
postfix-2.10-20120226

Wietse Venema
2012-02-26 00:00:00 -05:00
committed by Viktor Dukhovni
parent 3f5b9cff3c
commit 66c7fc33fb
14 changed files with 237 additions and 150 deletions


@@ -17629,3 +17629,35 @@ Apologies for any names omitted.
to a missing guard statement after an smtpd_check_rewrite() to a missing guard statement after an smtpd_check_rewrite()
call was moved closer to the command processor loop. Fix call was moved closer to the command processor loop. Fix
by Bartek Szady. File: smtpd/smtpd.c. by Bartek Szady. File: smtpd/smtpd.c.
20120220
Cleanup: documentation of how to use only system-supplied
certificates with *CAfile and *CApath. File: proto/postconf.proto.
Cleanup: documentation of smtp_sasl_mechanism_filter. File:
proto/postconf.proto.
20120222
Cleanup: when multiple DNSBLs block an SMTP client, the
postscreen "reject" message now gives credit to the DNSBL
with the largest weight, instead of the DNSBL that replies
first. File: postscreen/postscreeb_dnsbl.c.
Cleanup: memcache_table(5) manpage. File proto/memcache_table.
20120225
Cleanup: eliminated the build-time Perl dependency. File:
bounce/annotate.sh.
Cleanup: when -DNO_DB support was added, the makedefs script
was not updated to skip the Linux Berkeley DB tests.
FreeBSD9 is now a supported platform. Files: makedefs,
util/sys_defs.h.
20120226
Cleanup: documentation in postfix-install.


@@ -84,37 +84,38 @@ MEMCACHE_TABLE(5) MEMCACHE_TABLE(5)
<b>flags (default: 0)</b> <b>flags (default: 0)</b>
Optional flags that should be stored along with a Optional flags that should be stored along with a
memcache update. memcache update. The flags are ignored when looking
up information.
<b>ttl (default: 3600)</b> <b>ttl (default: 3600)</b>
The expiration time in seconds of memcache updates. The expiration time in seconds of memcache updates.
NOTE 1: When using a memcache table as NOTE 1: When using a memcache table as
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> or <a href="verify.8.html"><b>verify</b>(8)</a> cache without persistent <a href="postscreen.8.html"><b>postscreen</b>(8)</a> or <a href="verify.8.html"><b>verify</b>(8)</a> cache without persistent
backup, specify a zero *_cache_cleanup_interval backup, specify a zero *_cache_cleanup_interval
value with all Postfix instances that use the mem- value with all Postfix instances that use the mem-
cache, and specify the largest <a href="postscreen.8.html"><b>postscreen</b>(8)</a> *_ttl cache, and specify the largest <a href="postscreen.8.html"><b>postscreen</b>(8)</a> *_ttl
value or <a href="verify.8.html"><b>verify</b>(8)</a> *_expire_time value as the mem- value or <a href="verify.8.html"><b>verify</b>(8)</a> *_expire_time value as the mem-
cache table's <b>ttl</b> value. cache table's <b>ttl</b> value.
NOTE 2: According to memcache protocol documenta- NOTE 2: According to memcache protocol documenta-
tion, a value greater than 30 days (2592000 sec- tion, a value greater than 30 days (2592000 sec-
onds) specifies absolute UNIX time. Smaller values onds) specifies absolute UNIX time. Smaller values
are relative to the time of the update. are relative to the time of the update.
<b>MEMCACHE KEY PARAMETERS</b> <b>MEMCACHE KEY PARAMETERS</b>
<b>key_format (default: %s)</b> <b>key_format (default: %s)</b>
Format of the lookup and update keys in memcache Format of the lookup and update keys in memcache
requests. By default, these are the same as the requests. By default, these are the same as the
lookup and update keys that are given to the Post- lookup and update keys that are given to the Post-
fix memcache client. fix memcache client.
NOTE: The <b>key_format</b> feature is not used for <b>backup</b> NOTE: The <b>key_format</b> feature is not used for <b>backup</b>
database requests. database requests.
When the same memcache database is used to cache When the same memcache database is used to cache
information from multiple tables, you can use the information from multiple tables, you can use the
<b>key_format</b> feature to avoid name collisions by <b>key_format</b> feature to avoid name collisions by
prepending a fixed string. Examples: prepending a fixed string. Examples:
key_format = aliases:%s key_format = aliases:%s
@@ -125,48 +126,48 @@ MEMCACHE_TABLE(5) MEMCACHE_TABLE(5)
<b>%%</b> This is replaced by a literal '%' character. <b>%%</b> This is replaced by a literal '%' character.
<b>%s</b> This is replaced by the memcache client <b>%s</b> This is replaced by the memcache client
input key. input key.
<b>%u</b> When the input key is an address of the form <b>%u</b> When the input key is an address of the form
user@domain, <b>%u</b> is replaced by the SQL user@domain, <b>%u</b> is replaced by the SQL
quoted local part of the address. Other- quoted local part of the address. Other-
wise, <b>%u</b> is replaced by the entire search wise, <b>%u</b> is replaced by the entire search
string. If the localpart is empty, a lookup string. If the localpart is empty, a lookup
is silently suppressed and returns no is silently suppressed and returns no
results (an update is skipped with a warn- results (an update is skipped with a warn-
ing). ing).
<b>%d</b> When the input key is an address of the form <b>%d</b> When the input key is an address of the form
user@domain, <b>%d</b> is replaced by the domain user@domain, <b>%d</b> is replaced by the domain
part of the address. Otherwise, a lookup is part of the address. Otherwise, a lookup is
silently suppressed and returns no results silently suppressed and returns no results
(an update is skipped with a warning). (an update is skipped with a warning).
<b>%[SUD]</b> The upper-case equivalents of the above <b>%[SUD]</b> The upper-case equivalents of the above
expansions behave in the <b>key_format</b> parame- expansions behave in the <b>key_format</b> parame-
ter identically to their lower-case counter- ter identically to their lower-case counter-
parts. parts.
<b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by
the corresponding most significant component the corresponding most significant component
of the input key's domain. If the input key of the input key's domain. If the input key
is <i>user@mail.example.com</i>, then %1 is <b>com</b>, %2 is <i>user@mail.example.com</i>, then %1 is <b>com</b>, %2
is <b>example</b> and %3 is <b>mail</b>. If the input key is <b>example</b> and %3 is <b>mail</b>. If the input key
is unqualified or does not have enough is unqualified or does not have enough
domain components to satisfy all the speci- domain components to satisfy all the speci-
fied patterns, a lookup is silently sup- fied patterns, a lookup is silently sup-
pressed and returns no results (an update is pressed and returns no results (an update is
skipped with a warning). skipped with a warning).
<b>domain (default: no domain list)</b> <b>domain (default: no domain list)</b>
This feature can significantly reduce database This feature can significantly reduce database
server load. Specify a list of domain names, paths server load. Specify a list of domain names, paths
to files, or "<a href="DATABASE_README.html">type:table</a>" databases. When speci- to files, or "<a href="DATABASE_README.html">type:table</a>" databases. When speci-
fied, only fully qualified search keys with a *non- fied, only fully qualified search keys with a *non-
empty* localpart and a matching domain are eligible empty* localpart and a matching domain are eligible
for lookup or update: bare 'user' lookups, bare for lookup or update: bare 'user' lookups, bare
domain lookups and "@domain" lookups are silently domain lookups and "@domain" lookups are silently
skipped (updates are skipped with a warning). skipped (updates are skipped with a warning).
Example: Example:
@@ -180,33 +181,33 @@ MEMCACHE_TABLE(5) MEMCACHE_TABLE(5)
The maximal memcache reply line length in bytes. The maximal memcache reply line length in bytes.
<b>max_try (default: 2)</b> <b>max_try (default: 2)</b>
The number of times to try a memcache command The number of times to try a memcache command
before giving up. The memcache client does not before giving up. The memcache client does not
retry a command when the memcache server accepts no retry a command when the memcache server accepts no
connection. connection.
<b>retry_pause (default: 1)</b> <b>retry_pause (default: 1)</b>
The time in seconds before retrying a failed mem- The time in seconds before retrying a failed mem-
cache command. cache command.
<b>timeout (default: 2)</b> <b>timeout (default: 2)</b>
The time limit for sending a memcache command and The time limit for sending a memcache command and
for receiving a memcache reply. for receiving a memcache reply.
<b>BUGS</b> <b>BUGS</b>
The Postfix memcache client cannot be used for security- The Postfix memcache client cannot be used for security-
sensitive tables such as <b><a href="postconf.5.html#alias_maps">alias_maps</a></b> (these may contain sensitive tables such as <b><a href="postconf.5.html#alias_maps">alias_maps</a></b> (these may contain
"<i>|command</i> and "<i>/file/name</i>" destinations), or <b><a href="postconf.5.html#virtual_uid_maps">vir</a>-</b> "<i>|command</i> and "<i>/file/name</i>" destinations), or <b><a href="postconf.5.html#virtual_uid_maps">vir</a>-</b>
<b><a href="postconf.5.html#virtual_uid_maps">tual_uid_maps</a></b>, <b><a href="postconf.5.html#virtual_gid_maps">virtual_gid_maps</a></b> and <b><a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a></b> <b><a href="postconf.5.html#virtual_uid_maps">tual_uid_maps</a></b>, <b><a href="postconf.5.html#virtual_gid_maps">virtual_gid_maps</a></b> and <b><a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a></b>
(these specify UNIX process privileges or "<i>/file/name</i>" (these specify UNIX process privileges or "<i>/file/name</i>"
destinations). In a typical deployment a memcache data- destinations). In a typical deployment a memcache data-
base is writable by any process that can talk to the mem- base is writable by any process that can talk to the mem-
cache server; in contrast, security-sensitive tables must cache server; in contrast, security-sensitive tables must
never be writable by the unprivileged Postfix user. never be writable by the unprivileged Postfix user.
The Postfix memcache client requires additional configura- The Postfix memcache client requires additional configura-
tion when used as <a href="postscreen.8.html"><b>postscreen</b>(8)</a> or <a href="verify.8.html"><b>verify</b>(8)</a> cache. For tion when used as <a href="postscreen.8.html"><b>postscreen</b>(8)</a> or <a href="verify.8.html"><b>verify</b>(8)</a> cache. For
details see the <b>backup</b> and <b>ttl</b> parameter discussions in details see the <b>backup</b> and <b>ttl</b> parameter discussions in
the MEMCACHE MAIN PARAMETERS section above. the MEMCACHE MAIN PARAMETERS section above.
<b>SEE ALSO</b> <b>SEE ALSO</b>
@@ -218,11 +219,11 @@ MEMCACHE_TABLE(5) MEMCACHE_TABLE(5)
<a href="MEMCACHE_README.html">MEMCACHE_README</a>, Postfix memcache client guide <a href="MEMCACHE_README.html">MEMCACHE_README</a>, Postfix memcache client guide
<b>LICENSE</b> <b>LICENSE</b>
The Secure Mailer license must be distributed with this The Secure Mailer license must be distributed with this
software. software.
<b>HISTORY</b> <b>HISTORY</b>
Memcache support was introduced with Postfix version 2.9. Memcache support was introduced with Postfix version 2.9.
<b>AUTHOR(S)</b> <b>AUTHOR(S)</b>
Wietse Venema Wietse Venema


@@ -10201,10 +10201,10 @@ parameter, but the setting "no" does not. </p>
<p> <p>
If non-empty, a Postfix SMTP client filter for the remote SMTP If non-empty, a Postfix SMTP client filter for the remote SMTP
server's list of offered SASL mechanisms. Different client and server's list of offered SASL mechanisms. Different client and
server implementations may support different mechanism lists. By server implementations may support different mechanism lists; by
default, the Postfix SMTP client will use the intersection of the default, the Postfix SMTP client will use the intersection of the
two. <a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> further restricts what server two. <a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> specifies an optional third mechanism
mechanisms the client will take into consideration. </p> list to intersect with. </p>
<p> Specify mechanism names, "/file/name" patterns or "<a href="DATABASE_README.html">type:table</a>" <p> Specify mechanism names, "/file/name" patterns or "<a href="DATABASE_README.html">type:table</a>"
lookup tables. The right-hand side result from "<a href="DATABASE_README.html">type:table</a>" lookups lookup tables. The right-hand side result from "<a href="DATABASE_README.html">type:table</a>" lookups
@@ -10490,6 +10490,10 @@ file may also be used to augment the client certificate trust chain,
but it is best to include all the required certificates directly in but it is best to include all the required certificates directly in
$<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>. </p> $<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>. </p>
<p> Specify "<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> = /path/to/system_CA_file" to use
ONLY the system-supplied default certificate authority certificates.
</p>
<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from <p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party appending the system-supplied default CAs and trusting third-party
certificates. </p> certificates. </p>
@@ -10517,6 +10521,10 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
<p> To use this option in chroot mode, this directory (or a copy) <p> To use this option in chroot mode, this directory (or a copy)
must be inside the chroot jail. </p> must be inside the chroot jail. </p>
<p> Specify "<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> = /path/to/system_CA_directory" to
use ONLY the system-supplied default certificate authority certificates.
</p>
<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from <p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party appending the system-supplied default CAs and trusting third-party
certificates. </p> certificates. </p>
@@ -14196,6 +14204,10 @@ file may also be used to augment the server certificate trust chain,
but it is best to include all the required certificates directly in the but it is best to include all the required certificates directly in the
server certificate file. </p> server certificate file. </p>
<p> Specify "<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> = /path/to/system_CA_file" to use ONLY
the system-supplied default certificate authority certificates.
</p>
<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from <p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party appending the system-supplied default CAs and trusting third-party
certificates. </p> certificates. </p>
@@ -14231,6 +14243,10 @@ for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> in chroot mode, this directory (or a copy) must be <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> in chroot mode, this directory (or a copy) must be
inside the chroot jail. </p> inside the chroot jail. </p>
<p> Specify "<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> = /path/to/system_CA_directory" to
use ONLY the system-supplied default certificate authority certificates.
</p>
<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from <p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party appending the system-supplied default CAs and trusting third-party
certificates. </p> certificates. </p>


@@ -153,6 +153,8 @@ case "$SYSTEM.$RELEASE" in
;; ;;
FreeBSD.8*) SYSTYPE=FREEBSD8 FreeBSD.8*) SYSTYPE=FREEBSD8
;; ;;
FreeBSD.9*) SYSTYPE=FREEBSD9
;;
OpenBSD.2*) SYSTYPE=OPENBSD2 OpenBSD.2*) SYSTYPE=OPENBSD2
;; ;;
OpenBSD.3*) SYSTYPE=OPENBSD3 OpenBSD.3*) SYSTYPE=OPENBSD3
@@ -267,36 +269,31 @@ case "$SYSTEM.$RELEASE" in
esac;; esac;;
# Tested with RedHat 3.03 on 20020729. # Tested with RedHat 3.03 on 20020729.
Linux.1*) SYSTYPE=LINUX1 Linux.1*) SYSTYPE=LINUX1
SYSLIBS="-ldb" case "$CCARGS" in
*-DNO_DB*) ;;
*) SYSLIBS="-ldb";;
esac
;; ;;
Linux.2*) SYSTYPE=LINUX2 Linux.2*) SYSTYPE=LINUX2
# Postfix no longer needs DB 1.85 compatibility case "$CCARGS" in
if [ -f /usr/include/db.h ] *-DNO_DB*) ;;
then *) if [ -f /usr/include/db.h ]
: we are all set then
elif [ -f /usr/include/db/db.h ] : we are all set
then elif [ -f /usr/include/db/db.h ]
CCARGS="$CCARGS -I/usr/include/db" then
else CCARGS="$CCARGS -I/usr/include/db"
# No, we're not going to try db1 db2 db3 etc. else
# On a properly installed system, Postfix builds # No, we're not going to try db1 db2 db3 etc.
# by including <db.h> and by linking with -ldb # On a properly installed system, Postfix builds
echo "No <db.h> include file found." 1>&2 # by including <db.h> and by linking with -ldb
echo "Install the appropriate db*-devel package first." 1>&2 echo "No <db.h> include file found." 1>&2
echo "See the RELEASE_NOTES file for more information." 1>&2 echo "Install the appropriate db*-devel package first." 1>&2
exit 1 exit 1
fi fi
# GDBM locks the DBM .pag file after open. This breaks postmap. SYSLIBS="-ldb"
# if [ -f /usr/include/gdbm-ndbm.h ] ;;
# then esac
# CCARGS="$CCARGS -DHAS_DBM -DPATH_NDBM_H='<gdbm-ndbm.h>'"
# GDBM_LIBS=gdbm
# elif [ -f /usr/include/gdbm/ndbm.h ]
# then
# CCARGS="$CCARGS -DHAS_DBM -DPATH_NDBM_H='<gdbm/ndbm.h>'"
# GDBM_LIBS=gdbm
# fi
SYSLIBS="-ldb"
for name in nsl resolv $GDBM_LIBS for name in nsl resolv $GDBM_LIBS
do do
for lib in /usr/lib64 /lib64 /usr/lib /lib for lib in /usr/lib64 /lib64 /usr/lib /lib
@@ -350,21 +347,24 @@ EOF
esac esac
;; ;;
Linux.3*) SYSTYPE=LINUX3 Linux.3*) SYSTYPE=LINUX3
if [ -f /usr/include/db.h ] case "$CCARGS" in
then *-DNO_DB*) ;;
: we are all set *) if [ -f /usr/include/db.h ]
elif [ -f /usr/include/db/db.h ] then
then : we are all set
CCARGS="$CCARGS -I/usr/include/db" elif [ -f /usr/include/db/db.h ]
else then
# On a properly installed system, Postfix builds CCARGS="$CCARGS -I/usr/include/db"
# by including <db.h> and by linking with -ldb else
echo "No <db.h> include file found." 1>&2 # On a properly installed system, Postfix builds
echo "Install the appropriate db*-devel package first." 1>&2 # by including <db.h> and by linking with -ldb
echo "See the RELEASE_NOTES file for more information." 1>&2 echo "No <db.h> include file found." 1>&2
exit 1 echo "Install the appropriate db*-devel package first." 1>&2
fi exit 1
SYSLIBS="-ldb" fi
SYSLIBS="-ldb"
;;
esac
for name in nsl resolv for name in nsl resolv
do do
for lib in /usr/lib64 /lib64 /usr/lib /lib for lib in /usr/lib64 /lib64 /usr/lib /lib
@@ -378,23 +378,24 @@ EOF
;; ;;
GNU.0*|GNU/kFreeBSD.[567]*) GNU.0*|GNU/kFreeBSD.[567]*)
SYSTYPE=GNU0 SYSTYPE=GNU0
# Postfix no longer needs DB 1.85 compatibility case "$CCARGS" in
if [ -f /usr/include/db.h ] *-DNO_DB*) ;;
then *) if [ -f /usr/include/db.h ]
: we are all set then
elif [ -f /usr/include/db/db.h ] : we are all set
then elif [ -f /usr/include/db/db.h ]
CCARGS="$CCARGS -I/usr/include/db" then
else CCARGS="$CCARGS -I/usr/include/db"
# No, we're not going to try db1 db2 db3 etc. else
# On a properly installed system, Postfix builds # On a properly installed system, Postfix builds
# by including <db.h> and by linking with -ldb # by including <db.h> and by linking with -ldb
echo "No <db.h> include file found." 1>&2 echo "No <db.h> include file found." 1>&2
echo "Install the appropriate db*-devel package first." 1>&2 echo "Install the appropriate db*-devel package first." 1>&2
echo "See the RELEASE_NOTES file for more information." 1>&2 exit 1
exit 1 fi
fi SYSLIBS="-ldb"
SYSLIBS="-ldb" ;;
esac
for name in nsl resolv for name in nsl resolv
do do
for lib in /usr/lib64 /lib64 /usr/lib /lib for lib in /usr/lib64 /lib64 /usr/lib /lib
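Review bot: In the new `*-DNO_DB*) ;;` arms, SYSLIBS is no longer assigned before the `for name in nsl resolv` loops that follow in the Linux.2, Linux.3 and GNU0 branches, whereas the old code always set it to `-ldb` first. If nothing earlier in makedefs initializes the variable (not visible in these hunks), a value inherited from the build environment would reach the link line; `*-DNO_DB*) SYSLIBS="";;` would keep it under the script's control. The Linux.2 loop also still expands `$GDBM_LIBS` even though the commented-out block that referred to it is removed, so `for name in nsl resolv` would be the matching cleanup there. The same probe is now copied into three branches, and a small shell function would keep them from drifting apart again. The enclosing case statement starts and ends outside the hunks.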


@@ -88,7 +88,7 @@ setting (depending on whether the access is read-only or
read-write). read-write).
.IP "\fBflags (default: 0)\fR" .IP "\fBflags (default: 0)\fR"
Optional flags that should be stored along with a memcache Optional flags that should be stored along with a memcache
update. update. The flags are ignored when looking up information.
.IP "\fBttl (default: 3600)\fR" .IP "\fBttl (default: 3600)\fR"
The expiration time in seconds of memcache updates. The expiration time in seconds of memcache updates.


@@ -5989,10 +5989,10 @@ This feature is available in Postfix 2.5 and later.
.SH smtp_sasl_mechanism_filter (default: empty) .SH smtp_sasl_mechanism_filter (default: empty)
If non-empty, a Postfix SMTP client filter for the remote SMTP If non-empty, a Postfix SMTP client filter for the remote SMTP
server's list of offered SASL mechanisms. Different client and server's list of offered SASL mechanisms. Different client and
server implementations may support different mechanism lists. By server implementations may support different mechanism lists; by
default, the Postfix SMTP client will use the intersection of the default, the Postfix SMTP client will use the intersection of the
two. smtp_sasl_mechanism_filter further restricts what server two. smtp_sasl_mechanism_filter specifies an optional third mechanism
mechanisms the client will take into consideration. list to intersect with.
.PP .PP
Specify mechanism names, "/file/name" patterns or "type:table" Specify mechanism names, "/file/name" patterns or "type:table"
lookup tables. The right-hand side result from "type:table" lookups lookup tables. The right-hand side result from "type:table" lookups
@@ -6160,6 +6160,9 @@ file may also be used to augment the client certificate trust chain,
but it is best to include all the required certificates directly in but it is best to include all the required certificates directly in
$smtp_tls_cert_file. $smtp_tls_cert_file.
.PP .PP
Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use
ONLY the system-supplied default certificate authority certificates.
.PP
Specify "tls_append_default_CA = no" to prevent Postfix from Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party appending the system-supplied default CAs and trusting third-party
certificates. certificates.
@@ -6184,6 +6187,9 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
To use this option in chroot mode, this directory (or a copy) To use this option in chroot mode, this directory (or a copy)
must be inside the chroot jail. must be inside the chroot jail.
.PP .PP
Specify "smtp_tls_CApath = /path/to/system_CA_directory" to
use ONLY the system-supplied default certificate authority certificates.
.PP
Specify "tls_append_default_CA = no" to prevent Postfix from Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party appending the system-supplied default CAs and trusting third-party
certificates. certificates.
@@ -8993,6 +8999,9 @@ file may also be used to augment the server certificate trust chain,
but it is best to include all the required certificates directly in the but it is best to include all the required certificates directly in the
server certificate file. server certificate file.
.PP .PP
Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to use ONLY
the system-supplied default certificate authority certificates.
.PP
Specify "tls_append_default_CA = no" to prevent Postfix from Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party appending the system-supplied default CAs and trusting third-party
certificates. certificates.
@@ -9026,6 +9035,9 @@ for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
smtpd_tls_CApath in chroot mode, this directory (or a copy) must be smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
inside the chroot jail. inside the chroot jail.
.PP .PP
Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to
use ONLY the system-supplied default certificate authority certificates.
.PP
Specify "tls_append_default_CA = no" to prevent Postfix from Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party appending the system-supplied default CAs and trusting third-party
certificates. certificates.


@@ -104,7 +104,7 @@
# users. The built-in default directory name is system dependent. # users. The built-in default directory name is system dependent.
# This parameter setting is recorded in the installed main.cf file. # This parameter setting is recorded in the installed main.cf file.
# .IP html_directory # .IP html_directory
# The destination directory for the Postfix HTML files. # The final destination directory for the Postfix HTML files.
# This parameter setting is recorded in the installed main.cf file. # This parameter setting is recorded in the installed main.cf file.
# .IP queue_directory # .IP queue_directory
# The final destination directory for Postfix queues. # The final destination directory for Postfix queues.
@@ -138,14 +138,14 @@
# The built-in default group name is postdrop. # The built-in default group name is postdrop.
# This parameter setting is recorded in the installed main.cf file. # This parameter setting is recorded in the installed main.cf file.
# .IP manpage_directory # .IP manpage_directory
# The destination directory for the Postfix on-line manual pages. # The final destination directory for the Postfix on-line manual pages.
# This parameter setting is recorded in the installed main.cf file. # This parameter setting is recorded in the installed main.cf file.
# .IP sample_directory # .IP sample_directory
# The destination directory for the Postfix sample configuration files. # The final destination directory for the Postfix sample configuration
# This parameter is obsolete as of Postfix version 2.1. # files. This parameter is obsolete as of Postfix version 2.1.
# This parameter setting is recorded in the installed main.cf file. # This parameter setting is recorded in the installed main.cf file.
# .IP readme_directory # .IP readme_directory
# The destination directory for the Postfix README files. # The final destination directory for the Postfix README files.
# This parameter setting is recorded in the installed main.cf file. # This parameter setting is recorded in the installed main.cf file.
# SEE ALSO # SEE ALSO
# post-install(1) post-installation procedure # post-install(1) post-installation procedure
@@ -350,13 +350,14 @@ management commands. Specify a group name with a numerical group
ID that is not shared with other accounts, not even with the Postfix ID that is not shared with other accounts, not even with the Postfix
mail_owner account. You can no longer specify \"no\" here." mail_owner account. You can no longer specify \"no\" here."
manpage_directory_prompt="the destination directory for the Postfix on-line manpage_directory_prompt="the final destination directory for the
manual pages. You can no longer specify \"no\" here." Postfix on-line manual pages. You can no longer specify \"no\"
here."
readme_directory_prompt="the destination directory for the Postfix readme_directory_prompt="the final destination directory for the Postfix
README files. Specify \"no\" if you do not want to install these files." README files. Specify \"no\" if you do not want to install these files."
html_directory_prompt="the destination directory for the Postfix html_directory_prompt="the final destination directory for the Postfix
HTML files. Specify \"no\" if you do not want to install these files." HTML files. Specify \"no\" if you do not want to install these files."
# Default settings, just to get started. # Default settings, just to get started.


@@ -80,7 +80,7 @@
# read-write). # read-write).
# .IP "\fBflags (default: 0)\fR" # .IP "\fBflags (default: 0)\fR"
# Optional flags that should be stored along with a memcache # Optional flags that should be stored along with a memcache
# update. # update. The flags are ignored when looking up information.
# .IP "\fBttl (default: 3600)\fR" # .IP "\fBttl (default: 3600)\fR"
# The expiration time in seconds of memcache updates. # The expiration time in seconds of memcache updates.
# #


@@ -4362,10 +4362,10 @@ smtp_sasl_security_options = noplaintext
<p> <p>
If non-empty, a Postfix SMTP client filter for the remote SMTP If non-empty, a Postfix SMTP client filter for the remote SMTP
server's list of offered SASL mechanisms. Different client and server's list of offered SASL mechanisms. Different client and
server implementations may support different mechanism lists. By server implementations may support different mechanism lists; by
default, the Postfix SMTP client will use the intersection of the default, the Postfix SMTP client will use the intersection of the
two. smtp_sasl_mechanism_filter further restricts what server two. smtp_sasl_mechanism_filter specifies an optional third mechanism
mechanisms the client will take into consideration. </p> list to intersect with. </p>
<p> Specify mechanism names, "/file/name" patterns or "type:table" <p> Specify mechanism names, "/file/name" patterns or "type:table"
lookup tables. The right-hand side result from "type:table" lookups lookup tables. The right-hand side result from "type:table" lookups
@@ -8811,6 +8811,10 @@ file may also be used to augment the server certificate trust chain,
but it is best to include all the required certificates directly in the but it is best to include all the required certificates directly in the
server certificate file. </p> server certificate file. </p>
<p> Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to use ONLY
the system-supplied default certificate authority certificates.
</p>
<p> Specify "tls_append_default_CA = no" to prevent Postfix from <p> Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party appending the system-supplied default CAs and trusting third-party
certificates. </p> certificates. </p>
@@ -8842,6 +8846,10 @@ for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
smtpd_tls_CApath in chroot mode, this directory (or a copy) must be smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
inside the chroot jail. </p> inside the chroot jail. </p>
<p> Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to
use ONLY the system-supplied default certificate authority certificates.
</p>
<p> Specify "tls_append_default_CA = no" to prevent Postfix from <p> Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party appending the system-supplied default CAs and trusting third-party
certificates. </p> certificates. </p>
@@ -9221,6 +9229,10 @@ file may also be used to augment the client certificate trust chain,
but it is best to include all the required certificates directly in but it is best to include all the required certificates directly in
$smtp_tls_cert_file. </p> $smtp_tls_cert_file. </p>
<p> Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use
ONLY the system-supplied default certificate authority certificates.
</p>
<p> Specify "tls_append_default_CA = no" to prevent Postfix from <p> Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party appending the system-supplied default CAs and trusting third-party
certificates. </p> certificates. </p>
@@ -9244,6 +9256,10 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
<p> To use this option in chroot mode, this directory (or a copy) <p> To use this option in chroot mode, this directory (or a copy)
must be inside the chroot jail. </p> must be inside the chroot jail. </p>
<p> Specify "smtp_tls_CApath = /path/to/system_CA_directory" to
use ONLY the system-supplied default certificate authority certificates.
</p>
<p> Specify "tls_append_default_CA = no" to prevent Postfix from <p> Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party appending the system-supplied default CAs and trusting third-party
certificates. </p> certificates. </p>


@@ -25,9 +25,9 @@ $(PROG): $(OBJS) $(LIBS)
$(CC) $(CFLAGS) -o $@ $(OBJS) $(LIBS) $(SYSLIBS) $(CC) $(CFLAGS) -o $@ $(OBJS) $(LIBS) $(SYSLIBS)
# Eliminate dependency on installed Postfix. # Eliminate dependency on installed Postfix.
../../conf/bounce.cf.default: template_test.ref annotate.pl ../../conf/bounce.cf.default: template_test.ref annotate.sh
rm -f $@ rm -f $@
perl annotate.pl <template_test.ref >$@ ./annotate.sh <template_test.ref >$@
main.cf: main.cf:
echo queue_directory=. >main.cf echo queue_directory=. >main.cf
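Review bot: Running the generator as `./annotate.sh` in the `../../conf/bounce.cf.default` rule makes the build depend on the script's execute bit, which the old `perl annotate.pl` invocation did not need. If the tree is unpacked or patched without preserving file modes, the rule fails with a permission error after `rm -f $@` has already removed the target. Naming the interpreter explicitly, `$(SHELL) annotate.sh <template_test.ref >$@`, keeps the rule independent of file permissions.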


@@ -1,4 +1,6 @@
print <<'EOF' #!/bin/sh
cat <<'EOF'
# #
# Do not edit this file. This file shows the default delivery status # Do not edit this file. This file shows the default delivery status
# notification (DSN) messages that are built into Postfix. # notification (DSN) messages that are built into Postfix.
@@ -60,10 +62,11 @@ EOF
# bounce_template_file = $config_directory/bounce.cf # bounce_template_file = $config_directory/bounce.cf
# #
#EOF #EOF
;
while (<>) { IFS=
if (/^failure_template/) { print <<'EOF' while read line; do
case "$line" in
failure_template*) cat <<'EOF'
# #
# The failure template is used when mail is returned to the sender; # The failure template is used when mail is returned to the sender;
@@ -72,8 +75,8 @@ while (<>) {
# #
EOF EOF
; ;;
} elsif (/^delay_template/) { print <<'EOF' delay_template*) cat <<'EOF'
# #
# The delay template is used when mail is delayed. Note a neat trick: # The delay template is used when mail is delayed. Note a neat trick:
@@ -90,8 +93,8 @@ EOF
# #
EOF EOF
; ;;
} elsif (/^success_template/) { print <<'EOF' success_template*) cat <<'EOF'
# #
# The success template is used when mail is delivered to mailbox, # The success template is used when mail is delivered to mailbox,
@@ -101,17 +104,17 @@ EOF
# #
EOF EOF
; ;;
} elsif (/^verify_template/) { print <<'EOF' verify_template*) cat <<'EOF'
# #
# The verify template is used for address verification (sendmail -bv # The verify template is used for address verification (sendmail -bv
# address...). or for verbose mail delivery (sendmail -v address...). # address...) or for verbose mail delivery (sendmail -v address...).
# It is an error to specify a Postmaster-Subject: here. # It is an error to specify a Postmaster-Subject: here.
# #
EOF EOF
; ;;
} esac
print $_; echo "$line";
} done
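Review bot: The copy loop `while read line; do ... echo "$line"; done` is not a byte-for-byte pass-through the way the Perl `print $_` was. `read` without `-r` treats a backslash as an escape character and joins a line ending in a backslash with the next one, and some `echo` implementations interpret backslash sequences or a leading `-n`. If template_test.ref ever contains a backslash, the generated bounce.cf.default would silently differ from the built-in templates it is meant to document. Where the build shells support it, `while read -r line; do` with `printf '%s\n' "$line"` avoids both problems; otherwise add a comment above the loop such as `# NOTE: input must not contain backslashes; read/echo would alter them`. The loop spans several hunks and parts of its body are not shown here.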


@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20120218" #define MAIL_RELEASE_DATE "20120226"
#define MAIL_VERSION_NUMBER "2.10" #define MAIL_VERSION_NUMBER "2.10"
#ifdef SNAPSHOT #ifdef SNAPSHOT


@@ -139,7 +139,8 @@ typedef struct {
} PSC_CALL_BACK_ENTRY; } PSC_CALL_BACK_ENTRY;
typedef struct { typedef struct {
const char *dnsbl; /* one contributing DNSBL */ const char *dnsbl_name; /* DNSBL with largest contribution */
int dnsbl_weight; /* weight of largest contribution */
int total; /* combined blocklist score */ int total; /* combined blocklist score */
int refcount; /* score reference count */ int refcount; /* score reference count */
int pending_lookups; /* nr of DNS requests in flight */ int pending_lookups; /* nr of DNS requests in flight */
@@ -328,7 +329,7 @@ int psc_dnsbl_retrieve(const char *client_addr, const char **dnsbl_name,
* Reads are destructive. * Reads are destructive.
*/ */
result_score = score->total; result_score = score->total;
*dnsbl_name = score->dnsbl; *dnsbl_name = score->dnsbl_name;
score->refcount -= 1; score->refcount -= 1;
if (score->refcount < 1) { if (score->refcount < 1) {
if (msg_verbose > 1) if (msg_verbose > 1)
@@ -398,8 +399,11 @@ static void psc_dnsbl_receive(int event, char *context)
if (site->byte_codes == 0 if (site->byte_codes == 0
|| psc_dnsbl_match(site->byte_codes, reply_argv ? reply_argv : || psc_dnsbl_match(site->byte_codes, reply_argv ? reply_argv :
(reply_argv = argv_split(STR(reply_addr), " ")))) { (reply_argv = argv_split(STR(reply_addr), " ")))) {
if (score->dnsbl == 0) if (score->dnsbl_name == 0
score->dnsbl = head->safe_dnsbl; || score->dnsbl_weight < site->weight) {
score->dnsbl_name = head->safe_dnsbl;
score->dnsbl_weight = site->weight;
}
score->total += site->weight; score->total += site->weight;
if (msg_verbose > 1) if (msg_verbose > 1)
msg_info("%s: filter=\"%s\" weight=%d score=%d", msg_info("%s: filter=\"%s\" weight=%d score=%d",
@@ -477,7 +481,8 @@ int psc_dnsbl_request(const char *client_addr,
msg_info("%s: create blocklist score for %s", myname, client_addr); msg_info("%s: create blocklist score for %s", myname, client_addr);
score = (PSC_DNSBL_SCORE *) mymalloc(sizeof(*score)); score = (PSC_DNSBL_SCORE *) mymalloc(sizeof(*score));
score->request_id = request_count++; score->request_id = request_count++;
score->dnsbl = 0; score->dnsbl_name = 0;
score->dnsbl_weight = 0;
score->total = 0; score->total = 0;
score->refcount = 1; score->refcount = 1;
score->pending_lookups = 0; score->pending_lookups = 0;
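Review bot: The new test in psc_dnsbl_receive(), `score->dnsbl_weight < site->weight`, is a strict comparison, so when two matching entries carry the same weight the name handed back by psc_dnsbl_retrieve() is still the one whose reply arrived first. The comparison also uses the weight of a single matching entry, and the `score->dnsbl_name == 0` arm records the first match even if its weight is negative. The struct comment "DNSBL with largest contribution" is therefore slightly broader than what the code guarantees. Since this name ends up in the reject message that operators use to trace a block, I would spell the rule out on the field, e.g. `const char *dnsbl_name; /* DNSBL with largest single weight; ties keep first reply */`. The bodies of psc_dnsbl_receive(), psc_dnsbl_retrieve() and psc_dnsbl_request() extend outside the hunks shown.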


@@ -25,7 +25,7 @@
*/ */
#if defined(FREEBSD2) || defined(FREEBSD3) || defined(FREEBSD4) \ #if defined(FREEBSD2) || defined(FREEBSD3) || defined(FREEBSD4) \
|| defined(FREEBSD5) || defined(FREEBSD6) || defined(FREEBSD7) \ || defined(FREEBSD5) || defined(FREEBSD6) || defined(FREEBSD7) \
|| defined(FREEBSD8) \ || defined(FREEBSD8) || defined(FREEBSD9) \
|| defined(BSDI2) || defined(BSDI3) || defined(BSDI4) \ || defined(BSDI2) || defined(BSDI3) || defined(BSDI4) \
|| defined(OPENBSD2) || defined(OPENBSD3) || defined(OPENBSD4) \ || defined(OPENBSD2) || defined(OPENBSD3) || defined(OPENBSD4) \
|| defined(OPENBSD5) \ || defined(OPENBSD5) \