mirror of https://github.com/vdukhovni/postfix synced 2025-08-29 05:07:58 +00:00

postfix-2.2-20040827

This commit is contained in:
Wietse Venema 2004-08-27 00:00:00 -05:00 committed by Viktor Dukhovni
parent 5cd36a369b
commit 851738e9a2
57 changed files with 1022 additions and 257 deletions

View File

@ -9617,7 +9617,7 @@ Apologies for any names omitted.
queue manager is unable to schedule back-to-back deliveries.
File: *qmgr/qmgr_entry.c.
20040730
20040731
Hysteresis: turn on "opportunistic session caching" when
back-to-back deliveries happen, but don't turn if off
@ -9632,6 +9632,67 @@ Apologies for any names omitted.
Portability: h_errno is not an lvalue in the UnixWare 7.1
multi-threaded environment. Olivier PRENANT.
20040812
Bugfix: update SMTP server error counter when a client is
denied access with smtpd_delay_reject=no.
20040816
Bugfix: The smtp_chat_cmd() forced output flushing code in
the SMTP client could run before an I/O error handler was
set up. Problem diagnosed by Victor Duchovni, Morgan
Stanley. The fix is to disable the smtp_chat_cmd() forced
output flushing code as it duplicates better code in
smtp_loop(). File: smtp/smtp_chat.c.
Safety: set up an I/O error handler before the smtp_loop()
protocol engine starts; this handler logs a warning in case
it ever runs, because that means someone broke ESMTP command
pipelining. File: smtp/smtp_proto.c.
Feature: canonical_classes parameter by Kimmo Suominen, to
control what addresses are rewritten by canonical_maps.
Files: cleanup/cleanup_addr.c, cleanup/cleanup_message.c.
20040817
Bugfix: update the vstream I/O time AFTER the completion
of an I/O request, so that time-sensitive applications
don't force flush output too soon and possibly trigger
NAGLE delays. Problem diagnosed by Victor Duchovni, Morgan
Stanley. File: util/vstream.c.
Portability: avoid postmap/postalias test file name clashes
on Windows. Ian Lance Taylor (of Taylor UUCP fame).
20030823
Bugfix: vstream_popen() did not close the child pipe
after failure to fork(). File: util/vstream_popen.c.
20040826
Feature: support for systems with closefrom(), and emulation
for those without. Victor Duchovni, Morgan Stanley. Files:
util/sys_defs.h, util/sys_compat.c.
20040827
Feature: {sender,recipient}_canonical_classes parameters,
which give better control than sender_canonical_classes.
Files: cleanup/cleanup_addr.c, cleanup/cleanup_message.c.
Feature: the proxymap client now recognizes when a map
can't be proxied, and will open it directly instead. This
makes proxy maps easier to use for virtual mailbox domains.
File: global/dict_proxy.c.
Feature: smtp_sasl_mechanism_filter restricts what remote
SMTP server mechanism names the Postfix SMTP client passes
on to the SASL library. Victor Duchovni, Morgan Stanley.
Files: smtp/smtp.c. smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c.
Open problems:
Low: update events.c so that 1-second timer requests do
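
Review bot: The date heading 20030823 above the vstream_popen() bugfix sits between 20040817 and 20040826, so the year looks like a typo for 2004; every other heading in this hunk is in ascending 2004 order. The 20040827 entry also says the {sender,recipient}_canonical_classes parameters "give better control than sender_canonical_classes", which compares a parameter with itself; the 20040816 entry suggests canonical_classes was meant. In the last "Files:" line, "smtp/smtp.c." should end in a comma rather than a period.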

View File

@ -214,11 +214,14 @@ address manipulations:
CCaannoonniiccaall aaddddrreessss mmaappppiinngg
The cleanup(8) daemon uses the canonical(5) tables to rewrite all addresses in
message envelopes and in message headers. This is done for local and remote
addresses. The mapping is useful to replace login names by "Firstname.Lastname"
style addresses, or to clean up invalid domains in mail addresses produced by
legacy mail systems.
The cleanup(8) daemon uses the canonical(5) tables to rewrite addresses in
message envelopes and in message headers. By default all header and envelope
addresses are rewritten; this is controlled with the canonical_classes
configuration parameter.
Address rewriting is done for local and remote addresses. The mapping is useful
to replace login names by "Firstname.Lastname" style addresses, or to clean up
invalid domains in mail addresses produced by legacy mail systems.
Canonical mapping is disabled by default. To enable, edit the canonical_maps
parameter in the main.cf file and specify one or more lookup tables, separated
@ -248,7 +251,9 @@ Example:
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
The sender and recipient canonical maps are applied before the common canonical
maps.
maps. The sender_canonical_classes and recipient_canonical_classes parameters
control what addresses are subject to sender_canonical_maps and
recipient_canonical_maps mappings, respectively.
Sender-specific rewriting is useful when you want to rewrite ugly sender
addresses to pretty ones, and still want to be able to send mail to the those

View File

@ -319,6 +319,12 @@ plaintext authentication specify, for example:
The SASL client password file is opened before the SMTP server enters the
optional chroot jail, so you can keep the file in /etc/postfix.
Note: Some SMTP servers support authentication mechanisms that, although
available on the client system, may not in practice work or possess the
appropriate credentials to authenticate to the server. It is possible via the
smtp_sasl_mechanism_filter parameter to further restrict the list of server
mechanisms that the smtp(8) client will take into consideration.
The Postfix SMTP client is backwards compatible with SMTP servers that use the
non-standard "AUTH=method..." syntax in response to the EHLO command; there is
no Postfix client configuration needed to work around it.
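
Review bot: Missing documentation in the added "Note:" paragraph: it names smtp_sasl_mechanism_filter but shows neither an example setting nor the form its value takes, although the text just above it introduces its settings with "specify, for example:". Add a short example here. The first sentence also reads as if the mechanisms themselves "possess the appropriate credentials"; it is the client that may lack credentials for a mechanism, so reword it to say that.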

View File

@ -298,6 +298,22 @@ Translation:
listed in $mydestination, or when it matches $inet_interfaces or
$proxy_interfaces.
In some installations, there may be separate instances of Postfix processing
inbound and outbound mail on a multi-homed firewall. The inbound Postfix
instance has an SMTP server listening on the external firewall interface, and
the outbound Postfix instance has an SMTP server listening on the internal
interface. In such a configuration is it is tempting to configure
$inet_interfaces in each instance with just the corresponding interface
address.
In most cases using inet_interaces in this way will not work, because as
documented in the $inet_interfaces reference manual, the smtp(8) delivery agent
will also use the specified interface address as the source address for
outbound connections and will be unable to reach hosts on "the other side" of
the firewall. The symptoms are that the firewall is unable to connect to hosts
that are in fact up. See the inet_interfaces parameter documentation for
suggested work-arounds.
RRuunnnniinngg PPoossttffiixx bbeehhiinndd aa ffiirreewwaallll
The simplest way to set up Postfix on a host behind a firewalled network is to

View File

@ -7,6 +7,25 @@ snapshot release). Patches are issued for the official release
and change the patchlevel and the release date. Patches are never
issued for snapshot releases.
Major changes with snapshot Postfix-2.2-20040827
================================================
Easier use of the proxymap service with the virtual(8) delivery
agent. As of now, the virtual(8) delivery agent will silently open
maps directly when they can't be proxied. This means you can now
specify "virtual_mailbox_maps = proxy:mysql:whatever" without
triggering fatal errors in the virtual(8) delivery agent.
Better SMTP client control over the use of SASL mechanisms. New
smtp_sasl_mechanism_filter mechanism to shorten the list of SASL
mechanisms from a remote server to just those that the local SASL
library can actually use.
Finer control over canonical mapping with canonical_classes,
sender_canonical_classes and recipient_canonical_classes. These
specify one or more of envelope_sender, header_sender, envelope_recipient
or header_recipient. The default settings are backwards compatible.
Incompatible changes with snapshot Postfix-2.2-20040729
=======================================================
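
Review bot: Wording in the SASL paragraph: "New smtp_sasl_mechanism_filter mechanism" uses "mechanism" for the configuration parameter and, in the same sentence, for SASL mechanisms; call it a parameter, as the README note added in this commit does. The two descriptions also disagree on the purpose. Here the filter keeps "just those that the local SASL library can actually use", while the README note is about mechanisms that are available on the client but do not work or lack credentials. State one of them in both places.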

View File

@ -33,120 +33,131 @@
# way as described below under "REGULAR EXPRESSION TABLES"
# and "TCP-BASED TABLES".
#
# The canonical mapping affects both message header
# By default the canonical mapping affects both message
# header addresses (i.e. addresses that appear inside mes-
# sages) and message envelope addresses (for example, the
# addresses that are used in SMTP protocol commands). Think
# Sendmail rule set S3, if you like. This is controlled
# with the canonical_classes parameter.
#
# The canonical mapping affects both message header
# addresses (i.e. addresses that appear inside messages) and
# message envelope addresses (for example, the addresses
# that are used in SMTP protocol commands). Think Sendmail
# message envelope addresses (for example, the addresses
# that are used in SMTP protocol commands). Think Sendmail
# rule set S3, if you like.
#
# Typically, one would use the canonical table to replace
# login names by Firstname.Lastname, or to clean up
# Typically, one would use the canonical table to replace
# login names by Firstname.Lastname, or to clean up
# addresses produced by legacy mail systems.
#
# The canonical mapping is not to be confused with virtual
# The canonical mapping is not to be confused with virtual
# domain support. Use the virtual(5) map for that purpose.
#
# The canonical mapping is not to be confused with local
# The canonical mapping is not to be confused with local
# aliasing. Use the aliases(5) map for that purpose.
#
# TABLE FORMAT
# The input format for the postmap(1) command is as follows:
#
# pattern result
# When pattern matches a mail address, replace it by
# When pattern matches a mail address, replace it by
# the corresponding result.
#
# blank lines and comments
# Empty lines and whitespace-only lines are ignored,
# as are lines whose first non-whitespace character
# Empty lines and whitespace-only lines are ignored,
# as are lines whose first non-whitespace character
# is a `#'.
#
# multi-line text
# A logical line starts with non-whitespace text. A
# line that starts with whitespace continues a logi-
# A logical line starts with non-whitespace text. A
# line that starts with whitespace continues a logi-
# cal line.
#
# With lookups from indexed files such as DB or DBM, or from
# networked tables such as NIS, LDAP or SQL, patterns are
# networked tables such as NIS, LDAP or SQL, patterns are
# tried in the order as listed below:
#
# user@domain address
# user@domain is replaced by address. This form has
# user@domain is replaced by address. This form has
# the highest precedence.
#
# This is useful to clean up addresses produced by
# legacy mail systems. It can also be used to pro-
# duce Firstname.Lastname style addresses, but see
# This is useful to clean up addresses produced by
# legacy mail systems. It can also be used to pro-
# duce Firstname.Lastname style addresses, but see
# below for a simpler solution.
#
# user address
# user@site is replaced by address when site is equal
# to $myorigin, when site is listed in $mydestina-
# tion, or when it is listed in $inet_interfaces or
# to $myorigin, when site is listed in $mydestina-
# tion, or when it is listed in $inet_interfaces or
# $proxy_interfaces.
#
# This form is useful for replacing login names by
# This form is useful for replacing login names by
# Firstname.Lastname.
#
# @domain address
# Every address in domain is replaced by address.
# Every address in domain is replaced by address.
# This form has the lowest precedence.
#
# In all the above forms, when address has the form @other-
# In all the above forms, when address has the form @other-
# domain, the result is the same user in otherdomain.
#
# ADDRESS EXTENSION
# When a mail address localpart contains the optional recip-
# ient delimiter (e.g., user+foo@domain), the lookup order
# ient delimiter (e.g., user+foo@domain), the lookup order
# becomes: user+foo@domain, user@domain, user+foo, user, and
# @domain.
#
# The propagate_unmatched_extensions parameter controls
# whether an unmatched address extension (+foo) is propa-
# The propagate_unmatched_extensions parameter controls
# whether an unmatched address extension (+foo) is propa-
# gated to the result of table lookup.
#
# REGULAR EXPRESSION TABLES
# This section describes how the table lookups change when
# This section describes how the table lookups change when
# the table is given in the form of regular expressions. For
# a description of regular expression lookup table syntax,
# a description of regular expression lookup table syntax,
# see regexp_table(5) or pcre_table(5).
#
# Each pattern is a regular expression that is applied to
# Each pattern is a regular expression that is applied to
# the entire address being looked up. Thus, user@domain mail
# addresses are not broken up into their user and @domain
# addresses are not broken up into their user and @domain
# constituent parts, nor is user+foo broken up into user and
# foo.
#
# Patterns are applied in the order as specified in the
# table, until a pattern is found that matches the search
# Patterns are applied in the order as specified in the
# table, until a pattern is found that matches the search
# string.
#
# Results are the same as with indexed file lookups, with
# the additional feature that parenthesized substrings from
# Results are the same as with indexed file lookups, with
# the additional feature that parenthesized substrings from
# the pattern can be interpolated as $1, $2 and so on.
#
# TCP-BASED TABLES
# This section describes how the table lookups change when
# This section describes how the table lookups change when
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see
# tcp_table(5). This feature is not available in Postfix
# tion of the TCP client/server lookup protocol, see
# tcp_table(5). This feature is not available in Postfix
# version 2.1.
#
# Each lookup operation uses the entire address once. Thus,
# user@domain mail addresses are not broken up into their
# user@domain mail addresses are not broken up into their
# user and @domain constituent parts, nor is user+foo broken
# up into user and foo.
#
# Results are the same as with indexed file lookups.
#
# BUGS
# The table format does not understand quoting conventions.
# The table format does not understand quoting conventions.
#
# CONFIGURATION PARAMETERS
# The following main.cf parameters are especially relevant.
# The text below provides only a parameter summary. See
# The following main.cf parameters are especially relevant.
# The text below provides only a parameter summary. See
# postconf(5) for more details including examples.
#
# canonical_classes
# What addresses are subject to canonical address
# mapping.
#
# canonical_maps
# List of canonical mapping tables.
#
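
Review bot: After the new "By default the canonical mapping affects both message header addresses ..." paragraph, the older paragraph "The canonical mapping affects both message header addresses ..." is still present, so the text says the same thing twice, the second time without the "By default" qualifier or the pointer to canonical_classes. Drop the older paragraph. Most of the other lines in this hunk differ only in spacing from re-justified text, which buries the two real changes (this paragraph and the canonical_classes entry under CONFIGURATION PARAMETERS); regenerating the formatted text in a separate commit would make the change easier to review.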

View File

@ -297,7 +297,7 @@
#
# /etc/postfix/header_checks:
# /^content-(type|disposition):.*name[[:space:]]*=.*\.(exe|vbs)/
# REJECT Bad attachment file name extension: $1
# REJECT Bad attachment file name extension: $2
#
# Body pattern to stop a specific HTML browser vulnerability
# exploit.
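
Review bot: No changelog entry covers this correction: the dated entries added at the top of this commit do not mention the header_checks example. $2 is the right reference, because the first parenthesized group in the pattern is (type|disposition) and the second is (exe|vbs), so the old $1 reported "type" or "disposition" in the reject text instead of the file name extension. A one-line entry would help anyone who copied the old example into a live header_checks file.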

View File

@ -410,7 +410,11 @@ address. </p> </dd>
<h3> <a name="canonical"> Canonical address mapping </a> </h3>
<p> The <a href="cleanup.8.html">cleanup(8)</a> daemon uses the <a href="canonical.5.html">canonical(5)</a> tables to rewrite
all addresses in message envelopes and in message headers. This is
addresses in message envelopes and in message headers. By default
all header and envelope addresses are rewritten; this is controlled
with the <a href="postconf.5.html#canonical_classes">canonical_classes</a> configuration parameter. </p>
<p> Address rewriting is
done for local and remote addresses. The mapping is useful to
replace login names by "Firstname.Lastname" style addresses, or to
clean up invalid domains in mail addresses produced by legacy mail
@ -453,7 +457,10 @@ applied only to sender addresses or to recipient addresses. </p>
</blockquote>
<p> The sender and recipient canonical maps are applied before the
common canonical maps. </p>
common canonical maps. The <a href="postconf.5.html#sender_canonical_classes">sender_canonical_classes</a> and
<a href="postconf.5.html#recipient_canonical_classes">recipient_canonical_classes</a> parameters control what addresses are
subject to <a href="postconf.5.html#sender_canonical_maps">sender_canonical_maps</a> and <a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a>
mappings, respectively. </p>
<p> Sender-specific rewriting is useful when you want to rewrite
ugly sender addresses to pretty ones, and still want to be able to

View File

@ -473,6 +473,13 @@ for example: </p>
enters the optional chroot jail, so you can keep the file in
/etc/postfix. </p>
<p> Note: Some SMTP servers support authentication mechanisms that,
although available on the client system, may not in practice work or
possess the appropriate credentials to authenticate to the server. It
is possible via the <a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> parameter to further
restrict the list of server mechanisms that the <a href="smtp.8.html">smtp(8)</a> client will take
into consideration. </p>
<p> The Postfix SMTP client is backwards compatible with SMTP
servers that use the non-standard "AUTH=method..." syntax in response
to the EHLO command; there is no Postfix client configuration needed

View File

@ -422,6 +422,22 @@ matches $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or $<a hr
</ul>
<p> In some installations, there may be separate instances of Postfix
processing inbound and outbound mail on a multi-homed firewall. The
inbound Postfix instance has an SMTP server listening on the external
firewall interface, and the outbound Postfix instance has an SMTP server
listening on the internal interface. In such a configuration is it is
tempting to configure $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> in each instance with just the
corresponding interface address. </p>
<p> In most cases using inet_interaces in this way will not work,
because as documented in the $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> reference manual, the
<a href="smtp.8.html">smtp(8)</a> delivery agent will also use the specified interface address
as the source address for outbound connections and will be unable to
reach hosts on "the other side" of the firewall. The symptoms are that
the firewall is unable to connect to hosts that are in fact up. See the
<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> parameter documentation for suggested work-arounds.</p>
<h2><a name="intranet">Running Postfix behind a firewall</a></h2>
<p> The simplest way to set up Postfix on a host behind a firewalled

View File

@ -39,120 +39,131 @@ CANONICAL(5) CANONICAL(5)
way as described below under "REGULAR EXPRESSION TABLES"
and "TCP-BASED TABLES".
The <b>canonical</b> mapping affects both message header
By default the <b>canonical</b> mapping affects both message
header addresses (i.e. addresses that appear inside mes-
sages) and message envelope addresses (for example, the
addresses that are used in SMTP protocol commands). Think
Sendmail rule set <b>S3</b>, if you like. This is controlled
with the <b>canonical_classes</b> parameter.
The <b>canonical</b> mapping affects both message header
addresses (i.e. addresses that appear inside messages) and
message envelope addresses (for example, the addresses
that are used in SMTP protocol commands). Think Sendmail
message envelope addresses (for example, the addresses
that are used in SMTP protocol commands). Think Sendmail
rule set <b>S3</b>, if you like.
Typically, one would use the <b>canonical</b> table to replace
login names by <i>Firstname.Lastname</i>, or to clean up
Typically, one would use the <b>canonical</b> table to replace
login names by <i>Firstname.Lastname</i>, or to clean up
addresses produced by legacy mail systems.
The <b>canonical</b> mapping is not to be confused with <i>virtual</i>
The <b>canonical</b> mapping is not to be confused with <i>virtual</i>
<i>domain</i> support. Use the <a href="virtual.5.html"><b>virtual</b>(5)</a> map for that purpose.
The <b>canonical</b> mapping is not to be confused with local
The <b>canonical</b> mapping is not to be confused with local
aliasing. Use the <a href="aliases.5.html"><b>aliases</b>(5)</a> map for that purpose.
<b>TABLE FORMAT</b>
The input format for the <a href="postmap.1.html"><b>postmap</b>(1)</a> command is as follows:
<i>pattern result</i>
When <i>pattern</i> matches a mail address, replace it by
When <i>pattern</i> matches a mail address, replace it by
the corresponding <i>result</i>.
blank lines and comments
Empty lines and whitespace-only lines are ignored,
as are lines whose first non-whitespace character
Empty lines and whitespace-only lines are ignored,
as are lines whose first non-whitespace character
is a `#'.
multi-line text
A logical line starts with non-whitespace text. A
line that starts with whitespace continues a logi-
A logical line starts with non-whitespace text. A
line that starts with whitespace continues a logi-
cal line.
With lookups from indexed files such as DB or DBM, or from
networked tables such as NIS, LDAP or SQL, patterns are
networked tables such as NIS, LDAP or SQL, patterns are
tried in the order as listed below:
<i>user</i>@<i>domain address</i>
<i>user</i>@<i>domain</i> is replaced by <i>address</i>. This form has
<i>user</i>@<i>domain</i> is replaced by <i>address</i>. This form has
the highest precedence.
This is useful to clean up addresses produced by
legacy mail systems. It can also be used to pro-
duce <i>Firstname.Lastname</i> style addresses, but see
This is useful to clean up addresses produced by
legacy mail systems. It can also be used to pro-
duce <i>Firstname.Lastname</i> style addresses, but see
below for a simpler solution.
<i>user address</i>
<i>user</i>@<i>site</i> is replaced by <i>address</i> when <i>site</i> is equal
to $<b><a href="postconf.5.html#myorigin">myorigin</a></b>, when <i>site</i> is listed in $<b><a href="postconf.5.html#mydestination">mydestina</a>-</b>
<b><a href="postconf.5.html#mydestination">tion</a></b>, or when it is listed in $<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a></b> or
to $<b><a href="postconf.5.html#myorigin">myorigin</a></b>, when <i>site</i> is listed in $<b><a href="postconf.5.html#mydestination">mydestina</a>-</b>
<b><a href="postconf.5.html#mydestination">tion</a></b>, or when it is listed in $<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a></b> or
$<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a></b>.
This form is useful for replacing login names by
This form is useful for replacing login names by
<i>Firstname.Lastname</i>.
@<i>domain address</i>
Every address in <i>domain</i> is replaced by <i>address</i>.
Every address in <i>domain</i> is replaced by <i>address</i>.
This form has the lowest precedence.
In all the above forms, when <i>address</i> has the form @<i>other-</i>
In all the above forms, when <i>address</i> has the form @<i>other-</i>
<i>domain</i>, the result is the same user in <i>otherdomain</i>.
<b>ADDRESS EXTENSION</b>
When a mail address localpart contains the optional recip-
ient delimiter (e.g., <i>user+foo</i>@<i>domain</i>), the lookup order
ient delimiter (e.g., <i>user+foo</i>@<i>domain</i>), the lookup order
becomes: <i>user+foo</i>@<i>domain</i>, <i>user</i>@<i>domain</i>, <i>user+foo</i>, <i>user</i>, and
@<i>domain</i>.
The <b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a></b> parameter controls
whether an unmatched address extension (<i>+foo</i>) is propa-
The <b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a></b> parameter controls
whether an unmatched address extension (<i>+foo</i>) is propa-
gated to the result of table lookup.
<b>REGULAR EXPRESSION TABLES</b>
This section describes how the table lookups change when
This section describes how the table lookups change when
the table is given in the form of regular expressions. For
a description of regular expression lookup table syntax,
a description of regular expression lookup table syntax,
see <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>.
Each pattern is a regular expression that is applied to
Each pattern is a regular expression that is applied to
the entire address being looked up. Thus, <i>user@domain</i> mail
addresses are not broken up into their <i>user</i> and <i>@domain</i>
addresses are not broken up into their <i>user</i> and <i>@domain</i>
constituent parts, nor is <i>user+foo</i> broken up into <i>user</i> and
<i>foo</i>.
Patterns are applied in the order as specified in the
table, until a pattern is found that matches the search
Patterns are applied in the order as specified in the
table, until a pattern is found that matches the search
string.
Results are the same as with indexed file lookups, with
the additional feature that parenthesized substrings from
Results are the same as with indexed file lookups, with
the additional feature that parenthesized substrings from
the pattern can be interpolated as <b>$1</b>, <b>$2</b> and so on.
<b>TCP-BASED TABLES</b>
This section describes how the table lookups change when
This section describes how the table lookups change when
lookups are directed to a TCP-based server. For a descrip-
tion of the TCP client/server lookup protocol, see
<a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>. This feature is not available in Postfix
tion of the TCP client/server lookup protocol, see
<a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>. This feature is not available in Postfix
version 2.1.
Each lookup operation uses the entire address once. Thus,
<i>user@domain</i> mail addresses are not broken up into their
<i>user@domain</i> mail addresses are not broken up into their
<i>user</i> and <i>@domain</i> constituent parts, nor is <i>user+foo</i> broken
up into <i>user</i> and <i>foo</i>.
Results are the same as with indexed file lookups.
<b>BUGS</b>
The table format does not understand quoting conventions.
The table format does not understand quoting conventions.
<b>CONFIGURATION PARAMETERS</b>
The following <b>main.cf</b> parameters are especially relevant.
The text below provides only a parameter summary. See
The following <b>main.cf</b> parameters are especially relevant.
The text below provides only a parameter summary. See
<a href="postconf.5.html">postconf(5)</a> for more details including examples.
<b>canonical_classes</b>
What addresses are subject to canonical address
mapping.
<b><a href="postconf.5.html#canonical_maps">canonical_maps</a></b>
List of canonical mapping tables.
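
Review bot: In the CONFIGURATION PARAMETERS list, the new <b>canonical_classes</b> entry has no link to postconf.5.html#canonical_classes, unlike the canonical_maps entry right below it and the canonical_classes entry added to the cleanup(8) page in this commit. Near the top of the hunk, the older "The <b>canonical</b> mapping affects both message header addresses ..." paragraph also remains after the new "By default" paragraph, so the page repeats itself; remove the older one.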

View File

@ -223,10 +223,26 @@ CLEANUP(8) CLEANUP(8)
addresses or domains to other local or remote
address.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#canonical_classes">canonical_classes</a> (envelope_sender, envelope_recipient,</b>
<b>header_sender, header_recipient)</b>
What addresses are subject to <a href="postconf.5.html#canonical_maps">canonical_maps</a>
address mapping.
<b><a href="postconf.5.html#recipient_canonical_classes">recipient_canonical_classes</a> (envelope_recipient,</b>
<b>header_recipient)</b>
What addresses are subject to <a href="postconf.5.html#recipient_canonical_maps">recipient_canoni</a>-
<a href="postconf.5.html#recipient_canonical_maps">cal_maps</a> address mapping.
<b><a href="postconf.5.html#sender_canonical_classes">sender_canonical_classes</a> (envelope_sender, header_sender)</b>
What addresses are subject to <a href="postconf.5.html#sender_canonical_maps">sender_canonical_maps</a>
address mapping.
<b>RESOURCE AND RATE CONTROLS</b>
<b><a href="postconf.5.html#duplicate_filter_limit">duplicate_filter_limit</a> (1000)</b>
The maximal number of addresses remembered by the
address duplicate filter for <a href="aliases.5.html">aliases(5)</a> or vir-
The maximal number of addresses remembered by the
address duplicate filter for <a href="aliases.5.html">aliases(5)</a> or vir-
tual(5) alias expansion, or for <a href="showq.8.html">showq(8)</a> queue dis-
plays.
@ -235,16 +251,16 @@ CLEANUP(8) CLEANUP(8)
message header.
<b><a href="postconf.5.html#hopcount_limit">hopcount_limit</a> (50)</b>
The maximal number of Received: message headers
The maximal number of Received: message headers
that is allowed in the primary message headers.
<b><a href="postconf.5.html#in_flow_delay">in_flow_delay</a> (1s)</b>
Time to pause before accepting a new message, when
Time to pause before accepting a new message, when
the message arrival rate exceeds the message deliv-
ery rate.
<b><a href="postconf.5.html#message_size_limit">message_size_limit</a> (10240000)</b>
The maximal size in bytes of a message, including
The maximal size in bytes of a message, including
envelope information.
Available in Postfix version 2.0 and later:
@ -262,31 +278,31 @@ CLEANUP(8) CLEANUP(8)
will handle.
<b><a href="postconf.5.html#queue_file_attribute_count_limit">queue_file_attribute_count_limit</a> (100)</b>
The maximal number of (name=value) attributes that
The maximal number of (name=value) attributes that
may be stored in a Postfix queue file.
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#virtual_alias_expansion_limit">virtual_alias_expansion_limit</a> (1000)</b>
The maximal number of addresses that virtual alias
The maximal number of addresses that virtual alias
expansion produces from each original recipient.
<b><a href="postconf.5.html#virtual_alias_recursion_limit">virtual_alias_recursion_limit</a> (1000)</b>
The maximal nesting depth of virtual alias expan-
The maximal nesting depth of virtual alias expan-
sion.
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix main.cf and
The default location of the Postfix main.cf and
master.cf configuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
How much time a Postfix daemon process may take to
handle a request before it is terminated by a
How much time a Postfix daemon process may take to
handle a request before it is terminated by a
built-in watchdog timer.
<b><a href="postconf.5.html#delay_warning_time">delay_warning_time</a> (0h)</b>
The time after which the sender receives the mes-
The time after which the sender receives the mes-
sage headers of mail that is still queued.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
@ -294,12 +310,12 @@ CLEANUP(8) CLEANUP(8)
over an internal communication channel.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
daemon process waits for the next service request
The maximum amount of time that an idle Postfix
daemon process waits for the next service request
before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
The maximal number of connection requests before a
The maximal number of connection requests before a
Postfix daemon process terminates.
<b><a href="postconf.5.html#myhostname">myhostname</a> (see 'postconf -d' output)</b>
@ -307,19 +323,19 @@ CLEANUP(8) CLEANUP(8)
<b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
The domain name that locally-posted mail appears to
come from, and that locally posted mail is deliv-
come from, and that locally posted mail is deliv-
ered to.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
The process ID of a Postfix command or daemon pro-
The process ID of a Postfix command or daemon pro-
cess.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
The process name of a Postfix command or daemon
The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
The location of the Postfix top-level queue direc-
The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
@ -330,14 +346,14 @@ CLEANUP(8) CLEANUP(8)
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
The mail system name that is prepended to the pro-
The mail system name that is prepended to the pro-
cess name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#enable_original_recipient">enable_original_recipient</a> (yes)</b>
Enable support for the X-Original-To message
Enable support for the X-Original-To message
header.
<b>FILES</b>
@ -359,7 +375,7 @@ CLEANUP(8) CLEANUP(8)
<a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> Postfix address manipulation
<b>LICENSE</b>
The Secure Mailer license must be distributed with this
The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>


@ -303,7 +303,7 @@ HEADER_CHECKS(5) HEADER_CHECKS(5)
/etc/postfix/header_checks:
/^content-(type|disposition):.*name[[:space:]]*=.*\.(exe|vbs)/
REJECT Bad attachment file name extension: $1
REJECT Bad attachment file name extension: $2
Body pattern to stop a specific HTML browser vulnerability
exploit.
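Review bot: the example pattern has no anchor after the extension group, so `.*\.(exe|vbs)` also matches when exe or vbs is not the last extension in the name (for example name=notes.exe.txt). The $1 to $2 change itself is correct, because group 1 is (type|disposition) and group 2 is the extension. While touching the example, consider ending the pattern at the closing quote, a ";" or the end of the line, so that the text reported by $2 really is the file name extension.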


@ -528,8 +528,11 @@ Example:
<p>
Allow a recipient address to have `-' as the first character. By
default, this is not allowed, to avoid accidents with software that
passes email addresses via the command line.
</p>
passes email addresses via the command line. Such software
would not be able to distinguish a malicious address from a
bona fide command-line option. Although this can be prevented by
inserting a "--" option terminator into the command line, this is
difficult to enforce consistently and globally. </p>
</DD>
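Review bot: in the added allow_min_user sentences, "this can be prevented" and "this is difficult to enforce" use "this" for two different things (the option confusion, then the use of "--"). Suggest naming both, for example "Although the confusion can be prevented by inserting a "--" option terminator into the command line, doing so is difficult to enforce consistently and globally."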
@ -945,6 +948,20 @@ AUTH support in a non-standard way.
</p>
</DD>
<DT><b><a name="canonical_classes">canonical_classes</a>
(default: envelope_sender, envelope_recipient, header_sender, header_recipient)</b></DT><DD>
<p> What addresses are subject to <a href="postconf.5.html#canonical_maps">canonical_maps</a> address mapping.
By default, <a href="postconf.5.html#canonical_maps">canonical_maps</a> address mapping is applied to envelope
sender and recipient addresses, and to header sender and header
recipient addresses. </p>
<p> Specify one or more of: envelope_sender, envelope_recipient,
header_sender, header_recipient </p>
</DD>
<DT><b><a name="canonical_maps">canonical_maps</a>
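Review bot: the new canonical_classes entry does not say which Postfix version introduced the parameter, although the cleanup(8) summary in this same commit lists it under "Available in Postfix version 2.2 and later". Add that sentence here, and to the recipient_canonical_classes and sender_canonical_classes entries further down. The entry also only enumerates the allowed values; a short example (such as limiting the mapping to envelope addresses) would show what a non-default setting looks like.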
@ -953,7 +970,8 @@ AUTH support in a non-standard way.
<p>
Optional address mapping lookup tables for message headers and
envelopes. The mapping is applied to both sender and recipient
addresses, in both envelopes and in headers. This is typically used
addresses, in both envelopes and in headers, as controlled
with the <a href="postconf.5.html#canonical_classes">canonical_classes</a> parameter. This is typically used
to clean up dirty addresses from legacy mail systems, or to replace
login names by Firstname.Lastname. The table format and lookups
are documented in <a href="canonical.5.html">canonical(5)</a>.
@ -2405,6 +2423,26 @@ machine. The parameter also controls delivery of mail to
user@[ip.address].
</p>
<p>
When <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> consists of just one IP address that is not a
loopback (net 127) address, the Postfix SMTP client will use this address
as the IP source address for outbound mail. </p>
<p>
On a multi-homed firewall with separate Postfix instances listening on the
"inside" and "outside" interfaces, this can prevent each instance from
being able to reach servers on the "other side" of the firewall. Setting
<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> to 0.0.0.0 avoids the potential problem. </p>
<p>
A better solution is to leave <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> at the default value
and instead use explicit IP addresses in master.cf. This preserves SMTP
loop detection, by ensuring that each side of the firewall knows that the
other IP address is still the same host. Setting $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> to a
single IP address is primarily useful with virtual hosting of domains on
secondary IP addresses, when each IP address serves a different domain
(and has a different $<a href="postconf.5.html#myhostname">myhostname</a> setting). </p>
<p>
See also the <a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> parameter, for network addresses that
are forwarded to us by way of a proxy or address translator.
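Review bot: the third added paragraph recommends "explicit IP addresses in master.cf" as the better solution but does not show what such an entry looks like, while the weaker workaround (smtp_bind_address = 0.0.0.0) is spelled out exactly. A one-line master.cf example would make the preferred fix just as easy to apply. The same paragraph also switches between "inet_interfaces" and "$inet_interfaces" when naming the parameter; pick one form.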
@ -4557,6 +4595,20 @@ Example:
</pre>
</DD>
<DT><b><a name="recipient_canonical_classes">recipient_canonical_classes</a>
(default: envelope_recipient, header_recipient)</b></DT><DD>
<p> What addresses are subject to <a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> address
mapping. By default, <a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> address mapping is
applied to envelope recipient addresses, and to header recipient
addresses. </p>
<p> Specify one or more of: envelope_recipient, header_recipient
</p>
</DD>
<DT><b><a name="recipient_canonical_maps">recipient_canonical_maps</a>
@ -4971,6 +5023,19 @@ Example:
</pre>
</DD>
<DT><b><a name="sender_canonical_classes">sender_canonical_classes</a>
(default: envelope_sender, header_sender)</b></DT><DD>
<p> What addresses are subject to <a href="postconf.5.html#sender_canonical_maps">sender_canonical_maps</a> address
mapping. By default, <a href="postconf.5.html#sender_canonical_maps">sender_canonical_maps</a> address mapping is
applied to envelope sender addresses, and to header sender addresses.
</p>
<p> Specify one or more of: envelope_sender, header_sender </p>
</DD>
<DT><b><a name="sender_canonical_maps">sender_canonical_maps</a>
@ -5140,6 +5205,12 @@ for example:
smtp ... smtp -o <a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a>=11.22.33.44
</pre>
<p> Note: when <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> specifies exactly one address that
is a non-loopback address, it is automatically used as the
<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a>. This supports virtual IP hosting, but can be
a problem on multi-homed firewalls. See the <a href="postconf.5.html#inet_interfaces">inet_interfaces</a>
documentation for more detail. </p>
</DD>
@ -5642,6 +5713,33 @@ Example:
</pre>
</DD>
<DT><b><a name="smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a>
(default: empty)</b></DT><DD>
<p>
If non-empty, filters the SMTP server's list of offered SASL mechanisms.
Different client and server implementations may support different
mechanism lists. By default, the client will use the intersection of the
two. <a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> further restricts what server mechanisms
the client will take into consideration. </p>
<p> Specify mechanism names, "/file/name" patterns or "<a href="DATABASE_README.html">type:table</a>"
lookup tables. The right-hand side result from "<a href="DATABASE_README.html">type:table</a>" lookups
is ignored. </p>
<p>
Examples:
</p>
<pre>
<a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> = plain, login
<a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> = /etc/postfix/smtp_mechs
<a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> = !gssapi, !login, static:rest
</pre>
</DD>
<DT><b><a name="smtp_sasl_password_maps">smtp_sasl_password_maps</a>
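Review bot: the Examples block for smtp_sasl_mechanism_filter leaves the matching rules undocumented. The examples use lower-case names, so the text should state whether matching against the server's advertised list is case-insensitive, and should explain the third example: that "!gssapi, !login" excludes those two mechanisms and "static:rest" accepts everything else. It is also worth pointing to smtp_sasl_security_options, whose default (noplaintext, noanonymous) appears in the smtp(8) summary in this commit: with that default, the first example (plain, login) would leave the client with no mechanism it is allowed to use.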
@ -6857,9 +6955,8 @@ from filling up with undeliverable MAILER-DAEMON messages.
or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, but the recipient is not listed in
$<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>, and $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> is not null.
<li> The recipient domain matches $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> but the
recipient is not listed in $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>, and $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>
is not null.
<li> The recipient domain matches $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> but the
recipient is not listed in $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>.
<li> The recipient domain matches $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> but the
recipient is not listed in $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>, and $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>
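Review bot: the rewritten virtual_alias bullet drops the "and $virtual_alias_maps is not null" condition, while the neighbouring local_recipient_maps and virtual_mailbox_maps bullets keep theirs. As written, a site that lists a domain in $virtual_alias_domains and leaves $virtual_alias_maps empty has every recipient in that domain rejected. If that asymmetry is intended, add a sentence saying so; otherwise restore the condition.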
@ -6892,9 +6989,8 @@ of forged mail from worms or viruses. </p>
$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, but the recipient is not listed in
$<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>, and $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> is not null.
<li> The sender domain matches $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> but the recipient
is not listed in $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>, and $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> is
not null.
<li> The sender domain matches $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> but the recipient
is not listed in $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>.
<li> The sender domain matches $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> but the
recipient is not listed in $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>, and $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>
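Review bot: the rewritten bullet still reads "The sender domain matches $virtual_alias_domains but the recipient is not listed in $virtual_alias_maps", mixing sender and recipient in one condition. Since this line is being rewritten anyway, change "recipient" to "sender" here, and check the surrounding sender-domain bullets, which carry the same wording. The note on the previous hunk about the dropped "is not null" condition applies here as well.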
@ -7992,9 +8088,10 @@ lookup tables, because that would open a security hole.
</p>
<p>
Note 2: for security reasons, the <a href="virtual.8.html">virtual(8)</a> delivery agent does
not allow table lookup through the <a href="proxymap.8.html">proxymap(8)</a> service, because
that would open a security hole.
Note 2: for security reasons, the <a href="virtual.8.html">virtual(8)</a> delivery agent will
silently ignore requests to use the <a href="proxymap.8.html">proxymap(8)</a> server. Instead
it will open the table directly. Before Postfix version 2.2, the
<a href="virtual.8.html">virtual(8)</a> delivery agent will terminate with a fatal error.
</p>
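Review bot: the replacement Note 2 still begins "for security reasons" but no longer says what the reason is, since the "because that would open a security hole" clause is removed. Keep a short statement of the reason. "Silently ignore" also means an administrator who configures a proxy: table gets no indication that the setting has no effect, so consider documenting (or adding) a logged warning. Finally, "Before Postfix version 2.2, the virtual(8) delivery agent will terminate" should be present tense ("terminates"). The same text is repeated in the next two hunks and in the postconf(5) man page source.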
@ -8118,9 +8215,10 @@ lookup tables, because that would open a security hole.
</p>
<p>
Note 2: for security reasons, the <a href="virtual.8.html">virtual(8)</a> delivery agent disallows
table lookup through the <a href="proxymap.8.html">proxymap(8)</a> server, because that would
open a security hole.
Note 2: for security reasons, the <a href="virtual.8.html">virtual(8)</a> delivery agent will
silently ignore requests to use the <a href="proxymap.8.html">proxymap(8)</a> server. Instead
it will open the table directly. Before Postfix version 2.2, the
<a href="virtual.8.html">virtual(8)</a> delivery agent will terminate with a fatal error.
</p>
@ -8203,9 +8301,10 @@ lookup tables, because that would open a security hole.
</p>
<p>
Note 2: for security reasons, the <a href="virtual.8.html">virtual(8)</a> delivery agent does
not allow table lookup through the <a href="proxymap.8.html">proxymap(8)</a> service, because
that would open a security hole.
Note 2: for security reasons, the <a href="virtual.8.html">virtual(8)</a> delivery agent will
silently ignore requests to use the <a href="proxymap.8.html">proxymap(8)</a> server. Instead
it will open the table directly. Before Postfix version 2.2, the
<a href="virtual.8.html">virtual(8)</a> delivery agent will terminate with a fatal error.
</p>


@ -170,26 +170,32 @@ SMTP(8) SMTP(8)
What authentication mechanisms the Postfix SMTP
client is allowed to use.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
If non-empty, filters the SMTP server's list of
offered SASL mechanisms.
<b>RESOURCE AND RATE CONTROLS</b>
<b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b>
The maximal number of parallel deliveries to the
same destination via the smtp message delivery
The maximal number of parallel deliveries to the
same destination via the smtp message delivery
transport.
<b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b>
<b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b>
The maximal number of recipients per delivery via
The maximal number of recipients per delivery via
the smtp message delivery transport.
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
The SMTP client time limit for completing a TCP
The SMTP client time limit for completing a TCP
connection, or zero (use the operating system
built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
The SMTP client time limit for sending the HELO or
EHLO command, and for receiving the initial server
The SMTP client time limit for sending the HELO or
EHLO command, and for receiving the initial server
response.
<b><a href="postconf.5.html#smtp_xforward_timeout">smtp_xforward_timeout</a> (300s)</b>
@ -197,30 +203,30 @@ SMTP(8) SMTP(8)
command, and for receiving the server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
The SMTP client time limit for sending the MAIL
FROM command, and for receiving the server
The SMTP client time limit for sending the MAIL
FROM command, and for receiving the server
response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
The SMTP client time limit for sending the SMTP
RCPT TO command, and for receiving the server
The SMTP client time limit for sending the SMTP
RCPT TO command, and for receiving the server
response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
The SMTP client time limit for sending the SMTP
DATA command, and for receiving the server
The SMTP client time limit for sending the SMTP
DATA command, and for receiving the server
response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
The SMTP client time limit for sending the SMTP
The SMTP client time limit for sending the SMTP
message content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
The SMTP client time limit for sending the SMTP
The SMTP client time limit for sending the SMTP
".", and for receiving the server response.
<b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
The SMTP client time limit for sending the QUIT
The SMTP client time limit for sending the QUIT
command, and for receiving the server response.
Available in Postfix version 2.1 and later:
@ -231,28 +237,28 @@ SMTP(8) SMTP(8)
lookups, or zero (no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
The maximal number of SMTP sessions per delivery
request before giving up or delivering to a fall-
The maximal number of SMTP sessions per delivery
request before giving up or delivering to a fall-
back relay host, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
The SMTP client time limit for sending the RSET
The SMTP client time limit for sending the RSET
command, and for receiving the server response.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
Permanently enable SMTP connection caching for the
Permanently enable SMTP connection caching for the
specified destinations.
<b>smtp_connection_cache_on_demand (yes)</b>
Temporarily enable SMTP session caching while a
Temporarily enable SMTP session caching while a
destination has a high volume of mail in the active
queue.
<b><a href="postconf.5.html#smtp_connection_cache_reuse_limit">smtp_connection_cache_reuse_limit</a> (10)</b>
When SMTP session caching is enabled, the number of
times that an SMTP session is reused before it is
times that an SMTP session is reused before it is
closed.
<b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
@ -262,46 +268,46 @@ SMTP(8) SMTP(8)
<b>TROUBLE SHOOTING CONTROLS</b>
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
The increment in verbose logging level when a
remote client or server matches a pattern in the
The increment in verbose logging level when a
remote client or server matches a pattern in the
<a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
Optional list of remote client or server hostname
or network address patterns that cause the verbose
logging level to increase by the amount specified
Optional list of remote client or server hostname
or network address patterns that cause the verbose
logging level to increase by the amount specified
in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
The recipient of postmaster notifications about
mail delivery problems that are caused by policy,
The recipient of postmaster notifications about
mail delivery problems that are caused by policy,
resource, software or protocol errors.
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
The list of error classes that are reported to the
The list of error classes that are reported to the
postmaster.
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
Where the Postfix SMTP client should deliver mail
Where the Postfix SMTP client should deliver mail
when it detects a "mail loops back to myself" error
condition.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix main.cf and
The default location of the Postfix main.cf and
master.cf configuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
How much time a Postfix daemon process may take to
handle a request before it is terminated by a
How much time a Postfix daemon process may take to
handle a request before it is terminated by a
built-in watchdog timer.
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
Disable DNS lookups in the Postfix SMTP and LMTP
Disable DNS lookups in the Postfix SMTP and LMTP
clients.
<b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
Optional list of relay hosts for SMTP destinations
Optional list of relay hosts for SMTP destinations
that can't be found or that are unreachable.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
@ -313,25 +319,25 @@ SMTP(8) SMTP(8)
over an internal communication channel.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
daemon process waits for the next service request
The maximum amount of time that an idle Postfix
daemon process waits for the next service request
before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
The maximal number of connection requests before a
The maximal number of connection requests before a
Postfix daemon process terminates.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
The process ID of a Postfix command or daemon pro-
The process ID of a Postfix command or daemon pro-
cess.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
The process name of a Postfix command or daemon
The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The network interface addresses that this mail sys-
tem receives mail on by way of a proxy or network
tem receives mail on by way of a proxy or network
address translation unit.
<b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
@ -339,22 +345,22 @@ SMTP(8) SMTP(8)
client should bind to when making a connection.
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
The hostname to send in the SMTP EHLO or HELO com-
The hostname to send in the SMTP EHLO or HELO com-
mand.
<b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
What mechanisms when the SMTP client uses to look
What mechanisms when the SMTP client uses to look
up a host's IP address.
<b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
Randomize the order of equal-preference MX host
Randomize the order of equal-preference MX host
addresses.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
The mail system name that is prepended to the pro-
The mail system name that is prepended to the pro-
cess name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
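Review bot: the smtp_host_lookup summary in this hunk is re-justified but keeps the garbled sentence "What mechanisms when the SMTP client uses to look up a host's IP address." Since the page is regenerated from the parameter summary, fix the source text to "What mechanisms the SMTP client uses to look up a host's IP address" so that the correction propagates to the HTML and man page output.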
@ -370,7 +376,7 @@ SMTP(8) SMTP(8)
<a href="SASL_README.html">SASL_README</a>, Postfix SASL howto
<b>LICENSE</b>
The Secure Mailer license must be distributed with this
The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>


@ -36,6 +36,13 @@ can be directed to TCP-based server. In that case, the lookups are
done in a slightly different way as described below under
"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
By default the \fBcanonical\fR mapping affects both message
header addresses (i.e. addresses that appear inside messages)
and message envelope addresses (for example, the addresses
that are used in SMTP protocol commands). Think Sendmail
rule set \fBS3\fR, if you like. This is controlled with
the \fBcanonical_classes\fR parameter.
The \fBcanonical\fR mapping affects both message header addresses
(i.e. addresses that appear inside messages) and message envelope
addresses (for example, the addresses that are used in SMTP protocol
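Review bot: the new "By default the canonical mapping affects both message header addresses ..." paragraph is inserted directly ahead of the existing "The canonical mapping affects both message header addresses ..." paragraph, and the hunk header (-36,6 +36,13) shows only additions. The old paragraph therefore stays, and canonical(5) now says the same thing twice, once with the canonical_classes reference and once without. Remove the old paragraph in the same change.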
@ -152,6 +159,8 @@ The table format does not understand quoting conventions.
The following \fBmain.cf\fR parameters are especially relevant.
The text below provides only a parameter summary. See
postconf(5) for more details including examples.
.IP \fBcanonical_classes\fR
What addresses are subject to canonical address mapping.
.IP \fBcanonical_maps\fR
List of canonical mapping tables.
.IP \fBrecipient_canonical_maps\fR


@ -282,7 +282,7 @@ header_checks = regexp:/etc/postfix/header_checks
.ti +4
/^content-(type|disposition):.*name[[:space:]]*=.*\\.(exe|vbs)/
.ti +8
REJECT Bad attachment file name extension: $1
REJECT Bad attachment file name extension: $2
.ad
.fi


@ -287,7 +287,11 @@ allow_mail_to_files = alias,forward,include
.SH allow_min_user (default: no)
Allow a recipient address to have `-' as the first character. By
default, this is not allowed, to avoid accidents with software that
passes email addresses via the command line.
passes email addresses via the command line. Such software
would not be able to distinguish a malicious address from a
bona fide command-line option. Although this can be prevented by
inserting a "--" option terminator into the command line, this is
difficult to enforce consistently and globally.
.SH allow_percent_hack (default: yes)
Enable the rewriting of the form "user%domain" to "user@domain".
This is enabled by default.
@ -483,10 +487,19 @@ version 5.0.
.PP
Specify "\fBbroken_sasl_auth_clients = yes\fR" to have Postfix advertise
AUTH support in a non-standard way.
.SH canonical_classes (default: envelope_sender, envelope_recipient, header_sender, header_recipient)
What addresses are subject to canonical_maps address mapping.
By default, canonical_maps address mapping is applied to envelope
sender and recipient addresses, and to header sender and header
recipient addresses.
.PP
Specify one or more of: envelope_sender, envelope_recipient,
header_sender, header_recipient
.SH canonical_maps (default: empty)
Optional address mapping lookup tables for message headers and
envelopes. The mapping is applied to both sender and recipient
addresses, in both envelopes and in headers. This is typically used
addresses, in both envelopes and in headers, as controlled
with the canonical_classes parameter. This is typically used
to clean up dirty addresses from legacy mail systems, or to replace
login names by Firstname.Lastname. The table format and lookups
are documented in canonical(5).
@ -1202,6 +1215,23 @@ on. By default, the software claims all active interfaces on the
machine. The parameter also controls delivery of mail to
user@[ip.address].
.PP
When inet_interfaces consists of just one IP address that is not a
loopback (net 127) address, the Postfix SMTP client will use this address
as the IP source address for outbound mail.
.PP
On a multi-homed firewall with separate Postfix instances listening on the
"inside" and "outside" interfaces, this can prevent each instance from
being able to reach servers on the "other side" of the firewall. Setting
smtp_bind_address to 0.0.0.0 avoids the potential problem.
.PP
A better solution is to leave inet_interfaces at the default value
and instead use explicit IP addresses in master.cf. This preserves SMTP
loop detection, by ensuring that each side of the firewall knows that the
other IP address is still the same host. Setting $inet_interfaces to a
single IP address is primarily useful with virtual hosting of domains on
secondary IP addresses, when each IP address serves a different domain
(and has a different $myhostname setting).
.PP
See also the proxy_interfaces parameter, for network addresses that
are forwarded to us by way of a proxy or address translator.
.PP
@ -2350,6 +2380,13 @@ recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
.fi
.ad
.ft R
.SH recipient_canonical_classes (default: envelope_recipient, header_recipient)
What addresses are subject to recipient_canonical_maps address
mapping. By default, recipient_canonical_maps address mapping is
applied to envelope recipient addresses, and to header recipient
addresses.
.PP
Specify one or more of: envelope_recipient, header_recipient
.SH recipient_canonical_maps (default: empty)
Optional address mapping lookup tables for envelope and header
recipient addresses.
@ -2606,6 +2643,12 @@ sender_bcc_maps = hash:/etc/postfix/sender_bcc
.fi
.ad
.ft R
.SH sender_canonical_classes (default: envelope_sender, header_sender)
What addresses are subject to sender_canonical_maps address
mapping. By default, sender_canonical_maps address mapping is
applied to envelope sender addresses, and to header sender addresses.
.PP
Specify one or more of: envelope_sender, header_sender
.SH sender_canonical_maps (default: empty)
Optional address mapping lookup tables for envelope and header
sender addresses.
@ -2686,6 +2729,12 @@ for example:
.fi
.ad
.ft R
.PP
Note: when inet_interfaces specifies exactly one address that
is a non-loopback address, it is automatically used as the
smtp_bind_address. This supports virtual IP hosting, but can be
a problem on multi-homed firewalls. See the inet_interfaces
documentation for more detail.
.SH smtp_connect_timeout (default: 30s)
The SMTP client time limit for completing a TCP connection, or
zero (use the operating system built-in time limit).
@ -2929,6 +2978,28 @@ smtp_sasl_auth_enable = yes
.fi
.ad
.ft R
.SH smtp_sasl_mechanism_filter (default: empty)
If non-empty, filters the SMTP server's list of offered SASL mechanisms.
Different client and server implementations may support different
mechanism lists. By default, the client will use the intersection of the
two. smtp_sasl_mechanism_filter further restricts what server mechanisms
the client will take into consideration.
.PP
Specify mechanism names, "/file/name" patterns or "type:table"
lookup tables. The right-hand side result from "type:table" lookups
is ignored.
.PP
Examples:
.PP
.nf
.na
.ft C
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
.fi
.ad
.ft R
.SH smtp_sasl_password_maps (default: empty)
Optional SMTP client lookup tables with one username:password entry
per remote hostname or domain. If a remote host or domain has no
@ -3661,9 +3732,8 @@ The recipient domain matches $mydestination, $inet_interfaces
or $proxy_interfaces, but the recipient is not listed in
$local_recipient_maps, and $local_recipient_maps is not null.
.IP \(bu
The recipient domain matches $virtual_alias_maps but the
recipient is not listed in $virtual_alias_maps, and $virtual_alias_maps
is not null.
The recipient domain matches $virtual_alias_domains but the
recipient is not listed in $virtual_alias_maps.
.IP \(bu
The recipient domain matches $virtual_mailbox_domains but the
recipient is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps
@ -3684,9 +3754,8 @@ The sender domain matches $mydestination, $inet_interfaces or
$proxy_interfaces, but the recipient is not listed in
$local_recipient_maps, and $local_recipient_maps is not null.
.IP \(bu
The sender domain matches $virtual_alias_maps but the recipient
is not listed in $virtual_alias_maps, and $virtual_alias_maps is
not null.
The sender domain matches $virtual_alias_domains but the recipient
is not listed in $virtual_alias_maps.
.IP \(bu
The sender domain matches $virtual_mailbox_domains but the
recipient is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps
@ -4300,9 +4369,10 @@ Note 1: for security reasons, the virtual(8) delivery agent disallows
regular expression substitution of $1 etc. in regular expression
lookup tables, because that would open a security hole.
.PP
Note 2: for security reasons, the virtual(8) delivery agent does
not allow table lookup through the proxymap(8) service, because
that would open a security hole.
Note 2: for security reasons, the virtual(8) delivery agent will
silently ignore requests to use the proxymap(8) server. Instead
it will open the table directly. Before Postfix version 2.2, the
virtual(8) delivery agent will terminate with a fatal error.
.SH virtual_mailbox_base (default: empty)
A prefix that the virtual(8) delivery agent prepends to all pathname
results from $virtual_mailbox_maps table lookups. This is a safety
@ -4372,9 +4442,10 @@ Note 1: for security reasons, the virtual(8) delivery agent disallows
regular expression substitution of $1 etc. in regular expression
lookup tables, because that would open a security hole.
.PP
Note 2: for security reasons, the virtual(8) delivery agent disallows
table lookup through the proxymap(8) server, because that would
open a security hole.
Note 2: for security reasons, the virtual(8) delivery agent will
silently ignore requests to use the proxymap(8) server. Instead
it will open the table directly. Before Postfix version 2.2, the
virtual(8) delivery agent will terminate with a fatal error.
.SH virtual_maps (default: empty)
Optional lookup tables with a) names of domains for which all
addresses are aliased to addresses in other local or remote domains,
@ -4415,9 +4486,10 @@ Note 1: for security reasons, the virtual(8) delivery agent disallows
regular expression substitution of $1 etc. in regular expression
lookup tables, because that would open a security hole.
.PP
Note 2: for security reasons, the virtual(8) delivery agent does
not allow table lookup through the proxymap(8) service, because
that would open a security hole.
Note 2: for security reasons, the virtual(8) delivery agent will
silently ignore requests to use the proxymap(8) server. Instead
it will open the table directly. Before Postfix version 2.2, the
virtual(8) delivery agent will terminate with a fatal error.
.SH SEE ALSO
.na
.nf

View File

@ -194,6 +194,16 @@ Available in Postfix version 2.0 and later:
.IP "\fBvirtual_alias_maps ($virtual_maps)\fR"
Optional lookup tables that alias specific mail addresses or domains
to other local or remote address.
.PP
Available in Postfix version 2.2 and later:
.IP "\fBcanonical_classes (envelope_sender, envelope_recipient, header_sender, header_recipient)\fR"
What addresses are subject to canonical_maps address mapping.
.IP "\fBrecipient_canonical_classes (envelope_recipient, header_recipient)\fR"
What addresses are subject to recipient_canonical_maps address
mapping.
.IP "\fBsender_canonical_classes (envelope_sender, header_sender)\fR"
What addresses are subject to sender_canonical_maps address
mapping.
.SH "RESOURCE AND RATE CONTROLS"
.na
.nf

View File

@ -162,6 +162,10 @@ per remote hostname or domain.
.IP "\fBsmtp_sasl_security_options (noplaintext, noanonymous)\fR"
What authentication mechanisms the Postfix SMTP client is allowed
to use.
.PP
Available in Postfix version 2.2 and later:
.IP "\fBsmtp_sasl_mechanism_filter (empty)\fR"
If non-empty, filters the SMTP server's list of offered SASL mechanisms.
.SH "RESOURCE AND RATE CONTROLS"
.na
.nf

View File

@ -185,6 +185,7 @@ BEGIN {
table["smtpd_sasl_local_domain"] = "var_smtpd_sasl_realm"
table["smtpd_sender_login_maps"] = "var_smtpd_snd_auth_maps"
table["smtp_sasl_auth_enable"] = "var_smtp_sasl_enable"
table["smtp_sasl_mechanism_filter"] = "var_smtp_sasl_mechs"
table["smtp_sasl_password_maps"] = "var_smtp_sasl_passwd"
table["smtp_sasl_security_options"] = "var_smtp_sasl_opts"
table["lmtpd_banner"] = "var_lmtpd_banner"

View File

@ -104,6 +104,7 @@ while (<>) {
s;\bbounce_service_name\b;<a href="postconf.5.html#bounce_service_name">$&</a>;g;
s;\bbounce_size_limit\b;<a href="postconf.5.html#bounce_size_limit">$&</a>;g;
s;\bbroken_sasl_auth_clients\b;<a href="postconf.5.html#broken_sasl_auth_clients">$&</a>;g;
s;\bcanonical_classes\b;<a href="postconf.5.html#canonical_classes">$&</a>;g;
s;\bcanonical_maps\b;<a href="postconf.5.html#canonical_maps">$&</a>;g;
s;\bcleanup_service_name\b;<a href="postconf.5.html#cleanup_service_name">$&</a>;g;
s;\bcommand_execu[-</bB>]*\n* *[<bB>]*tion_direc[-</bB>]*\n* *[<bB>]*tory\b;<a href="postconf.5.html#command_execution_directory">$&</a>;g;
@ -274,7 +275,8 @@ while (<>) {
s;\bno_address_mappings\b;<a href="postconf.5.html#no_address_mappings">$&</a>;g;
s;\bno_header_body_checks\b;<a href="postconf.5.html#no_header_body_checks">$&</a>;g;
s;\brecip[-</bB>]*\n* *[<bB>]*ient_bcc_maps\b;<a href="postconf.5.html#recipient_bcc_maps">$&</a>;g;
s;\brecip[-</bB>]*\n* *[<bB>]*ient_canonical_maps\b;<a href="postconf.5.html#recipient_canonical_maps">$&</a>;g;
s;\brecip[-</bB>]*\n* *[<bB>]*ient_canoni[-</bB>]*\n* *[<bB>]*cal_classes\b;<a href="postconf.5.html#recipient_canonical_classes">$&</a>;g;
s;\brecip[-</bB>]*\n* *[<bB>]*ient_canoni[-</bB>]*\n* *[<bB>]*cal_maps\b;<a href="postconf.5.html#recipient_canonical_maps">$&</a>;g;
s;\brecip[-</bB>]*\n* *[<bB>]*ient_delim[-</bB>]*\n* *[<bB>]*iter\b;<a href="postconf.5.html#recipient_delimiter">$&<\/a>;g;
s;\breject_code\b;<a href="postconf.5.html#reject_code">$&</a>;g;
s;\brelay_domains\b;<a href="postconf.5.html#relay_domains">$&</a>;g;
@ -289,6 +291,7 @@ while (<>) {
s;\bsample_directory\b;<a href="postconf.5.html#sample_directory">$&</a>;g;
s;\bsender_based_routing\b;<a href="postconf.5.html#sender_based_routing">$&</a>;g;
s;\bsender_bcc_maps\b;<a href="postconf.5.html#sender_bcc_maps">$&</a>;g;
s;\bsender_canonical_classes\b;<a href="postconf.5.html#sender_canonical_classes">$&</a>;g;
s;\bsender_canonical_maps\b;<a href="postconf.5.html#sender_canonical_maps">$&</a>;g;
s;\bsendmail_path\b;<a href="postconf.5.html#sendmail_path">$&</a>;g;
s;\bservice_throttle_time\b;<a href="postconf.5.html#service_throttle_time">$&</a>;g;
@ -336,6 +339,7 @@ while (<>) {
s;\bsmtp_rcpt_timeout\b;<a href="postconf.5.html#smtp_rcpt_timeout">$&</a>;g;
s;\bsmtp_rset_timeout\b;<a href="postconf.5.html#smtp_rset_timeout">$&</a>;g;
s;\bsmtp_sasl_auth_enable\b;<a href="postconf.5.html#smtp_sasl_auth_enable">$&</a>;g;
s;\bsmtp_sasl_mechanism_filter\b;<a href="postconf.5.html#smtp_sasl_mechanism_filter">$&</a>;g;
s;\bsmtp_sasl_password_maps\b;<a href="postconf.5.html#smtp_sasl_password_maps">$&</a>;g;
s;\bsmtp_sasl_security_options\b;<a href="postconf.5.html#smtp_sasl_security_options">$&</a>;g;
s;\bsmtp_send_xforward_command\b;<a href="postconf.5.html#smtp_send_xforward_command">$&</a>;g;

View File

@ -175,6 +175,7 @@ BEGIN {
table["var_smtpd_sasl_realm"] = "smtpd_sasl_local_domain"
table["var_smtpd_snd_auth_maps"] = "smtpd_sender_login_maps"
table["var_smtp_sasl_enable"] = "smtp_sasl_auth_enable"
table["var_smtp_sasl_mechs"] = "smtp_sasl_mechanism_filter"
table["var_smtp_sasl_passwd"] = "smtp_sasl_password_maps"
table["var_smtp_sasl_opts"] = "smtp_sasl_security_options"
table["var_lmtpd_banner"] = "lmtpd_banner"

View File

@ -410,7 +410,11 @@ address. </p> </dd>
<h3> <a name="canonical"> Canonical address mapping </a> </h3>
<p> The cleanup(8) daemon uses the canonical(5) tables to rewrite
all addresses in message envelopes and in message headers. This is
addresses in message envelopes and in message headers. By default
all header and envelope addresses are rewritten; this is controlled
with the canonical_classes configuration parameter. </p>
<p> Address rewriting is
done for local and remote addresses. The mapping is useful to
replace login names by "Firstname.Lastname" style addresses, or to
clean up invalid domains in mail addresses produced by legacy mail
@ -453,7 +457,10 @@ applied only to sender addresses or to recipient addresses. </p>
</blockquote>
<p> The sender and recipient canonical maps are applied before the
common canonical maps. </p>
common canonical maps. The sender_canonical_classes and
recipient_canonical_classes parameters control what addresses are
subject to sender_canonical_maps and recipient_canonical_maps
mappings, respectively. </p>
<p> Sender-specific rewriting is useful when you want to rewrite
ugly sender addresses to pretty ones, and still want to be able to

View File

@ -473,6 +473,13 @@ for example: </p>
enters the optional chroot jail, so you can keep the file in
/etc/postfix. </p>
<p> Note: Some SMTP servers support authentication mechanisms that,
although available on the client system, may not in practice work or
possess the appropriate credentials to authenticate to the server. It
is possible via the smtp_sasl_mechanism_filter parameter to further
restrict the list of server mechanisms that the smtp(8) client will take
into consideration. </p>
<p> The Postfix SMTP client is backwards compatible with SMTP
servers that use the non-standard "AUTH=method..." syntax in response
to the EHLO command; there is no Postfix client configuration needed

View File

@ -422,6 +422,22 @@ matches $inet_interfaces or $proxy_interfaces. </p>
</ul>
<p> In some installations, there may be separate instances of Postfix
processing inbound and outbound mail on a multi-homed firewall. The
inbound Postfix instance has an SMTP server listening on the external
firewall interface, and the outbound Postfix instance has an SMTP server
listening on the internal interface. In such a configuration is it is
tempting to configure $inet_interfaces in each instance with just the
corresponding interface address. </p>
<p> In most cases using inet_interaces in this way will not work,
because as documented in the $inet_interfaces reference manual, the
smtp(8) delivery agent will also use the specified interface address
as the source address for outbound connections and will be unable to
reach hosts on "the other side" of the firewall. The symptoms are that
the firewall is unable to connect to hosts that are in fact up. See the
inet_interfaces parameter documentation for suggested work-arounds.</p>
<h2><a name="intranet">Running Postfix behind a firewall</a></h2>
<p> The simplest way to set up Postfix on a host behind a firewalled
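Review bot: The two added paragraphs contain typos that should be fixed before this lands: "In such a configuration is it is tempting" in the first, and "inet_interaces" in the second, where the misspelt parameter name will not be found by anyone searching for inet_interfaces. The text also switches between "$inet_interfaces" and "inet_interfaces" within one paragraph; pick one form.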

View File

@ -30,6 +30,13 @@
# done in a slightly different way as described below under
# "REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
#
# By default the \fBcanonical\fR mapping affects both message
# header addresses (i.e. addresses that appear inside messages)
# and message envelope addresses (for example, the addresses
# that are used in SMTP protocol commands). Think Sendmail
# rule set \fBS3\fR, if you like. This is controlled with
# the \fBcanonical_classes\fR parameter.
#
# The \fBcanonical\fR mapping affects both message header addresses
# (i.e. addresses that appear inside messages) and message envelope
# addresses (for example, the addresses that are used in SMTP protocol
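Review bot: The new "By default the canonical mapping affects both ..." paragraph is inserted directly above the existing paragraph that begins "The canonical mapping affects both message header addresses", and the hunk header (6 old lines, 13 new) shows nothing was removed. The manual page therefore makes the same statement twice, once qualified by canonical_classes and once unconditionally. Drop the old paragraph, or fold the canonical_classes sentence into it.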
@ -134,6 +141,8 @@
# The following \fBmain.cf\fR parameters are especially relevant.
# The text below provides only a parameter summary. See
# postconf(5) for more details including examples.
# .IP \fBcanonical_classes\fR
# What addresses are subject to canonical address mapping.
# .IP \fBcanonical_maps\fR
# List of canonical mapping tables.
# .IP \fBrecipient_canonical_maps\fR

View File

@ -262,7 +262,7 @@
# .ti +4
# /^content-(type|disposition):.*name[[:space:]]*=.*\\.(exe|vbs)/
# .ti +8
# REJECT Bad attachment file name extension: $1
# REJECT Bad attachment file name extension: $2
#
# .ad
# .fi

View File

@ -486,8 +486,11 @@ allow_mail_to_files = alias,forward,include
<p>
Allow a recipient address to have `-' as the first character. By
default, this is not allowed, to avoid accidents with software that
passes email addresses via the command line.
</p>
passes email addresses via the command line. Such software
would not be able to distinguish a malicious address from a
bona fide command-line option. Although this can be prevented by
inserting a "--" option terminator into the command line, this is
difficult to enforce consistently and globally. </p>
%PARAM allow_percent_hack yes
@ -655,7 +658,8 @@ proportionally. </p>
<p>
Optional address mapping lookup tables for message headers and
envelopes. The mapping is applied to both sender and recipient
addresses, in both envelopes and in headers. This is typically used
addresses, in both envelopes and in headers, as controlled
with the canonical_classes parameter. This is typically used
to clean up dirty addresses from legacy mail systems, or to replace
login names by Firstname.Lastname. The table format and lookups
are documented in canonical(5).
@ -677,6 +681,35 @@ canonical_maps = dbm:/etc/postfix/canonical
canonical_maps = hash:/etc/postfix/canonical
</pre>
%PARAM canonical_classes envelope_sender, envelope_recipient, header_sender, header_recipient
<p> What addresses are subject to canonical_maps address mapping.
By default, canonical_maps address mapping is applied to envelope
sender and recipient addresses, and to header sender and header
recipient addresses. </p>
<p> Specify one or more of: envelope_sender, envelope_recipient,
header_sender, header_recipient </p>
%PARAM sender_canonical_classes envelope_sender, header_sender
<p> What addresses are subject to sender_canonical_maps address
mapping. By default, sender_canonical_maps address mapping is
applied to envelope sender addresses, and to header sender addresses.
</p>
<p> Specify one or more of: envelope_sender, header_sender </p>
%PARAM recipient_canonical_classes envelope_recipient, header_recipient
<p> What addresses are subject to recipient_canonical_maps address
mapping. By default, recipient_canonical_maps address mapping is
applied to envelope recipient addresses, and to header recipient
addresses. </p>
<p> Specify one or more of: envelope_recipient, header_recipient
</p>
%PARAM command_directory see "postconf -d" output
<p>
@ -1507,6 +1540,26 @@ machine. The parameter also controls delivery of mail to
user@[ip.address].
</p>
<p>
When inet_interfaces consists of just one IP address that is not a
loopback (net 127) address, the Postfix SMTP client will use this address
as the IP source address for outbound mail. </p>
<p>
On a multi-homed firewall with separate Postfix instances listening on the
"inside" and "outside" interfaces, this can prevent each instance from
being able to reach servers on the "other side" of the firewall. Setting
smtp_bind_address to 0.0.0.0 avoids the potential problem. </p>
<p>
A better solution is to leave inet_interfaces at the default value
and instead use explicit IP addresses in master.cf. This preserves SMTP
loop detection, by ensuring that each side of the firewall knows that the
other IP address is still the same host. Setting $inet_interfaces to a
single IP address is primarily useful with virtual hosting of domains on
secondary IP addresses, when each IP address serves a different domain
(and has a different $myhostname setting). </p>
<p>
See also the proxy_interfaces parameter, for network addresses that
are forwarded to us by way of a proxy or address translator.
@ -3172,6 +3225,12 @@ for example:
smtp ... smtp -o smtp_bind_address=11.22.33.44
</pre>
<p> Note: when inet_interfaces specifies exactly one address that
is a non-loopback address, it is automatically used as the
smtp_bind_address. This supports virtual IP hosting, but can be
a problem on multi-homed firewalls. See the inet_interfaces
documentation for more detail. </p>
%PARAM smtp_connection_cache_time_limit 2s
<p> When SMTP session caching is enabled, the amount of time that
@ -3654,6 +3713,29 @@ Example:
smtp_sasl_security_options = noplaintext
</pre>
%PARAM smtp_sasl_mechanism_filter
<p>
If non-empty, filters the SMTP server's list of offered SASL mechanisms.
Different client and server implementations may support different
mechanism lists. By default, the client will use the intersection of the
two. smtp_sasl_mechanism_filter further restricts what server mechanisms
the client will take into consideration. </p>
<p> Specify mechanism names, "/file/name" patterns or "type:table"
lookup tables. The right-hand side result from "type:table" lookups
is ignored. </p>
<p>
Examples:
</p>
<pre>
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
</pre>
%PARAM smtp_send_xforward_command no
<p>
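Review bot: The third example, "!gssapi, !login, static:rest", depends on behaviour that the new smtp_sasl_mechanism_filter text never states: that entries are evaluated in order, that "!" excludes a match, and that static:rest matches every remaining mechanism. Add a sentence that says so. The text should also say whether mechanism names are compared case-insensitively, because the examples are written in lower case while servers announce mechanisms in upper case.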
@ -6484,9 +6566,8 @@ from filling up with undeliverable MAILER-DAEMON messages.
or $proxy_interfaces, but the recipient is not listed in
$local_recipient_maps, and $local_recipient_maps is not null.
<li> The recipient domain matches $virtual_alias_maps but the
recipient is not listed in $virtual_alias_maps, and $virtual_alias_maps
is not null.
<li> The recipient domain matches $virtual_alias_domains but the
recipient is not listed in $virtual_alias_maps.
<li> The recipient domain matches $virtual_mailbox_domains but the
recipient is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps
@ -6515,9 +6596,8 @@ of forged mail from worms or viruses. </p>
$proxy_interfaces, but the recipient is not listed in
$local_recipient_maps, and $local_recipient_maps is not null.
<li> The sender domain matches $virtual_alias_maps but the recipient
is not listed in $virtual_alias_maps, and $virtual_alias_maps is
not null.
<li> The sender domain matches $virtual_alias_domains but the recipient
is not listed in $virtual_alias_maps.
<li> The sender domain matches $virtual_mailbox_domains but the
recipient is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps
@ -6729,9 +6809,10 @@ lookup tables, because that would open a security hole.
</p>
<p>
Note 2: for security reasons, the virtual(8) delivery agent does
not allow table lookup through the proxymap(8) service, because
that would open a security hole.
Note 2: for security reasons, the virtual(8) delivery agent will
silently ignore requests to use the proxymap(8) server. Instead
it will open the table directly. Before Postfix version 2.2, the
virtual(8) delivery agent will terminate with a fatal error.
</p>
%PARAM virtual_mailbox_base
@ -6835,9 +6916,10 @@ lookup tables, because that would open a security hole.
</p>
<p>
Note 2: for security reasons, the virtual(8) delivery agent disallows
table lookup through the proxymap(8) server, because that would
open a security hole.
Note 2: for security reasons, the virtual(8) delivery agent will
silently ignore requests to use the proxymap(8) server. Instead
it will open the table directly. Before Postfix version 2.2, the
virtual(8) delivery agent will terminate with a fatal error.
</p>
%PARAM virtual_minimum_uid 100
@ -6895,9 +6977,10 @@ lookup tables, because that would open a security hole.
</p>
<p>
Note 2: for security reasons, the virtual(8) delivery agent does
not allow table lookup through the proxymap(8) service, because
that would open a security hole.
Note 2: for security reasons, the virtual(8) delivery agent will
silently ignore requests to use the proxymap(8) server. Instead
it will open the table directly. Before Postfix version 2.2, the
virtual(8) delivery agent will terminate with a fatal error.
</p>
%PARAM config_directory see "postconf -d" output

View File

@ -293,6 +293,7 @@
%PARAM smtp_sasl_auth_enable
%PARAM smtp_sasl_password_maps
%PARAM smtp_sasl_security_options
%PARAM smtp_sasl_mechanism_filter
%CLASS lmtp-sasl
%PARAM lmtp_sasl_auth_enable

View File

@ -170,6 +170,16 @@
/* .IP "\fBvirtual_alias_maps ($virtual_maps)\fR"
/* Optional lookup tables that alias specific mail addresses or domains
/* to other local or remote address.
/* .PP
/* Available in Postfix version 2.2 and later:
/* .IP "\fBcanonical_classes (envelope_sender, envelope_recipient, header_sender, header_recipient)\fR"
/* What addresses are subject to canonical_maps address mapping.
/* .IP "\fBrecipient_canonical_classes (envelope_recipient, header_recipient)\fR"
/* What addresses are subject to recipient_canonical_maps address
/* mapping.
/* .IP "\fBsender_canonical_classes (envelope_sender, header_sender)\fR"
/* What addresses are subject to sender_canonical_maps address
/* mapping.
/* RESOURCE AND RATE CONTROLS
/* .ad
/* .fi

View File

@ -80,6 +80,9 @@ typedef struct CLEANUP_STATE {
extern MAPS *cleanup_comm_canon_maps;
extern MAPS *cleanup_send_canon_maps;
extern MAPS *cleanup_rcpt_canon_maps;
extern int cleanup_comm_canon_flags;
extern int cleanup_send_canon_flags;
extern int cleanup_rcpt_canon_flags;
extern MAPS *cleanup_header_checks;
extern MAPS *cleanup_mimehdr_checks;
extern MAPS *cleanup_nesthdr_checks;
@ -91,6 +94,14 @@ extern int cleanup_masq_flags;
extern MAPS *cleanup_send_bcc_maps;
extern MAPS *cleanup_rcpt_bcc_maps;
/*
* Address canonicalization fine control.
*/
#define CLEANUP_CANON_FLAG_ENV_FROM (1<<0) /* envelope sender */
#define CLEANUP_CANON_FLAG_ENV_RCPT (1<<1) /* envelope recipient */
#define CLEANUP_CANON_FLAG_HDR_FROM (1<<2) /* header sender */
#define CLEANUP_CANON_FLAG_HDR_RCPT (1<<3) /* header recipient */
/*
* Address masquerading fine control.
*/

View File

@ -99,10 +99,12 @@ void cleanup_addr_sender(CLEANUP_STATE *state, const char *buf)
vstring_strcpy(clean_addr, "");
}
if (state->flags & CLEANUP_FLAG_MAP_OK) {
if (cleanup_send_canon_maps)
if (cleanup_send_canon_maps
&& (cleanup_send_canon_flags & CLEANUP_CANON_FLAG_ENV_FROM))
cleanup_map11_internal(state, clean_addr, cleanup_send_canon_maps,
cleanup_ext_prop_mask & EXT_PROP_CANONICAL);
if (cleanup_comm_canon_maps)
if (cleanup_comm_canon_maps
&& (cleanup_comm_canon_flags & CLEANUP_CANON_FLAG_ENV_FROM))
cleanup_map11_internal(state, clean_addr, cleanup_comm_canon_maps,
cleanup_ext_prop_mask & EXT_PROP_CANONICAL);
if (cleanup_masq_domains
@ -130,10 +132,12 @@ void cleanup_addr_recipient(CLEANUP_STATE *state, const char *buf)
cleanup_rewrite_internal(clean_addr, *buf ? buf : var_empty_addr);
if (state->flags & CLEANUP_FLAG_MAP_OK) {
if (cleanup_rcpt_canon_maps)
if (cleanup_rcpt_canon_maps
&& (cleanup_rcpt_canon_flags & CLEANUP_CANON_FLAG_ENV_RCPT))
cleanup_map11_internal(state, clean_addr, cleanup_rcpt_canon_maps,
cleanup_ext_prop_mask & EXT_PROP_CANONICAL);
if (cleanup_comm_canon_maps)
if (cleanup_comm_canon_maps
&& (cleanup_comm_canon_flags & CLEANUP_CANON_FLAG_ENV_RCPT))
cleanup_map11_internal(state, clean_addr, cleanup_comm_canon_maps,
cleanup_ext_prop_mask & EXT_PROP_CANONICAL);
if (cleanup_masq_domains
@ -160,10 +164,12 @@ void cleanup_addr_bcc(CLEANUP_STATE *state, const char *bcc)
cleanup_rewrite_internal(clean_addr, bcc);
if (state->flags & CLEANUP_FLAG_MAP_OK) {
if (cleanup_rcpt_canon_maps)
if (cleanup_rcpt_canon_maps
&& (cleanup_rcpt_canon_flags & CLEANUP_CANON_FLAG_ENV_RCPT))
cleanup_map11_internal(state, clean_addr, cleanup_rcpt_canon_maps,
cleanup_ext_prop_mask & EXT_PROP_CANONICAL);
if (cleanup_comm_canon_maps)
if (cleanup_comm_canon_maps
&& (cleanup_comm_canon_flags & CLEANUP_CANON_FLAG_ENV_RCPT))
cleanup_map11_internal(state, clean_addr, cleanup_comm_canon_maps,
cleanup_ext_prop_mask & EXT_PROP_CANONICAL);
if (cleanup_masq_domains

View File

@ -97,6 +97,9 @@ int var_hopcount_limit; /* max mailer hop count */
char *var_canonical_maps; /* common canonical maps */
char *var_send_canon_maps; /* sender canonical maps */
char *var_rcpt_canon_maps; /* recipient canonical maps */
char *var_canon_classes; /* what to canonicalize */
char *var_send_canon_classes; /* what sender to canonicalize */
char *var_rcpt_canon_classes; /* what recipient to canonicalize */
char *var_virt_alias_maps; /* virtual alias maps */
char *var_masq_domains; /* masquerade domains */
char *var_masq_exceptions; /* users not masqueraded */
@ -145,6 +148,9 @@ CONFIG_STR_TABLE cleanup_str_table[] = {
VAR_CANONICAL_MAPS, DEF_CANONICAL_MAPS, &var_canonical_maps, 0, 0,
VAR_SEND_CANON_MAPS, DEF_SEND_CANON_MAPS, &var_send_canon_maps, 0, 0,
VAR_RCPT_CANON_MAPS, DEF_RCPT_CANON_MAPS, &var_rcpt_canon_maps, 0, 0,
VAR_CANON_CLASSES, DEF_CANON_CLASSES, &var_canon_classes, 1, 0,
VAR_SEND_CANON_CLASSES, DEF_SEND_CANON_CLASSES, &var_send_canon_classes, 1, 0,
VAR_RCPT_CANON_CLASSES, DEF_RCPT_CANON_CLASSES, &var_rcpt_canon_classes, 1, 0,
VAR_VIRT_ALIAS_MAPS, DEF_VIRT_ALIAS_MAPS, &var_virt_alias_maps, 0, 0,
VAR_MASQ_DOMAINS, DEF_MASQ_DOMAINS, &var_masq_domains, 0, 0,
VAR_EMPTY_ADDR, DEF_EMPTY_ADDR, &var_empty_addr, 1, 0,
@ -168,6 +174,9 @@ CONFIG_STR_TABLE cleanup_str_table[] = {
MAPS *cleanup_comm_canon_maps;
MAPS *cleanup_send_canon_maps;
MAPS *cleanup_rcpt_canon_maps;
int cleanup_comm_canon_flags;
int cleanup_send_canon_flags;
int cleanup_rcpt_canon_flags;
MAPS *cleanup_header_checks;
MAPS *cleanup_mimehdr_checks;
MAPS *cleanup_nesthdr_checks;
@ -196,6 +205,24 @@ void cleanup_all(void)
void cleanup_pre_jail(char *unused_name, char **unused_argv)
{
static NAME_MASK send_canon_class_table[] = {
CANON_CLASS_ENV_FROM, CLEANUP_CANON_FLAG_ENV_FROM,
CANON_CLASS_HDR_FROM, CLEANUP_CANON_FLAG_HDR_FROM,
0,
};
static NAME_MASK rcpt_canon_class_table[] = {
CANON_CLASS_ENV_RCPT, CLEANUP_CANON_FLAG_ENV_RCPT,
CANON_CLASS_HDR_RCPT, CLEANUP_CANON_FLAG_HDR_RCPT,
0,
};
static NAME_MASK canon_class_table[] = {
CANON_CLASS_ENV_FROM, CLEANUP_CANON_FLAG_ENV_FROM,
CANON_CLASS_ENV_RCPT, CLEANUP_CANON_FLAG_ENV_RCPT,
CANON_CLASS_HDR_FROM, CLEANUP_CANON_FLAG_HDR_FROM,
CANON_CLASS_HDR_RCPT, CLEANUP_CANON_FLAG_HDR_RCPT,
0,
};
static NAME_MASK masq_class_table[] = {
MASQ_CLASS_ENV_FROM, CLEANUP_MASQ_FLAG_ENV_FROM,
MASQ_CLASS_ENV_RCPT, CLEANUP_MASQ_FLAG_ENV_RCPT,
@ -219,6 +246,18 @@ void cleanup_pre_jail(char *unused_name, char **unused_argv)
cleanup_virt_alias_maps = maps_create(VAR_VIRT_ALIAS_MAPS,
var_virt_alias_maps,
DICT_FLAG_LOCK);
if (*var_canon_classes)
cleanup_comm_canon_flags =
name_mask(VAR_CANON_CLASSES, canon_class_table,
var_canon_classes);
if (*var_send_canon_classes)
cleanup_send_canon_flags =
name_mask(VAR_CANON_CLASSES, send_canon_class_table,
var_send_canon_classes);
if (*var_rcpt_canon_classes)
cleanup_rcpt_canon_flags =
name_mask(VAR_CANON_CLASSES, rcpt_canon_class_table,
var_rcpt_canon_classes);
if (*var_masq_domains)
cleanup_masq_domains = argv_split(var_masq_domains, " ,\t\r\n");
if (*var_header_checks)
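Review bot: The name_mask() calls for var_send_canon_classes and var_rcpt_canon_classes both pass VAR_CANON_CLASSES as the context name, so a bad value in sender_canonical_classes or recipient_canonical_classes would be reported against canonical_classes. Pass VAR_SEND_CANON_CLASSES and VAR_RCPT_CANON_CLASSES, which this commit defines in mail_params.h. Separately, the three flag variables are only assigned when the "if (*var_...)" test passes, while cleanup_str_table already gives these parameters a minimum length of 1, so the tests can never fail and can be dropped.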

View File

@ -177,10 +177,12 @@ static void cleanup_rewrite_sender(CLEANUP_STATE *state, HEADER_OPTS *hdr_opts,
for (tpp = addr_list; *tpp; tpp++) {
cleanup_rewrite_tree(*tpp);
if (state->flags & CLEANUP_FLAG_MAP_OK) {
if (cleanup_send_canon_maps)
if (cleanup_send_canon_maps
&& (cleanup_send_canon_flags & CLEANUP_CANON_FLAG_HDR_FROM))
cleanup_map11_tree(state, *tpp, cleanup_send_canon_maps,
cleanup_ext_prop_mask & EXT_PROP_CANONICAL);
if (cleanup_comm_canon_maps)
if (cleanup_comm_canon_maps
&& (cleanup_comm_canon_flags & CLEANUP_CANON_FLAG_HDR_FROM))
cleanup_map11_tree(state, *tpp, cleanup_comm_canon_maps,
cleanup_ext_prop_mask & EXT_PROP_CANONICAL);
if (cleanup_masq_domains
@ -234,13 +236,14 @@ static void cleanup_rewrite_recip(CLEANUP_STATE *state, HEADER_OPTS *hdr_opts,
for (tpp = addr_list; *tpp; tpp++) {
cleanup_rewrite_tree(*tpp);
if (state->flags & CLEANUP_FLAG_MAP_OK) {
if (cleanup_rcpt_canon_maps)
if (cleanup_rcpt_canon_maps
&& (cleanup_rcpt_canon_flags & CLEANUP_CANON_FLAG_HDR_RCPT))
cleanup_map11_tree(state, *tpp, cleanup_rcpt_canon_maps,
cleanup_ext_prop_mask & EXT_PROP_CANONICAL);
if (cleanup_comm_canon_maps)
if (cleanup_comm_canon_maps
&& (cleanup_comm_canon_flags & CLEANUP_CANON_FLAG_HDR_RCPT))
cleanup_map11_tree(state, *tpp, cleanup_comm_canon_maps,
cleanup_ext_prop_mask & EXT_PROP_CANONICAL);
if (cleanup_masq_domains
&& (cleanup_masq_flags & CLEANUP_MASQ_FLAG_HDR_RCPT))
cleanup_masquerade_tree(*tpp, cleanup_masq_domains);

View File

@ -173,13 +173,18 @@ DICT *dict_proxy_open(const char *map, int open_flags, int dict_flags)
/*
* Sanity checks.
*/
if (dict_flags & DICT_FLAG_NO_PROXY)
msg_fatal("%s: %s map is not allowed for security sensitive data",
map, DICT_TYPE_PROXY);
if (open_flags != O_RDONLY)
msg_fatal("%s: %s map open requires O_RDONLY access mode",
map, DICT_TYPE_PROXY);
/*
* OK. If this map can't be proxied then we silently do a direct open.
* This allows sites to benefit from proxying the virtual mailbox maps
* without unnecessary pain.
*/
if (dict_flags & DICT_FLAG_NO_PROXY)
return (dict_open(map, open_flags, dict_flags));
/*
* Local initialization.
*/
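Review bot: The DICT_FLAG_NO_PROXY branch now returns dict_open() without logging anything, so an administrator who puts proxy: in front of a security-sensitive table gets no indication that the request was ignored and that the table is opened directly by the calling process. Suggest a verbose-level or msg_info() line naming the map before the return. Since the O_RDONLY check is kept ahead of the fallback, the direct open is still read-only; the new comment could say that this ordering is intentional.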

View File

@ -334,6 +334,28 @@ extern char *var_send_canon_maps;
#define DEF_RCPT_CANON_MAPS ""
extern char *var_rcpt_canon_maps;
#define CANON_CLASS_ENV_FROM "envelope_sender"
#define CANON_CLASS_ENV_RCPT "envelope_recipient"
#define CANON_CLASS_HDR_FROM "header_sender"
#define CANON_CLASS_HDR_RCPT "header_recipient"
#define VAR_CANON_CLASSES "canonical_classes"
#define DEF_CANON_CLASSES CANON_CLASS_ENV_FROM ", " \
CANON_CLASS_ENV_RCPT ", " \
CANON_CLASS_HDR_FROM ", " \
CANON_CLASS_HDR_RCPT
extern char *var_canon_classes;
#define VAR_SEND_CANON_CLASSES "sender_canonical_classes"
#define DEF_SEND_CANON_CLASSES CANON_CLASS_ENV_FROM ", " \
CANON_CLASS_HDR_FROM
extern char *var_send_canon_classes;
#define VAR_RCPT_CANON_CLASSES "recipient_canonical_classes"
#define DEF_RCPT_CANON_CLASSES CANON_CLASS_ENV_RCPT ", " \
CANON_CLASS_HDR_RCPT
extern char *var_rcpt_canon_classes;
#define VAR_SEND_BCC_MAPS "sender_bcc_maps"
#define DEF_SEND_BCC_MAPS ""
extern char *var_send_bcc_maps;
@ -980,6 +1002,10 @@ extern char *var_smtp_sasl_passwd;
#define DEF_SMTP_SASL_OPTS "noplaintext, noanonymous"
extern char *var_smtp_sasl_opts;
#define VAR_SMTP_SASL_MECHS "smtp_sasl_mechanism_filter"
#define DEF_SMTP_SASL_MECHS ""
extern char *var_smtp_sasl_mechs;
/*
* LMTP server. The soft error limit determines how many errors an LMTP
* client may make before we start to slow down; the hard error limit
@ -2038,6 +2064,7 @@ extern int var_anvil_stat_time;
#define VAR_ANVIL_SERVICE "client_connection_rate_service"
#define DEF_ANVIL_SERVICE "local:" ANVIL_CLASS "/" ANVIL_SERVICE
extern char *var_anvil_service;
#endif
/* LICENSE

View File

@ -20,7 +20,7 @@
* Patches change the patchlevel and the release date. Snapshots change the
* release date only.
*/
#define MAIL_RELEASE_DATE "20040801"
#define MAIL_RELEASE_DATE "20040827"
#define MAIL_VERSION_NUMBER "2.2"
#define VAR_MAIL_VERSION "mail_version"

View File

@ -209,7 +209,6 @@ int main(int argc, char **argv)
int fd;
int n;
int test_lock = 0;
int fd_limit = open_limit(0);
VSTRING *why;
WATCHDOG *watchdog;
ARGV *import_env;
@ -252,10 +251,7 @@ int main(int argc, char **argv)
* of this we have to close descriptors > 2, and pray that doing so does
* not break things.
*/
if (fd_limit > 500)
fd_limit = 500;
for (fd = 3; fd < fd_limit; fd++)
(void) close(fd);
closefrom(3);
/*
* Initialize logging and exit handler.
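Review bot: closefrom(3) replaces a loop that was bounded by open_limit(0) and capped at 500, but closefrom() is not provided by the C library on every platform, and nothing in this hunk shows where a portable version comes from. Please confirm the commit supplies one for systems that lack it, and that the fallback closes every descriptor from 3 upward rather than stopping at a fixed cap, since getting rid of inherited descriptors is the whole purpose of this block.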

View File

@ -22,7 +22,7 @@ update: ../../bin/$(PROG)
tests: test1 test2
test1: $(PROG) map.in map-abc1.ref map-ghi1.ref map-ABC1.ref
test1: $(PROG) map.in map-abc1.ref map-ghi1.ref map-uABC1.ref
./$(PROG) map.in
for key in abc ghi; \
do \
@ -31,11 +31,11 @@ test1: $(PROG) map.in map-abc1.ref map-ghi1.ref map-ABC1.ref
./$(PROG) -f map.in
for key in ABC; \
do \
./$(PROG) -fq $${key} map.in | diff map-$${key}1.ref -; \
./$(PROG) -fq $${key} map.in | diff map-u$${key}1.ref -; \
done
rm -f map.in.db
test2: $(PROG) map.in map-abc2.ref map-ghi2.ref map-ABC2.ref
test2: $(PROG) map.in map-abc2.ref map-ghi2.ref map-uABC2.ref
./$(PROG) map.in
for key in abc ghi; \
do \
@ -44,7 +44,7 @@ test2: $(PROG) map.in map-abc2.ref map-ghi2.ref map-ABC2.ref
./$(PROG) -f map.in
for key in ABC; \
do \
echo $${key} | ./$(PROG) -fq - map.in | diff map-$${key}2.ref -; \
echo $${key} | ./$(PROG) -fq - map.in | diff map-u$${key}2.ref -; \
done
rm -f map.in.db

View File

@ -25,7 +25,7 @@ update: ../../bin/$(PROG)
tests: test1 test2
test1: $(PROG) map.in map-abc1.ref map-ghi1.ref map-ABC1.ref
test1: $(PROG) map.in map-abc1.ref map-ghi1.ref map-uABC1.ref
./$(PROG) map.in
for key in abc ghi; \
do \
@ -34,11 +34,11 @@ test1: $(PROG) map.in map-abc1.ref map-ghi1.ref map-ABC1.ref
./$(PROG) -f map.in
for key in ABC; \
do \
./$(PROG) -fq $${key} map.in | diff map-$${key}1.ref -; \
./$(PROG) -fq $${key} map.in | diff map-u$${key}1.ref -; \
done
rm -f map.in.db
test2: $(PROG) map.in map-abc2.ref map-ghi2.ref map-ABC2.ref
test2: $(PROG) map.in map-abc2.ref map-ghi2.ref map-uABC2.ref
./$(PROG) map.in
for key in abc ghi; \
do \
@ -47,7 +47,7 @@ test2: $(PROG) map.in map-abc2.ref map-ghi2.ref map-ABC2.ref
./$(PROG) -f map.in
for key in ABC; \
do \
echo $${key} | ./$(PROG) -fq - map.in | diff map-$${key}2.ref -; \
echo $${key} | ./$(PROG) -fq - map.in | diff map-u$${key}2.ref -; \
done
rm -f map.in.db

View File

@ -621,6 +621,7 @@ static void enqueue(const int flags, const char *encoding, const char *sender,
*/
rec_fputs(dst, REC_TYPE_MESG, "");
if (DEL_REQ_TRACE_ONLY(flags) != 0) {
rec_fprintf(dst, REC_TYPE_NORM, "From: %s", saved_sender);
rec_fprintf(dst, REC_TYPE_NORM, "Subject: probe");
if (recipients) {
rec_fprintf(dst, REC_TYPE_NORM, "To:");
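Review bot: The added From: header writes saved_sender with a bare "%s", and the hunk does not show whether that string is already in quoted external form or whether it can be empty. If it is taken as given by the caller, quote it for header use before writing it, and decide what the probe message should carry when the sender is the null address, so the header is never emitted as "From: " with nothing after it.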

View File

@ -138,6 +138,10 @@
/* .IP "\fBsmtp_sasl_security_options (noplaintext, noanonymous)\fR"
/* What authentication mechanisms the Postfix SMTP client is allowed
/* to use.
/* .PP
/* Available in Postfix version 2.2 and later:
/* .IP "\fBsmtp_sasl_mechanism_filter (empty)\fR"
/* If non-empty, filters the SMTP server's list of offered SASL mechanisms.
/* RESOURCE AND RATE CONTROLS
/* .ad
/* .fi
@ -365,6 +369,7 @@ int var_smtp_never_ehlo;
char *var_smtp_sasl_opts;
char *var_smtp_sasl_passwd;
bool var_smtp_sasl_enable;
char *var_smtp_sasl_mechs;
char *var_smtp_bind_addr;
bool var_smtp_rand_addr;
int var_smtp_pix_thresh;
@ -568,6 +573,7 @@ int main(int argc, char **argv)
VAR_ERROR_RCPT, DEF_ERROR_RCPT, &var_error_rcpt, 1, 0,
VAR_SMTP_SASL_PASSWD, DEF_SMTP_SASL_PASSWD, &var_smtp_sasl_passwd, 0, 0,
VAR_SMTP_SASL_OPTS, DEF_SMTP_SASL_OPTS, &var_smtp_sasl_opts, 0, 0,
VAR_SMTP_SASL_MECHS, DEF_SMTP_SASL_MECHS, &var_smtp_sasl_mechs, 0, 0,
VAR_SMTP_BIND_ADDR, DEF_SMTP_BIND_ADDR, &var_smtp_bind_addr, 0, 0,
VAR_SMTP_HELO_NAME, DEF_SMTP_HELO_NAME, &var_smtp_helo_name, 1, 0,
VAR_SMTP_HOST_LOOKUP, DEF_SMTP_HOST_LOOKUP, &var_smtp_host_lookup, 1, 0,

View File

@ -163,6 +163,18 @@ void smtp_chat_cmd(SMTP_SESSION *session, char *fmt,...)
*/
smtp_fputs(STR(session->buffer), LEN(session->buffer), session->stream);
/*
* Force flushing of output does not belong here. It is done in the
* smtp_loop() main protocol loop when reading the server response, and
* in smtp_helo() when reading the EHLO response after sending the EHLO
* command.
*
* If we do forced flush here, then we must longjmp() on error, and a
* matching "prepare for disaster" error handler must be set up before
* every smtp_chat_cmd() call.
*/
#if 0
/*
* Flush unsent data to avoid timeouts after slow DNS lookups.
*/
@ -176,6 +188,7 @@ void smtp_chat_cmd(SMTP_SESSION *session, char *fmt,...)
vstream_longjmp(session->stream, SMTP_ERR_TIME);
if (vstream_ferror(session->stream))
vstream_longjmp(session->stream, SMTP_ERR_EOF);
#endif
}
/* smtp_chat_resp - read and process SMTP server response */
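Review bot: the forced-flush code in smtp_chat_cmd() is kept under #if 0 / #endif instead of being deleted, which leaves two vstream_longjmp() calls in the file that a later edit could re-enable without the error handler the new comment says they need. Delete the block and keep only the comment; the revision history preserves the old code.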

View File

@ -525,6 +525,14 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
#define CANT_RSET_THIS_SESSION \
(session->features |= SMTP_FEATURE_RSET_REJECTED)
/*
* Sanity check. We don't want smtp_chat() to inadvertently flush the
* output buffer. That means someone broke pipelining support.
*/
if (session->sndbufsize > VSTREAM_BUFSIZE)
msg_panic("bad sndbufsize %d > VSTREAM_BUFSIZE %d",
session->sndbufsize, VSTREAM_BUFSIZE);
/*
* Miscellaneous initialization. Some of this might be done in
* smtp_xfer() but that just complicates interfaces and data structures.
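Review bot: the new msg_panic() on session->sndbufsize > VSTREAM_BUFSIZE depends on sndbufsize being bounded wherever it is assigned, which this hunk does not show; name that place in the comment so the invariant can be checked. The comment also refers to smtp_chat(), while the rest of the commit talks about smtp_chat_cmd(), and the panic text lacks the function-name prefix that the other msg_panic() added to smtp_loop() has.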
@ -551,6 +559,42 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
next_rcpt = send_rcpt = recv_rcpt = 0;
mail_from_rejected = 0;
/*
* Prepare for disaster. This should not be needed because the design
* guarantees that no output is flushed before smtp_chat_resp() is
* called.
*
* 1) Every SMTP command fits entirely in a VSTREAM output buffer.
*
* 2) smtp_loop() never invokes smtp_chat_cmd() without making sure that
* there is sufficient space for the command in the output buffer.
*
* 3) smtp_loop() flushes the output buffer to avoid server timeouts.
*
* Changing any of these would violate the design, and would likely break
* SMTP pipelining.
*
* We set up the error handler anyway (only upon entry to avoid wasting
* resources) because 1) there is code below that expects that VSTREAM
* timeouts are enabled, and 2) this allows us to detect if someone broke
* Postfix by introducing spurious flush before read operations.
*/
if (send_state < SMTP_STATE_XFORWARD_NAME_ADDR
|| send_state > SMTP_STATE_QUIT)
msg_panic("%s: bad sender state %d (receiver state %d)",
myname, send_state, recv_state);
smtp_timeout_setup(session->stream,
*xfer_timeouts[send_state]);
if ((except = vstream_setjmp(session->stream)) != 0) {
msg_warn("smtp_proto: spurious flush before read in send state %d",
send_state);
RETURN(SENDING_MAIL ? smtp_stream_except(state, except,
xfer_states[send_state]) : -1);
}
/*
* The main protocol loop.
*/
do {
/*
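Review bot: the handler installed with vstream_setjmp() logs every exception as "spurious flush before read" and drops the value of except, so a timeout and an EOF look the same in the log. Include except in the msg_warn() text, and use myname instead of the literal "smtp_proto:" prefix so it matches the msg_panic() just above. The comment says the handler is set up only on entry; it should also say whether the timeout taken from xfer_timeouts[send_state] for the entry state is meant to stay in force for later states.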

View File

@ -23,6 +23,7 @@ extern int smtp_sasl_helo_login(SMTP_STATE *);
extern void smtp_sasl_passivate(SMTP_SESSION *, VSTRING *);
extern int smtp_sasl_activate(SMTP_SESSION *, char *);
extern STRING_LIST *smtp_sasl_mechs;
/* LICENSE
/* .ad

View File

@ -190,6 +190,11 @@ static NAME_MASK smtp_sasl_sec_mask[] = {
*/
static MAPS *smtp_sasl_passwd_map;
/*
* Supported SASL mechanisms.
*/
STRING_LIST *smtp_sasl_mechs;
/* smtp_sasl_log - logging call-back routine */
static int smtp_sasl_log(void *unused_context, int priority,
@ -343,6 +348,12 @@ void smtp_sasl_initialize(void)
if (sasl_client_init(callbacks) != SASL_OK)
msg_fatal("SASL library initialization");
/*
* Initialize optional supported mechanism matchlist
*/
if (*var_smtp_sasl_mechs)
smtp_sasl_mechs = string_list_init(MATCH_FLAG_NONE,
var_smtp_sasl_mechs);
}
/* smtp_sasl_connect - per-session client initialization */

View File

@ -61,6 +61,7 @@
#include <msg.h>
#include <mymalloc.h>
#include <stringops.h>
/* Global library. */
@ -73,28 +74,67 @@
#ifdef USE_SASL_AUTH
/* smtp_sasl_compat_mechs - Trim server's mechanism list */
static const char *smtp_sasl_compat_mechs(const char *words)
{
static VSTRING *buf;
char *mech_list;
char *save_mech;
char *mech;
int ret;
/*
* Use server's mechanisms if no filter specified
*/
if (smtp_sasl_mechs == 0 || *words == 0)
return (words);
if (buf == 0)
buf = vstring_alloc(10);
VSTRING_RESET(buf);
VSTRING_TERMINATE(buf);
save_mech = mech_list = mystrdup(words);
while (mech = mystrtok(&mech_list, " \t")) {
if (string_list_match(smtp_sasl_mechs, mech)) {
if (VSTRING_LEN(buf) > 0)
VSTRING_ADDCH(buf, ' ');
vstring_strcat(buf, mech);
}
}
myfree(save_mech);
return (vstring_str(buf));
}
/* smtp_sasl_helo_auth - handle AUTH option in EHLO reply */
void smtp_sasl_helo_auth(SMTP_SESSION *session, const char *words)
{
const char *mech_list = smtp_sasl_compat_mechs(words);
/*
* XXX If the server offers a null list of authentication mechanisms,
* XXX If the server offers no compatible authentication mechanisms,
* then pretend that the server doesn't support SASL authentication.
*/
if (session->sasl_mechanism_list) {
if (strcasecmp(session->sasl_mechanism_list, words) == 0)
if (strcasecmp(session->sasl_mechanism_list, mech_list) == 0)
return;
myfree(session->sasl_mechanism_list);
msg_warn("%s offered AUTH option multiple times", session->namaddr);
session->sasl_mechanism_list = 0;
session->features &= ~SMTP_FEATURE_AUTH;
}
if (strlen(words) > 0) {
session->sasl_mechanism_list = mystrdup(words);
if (strlen(mech_list) > 0) {
session->sasl_mechanism_list = mystrdup(mech_list);
session->features |= SMTP_FEATURE_AUTH;
} else {
msg_warn("%s offered null AUTH mechanism list", session->namaddr);
msg_warn(*words ? "%s offered no supported AUTH mechanisms: '%s'" :
"%s offered null AUTH mechanism list",
session->namaddr, words);
}
}
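Review bot: in the else branch of smtp_sasl_helo_auth() the msg_warn() format is picked by a conditional expression, and the "null AUTH mechanism list" variant has one %s while two arguments are passed. It works, but it hides the mismatch from format checking, so two separate msg_warn() calls are clearer. In smtp_sasl_compat_mechs(), int ret is declared and never used, and while (mech = mystrtok(&mech_list, " \t")) should compare against 0 explicitly to show that the assignment is intended. The function returns a pointer into a static VSTRING that the next call overwrites; the caller copies it with mystrdup() before storing it, which deserves a sentence in the function comment.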

View File

@ -2438,6 +2438,7 @@ static void smtpd_proto(SMTPD_STATE *state, const char *service)
&& var_smtpd_delay_reject == 0
&& (state->access_denied = smtpd_check_client(state)) != 0) {
smtpd_chat_reply(state, "%s", state->access_denied);
state->error_count++;
} else {
smtpd_chat_reply(state, "220 %s", var_smtpd_banner);
}

View File

@ -6,6 +6,9 @@
/* SYNOPSIS
/* #include <sys_defs.h>
/*
/* void closefrom(int lowfd)
/* int lowfd;
/*
/* const char *strerror(err)
/* int err;
/*
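Review bot: the SYNOPSIS entry declares void closefrom(int lowfd), but the fallback implementation and the extern declaration added elsewhere in this commit both use int closefrom(...). Make the documented return type match the code, and drop the extra "int lowfd;" line, which belongs to the old-style form used for strerror(err) below and repeats the type already given in the prototype.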
@ -234,3 +237,28 @@ int dup2_pass_on_exec(int oldd, int newd)
}
#endif
#ifndef HAS_CLOSEFROM
#include <errno.h>
/* closefrom() - closes all file descriptors from the given one up */
int closefrom(int lowfd)
{
int fd_limit = open_limit(0);
int fd;
if (lowfd > fd_limit) {
errno = EINVAL;
return (-1);
}
if (fd_limit > 500)
fd_limit = 500;
for (fd = lowfd; fd < fd_limit; fd++)
(void) close(fd);
return (0);
}
#endif
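Review bot: the fallback closefrom() clamps fd_limit to 500 and still returns 0, so descriptors numbered 500 and above stay open, and a call with lowfd >= 500 closes nothing at all while reporting success. For a function whose job is to stop descriptors leaking into child processes, either loop up to the value open_limit(0) returned or document the cap and why it is safe. A negative lowfd is also not rejected: it passes the lowfd > fd_limit test and the loop then calls close() on negative numbers.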

View File

@ -92,20 +92,28 @@
#define SOCKOPT_SIZE socklen_t
#endif
#if OpenBSD >= 200405 /* 3.5 */
#define HAS_CLOSEFROM
#endif
/* __NetBSD_Version__ is major+minor */
#if __NetBSD_Version__ >= 103000000 /* XXX */
#if __NetBSD_Version__ >= 103000000 /* XXX maybe earlier */
#undef DEF_MAILBOX_LOCK
#define DEF_MAILBOX_LOCK "flock, dotlock"
#endif
#if __NetBSD_Version__ >= 105000000 /* XXX */
#if __NetBSD_Version__ >= 105000000 /* XXX maybe earlier */
#define HAS_ISSETUGID
#endif
#if __NetBSD_Version__ >= 106000000 /* XXX */
#if __NetBSD_Version__ >= 106000000 /* XXX maybe earlier */
#define SOCKADDR_SIZE socklen_t
#define SOCKOPT_SIZE socklen_t
#endif
#if __NetBSD_Version__ >= 200060000 /* 2.0F */
#define HAS_CLOSEFROM
#endif
/*
@ -303,6 +311,10 @@ extern int opterr;
#define HAS_VOLATILE_LOCKS
#define BROKEN_READ_SELECT_ON_TCP_SOCKET
#if SOLARIS >= 20900 || (SOLARIS < 10000 && SOLARIS >= 209)
#define HAS_CLOSEFROM
#endif
/*
* Allow build environment to override paths.
*/
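Review bot: the HAS_CLOSEFROM test for Solaris, SOLARIS >= 20900 || (SOLARIS < 10000 && SOLARIS >= 209), accepts two different encodings of the version number with no comment. Add a line saying which build setups define SOLARIS as 209 and which as 20900, so the next version check is not written against only one of them.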
@ -1067,6 +1079,11 @@ extern int setsid(void);
#endif
#ifndef HAS_CLOSEFROM
extern int closefrom(int);
#endif
#ifdef MISSING_STD_FILENOS
#define STDIN_FILENO 0
#define STDOUT_FILENO 1

View File

@ -543,14 +543,14 @@ static int vstream_fflush_some(VSTREAM *stream, int to_flush)
* any.
*/
for (data = (char *) bp->data, len = to_flush; len > 0; len -= n, data += n) {
if (stream->timeout)
stream->iotime = time((time_t *) 0);
if ((n = stream->write_fn(stream->fd, data, len, stream->timeout, stream->context)) <= 0) {
bp->flags |= VSTREAM_FLAG_ERR;
if (errno == ETIMEDOUT)
bp->flags |= VSTREAM_FLAG_TIMEOUT;
return (VSTREAM_EOF);
}
if (stream->timeout)
stream->iotime = time((time_t *) 0);
if (msg_verbose > 2 && stream != VSTREAM_ERR && n != to_flush)
msg_info("%s: %d flushed %d/%d", myname, stream->fd, n, to_flush);
}
@ -674,8 +674,6 @@ static int vstream_buf_get_ready(VBUF *bp)
* data as is available right now, whichever is less. Update the cached
* file seek position, if any.
*/
if (stream->timeout)
stream->iotime = time((time_t *) 0);
switch (n = stream->read_fn(stream->fd, bp->data, bp->len, stream->timeout, stream->context)) {
case -1:
bp->flags |= VSTREAM_FLAG_ERR;
@ -686,6 +684,8 @@ static int vstream_buf_get_ready(VBUF *bp)
bp->flags |= VSTREAM_FLAG_EOF;
return (VSTREAM_EOF);
default:
if (stream->timeout)
stream->iotime = time((time_t *) 0);
if (msg_verbose > 2)
msg_info("%s: fd %d got %d", myname, stream->fd, n);
bp->cnt = -n;

View File

@ -213,6 +213,8 @@ VSTREAM *vstream_popen(int flags,...)
switch (pid = fork()) {
case -1: /* error */
(void) close(sockfd[0]);
(void) close(sockfd[1]);
return (0);
case 0: /* child */
if (close(sockfd[1]))