mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-22 09:57:34 +00:00
Code Issues Releases Wiki Activity

postfix-2.12-20140507

Browse Source
This commit is contained in:
Wietse Venema 2014-05-07 00:00:00 -05:00 committed by Viktor Dukhovni
parent 2cd314309b
commit 542b0c899e
27 changed files with 622 additions and 193 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
postfix/HISTORY
View File

@ -19605,8 +19605,8 @@ Apologies for any names omitted.
unusable; Don't leak dane handle when all TLSA records are
unusable. Viktor Dukhovni. File: smtp/smtp_tls_policy.c.
Cleanup: log TLS policy lookups as warnings. Viktor Dukhovni.
File: smtp/smtp_connect.c.
Cleanup: log TLS policy lookup errors as warnings. Viktor
Dukhovni. File: smtp/smtp_connect.c.
20140316
@ -19672,3 +19672,42 @@ Apologies for any names omitted.
proto/postconf.proto, global/mail_params.h, tls/tls_misc.c,
tls/tls_scache.h, tls/tls_server.c.
20140416
Cleanup: replace "~0 << positive" with "~0U << positive"
even if we use only the lower bytes. Jeffrey Walton. File:
util/mask_addr.c.
20140407
Documentation: the documentation for Postfix > 2.8 TLS
activity logging was incorrect. Loglevel 0 produces no
logging. Instead, information is logged only with loglevel
1 or higher. Viktor Dukhovni. Files: proto/TLS_README.html,
proto/postconf.proto.
20140501
Cleanup: postcreen_dnsbl_timeout parameter. Files:
mantools/postlink, proto/postconf.proto, global/mail_params.h,
postscreen/postscreen.c, postscreen/postscreen_dnsbl.c.
Cleanup: added table search order information to the
postconf(5) manpage. File: proto/postconf.proto.
20140505
Cleanup: added a client port attribute to the policy
delegation protocol. Jernej Porenta. File: smtpd/smtpd_check.c.
20140507
Bugfix (introduced: Postfix 2.11): with connection caching
enabled (the default), recipients could be given to the
wrong mail server. Root cause: due to an incorrect predicate,
the Postfix SMTP client could save and restore plaintext
connections that should not be cached, under nonsensical
lookup keys that did not distinguish by destination. Problem
reported by Sahil Tandon, predicate error found by Viktor,
redundant connection restore request eliminated by Wietse.
File: smtp/smtp_connect.c.

2
postfix/README_FILES/POSTSCREEN_README
View File

@ -623,7 +623,7 @@ mail:
/etc/postfix/dnsbl_reply:
# Secret DNSBL name Name in postscreen(8) replies
secret.zen.spamhaus.org zen.spamhaus.org
secret.zen.dq.spamhaus.net zen.spamhaus.org
The texthash: format is similar to hash: except that there is no need to
run postmap(1) before the file can be used, and that it does not detect

1
postfix/README_FILES/SMTPD_ACCESS_README
View File

@ -146,6 +146,7 @@ Examples of simple restriction lists are:
# (available with Postfix 2.10 and later).
reject_unauth_destination
reject_rbl_client zen.spamhaus.org,
reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org

50
postfix/README_FILES/TLS_README
View File

@ -247,27 +247,25 @@ To get additional information about Postfix SMTP server TLS activity you can
increase the log level from 0..4. Each logging level also includes the
information that is logged at a lower logging level.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|0 |Log only a summary message on TLS |Disable logging of TLS activity.|
| |handshake completion -- no logging| |
| |of client certificate trust-chain | |
| |verification errors if client | |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|0 |Disable logging of TLS activity. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|1 |Log only a summary message on TLS |Log the summary message, peer |
| |handshake completion -- no logging|certificate summary information|
| |of client certificate trust-chain |and unconditionally log trust- |
| |verification errors if client |chain verification errors. |
| |certificate verification is not | |
| |required. | |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|1 |Also log trust-chain verification |Also log TLS handshake and |
| |errors and peer certificate |certificate information. |
| |summary information. | |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|2 |Also log levels during TLS negotiation. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|4 |Also log hexadecimal and ASCII dump of complete transmission after|
| |STARTTLS. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
Use log level 3 only in case of problems. Use of log level 4 is strongly
discouraged.
@ -1321,27 +1319,25 @@ To get additional information about Postfix SMTP client TLS activity you can
increase the loglevel from 0..4. Each logging level also includes the
information that is logged at a lower logging level.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|0 |Log only a summary message on TLS |Disable logging of TLS activity.|
| |handshake completion -- no logging| |
| |of remote SMTP server certificate | |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|0 |Disable logging of TLS activity. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|1 |Log only a summary message on TLS |Log the summary message and |
| |handshake completion -- no logging|unconditionally log trust-chain|
| |of remote SMTP server certificate |verification errors. |
| |trust-chain verification errors if| |
| |server certificate verification is| |
| |not required. | |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|1 |Also log remote SMTP server trust-|Also log TLS handshake and |
| |chain verification errors and peer|certificate information. |
| |certificate summary information. | |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|2 |Also log levels during TLS negotiation. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|4 |Also log hexadecimal and ASCII dump of complete transmission after|
| |STARTTLS. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
Example:

2
postfix/html/POSTSCREEN_README.html
View File

@ -873,7 +873,7 @@ For example: </p>
<pre>
/etc/postfix/dnsbl_reply:
# Secret DNSBL name Name in <a href="postscreen.8.html">postscreen(8)</a> replies
secret.zen.spamhaus.org zen.spamhaus.org
secret.zen.dq.spamhaus.net zen.spamhaus.org
</pre>
<p> The <a href="DATABASE_README.html#types">texthash</a>: format is similar to <a href="DATABASE_README.html#types">hash</a>: except that there is

1
postfix/html/SMTPD_ACCESS_README.html
View File

@ -202,6 +202,7 @@ described in the <a href="postconf.5.html">postconf(5)</a> manual page. </p>
# (available with Postfix 2.10 and later).
<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
<a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> zen.spamhaus.org,
<a href="postconf.5.html#reject_rhsbl_reverse_client">reject_rhsbl_reverse_client</a> dbl.spamhaus.org,
<a href="postconf.5.html#reject_rhsbl_helo">reject_rhsbl_helo</a> dbl.spamhaus.org,
<a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> dbl.spamhaus.org

32
postfix/html/TLS_README.html
View File

@ -384,16 +384,15 @@ logging level. </p>
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr>
<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
logging of TLS activity. </td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
message on TLS handshake completion &mdash; no logging of client
certificate trust-chain verification errors if client certificate
verification is not required. </td> <td valign="top"> Disable logging
of TLS activity.</td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Also log trust-chain
verification errors and peer certificate summary information. </td>
<td valign="top"> Also log TLS handshake and certificate information.
</td> </tr>
verification is not required. </td> <td valign="top"> Log the summary
message, peer certificate summary information and unconditionally log
trust-chain verification errors. </td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr>
@ -1750,16 +1749,15 @@ logging level. </p>
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr>
<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
message on TLS handshake completion &mdash; no logging of remote
SMTP server certificate trust-chain verification errors if server
certificate verification is not required. </td> <td valign="top">
Disable logging of TLS activity.</td> </tr>
<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
logging of TLS activity. </td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Also log remote
SMTP server trust-chain verification errors and peer certificate
summary information. </td> <td valign="top"> Also log TLS handshake
and certificate information. </td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
message on TLS handshake completion &mdash; no logging of remote SMTP
server certificate trust-chain verification errors if server certificate
verification is not required. </td> <td valign="top"> Log the summary
message and unconditionally log trust-chain verification errors.
</td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr>

12
postfix/html/dnsblog.8.html
View File

@ -19,12 +19,12 @@ DNSBLOG(8) DNSBLOG(8)
<b>PROTOCOL</b>
With each connection, the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server receives a DNS white/black-
list domain name, IP address, and an ID. If the address is listed
under the DNS white/blacklist, the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server logs the match and
replies with the query arguments plus an address list with the result-
ing IP addresses separated by whitespace. Otherwise it replies with
the query arguments plus an empty address list. Finally, The <a href="dnsblog.8.html"><b>dns-</b></a>
<a href="dnsblog.8.html"><b>blog</b>(8)</a> server closes the connection.
list domain name, an IP address, and an ID. If the IP address is
listed under the DNS white/blacklist, the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server logs the
match and replies with the query arguments plus an address list with
the resulting IP addresses separated by whitespace. Otherwise it
replies with the query arguments plus an empty address list. Finally,
The <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server closes the connection.
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8).

206
postfix/html/postconf.5.html
View File

@ -559,6 +559,10 @@ Examples:
<p>
The alias databases that are used for <a href="local.8.html">local(8)</a> delivery. See
<a href="aliases.5.html">aliases(5)</a> for syntax details.
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
Note: these lookups are recursive.
</p>
<p>
@ -1343,6 +1347,13 @@ are documented in <a href="canonical.5.html">canonical(5)</a>. For an overview o
manipulations see the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document.
</p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
Note: these lookups are recursive.
</p>
<p>
If you use this feature, run "<b>postmap /etc/postfix/canonical</b>" to
build the necessary DBM or DB file after every change. The changes
@ -5346,6 +5357,12 @@ Technically, tables listed with $<a href="postconf.5.html#local_recipient_maps">
lists: Postfix needs to know only if a lookup string is found or
not, but it does not use the result from table lookup. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p>
If this parameter is non-empty (the default), then the Postfix SMTP
server will reject mail for unknown local users.
@ -5742,6 +5759,12 @@ is: aliases, .forward files, <a href="postconf.5.html#mailbox_transport_maps">ma
<a href="postconf.5.html#mailbox_command_maps">mailbox_command_maps</a>, <a href="postconf.5.html#mailbox_command">mailbox_command</a>, <a href="postconf.5.html#home_mailbox">home_mailbox</a>, <a href="postconf.5.html#mail_spool_directory">mail_spool_directory</a>,
<a href="postconf.5.html#fallback_transport_maps">fallback_transport_maps</a>, <a href="postconf.5.html#fallback_transport">fallback_transport</a> and <a href="postconf.5.html#luser_relay">luser_relay</a>. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
</DD>
@ -5816,6 +5839,12 @@ is: aliases, .forward files, <a href="postconf.5.html#mailbox_transport_maps">ma
<a href="postconf.5.html#mailbox_command_maps">mailbox_command_maps</a>, <a href="postconf.5.html#mailbox_command">mailbox_command</a>, <a href="postconf.5.html#home_mailbox">home_mailbox</a>, <a href="postconf.5.html#mail_spool_directory">mail_spool_directory</a>,
<a href="postconf.5.html#fallback_transport_maps">fallback_transport_maps</a>, <a href="postconf.5.html#fallback_transport">fallback_transport</a> and <a href="postconf.5.html#luser_relay">luser_relay</a>. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p> For safety reasons, this feature does not allow $number
substitutions in regular expression maps. </p>
@ -7550,6 +7579,18 @@ parameter. </p>
<p> This feature is available in Postfix 2.8. </p>
</DD>
<DT><b><a name="postscreen_dnsbl_timeout">postscreen_dnsbl_timeout</a>
(default: 10s)</b></DT><DD>
<p> The time limit for DNSBL or DNSWL lookups. This is separate from
the timeouts in the <a href="dnsblog.8.html">dnsblog(8)</a> daemon which are defined by system
resolver(3) routines. </p>
<p> This feature is available in Postfix 2.12. </p>
</DD>
<DT><b><a name="postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>
@ -8157,6 +8198,11 @@ Example:
<p>
The lookup tables that the <a href="proxymap.8.html">proxymap(8)</a> server is allowed to
access for the read-only service.
</p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma.
Table references that don't begin with <a href="proxymap.8.html">proxy</a>: are ignored.
</p>
@ -8584,7 +8630,9 @@ supported) is added when mail enters from outside of Postfix.
</p>
<p>
This feature is available in Postfix 2.1 and later.
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p>
@ -8610,11 +8658,6 @@ equals $<a href="postconf.5.html#myorigin">myorigin</a>, $<a href="postconf.5.ht
</ul>
<p>
Specify the types and names of databases to use. After change,
run "<b>postmap /etc/postfix/recipient_bcc</b>".
</p>
<p>
Note: with Postfix 2.3 and later the BCC address is added as if it
was specified with NOTIFY=NONE. The sender will not be notified
@ -8640,6 +8683,14 @@ Example:
<a href="postconf.5.html#recipient_bcc_maps">recipient_bcc_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/recipient_bcc
</pre>
<p>
After a change, run "<b>postmap /etc/postfix/recipient_bcc</b>".
</p>
<p>
This feature is available in Postfix 2.1 and later.
</p>
</DD>
@ -8728,7 +8779,7 @@ Examples:
<pre>
# Handle both Postfix and qmail extensions (Postfix 2.11 and later).
recipient_delimiters = +-
<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> = +-
</pre>
<pre>
@ -8900,6 +8951,12 @@ listed with $<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps
to know only if a lookup string is found or not, but it does not
use the result from table lookup. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p>
If this parameter is non-empty, then the Postfix SMTP server will reject
mail to unknown relay users. This feature is off by default.
@ -9007,6 +9064,12 @@ domains that no longer exist. The table format and lookups are
documented in <a href="relocated.5.html">relocated(5)</a>.
</p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p>
If you use this feature, run "<b>postmap /etc/postfix/relocated</b>" to
build the necessary DBM or DB file after change, then "<b>postfix
@ -9239,7 +9302,9 @@ by sender address. The BCC address (multiple results are not
supported) is added when mail enters from outside of Postfix. </p>
<p>
This feature is available in Postfix 2.1 and later.
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p>
@ -9265,11 +9330,6 @@ equals $<a href="postconf.5.html#myorigin">myorigin</a>, $<a href="postconf.5.ht
</ul>
<p>
Specify the types and names of databases to use. After change,
run "<b>postmap /etc/postfix/sender_bcc</b>".
</p>
<p>
Note: with Postfix 2.3 and later the BCC address is added as if it
was specified with NOTIFY=NONE. The sender will not be notified
@ -9295,6 +9355,14 @@ Example:
<a href="postconf.5.html#sender_bcc_maps">sender_bcc_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sender_bcc
</pre>
<p>
After a change, run "<b>postmap /etc/postfix/sender_bcc</b>".
</p>
<p>
This feature is available in Postfix 2.1 and later.
</p>
</DD>
@ -9352,6 +9420,12 @@ address and @domain. A lookup result of DUNNO terminates the search
without overriding the global <a href="postconf.5.html#default_transport">default_transport</a> parameter setting.
This information is overruled with the <a href="transport.5.html">transport(5)</a> table. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p> Note: this overrides <a href="postconf.5.html#default_transport">default_transport</a>, not <a href="postconf.5.html#transport_maps">transport_maps</a>, and
therefore the expected syntax is that of <a href="postconf.5.html#default_transport">default_transport</a>, not the
syntax of <a href="postconf.5.html#transport_maps">transport_maps</a>. Specifically, this does not support the
@ -9377,6 +9451,12 @@ later). This information is overruled with <a href="postconf.5.html#relay_transp
<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>, <a href="postconf.5.html#default_transport">default_transport</a> and with
the <a href="transport.5.html">transport(5)</a> table. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p> For safety reasons, this feature does not allow $number
substitutions in regular expression maps. </p>
@ -9930,6 +10010,12 @@ remote SMTP server. See <a href="postconf.5.html#smtp_discard_ehlo_keywords">smt
table is not indexed by hostname for consistency with
<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p> This feature is available in Postfix 2.2 and later. </p>
@ -10146,6 +10232,12 @@ This is needed when the local machine does not have its own Internet
domain name, but uses something like <i>localdomain.local</i>
instead. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p> The table format and lookups are documented in <a href="generic.5.html">generic(5)</a>;
examples are shown in the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> and
<a href="STANDARD_CONFIGURATION_README.html">STANDARD_CONFIGURATION_README</a> documents. </p>
@ -10406,6 +10498,12 @@ per-destination workarounds for CISCO PIX firewall bugs. The table
is not indexed by hostname for consistency with
<a href="postconf.5.html#smtp_discard_ehlo_keyword_address_maps">smtp_discard_ehlo_keyword_address_maps</a>. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p> This feature is available in Postfix 2.4 and later. </p>
@ -10751,6 +10849,12 @@ The Postfix SMTP client opens the lookup table before going to
chroot jail, so you can leave the password file in /etc/postfix.
</p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
</DD>
@ -11505,14 +11609,13 @@ a lower logging level. </p>
<dl compact>
<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
&mdash; no logging of remote SMTP server certificate trust-chain
verification errors if server certificate verification is not required.
With Postfix 2.8 and earlier, disable logging of TLS activity. </dd>
<dt> </dt> <dd> 1 Also log remote SMTP server trust-chain verification
errors and peer certificate summary information. With Postfix 2.8
and earlier, log TLS handshake and certificate information. </dd>
With Postfix 2.8 and earlier, log the summary message and unconditionally
log trust-chain verification errors. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
@ -11796,6 +11899,12 @@ this overrides the obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls
<a href="TLS_README.html">TLS_README</a> for a more detailed discussion of TLS security levels.
</p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p> The TLS policy table is indexed by the full next-hop destination,
which is either the recipient domain, or the verbatim next-hop
specified in the transport table, $<a href="postconf.5.html#local_transport">local_transport</a>, $<a href="postconf.5.html#virtual_transport">virtual_transport</a>,
@ -13379,7 +13488,13 @@ case insensitive lists of EHLO keywords (pipelining, starttls, auth,
etc.) that the Postfix SMTP server will not send in the EHLO response
to a
remote SMTP client. See <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> for details.
The table is not searched by hostname for robustness reasons. </p>
The tables are not searched by hostname for robustness reasons. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p> This feature is available in Postfix 2.2 and later. </p>
@ -14214,7 +14329,7 @@ non-permanent error code. This feature is available in Postfix
<dd>Reject the request when Postfix is not final destination for
the recipient domain, and the RCPT TO domain has 1) no DNS MX and
no DNS address
no DNS A
record or 2) a malformed MX record such as a record with
a zero-length MX hostname (Postfix version 2.3 and later). <br> The
<a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> parameter specifies the numerical
@ -14814,7 +14929,9 @@ Optional lookup table with the SASL login names that own sender
</p>
<p>
Specify zero or more "<a href="DATABASE_README.html">type:table</a>" lookup tables. With lookups from
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found. With lookups from
indexed files such as DB or DBM, or from networked tables such as
NIS, LDAP or SQL, the following search operations are done with a
sender address of <i>user@domain</i>: </p>
@ -14948,7 +15065,7 @@ Postfix version 2.1 and later. </dd>
<dd>Reject the request when Postfix is not final destination for
the sender address, and the MAIL FROM domain has 1) no DNS MX and
no DNS address
no DNS A
record, or 2) a malformed MX record such as a record with
a zero-length MX hostname (Postfix version 2.3 and later). <br> The
<a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> parameter specifies the numerical
@ -15700,15 +15817,13 @@ a lower logging level. </p>
<dl compact>
<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
&mdash; no logging of remote SMTP client certificate trust-chain verification
errors
if client certificate verification is not required. With Postfix 2.8
and earlier, disable logging of TLS activity. </dd>
<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
<dt> </dt> <dd> 1 Also log trust-chain verification errors and peer
certificate name and issuer. With Postfix 2.8 and earlier, log TLS
handshake and certificate information. </dd>
<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
&mdash; no logging of client certificate trust-chain verification errors
if client certificate verification is not required. With Postfix 2.8 and
earlier, log the summary message, peer certificate summary information
and unconditionally log trust-chain verification errors. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
@ -17650,7 +17765,9 @@ for details.
</p>
<p>
Specify zero or more "<a href="DATABASE_README.html">type:table</a>" lookup tables. If you use this
Specify zero or more "<a href="DATABASE_README.html">type:table</a>" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found. If you use this
feature with local files, run "<b>postmap /etc/postfix/transport</b>"
after making a change. </p>
@ -18226,6 +18343,13 @@ This feature is available in Postfix 2.0 and later. The default
value is backwards compatible with Postfix version 1.1.
</p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
Note: these lookups are recursive.
</p>
<p>
If you use this feature with indexed files, run "<b>postmap
/etc/postfix/virtual</b>" after changing the file.
@ -18311,6 +18435,12 @@ delivery.
It does not apply when mail is delivered with a different mail
delivery program. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p>
In a lookup table, specify a left-hand side of "@domain.tld" to
match any user in the specified domain that does not have a specific
@ -18440,6 +18570,12 @@ Optional lookup tables with all valid addresses in the domains that
match $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.
</p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p>
In a lookup table, specify a left-hand side of "@domain.tld" to
match any user in the specified domain that does not have a specific
@ -18547,6 +18683,12 @@ delivery agent uses while writing to the recipient's mailbox.
It does not apply when mail is delivered with a different mail
delivery program. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p>
In a lookup table, specify a left-hand side of "@domain.tld"
to match any user in the specified domain that does not have a

5
postfix/html/postscreen.8.html
View File

@ -228,6 +228,11 @@ POSTSCREEN(8) POSTSCREEN(8)
greeting" protocol tests, based on its combined DNSBL score as
defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#postscreen_dnsbl_timeout">postscreen_dnsbl_timeout</a> (10s)</b>
The time limit for DNSBL or DNSWL lookups.
<b>AFTER 220 GREETING TESTS</b>
These tests are executed after the remote SMTP client receives the "220
servername" greeting. If a client passes all tests during this phase,

152
postfix/man/man5/postconf.5
View File

@ -305,6 +305,10 @@ alias_database = hash:/etc/mail/aliases
.SH alias_maps (default: see "postconf -d" output)
The alias databases that are used for \fBlocal\fR(8) delivery. See
\fBaliases\fR(5) for syntax details.
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
Note: these lookups are recursive.
.PP
The default list is system dependent. On systems with NIS, the
default is to search the local alias database, then the NIS alias
@ -765,6 +769,11 @@ login names by Firstname.Lastname. The table format and lookups
are documented in \fBcanonical\fR(5). For an overview of Postfix address
manipulations see the ADDRESS_REWRITING_README document.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
Note: these lookups are recursive.
.PP
If you use this feature, run "\fBpostmap /etc/postfix/canonical\fR" to
build the necessary DBM or DB file after every change. The changes
will become visible after a minute or so. Use "\fBpostfix reload\fR"
@ -3123,6 +3132,10 @@ Technically, tables listed with $local_recipient_maps are used as
lists: Postfix needs to know only if a lookup string is found or
not, but it does not use the result from table lookup.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
.PP
If this parameter is non-empty (the default), then the Postfix SMTP
server will reject mail for unknown local users.
.PP
@ -3382,6 +3395,10 @@ The precedence of \fBlocal\fR(8) delivery features from high to low
is: aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
fallback_transport_maps, fallback_transport and luser_relay.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
.SH mailbox_delivery_lock (default: see "postconf -d" output)
How to lock a UNIX-style \fBlocal\fR(8) mailbox before attempting delivery.
For a list of available file locking methods, use the "\fBpostconf
@ -3421,6 +3438,10 @@ is: aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
fallback_transport_maps, fallback_transport and luser_relay.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
.PP
For safety reasons, this feature does not allow $number
substitutions in regular expression maps.
.PP
@ -4580,6 +4601,12 @@ its combined DNSBL score as defined with the postscreen_dnsbl_sites
parameter.
.PP
This feature is available in Postfix 2.8.
.SH postscreen_dnsbl_timeout (default: 10s)
The time limit for DNSBL or DNSWL lookups. This is separate from
the timeouts in the \fBdnsblog\fR(8) daemon which are defined by system
\fBresolver\fR(3) routines.
.PP
This feature is available in Postfix 2.12.
.SH postscreen_dnsbl_ttl (default: 1h)
The amount of time that \fBpostscreen\fR(8) will use the result from
a successful DNS blocklist test. During this time, the client IP address
@ -4964,6 +4991,9 @@ proxy_interfaces = 1.2.3.4
.SH proxy_read_maps (default: see "postconf -d" output)
The lookup tables that the \fBproxymap\fR(8) server is allowed to
access for the read-only service.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma.
Table references that don't begin with proxy: are ignored.
.PP
This feature is available in Postfix 2.0 and later.
@ -5175,7 +5205,9 @@ Optional BCC (blind carbon-copy) address lookup tables, indexed by
recipient address. The BCC address (multiple results are not
supported) is added when mail enters from outside of Postfix.
.PP
This feature is available in Postfix 2.1 and later.
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
.PP
The table search order is as follows:
.IP \(bu
@ -5195,9 +5227,6 @@ equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.
Look up the "@domain.tld" part.
.br
.PP
Specify the types and names of databases to use. After change,
run "\fBpostmap /etc/postfix/recipient_bcc\fR".
.PP
Note: with Postfix 2.3 and later the BCC address is added as if it
was specified with NOTIFY=NONE. The sender will not be notified
when the BCC address is undeliverable, as long as all down-stream
@ -5220,6 +5249,10 @@ recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
.fi
.ad
.ft R
.PP
After a change, run "\fBpostmap /etc/postfix/recipient_bcc\fR".
.PP
This feature is available in Postfix 2.1 and later.
.SH recipient_canonical_classes (default: envelope_recipient, header_recipient)
What addresses are subject to recipient_canonical_maps address
mapping. By default, recipient_canonical_maps address mapping is
@ -5291,7 +5324,7 @@ recipient_delimiter = +
.na
.ft C
# Handle both Postfix and qmail extensions (Postfix 2.11 and later).
recipient_delimiters = +-
recipient_delimiter = +-
.fi
.ad
.ft R
@ -5416,6 +5449,10 @@ listed with $relay_recipient_maps are used as lists: Postfix needs
to know only if a lookup string is found or not, but it does not
use the result from table lookup.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
.PP
If this parameter is non-empty, then the Postfix SMTP server will reject
mail to unknown relay users. This feature is off by default.
.PP
@ -5485,6 +5522,10 @@ Optional lookup tables with new contact information for users or
domains that no longer exist. The table format and lookups are
documented in \fBrelocated\fR(5).
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
.PP
If you use this feature, run "\fBpostmap /etc/postfix/relocated\fR" to
build the necessary DBM or DB file after change, then "\fBpostfix
reload\fR" to make the changes visible.
@ -5646,7 +5687,9 @@ Optional BCC (blind carbon-copy) address lookup tables, indexed
by sender address. The BCC address (multiple results are not
supported) is added when mail enters from outside of Postfix.
.PP
This feature is available in Postfix 2.1 and later.
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
.PP
The table search order is as follows:
.IP \(bu
@ -5666,9 +5709,6 @@ equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.
Look up the "@domain.tld" part.
.br
.PP
Specify the types and names of databases to use. After change,
run "\fBpostmap /etc/postfix/sender_bcc\fR".
.PP
Note: with Postfix 2.3 and later the BCC address is added as if it
was specified with NOTIFY=NONE. The sender will not be notified
when the BCC address is undeliverable, as long as all down-stream
@ -5691,6 +5731,10 @@ sender_bcc_maps = hash:/etc/postfix/sender_bcc
.fi
.ad
.ft R
.PP
After a change, run "\fBpostmap /etc/postfix/sender_bcc\fR".
.PP
This feature is available in Postfix 2.1 and later.
.SH sender_canonical_classes (default: envelope_sender, header_sender)
What addresses are subject to sender_canonical_maps address
mapping. By default, sender_canonical_maps address mapping is
@ -5726,6 +5770,10 @@ address and @domain. A lookup result of DUNNO terminates the search
without overriding the global default_transport parameter setting.
This information is overruled with the \fBtransport\fR(5) table.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
.PP
Note: this overrides default_transport, not transport_maps, and
therefore the expected syntax is that of default_transport, not the
syntax of transport_maps. Specifically, this does not support the
@ -5745,6 +5793,10 @@ later). This information is overruled with relay_transport,
sender_dependent_default_transport_maps, default_transport and with
the \fBtransport\fR(5) table.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
.PP
For safety reasons, this feature does not allow $number
substitutions in regular expression maps.
.PP
@ -6081,6 +6133,10 @@ remote SMTP server. See smtp_discard_ehlo_keywords for details. The
table is not indexed by hostname for consistency with
smtpd_discard_ehlo_keyword_address_maps.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
.PP
This feature is available in Postfix 2.2 and later.
.SH smtp_discard_ehlo_keywords (default: empty)
A case insensitive list of EHLO keywords (pipelining, starttls,
@ -6246,6 +6302,10 @@ This is needed when the local machine does not have its own Internet
domain name, but uses something like \fIlocaldomain.local\fR
instead.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
.PP
The table format and lookups are documented in \fBgeneric\fR(5);
examples are shown in the ADDRESS_REWRITING_README and
STANDARD_CONFIGURATION_README documents.
@ -6385,6 +6445,10 @@ per-destination workarounds for CISCO PIX firewall bugs. The table
is not indexed by hostname for consistency with
smtp_discard_ehlo_keyword_address_maps.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
.PP
This feature is available in Postfix 2.4 and later.
.SH smtp_pix_workaround_threshold_time (default: 500s)
How long a message must be queued before the Postfix SMTP client
@ -6633,6 +6697,10 @@ attempt to authenticate to the remote host.
.PP
The Postfix SMTP client opens the lookup table before going to
chroot jail, so you can leave the password file in /etc/postfix.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
.SH smtp_sasl_path (default: empty)
Implementation-specific information that the Postfix SMTP client
passes through to
@ -7244,15 +7312,14 @@ Enable additional Postfix SMTP client logging of TLS activity.
Each logging level also includes the information that is logged at
a lower logging level.
.IP ""
0 Log only a summary message on TLS handshake completion
- no logging of remote SMTP server certificate trust-chain
verification errors if server certificate verification is not required.
With Postfix 2.8 and earlier, disable logging of TLS activity.
0 Disable logging of TLS activity.
.br
.IP ""
1 Also log remote SMTP server trust-chain verification
errors and peer certificate summary information. With Postfix 2.8
and earlier, log TLS handshake and certificate information.
1 Log only a summary message on TLS handshake completion
- no logging of remote SMTP server certificate trust-chain
verification errors if server certificate verification is not required.
With Postfix 2.8 and earlier, log the summary message and unconditionally
log trust-chain verification errors.
.br
.IP ""
2 Also log levels during TLS negotiation.
@ -7512,6 +7579,10 @@ policy by next-hop destination; when a non-empty value is specified,
this overrides the obsolete smtp_tls_per_site parameter. See
TLS_README for a more detailed discussion of TLS security levels.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
.PP
The TLS policy table is indexed by the full next-hop destination,
which is either the recipient domain, or the verbatim next-hop
specified in the transport table, $local_transport, $virtual_transport,
@ -8878,7 +8949,11 @@ case insensitive lists of EHLO keywords (pipelining, starttls, auth,
etc.) that the Postfix SMTP server will not send in the EHLO response
to a
remote SMTP client. See smtpd_discard_ehlo_keywords for details.
The table is not searched by hostname for robustness reasons.
The tables are not searched by hostname for robustness reasons.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_discard_ehlo_keywords (default: empty)
@ -9445,7 +9520,7 @@ non-permanent error code. This feature is available in Postfix
.IP "\fBreject_unknown_recipient_domain\fR"
Reject the request when Postfix is not final destination for
the recipient domain, and the RCPT TO domain has 1) no DNS MX and
no DNS address
no DNS A
record or 2) a malformed MX record such as a record with
a zero-length MX hostname (Postfix version 2.3 and later).
.br
@ -9916,7 +9991,9 @@ This feature is available in Postfix 2.3 and later.
Optional lookup table with the SASL login names that own sender
(MAIL FROM) addresses.
.PP
Specify zero or more "type:table" lookup tables. With lookups from
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found. With lookups from
indexed files such as DB or DBM, or from networked tables such as
NIS, LDAP or SQL, the following search operations are done with a
sender address of \fIuser@domain\fR:
@ -10019,7 +10096,7 @@ Postfix version 2.1 and later.
.IP "\fBreject_unknown_sender_domain\fR"
Reject the request when Postfix is not final destination for
the sender address, and the MAIL FROM domain has 1) no DNS MX and
no DNS address
no DNS A
record, or 2) a malformed MX record such as a record with
a zero-length MX hostname (Postfix version 2.3 and later).
.br
@ -10680,16 +10757,14 @@ Enable additional Postfix SMTP server logging of TLS activity.
Each logging level also includes the information that is logged at
a lower logging level.
.IP ""
0 Log only a summary message on TLS handshake completion
- no logging of remote SMTP client certificate trust-chain verification
errors
if client certificate verification is not required. With Postfix 2.8
and earlier, disable logging of TLS activity.
0 Disable logging of TLS activity.
.br
.IP ""
1 Also log trust-chain verification errors and peer
certificate name and issuer. With Postfix 2.8 and earlier, log TLS
handshake and certificate information.
1 Log only a summary message on TLS handshake completion
- no logging of client certificate trust-chain verification errors
if client certificate verification is not required. With Postfix 2.8 and
earlier, log the summary message, peer certificate summary information
and unconditionally log trust-chain verification errors.
.br
.IP ""
2 Also log levels during TLS negotiation.
@ -12031,7 +12106,9 @@ Optional lookup tables with mappings from recipient address to
(message delivery transport, next-hop destination). See \fBtransport\fR(5)
for details.
.PP
Specify zero or more "type:table" lookup tables. If you use this
Specify zero or more "type:table" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found. If you use this
feature with local files, run "\fBpostmap /etc/postfix/transport\fR"
after making a change.
.PP
@ -12361,6 +12438,11 @@ manipulations see the ADDRESS_REWRITING_README document.
This feature is available in Postfix 2.0 and later. The default
value is backwards compatible with Postfix version 1.1.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
Note: these lookups are recursive.
.PP
If you use this feature with indexed files, run "\fBpostmap
/etc/postfix/virtual\fR" after changing the file.
.PP
@ -12410,6 +12492,10 @@ This parameter is specific to the \fBvirtual\fR(8) delivery agent.
It does not apply when mail is delivered with a different mail
delivery program.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
.PP
In a lookup table, specify a left-hand side of "@domain.tld" to
match any user in the specified domain that does not have a specific
"user@domain.tld" entry.
@ -12488,6 +12574,10 @@ Note 2: the default setting of this parameter is system dependent.
Optional lookup tables with all valid addresses in the domains that
match $virtual_mailbox_domains.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
.PP
In a lookup table, specify a left-hand side of "@domain.tld" to
match any user in the specified domain that does not have a specific
"user@domain.tld" entry.
@ -12551,6 +12641,10 @@ This parameter is specific to the \fBvirtual\fR(8) delivery agent.
It does not apply when mail is delivered with a different mail
delivery program.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
.PP
In a lookup table, specify a left-hand side of "@domain.tld"
to match any user in the specified domain that does not have a
specific "user@domain.tld" entry.

4
postfix/man/man8/dnsblog.8
View File

@ -22,8 +22,8 @@ replaced by an UDP client that is built directly into the
.ad
.fi
With each connection, the \fBdnsblog\fR(8) server receives
a DNS white/blacklist domain name, IP address, and an ID.
If the address is listed under the DNS white/blacklist, the
a DNS white/blacklist domain name, an IP address, and an ID.
If the IP address is listed under the DNS white/blacklist, the
\fBdnsblog\fR(8) server logs the match and replies with the
query arguments plus an address list with the resulting IP
addresses separated by whitespace. Otherwise it replies

4
postfix/man/man8/postscreen.8
View File

@ -248,6 +248,10 @@ Available in Postfix version 2.11 and later:
Allow a remote SMTP client to skip "before" and "after 220
greeting" protocol tests, based on its combined DNSBL score as
defined with the postscreen_dnsbl_sites parameter.
.PP
Available in Postfix version 2.11 and later:
.IP "\fBpostscreen_dnsbl_timeout (10s)\fR"
The time limit for DNSBL or DNSWL lookups.
.SH "AFTER 220 GREETING TESTS"
.na
.nf

1
postfix/mantools/postlink
View File

@ -988,6 +988,7 @@ while (<>) {
s;\bpostscreen_dnsbl_whitelist_thresh[-</bB>]*\n* *[<bB>]*old\b;<a href="postconf.5.html#postscreen_dnsbl_whitelist_threshold">$&</a>;g;
s;\bpostscreen_dnsbl_action\b;<a href="postconf.5.html#postscreen_dnsbl_action">$&</a>;g;
s;\bpostscreen_dnsbl_ttl\b;<a href="postconf.5.html#postscreen_dnsbl_ttl">$&</a>;g;
s;\bpostscreen_dnsbl_timeout\b;<a href="postconf.5.html#postscreen_dnsbl_timeout">$&</a>;g;
s;\bpostscreen_for[-</bB>]*\n*[ <bB>]*bid[-</bB>]*\n* *[<bB>]*den_commands\b;<a href="postconf.5.html#postscreen_forbidden_commands">$&</a>;g;
s;\bpostscreen_helo_required\b;<a href="postconf.5.html#postscreen_helo_required">$&</a>;g;
s;\bpostscreen_non_smtp_command_enable\b;<a href="postconf.5.html#postscreen_non_smtp_command_enable">$&</a>;g;

2
postfix/proto/POSTSCREEN_README.html
View File

@ -873,7 +873,7 @@ For example: </p>
<pre>
/etc/postfix/dnsbl_reply:
# Secret DNSBL name Name in postscreen(8) replies
secret.zen.spamhaus.org zen.spamhaus.org
secret.zen.dq.spamhaus.net zen.spamhaus.org
</pre>
<p> The texthash: format is similar to hash: except that there is

1
postfix/proto/SMTPD_ACCESS_README.html
View File

@ -202,6 +202,7 @@ described in the postconf(5) manual page. </p>
# (available with Postfix 2.10 and later).
reject_unauth_destination
reject_rbl_client zen.spamhaus.org,
reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org

32
postfix/proto/TLS_README.html
View File

@ -384,16 +384,15 @@ logging level. </p>
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr>
<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
logging of TLS activity. </td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
message on TLS handshake completion &mdash; no logging of client
certificate trust-chain verification errors if client certificate
verification is not required. </td> <td valign="top"> Disable logging
of TLS activity.</td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Also log trust-chain
verification errors and peer certificate summary information. </td>
<td valign="top"> Also log TLS handshake and certificate information.
</td> </tr>
verification is not required. </td> <td valign="top"> Log the summary
message, peer certificate summary information and unconditionally log
trust-chain verification errors. </td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr>
@ -1750,16 +1749,15 @@ logging level. </p>
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr>
<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
message on TLS handshake completion &mdash; no logging of remote
SMTP server certificate trust-chain verification errors if server
certificate verification is not required. </td> <td valign="top">
Disable logging of TLS activity.</td> </tr>
<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
logging of TLS activity. </td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Also log remote
SMTP server trust-chain verification errors and peer certificate
summary information. </td> <td valign="top"> Also log TLS handshake
and certificate information. </td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
message on TLS handshake completion &mdash; no logging of remote SMTP
server certificate trust-chain verification errors if server certificate
verification is not required. </td> <td valign="top"> Log the summary
message and unconditionally log trust-chain verification errors.
</td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr>

201
postfix/proto/postconf.proto
View File

@ -481,6 +481,10 @@ alias_database = hash:/etc/mail/aliases
<p>
The alias databases that are used for local(8) delivery. See
aliases(5) for syntax details.
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
Note: these lookups are recursive.
</p>
<p>
@ -794,6 +798,13 @@ are documented in canonical(5). For an overview of Postfix address
manipulations see the ADDRESS_REWRITING_README document.
</p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
Note: these lookups are recursive.
</p>
<p>
If you use this feature, run "<b>postmap /etc/postfix/canonical</b>" to
build the necessary DBM or DB file after every change. The changes
@ -2301,6 +2312,12 @@ Technically, tables listed with $local_recipient_maps are used as
lists: Postfix needs to know only if a lookup string is found or
not, but it does not use the result from table lookup. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p>
If this parameter is non-empty (the default), then the Postfix SMTP
server will reject mail for unknown local users.
@ -3426,7 +3443,9 @@ supported) is added when mail enters from outside of Postfix.
</p>
<p>
This feature is available in Postfix 2.1 and later.
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p>
@ -3452,11 +3471,6 @@ equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.
</ul>
<p>
Specify the types and names of databases to use. After change,
run "<b>postmap /etc/postfix/recipient_bcc</b>".
</p>
<p>
Note: with Postfix 2.3 and later the BCC address is added as if it
was specified with NOTIFY=NONE. The sender will not be notified
@ -3482,6 +3496,14 @@ Example:
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
</pre>
<p>
After a change, run "<b>postmap /etc/postfix/recipient_bcc</b>".
</p>
<p>
This feature is available in Postfix 2.1 and later.
</p>
%PARAM recipient_canonical_maps
<p>
@ -3546,7 +3568,7 @@ recipient_delimiter = +
<pre>
# Handle both Postfix and qmail extensions (Postfix 2.11 and later).
recipient_delimiters = +-
recipient_delimiter = +-
</pre>
<pre>
@ -3619,6 +3641,12 @@ listed with $relay_recipient_maps are used as lists: Postfix needs
to know only if a lookup string is found or not, but it does not
use the result from table lookup. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p>
If this parameter is non-empty, then the Postfix SMTP server will reject
mail to unknown relay users. This feature is off by default.
@ -3687,6 +3715,12 @@ domains that no longer exist. The table format and lookups are
documented in relocated(5).
</p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p>
If you use this feature, run "<b>postmap /etc/postfix/relocated</b>" to
build the necessary DBM or DB file after change, then "<b>postfix
@ -3749,7 +3783,9 @@ by sender address. The BCC address (multiple results are not
supported) is added when mail enters from outside of Postfix. </p>
<p>
This feature is available in Postfix 2.1 and later.
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p>
@ -3775,11 +3811,6 @@ equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.
</ul>
<p>
Specify the types and names of databases to use. After change,
run "<b>postmap /etc/postfix/sender_bcc</b>".
</p>
<p>
Note: with Postfix 2.3 and later the BCC address is added as if it
was specified with NOTIFY=NONE. The sender will not be notified
@ -3805,6 +3836,14 @@ Example:
sender_bcc_maps = hash:/etc/postfix/sender_bcc
</pre>
<p>
After a change, run "<b>postmap /etc/postfix/sender_bcc</b>".
</p>
<p>
This feature is available in Postfix 2.1 and later.
</p>
%PARAM sender_canonical_maps
<p>
@ -4405,6 +4444,12 @@ The Postfix SMTP client opens the lookup table before going to
chroot jail, so you can leave the password file in /etc/postfix.
</p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
%PARAM smtp_sasl_security_options noplaintext, noanonymous
<p> Postfix SMTP client SASL security options; as of Postfix 2.3
@ -5897,7 +5942,7 @@ non-permanent error code. This feature is available in Postfix
<dd>Reject the request when Postfix is not final destination for
the recipient domain, and the RCPT TO domain has 1) no DNS MX and
no DNS address
no DNS A
record or 2) a malformed MX record such as a record with
a zero-length MX hostname (Postfix version 2.3 and later). <br> The
unknown_address_reject_code parameter specifies the numerical
@ -6226,7 +6271,9 @@ Optional lookup table with the SASL login names that own sender
</p>
<p>
Specify zero or more "type:table" lookup tables. With lookups from
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found. With lookups from
indexed files such as DB or DBM, or from networked tables such as
NIS, LDAP or SQL, the following search operations are done with a
sender address of <i>user@domain</i>: </p>
@ -6356,7 +6403,7 @@ Postfix version 2.1 and later. </dd>
<dd>Reject the request when Postfix is not final destination for
the sender address, and the MAIL FROM domain has 1) no DNS MX and
no DNS address
no DNS A
record, or 2) a malformed MX record such as a record with
a zero-length MX hostname (Postfix version 2.3 and later). <br> The
unknown_address_reject_code parameter specifies the numerical
@ -6565,7 +6612,9 @@ for details.
</p>
<p>
Specify zero or more "type:table" lookup tables. If you use this
Specify zero or more "type:table" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found. If you use this
feature with local files, run "<b>postmap /etc/postfix/transport</b>"
after making a change. </p>
@ -6823,6 +6872,13 @@ This feature is available in Postfix 2.0 and later. The default
value is backwards compatible with Postfix version 1.1.
</p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
Note: these lookups are recursive.
</p>
<p>
If you use this feature with indexed files, run "<b>postmap
/etc/postfix/virtual</b>" after changing the file.
@ -7651,6 +7707,12 @@ is: aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
fallback_transport_maps, fallback_transport and luser_relay. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
%PARAM mailbox_delivery_lock see "postconf -d" output
<p>
@ -7872,6 +7934,11 @@ This is a read-only parameter.
<p>
The lookup tables that the proxymap(8) server is allowed to
access for the read-only service.
</p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma.
Table references that don't begin with proxy: are ignored.
</p>
@ -8493,6 +8560,12 @@ delivery.
It does not apply when mail is delivered with a different mail
delivery program. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p>
In a lookup table, specify a left-hand side of "@domain.tld" to
match any user in the specified domain that does not have a specific
@ -8602,6 +8675,12 @@ Optional lookup tables with all valid addresses in the domains that
match $virtual_mailbox_domains.
</p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p>
In a lookup table, specify a left-hand side of "@domain.tld" to
match any user in the specified domain that does not have a specific
@ -8684,6 +8763,12 @@ delivery agent uses while writing to the recipient's mailbox.
It does not apply when mail is delivered with a different mail
delivery program. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p>
In a lookup table, specify a left-hand side of "@domain.tld"
to match any user in the specified domain that does not have a
@ -8789,6 +8874,12 @@ remote SMTP server. See smtp_discard_ehlo_keywords for details. The
table is not indexed by hostname for consistency with
smtpd_discard_ehlo_keyword_address_maps. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p> This feature is available in Postfix 2.2 and later. </p>
%PARAM smtpd_discard_ehlo_keyword_address_maps
@ -8798,7 +8889,13 @@ case insensitive lists of EHLO keywords (pipelining, starttls, auth,
etc.) that the Postfix SMTP server will not send in the EHLO response
to a
remote SMTP client. See smtpd_discard_ehlo_keywords for details.
The table is not searched by hostname for robustness reasons. </p>
The tables are not searched by hostname for robustness reasons. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p> This feature is available in Postfix 2.2 and later. </p>
@ -9129,15 +9226,13 @@ a lower logging level. </p>
<dl compact>
<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
&mdash; no logging of remote SMTP client certificate trust-chain verification
errors
if client certificate verification is not required. With Postfix 2.8
and earlier, disable logging of TLS activity. </dd>
<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
<dt> </dt> <dd> 1 Also log trust-chain verification errors and peer
certificate name and issuer. With Postfix 2.8 and earlier, log TLS
handshake and certificate information. </dd>
<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
&mdash; no logging of client certificate trust-chain verification errors
if client certificate verification is not required. With Postfix 2.8 and
earlier, log the summary message, peer certificate summary information
and unconditionally log trust-chain verification errors. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
@ -9553,14 +9648,13 @@ a lower logging level. </p>
<dl compact>
<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
&mdash; no logging of remote SMTP server certificate trust-chain
verification errors if server certificate verification is not required.
With Postfix 2.8 and earlier, disable logging of TLS activity. </dd>
<dt> </dt> <dd> 1 Also log remote SMTP server trust-chain verification
errors and peer certificate summary information. With Postfix 2.8
and earlier, log TLS handshake and certificate information. </dd>
With Postfix 2.8 and earlier, log the summary message and unconditionally
log trust-chain verification errors. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
@ -9937,6 +10031,12 @@ This is needed when the local machine does not have its own Internet
domain name, but uses something like <i>localdomain.local</i>
instead. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p> The table format and lookups are documented in generic(5);
examples are shown in the ADDRESS_REWRITING_README and
STANDARD_CONFIGURATION_README documents. </p>
@ -10062,6 +10162,12 @@ later). This information is overruled with relay_transport,
sender_dependent_default_transport_maps, default_transport and with
the transport(5) table. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p> For safety reasons, this feature does not allow $number
substitutions in regular expression maps. </p>
@ -10467,6 +10573,12 @@ is: aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
fallback_transport_maps, fallback_transport and luser_relay. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p> For safety reasons, this feature does not allow $number
substitutions in regular expression maps. </p>
@ -10637,6 +10749,12 @@ this overrides the obsolete smtp_tls_per_site parameter. See
TLS_README for a more detailed discussion of TLS security levels.
</p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p> The TLS policy table is indexed by the full next-hop destination,
which is either the recipient domain, or the verbatim next-hop
specified in the transport table, $local_transport, $virtual_transport,
@ -11830,6 +11948,12 @@ per-destination workarounds for CISCO PIX firewall bugs. The table
is not indexed by hostname for consistency with
smtp_discard_ehlo_keyword_address_maps. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p> This feature is available in Postfix 2.4 and later. </p>
%PARAM lmtp_pix_workarounds
@ -13856,6 +13980,12 @@ address and @domain. A lookup result of DUNNO terminates the search
without overriding the global default_transport parameter setting.
This information is overruled with the transport(5) table. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace of comma. Tables will be searched in the specified order
until a match is found.
</p>
<p> Note: this overrides default_transport, not transport_maps, and
therefore the expected syntax is that of default_transport, not the
syntax of transport_maps. Specifically, this does not support the
@ -14179,6 +14309,13 @@ the file is read). </p>
<p> This feature is available in Postfix 2.8. </p>
%PARAM postscreen_dnsbl_timeout 10s
<p> The time limit for DNSBL or DNSWL lookups. This is separate from
the timeouts in the dnsblog(8) daemon which are defined by system
resolver(3) routines. </p>
<p> This feature is available in Postfix 2.12. </p>
%PARAM postscreen_bare_newline_action ignore
<p> The action that postscreen(8) takes when a remote SMTP client sends

4
postfix/src/dnsblog/dnsblog.c
View File

@ -14,8 +14,8 @@
/* .ad
/* .fi
/* With each connection, the \fBdnsblog\fR(8) server receives
/* a DNS white/blacklist domain name, IP address, and an ID.
/* If the address is listed under the DNS white/blacklist, the
/* a DNS white/blacklist domain name, an IP address, and an ID.
/* If the IP address is listed under the DNS white/blacklist, the
/* \fBdnsblog\fR(8) server logs the match and replies with the
/* query arguments plus an address list with the resulting IP
/* addresses separated by whitespace. Otherwise it replies

4
postfix/src/global/mail_params.h
View File

@ -3447,6 +3447,10 @@ extern int var_psc_dnsbl_ttl;
#define DEF_PSC_DNSBL_REPLY ""
extern char *var_psc_dnsbl_reply;
#define VAR_PSC_DNSBL_TMOUT "postscreen_dnsbl_timeout"
#define DEF_PSC_DNSBL_TMOUT "10s"
extern int var_psc_dnsbl_tmout;
#define VAR_PSC_PIPEL_ENABLE "postscreen_pipelining_enable"
#define DEF_PSC_PIPEL_ENABLE 0
extern bool var_psc_pipel_enable;

2
postfix/src/global/mail_version.h
View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20140406"
#define MAIL_RELEASE_DATE "20140507"
#define MAIL_VERSION_NUMBER "2.12"
#ifdef SNAPSHOT

7
postfix/src/postscreen/postscreen.c
View File

@ -220,6 +220,10 @@
/* Allow a remote SMTP client to skip "before" and "after 220
/* greeting" protocol tests, based on its combined DNSBL score as
/* defined with the postscreen_dnsbl_sites parameter.
/* .PP
/* Available in Postfix version 2.11 and later:
/* .IP "\fBpostscreen_dnsbl_timeout (10s)\fR"
/* The time limit for DNSBL or DNSWL lookups.
/* AFTER 220 GREETING TESTS
/* .ad
/* .fi
@ -473,6 +477,7 @@ int var_psc_dnsbl_thresh;
int var_psc_dnsbl_wthresh;
char *var_psc_dnsbl_action;
int var_psc_dnsbl_ttl;
int var_psc_dnsbl_tmout;
bool var_psc_pipel_enable;
char *var_psc_pipel_action;
@ -1122,6 +1127,8 @@ int main(int argc, char **argv)
VAR_PSC_CACHE_SCAN, DEF_PSC_CACHE_SCAN, &var_psc_cache_scan, 0, 0,
VAR_PSC_WATCHDOG, DEF_PSC_WATCHDOG, &var_psc_watchdog, 10, 0,
VAR_PSC_UPROXY_TMOUT, DEF_PSC_UPROXY_TMOUT, &var_psc_uproxy_tmout, 1, 0,
VAR_PSC_DNSBL_TMOUT, DEF_PSC_DNSBL_TMOUT, &var_psc_dnsbl_tmout, 1, 0,
0,
};
static const CONFIG_BOOL_TABLE bool_table[] = {

5
postfix/src/postscreen/postscreen_dnsbl.c
View File

@ -86,7 +86,6 @@
/*
* Talking to the DNSBLOG service.
*/
#define DNSBLOG_TIMEOUT 10
static char *psc_dnsbl_service;
/*
@ -425,7 +424,7 @@ static void psc_dnsbl_receive(int event, char *context)
PSC_CALL_BACK_NOTIFY(score, PSC_NULL_EVENT);
} else if (event == EVENT_TIME) {
msg_warn("dnsblog reply timeout %ds for %s",
DNSBLOG_TIMEOUT, (char *) vstream_context(stream));
var_psc_dnsbl_tmout, (char *) vstream_context(stream));
}
/* Here, score may be a null pointer. */
vstream_fclose(stream);
@ -521,7 +520,7 @@ int psc_dnsbl_request(const char *client_addr,
continue;
}
PSC_READ_EVENT_REQUEST(vstream_fileno(stream), psc_dnsbl_receive,
(char *) stream, DNSBLOG_TIMEOUT);
(char *) stream, var_psc_dnsbl_tmout);
score->pending_lookups += 1;
}
return (PSC_CALL_BACK_INDEX_OF_LAST(score));

2
postfix/src/smtp/smtp.h
View File

@ -195,7 +195,7 @@ typedef struct SMTP_STATE {
STR((state)->iterator->request_nexthop)[0] = 0; \
}
#define HAVE_NEXTHOP_STATE(state) (STR((state)->iterator->request_nexthop) != 0)
#define HAVE_NEXTHOP_STATE(state) (STR((state)->iterator->request_nexthop)[0] != 0)
/*

1
postfix/src/smtp/smtp_connect.c
View File

@ -666,6 +666,7 @@ static int smtp_reuse_session(SMTP_STATE *state, DNS_RR **addr_list,
#endif
SMTP_ITER_SAVE_DEST(state->iterator);
if (*addr_list && SMTP_RCPT_LEFT(state) > 0
&& HAVE_NEXTHOP_STATE(state)
&& (session = smtp_reuse_nexthop(state, SMTP_KEY_MASK_SCACHE_DEST_LABEL)) != 0) {
session_count = 1;
smtp_update_addr_list(addr_list, STR(iter->addr), session_count);

1
postfix/src/smtpd/smtpd_check.c
View File

@ -3616,6 +3616,7 @@ static int check_policy_service(SMTPD_STATE *state, const char *server,
ATTR_TYPE_STR, MAIL_ATTR_ACT_PROTO_NAME, state->protocol,
ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, state->addr,
ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_NAME, state->name,
ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_PORT, state->port,
ATTR_TYPE_STR, MAIL_ATTR_ACT_REVERSE_CLIENT_NAME,
state->reverse_name,
ATTR_TYPE_STR, MAIL_ATTR_ACT_HELO_NAME,

2
postfix/src/util/mask_addr.c
View File

@ -61,7 +61,7 @@ void mask_addr(unsigned char *addr_bytes,
network_bits %= CHAR_BIT;
if (network_bits != 0)
*p++ &= ~0 << (CHAR_BIT - network_bits);
*p++ &= ~0U << (CHAR_BIT - network_bits);
while (p < addr_bytes + addr_byte_count)
*p++ = 0;