivery attempts.
|
||||
However, if you can control only the delivery attempt frequency,
|
||||
consider using a dedicated <a href="postconf.5.html#fallback_relay">fallback_relay</a> "graveyard" machine for
|
||||
bad destinations so that they do not ruin the performance of normal
|
||||
bad destinations, so that these destinations do not ruin the
|
||||
performance of normal
|
||||
mail deliveries. </p>
|
||||
|
||||
<h2><a name="proc_limit">Tuning the number of Postfix processes</a></h2>
|
||||
@ -573,6 +589,20 @@ errors. </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> Depending on your Postfix and operating system versions
|
||||
you may need to recompile Postfix if you need more than 1024 file
|
||||
descriptors per process: </p>
|
||||
|
||||
<ul> <li> <p> No recompilation is needed for Postfix version 2.4
|
||||
and later, when it was compiled for systems that support BSD kqueue(2)
|
||||
(FreeBSD 4.1, NetBSD 2.0, OpenBSD 2.9), Solaris 8 /dev/poll, or
|
||||
Linux 2.6 epoll(4). </p>
|
||||
|
||||
<li> <p> Otherwise, Postfix needs to be recompiled to override the
|
||||
default FD_SETSIZE value. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<li> <p> Reduce the number of processes as described under "<a
|
||||
href="#proc_limit">Tuning the number of Postfix processes</a>" above.
|
||||
Fewer processes need fewer open files and sockets. </p>
|
||||
@ -585,7 +615,8 @@ with your system tuning guide: </p>
|
||||
<ul>
|
||||
|
||||
<li> <p> Some FreeBSD kernel parameters can be specified in
|
||||
/boot/loader.conf, and some can be changed with sysctl commands.
|
||||
/boot/loader.conf, and some can be specified in /etc/sysctl.conf
|
||||
or changed with sysctl commands.
|
||||
Which is which depends on the version.
|
||||
</p>
|
||||
|
||||
@ -598,7 +629,7 @@ kern.maxfilesperproc="16384"
|
||||
</pre>
|
||||
|
||||
<li> <p> Linux kernel parameters can be specified in /etc/sysctl.conf
|
||||
and can also be changed with sysctl commands: </p>
|
||||
or changed with sysctl commands: </p>
|
||||
|
||||
<pre>
|
||||
fs.file-max=16384
|
||||
@ -607,7 +638,7 @@ kernel.threads-max=2048
|
||||
|
||||
<li> <p> Solaris kernel parameters can be specified in /etc/system,
|
||||
as described in the <a
|
||||
href="http://www.science.uva.nl/pub/solaris/solaris2.html#q3.46">Solaris
|
||||
href="http://www.science.uva.nl/pub/solaris/solaris2.html#q3.48">Solaris
|
||||
FAQ</a> entry titled "How can I increase the number of file
|
||||
descriptors per process?" </p>
|
||||
|
||||
|
@ -1,71 +0,0 @@
|
||||
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
|
||||
"http://www.w3.org/TR/html4/loose.dtd">
|
||||
|
||||
<html>
|
||||
|
||||
<head>
|
||||
|
||||
<title>Postfix and Ultrix </title>
|
||||
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
|
||||
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix and Ultrix </h1>
|
||||
|
||||
<hr>
|
||||
|
||||
<h2> Postfix on Ultrix </h2>
|
||||
|
||||
<p> This document is probably only of historical value, because
|
||||
Ultrix version 4 dates from the early 1990s. However, as long as
|
||||
Wietse keeps Postfix alive for SunOS 4, it is likely to run on
|
||||
Ultrix 4 with very little change. Feedback is welcome if anyone
|
||||
actually still uses Postfix on any version of Ultrix. </p>
|
||||
|
||||
<p> The source of this document is an email message by Christian von Roques
|
||||
that was sent on Jun 2, 1999. </p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p> I've upgraded the MTA of our DECstation-3100 running Ultrix4.3a to
|
||||
postfix-19990317-pl05 and am sending you the patches I needed to get
|
||||
it running under Ultrix. </p>
|
||||
|
||||
<p> . . . </p>
|
||||
|
||||
<p> One of the bugs of Ultrix's /bin/sh is that shell-variables
|
||||
set in arguments of `:' expand to garbage if expanded in here-documents.
|
||||
Using a different shell helps. I needed to replace all calls of
|
||||
``sh .../makedefs'' by ``$(SHELL) .../makedefs'' in all the
|
||||
Makefile.in and am now able to use ``make SHELL=/bin/sh5'' or zsh.
|
||||
|
||||
<p> . . . </p>
|
||||
|
||||
<p> Ultrix's FD_SET_SIZE is 4096, but getdtablesize()
|
||||
returns 64 by default, if not increased when building a new
|
||||
kernel. getrlimit() doesn't know RLIMIT_NOFILE. This makes
|
||||
event_init() always log the warning: `could allocate space for
|
||||
only 64 open files'. </p>
|
||||
|
||||
<p> I just reduced the threshold from 256 to 64, but this is not good.
|
||||
The initial problem still remains: How to disable this warning on
|
||||
Ultrix without making the source ugly? </p>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p> To work around the first problem, all the Makefile.in files
|
||||
have been updated to use `$(SHELL)' instead of `sh'. So you only
|
||||
need to supply a non-default shell in order to eliminate Ultrix
|
||||
shell trouble. </p>
|
||||
|
||||
<p> To work around the latter, util/sys_defs.h was updated for
|
||||
Ultrix, with a default FD_SETSIZE of 100. This should be sufficient
|
||||
for a workstation. Even in 1999, no-one would run a major mail hub
|
||||
on Ultrix 4. </p>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
@ -17,34 +17,35 @@ ACCESS(5) ACCESS(5)
|
||||
<b>postmap -q - /etc/postfix/access</b> <<i>inputfile</i>
|
||||
|
||||
<b>DESCRIPTION</b>
|
||||
The Postfix SMTP server supports access control on remote
|
||||
SMTP client information: host names, network addresses,
|
||||
and envelope sender or recipient addresses. See
|
||||
<b><a href="postconf.5.html#header_checks">header_checks</a></b>(5) or <b><a href="postconf.5.html#body_checks">body_checks</a></b>(5) for access control on
|
||||
the content of email messages.
|
||||
This document describes access control on remote SMTP
|
||||
client information: host names, network addresses, and
|
||||
envelope sender or recipient addresses; it is implemented
|
||||
by the Postfix SMTP server. See <b><a href="postconf.5.html#header_checks">header_checks</a></b>(5) or
|
||||
<b><a href="postconf.5.html#body_checks">body_checks</a></b>(5) for access control on the content of email
|
||||
messages.
|
||||
|
||||
Normally, the <a href="access.5.html"><b>access</b>(5)</a> table is specified as a text file
|
||||
that serves as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command. The
|
||||
result, an indexed file in <b>dbm</b> or <b>db</b> format, is used for
|
||||
fast searching by the mail system. Execute the command
|
||||
"<b>postmap /etc/postfix/access</b>" to rebuild an indexed file
|
||||
Normally, the <a href="access.5.html"><b>access</b>(5)</a> table is specified as a text file
|
||||
that serves as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command. The
|
||||
result, an indexed file in <b>dbm</b> or <b>db</b> format, is used for
|
||||
fast searching by the mail system. Execute the command
|
||||
"<b>postmap /etc/postfix/access</b>" to rebuild an indexed file
|
||||
after changing the corresponding text file.
|
||||
|
||||
When the table is provided via other means such as NIS,
|
||||
LDAP or SQL, the same lookups are done as for ordinary
|
||||
When the table is provided via other means such as NIS,
|
||||
LDAP or SQL, the same lookups are done as for ordinary
|
||||
indexed files.
|
||||
|
||||
Alternatively, the table can be provided as a regular-
|
||||
Alternatively, the table can be provided as a regular-
|
||||
expression map where patterns are given as regular expres-
|
||||
sions, or lookups can be directed to TCP-based server. In
|
||||
those cases, the lookups are done in a slightly different
|
||||
way as described below under "REGULAR EXPRESSION TABLES"
|
||||
sions, or lookups can be directed to TCP-based server. In
|
||||
those cases, the lookups are done in a slightly different
|
||||
way as described below under "REGULAR EXPRESSION TABLES"
|
||||
or "TCP-BASED TABLES".
|
||||
|
||||
<b>CASE FOLDING</b>
|
||||
The search string is folded to lowercase before database
|
||||
lookup. As of Postfix 2.3, the search string is not case
|
||||
folded with database types such as <a href="regexp_table.5.html">regexp</a>: or <a href="pcre_table.5.html">pcre</a>: whose
|
||||
The search string is folded to lowercase before database
|
||||
lookup. As of Postfix 2.3, the search string is not case
|
||||
folded with database types such as <a href="regexp_table.5.html">regexp</a>: or <a href="pcre_table.5.html">pcre</a>: whose
|
||||
lookup fields can match both upper and lower case.
|
||||
|
||||
<b>TABLE FORMAT</b>
|
||||
@ -55,53 +56,53 @@ ACCESS(5) ACCESS(5)
|
||||
address, perform the corresponding <i>action</i>.
|
||||
|
||||
blank lines and comments
|
||||
Empty lines and whitespace-only lines are ignored,
|
||||
as are lines whose first non-whitespace character
|
||||
Empty lines and whitespace-only lines are ignored,
|
||||
as are lines whose first non-whitespace character
|
||||
is a `#'.
|
||||
|
||||
multi-line text
|
||||
A logical line starts with non-whitespace text. A
|
||||
line that starts with whitespace continues a logi-
|
||||
A logical line starts with non-whitespace text. A
|
||||
line that starts with whitespace continues a logi-
|
||||
cal line.
|
||||
|
||||
<b>EMAIL ADDRESS PATTERNS</b>
|
||||
With lookups from indexed files such as DB or DBM, or from
|
||||
networked tables such as NIS, LDAP or SQL, patterns are
|
||||
networked tables such as NIS, LDAP or SQL, patterns are
|
||||
tried in the order as listed below:
|
||||
|
||||
<i>user</i>@<i>domain</i>
|
||||
Matches the specified mail address.
|
||||
|
||||
<i>domain.tld</i>
|
||||
Matches <i>domain.tld</i> as the domain part of an email
|
||||
Matches <i>domain.tld</i> as the domain part of an email
|
||||
address.
|
||||
|
||||
The pattern <i>domain.tld</i> also matches subdomains, but
|
||||
only when the string <b>smtpd_access_maps</b> is listed in
|
||||
the Postfix <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a></b> con-
|
||||
figuration setting (note that this is the default
|
||||
for some versions of Postfix). Otherwise, specify
|
||||
<i>.domain.tld</i> (note the initial dot) in order to
|
||||
the Postfix <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a></b> con-
|
||||
figuration setting (note that this is the default
|
||||
for some versions of Postfix). Otherwise, specify
|
||||
<i>.domain.tld</i> (note the initial dot) in order to
|
||||
match subdomains.
|
||||
|
||||
<i>user</i>@ Matches all mail addresses with the specified user
|
||||
<i>user</i>@ Matches all mail addresses with the specified user
|
||||
part.
|
||||
|
||||
Note: lookup of the null sender address is not possible
|
||||
with some types of lookup table. By default, Postfix uses
|
||||
<> as the lookup key for such addresses. The value is
|
||||
specified with the <b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a></b> parameter
|
||||
Note: lookup of the null sender address is not possible
|
||||
with some types of lookup table. By default, Postfix uses
|
||||
<> as the lookup key for such addresses. The value is
|
||||
specified with the <b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a></b> parameter
|
||||
in the Postfix <a href="postconf.5.html"><b>main.cf</b></a> file.
|
||||
|
||||
<b>EMAIL ADDRESS EXTENSION</b>
|
||||
When a mail address localpart contains the optional recip-
|
||||
ient delimiter (e.g., <i>user+foo</i>@<i>domain</i>), the lookup order
|
||||
becomes: <i>user+foo</i>@<i>domain</i>, <i>user</i>@<i>domain</i>, <i>domain</i>, <i>user+foo</i>@,
|
||||
ient delimiter (e.g., <i>user+foo</i>@<i>domain</i>), the lookup order
|
||||
becomes: <i>user+foo</i>@<i>domain</i>, <i>user</i>@<i>domain</i>, <i>domain</i>, <i>user+foo</i>@,
|
||||
and <i>user</i>@.
|
||||
|
||||
<b>HOST NAME/ADDRESS PATTERNS</b>
|
||||
With lookups from indexed files such as DB or DBM, or from
|
||||
networked tables such as NIS, LDAP or SQL, the following
|
||||
networked tables such as NIS, LDAP or SQL, the following
|
||||
lookup patterns are examined in the order as listed:
|
||||
|
||||
<i>domain.tld</i>
|
||||
@ -109,9 +110,9 @@ ACCESS(5) ACCESS(5)
|
||||
|
||||
The pattern <i>domain.tld</i> also matches subdomains, but
|
||||
only when the string <b>smtpd_access_maps</b> is listed in
|
||||
the Postfix <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a></b> con-
|
||||
the Postfix <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a></b> con-
|
||||
figuration setting. Otherwise, specify <i>.domain.tld</i>
|
||||
(note the initial dot) in order to match subdo-
|
||||
(note the initial dot) in order to match subdo-
|
||||
mains.
|
||||
|
||||
<i>net.work.addr.ess</i>
|
||||
@ -120,21 +121,21 @@ ACCESS(5) ACCESS(5)
|
||||
|
||||
<i>net.work</i>
|
||||
|
||||
<i>net</i> Matches the specified IPv4 host address or subnet-
|
||||
work. An IPv4 host address is a sequence of four
|
||||
<i>net</i> Matches the specified IPv4 host address or subnet-
|
||||
work. An IPv4 host address is a sequence of four
|
||||
decimal octets separated by ".".
|
||||
|
||||
Subnetworks are matched by repeatedly truncating
|
||||
Subnetworks are matched by repeatedly truncating
|
||||
the last ".octet" from the remote IPv4 host address
|
||||
string until a match is found in the access table,
|
||||
string until a match is found in the access table,
|
||||
or until further truncation is not possible.
|
||||
|
||||
NOTE 1: The information in the access map should be
|
||||
in canonical form, with unnecessary null characters
|
||||
eliminated. Address information must not be
|
||||
eliminated. Address information must not be
|
||||
enclosed with "[]" characters.
|
||||
|
||||
NOTE 2: use the <b>cidr</b> lookup table type to specify
|
||||
NOTE 2: use the <b>cidr</b> lookup table type to specify
|
||||
network/netmask patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for
|
||||
details.
|
||||
|
||||
@ -144,12 +145,12 @@ ACCESS(5) ACCESS(5)
|
||||
|
||||
<i>net:work</i>
|
||||
|
||||
<i>net</i> Matches the specified IPv6 host address or subnet-
|
||||
work. An IPv6 host address is a sequence of three
|
||||
to eight hexadecimal octet pairs separated by ":".
|
||||
<i>net</i> Matches the specified IPv6 host address or subnet-
|
||||
work. An IPv6 host address is a sequence of three
|
||||
to eight hexadecimal octet pairs separated by ":".
|
||||
|
||||
Subnetworks are matched by repeatedly truncating
|
||||
the last ":octetpair" from the remote IPv6 host
|
||||
Subnetworks are matched by repeatedly truncating
|
||||
the last ":octetpair" from the remote IPv6 host
|
||||
address string until a match is found in the access
|
||||
table, or until further truncation is not possible.
|
||||
|
||||
@ -159,10 +160,10 @@ ACCESS(5) ACCESS(5)
|
||||
|
||||
NOTE 2: The information in the access map should be
|
||||
in canonical form, with unnecessary null characters
|
||||
eliminated. Address information must not be
|
||||
eliminated. Address information must not be
|
||||
enclosed with "[]" characters.
|
||||
|
||||
NOTE 3: use the <b>cidr</b> lookup table type to specify
|
||||
NOTE 3: use the <b>cidr</b> lookup table type to specify
|
||||
network/netmask patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for
|
||||
details.
|
||||
|
||||
@ -173,48 +174,48 @@ ACCESS(5) ACCESS(5)
|
||||
|
||||
<i>all-numerical</i>
|
||||
An all-numerical result is treated as OK. This for-
|
||||
mat is generated by address-based relay authoriza-
|
||||
mat is generated by address-based relay authoriza-
|
||||
tion schemes such as pop-before-smtp.
|
||||
|
||||
<b>REJECT ACTIONS</b>
|
||||
Postfix version 2.3 and later support enhanced status
|
||||
codes as defined in <a href="http://www.faqs.org/rfcs/rfc3463.html">RFC 3463</a>. When no code is specified
|
||||
at the beginning of the <i>text</i> below, Postfix inserts a
|
||||
default enhanced status code of "5.7.1" in the case of
|
||||
reject actions, and "4.7.1" in the case of defer actions.
|
||||
Postfix version 2.3 and later support enhanced status
|
||||
codes as defined in <a href="http://www.faqs.org/rfcs/rfc3463.html">RFC 3463</a>. When no code is specified
|
||||
at the beginning of the <i>text</i> below, Postfix inserts a
|
||||
default enhanced status code of "5.7.1" in the case of
|
||||
reject actions, and "4.7.1" in the case of defer actions.
|
||||
See "ENHANCED STATUS CODES" below.
|
||||
|
||||
<b>4</b><i>NN text</i>
|
||||
|
||||
<b>5</b><i>NN text</i>
|
||||
Reject the address etc. that matches the pattern,
|
||||
Reject the address etc. that matches the pattern,
|
||||
and respond with the numerical three-digit code and
|
||||
text. <b>4</b><i>NN</i> means "try again later", while <b>5</b><i>NN</i> means
|
||||
text. <b>4</b><i>NN</i> means "try again later", while <b>5</b><i>NN</i> means
|
||||
"do not try again".
|
||||
|
||||
The reply code "421" causes Postfix to disconnect
|
||||
The reply code "421" causes Postfix to disconnect
|
||||
immediately (Postfix version 2.3 and later).
|
||||
|
||||
<b>REJECT</b> <i>optional text...</i>
|
||||
Reject the address etc. that matches the pattern.
|
||||
Reply with <i>$reject</i><b>_</b><i>code optional text...</i> when the
|
||||
optional text is specified, otherwise reply with a
|
||||
Reject the address etc. that matches the pattern.
|
||||
Reply with <i>$reject</i><b>_</b><i>code optional text...</i> when the
|
||||
optional text is specified, otherwise reply with a
|
||||
generic error response message.
|
||||
|
||||
<b>DEFER_IF_REJECT</b> <i>optional text...</i>
|
||||
Defer the request if some later restriction would
|
||||
result in a REJECT action. Reply with "<b>450 4.7.1</b>
|
||||
<i>optional text...</i> when the optional text is speci-
|
||||
Defer the request if some later restriction would
|
||||
result in a REJECT action. Reply with "<b>450 4.7.1</b>
|
||||
<i>optional text...</i> when the optional text is speci-
|
||||
fied, otherwise reply with a generic error response
|
||||
message.
|
||||
|
||||
This feature is available in Postfix 2.1 and later.
|
||||
|
||||
<b>DEFER_IF_PERMIT</b> <i>optional text...</i>
|
||||
Defer the request if some later restriction would
|
||||
result in a an explicit or implicit PERMIT action.
|
||||
Reply with "<b>450 4.7.1</b> <i>optional text...</i> when the
|
||||
optional text is specified, otherwise reply with a
|
||||
Defer the request if some later restriction would
|
||||
result in a an explicit or implicit PERMIT action.
|
||||
Reply with "<b>450 4.7.1</b> <i>optional text...</i> when the
|
||||
optional text is specified, otherwise reply with a
|
||||
generic error response message.
|
||||
|
||||
This feature is available in Postfix 2.1 and later.
|
||||
@ -225,158 +226,158 @@ ACCESS(5) ACCESS(5)
|
||||
<b><a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a></b>, and so on).
|
||||
|
||||
<b>DISCARD</b> <i>optional text...</i>
|
||||
Claim successful delivery and silently discard the
|
||||
message. Log the optional text if specified, oth-
|
||||
Claim successful delivery and silently discard the
|
||||
message. Log the optional text if specified, oth-
|
||||
erwise log a generic message.
|
||||
|
||||
Note: this action currently affects all recipients
|
||||
of the message. To discard only one recipient
|
||||
without discarding the entire message, use the
|
||||
Note: this action currently affects all recipients
|
||||
of the message. To discard only one recipient
|
||||
without discarding the entire message, use the
|
||||
<a href="transport.5.html">transport(5)</a> table to direct mail to the <a href="discard.8.html">discard(8)</a>
|
||||
service.
|
||||
|
||||
This feature is available in Postfix 2.0 and later.
|
||||
|
||||
<b>DUNNO</b> Pretend that the lookup key was not found. This
|
||||
prevents Postfix from trying substrings of the
|
||||
lookup key (such as a subdomain name, or a network
|
||||
<b>DUNNO</b> Pretend that the lookup key was not found. This
|
||||
prevents Postfix from trying substrings of the
|
||||
lookup key (such as a subdomain name, or a network
|
||||
address subnetwork).
|
||||
|
||||
This feature is available in Postfix 2.0 and later.
|
||||
|
||||
<b>FILTER</b> <i>transport:destination</i>
|
||||
After the message is queued, send the entire mes-
|
||||
After the message is queued, send the entire mes-
|
||||
sage through the specified external content filter.
|
||||
The <i>transport:destination</i> syntax is described in
|
||||
the <a href="transport.5.html"><b>transport</b>(5)</a> manual page. More information
|
||||
about external content filters is in the Postfix
|
||||
The <i>transport:destination</i> syntax is described in
|
||||
the <a href="transport.5.html"><b>transport</b>(5)</a> manual page. More information
|
||||
about external content filters is in the Postfix
|
||||
<a href="FILTER_README.html">FILTER_README</a> file.
|
||||
|
||||
Note: this action overrides the <a href="postconf.5.html"><b>main.cf</a> <a href="postconf.5.html#content_filter">con</a>-</b>
|
||||
<b><a href="postconf.5.html#content_filter">tent_filter</a></b> setting, and currently affects all
|
||||
recipients of the message.
|
||||
Note: this action overrides the <b><a href="postconf.5.html#content_filter">content_filter</a></b> set-
|
||||
ting, and currently affects all recipients of the
|
||||
message.
|
||||
|
||||
This feature is available in Postfix 2.0 and later.
|
||||
|
||||
<b>HOLD</b> <i>optional text...</i>
|
||||
Place the message on the <b>hold</b> queue, where it will
|
||||
sit until someone either deletes it or releases it
|
||||
for delivery. Log the optional text if specified,
|
||||
Place the message on the <b>hold</b> queue, where it will
|
||||
sit until someone either deletes it or releases it
|
||||
for delivery. Log the optional text if specified,
|
||||
otherwise log a generic message.
|
||||
|
||||
Mail that is placed on hold can be examined with
|
||||
the <a href="postcat.1.html"><b>postcat</b>(1)</a> command, and can be destroyed or
|
||||
Mail that is placed on hold can be examined with
|
||||
the <a href="postcat.1.html"><b>postcat</b>(1)</a> command, and can be destroyed or
|
||||
released with the <a href="postsuper.1.html"><b>postsuper</b>(1)</a> command.
|
||||
|
||||
Note: use "<b>postsuper -r</b>" to release mail that was
|
||||
kept on hold for a significant fraction of <b>$<a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
|
||||
Note: use "<b>postsuper -r</b>" to release mail that was
|
||||
kept on hold for a significant fraction of <b>$<a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
|
||||
<b><a href="postconf.5.html#maximal_queue_lifetime">mal_queue_lifetime</a></b> or <b>$<a href="postconf.5.html#bounce_queue_lifetime">bounce_queue_lifetime</a></b>, or
|
||||
longer. Use "<b>postsuper -H</b>" only for mail that will
|
||||
longer. Use "<b>postsuper -H</b>" only for mail that will
|
||||
not expire within a few delivery attempts.
|
||||
|
||||
Note: this action currently affects all recipients
|
||||
Note: this action currently affects all recipients
|
||||
of the message.
|
||||
|
||||
This feature is available in Postfix 2.0 and later.
|
||||
|
||||
<b>PREPEND</b> <i>headername: headervalue</i>
|
||||
Prepend the specified message header to the mes-
|
||||
sage. When more than one PREPEND action executes,
|
||||
the first prepended header appears before the sec-
|
||||
Prepend the specified message header to the mes-
|
||||
sage. When more than one PREPEND action executes,
|
||||
the first prepended header appears before the sec-
|
||||
ond etc. prepended header.
|
||||
|
||||
Note: this action must execute before the message
|
||||
content is received; it cannot execute in the con-
|
||||
Note: this action must execute before the message
|
||||
content is received; it cannot execute in the con-
|
||||
text of <b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a></b>.
|
||||
|
||||
This feature is available in Postfix 2.1 and later.
|
||||
|
||||
<b>REDIRECT</b> <i>user@domain</i>
|
||||
After the message is queued, send the message to
|
||||
After the message is queued, send the message to
|
||||
the specified address instead of the intended
|
||||
recipient(s).
|
||||
|
||||
Note: this action overrides the FILTER action, and
|
||||
Note: this action overrides the FILTER action, and
|
||||
currently affects all recipients of the message.
|
||||
|
||||
This feature is available in Postfix 2.1 and later.
|
||||
|
||||
<b>WARN</b> <i>optional text...</i>
|
||||
Log a warning with the optional text, together with
|
||||
client information and if available, with helo,
|
||||
client information and if available, with helo,
|
||||
sender, recipient and protocol information.
|
||||
|
||||
This feature is available in Postfix 2.1 and later.
|
||||
|
||||
<b>ENHANCED STATUS CODES</b>
|
||||
Postfix version 2.3 and later support enhanced status
|
||||
codes as defined in <a href="http://www.faqs.org/rfcs/rfc3463.html">RFC 3463</a>. When an enhanced status
|
||||
code is specified in an access table, it is subject to
|
||||
modification. The following transformations are needed
|
||||
when the same access table is used for client, helo,
|
||||
sender, or recipient access restrictions; they happen
|
||||
Postfix version 2.3 and later support enhanced status
|
||||
codes as defined in <a href="http://www.faqs.org/rfcs/rfc3463.html">RFC 3463</a>. When an enhanced status
|
||||
code is specified in an access table, it is subject to
|
||||
modification. The following transformations are needed
|
||||
when the same access table is used for client, helo,
|
||||
sender, or recipient access restrictions; they happen
|
||||
regardless of whether Postfix replies to a MAIL FROM, RCPT
|
||||
TO or other SMTP command.
|
||||
|
||||
<b>o</b> When a sender address matches a REJECT action, the
|
||||
Postfix SMTP server will transform a recipient DSN
|
||||
status (e.g., 4.1.1-4.1.6) into the corresponding
|
||||
<b>o</b> When a sender address matches a REJECT action, the
|
||||
Postfix SMTP server will transform a recipient DSN
|
||||
status (e.g., 4.1.1-4.1.6) into the corresponding
|
||||
sender DSN status, and vice versa.
|
||||
|
||||
<b>o</b> When non-address information matches a REJECT
|
||||
action (such as the HELO command argument or the
|
||||
client hostname/address), the Postfix SMTP server
|
||||
will transform a sender or recipient DSN status
|
||||
into a generic non-address DSN status (e.g.,
|
||||
<b>o</b> When non-address information matches a REJECT
|
||||
action (such as the HELO command argument or the
|
||||
client hostname/address), the Postfix SMTP server
|
||||
will transform a sender or recipient DSN status
|
||||
into a generic non-address DSN status (e.g.,
|
||||
4.0.0).
|
||||
|
||||
<b>REGULAR EXPRESSION TABLES</b>
|
||||
This section describes how the table lookups change when
|
||||
This section describes how the table lookups change when
|
||||
the table is given in the form of regular expressions. For
|
||||
a description of regular expression lookup table syntax,
|
||||
a description of regular expression lookup table syntax,
|
||||
see <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>.
|
||||
|
||||
Each pattern is a regular expression that is applied to
|
||||
Each pattern is a regular expression that is applied to
|
||||
the entire string being looked up. Depending on the appli-
|
||||
cation, that string is an entire client hostname, an
|
||||
cation, that string is an entire client hostname, an
|
||||
entire client IP address, or an entire mail address. Thus,
|
||||
no parent domain or parent network search is done,
|
||||
<i>user@domain</i> mail addresses are not broken up into their
|
||||
<i>user@domain</i> mail addresses are not broken up into their
|
||||
<i>user@</i> and <i>domain</i> constituent parts, nor is <i>user+foo</i> broken
|
||||
up into <i>user</i> and <i>foo</i>.
|
||||
|
||||
Patterns are applied in the order as specified in the ta-
|
||||
ble, until a pattern is found that matches the search
|
||||
Patterns are applied in the order as specified in the ta-
|
||||
ble, until a pattern is found that matches the search
|
||||
string.
|
||||
|
||||
Actions are the same as with indexed file lookups, with
|
||||
the additional feature that parenthesized substrings from
|
||||
Actions are the same as with indexed file lookups, with
|
||||
the additional feature that parenthesized substrings from
|
||||
the pattern can be interpolated as <b>$1</b>, <b>$2</b> and so on.
|
||||
|
||||
<b>TCP-BASED TABLES</b>
|
||||
This section describes how the table lookups change when
|
||||
This section describes how the table lookups change when
|
||||
lookups are directed to a TCP-based server. For a descrip-
|
||||
tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
|
||||
<a href="tcp_table.5.html"><b>ble</b>(5)</a>. This feature is not available up to and including
|
||||
Postfix version 2.4.
|
||||
|
||||
Each lookup operation uses the entire query string once.
|
||||
Depending on the application, that string is an entire
|
||||
Each lookup operation uses the entire query string once.
|
||||
Depending on the application, that string is an entire
|
||||
client hostname, an entire client IP address, or an entire
|
||||
mail address. Thus, no parent domain or parent network
|
||||
search is done, <i>user@domain</i> mail addresses are not broken
|
||||
up into their <i>user@</i> and <i>domain</i> constituent parts, nor is
|
||||
mail address. Thus, no parent domain or parent network
|
||||
search is done, <i>user@domain</i> mail addresses are not broken
|
||||
up into their <i>user@</i> and <i>domain</i> constituent parts, nor is
|
||||
<i>user+foo</i> broken up into <i>user</i> and <i>foo</i>.
|
||||
|
||||
Actions are the same as with indexed file lookups.
|
||||
|
||||
<b>EXAMPLE</b>
|
||||
The following example uses an indexed file, so that the
|
||||
order of table entries does not matter. The example per-
|
||||
mits access by the client at address 1.2.3.4 but rejects
|
||||
all other clients in 1.2.3.0/24. Instead of <b>hash</b> lookup
|
||||
tables, some systems use <b>dbm</b>. Use the command "<b>postconf</b>
|
||||
<b>-m</b>" to find out what lookup tables Postfix supports on
|
||||
The following example uses an indexed file, so that the
|
||||
order of table entries does not matter. The example per-
|
||||
mits access by the client at address 1.2.3.4 but rejects
|
||||
all other clients in 1.2.3.0/24. Instead of <b>hash</b> lookup
|
||||
tables, some systems use <b>dbm</b>. Use the command "<b>postconf</b>
|
||||
<b>-m</b>" to find out what lookup tables Postfix supports on
|
||||
your system.
|
||||
|
||||
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
|
||||
@ -391,7 +392,7 @@ ACCESS(5) ACCESS(5)
|
||||
editing the file.
|
||||
|
||||
<b>BUGS</b>
|
||||
The table format does not understand quoting conventions.
|
||||
The table format does not understand quoting conventions.
|
||||
|
||||
<b>SEE ALSO</b>
|
||||
<a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager
|
||||
@ -404,7 +405,7 @@ ACCESS(5) ACCESS(5)
|
||||
<a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
|
||||
|
||||
<b>LICENSE</b>
|
||||
The Secure Mailer license must be distributed with this
|
||||
The Secure Mailer license must be distributed with this
|
||||
software.
|
||||
|
||||
<b>AUTHOR(S)</b>
|
||||
|
@ -7,7 +7,7 @@
|
||||
HEADER_CHECKS(5) HEADER_CHECKS(5)
|
||||
|
||||
<b>NAME</b>
|
||||
<a href="postconf.5.html#header_checks">header_checks</a> - Postfix built-in header/body inspection
|
||||
<a href="postconf.5.html#header_checks">header_checks</a> - Postfix built-in content inspection
|
||||
|
||||
<b>SYNOPSIS</b>
|
||||
<b><a href="postconf.5.html#header_checks">header_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/header_checks</b>
|
||||
@ -19,48 +19,49 @@ HEADER_CHECKS(5) HEADER_CHECKS(5)
|
||||
<b>postmap -fq - <a href="pcre_table.5.html">pcre</a>:/etc/postfix/</b><i>filename</i> <<i>inputfile</i>
|
||||
|
||||
<b>DESCRIPTION</b>
|
||||
The Postfix <a href="cleanup.8.html"><b>cleanup</b>(8)</a> server supports access control on
|
||||
the content of message headers and message body lines.
|
||||
See <a href="access.5.html"><b>access</b>(5)</a> for access control on remote SMTP client
|
||||
This document describes access control on the content of
|
||||
message headers and message body lines; it is implemented
|
||||
by the Postfix <a href="cleanup.8.html">cleanup(8)</a> server before mail is queued.
|
||||
See <a href="access.5.html"><b>access</b>(5)</a> for access control on remote SMTP client
|
||||
information.
|
||||
|
||||
Each message header or message body line is compared
|
||||
against a list of patterns. When a match is found the
|
||||
Each message header or message body line is compared
|
||||
against a list of patterns. When a match is found the
|
||||
corresponding action is executed, and the matching process
|
||||
is repeated for the next message header or message body
|
||||
is repeated for the next message header or message body
|
||||
line.
|
||||
|
||||
For examples, see the EXAMPLES section at the end of this
|
||||
For examples, see the EXAMPLES section at the end of this
|
||||
manual page.
|
||||
|
||||
Postfix header or <a href="postconf.5.html#body_checks">body_checks</a> are designed to stop a flood
|
||||
of mail from worms or viruses; they do not decode attach-
|
||||
ments, and they do not unzip archives. See the documents
|
||||
referenced below in the README FILES section if you need
|
||||
of mail from worms or viruses; they do not decode attach-
|
||||
ments, and they do not unzip archives. See the documents
|
||||
referenced below in the README FILES section if you need
|
||||
more sophisticated content analysis.
|
||||
|
||||
Postfix supports four built-in content inspection classes:
|
||||
|
||||
<b><a href="postconf.5.html#header_checks">header_checks</a></b>
|
||||
These are applied to initial message headers
|
||||
(except for the headers that are processed with
|
||||
These are applied to initial message headers
|
||||
(except for the headers that are processed with
|
||||
<b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>).
|
||||
|
||||
<b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b> (default: <b>$<a href="postconf.5.html#header_checks">header_checks</a></b>)
|
||||
These are applied to MIME related message headers
|
||||
These are applied to MIME related message headers
|
||||
only.
|
||||
|
||||
This feature is available in Postfix 2.0 and later.
|
||||
|
||||
<b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b> (default: <b>$<a href="postconf.5.html#header_checks">header_checks</a></b>)
|
||||
These are applied to message headers of attached
|
||||
email messages (except for the headers that are
|
||||
These are applied to message headers of attached
|
||||
email messages (except for the headers that are
|
||||
processed with <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>).
|
||||
|
||||
This feature is available in Postfix 2.0 and later.
|
||||
|
||||
<b><a href="postconf.5.html#body_checks">body_checks</a></b>
|
||||
These are applied to all other content, including
|
||||
These are applied to all other content, including
|
||||
multi-part message boundaries.
|
||||
|
||||
With Postfix versions before 2.0, all content after
|
||||
@ -68,73 +69,73 @@ HEADER_CHECKS(5) HEADER_CHECKS(5)
|
||||
tent.
|
||||
|
||||
Note: message headers are examined one logical header at a
|
||||
time, even when a message header spans multiple lines.
|
||||
time, even when a message header spans multiple lines.
|
||||
Body lines are always examined one line at a time.
|
||||
|
||||
<b>TABLE FORMAT</b>
|
||||
This document assumes that header and <a href="postconf.5.html#body_checks">body_checks</a> rules
|
||||
are specified in the form of Postfix regular expression
|
||||
lookup tables. Usually the best performance is obtained
|
||||
This document assumes that header and <a href="postconf.5.html#body_checks">body_checks</a> rules
|
||||
are specified in the form of Postfix regular expression
|
||||
lookup tables. Usually the best performance is obtained
|
||||
with <b>pcre</b> (Perl Compatible Regular Expression) tables, but
|
||||
the slower <b>regexp</b> (POSIX regular expressions) support is
|
||||
more widely available. Use the command "<b>postconf -m</b>" to
|
||||
find out what lookup table types your Postfix system sup-
|
||||
the slower <b>regexp</b> (POSIX regular expressions) support is
|
||||
more widely available. Use the command "<b>postconf -m</b>" to
|
||||
find out what lookup table types your Postfix system sup-
|
||||
ports.
|
||||
|
||||
The general format of Postfix regular expression tables is
|
||||
given below. For a discussion of specific pattern or
|
||||
flags syntax, see <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a> or <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a>,
|
||||
given below. For a discussion of specific pattern or
|
||||
flags syntax, see <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a> or <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a>,
|
||||
respectively.
|
||||
|
||||
<b>/</b><i>pattern</i><b>/</b><i>flags action</i>
|
||||
When <i>pattern</i> matches the input string, execute the
|
||||
corresponding <i>action</i>. See below for a list of pos-
|
||||
When <i>pattern</i> matches the input string, execute the
|
||||
corresponding <i>action</i>. See below for a list of pos-
|
||||
sible actions.
|
||||
|
||||
<b>!/</b><i>pattern</i><b>/</b><i>flags action</i>
|
||||
When <i>pattern</i> does <b>not</b> match the input string, exe-
|
||||
When <i>pattern</i> does <b>not</b> match the input string, exe-
|
||||
cute the corresponding <i>action</i>.
|
||||
|
||||
<b>if /</b><i>pattern</i><b>/</b><i>flags</i>
|
||||
|
||||
<b>endif</b> Match the input string against the patterns between
|
||||
<b>if</b> and <b>endif</b>, if and only if the input string also
|
||||
matches <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
|
||||
<b>if</b> and <b>endif</b>, if and only if the same input string
|
||||
also matches <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
|
||||
|
||||
Note: do not prepend whitespace to patterns inside
|
||||
Note: do not prepend whitespace to patterns inside
|
||||
<b>if</b>..<b>endif</b>.
|
||||
|
||||
<b>if !/</b><i>pattern</i><b>/</b><i>flags</i>
|
||||
|
||||
<b>endif</b> Match the input string against the patterns between
|
||||
<b>if</b> and <b>endif</b>, if and only if the input string does
|
||||
<b>not</b> match <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
|
||||
<b>if</b> and <b>endif</b>, if and only if the same input string
|
||||
does <b>not</b> match <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
|
||||
|
||||
blank lines and comments
|
||||
Empty lines and whitespace-only lines are ignored,
|
||||
as are lines whose first non-whitespace character
|
||||
Empty lines and whitespace-only lines are ignored,
|
||||
as are lines whose first non-whitespace character
|
||||
is a `#'.
|
||||
|
||||
multi-line text
|
||||
A pattern/action line starts with non-whitespace
|
||||
text. A line that starts with whitespace continues
|
||||
A pattern/action line starts with non-whitespace
|
||||
text. A line that starts with whitespace continues
|
||||
a logical line.
|
||||
|
||||
<b>TABLE SEARCH ORDER</b>
|
||||
For each line of message input, the patterns are applied
|
||||
in the order as specified in the table. When a pattern is
|
||||
found that matches the input line, the corresponding
|
||||
action is executed and then the next input line is
|
||||
For each line of message input, the patterns are applied
|
||||
in the order as specified in the table. When a pattern is
|
||||
found that matches the input line, the corresponding
|
||||
action is executed and then the next input line is
|
||||
inspected.
|
||||
|
||||
<b>TEXT SUBSTITUTION</b>
|
||||
Substitution of substrings from the matched expression
|
||||
into the <i>action</i> string is possible using the conventional
|
||||
Perl syntax (<b>$1</b>, <b>$2</b>, etc.). The macros in the result
|
||||
string may need to be written as <b>${n}</b> or <b>$(n)</b> if they
|
||||
Substitution of substrings from the matched expression
|
||||
into the <i>action</i> string is possible using the conventional
|
||||
Perl syntax (<b>$1</b>, <b>$2</b>, etc.). The macros in the result
|
||||
string may need to be written as <b>${n}</b> or <b>$(n)</b> if they
|
||||
aren't followed by whitespace.
|
||||
|
||||
Note: since negated patterns (those preceded by <b>!</b>) return
|
||||
Note: since negated patterns (those preceded by <b>!</b>) return
|
||||
a result when the expression does not match, substitutions
|
||||
are not available for negated patterns.
|
||||
|
||||
@ -143,12 +144,12 @@ HEADER_CHECKS(5) HEADER_CHECKS(5)
|
||||
case for consistency with other Postfix documentation.
|
||||
|
||||
<b>DISCARD</b> <i>optional text...</i>
|
||||
Claim successful delivery and silently discard the
|
||||
message. Log the optional text if specified, oth-
|
||||
Claim successful delivery and silently discard the
|
||||
message. Log the optional text if specified, oth-
|
||||
erwise log a generic message.
|
||||
|
||||
Note: this action disables further header or
|
||||
<a href="postconf.5.html#body_checks">body_checks</a> inspection of the current message and
|
||||
Note: this action disables further header or
|
||||
<a href="postconf.5.html#body_checks">body_checks</a> inspection of the current message and
|
||||
affects all recipients. To discard only one recip-
|
||||
ient without discarding the entire message, use the
|
||||
<a href="transport.5.html">transport(5)</a> table to direct mail to the <a href="discard.8.html">discard(8)</a>
|
||||
@ -156,74 +157,74 @@ HEADER_CHECKS(5) HEADER_CHECKS(5)
|
||||
|
||||
This feature is available in Postfix 2.0 and later.
|
||||
|
||||
<b>DUNNO</b> Pretend that the input line did not match any pat-
|
||||
tern, and inspect the next input line. This action
|
||||
<b>DUNNO</b> Pretend that the input line did not match any pat-
|
||||
tern, and inspect the next input line. This action
|
||||
can be used to shorten the table search.
|
||||
|
||||
For backwards compatibility reasons, Postfix also
|
||||
accepts <b>OK</b> but it is (and always has been) treated
|
||||
For backwards compatibility reasons, Postfix also
|
||||
accepts <b>OK</b> but it is (and always has been) treated
|
||||
as <b>DUNNO</b>.
|
||||
|
||||
This feature is available in Postfix 2.1 and later.
|
||||
|
||||
<b>FILTER</b> <i>transport:destination</i>
|
||||
Write a content filter request to the queue file
|
||||
and inspect the next input line. After the com-
|
||||
plete message is received it will be sent through
|
||||
Write a content filter request to the queue file,
|
||||
and inspect the next input line. After the com-
|
||||
plete message is received it will be sent through
|
||||
the specified external content filter. More infor-
|
||||
mation about external content filters is in the
|
||||
mation about external content filters is in the
|
||||
Postfix <a href="FILTER_README.html">FILTER_README</a> file.
|
||||
|
||||
Note: this action overrides the <a href="postconf.5.html"><b>main.cf</a> <a href="postconf.5.html#content_filter">con</a>-</b>
|
||||
<b><a href="postconf.5.html#content_filter">tent_filter</a></b> setting, and affects all recipients of
|
||||
the message. In the case that multiple <b>FILTER</b>
|
||||
actions fire, only the last one is executed.
|
||||
Note: this action overrides the <b><a href="postconf.5.html#content_filter">content_filter</a></b> set-
|
||||
ting, and affects all recipients of the message. In
|
||||
the case that multiple <b>FILTER</b> actions fire, only
|
||||
the last one is executed.
|
||||
|
||||
This feature is available in Postfix 2.0 and later.
|
||||
|
||||
<b>HOLD</b> <i>optional text...</i>
|
||||
Arrange for the message to be placed on the <b>hold</b>
|
||||
queue, and inspect the next input line. The mes-
|
||||
sage remains on <b>hold</b> until someone either deletes
|
||||
it or releases it for delivery. Log the optional
|
||||
Arrange for the message to be placed on the <b>hold</b>
|
||||
queue, and inspect the next input line. The mes-
|
||||
sage remains on <b>hold</b> until someone either deletes
|
||||
it or releases it for delivery. Log the optional
|
||||
text if specified, otherwise log a generic message.
|
||||
|
||||
Mail that is placed on hold can be examined with
|
||||
the <a href="postcat.1.html"><b>postcat</b>(1)</a> command, and can be destroyed or
|
||||
Mail that is placed on hold can be examined with
|
||||
the <a href="postcat.1.html"><b>postcat</b>(1)</a> command, and can be destroyed or
|
||||
released with the <a href="postsuper.1.html"><b>postsuper</b>(1)</a> command.
|
||||
|
||||
Note: use "<b>postsuper -r</b>" to release mail that was
|
||||
kept on hold for a significant fraction of <b>$<a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
|
||||
Note: use "<b>postsuper -r</b>" to release mail that was
|
||||
kept on hold for a significant fraction of <b>$<a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
|
||||
<b><a href="postconf.5.html#maximal_queue_lifetime">mal_queue_lifetime</a></b> or <b>$<a href="postconf.5.html#bounce_queue_lifetime">bounce_queue_lifetime</a></b>, or
|
||||
longer. Use "<b>postsuper -H</b>" only for mail that will
|
||||
longer. Use "<b>postsuper -H</b>" only for mail that will
|
||||
not expire within a few delivery attempts.
|
||||
|
||||
Note: this action affects all recipients of the
|
||||
Note: this action affects all recipients of the
|
||||
message.
|
||||
|
||||
This feature is available in Postfix 2.0 and later.
|
||||
|
||||
<b>IGNORE</b> Delete the current line from the input and inspect
|
||||
<b>IGNORE</b> Delete the current line from the input, and inspect
|
||||
the next input line.
|
||||
|
||||
<b>PREPEND</b> <i>text...</i>
|
||||
Prepend one line with the specified text and
|
||||
Prepend one line with the specified text, and
|
||||
inspect the next input line.
|
||||
|
||||
Notes:
|
||||
|
||||
<b>o</b> The prepended text is output on a separate
|
||||
<b>o</b> The prepended text is output on a separate
|
||||
line, immediately before the input that
|
||||
triggered the <b>PREPEND</b> action.
|
||||
|
||||
<b>o</b> The prepended text is not considered part of
|
||||
the input stream: it is not subject to
|
||||
the input stream: it is not subject to
|
||||
header/body checks or address rewriting, and
|
||||
it does not affect the way that Postfix adds
|
||||
missing message headers.
|
||||
|
||||
<b>o</b> When prepending text before a message header
|
||||
line, the prepended text must begin with a
|
||||
line, the prepended text must begin with a
|
||||
valid message header label.
|
||||
|
||||
<b>o</b> This action cannot be used to prepend multi-
|
||||
@ -232,46 +233,46 @@ HEADER_CHECKS(5) HEADER_CHECKS(5)
|
||||
This feature is available in Postfix 2.1 and later.
|
||||
|
||||
<b>REDIRECT</b> <i>user@domain</i>
|
||||
Write a message redirection request to the queue
|
||||
file and inspect the next input line. After the
|
||||
Write a message redirection request to the queue
|
||||
file, and inspect the next input line. After the
|
||||
message is queued, it will be sent to the specified
|
||||
address instead of the intended recipient(s).
|
||||
|
||||
Note: this action overrides the <b>FILTER</b> action, and
|
||||
affects all recipients of the message. If multiple
|
||||
<b>REDIRECT</b> actions fire, only the last one is exe-
|
||||
Note: this action overrides the <b>FILTER</b> action, and
|
||||
affects all recipients of the message. If multiple
|
||||
<b>REDIRECT</b> actions fire, only the last one is exe-
|
||||
cuted.
|
||||
|
||||
This feature is available in Postfix 2.1 and later.
|
||||
|
||||
<b>REPLACE</b> <i>text...</i>
|
||||
Replace the current line with the specified text
|
||||
Replace the current line with the specified text,
|
||||
and inspect the next input line.
|
||||
|
||||
This feature is available in Postfix 2.2 and later.
|
||||
The description below applies to Postfix 2.2.2 and
|
||||
The description below applies to Postfix 2.2.2 and
|
||||
later.
|
||||
|
||||
Notes:
|
||||
|
||||
<b>o</b> When replacing a message header line, the
|
||||
replacement text must begin with a valid
|
||||
<b>o</b> When replacing a message header line, the
|
||||
replacement text must begin with a valid
|
||||
header label.
|
||||
|
||||
<b>o</b> The replaced text remains part of the input
|
||||
stream. Unlike the result from the <b>PREPEND</b>
|
||||
action, a replaced message header may be
|
||||
subject to address rewriting and may affect
|
||||
the way that Postfix adds missing message
|
||||
<b>o</b> The replaced text remains part of the input
|
||||
stream. Unlike the result from the <b>PREPEND</b>
|
||||
action, a replaced message header may be
|
||||
subject to address rewriting and may affect
|
||||
the way that Postfix adds missing message
|
||||
headers.
|
||||
|
||||
<b>REJECT</b> <i>optional text...</i>
|
||||
Reject the entire message. Reply with <i>optional</i>
|
||||
Reject the entire message. Reply with <i>optional</i>
|
||||
<i>text...</i> when the optional text is specified, other-
|
||||
wise reply with a generic error message.
|
||||
|
||||
Note: this action disables further header or
|
||||
<a href="postconf.5.html#body_checks">body_checks</a> inspection of the current message and
|
||||
Note: this action disables further header or
|
||||
<a href="postconf.5.html#body_checks">body_checks</a> inspection of the current message and
|
||||
affects all recipients.
|
||||
|
||||
Postfix version 2.3 and later support enhanced sta-
|
||||
@ -280,26 +281,32 @@ HEADER_CHECKS(5) HEADER_CHECKS(5)
|
||||
enhanced status code of "5.7.1".
|
||||
|
||||
<b>WARN</b> <i>optional text...</i>
|
||||
Log a warning with the <i>optional text...</i> (or log a
|
||||
generic message) and inspect the next input line.
|
||||
Log a warning with the <i>optional text...</i> (or log a
|
||||
generic message), and inspect the next input line.
|
||||
This action is useful for debugging and for testing
|
||||
a pattern before applying more drastic actions.
|
||||
|
||||
<b>BUGS</b>
|
||||
Many people overlook the main limitations of header and
|
||||
<a href="postconf.5.html#body_checks">body_checks</a> rules. These rules operate on one logical
|
||||
message header or one body line at a time, and a decision
|
||||
made for one line is not carried over to the next line.
|
||||
If text in the message body is encoded (<a href="http://www.faqs.org/rfcs/rfc2045.html">RFC 2045</a>) then the
|
||||
rules have to specified for the encoded form. Likewise,
|
||||
when message headers are encoded (<a href="http://www.faqs.org/rfcs/rfc2047.html">RFC 2047</a>) then the rules
|
||||
need to be specified for the encoded form.
|
||||
Many people overlook the main limitations of header and
|
||||
<a href="postconf.5.html#body_checks">body_checks</a> rules.
|
||||
|
||||
Message headers added by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon itself are
|
||||
<b>o</b> These rules operate on one logical message header
|
||||
or one body line at a time. A decision made for one
|
||||
line is not carried over to the next line.
|
||||
|
||||
<b>o</b> If text in the message body is encoded (<a href="http://www.faqs.org/rfcs/rfc2045.html">RFC 2045</a>)
|
||||
then the rules have to specified for the encoded
|
||||
form.
|
||||
|
||||
<b>o</b> Likewise, when message headers are encoded (<a href="http://www.faqs.org/rfcs/rfc2047.html">RFC</a>
|
||||
<a href="http://www.faqs.org/rfcs/rfc2047.html">2047</a>) then the rules need to be specified for the
|
||||
encoded form.
|
||||
|
||||
Message headers added by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon itself are
|
||||
excluded from inspection. Examples of such message headers
|
||||
are <b>From:</b>, <b>To:</b>, <b>Message-ID:</b>, <b>Date:</b>.
|
||||
|
||||
Message headers deleted by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon will be
|
||||
Message headers deleted by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon will be
|
||||
examined before they are deleted. Examples are: <b>Bcc:, Con-</b>
|
||||
<b>tent-Length:</b>, <b>Return-Path:</b>.
|
||||
|
||||
@ -307,11 +314,11 @@ HEADER_CHECKS(5) HEADER_CHECKS(5)
|
||||
<b><a href="postconf.5.html#body_checks">body_checks</a></b>
|
||||
Lookup tables with content filter rules for message
|
||||
body lines. These filters see one physical line at
|
||||
a time, in chunks of at most <b>$<a href="postconf.5.html#line_length_limit">line_length_limit</a></b>
|
||||
a time, in chunks of at most <b>$<a href="postconf.5.html#line_length_limit">line_length_limit</a></b>
|
||||
bytes.
|
||||
|
||||
<b><a href="postconf.5.html#body_checks_size_limit">body_checks_size_limit</a></b>
|
||||
The amount of content per message body segment
|
||||
The amount of content per message body segment
|
||||
(attachment) that is subjected to <b>$<a href="postconf.5.html#body_checks">body_checks</a></b> fil-
|
||||
tering.
|
||||
|
||||
@ -321,32 +328,32 @@ HEADER_CHECKS(5) HEADER_CHECKS(5)
|
||||
|
||||
<b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b> (default: <b>$<a href="postconf.5.html#header_checks">header_checks</a></b>)
|
||||
Lookup tables with content filter rules for message
|
||||
header lines: respectively, these are applied to
|
||||
the initial message headers (not including MIME
|
||||
headers), to the MIME headers anywhere in the mes-
|
||||
sage, and to the initial headers of attached mes-
|
||||
header lines: respectively, these are applied to
|
||||
the initial message headers (not including MIME
|
||||
headers), to the MIME headers anywhere in the mes-
|
||||
sage, and to the initial headers of attached mes-
|
||||
sages.
|
||||
|
||||
Note: these filters see one logical message header
|
||||
at a time, even when a message header spans multi-
|
||||
ple lines. Message headers that are longer than
|
||||
Note: these filters see one logical message header
|
||||
at a time, even when a message header spans multi-
|
||||
ple lines. Message headers that are longer than
|
||||
<b>$<a href="postconf.5.html#header_size_limit">header_size_limit</a></b> characters are truncated.
|
||||
|
||||
<b><a href="postconf.5.html#disable_mime_input_processing">disable_mime_input_processing</a></b>
|
||||
While receiving mail, give no special treatment to
|
||||
MIME related message headers; all text after the
|
||||
While receiving mail, give no special treatment to
|
||||
MIME related message headers; all text after the
|
||||
initial message headers is considered to be part of
|
||||
the message body. This means that <b><a href="postconf.5.html#header_checks">header_checks</a></b> is
|
||||
applied to all the initial message headers, and
|
||||
the message body. This means that <b><a href="postconf.5.html#header_checks">header_checks</a></b> is
|
||||
applied to all the initial message headers, and
|
||||
that <b><a href="postconf.5.html#body_checks">body_checks</a></b> is applied to the remainder of the
|
||||
message.
|
||||
|
||||
Note: when used in this manner, <b><a href="postconf.5.html#body_checks">body_checks</a></b> will
|
||||
process a multi-line message header one line at a
|
||||
Note: when used in this manner, <b><a href="postconf.5.html#body_checks">body_checks</a></b> will
|
||||
process a multi-line message header one line at a
|
||||
time.
|
||||
|
||||
<b>EXAMPLES</b>
|
||||
Header pattern to block attachments with bad file name
|
||||
Header pattern to block attachments with bad file name
|
||||
extensions.
|
||||
|
||||
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
|
||||
@ -384,7 +391,7 @@ HEADER_CHECKS(5) HEADER_CHECKS(5)
|
||||
<a href="BACKSCATTER_README.html">BACKSCATTER_README</a>, blocking returned forged mail
|
||||
|
||||
<b>LICENSE</b>
|
||||
The Secure Mailer license must be distributed with this
|
||||
The Secure Mailer license must be distributed with this
|
||||
software.
|
||||
|
||||
<b>AUTHOR(S)</b>
|
||||
|
@ -58,8 +58,6 @@ configuration examples </a>
|
||||
|
||||
<li> <a href="DEBUG_README.html"> Debugging strategies </a>
|
||||
|
||||
<li> Error messages (*)
|
||||
|
||||
</ul>
|
||||
|
||||
<p><strong>Content inspection </strong></p>
|
||||
@ -134,8 +132,6 @@ Per-client/user/etc. access </a>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> qmail/ezmlm support (*)
|
||||
|
||||
<li> <a href="VERP_README.html"> VERP Support </a>
|
||||
|
||||
</ul>
|
||||
@ -152,20 +148,14 @@ Per-client/user/etc. access </a>
|
||||
|
||||
<li> <a href="NFS_README.html"> NFS issues </a>
|
||||
|
||||
<li> <a href="ULTRIX_README.html"> Ultrix support </a>
|
||||
|
||||
</ul>
|
||||
|
||||
<p><strong> Other mail delivery agents </strong></p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> Cyrus (*)
|
||||
|
||||
<li> <a href="MAILDROP_README.html"> Maildrop </a>
|
||||
|
||||
<li> LMTP (*)
|
||||
|
||||
</ul>
|
||||
|
||||
<p><strong> Other topics </strong></p>
|
||||
@ -200,10 +190,6 @@ Recipients </a>
|
||||
|
||||
</td>
|
||||
|
||||
<tr> <td colspan="3"> <font size="-1"> (*) These documents will be
|
||||
made available via <a href="http://www.postfix.org/">
|
||||
http://www.postfix.org/</a> and mirror sites. </font> </td> </tr>
|
||||
|
||||
</table>
|
||||
|
||||
</body>
|
||||
|
@ -374,29 +374,30 @@ LDAP_TABLE(5) LDAP_TABLE(5)
|
||||
|
||||
terminal_result_attribute = maildrop
|
||||
|
||||
This feature is available with Postfix >= 2.4.
|
||||
This feature is available with Postfix 2.4 or
|
||||
later.
|
||||
|
||||
<b>leaf_result_attribute (default: empty)</b>
|
||||
When one or more special result attributes are
|
||||
found in a non-terminal (see above) LDAP entry,
|
||||
When one or more special result attributes are
|
||||
found in a non-terminal (see above) LDAP entry,
|
||||
leaf result attributes are excluded from the expan-
|
||||
sion of that entry. This is useful when expanding
|
||||
sion of that entry. This is useful when expanding
|
||||
groups and the desired mail address attribute(s) of
|
||||
the member objects obtained via DN or URI recursion
|
||||
are also present in the group object. To only
|
||||
return the attribute values from the leaf objects
|
||||
and not the containing group, add the attribute to
|
||||
the leaf_result_attribute list, and not the
|
||||
result_attribute list, which is always expanded.
|
||||
Note, the default value of "result_attribute" is
|
||||
not empty, you may want to set it explicitly empty
|
||||
when using "leaf_result_attribute" to expand the
|
||||
group to a list of member DN addresses. If groups
|
||||
have both member DN references AND attributes that
|
||||
hold multiple string valued rfc822 addresses, then
|
||||
the string attributes go in "result_attribute".
|
||||
The attributes that represent the email addresses
|
||||
of objects referenced via a DN (or LDAP URI) go in
|
||||
are also present in the group object. To only
|
||||
return the attribute values from the leaf objects
|
||||
and not the containing group, add the attribute to
|
||||
the leaf_result_attribute list, and not the
|
||||
result_attribute list, which is always expanded.
|
||||
Note, the default value of "result_attribute" is
|
||||
not empty, you may want to set it explicitly empty
|
||||
when using "leaf_result_attribute" to expand the
|
||||
group to a list of member DN addresses. If groups
|
||||
have both member DN references AND attributes that
|
||||
hold multiple string valued rfc822 addresses, then
|
||||
the string attributes go in "result_attribute".
|
||||
The attributes that represent the email addresses
|
||||
of objects referenced via a DN (or LDAP URI) go in
|
||||
"leaf_result_attribute".
|
||||
|
||||
result_attribute = memberaddr
|
||||
@ -404,7 +405,8 @@ LDAP_TABLE(5) LDAP_TABLE(5)
|
||||
terminal_result_attribute = maildrop
|
||||
leaf_result_attribute = mail
|
||||
|
||||
This feature is available with Postfix >= 2.4.
|
||||
This feature is available with Postfix 2.4 or
|
||||
later.
|
||||
|
||||
<b>scope (default: sub)</b>
|
||||
The LDAP search scope: <b>sub</b>, <b>base</b>, or <b>one</b>. These
|
||||
|
@ -674,8 +674,8 @@ are calculated.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
This feature is implemented by the <a href="anvil.8.html">anvil(8)</a> service which is not
|
||||
part of the stable Postfix version 2.1 release.
|
||||
This feature is implemented by the <a href="anvil.8.html">anvil(8)</a> service which is available
|
||||
in Postfix version 2.2 and later.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
@ -5254,17 +5254,18 @@ This feature is available in Postfix 2.0 and later.
|
||||
</DD>
|
||||
|
||||
<DT><b><a name="minimal_backoff_time">minimal_backoff_time</a>
|
||||
(default: version dependent)</b></DT><DD>
|
||||
(default: 300s)</b></DT><DD>
|
||||
|
||||
<p>
|
||||
The minimal time between attempts to deliver a deferred message;
|
||||
prior to Postfix 2.4 the default value was 1000s.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
The minimal time between attempts to deliver a deferred message.
|
||||
This parameter also limits the time an unreachable destination is
|
||||
kept in the short-term, in-memory, destination status cache.
|
||||
</p>
|
||||
|
||||
<p> With Postfix 2.4 the default value was reduced from 1000s to
|
||||
300s. </p>
|
||||
|
||||
<p> This parameter should be set greater than or equal to
|
||||
$<a href="postconf.5.html#queue_run_delay">queue_run_delay</a>. See also $<a href="postconf.5.html#maximal_backoff_time">maximal_backoff_time</a>. </p>
|
||||
|
||||
@ -6057,14 +6058,11 @@ zero means there is no minimum required amount of free space.
|
||||
</DD>
|
||||
|
||||
<DT><b><a name="queue_run_delay">queue_run_delay</a>
|
||||
(default: version dependent)</b></DT><DD>
|
||||
(default: 300s)</b></DT><DD>
|
||||
|
||||
<p>
|
||||
The time between <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> scans by the queue manager.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
With Postfix 2.4 the default value was reduced from 1000s to 300s.
|
||||
The time between <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> scans by the queue manager;
|
||||
prior to Postfix 2.4 the default value was 1000s.
|
||||
</p>
|
||||
|
||||
<p> This parameter should be set less than or equal to
|
||||
@ -8476,7 +8474,7 @@ and higher the optional "ciphers" attribute overrides the <a href="postconf.5.ht
|
||||
<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter and the optional "protocols"
|
||||
keyword overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> parameter.
|
||||
In the policy table, multiple protocols must be separated by colons,
|
||||
as attribute values may not contain whitespace or commas. </p>
|
||||
as attribute values may not contain whitespace or commas. </dd>
|
||||
|
||||
<dt><b>verify</b></dt> <dd>Mandatory TLS verification. At this security
|
||||
level, DNS MX lookups are trusted to be secure enough, and the name
|
||||
|
@ -374,6 +374,14 @@ Rhapsody.5*|Darwin.*)
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
"Mac OS".10.[0-3]*)
|
||||
SYSTYPE=MACOSX
|
||||
# Use the native compiler by default
|
||||
: ${CC=cc}
|
||||
AWK=gawk
|
||||
CCARGS="$CCARGS -DNO_KQUEUE"
|
||||
;;
|
||||
|
||||
"Mac OS".10*) SYSTYPE=MACOSX
|
||||
# Use the native compiler by default
|
||||
: ${CC=cc}
|
||||
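Review bot: The new pattern `"Mac OS".10.[0-3]*)` is a shell glob, so `[0-3]*` means one digit from 0 to 3 followed by anything. A release string such as 10.10 or 10.25 would therefore also take this branch and be built with `-DNO_KQUEUE` and `AWK=gawk`. If only 10.0 through 10.3 are meant, anchor the minor version, for example `"Mac OS".10.[0-3]|"Mac OS".10.[0-3].*)`. The enclosing `case` statement starts and ends outside the hunk, so the exact format of the matched string is inferred from the patterns shown.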
|
@ -16,10 +16,10 @@ Postfix SMTP server access table
|
||||
.SH DESCRIPTION
|
||||
.ad
|
||||
.fi
|
||||
The Postfix SMTP server supports access control on remote
|
||||
SMTP client information: host names, network addresses, and
|
||||
envelope sender
|
||||
or recipient addresses. See \fBheader_checks\fR(5) or
|
||||
This document describes access control on remote SMTP client
|
||||
information: host names, network addresses, and envelope
|
||||
sender or recipient addresses; it is implemented by the
|
||||
Postfix SMTP server. See \fBheader_checks\fR(5) or
|
||||
\fBbody_checks\fR(5) for access control on the content of
|
||||
email messages.
|
||||
|
||||
@ -239,7 +239,7 @@ syntax is described in the \fBtransport\fR(5) manual page.
|
||||
More information
|
||||
about external content filters is in the Postfix FILTER_README file.
|
||||
.sp
|
||||
Note: this action overrides the \fBmain.cf content_filter\fR setting,
|
||||
Note: this action overrides the \fBcontent_filter\fR setting,
|
||||
and currently affects all recipients of the message.
|
||||
.sp
|
||||
This feature is available in Postfix 2.0 and later.
|
||||
|
@ -4,7 +4,7 @@
|
||||
.SH NAME
|
||||
header_checks
|
||||
\-
|
||||
Postfix built-in header/body inspection
|
||||
Postfix built-in content inspection
|
||||
.SH "SYNOPSIS"
|
||||
.na
|
||||
.nf
|
||||
@ -22,8 +22,9 @@ Postfix built-in header/body inspection
|
||||
.SH DESCRIPTION
|
||||
.ad
|
||||
.fi
|
||||
The Postfix \fBcleanup\fR(8) server supports access control
|
||||
on the content of message headers and message body lines.
|
||||
This document describes access control on the content of
|
||||
message headers and message body lines; it is implemented
|
||||
by the Postfix cleanup(8) server before mail is queued.
|
||||
See \fBaccess\fR(5) for access control on remote SMTP client
|
||||
information.
|
||||
|
||||
@ -92,16 +93,17 @@ execute the corresponding \fIaction\fR.
|
||||
.IP "\fBif /\fIpattern\fB/\fIflags\fR"
|
||||
.IP "\fBendif\fR"
|
||||
Match the input string against the patterns between \fBif\fR
|
||||
and \fBendif\fR, if and only if the input string also matches
|
||||
\fIpattern\fR. The \fBif\fR..\fBendif\fR can nest.
|
||||
and \fBendif\fR, if and only if the same input string also
|
||||
matches \fIpattern\fR. The \fBif\fR..\fBendif\fR can nest.
|
||||
.sp
|
||||
Note: do not prepend whitespace to patterns inside
|
||||
\fBif\fR..\fBendif\fR.
|
||||
.IP "\fBif !/\fIpattern\fB/\fIflags\fR"
|
||||
.IP "\fBendif\fR"
|
||||
Match the input string against the patterns between \fBif\fR
|
||||
and \fBendif\fR, if and only if the input string does \fBnot\fR
|
||||
match \fIpattern\fR. The \fBif\fR..\fBendif\fR can nest.
|
||||
and \fBendif\fR, if and only if the same input string does
|
||||
\fBnot\fR match \fIpattern\fR. The \fBif\fR..\fBendif\fR
|
||||
can nest.
|
||||
.IP "blank lines and comments"
|
||||
Empty lines and whitespace-only lines are ignored, as
|
||||
are lines whose first non-whitespace character is a `#'.
|
||||
@ -159,13 +161,13 @@ For backwards compatibility reasons, Postfix also accepts
|
||||
.sp
|
||||
This feature is available in Postfix 2.1 and later.
|
||||
.IP "\fBFILTER \fItransport:destination\fR"
|
||||
Write a content filter request to the queue file and
|
||||
Write a content filter request to the queue file, and
|
||||
inspect the next input line.
|
||||
After the complete message is received it will be sent through
|
||||
the specified external content filter. More information about
|
||||
external content filters is in the Postfix FILTER_README file.
|
||||
.sp
|
||||
Note: this action overrides the \fBmain.cf content_filter\fR setting,
|
||||
Note: this action overrides the \fBcontent_filter\fR setting,
|
||||
and affects all recipients of the message. In the case that multiple
|
||||
\fBFILTER\fR actions fire, only the last one is executed.
|
||||
.sp
|
||||
@ -190,10 +192,10 @@ Note: this action affects all recipients of the message.
|
||||
.sp
|
||||
This feature is available in Postfix 2.0 and later.
|
||||
.IP \fBIGNORE\fR
|
||||
Delete the current line from the input and inspect
|
||||
Delete the current line from the input, and inspect
|
||||
the next input line.
|
||||
.IP "\fBPREPEND \fItext...\fR"
|
||||
Prepend one line with the specified text and inspect the next
|
||||
Prepend one line with the specified text, and inspect the next
|
||||
input line.
|
||||
.sp
|
||||
Notes:
|
||||
@ -215,7 +217,7 @@ This action cannot be used to prepend multi-line text.
|
||||
.IP
|
||||
This feature is available in Postfix 2.1 and later.
|
||||
.IP "\fBREDIRECT \fIuser@domain\fR"
|
||||
Write a message redirection request to the queue file and
|
||||
Write a message redirection request to the queue file, and
|
||||
inspect the next input line. After the message is queued,
|
||||
it will be sent to the specified address instead of the
|
||||
intended recipient(s).
|
||||
@ -226,7 +228,7 @@ fire, only the last one is executed.
|
||||
.sp
|
||||
This feature is available in Postfix 2.1 and later.
|
||||
.IP "\fBREPLACE \fItext...\fR"
|
||||
Replace the current line with the specified text and inspect the next
|
||||
Replace the current line with the specified text, and inspect the next
|
||||
input line.
|
||||
.sp
|
||||
This feature is available in Postfix 2.2 and later. The
|
||||
@ -257,21 +259,27 @@ text...\fR, Postfix inserts a default enhanced status code of
|
||||
"5.7.1".
|
||||
.IP "\fBWARN \fIoptional text...\fR
|
||||
Log a warning with the \fIoptional text...\fR (or log a
|
||||
generic message) and inspect the next input line. This
|
||||
generic message), and inspect the next input line. This
|
||||
action is useful for debugging and for testing a pattern
|
||||
before applying more drastic actions.
|
||||
.SH BUGS
|
||||
.ad
|
||||
.fi
|
||||
Many people overlook the main limitations of header and body_checks
|
||||
rules. These rules operate on one logical message header or one body
|
||||
line at a time, and a decision made for one line is not carried over
|
||||
to the next line. If text in the message body is encoded
|
||||
rules.
|
||||
.IP \(bu
|
||||
These rules operate on one logical message header or one body
|
||||
line at a time. A decision made for one line is not carried over
|
||||
to the next line.
|
||||
.IP \(bu
|
||||
If text in the message body is encoded
|
||||
(RFC 2045) then the rules have to specified for the encoded
|
||||
form. Likewise, when message headers are encoded (RFC
|
||||
form.
|
||||
.IP \(bu
|
||||
Likewise, when message headers are encoded (RFC
|
||||
2047) then the rules need to be specified for the encoded
|
||||
form.
|
||||
|
||||
.PP
|
||||
Message headers added by the \fBcleanup\fR(8) daemon itself
|
||||
are excluded from inspection. Examples of such message headers
|
||||
are \fBFrom:\fR, \fBTo:\fR, \fBMessage-ID:\fR, \fBDate:\fR.
|
||||
|
@ -352,7 +352,7 @@ other special processing.
|
||||
.ti +4
|
||||
terminal_result_attribute = maildrop
|
||||
|
||||
This feature is available with Postfix >= 2.4.
|
||||
This feature is available with Postfix 2.4 or later.
|
||||
.IP "\fBleaf_result_attribute (default: empty)\fR"
|
||||
When one or more special result attributes are found in a non-terminal
|
||||
(see above) LDAP entry, leaf result attributes are excluded from the
|
||||
@ -380,7 +380,7 @@ terminal_result_attribute = maildrop
|
||||
leaf_result_attribute = mail
|
||||
.in -4
|
||||
|
||||
This feature is available with Postfix >= 2.4.
|
||||
This feature is available with Postfix 2.4 or later.
|
||||
.IP "\fBscope (default: sub)\fR"
|
||||
The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR.
|
||||
These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
|
||||
|
@ -368,8 +368,8 @@ generates itself.
|
||||
The time unit over which client connection rates and other rates
|
||||
are calculated.
|
||||
.PP
|
||||
This feature is implemented by the \fBanvil\fR(8) service which is not
|
||||
part of the stable Postfix version 2.1 release.
|
||||
This feature is implemented by the \fBanvil\fR(8) service which is available
|
||||
in Postfix version 2.2 and later.
|
||||
.PP
|
||||
The default interval is relatively short. Because of the high
|
||||
frequency of updates, the \fBanvil\fR(8) server uses volatile memory
|
||||
@ -2850,14 +2850,13 @@ The maximal recursion level that the MIME processor will handle.
|
||||
Postfix refuses mail that is nested deeper than the specified limit.
|
||||
.PP
|
||||
This feature is available in Postfix 2.0 and later.
|
||||
.SH minimal_backoff_time (default: version dependent)
|
||||
The minimal time between attempts to deliver a deferred message.
|
||||
.SH minimal_backoff_time (default: 300s)
|
||||
The minimal time between attempts to deliver a deferred message;
|
||||
prior to Postfix 2.4 the default value was 1000s.
|
||||
.PP
|
||||
This parameter also limits the time an unreachable destination is
|
||||
kept in the short-term, in-memory, destination status cache.
|
||||
.PP
|
||||
With Postfix 2.4 the default value was reduced from 1000s to
|
||||
300s.
|
||||
.PP
|
||||
This parameter should be set greater than or equal to
|
||||
$queue_run_delay. See also $maximal_backoff_time.
|
||||
.PP
|
||||
@ -3306,10 +3305,9 @@ value that is at least 1.5*$message_size_limit.
|
||||
.PP
|
||||
With Postfix versions 2.0 and earlier, a queue_minfree value of
|
||||
zero means there is no minimum required amount of free space.
|
||||
.SH queue_run_delay (default: version dependent)
|
||||
The time between deferred queue scans by the queue manager.
|
||||
.PP
|
||||
With Postfix 2.4 the default value was reduced from 1000s to 300s.
|
||||
.SH queue_run_delay (default: 300s)
|
||||
The time between deferred queue scans by the queue manager;
|
||||
prior to Postfix 2.4 the default value was 1000s.
|
||||
.PP
|
||||
This parameter should be set less than or equal to
|
||||
$minimal_backoff_time. See also $maximal_backoff_time.
|
||||
|
@ -14,7 +14,7 @@ while (<>) {
|
||||
|
||||
{
|
||||
Again:
|
||||
if (/-[<\/bB>]*$/) {
|
||||
if (/(-[<\/bB>]*|RFC)$/) {
|
||||
$_ .= "\n";
|
||||
$len1 = length;
|
||||
$_ .= <>;
|
||||
@ -778,7 +778,13 @@ while (<>) {
|
||||
s;\bmilter_unknown_command_macros\b;<a href="postconf.5.html#milter_unknown_command_macros">$&</a>;g;
|
||||
s;\bmilter_end_of_data_macros\b;<a href="postconf.5.html#milter_end_of_data_macros">$&</a>;g;
|
||||
|
||||
# Split *README, parameter or restriction hyperlinks across line breaks
|
||||
# Hyperlink URLs and RFC documents
|
||||
|
||||
s/(http:\/\/[^ ,"\(\)]*[^ ,"\(\):;!?.])/<a href="$1">$1<\/a>/;
|
||||
s/(ftp:\/\/[^ ,"\(\)]*[^ ,"\(\):;!?.])/<a href="$1">$1<\/a>/;
|
||||
s/\bRFC\s*([1-9]\d*)/<a href="http:\/\/www.faqs.org\/rfcs\/rfc$1.html">$&<\/a>/;
|
||||
|
||||
# Split README/RFC/parameter/restriction hyperlinks that span line breaks
|
||||
|
||||
s/(<a href="[^"]*">)([-A-Za-z0-9_]*)\b([-<\/bB>]*\n *[<bB>]*)\b([-A-Za-z0-9_]*)(<\/a>)/$1$2$5$3$1$4$5/;
|
||||
|
||||
@ -787,12 +793,6 @@ while (<>) {
|
||||
s/(<a href="[^"]*">)([<bB>]*[-a-zA-Z0-9._]*[<bB>]*)<\/a>\1/$1$2/g;
|
||||
s/(<a href="[^"]*">)([<bB>]*[-a-zA-Z0-9._]*[<bB>]*)<\/a>\1/$1$2/g;
|
||||
|
||||
# Hyperlink URLs and RFC documents
|
||||
|
||||
s/(http:\/\/[^ ,"\(\)]*[^ ,"\(\):;!?.])/<a href="$1">$1<\/a>/;
|
||||
s/(ftp:\/\/[^ ,"\(\)]*[^ ,"\(\):;!?.])/<a href="$1">$1<\/a>/;
|
||||
s/\bRFC *([1-9]\d*)/<a href="http:\/\/www.faqs.org\/rfcs\/rfc$1.html">$&<\/a>/;
|
||||
|
||||
# Hyperlink phrases not in headers.
|
||||
|
||||
if (/<\/*h\d>/) {
|
||||
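Review bot: The relocated RFC substitution `s/\bRFC\s*([1-9]\d*)/.../;` has no `/g`, so it links only the first reference in a record. When the new `Again:` test joins two lines because the first ends in `RFC`, an earlier reference on that line (say `RFC 2045 ... RFC` followed by `2047`) takes the only substitution, and the wrapped reference this commit targets stays unlinked unless code outside the hunks re-applies it. Adding the flag covers that case: `s/\bRFC\s*([1-9]\d*)/<a href="http:\/\/www.faqs.org\/rfcs\/rfc$1.html">$&<\/a>/g;`. The two URL substitutions above it have the same single-match limit. The block also now has to run before the "Split ... hyperlinks that span line breaks" step, which merits a comment such as `# must run before the split step below, which breaks a joined RFC anchor at the line break`; the enclosing `while (<>)` loop starts and ends outside the hunks.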
|
@ -53,8 +53,9 @@ address classes are very important for the operation of Postfix. </p>
|
||||
<li> <p> The list of domains that are a member of the class: for
|
||||
example, all local domains, or all relay domains. </p>
|
||||
|
||||
<li> <p> The default delivery method. For example, the local or
|
||||
smtp delivery agent. This helps to keep Postfix configurations
|
||||
<li> <p> The default delivery transport. For example, the local or
|
||||
relay delivery transport (delivery transports are defined in
|
||||
master.cf). This helps to keep Postfix configurations
|
||||
simple. </p>
|
||||
|
||||
<li> <p> The list of valid recipient addresses for that address
|
||||
|
@ -229,7 +229,10 @@ MAILER-DAEMON messages. </p>
|
||||
<p> Recipient address verification is relatively straightforward
|
||||
and there are no surprises. If a recipient probe fails, then Postfix
|
||||
rejects mail for the recipient address. If a recipient probe
|
||||
succeeds, then Postfix accepts mail for the recipient address. </p>
|
||||
succeeds, then Postfix accepts mail for the recipient address.
|
||||
However, recipient address verification probes can increase the
|
||||
load on down-stream MTAs when you're being flooded by backscatter
|
||||
bounces, or when some spammer is mounting a dictionary attack. </p>
|
||||
|
||||
<p> By default, address verification results are not saved. To avoid
|
||||
probing the same address repeatedly, you can store the result in a
|
||||
|
@ -92,28 +92,38 @@ by the mail delivering process that creates the connection. To get
|
||||
the same performance improvement as with a shared connection cache,
|
||||
non-shared connections need to be kept open for a longer time. </p>
|
||||
|
||||
<p> The scache(8) server, introduced with Postfix version 2.2,
|
||||
maintains the shared connection cache. With Postfix version 2.2,
|
||||
only the smtp(8) client has support to access this cache. </p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<table>
|
||||
|
||||
<tr> <td> Internet <-- </td> <td align="center" bgcolor="#f0f0ff">
|
||||
<br> smtp(8) <br> </td> <td> <tt> <-> </tt> </td> <td
|
||||
align="center" bgcolor="#f0f0ff"> <br> scache(8) <br> </td>
|
||||
<td> <tt> <-> </tt> </td> <td align="center" bgcolor="#f0f0ff">
|
||||
<br> smtp(8) <br> </td> <td> --> Internet </td>
|
||||
<tr> <td align="center" colspan="3" bgcolor="#f0f0ff"> <br> smtp(8)
|
||||
<br> </td> <td colspan="2"> --> Internet </td> </tr>
|
||||
|
||||
<tr> <td align="center" rowspan="3"> </td> <td align="center"
|
||||
rowspan="3"><tt>|<br>|<br>|<br>|<br>|<br>|<br>v</tt></td>
|
||||
<td> </td> </tr>
|
||||
|
||||
<tr> <td align="center"
|
||||
colspan="2" bgcolor="#f0f0ff"> <br> smtp(8) <br> </td> <td
|
||||
align="left"> --> Internet </td> </tr>
|
||||
|
||||
<tr> <td align="center"><tt>^<br>|</tt></td> <td> </td> </tr>
|
||||
|
||||
<tr> <td align="center" colspan="3" bgcolor="#f0f0ff"> <br> scache(8)
|
||||
<br> </td> </tr>
|
||||
|
||||
</table>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p> The scache(8) server, introduced with Postfix version 2.2,
|
||||
maintains the shared connection cache. With Postfix version 2.2,
|
||||
only the smtp(8) client has support to access this cache. </p>
|
||||
|
||||
<p> When SMTP connection caching is enabled (see next section), the
|
||||
smtp(8) client does not disconnect after a mail transaction, but
|
||||
gives the connection to the scache(8) server which keeps the
|
||||
connection open for a limited amount of time. </p>
|
||||
connection open for a limited amount of time. </p>
|
||||
|
||||
<p> After handing over the open connection to the scache(8) server,
|
||||
the smtp(8) client continues with some other mail delivery request.
|
||||
|
@ -1,24 +0,0 @@
|
||||
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
|
||||
"http://www.w3.org/TR/html4/loose.dtd">
|
||||
|
||||
<html>
|
||||
|
||||
<head>
|
||||
|
||||
<title>Postfix Cyrus Howto</title>
|
||||
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
|
||||
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix Cyrus Howto</h1>
|
||||
|
||||
<hr>
|
||||
|
||||
<p> This document will be made available via http://www.postfix.org/. </p>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
@ -80,7 +80,8 @@ below.
|
||||
|
||||
<li> You can use Berkeley DB files with fixed lookup strings for
|
||||
simple address rewriting operations and you can use regular expression
|
||||
tables for the more complicated work.
|
||||
tables for the more complicated work. In other words, you don't
|
||||
have to put everything into the same table.
|
||||
|
||||
</ul>
|
||||
|
||||
@ -189,8 +190,9 @@ because something else happens. This is because commands such as
|
||||
postmap(1) or postalias(1) overwrite existing files. If the update
|
||||
fails in the middle then you have no usable database, and Postfix
|
||||
will stop working. This is not an issue with the CDB database type
|
||||
available with Postfix 2.2 and later, because <a href="CDB_README.html">CDB</a>
|
||||
database rebuilds are atomic. </p>
|
||||
available with Postfix 2.2 and later: <a href="CDB_README.html">CDB</a>
|
||||
creates a new file, and renames the file upon successful completion.
|
||||
</p>
|
||||
|
||||
<p> With multi-file databases such as DBM, there is no simple
|
||||
solution. With Berkeley DB and other "one file" databases, it is
|
||||
|
@ -49,15 +49,17 @@ versions. </p>
|
||||
<h2><a name="no_db">Building Postfix on systems without Berkeley
|
||||
DB</a></h2>
|
||||
|
||||
<p> Many commercial UNIXes ship without Berkeley DB support. Examples
|
||||
are Solaris, HP-UX, IRIX, UNIXWARE. In order to build Postfix with
|
||||
<p> Some UNIXes ship without Berkeley DB support; for historical
|
||||
reasons these use DBM files instead. A problem with DBM files is
|
||||
that they can store only limited amounts of data. To build Postfix
|
||||
with
|
||||
Berkeley DB support you need to download and install the source
|
||||
code from http://www.sleepycat.com/ </p>
|
||||
code from http://www.oracle.com/database/berkeley-db/. </p>
|
||||
|
||||
<p> Warning: some Linux system libraries use Berkeley DB, as do
|
||||
some third-party libraries such as SASL. If you compile Postfix
|
||||
with a different Berkeley DB implementation, then every Postfix
|
||||
program will dump core because either the system library, SASL
|
||||
program will dump core because either the system library, the SASL
|
||||
library, or Postfix itself ends up using the wrong version. </p>
|
||||
|
||||
<p>The more recent Berkeley DB versions have a compile-time switch,
|
||||
@ -67,7 +69,7 @@ Although wasteful, this may be the only way to keep things from
|
||||
falling apart. </p>
|
||||
|
||||
<p> To build Postfix after you installed the Berkeley DB from
|
||||
http://www.sleepycat.com/, use something like: </p>
|
||||
source code, use something like: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
@ -214,7 +216,8 @@ undefined reference to `pthread_mutex_trylock'
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> More information is available at http://www.sleepycat.com/. </p>
|
||||
<p> More information is available at
|
||||
http://www.oracle.com/database/berkeley-db/. </p>
|
||||
|
||||
</body>
|
||||
|
||||
|
@ -100,8 +100,9 @@ is fixed. </p>
|
||||
permissions, incorrect configuration file settings that you can
|
||||
fix. Postfix cannot proceed until this is fixed. </p>
|
||||
|
||||
<li> <p> "<b>error</b>" reports a fatal or non-fatal error condition.
|
||||
Postfix cannot proceed until this is fixed. </p>
|
||||
<li> <p> "<b>error</b>" reports an error condition. For safety
|
||||
reasons, a Postfix process will terminate when more than 13 of these
|
||||
happen. </p>
|
||||
|
||||
<li> <p> "<b>warning</b>" indicates a non-fatal error. These are
|
||||
problems that you may not be able to fix (such as a broken DNS
|
||||
@ -145,7 +146,7 @@ Mail Delivery Status Report will be mailed to <your login name>.
|
||||
</ul>
|
||||
|
||||
<p> These reports contain information that is generated by Postfix
|
||||
delivery agents. Since these run as daemon processes and do not
|
||||
delivery agents. Since these run as daemon processes that cannot
|
||||
interact with users directly, the result is sent as mail to the
|
||||
sender of the test message. The format of these reports is practically
|
||||
identical to that of ordinary non-delivery notifications. </p>
|
||||
@ -209,18 +210,21 @@ command "<b>postfix reload</b>". </p>
|
||||
<h2><a name="sniffer">Record the SMTP session with a network sniffer</a></h2>
|
||||
|
||||
<p> This example uses <b>tcpdump</b>. In order to record a conversation
|
||||
you need to specify a large enough buffer with the "-s" option or
|
||||
else you will miss some or all of the packet payload. </p>
|
||||
you need to specify a large enough buffer with the "<b>-s</b>"
|
||||
option or else you will miss some or all of the packet payload.
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
# <b>tcpdump -w /file/name -s 2000 host example.com and port 25</b>
|
||||
# <b>tcpdump -w /file/name -s 0 host example.com and port 25</b>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Older tcpdump versions don't support "<b>-s 0</b>"; in that case,
|
||||
use "<b>-s 2000</b>" instead. </p>
|
||||
|
||||
<p> Run this for a while, stop with Ctrl-C when done. To view the
|
||||
data use a binary viewer, or <b>ethereal</b>, or use my <b>tcpdumpx</b>
|
||||
utility that is available from ftp://ftp.porcupine.org/pub/debugging/.
|
||||
data use a binary viewer, <b>ethereal</b>, or good old <b>less</b>.
|
||||
</p>
|
||||
|
||||
<h2><a name="verbose">Making Postfix daemon programs more verbose</a></h2>
|
||||
@ -228,7 +232,7 @@ utility that is available from ftp://ftp.porcupine.org/pub/debugging/.
|
||||
<p> Append one or more "<b>-v</b>" options to selected daemon
|
||||
definitions in /etc/postfix/master.cf and type "<b>postfix reload</b>".
|
||||
This will cause a lot of activity to be logged to the syslog daemon.
|
||||
Example: </p>
|
||||
For example, to make the Postfix SMTP server process more verbose: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
@ -237,10 +241,9 @@ Example: </p>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> This makes the Postfix SMTP server more verbose. To diagnose
|
||||
problems with address rewriting one would specify a "<b>-v</b>"
|
||||
<p> To diagnose problems with address rewriting specify a "<b>-v</b>"
|
||||
option for the cleanup(8) and/or trivial-rewrite(8) daemon, and to
|
||||
diagnose problems with mail delivery one would specify a "<b>-v</b>"
|
||||
diagnose problems with mail delivery specify a "<b>-v</b>"
|
||||
option for the qmgr(8) or oqmgr(8) queue manager, or for the lmtp(8),
|
||||
local(8), pipe(8), smtp(8), or virtual(8) delivery agent. </p>
|
||||
|
||||
@ -538,20 +541,23 @@ attachments, instead of reciting information from memory.
|
||||
|
||||
<li> <p> Postfix logging. See the text at the top of the DEBUG_README
|
||||
document to find out where logging is stored. Please do not frustrate
|
||||
the helpers by word wrapping the logging. </p>
|
||||
the helpers by word wrapping the logging. If the logging is more
|
||||
than a few kbytes of text, consider posting an URL on a web or ftp
|
||||
site. </p>
|
||||
|
||||
<li> <p> Consider using a test email address so that you don't have
|
||||
to reveal email addresses or passwords of innocent people. </p>
|
||||
|
||||
<li> <p> If you can't use a test email address, please anonymize
|
||||
information consistently. Replace each letter by "A", each digit
|
||||
email addresses and host names consistently. Replace each letter
|
||||
by "A", each digit
|
||||
by "D" so that the helpers can still recognize syntactical errors.
|
||||
</p>
|
||||
|
||||
<li> <p> Output from "<b>postconf -n</b>". Please do not send your
|
||||
main.cf file or 400+ lines of <b>postconf</b> output. </p>
|
||||
main.cf file, or 500+ lines of <b>postconf</b> output. </p>
|
||||
|
||||
<li> <p> Better, provide output from the <b>postfinger</b> tool.
|
||||
<li> <p> Better, provide output from the <b>postfinger</b> tool.
|
||||
This can be found at http://ftp.wl0.org/SOURCES/postfinger. </p>
|
||||
|
||||
<li> <p> If the problem is SASL related, consider including the
|
||||
@ -562,7 +568,7 @@ http://postfix.state-of-mind.de/patrick.koetter/saslfinger/. </p>
|
||||
including output from the <b>qshape</b> tool, as described in the
|
||||
QSHAPE_README file. </p>
|
||||
|
||||
<li> <p> If the problem is protocol related (connections time out
|
||||
<li> <p> If the problem is protocol related (connections time out,
|
||||
or an SMTP server complains about syntax errors etc.) consider
|
||||
recording a session with <b>tcpdump</b>, as described in the <a
|
||||
href="#sniffer">DEBUG_README</a> document. </ul>
|
||||
|
@ -44,7 +44,7 @@ identifies the message <i>content</i>. </p>
|
||||
</ul>
|
||||
|
||||
<p> The implementation of DSN support involves extra parameters to
|
||||
the SMTP MAIL FROM and RCPT TO commands, as well as new Postfix
|
||||
the SMTP MAIL FROM and RCPT TO commands, as well as two Postfix
|
||||
sendmail command line options that provide a sub-set of the functions
|
||||
of the extra SMTP command parameters. </p>
|
||||
|
||||
|
@ -27,11 +27,6 @@ searches the queue for mail to the customer, and delivers that mail
|
||||
not delivered via the connection that was used for sending ETRN.
|
||||
</p>
|
||||
|
||||
<p> Postfix versions before 1.0 (also known as version 20010228)
|
||||
implemented the ETRN command in an inefficient manner: they simply
|
||||
attempted to deliver all queued mail. This is slow on mail servers
|
||||
that queue mail for many customers. </p>
|
||||
|
||||
<p> As of version 1.0, Postfix has a fast ETRN implementation that
|
||||
does not require Postfix to examine every queue file. Instead,
|
||||
Postfix maintains a record of what queue files contain mail for
|
||||
@ -74,11 +69,11 @@ font. </p>
|
||||
<blockquote>
|
||||
<pre>
|
||||
220 my.server.tld ESMTP Postfix
|
||||
<b>helo my.client.tld</b>
|
||||
<b>HELO my.client.tld</b>
|
||||
250 Ok
|
||||
<b>etrn some.customer.domain</b>
|
||||
<b>ETRN some.customer.domain</b>
|
||||
250 Queuing started
|
||||
<b>quit</b>
|
||||
<b>QUIT</b>
|
||||
221 Bye
|
||||
</pre>
|
||||
</blockquote>
|
||||
@ -90,6 +85,8 @@ the connection that was used to send the ETRN command. </p>
|
||||
<p> The Postfix operator can request delivery for a specific customer
|
||||
by using the command "sendmail -qR<i>destination</i>" and, with
|
||||
Postfix version 1.1 and later, "postqueue -s<i>destination</i>".
|
||||
Access to this feature is controlled with the authorized_flush_users
|
||||
configuration parameter (Postfix version 2.2 and later).
|
||||
</p>
|
||||
|
||||
<h2><a name="how">How Postfix fast ETRN works</a></h2>
|
||||
@ -149,12 +146,13 @@ want to turn on fast ETRN service for every possible destination.
|
||||
with queue file names. When a request to "deliver mail now" arrives,
|
||||
Postfix will attempt to deliver all recipients in the queue files
|
||||
that have mail for the destination in question. This does not
|
||||
perform well when queue files have recipients in many different
|
||||
domains. </p>
|
||||
perform well with queue files that have recipients in many different
|
||||
domains, such as queue files with outbound mailing list traffic.
|
||||
</p>
|
||||
|
||||
<li> <p> The flush(8) daemon maintains per-destination logfiles
|
||||
only for destinations listed with $fast_flush_domains. With other
|
||||
destinations it not possible to trigger delivery with "sendmail
|
||||
destinations you cannot request delivery with "sendmail
|
||||
-qR<i>destination</i>" or, with Postfix version 1.1 and later,
|
||||
"postqueue -s<i>destination</i>". </p>
|
||||
|
||||
@ -166,6 +164,11 @@ does not ignore the volatile in-memory list of dead domains, and
|
||||
the list of message delivery transports specified with the
|
||||
defer_transports configuration parameter. </p>
|
||||
|
||||
<li> <p> Up to and including Postfix version 2.3, the "fast flush"
|
||||
service may not deliver some messages if the request to "deliver
|
||||
mail now" arrives while an incoming queue scan is already in progress.
|
||||
</p>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2><a name="config">Configuring the Postfix fast ETRN service</a></h2>
|
||||
@ -302,9 +305,9 @@ boldface: </p>
|
||||
<blockquote>
|
||||
<pre>
|
||||
220 my.server.tld ESMTP Postfix
|
||||
<b>helo my.client.tld</b>
|
||||
<b>HELO my.client.tld</b>
|
||||
250 Ok
|
||||
<b>etrn some.customer.domain</b>
|
||||
<b>ETRN some.customer.domain</b>
|
||||
250 Queuing started
|
||||
</pre>
|
||||
</blockquote>
|
||||
@ -338,9 +341,9 @@ commands that you type: </p>
|
||||
<blockquote>
|
||||
<pre>
|
||||
220 my.server.tld ESMTP Postfix
|
||||
<b>helo my.client.tld</b>
|
||||
<b>HELO my.client.tld</b>
|
||||
250 Ok
|
||||
<b>etrn some.other.customer.domain</b>
|
||||
<b>ETRN some.other.customer.domain</b>
|
||||
250 Queuing started
|
||||
</pre>
|
||||
</blockquote>
|
||||
@ -356,9 +359,9 @@ server has mail queued for that destination. </p>
|
||||
<blockquote>
|
||||
<pre>
|
||||
220 my.server.tld ESMTP Postfix
|
||||
<b>helo my.client.tld</b>
|
||||
<b>HELO my.client.tld</b>
|
||||
250 Ok
|
||||
<b>etrn not.a.customer.domain</b>
|
||||
<b>ETRN not.a.customer.domain</b>
|
||||
459 <not.a.customer.domain>: service unavailable
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
@ -71,7 +71,8 @@ mail. Applications that use two separate Postfix instances will
|
||||
be covered by a later version of this document. </p>
|
||||
|
||||
<p> The after-queue content filter is not to be confused with the
|
||||
approach that is described in the SMTPD_PROXY_README document,
|
||||
approaches described in the SMTPD_PROXY_README or MILTER_README
|
||||
documents,
|
||||
where incoming SMTP mail is filtered BEFORE it is stored into the
|
||||
Postfix queue. </p>
|
||||
|
||||
@ -125,16 +126,18 @@ all email, as well as several options to filter mail selectively: </p>
|
||||
|
||||
<h2><a name="principles">Principles of operation</a> </h2>
|
||||
|
||||
<p> An external content filter receives unfiltered mail from Postfix
|
||||
(as described further below) and does one of the following: </p>
|
||||
<p> An after-queue content filter receives unfiltered mail from Postfix
|
||||
(as described further below) and can do one of the following: </p>
|
||||
|
||||
<ol>
|
||||
|
||||
<li> <p> Re-inject the mail back into Postfix, perhaps after changing
|
||||
content and/or destination. </p>
|
||||
|
||||
<li> <p> Discard or quarantine the mail. </p>
|
||||
|
||||
<li> <p> Reject the mail (by sending a suitable status code back to
|
||||
Postfix). Postfix will return the mail to the sender. </p>
|
||||
Postfix). Postfix will send the mail back to the sender address. </p>
|
||||
|
||||
</ol>
|
||||
|
||||
@ -146,7 +149,8 @@ suspect so that a human can decide what to do with it. </p>
|
||||
|
||||
<h2><a name="simple_filter">Simple content filter example</a></h2>
|
||||
|
||||
<p> The first example is simple to set up. Postfix receives
|
||||
<p> The first example is simple to set up, but has major limitations
|
||||
that will be addressed in a second example. Postfix receives
|
||||
unfiltered mail from the network with the smtpd(8) server, and
|
||||
delivers unfiltered mail to a content filter with the Postfix
|
||||
pipe(8) delivery agent. The content filter injects filtered mail
|
||||
@ -282,21 +286,23 @@ document for an introduction to the Postfix architecture. </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> Line 8: The -G option does nothing before Postfix 2.3,
|
||||
otherwise it disables address rewriting of message headers. </p>
|
||||
<li> <p> Line 8: The -G option says the filter output is not a local
|
||||
mail submission: don't do silly things like appending the local
|
||||
domain name to addresses in message headers. This option does
|
||||
nothing before Postfix version 2.3. </p>
|
||||
|
||||
<li> <p> Line 8: The -i option says don't stop reading input when
|
||||
a line contains "." only. </p>
|
||||
|
||||
<li> <p> Line 8: NEVER NEVER NEVER use the "-t" command-line option
|
||||
here. It will mis-deliver mail, like sending mailing list mail back
|
||||
to the mailing list. </p>
|
||||
here. It will mis-deliver mail, like sending messages from a mailing
|
||||
list back to the mailing list. </p>
|
||||
|
||||
<li> <p> Line 21: The idea is to first capture the message to
|
||||
file and then run the content through a third-party content filter
|
||||
program. </p>
|
||||
|
||||
<li> <p> Line 22: If the mail cannot be captured to file, mail
|
||||
<li> <p> Line 22: If the message cannot be captured to file, mail
|
||||
delivery is deferred by terminating with exit status 75 (EX_TEMPFAIL).
|
||||
Postfix places the message in the deferred mail queue and tries
|
||||
again later. </p>
|
||||
@ -306,13 +312,14 @@ program here that receives the content on standard input. </p>
|
||||
|
||||
<li> <p> Line 26: If the content filter program finds a problem,
|
||||
the mail is bounced by terminating with exit status 69 (EX_UNAVAILABLE).
|
||||
Postfix will return the message to the sender as undeliverable.
|
||||
Postfix will send the message back to the sender as undeliverable
|
||||
mail.
|
||||
</p>
|
||||
|
||||
<li> <p> Note: in this time of mail worms and spam, it is a BAD
|
||||
<li> <p> NOTE: in this time of mail worms and spam, it is a BAD
|
||||
IDEA to send known viruses or spam back to the sender, because that
|
||||
address is likely to be forged. It is safer to discard known to be
|
||||
bad content and to quarantine suspicious content so that it can
|
||||
address is likely to be forged. It is safer to discard known viruses
|
||||
and to quarantine suspicious content so that it can
|
||||
be inspected by a human being. </p>
|
||||
|
||||
<li> <p> Line 28: If the content is OK, it is given as input to
|
||||
@ -331,7 +338,7 @@ as input: </p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
% /path/to/script -f sender recipient... <message-file
|
||||
% /path/to/script -f sender -- recipient... <message-file
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
@ -381,7 +388,7 @@ entry that defines the Postfix SMTP server: </p>
|
||||
-o content_filter=filter:dummy
|
||||
</pre>
|
||||
|
||||
<p> The "content_filter" line causes Postfix to add one content
|
||||
<p> The "-o content_filter" line causes Postfix to add one content
|
||||
filter request record to each incoming mail message, with content
|
||||
"filter:dummy". This record overrides the normal mail routing
|
||||
and causes mail to be given to the content filter instead. </p>
|
||||
@ -432,7 +439,7 @@ content_filter=filter:dummy" text from the entry that defines the
|
||||
Postfix SMTP server. </p>
|
||||
|
||||
<li> <p> Execute "<b>postsuper -r ALL</b>" to remove content
|
||||
filter information from existing queue files. </p>
|
||||
filter request records from existing queue files. </p>
|
||||
|
||||
<li> <p> Execute another "<b>postfix reload</b>". </p>
|
||||
|
||||
@ -553,7 +560,9 @@ document for an introduction to the Postfix architecture. </p>
|
||||
|
||||
<p> The example given here filters all mail, including mail that
|
||||
arrives via SMTP and mail that is locally submitted via the Postfix
|
||||
sendmail command. See examples near the end of this document for
|
||||
sendmail command (local submissions enter Postfix via the pickup(8)
|
||||
server; to keep the figure simple we omit local submission details).
|
||||
See examples near the end of this document for
|
||||
how to exclude local users from filtering, or how to configure a
|
||||
destination dependent content filter. </p>
|
||||
|
||||
@ -638,7 +647,7 @@ for more information. </p>
|
||||
<li> <p> The "-o disable_mime_output_conversion=yes" is a workaround
|
||||
that prevents the breaking of domainkeys and other digital signatures.
|
||||
This is needed because some SMTP-based content filters don't announce
|
||||
8BITMIME support, even though they can handle it just fine. </p>
|
||||
8BITMIME support, even though they can handle 8-bit mail. </p>
|
||||
|
||||
<li> <p> The "-o smtp_generic_maps=" is a workaround that prevents
|
||||
local address rewriting with generic(5) maps. Such rewriting should
|
||||
@ -672,6 +681,10 @@ shell and home directory. This user handles all potentially
|
||||
dangerous mail content - that is why it should be a separate account.
|
||||
</p>
|
||||
|
||||
<li> <p> By default, Postfix will terminate a command that runs
|
||||
longer than command_time_limit seconds (default: 1000s). This is a
|
||||
safety measure that prevents filters from running forever. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> If you want to have your filter listening on port localhost:10025
|
||||
@ -711,15 +724,14 @@ that injects mail back into Postfix. </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> Note: do not use spaces around the "=" or "," characters. </p>
|
||||
<li> <p> NOTE: do not use spaces around the "=" or "," characters. </p>
|
||||
|
||||
<li> <p> Note: the SMTP server must not have a smaller process
|
||||
<li> <p> NOTE: the SMTP server must not have a smaller process
|
||||
limit than the "filter" master.cf entry. </p>
|
||||
|
||||
<li> <p> The "-o content_filter=" overrides main.cf settings, and
|
||||
requests no content filtering for mail from the content filter.
|
||||
This is required or else mail will stay in the content filtering
|
||||
loop. </p>
|
||||
This is required or else mail will loop. </p>
|
||||
|
||||
<li> <p> The "-o receive_override_options" overrides main.cf settings
|
||||
to avoid duplicating work that was already done before the content
|
||||
@ -737,7 +749,7 @@ specified in main.cf: </p>
|
||||
<li> <p> We specify "no_milters" to disable Milter applications
|
||||
(this option is available only in Postfix 2.3 and later). </p>
|
||||
|
||||
<li> <p> We don't specify "no_address_mapping" here. This
|
||||
<li> <p> We don't specify "no_address_mappings" here. This
|
||||
enables virtual alias expansion, canonical mappings, address
|
||||
masquerading, and other address mappings after the content
|
||||
filter. The main.cf setting of "receive_override_options"
|
||||
@ -794,7 +806,7 @@ when content filtering is turned off. </p>
|
||||
</blockquote>
|
||||
|
||||
<li> <p> Execute "<b>postsuper -r ALL</b>" to remove content
|
||||
filter information from existing queue files. </p>
|
||||
filter request records from existing queue files. </p>
|
||||
|
||||
<li> <p> Execute another "<b>postfix reload</b>". </p>
|
||||
|
||||
|
@ -350,7 +350,7 @@ assume for the moment that groups never have a "maildrop" (the "bgroup"
|
||||
</blockquote>
|
||||
|
||||
<p> Note: if the desired member object result attribute is always also
|
||||
present in the group, you get suprising results, the expansion also
|
||||
present in the group, you get surprising results, the expansion also
|
||||
returns the address of the group. This is a known limitation of Postfix
|
||||
releases prior to 2.4, and is addressed in the new with Postfix 2.4
|
||||
"leaf_result_attribute" feature described in ldap_table(5). </p>
|
||||
|
@ -1,2 +0,0 @@
|
||||
See the files in auxiliary/MacOSX for hints and tips to set up
|
||||
Postfix.
|
@ -28,9 +28,13 @@ this happens before mail is queued. </p>
|
||||
<p> The reason for adding Milter support to Postfix is that there
|
||||
exists a large collection of applications, not only to block unwanted
|
||||
mail, but also to verify authenticity (examples: <a
|
||||
href="http://sourceforge.net/projects/dkim-milter/">Domain keys
|
||||
identified mail</a>, <a
|
||||
href="http://sourceforge.net/projects/sid-milter/">SenderID+SPF</a> and
|
||||
<a href="http://sourceforge.net/projects/dk-milter/">Domain keys</a>)
|
||||
or to digitally sign mail (example: <a
|
||||
or to digitally sign mail (examples: <a
|
||||
href="http://sourceforge.net/projects/dkim-milter/">Domain keys
|
||||
identified mail</a>, <a
|
||||
href="http://sourceforge.net/projects/dk-milter/">Domain keys</a>).
|
||||
Having yet another Postfix-specific version of all that software
|
||||
is a poor use of human and system resources. </p>
|
||||
@ -202,14 +206,14 @@ does. </p>
|
||||
|
||||
<p> On some Linux and *BSD distributions, the Sendmail libmilter
|
||||
library is installed by default. With this, applications such as
|
||||
<a href="http://sourceforge.net/projects/dk-milter/">dk-milter</a>
|
||||
<a href="http://sourceforge.net/projects/dkim-milter/">dkim-milter</a>
|
||||
and <a href="http://sourceforge.net/projects/sid-milter/">sid-milter</a>
|
||||
build out of the box without requiring any tinkering:</p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
$ <b>gzcat dk-milter-<i>x.y.z</i>.tar.gz | tar xf -</b>
|
||||
$ <b>cd dk-milter-<i>x.y.z</i></b>
|
||||
$ <b>gzcat dkim-milter-<i>x.y.z</i>.tar.gz | tar xf -</b>
|
||||
$ <b>cd dkim-milter-<i>x.y.z</i></b>
|
||||
$ <b>make</b>
|
||||
[...<i>lots of output omitted</i>...]
|
||||
</pre>
|
||||
@ -260,7 +264,7 @@ for options. A typical command looks like this:</p>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
# <b>/some/where/dk-filter -u <i>userid</i> -p inet:<i>portnumber</i>@localhost ...<i>other options</i>...</b>
|
||||
# <b>/some/where/dkim-filter -u <i>userid</i> -p inet:<i>portnumber</i>@localhost ...<i>other options</i>...</b>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
@ -652,23 +656,70 @@ X-SenderID: Sendmail Sender-ID Filter vx.y.z host.example.com <unknown-msgid&
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> This happens because some Milter applications expect that the
|
||||
<p> This happens because those Milter applications expect that the
|
||||
queue ID is known <i>before</i> the MTA accepts the MAIL FROM
|
||||
(sender) command. Postfix, on the other hand, does not choose a
|
||||
queue file name until <i>after</i> it accepts the first valid RCPT
|
||||
TO (recipient) command. Postfix queue file names must be unique
|
||||
TO (recipient) command (Postfix queue file names must be unique
|
||||
across multiple directories, so the name can't be chosen before the
|
||||
file is created. If multiple messages were to use the same queue
|
||||
ID <i>simultaneously</i>, mail would be lost. </p>
|
||||
file is created; if multiple messages were to use the same queue
|
||||
ID <i>simultaneously</i>, mail would be lost). </p>
|
||||
|
||||
<p> To work around the ugly message header from Milter applications,
|
||||
we add a little code to the Milter source to look up the queue ID
|
||||
after Postfix receives the end of the message. </p>
|
||||
</ul>
|
||||
|
||||
<p> Fixing the ugly header maybe as simple as upgrading to a recent
|
||||
version of the Milter application. For example, current versions
|
||||
of dkim-filter and dk-filter have code that looks up the Postfix
|
||||
queue ID at a later protocol stage. </p>
|
||||
|
||||
<p> To fix the ugly message header with sid-filter applications,
|
||||
we change the source code, so that it does the queue ID lookup after
|
||||
Postfix receives the end of the message. </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> Edit the filter source file (named
|
||||
<tt>sid-filter/sid-filter.c</tt>). </p>
|
||||
|
||||
<li> <p> Look up the <tt>smfilter</tt> table and replace
|
||||
<tt>mlfi_eoh</tt> by <tt>NULL</tt>.
|
||||
</p>
|
||||
|
||||
<li> <p> Look up the <tt>mlfi_eom()</tt> function and add code near
|
||||
the top that calls <tt>mlfi_eoh()</tt> as shown by the <b>bold</b>
|
||||
text below: </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
assert(ctx != NULL);
|
||||
#endif /* !DEBUG */
|
||||
<b>
|
||||
ret = mlfi_eoh(ctx);
|
||||
if (ret != SMFIS_CONTINUE)
|
||||
return ret;</b>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> NOTES: </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> This was tested with sid-milter-0.2.10 and sid-milter-0.2.14. </p>
|
||||
|
||||
<li> <p> This fixes only the ugly message header, but not the WARNING
|
||||
message. Fortunately, sid-milter logs that message only once. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> To fix the ugly message header with other Milter applications,
|
||||
you will need to do something like this: </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> Edit the filter source file (typically named
|
||||
<tt>dk-filter/dk-filter.c</tt> or similar). </p>
|
||||
<tt>xxx-filter/xxx-filter.c</tt> or similar). </p>
|
||||
|
||||
<li> <p> Look up the <tt>mlfi_eom()</tt> function and add code near
|
||||
the top shown as <b>bold</b> text below: </p>
|
||||
@ -700,43 +751,7 @@ variables. If the above code does not compile, look for the code
|
||||
at the start of the <tt>mlfi_eoh()</tt> routine. </p>
|
||||
|
||||
<li> <p> This fixes only the ugly message header, but not the WARNING
|
||||
message. Fortunately, dk-filter logs that message only once. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<p> With some Milter applications we can fix both the WARNING and
|
||||
the "unknown-msgid" by postponing the call of <tt>mlfi_eoh()</tt>
|
||||
(or whatever routine logs the WARNING) until the end of the message.
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> Edit the filter source file (typically named
|
||||
<tt>sid-filter/sid-filter.c</tt> or similar). </p>
|
||||
|
||||
<li> <p> Look up the <tt>smfilter</tt> table and replace
|
||||
<tt>mlfi_eoh</tt> (or whatever routine logs the WARNING) by NULL.
|
||||
</p>
|
||||
|
||||
<li> <p> Look up the <tt>mlfi_eom()</tt> function and add code near
|
||||
the top that calls <tt>mlfi_eoh()</tt> as shown by the <b>bold</b>
|
||||
text below: </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre>
|
||||
assert(ctx != NULL);
|
||||
#endif /* !DEBUG */
|
||||
<b>
|
||||
ret = mlfi_eoh(ctx);
|
||||
if (ret != SMFIS_CONTINUE)
|
||||
return ret;</b>
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> This works with sid-milter-0.2.10. Other Milter applications
|
||||
will dump core when you do this. </p>
|
||||
message. Fortunately, many Milters log that message only once. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
|
@ -15,7 +15,6 @@ HTML = ../html/ADDRESS_CLASS_README.html \
|
||||
../html/CDB_README.html \
|
||||
../html/CONNECTION_CACHE_README.html \
|
||||
../html/CONTENT_INSPECTION_README.html \
|
||||
../html/CYRUS_README.html \
|
||||
../html/DATABASE_README.html ../html/DB_README.html \
|
||||
../html/DEBUG_README.html \
|
||||
../html/DSN_README.html \
|
||||
@ -37,7 +36,7 @@ HTML = ../html/ADDRESS_CLASS_README.html \
|
||||
../html/STANDARD_CONFIGURATION_README.html \
|
||||
../html/TLS_README.html ../html/TLS_LEGACY_README.html \
|
||||
../html/TUNING_README.html \
|
||||
../html/UUCP_README.html ../html/ULTRIX_README.html \
|
||||
../html/UUCP_README.html \
|
||||
../html/VERP_README.html ../html/VIRTUAL_README.html \
|
||||
../html/XCLIENT_README.html ../html/XFORWARD_README.html \
|
||||
../html/postconf.5.html
|
||||
@ -51,7 +50,6 @@ README = ../README_FILES/ADDRESS_CLASS_README \
|
||||
../README_FILES/CDB_README \
|
||||
../README_FILES/CONNECTION_CACHE_README \
|
||||
../README_FILES/CONTENT_INSPECTION_README \
|
||||
../README_FILES/CYRUS_README \
|
||||
../README_FILES/DATABASE_README ../README_FILES/DB_README \
|
||||
../README_FILES/DEBUG_README \
|
||||
../README_FILES/DSN_README \
|
||||
@ -73,7 +71,7 @@ README = ../README_FILES/ADDRESS_CLASS_README \
|
||||
../README_FILES/STANDARD_CONFIGURATION_README \
|
||||
../README_FILES/TLS_README ../README_FILES/TLS_LEGACY_README \
|
||||
../README_FILES/TUNING_README \
|
||||
../README_FILES/UUCP_README ../README_FILES/ULTRIX_README \
|
||||
../README_FILES/UUCP_README \
|
||||
../README_FILES/VERP_README ../README_FILES/VIRTUAL_README \
|
||||
../README_FILES/XCLIENT_README ../README_FILES/XFORWARD_README \
|
||||
../README_FILES/AAAREADME
|
||||
|
@ -27,8 +27,8 @@ Postfix distributions for general use. </p>
|
||||
file</h2>
|
||||
|
||||
<p> The installed main.cf file must be small. PLEASE resist the
|
||||
temptation to list all 400+ parameters in the main.cf file. Postfix
|
||||
is supposed to be easy to configure. Listing all 400+ in main.cf
|
||||
temptation to list all parameters in the main.cf file. Postfix
|
||||
is supposed to be easy to configure. Listing all parameters in main.cf
|
||||
defeats the purpose. It is an invitation for hobbyists to make
|
||||
random changes without understanding what they do, and gets them
|
||||
into endless trouble. </p>
|
||||
|
@ -164,7 +164,7 @@ etrn_domain=
|
||||
These attributes are empty in case of no certificate authentication.
|
||||
As of Postfix 2.2.11 these attribute values are encoded as
|
||||
xtext: some characters are represented by +XX, where XX is the
|
||||
two-digit hecadecimal representation of the character value.
|
||||
two-digit hexadecimal representation of the character value.
|
||||
</p>
|
||||
|
||||
<li> <p> The "encryption_*" attributes (Postfix 2.3 and later)
|
||||
|
@ -224,8 +224,8 @@ seconds or $smtpd_error_sleep_time, whichever is more. </p>
|
||||
|
||||
<h2><a name="conn_limit">Measures against clients that make too many connections</a></h2>
|
||||
|
||||
<p> Note: the anvil(8) service was introduced with Postfix version
|
||||
2.2. </p>
|
||||
<p> Note: these features use the Postfix anvil(8) service, introduced
|
||||
with Postfix version 2.2. </p>
|
||||
|
||||
<p> The Postfix smtpd(8) server can limit the number of simultaneous
|
||||
connections from the same SMTP client, as well as the number of
|
||||
@ -233,34 +233,47 @@ connections that a client is allowed to make per unit time.
|
||||
These statistics are maintained by the anvil(8) server (translation:
|
||||
if anvil(8) breaks, then connection limits stop working). </p>
|
||||
|
||||
<p> IMPORTANT: These limits are designed to protect the smtpd(8) server
|
||||
against flagrant abuse. Do not use these limits to regulate legitimate
|
||||
traffic: mail will suffer grotesque delays if you do so. </p>
|
||||
<p> IMPORTANT: These limits must not be used to regulate legitimate
|
||||
traffic: mail will suffer grotesque delays if you do so. The limits
|
||||
are designed to protect the smtpd(8) server against abuse by
|
||||
out-of-control clients. </p>
|
||||
|
||||
<ul>
|
||||
<blockquote>
|
||||
|
||||
<li> <p> An SMTP client may make up to $smtpd_client_connection_count_limit
|
||||
simultaneous connections (default: 50). This is half the default
|
||||
process limit. </p>
|
||||
<dl>
|
||||
|
||||
<li> <p> An SMTP client may make up to $smtpd_client_message_rate_limit
|
||||
message delivery requests per unit time (default: no limit). </p>
|
||||
<dt> smtpd_client_connection_count_limit (default: 50) </dt> <dd>
|
||||
The maximum number of connections than an SMTP client may make
|
||||
simultaneously. </dd>
|
||||
|
||||
<li> <p> An SMTP client may send up to $smtpd_client_recipient_rate_limit
|
||||
recipient addresses per unit time (default: no limit). </p>
|
||||
<dt> smtpd_client_connection_rate_limit (default: no limit) </dt>
|
||||
<dd> The maximum number of connections that an SMTP client may make
|
||||
in the time interval specified with anvil_rate_time_unit (default:
|
||||
60s). </dd>
|
||||
|
||||
<li> <p> An SMTP client may make up to $smtpd_client_connection_rate_limit
|
||||
connections per unit time (default: no limit). </p>
|
||||
<dt> smtpd_client_message_rate_limit (default: no limit) </dt> <dd>
|
||||
The maximum number of message delivery requests that an SMTP client
|
||||
may make in the time interval specified with anvil_rate_time_unit
|
||||
(default: 60s). </dd>
|
||||
|
||||
<li> <p> These limits are not applied to SMTP clients in the networks
|
||||
specified with $smtpd_client_event_limit_exceptions (default:
|
||||
clients in $mynetworks may make an unlimited number of connections).
|
||||
<dt> smtpd_client_recipient_rate_limit (default: no limit) </dt>
|
||||
<dd> The maximum number of recipient addresses that an SMTP client
|
||||
may specify in the time interval specified with anvil_rate_time_unit
|
||||
(default: 60s). </dd>
|
||||
|
||||
<li> <p> The anvil_rate_time_unit parameter specifies the time
|
||||
unit over which client connection rates are computed (default:
|
||||
60s).
|
||||
<dt> smtpd_client_new_tls_session_rate_limit (default: no limit)
|
||||
</dt> <dd> The maximum number of new TLS sessions (without using
|
||||
the TLS session cache) that an SMTP client may negotiate in the
|
||||
time interval specified with anvil_rate_time_unit (default: 60s).
|
||||
</dd>
|
||||
|
||||
</ul>
|
||||
<dt> smtpd_client_event_limit_exceptions (default: $mynetworks)
|
||||
</dt> <dd> SMTP clients that are excluded from connection and rate
|
||||
limits specified above. </dd>
|
||||
|
||||
</dl>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<h2><a name="mailing_tips">General mail delivery performance tips</a></h2>
|
||||
|
||||
@ -360,7 +373,7 @@ is not useful. Another good reason to limit delivery concurrency
|
||||
to the same recipient: if the recipient has an expensive shell
|
||||
command in her .forward file, or if the recipient is a mailing list
|
||||
manager, you don't want to run too many instances of those processes
|
||||
the same time. </p>
|
||||
at the same time. </p>
|
||||
|
||||
<li> <p> The default smtp_destination_concurrency_limit of 20 seems
|
||||
enough to noticeably load a system without bringing it to its knees.
|
||||
@ -465,10 +478,12 @@ some amount of time. </p>
|
||||
|
||||
<dl>
|
||||
|
||||
<dt> queue_run_delay (default: 1000 seconds) </dt> <dd> How often
|
||||
<dt> queue_run_delay (default: 300 seconds; before Postfix 2.4:
|
||||
1000s) </dt> <dd> How often
|
||||
the queue manager scans the queue for deferred mail. </dd>
|
||||
|
||||
<dt> minimal_backoff_time (default: 1000 seconds) </dt> <dd> The
|
||||
<dt> minimal_backoff_time (default: 300 seconds; before Postfix
|
||||
2.4: 1000s) </dt> <dd> The
|
||||
minimal amount of time a message won't be looked at, and the minimal
|
||||
amount of time to stay away from a "dead" destination. </dd>
|
||||
|
||||
@ -519,7 +534,8 @@ that usually requires timing out one or more SMTP connections. </p>
|
||||
always better than increasing the frequency of delivery attempts.
|
||||
However, if you can control only the delivery attempt frequency,
|
||||
consider using a dedicated fallback_relay "graveyard" machine for
|
||||
bad destinations so that they do not ruin the performance of normal
|
||||
bad destinations, so that these destinations do not ruin the
|
||||
performance of normal
|
||||
mail deliveries. </p>
|
||||
|
||||
<h2><a name="proc_limit">Tuning the number of Postfix processes</a></h2>
|
||||
@ -573,6 +589,20 @@ errors. </p>
|
||||
|
||||
<ul>
|
||||
|
||||
<li> <p> Depending on your Postfix and operating system versions
|
||||
you may need to recompile Postfix if you need more than 1024 file
|
||||
descriptors per process: </p>
|
||||
|
||||
<ul> <li> <p> No recompilation is needed for Postfix version 2.4
|
||||
and later, when it was compiled for systems that support BSD kqueue(2)
|
||||
(FreeBSD 4.1, NetBSD 2.0, OpenBSD 2.9), Solaris 8 /dev/poll, or
|
||||
Linux 2.6 epoll(4). </p>
|
||||
|
||||
<li> <p> Otherwise, Postfix needs to be recompiled to override the
|
||||
default FD_SETSIZE value. </p>
|
||||
|
||||
</ul>
|
||||
|
||||
<li> <p> Reduce the number of processes as described under "<a
|
||||
href="#proc_limit">Tuning the number of Postfix processes</a>" above.
|
||||
Fewer processes need fewer open files and sockets. </p>
|
||||
@ -585,7 +615,8 @@ with your system tuning guide: </p>
|
||||
<ul>
|
||||
|
||||
<li> <p> Some FreeBSD kernel parameters can be specified in
|
||||
/boot/loader.conf, and some can be changed with sysctl commands.
|
||||
/boot/loader.conf, and some can be specified in /etc/sysctl.conf
|
||||
or changed with sysctl commands.
|
||||
Which is which depends on the version.
|
||||
</p>
|
||||
|
||||
@ -598,7 +629,7 @@ kern.maxfilesperproc="16384"
|
||||
</pre>
|
||||
|
||||
<li> <p> Linux kernel parameters can be specified in /etc/sysctl.conf
|
||||
and can also be changed with sysctl commands: </p>
|
||||
or changed with sysctl commands: </p>
|
||||
|
||||
<pre>
|
||||
fs.file-max=16384
|
||||
@ -607,7 +638,7 @@ kernel.threads-max=2048
|
||||
|
||||
<li> <p> Solaris kernel parameters can be specified in /etc/system,
|
||||
as described in the <a
|
||||
href="http://www.science.uva.nl/pub/solaris/solaris2.html#q3.46">Solaris
|
||||
href="http://www.science.uva.nl/pub/solaris/solaris2.html#q3.48">Solaris
|
||||
FAQ</a> entry titled "How can I increase the number of file
|
||||
descriptors per process?" </p>
|
||||
|
||||
|
@ -1,71 +0,0 @@
|
||||
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
|
||||
"http://www.w3.org/TR/html4/loose.dtd">
|
||||
|
||||
<html>
|
||||
|
||||
<head>
|
||||
|
||||
<title>Postfix and Ultrix </title>
|
||||
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
|
||||
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix and Ultrix </h1>
|
||||
|
||||
<hr>
|
||||
|
||||
<h2> Postfix on Ultrix </h2>
|
||||
|
||||
<p> This document is probably only of historical value, because
|
||||
Ultrix version 4 dates from the early 1990s. However, as long as
|
||||
Wietse keeps Postfix alive for SunOS 4, it is likely to run on
|
||||
Ultrix 4 with very little change. Feedback is welcome if anyone
|
||||
actually still uses Postfix on any version of Ultrix. </p>
|
||||
|
||||
<p> The source of this document is an email message by Christian von Roques
|
||||
that was sent on Jun 2, 1999. </p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p> I've upgraded the MTA of our DECstation-3100 running Ultrix4.3a to
|
||||
postfix-19990317-pl05 and am sending you the patches I needed to get
|
||||
it running under Ultrix. </p>
|
||||
|
||||
<p> . . . </p>
|
||||
|
||||
<p> One of the bugs of Ultrix's /bin/sh is that shell-variables
|
||||
set in arguments of `:' expand to garbage if expanded in here-documents.
|
||||
Using a different shell helps. I needed to replace all calls of
|
||||
``sh .../makedefs'' by ``$(SHELL) .../makedefs'' in all the
|
||||
Makefile.in and am now able to use ``make SHELL=/bin/sh5'' or zsh.
|
||||
|
||||
<p> . . . </p>
|
||||
|
||||
<p> Ultrix's FD_SET_SIZE is 4096, but getdtablesize()
|
||||
returns 64 by default, if not increased when building a new
|
||||
kernel. getrlimit() doesn't know RLIMIT_NOFILE. This makes
|
||||
event_init() always log the warning: `could allocate space for
|
||||
only 64 open files'. </p>
|
||||
|
||||
<p> I just reduced the threshold from 256 to 64, but this is not good.
|
||||
The initial problem still remains: How to disable this warning on
|
||||
Ultrix without making the source ugly? </p>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p> To work around the first problem, all the Makefile.in files
|
||||
have been updated to use `$(SHELL)' instead of `sh'. So you only
|
||||
need to supply a non-default shell in order to eliminate Ultrix
|
||||
shell trouble. </p>
|
||||
|
||||
<p> To work around the latter, util/sys_defs.h was updated for
|
||||
Ultrix, with a default FD_SETSIZE of 100. This should be sufficient
|
||||
for a workstation. Even in 1999, no-one would run a major mail hub
|
||||
on Ultrix 4. </p>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
@ -10,10 +10,10 @@
|
||||
#
|
||||
# \fBpostmap -q - /etc/postfix/access <\fIinputfile\fR
|
||||
# DESCRIPTION
|
||||
# The Postfix SMTP server supports access control on remote
|
||||
# SMTP client information: host names, network addresses, and
|
||||
# envelope sender
|
||||
# or recipient addresses. See \fBheader_checks\fR(5) or
|
||||
# This document describes access control on remote SMTP client
|
||||
# information: host names, network addresses, and envelope
|
||||
# sender or recipient addresses; it is implemented by the
|
||||
# Postfix SMTP server. See \fBheader_checks\fR(5) or
|
||||
# \fBbody_checks\fR(5) for access control on the content of
|
||||
# email messages.
|
||||
#
|
||||
@ -244,7 +244,7 @@
|
||||
# More information
|
||||
# about external content filters is in the Postfix FILTER_README file.
|
||||
# .sp
|
||||
# Note: this action overrides the \fBmain.cf content_filter\fR setting,
|
||||
# Note: this action overrides the \fBcontent_filter\fR setting,
|
||||
# and currently affects all recipients of the message.
|
||||
# .sp
|
||||
# This feature is available in Postfix 2.0 and later.
|
||||
|
@ -2,7 +2,7 @@
|
||||
# NAME
|
||||
# header_checks 5
|
||||
# SUMMARY
|
||||
# Postfix built-in header/body inspection
|
||||
# Postfix built-in content inspection
|
||||
# SYNOPSIS
|
||||
# \fBheader_checks = pcre:/etc/postfix/header_checks\fR
|
||||
# .br
|
||||
@ -16,8 +16,9 @@
|
||||
# .br
|
||||
# \fBpostmap -fq - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
|
||||
# DESCRIPTION
|
||||
# The Postfix \fBcleanup\fR(8) server supports access control
|
||||
# on the content of message headers and message body lines.
|
||||
# This document describes access control on the content of
|
||||
# message headers and message body lines; it is implemented
|
||||
# by the Postfix cleanup(8) server before mail is queued.
|
||||
# See \fBaccess\fR(5) for access control on remote SMTP client
|
||||
# information.
|
||||
#
|
||||
@ -84,16 +85,17 @@
|
||||
# .IP "\fBif /\fIpattern\fB/\fIflags\fR"
|
||||
# .IP "\fBendif\fR"
|
||||
# Match the input string against the patterns between \fBif\fR
|
||||
# and \fBendif\fR, if and only if the input string also matches
|
||||
# \fIpattern\fR. The \fBif\fR..\fBendif\fR can nest.
|
||||
# and \fBendif\fR, if and only if the same input string also
|
||||
# matches \fIpattern\fR. The \fBif\fR..\fBendif\fR can nest.
|
||||
# .sp
|
||||
# Note: do not prepend whitespace to patterns inside
|
||||
# \fBif\fR..\fBendif\fR.
|
||||
# .IP "\fBif !/\fIpattern\fB/\fIflags\fR"
|
||||
# .IP "\fBendif\fR"
|
||||
# Match the input string against the patterns between \fBif\fR
|
||||
# and \fBendif\fR, if and only if the input string does \fBnot\fR
|
||||
# match \fIpattern\fR. The \fBif\fR..\fBendif\fR can nest.
|
||||
# and \fBendif\fR, if and only if the same input string does
|
||||
# \fBnot\fR match \fIpattern\fR. The \fBif\fR..\fBendif\fR
|
||||
# can nest.
|
||||
# .IP "blank lines and comments"
|
||||
# Empty lines and whitespace-only lines are ignored, as
|
||||
# are lines whose first non-whitespace character is a `#'.
|
||||
@ -172,13 +174,13 @@
|
||||
# .sp
|
||||
# This feature is available in Postfix 2.1 and later.
|
||||
# .IP "\fBFILTER \fItransport:destination\fR"
|
||||
# Write a content filter request to the queue file and
|
||||
# Write a content filter request to the queue file, and
|
||||
# inspect the next input line.
|
||||
# After the complete message is received it will be sent through
|
||||
# the specified external content filter. More information about
|
||||
# external content filters is in the Postfix FILTER_README file.
|
||||
# .sp
|
||||
# Note: this action overrides the \fBmain.cf content_filter\fR setting,
|
||||
# Note: this action overrides the \fBcontent_filter\fR setting,
|
||||
# and affects all recipients of the message. In the case that multiple
|
||||
# \fBFILTER\fR actions fire, only the last one is executed.
|
||||
# .sp
|
||||
@ -203,10 +205,10 @@
|
||||
# .sp
|
||||
# This feature is available in Postfix 2.0 and later.
|
||||
# .IP \fBIGNORE\fR
|
||||
# Delete the current line from the input and inspect
|
||||
# Delete the current line from the input, and inspect
|
||||
# the next input line.
|
||||
# .IP "\fBPREPEND \fItext...\fR"
|
||||
# Prepend one line with the specified text and inspect the next
|
||||
# Prepend one line with the specified text, and inspect the next
|
||||
# input line.
|
||||
# .sp
|
||||
# Notes:
|
||||
@ -228,7 +230,7 @@
|
||||
# .IP
|
||||
# This feature is available in Postfix 2.1 and later.
|
||||
# .IP "\fBREDIRECT \fIuser@domain\fR"
|
||||
# Write a message redirection request to the queue file and
|
||||
# Write a message redirection request to the queue file, and
|
||||
# inspect the next input line. After the message is queued,
|
||||
# it will be sent to the specified address instead of the
|
||||
# intended recipient(s).
|
||||
@ -239,7 +241,7 @@
|
||||
# .sp
|
||||
# This feature is available in Postfix 2.1 and later.
|
||||
# .IP "\fBREPLACE \fItext...\fR"
|
||||
# Replace the current line with the specified text and inspect the next
|
||||
# Replace the current line with the specified text, and inspect the next
|
||||
# input line.
|
||||
# .sp
|
||||
# This feature is available in Postfix 2.2 and later. The
|
||||
@ -270,19 +272,25 @@
|
||||
# "5.7.1".
|
||||
# .IP "\fBWARN \fIoptional text...\fR
|
||||
# Log a warning with the \fIoptional text...\fR (or log a
|
||||
# generic message) and inspect the next input line. This
|
||||
# generic message), and inspect the next input line. This
|
||||
# action is useful for debugging and for testing a pattern
|
||||
# before applying more drastic actions.
|
||||
# BUGS
|
||||
# Many people overlook the main limitations of header and body_checks
|
||||
# rules. These rules operate on one logical message header or one body
|
||||
# line at a time, and a decision made for one line is not carried over
|
||||
# to the next line. If text in the message body is encoded
|
||||
# rules.
|
||||
# .IP \(bu
|
||||
# These rules operate on one logical message header or one body
|
||||
# line at a time. A decision made for one line is not carried over
|
||||
# to the next line.
|
||||
# .IP \(bu
|
||||
# If text in the message body is encoded
|
||||
# (RFC 2045) then the rules have to specified for the encoded
|
||||
# form. Likewise, when message headers are encoded (RFC
|
||||
# form.
|
||||
# .IP \(bu
|
||||
# Likewise, when message headers are encoded (RFC
|
||||
# 2047) then the rules need to be specified for the encoded
|
||||
# form.
|
||||
#
|
||||
# .PP
|
||||
# Message headers added by the \fBcleanup\fR(8) daemon itself
|
||||
# are excluded from inspection. Examples of such message headers
|
||||
# are \fBFrom:\fR, \fBTo:\fR, \fBMessage-ID:\fR, \fBDate:\fR.
|
||||
|
@ -340,7 +340,7 @@
|
||||
# .ti +4
|
||||
# terminal_result_attribute = maildrop
|
||||
#
|
||||
# This feature is available with Postfix >= 2.4.
|
||||
# This feature is available with Postfix 2.4 or later.
|
||||
# .IP "\fBleaf_result_attribute (default: empty)\fR"
|
||||
# When one or more special result attributes are found in a non-terminal
|
||||
# (see above) LDAP entry, leaf result attributes are excluded from the
|
||||
@ -368,7 +368,7 @@
|
||||
# leaf_result_attribute = mail
|
||||
# .in -4
|
||||
#
|
||||
# This feature is available with Postfix >= 2.4.
|
||||
# This feature is available with Postfix 2.4 or later.
|
||||
# .IP "\fBscope (default: sub)\fR"
|
||||
# The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR.
|
||||
# These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
|
||||
|
@ -2622,17 +2622,18 @@ Specify 0 when mail delivery should be tried only once.
|
||||
The maximal size in bytes of a message, including envelope information.
|
||||
</p>
|
||||
|
||||
%PARAM minimal_backoff_time version dependent
|
||||
%PARAM minimal_backoff_time 300s
|
||||
|
||||
<p>
|
||||
The minimal time between attempts to deliver a deferred message;
|
||||
prior to Postfix 2.4 the default value was 1000s.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
The minimal time between attempts to deliver a deferred message.
|
||||
This parameter also limits the time an unreachable destination is
|
||||
kept in the short-term, in-memory, destination status cache.
|
||||
</p>
|
||||
|
||||
<p> With Postfix 2.4 the default value was reduced from 1000s to
|
||||
300s. </p>
|
||||
|
||||
<p> This parameter should be set greater than or equal to
|
||||
$queue_run_delay. See also $maximal_backoff_time. </p>
|
||||
|
||||
@ -3076,14 +3077,11 @@ With Postfix versions 2.0 and earlier, a queue_minfree value of
|
||||
zero means there is no minimum required amount of free space.
|
||||
</p>
|
||||
|
||||
%PARAM queue_run_delay version dependent
|
||||
%PARAM queue_run_delay 300s
|
||||
|
||||
<p>
|
||||
The time between deferred queue scans by the queue manager.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
With Postfix 2.4 the default value was reduced from 1000s to 300s.
|
||||
The time between deferred queue scans by the queue manager;
|
||||
prior to Postfix 2.4 the default value was 1000s.
|
||||
</p>
|
||||
|
||||
<p> This parameter should be set less than or equal to
|
||||
@ -6491,8 +6489,8 @@ are calculated.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
This feature is implemented by the anvil(8) service which is not
|
||||
part of the stable Postfix version 2.1 release.
|
||||
This feature is implemented by the anvil(8) service which is available
|
||||
in Postfix version 2.2 and later.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
@ -9631,7 +9629,7 @@ and higher the optional "ciphers" attribute overrides the main.cf
|
||||
smtp_tls_mandatory_ciphers parameter and the optional "protocols"
|
||||
keyword overrides the main.cf smtp_tls_mandatory_protocols parameter.
|
||||
In the policy table, multiple protocols must be separated by colons,
|
||||
as attribute values may not contain whitespace or commas. </p>
|
||||
as attribute values may not contain whitespace or commas. </dd>
|
||||
|
||||
<dt><b>verify</b></dt> <dd>Mandatory TLS verification. At this security
|
||||
level, DNS MX lookups are trusted to be secure enough, and the name
|
||||
|
@ -91,6 +91,7 @@ static const char *dict_proxy_lookup(DICT *dict, const char *key)
|
||||
VSTREAM *stream;
|
||||
int status;
|
||||
int count = 0;
|
||||
int request_flags;
|
||||
|
||||
/*
|
||||
* The client and server live in separate processes that may start and
|
||||
@ -101,6 +102,8 @@ static const char *dict_proxy_lookup(DICT *dict, const char *key)
|
||||
*/
|
||||
VSTRING_RESET(dict_proxy->result);
|
||||
VSTRING_TERMINATE(dict_proxy->result);
|
||||
request_flags = (dict_proxy->in_flags & DICT_FLAG_RQST_MASK)
|
||||
| (dict->flags & DICT_FLAG_RQST_MASK);
|
||||
for (;;) {
|
||||
stream = clnt_stream_access(proxy_stream);
|
||||
errno = 0;
|
||||
@ -108,7 +111,7 @@ static const char *dict_proxy_lookup(DICT *dict, const char *key)
|
||||
if (attr_print(stream, ATTR_FLAG_NONE,
|
||||
ATTR_TYPE_STR, MAIL_ATTR_REQ, PROXY_REQ_LOOKUP,
|
||||
ATTR_TYPE_STR, MAIL_ATTR_TABLE, dict->name,
|
||||
ATTR_TYPE_INT, MAIL_ATTR_FLAGS, dict_proxy->in_flags,
|
||||
ATTR_TYPE_INT, MAIL_ATTR_FLAGS, request_flags,
|
||||
ATTR_TYPE_STR, MAIL_ATTR_KEY, key,
|
||||
ATTR_TYPE_END) != 0
|
||||
|| vstream_fflush(stream)
|
||||
@ -122,7 +125,7 @@ static const char *dict_proxy_lookup(DICT *dict, const char *key)
|
||||
if (msg_verbose)
|
||||
msg_info("%s: table=%s flags=%s key=%s -> status=%d result=%s",
|
||||
myname, dict->name,
|
||||
dict_flags_str(dict_proxy->in_flags), key,
|
||||
dict_flags_str(request_flags), key,
|
||||
status, STR(dict_proxy->result));
|
||||
switch (status) {
|
||||
case PROXY_STAT_BAD:
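Review bot: The new `request_flags` assignment ahead of the `for (;;)` loop merges two flag sources without a comment, and the reason is not evident from the code. Going by the changelog entry, `dict->flags` can change after the table is opened while `dict_proxy->in_flags` appears to hold the open-time value, so a comment such as `/* Merge open-time flags with the caller's current dict->flags; only DICT_FLAG_RQST_MASK bits go to the server. */` would record that. The value sent as `MAIL_ATTR_FLAGS` is now masked, where the old code sent `in_flags` whole. That looks intended but is worth stating, and the receiving side should presumably still mask what it gets rather than rely on the client. The body of dict_proxy_lookup continues outside these hunks.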
|
||||
|
@ -20,8 +20,8 @@
|
||||
* Patches change both the patchlevel and the release date. Snapshots have no
|
||||
* patchlevel; they change the release date only.
|
||||
*/
|
||||
#define MAIL_RELEASE_DATE "20070320"
|
||||
#define MAIL_VERSION_NUMBER "2.4.0-RC7"
|
||||
#define MAIL_RELEASE_DATE "20070323"
|
||||
#define MAIL_VERSION_NUMBER "2.4.0-RC8"
|
||||
|
||||
#ifdef SNAPSHOT
|
||||
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
|
||||
|
@ -161,9 +161,9 @@ MBOX *mbox_open(const char *path, int flags, mode_t mode, struct stat * st,
|
||||
*/
|
||||
if ((fp = safe_open(path, flags | O_NONBLOCK, mode, st,
|
||||
chown_uid, chown_gid, why->reason)) == 0) {
|
||||
dsb_status(why, mbox_dsn(errno, def_dsn));
|
||||
if (locked & MBOX_DOT_LOCK)
|
||||
dot_unlockfile(path);
|
||||
dsb_status(why, mbox_dsn(errno, def_dsn));
|
||||
return (0);
|
||||
}
|
||||
close_on_exec(vstream_fileno(fp), CLOSE_ON_EXEC);
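Review bot: The `dsb_status(why, mbox_dsn(errno, def_dsn))` call in the `safe_open()` failure branch depends on `errno` still holding the open error, and nothing in the code says so. The page prints the call both before and after `dot_unlockfile(path)`. Going by the changelog entry about a misleading error message, the new side presumably records the status first, before the unlock can overwrite `errno`. A comment such as `/* Record the safe_open() error before dot_unlockfile() can change errno. */` would keep a later cleanup from reordering the two statements. mbox_open starts and ends outside this hunk, so other failure paths with the same unlock-then-report shape could not be checked here.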
|
||||
|
@ -208,6 +208,12 @@
|
||||
#define NATIVE_NEWALIAS_PATH "/usr/bin/newaliases"
|
||||
#define NATIVE_COMMAND_DIR "/usr/sbin"
|
||||
#define NATIVE_DAEMON_DIR "/usr/libexec/postfix"
|
||||
|
||||
#ifndef NO_KQUEUE
|
||||
# define EVENTS_STYLE EVENTS_STYLE_KQUEUE
|
||||
# define USE_SYSV_POLL
|
||||
#endif
|
||||
|
||||
#endif
|
||||
|
||||
/*
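Review bot: `USE_SYSV_POLL` is defined inside the `#ifndef NO_KQUEUE` guard, so a build that sets `NO_KQUEUE` to opt out of kqueue also drops whatever `USE_SYSV_POLL` enables (presumably the poll()-based code), which the guard's name does not suggest. If that coupling is intended, a comment such as `/* NO_KQUEUE also disables USE_SYSV_POLL on this platform. */` would say so; if not, the `# define USE_SYSV_POLL` line belongs outside the guard. The enclosing platform `#if` starts outside the hunk, so which OS versions get `EVENTS_STYLE_KQUEUE` by default cannot be confirmed from here.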
|
||||
|