
postfix-2.12-20140223

This commit is contained in:
Wietse Venema 2014-02-23 00:00:00 -05:00 committed by Viktor Dukhovni
parent b36a31ca30
commit 6605bfc21d
18 changed files with 428 additions and 316 deletions


@ -19559,14 +19559,32 @@ Apologies for any names omitted.
Workaround: require that a queue file is older than Workaround: require that a queue file is older than
$minimal_backoff_time, before falling back from failed TLS $minimal_backoff_time, before falling back from failed TLS
(both during or after the TLS handshake) to plaintext to plaintext (both during or after the TLS handshake).
delivery. Viktor Dukhovni. Files: smtp/smtp.h, smtp/smtp.c, Viktor Dukhovni. Files: smtp/smtp.h, smtp/smtp.c,
smtp/lmtp_params.c, smtp/smtp_params.c. smtp/lmtp_params.c, smtp/smtp_params.c.
20140219 20140220
Workaround: disable the fallback to plaintext when all Workaround: in case "minimal_backoff_time = $queue_run_delay".
recipients have already been bounced or deferred. This Files: smtp/smtp.c, smtp/smtp_params.c, smtp/lmtp_params.c.
happens for example when TLS breaks after the TLS handshake
while talking to the "final" SMTP server. Wietse and Viktor. Cleanup: consolidate the code to log the start of a new
Files: smtp/smtp.h. mail transaction in one place, so that code can easily be
added to log TLS status information in addition to the
existing client and SASL status information. Files:
smtpd/smtpd_sasl_proto.h, smtpd/smtpd_sasl_proto.c,
smtpd/smtpd.c.
20140223
Workaround: when a session breaks after the TLS handshake,
do not fall back from TLS to plaintext when all recipients
were deferred or rejected during the TLS phase. Files:
smtp/smtp.h, smtp/smtp_rcpt.c.
Logging: the TLS client logged that an "Untrusted" TLS
connection was established instead of "Anonymous".
Viktor Dukhovni. File: tls/tls_client.c.
Documentation: new self-signed certificate example and
updated private CA example. File: proto/TLS_README.html.


@ -2011,12 +2011,37 @@ key certificates of remote hosts.
In the examples below, user input is shown in bboolldd font, and a "#" prompt In the examples below, user input is shown in bboolldd font, and a "#" prompt
indicates a super-user shell. indicates a super-user shell.
* Become your own Certificate Authority, so that you can sign your own public * Self-signed server certificate.
keys. This example uses the CA.pl script that ships with OpenSSL. On some
systems, OpenSSL installs this as /usr/local/ssl/misc/CA.pl. Some systems * Private Certificate Authority.
install this as part of a package named openssl-perl or something similar.
The script creates a private key in ./demoCA/private/cakey.pem and a public SSeellff--ssiiggnneedd sseerrvveerr cceerrttiiffiiccaattee
key in ./demoCA/cacert.pem.
The following commands (credits: Viktor Dukhovni) generate and install a
private key and 10-year self-signed certificate for the local Postfix system.
This requires super-user privileges.
# dir="$(postconf -h config_directory)"
# fqdn=$(postconf -h myhostname)
# ymd=$(date +%Y-%m-%d)
# key="${dir}/key-${ymd}.pem"; rm -f "${key}"
# cert="${dir}/cert-${ymd}.pem"; rm -f "${cert}"
# (umask 077; openssl genrsa -out "${key}" 2048) &&
openssl req -new -key "${key}" \
-x509 -subj "/CN=${fqdn}" -days 3650 -out "${cert}" &&
postconf -e \
"smtpd_tls_cert_file = ${cert}" \
"smtpd_tls_key_file = ${key}"
PPrriivvaattee CCeerrttiiffiiccaattee AAuutthhoorriittyy
* Become your own Certificate Authority, so that you can sign your own
certificates, and so that your own systems can authenticate certificates
from your own CA. This example uses the CA.pl script that ships with
OpenSSL. On some systems, OpenSSL installs this as /usr/local/openssl/misc/
CA.pl. Some systems install this as part of a package named openssl-perl or
something similar. The script creates a private key in ./demoCA/private/
cakey.pem and a public key in ./demoCA/cacert.pem.
% //uussrr//llooccaall//ssssll//mmiisscc//CCAA..ppll --nneewwccaa % //uussrr//llooccaall//ssssll//mmiisscc//CCAA..ppll --nneewwccaa
CA certificate filename (or enter to create) CA certificate filename (or enter to create)
@ -2032,8 +2057,7 @@ indicates a super-user shell.
* Create an unpassworded private key for host foo.porcupine.org and create an * Create an unpassworded private key for host foo.porcupine.org and create an
unsigned public key certificate. unsigned public key certificate.
% ooppeennssssll rreeqq --nneeww --nnooddeess --kkeeyyoouutt ffoooo--kkeeyy..ppeemm --oouutt ffoooo--rreeqq..ppeemm --ddaayyss % ooppeennssssll rreeqq --nneeww --nnooddeess --kkeeyyoouutt ffoooo--kkeeyy..ppeemm --oouutt ffoooo--rreeqq..ppeemm
336655
Using configuration from /etc/ssl/openssl.cnf Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key Generating a 1024 bit RSA private key
........................................++++++ ........................................++++++
@ -2065,7 +2089,7 @@ indicates a super-user shell.
* Sign the public key certificate for host foo.porcupine.org with the * Sign the public key certificate for host foo.porcupine.org with the
Certification Authority private key that we created a few steps ago. Certification Authority private key that we created a few steps ago.
% ooppeennssssll ccaa --oouutt ffoooo--cceerrtt..ppeemm --iinnffiilleess ffoooo--rreeqq..ppeemm % ooppeennssssll ccaa --oouutt ffoooo--cceerrtt..ppeemm --ddaayyss 336655 --iinnffiilleess ffoooo--rreeqq..ppeemm
Using configuration from /etc/ssl/openssl.cnf Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:wwhhaatteevveerr Enter PEM pass phrase:wwhhaatteevveerr
Check that the request matches the signature Check that the request matches the signature
@ -2089,6 +2113,10 @@ indicates a super-user shell.
Certification Authority certificate files. This requires super-user Certification Authority certificate files. This requires super-user
privileges. privileges.
The following commands assume that the key and certificate will be
installed for the local Postfix MTA. You will need to adjust the commands
if the Postfix MTA is on a different host.
# ccpp ddeemmooCCAA//ccaacceerrtt..ppeemm ffoooo--kkeeyy..ppeemm ffoooo--cceerrtt..ppeemm //eettcc//ppoossttffiixx # ccpp ddeemmooCCAA//ccaacceerrtt..ppeemm ffoooo--kkeeyy..ppeemm ffoooo--cceerrtt..ppeemm //eettcc//ppoossttffiixx
# cchhmmoodd 664444 //eettcc//ppoossttffiixx//ffoooo--cceerrtt..ppeemm //eettcc//ppoossttffiixx//ccaacceerrtt..ppeemm # cchhmmoodd 664444 //eettcc//ppoossttffiixx//ffoooo--cceerrtt..ppeemm //eettcc//ppoossttffiixx//ccaacceerrtt..ppeemm
# cchhmmoodd 440000 //eettcc//ppoossttffiixx//ffoooo--kkeeyy..ppeemm # cchhmmoodd 440000 //eettcc//ppoossttffiixx//ffoooo--kkeeyy..ppeemm


@ -2635,10 +2635,44 @@ font, and a "<tt>#</tt>" prompt indicates a super-user shell. </p>
<ul> <ul>
<li> <p> <a name="#self-signed">Self-signed server certificate</a>.</p>
<li> <p> <a name="#private-ca">Private Certificate Authority</a>. </p>
</ul>
<h3><a name="self-signed">Self-signed server certificate</a></h3>
<p> The following commands (credits: Viktor Dukhovni) generate
and install a private key and 10-year self-signed certificate for
the local Postfix system. This requires super-user privileges. </p>
<blockquote>
<pre>
# dir="$(postconf -h <a href="postconf.5.html#config_directory">config_directory</a>)"
# fqdn=$(postconf -h <a href="postconf.5.html#myhostname">myhostname</a>)
# ymd=$(date +%Y-%m-%d)
# key="${dir}/key-${ymd}.pem"; rm -f "${key}"
# cert="${dir}/cert-${ymd}.pem"; rm -f "${cert}"
# (umask 077; openssl genrsa -out "${key}" 2048) &&
openssl req -new -key "${key}" \
-x509 -subj "/CN=${fqdn}" -days 3650 -out "${cert}" &&
postconf -e \
"<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = ${cert}" \
"<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> = ${key}"
</pre>
</blockquote>
<h3><a name="private-ca">Private Certificate Authority</a></h3>
<ul>
<li> <p> Become your own Certificate Authority, so that you can <li> <p> Become your own Certificate Authority, so that you can
sign your own public keys. This example uses the CA.pl script that sign your own certificates, and so that your own systems can
ships with OpenSSL. On some systems, OpenSSL installs this as authenticate certificates from your own CA. This example uses the
<tt>/usr/local/ssl/misc/CA.pl</tt>. Some systems install this as CA.pl script that ships with OpenSSL. On some systems, OpenSSL
installs this as <tt>/usr/local/openssl/misc/CA.pl</tt>. Some systems
install this as
part of a package named <tt>openssl-perl</tt> or something similar. part of a package named <tt>openssl-perl</tt> or something similar.
The script creates a private key in <tt>./demoCA/private/cakey.pem</tt> The script creates a private key in <tt>./demoCA/private/cakey.pem</tt>
and a public key in <tt>./demoCA/cacert.pem</tt>.</p> and a public key in <tt>./demoCA/cacert.pem</tt>.</p>
@ -2663,7 +2697,7 @@ an unsigned public key certificate. </p>
<blockquote> <blockquote>
<pre> <pre>
% <b>openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365</b> % <b>openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem</b>
Using configuration from /etc/ssl/openssl.cnf Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key Generating a 1024 bit RSA private key
........................................++++++ ........................................++++++
@ -2698,7 +2732,7 @@ steps ago. </p>
<blockquote> <blockquote>
<pre> <pre>
% <b>openssl ca -out foo-cert.pem -infiles foo-req.pem</b> % <b>openssl ca -out foo-cert.pem -days 365 -infiles foo-req.pem</b>
Using configuration from /etc/ssl/openssl.cnf Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:<b>whatever</b> Enter PEM pass phrase:<b>whatever</b>
Check that the request matches the signature Check that the request matches the signature
@ -2724,6 +2758,10 @@ Data Base Updated
and the Certification Authority certificate files. This requires and the Certification Authority certificate files. This requires
super-user privileges. </p> super-user privileges. </p>
<p> The following commands assume that the key and certificate will
be installed for the local Postfix MTA. You will need to adjust the
commands if the Postfix MTA is on a different host. </p>
<blockquote> <blockquote>
<pre> <pre>
# <b>cp demoCA/cacert.pem foo-key.pem foo-cert.pem /etc/postfix</b> # <b>cp demoCA/cacert.pem foo-key.pem foo-cert.pem /etc/postfix</b>


@ -219,9 +219,10 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2.9 and later: Available in Postfix version 2.2.9 and later:
<b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b> <b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b>
Allow DNS CNAME records to override the servername that the When the remote SMTP servername is a DNS CNAME, replace the
Postfix SMTP client uses for logging, SASL password lookup, TLS servername with the result from CNAME expansion for the purpose
policy decisions, or TLS certificate verification. of logging, SASL password lookup, TLS policy decisions, or TLS
certificate verification.
Available in Postfix version 2.3 and later: Available in Postfix version 2.3 and later:


@ -219,9 +219,10 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2.9 and later: Available in Postfix version 2.2.9 and later:
<b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b> <b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b>
Allow DNS CNAME records to override the servername that the When the remote SMTP servername is a DNS CNAME, replace the
Postfix SMTP client uses for logging, SASL password lookup, TLS servername with the result from CNAME expansion for the purpose
policy decisions, or TLS certificate verification. of logging, SASL password lookup, TLS policy decisions, or TLS
certificate verification.
Available in Postfix version 2.3 and later: Available in Postfix version 2.3 and later:


@ -217,8 +217,9 @@ a globally valid address when sending mail across the Internet.
.PP .PP
Available in Postfix version 2.2.9 and later: Available in Postfix version 2.2.9 and later:
.IP "\fBsmtp_cname_overrides_servername (version dependent)\fR" .IP "\fBsmtp_cname_overrides_servername (version dependent)\fR"
Allow DNS CNAME records to override the servername that the When the remote SMTP servername is a DNS CNAME, replace the
Postfix SMTP client uses for logging, SASL password lookup, TLS servername with the result from CNAME expansion for the purpose of
logging, SASL password lookup, TLS
policy decisions, or TLS certificate verification. policy decisions, or TLS certificate verification.
.PP .PP
Available in Postfix version 2.3 and later: Available in Postfix version 2.3 and later:


@ -2635,10 +2635,44 @@ font, and a "<tt>#</tt>" prompt indicates a super-user shell. </p>
<ul> <ul>
<li> <p> <a name="#self-signed">Self-signed server certificate</a>.</p>
<li> <p> <a name="#private-ca">Private Certificate Authority</a>. </p>
</ul>
<h3><a name="self-signed">Self-signed server certificate</a></h3>
<p> The following commands (credits: Viktor Dukhovni) generate
and install a private key and 10-year self-signed certificate for
the local Postfix system. This requires super-user privileges. </p>
<blockquote>
<pre>
# dir="$(postconf -h config_directory)"
# fqdn=$(postconf -h myhostname)
# ymd=$(date +%Y-%m-%d)
# key="${dir}/key-${ymd}.pem"; rm -f "${key}"
# cert="${dir}/cert-${ymd}.pem"; rm -f "${cert}"
# (umask 077; openssl genrsa -out "${key}" 2048) &&
openssl req -new -key "${key}" \
-x509 -subj "/CN=${fqdn}" -days 3650 -out "${cert}" &&
postconf -e \
"smtpd_tls_cert_file = ${cert}" \
"smtpd_tls_key_file = ${key}"
</pre>
</blockquote>
<h3><a name="private-ca">Private Certificate Authority</a></h3>
<ul>
<li> <p> Become your own Certificate Authority, so that you can <li> <p> Become your own Certificate Authority, so that you can
sign your own public keys. This example uses the CA.pl script that sign your own certificates, and so that your own systems can
ships with OpenSSL. On some systems, OpenSSL installs this as authenticate certificates from your own CA. This example uses the
<tt>/usr/local/ssl/misc/CA.pl</tt>. Some systems install this as CA.pl script that ships with OpenSSL. On some systems, OpenSSL
installs this as <tt>/usr/local/openssl/misc/CA.pl</tt>. Some systems
install this as
part of a package named <tt>openssl-perl</tt> or something similar. part of a package named <tt>openssl-perl</tt> or something similar.
The script creates a private key in <tt>./demoCA/private/cakey.pem</tt> The script creates a private key in <tt>./demoCA/private/cakey.pem</tt>
and a public key in <tt>./demoCA/cacert.pem</tt>.</p> and a public key in <tt>./demoCA/cacert.pem</tt>.</p>
@ -2663,7 +2697,7 @@ an unsigned public key certificate. </p>
<blockquote> <blockquote>
<pre> <pre>
% <b>openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365</b> % <b>openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem</b>
Using configuration from /etc/ssl/openssl.cnf Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key Generating a 1024 bit RSA private key
........................................++++++ ........................................++++++
@ -2698,7 +2732,7 @@ steps ago. </p>
<blockquote> <blockquote>
<pre> <pre>
% <b>openssl ca -out foo-cert.pem -infiles foo-req.pem</b> % <b>openssl ca -out foo-cert.pem -days 365 -infiles foo-req.pem</b>
Using configuration from /etc/ssl/openssl.cnf Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:<b>whatever</b> Enter PEM pass phrase:<b>whatever</b>
Check that the request matches the signature Check that the request matches the signature
@ -2724,6 +2758,10 @@ Data Base Updated
and the Certification Authority certificate files. This requires and the Certification Authority certificate files. This requires
super-user privileges. </p> super-user privileges. </p>
<p> The following commands assume that the key and certificate will
be installed for the local Postfix MTA. You will need to adjust the
commands if the Postfix MTA is on a different host. </p>
<blockquote> <blockquote>
<pre> <pre>
# <b>cp demoCA/cacert.pem foo-key.pem foo-cert.pem /etc/postfix</b> # <b>cp demoCA/cacert.pem foo-key.pem foo-cert.pem /etc/postfix</b>


@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20140219" #define MAIL_RELEASE_DATE "20140223"
#define MAIL_VERSION_NUMBER "2.12" #define MAIL_VERSION_NUMBER "2.12"
#ifdef SNAPSHOT #ifdef SNAPSHOT


@ -71,8 +71,9 @@
VAR_LMTP_RSET_TMOUT, DEF_LMTP_RSET_TMOUT, &var_smtp_rset_tmout, 1, 0, VAR_LMTP_RSET_TMOUT, DEF_LMTP_RSET_TMOUT, &var_smtp_rset_tmout, 1, 0,
VAR_LMTP_QUIT_TMOUT, DEF_LMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0, VAR_LMTP_QUIT_TMOUT, DEF_LMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0,
VAR_LMTP_PIX_THRESH, DEF_LMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0, VAR_LMTP_PIX_THRESH, DEF_LMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0,
VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
VAR_LMTP_PIX_DELAY, DEF_LMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0, VAR_LMTP_PIX_DELAY, DEF_LMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0,
VAR_QUEUE_RUN_DELAY, DEF_QUEUE_RUN_DELAY, &var_queue_run_delay, 1, 0,
VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
VAR_LMTP_CACHE_CONNT, DEF_LMTP_CACHE_CONNT, &var_smtp_cache_conn, 1, 0, VAR_LMTP_CACHE_CONNT, DEF_LMTP_CACHE_CONNT, &var_smtp_cache_conn, 1, 0,
VAR_LMTP_REUSE_TIME, DEF_LMTP_REUSE_TIME, &var_smtp_reuse_time, 1, 0, VAR_LMTP_REUSE_TIME, DEF_LMTP_REUSE_TIME, &var_smtp_reuse_time, 1, 0,
#ifdef USE_TLS #ifdef USE_TLS
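Review bot: VAR_QUEUE_RUN_DELAY is inserted directly ahead of VAR_MIN_BACKOFF_TIME (the old side shows VAR_MIN_BACKOFF_TIME at a different position), which looks like a deliberate ordering rather than an accident, but nothing in the table records that. The HISTORY entry for 20140220 ties this change to the case "minimal_backoff_time = $queue_run_delay", so if parameter defaults are expanded in table order the queue_run_delay entry has to be read before minimal_backoff_time for that reference to resolve. A one-line comment would keep a later re-sort from silently breaking it: `/* Before VAR_MIN_BACKOFF_TIME: minimal_backoff_time may expand $queue_run_delay. */` The enclosing table starts and ends outside this hunk.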


@ -195,8 +195,9 @@
/* .PP /* .PP
/* Available in Postfix version 2.2.9 and later: /* Available in Postfix version 2.2.9 and later:
/* .IP "\fBsmtp_cname_overrides_servername (version dependent)\fR" /* .IP "\fBsmtp_cname_overrides_servername (version dependent)\fR"
/* Allow DNS CNAME records to override the servername that the /* When the remote SMTP servername is a DNS CNAME, replace the
/* Postfix SMTP client uses for logging, SASL password lookup, TLS /* servername with the result from CNAME expansion for the purpose of
/* logging, SASL password lookup, TLS
/* policy decisions, or TLS certificate verification. /* policy decisions, or TLS certificate verification.
/* .PP /* .PP
/* Available in Postfix version 2.3 and later: /* Available in Postfix version 2.3 and later:
@ -797,6 +798,7 @@ char *var_smtp_bind_addr;
char *var_smtp_bind_addr6; char *var_smtp_bind_addr6;
bool var_smtp_rand_addr; bool var_smtp_rand_addr;
int var_smtp_pix_thresh; int var_smtp_pix_thresh;
int var_queue_run_delay;
int var_min_backoff_time; int var_min_backoff_time;
int var_smtp_pix_delay; int var_smtp_pix_delay;
int var_smtp_line_limit; int var_smtp_line_limit;


@ -474,7 +474,7 @@ extern HBC_CALL_BACKS smtp_hbc_callbacks[];
#define PLAINTEXT_FALLBACK_OK_AFTER_TLS_SESSION_FAILURE \ #define PLAINTEXT_FALLBACK_OK_AFTER_TLS_SESSION_FAILURE \
(session->tls_context != 0 \ (session->tls_context != 0 \
&& SMTP_RCPT_LEFT(state) > 0 \ && SMTP_RCPT_LEFT(state) > SMTP_RCPT_MARK_COUNT(state) \
&& session->tls->level == TLS_LEV_MAY \ && session->tls->level == TLS_LEV_MAY \
&& PREACTIVE_DELAY >= var_min_backoff_time \ && PREACTIVE_DELAY >= var_min_backoff_time \
&& !HAVE_SASL_CREDENTIALS) && !HAVE_SASL_CREDENTIALS)
@ -553,6 +553,8 @@ extern void smtp_chat_notify(SMTP_SESSION *);
#define SMTP_RCPT_LEFT(state) (state)->rcpt_left #define SMTP_RCPT_LEFT(state) (state)->rcpt_left
#define SMTP_RCPT_MARK_COUNT(state) ((state)->rcpt_drop + (state)->rcpt_keep)
extern void smtp_rcpt_cleanup(SMTP_STATE *); extern void smtp_rcpt_cleanup(SMTP_STATE *);
extern void smtp_rcpt_done(SMTP_STATE *, SMTP_RESP *, RECIPIENT *); extern void smtp_rcpt_done(SMTP_STATE *, SMTP_RESP *, RECIPIENT *);
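Review bot: The changed condition `SMTP_RCPT_LEFT(state) > SMTP_RCPT_MARK_COUNT(state)` is the gate for downgrading a session from TLS to plaintext, yet the reason marked recipients are subtracted is only recorded in HISTORY, not in the code. I would put a comment above that line: `/* Only fall back when some recipient was neither deferred nor rejected during the TLS phase; otherwise a plaintext retry delivers nothing and merely downgrades. */` SMTP_RCPT_MARK_COUNT likewise deserves a one-line comment saying it counts the left-over recipients marked either DROP or KEEP, which is what its expansion `rcpt_drop + rcpt_keep` appears to do. Both macros are fully visible in this hunk; the surrounding declarations continue outside it.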


@ -73,6 +73,7 @@
VAR_SMTP_QUIT_TMOUT, DEF_SMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0, VAR_SMTP_QUIT_TMOUT, DEF_SMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0,
VAR_SMTP_PIX_THRESH, DEF_SMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0, VAR_SMTP_PIX_THRESH, DEF_SMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0,
VAR_SMTP_PIX_DELAY, DEF_SMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0, VAR_SMTP_PIX_DELAY, DEF_SMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0,
VAR_QUEUE_RUN_DELAY, DEF_QUEUE_RUN_DELAY, &var_queue_run_delay, 1, 0,
VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0, VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
VAR_SMTP_CACHE_CONNT, DEF_SMTP_CACHE_CONNT, &var_smtp_cache_conn, 1, 0, VAR_SMTP_CACHE_CONNT, DEF_SMTP_CACHE_CONNT, &var_smtp_cache_conn, 1, 0,
VAR_SMTP_REUSE_TIME, DEF_SMTP_REUSE_TIME, &var_smtp_reuse_time, 1, 0, VAR_SMTP_REUSE_TIME, DEF_SMTP_REUSE_TIME, &var_smtp_reuse_time, 1, 0,
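Review bot: The new VAR_QUEUE_RUN_DELAY line is placed immediately before VAR_MIN_BACKOFF_TIME without saying why, and the placement appears order-sensitive: the HISTORY entry for 20140220 describes this as a workaround for "minimal_backoff_time = $queue_run_delay", so if defaults are expanded in table order queue_run_delay must already be set when minimal_backoff_time is evaluated. I would add `/* Must precede VAR_MIN_BACKOFF_TIME: minimal_backoff_time may expand $queue_run_delay. */` above the new entry so a future reordering does not reintroduce the failure. The same pairing appears in lmtp_params.c and would want the same note. The enclosing table starts and ends outside this hunk.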


@ -26,6 +26,9 @@
/* int SMTP_RCPT_LEFT(state) /* int SMTP_RCPT_LEFT(state)
/* SMTP_STATE *state; /* SMTP_STATE *state;
/* /*
/* int SMTP_RCPT_MARK_COUNT(state)
/* SMTP_STATE *state;
/*
/* void smtp_rcpt_done(state, resp, rcpt) /* void smtp_rcpt_done(state, resp, rcpt)
/* SMTP_STATE *state; /* SMTP_STATE *state;
/* SMTP_RESP *resp; /* SMTP_RESP *resp;
@ -64,6 +67,9 @@
/* SMTP_RCPT_LEFT() returns the number of left_over recipients /* SMTP_RCPT_LEFT() returns the number of left_over recipients
/* (the total number of marked and non-marked recipients). /* (the total number of marked and non-marked recipients).
/* /*
/* SMTP_RCPT_MARK_COUNT() returns the number of left_over
/* recipients that are marked.
/*
/* smtp_rcpt_cleanup() cleans up the in-memory recipient list. /* smtp_rcpt_cleanup() cleans up the in-memory recipient list.
/* It removes the recipients marked DROP from the left-over /* It removes the recipients marked DROP from the left-over
/* recipients, unmarks the left-over recipients, and enforces /* recipients, unmarks the left-over recipients, and enforces


@ -452,5 +452,11 @@ int smtp_stream_except(SMTP_STATE *state, int code, const char *description)
dsb_simple(why, "4.3.0", "local data error while talking to %s", dsb_simple(why, "4.3.0", "local data error while talking to %s",
session->namaddr); session->namaddr);
} }
/*
* The smtp_bulk_fail() call below will not throttle the destination when
* falling back to plaintext, because RETRY_AS_PLAINTEXT clears the
* FINAL_SERVER flag.
*/
return (smtp_bulk_fail(state, SMTP_THROTTLE)); return (smtp_bulk_fail(state, SMTP_THROTTLE));
} }


@ -2036,23 +2036,25 @@ static int mail_open_stream(SMTPD_STATE *state)
/* /*
* Log the queue ID with the message origin. * Log the queue ID with the message origin.
*/ */
#ifdef USE_SASL_AUTH
if (state->sasl_username)
smtpd_sasl_mail_log(state);
else
#endif
/*
* See also: smtpd_sasl_proto.c, for a longer client= logfile record.
*/
#define PRINT_OR_NULL(cond, str) \ #define PRINT_OR_NULL(cond, str) \
((cond) ? (str) : "") ((cond) ? (str) : "")
#define PRINT2_OR_NULL(cond, name, value) \ #define PRINT2_OR_NULL(cond, name, value) \
PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond), (value)) PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond), (value))
msg_info("%s: client=%s%s%s%s%s", msg_info("%s: client=%s%s%s%s%s%s%s%s%s%s%s",
(state->queue_id ? state->queue_id : "NOQUEUE"), (state->queue_id ? state->queue_id : "NOQUEUE"),
state->namaddr, state->namaddr,
#ifdef USE_SASL_AUTH
PRINT2_OR_NULL(state->sasl_method,
", sasl_method=", state->sasl_method),
PRINT2_OR_NULL(state->sasl_username,
", sasl_username=", state->sasl_username),
PRINT2_OR_NULL(state->sasl_sender,
", sasl_sender=", state->sasl_sender),
#else
"", "", "", "", "", "",
#endif
/* Insert transaction TLS status here. */
PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state), PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state),
", orig_queue_id=", FORWARD_IDENT(state)), ", orig_queue_id=", FORWARD_IDENT(state)),
PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state), PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state),
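Review bot: The consolidated msg_info() now feeds eleven %s conversions from two preprocessor branches, and the `#else` branch must supply exactly six `""` entries to stay aligned with the three PRINT2_OR_NULL pairs above it; a miscount would be a format/argument mismatch (undefined behavior) that only surfaces in a build without USE_SASL_AUTH. I would annotate the `#else` line: `/* Six empty strings, one per SASL name/value conversion above; keep in sync with the format string. */` The `/* Insert transaction TLS status here. */` placeholder should also state that TLS fields belong outside the USE_SASL_AUTH conditional, or the empty-string count in `#else` has to change with them. Note the old code used the longer record only when `state->sasl_username` was set, whereas the new code emits sasl_method whenever it is non-null even with no username — presumably intended, but worth a sentence in the commit message since operators parse this line for the authenticated identity. mail_open_stream continues outside the hunk.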


@ -24,9 +24,6 @@
/* SMTPD_STATE *state; /* SMTPD_STATE *state;
/* const char *sender; /* const char *sender;
/* /*
/* void smtpd_sasl_mail_log(state)
/* SMTPD_STATE *state;
/*
/* void smtpd_sasl_mail_reset(state) /* void smtpd_sasl_mail_reset(state)
/* SMTPD_STATE *state; /* SMTPD_STATE *state;
/* /*
@ -64,9 +61,6 @@
/* option to the MAIL FROM command. The result is an error response /* option to the MAIL FROM command. The result is an error response
/* in case of problems. /* in case of problems.
/* /*
/* smtpd_sasl_mail_log() logs SASL-specific information after
/* processing the MAIL FROM command.
/*
/* smtpd_sasl_mail_reset() performs cleanup for the SASL-specific /* smtpd_sasl_mail_reset() performs cleanup for the SASL-specific
/* AUTH=sender option to the MAIL FROM command. /* AUTH=sender option to the MAIL FROM command.
/* /*
@ -253,34 +247,6 @@ char *smtpd_sasl_mail_opt(SMTPD_STATE *state, const char *addr)
return (0); return (0);
} }
/* smtpd_sasl_mail_log - SASL-specific MAIL FROM logging */
void smtpd_sasl_mail_log(SMTPD_STATE *state)
{
/*
* See also: smtpd.c, for a shorter client= logfile record.
*/
#define PRINT_OR_NULL(cond, str) \
((cond) ? (str) : "")
#define PRINT2_OR_NULL(cond, name, value) \
PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond), (value))
msg_info("%s: client=%s%s%s%s%s%s%s%s%s%s%s",
(state->queue_id ? state->queue_id : "NOQUEUE"),
state->namaddr,
PRINT2_OR_NULL(state->sasl_method,
", sasl_method=", state->sasl_method),
PRINT2_OR_NULL(state->sasl_username,
", sasl_username=", state->sasl_username),
PRINT2_OR_NULL(state->sasl_sender,
", sasl_sender=", state->sasl_sender),
PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state),
", orig_queue_id=", FORWARD_IDENT(state)),
PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state),
", orig_client=", FORWARD_NAMADDR(state)));
}
/* smtpd_sasl_mail_reset - SASL-specific MAIL FROM cleanup */ /* smtpd_sasl_mail_reset - SASL-specific MAIL FROM cleanup */
void smtpd_sasl_mail_reset(SMTPD_STATE *state) void smtpd_sasl_mail_reset(SMTPD_STATE *state)


@ -14,7 +14,6 @@
extern int smtpd_sasl_auth_cmd(SMTPD_STATE *, int, SMTPD_TOKEN *); extern int smtpd_sasl_auth_cmd(SMTPD_STATE *, int, SMTPD_TOKEN *);
extern void smtpd_sasl_auth_reset(SMTPD_STATE *); extern void smtpd_sasl_auth_reset(SMTPD_STATE *);
extern char *smtpd_sasl_mail_opt(SMTPD_STATE *, const char *); extern char *smtpd_sasl_mail_opt(SMTPD_STATE *, const char *);
extern void smtpd_sasl_mail_log(SMTPD_STATE *);
extern void smtpd_sasl_mail_reset(SMTPD_STATE *); extern void smtpd_sasl_mail_reset(SMTPD_STATE *);
#define smtpd_sasl_auth_extern smtpd_sasl_login #define smtpd_sasl_auth_extern smtpd_sasl_login


@ -1045,7 +1045,9 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
*/ */
if (log_mask & TLS_LOG_SUMMARY) if (log_mask & TLS_LOG_SUMMARY)
msg_info("%s TLS connection established to %s: %s with cipher %s " msg_info("%s TLS connection established to %s: %s with cipher %s "
"(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" : "(%d/%d bits)",
!TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" :
TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted", TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
props->namaddr, TLScontext->protocol, TLScontext->cipher_name, props->namaddr, TLScontext->protocol, TLScontext->cipher_name,
TLScontext->cipher_usebits, TLScontext->cipher_algbits); TLScontext->cipher_usebits, TLScontext->cipher_algbits);
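Review bot: The new label chain depends on evaluation order — `!TLS_CERT_IS_PRESENT(TLScontext)` must be tested before TLS_CERT_IS_MATCHED and TLS_CERT_IS_TRUSTED, which presumably are only meaningful once a peer certificate was presented — and nothing in the code says so. A comment above the msg_info() call would make that explicit: `/* No peer certificate at all is "Anonymous"; only a presented certificate can be Verified, Trusted or Untrusted. */` Because this summary line is what operators grep to audit the security level of outbound sessions, mislabeling an anonymous handshake as "Untrusted" (the bug being fixed) and the ordering that prevents it are worth documenting here rather than only in HISTORY. tls_client_start continues outside the hunk.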