mirror of https://github.com/vdukhovni/postfix synced 2025-08-30 21:55:20 +00:00

snapshot-20010806

Wietse Venema
2001-08-06 00:00:00 -05:00
committed by Viktor Dukhovni
parent eb91b741af
commit 89867bfc4b
26 changed files with 487 additions and 87 deletions


@@ -5405,3 +5405,19 @@ Apologies for any names omitted.
for myhostname, inet_interfaces, and mynetworks_style.
This broke the default mynetworks setting calculation.
File: postconf/postconf.c.
20010803
Feature: masquerade_classes parameter for fine control of
address masquerading. The default setting is backwards
compatible: envelope_sender header_sender header_recipient.
Files: cleanup/whatever.c.
20010806
Bugfix: did not address masquerade the always_bcc recipient
after extracting envelope recipients from message headers.
File: cleanup/cleanup_extracted.c.
Bugfix: did not address masquerade the envelope recipients
extracted from message headers. File: cleanup/cleanup_message.c.


@@ -1,17 +1,29 @@
Incompatible changes with snapshot-20010801
Incompatible changes with snapshot-20010802
===========================================
The default setting for the maps_rbl_domains parameter is "empty",
because mail-abuse.org has become a subscription-based service.
The permit_mx_backup feature has changed. It accepts mail only when
the primary MX hosts for the recipient match the networks that are
specified with the new auth_permit_mx_backup configuration parameter.
Postfix will not accept mail when permit_mx_backup is used while
auth_permit_mx_backup is not configured.
The protocol between Postfix master and child processes has changed.
You must stop and start Postfix in order to switch between Snapshot
20010801 and releases that implement the older protocol.
Major changes with snapshot-20010801
Major changes with snapshot-20010802
====================================
Specify "disable_verp_bounces = yes" to have Postfix send one
RFC-standard, non-VERP, bounce report for multi-recipient mail,
even when VERP style delivery is requested.
Fine control over address masquerading. The masquerade_classes
parameter controls header and envelope sender and recipient addresses.
Variable coupling between message receiving rates and message
delivery rates. When the message receiving rate exceeds the message
delivery rate, an SMTP server will pause for $in_flow_delay seconds
@@ -20,14 +32,14 @@ a chance catch up and access the disk, while still allowing new
mail to arrive.
The in_flow_delay feature has effect mainly when your system is
being flooded port through a limited number of SMTP connections.
This is also useful for mass-mailing applications, because it avoids
the need to hand-tune the rate at which mail is sent into Postfix.
being flooded through a limited number of SMTP connections. This
is useful for mass-mailing applications, because it eliminates the
need to hand-tune the rate for sending mail into Postfix.
The in_flow_delay feature has negligible effect when mail arrives
via many different SMTP connections. With the default limit of 50
SMTP server processes and with the default $in_flow_delay of 1
second, total mail inflow is limited to 50 messages per second more
second, the mail inflow is limited to 50 messages per second more
than the number of messages that are delivered per second. Many
systems saturate at values much smaller than 50 messages per second.


@@ -151,6 +151,11 @@
# The network interface addresses that this system
# receives mail on.
#
# masquerade_classes
# List of address classes subject to masquerading:
# zero or more of envelope_sender, envelope_recipi-
# ent, header_sender, header_recipient.
#
# masquerade_domains
# List of domains that hide their subdomain struc-
# ture.
@@ -166,17 +171,16 @@
# myorigin
# The domain that is appended to locally-posted mail.
#
# 3
#
# CANONICAL(5) CANONICAL(5)
#
# owner_request_special
# Give special treatment to owner-xxx and xxx-request
# addresses.
#
# SEE ALSO
# cleanup(8) canonicalize and enqueue mail
#
# 3
#
# CANONICAL(5) CANONICAL(5)
#
# postmap(1) create mapping table
# virtual(5) virtual domain mapping
# pcre_table(5) format of PCRE tables


@@ -84,6 +84,11 @@ error unix - - n - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
# The Cyrus deliver program has changed incompatibly.
#
cyrus unix - n n - - pipe
flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
uucp unix - n n - - pipe


@@ -43,13 +43,13 @@
# is `U', which makes matching ungreedy (see PCRE documenta-
# tion and source for more info).
#
# Each pattern is applied to the entire string being looked
# up. Depending on the application, that string is an
# entire client hostname, an entire client IP address, or an
# entire mail address. Thus, no parent domain or parent
# network search is done, and user@domain mail addresses are
# not broken up into their user and domain constituent
# parts, nor is user+foo broken up into user and foo.
# Each pattern is applied to the entire lookup key string.
# Depending on the application, that string is an entire
# client hostname, an entire client IP address, or an entire
# mail address. Thus, no parent domain or parent network
# search is done, and user@domain mail addresses are not
# broken up into their user and domain constituent parts,
# nor is user+foo broken up into user and foo.
#
# Patterns are applied in the order as specified in the
# table, until a pattern is found that matches the search
@@ -59,11 +59,11 @@
#
# PCRE_TABLE(5) PCRE_TABLE(5)
#
# Substitution of sub-strings from the matched expression is
# possible using the conventional perl syntax ($1, $2,
# etc.). The macros in the replacement string may need to be
# written as ${n} or $(n) if they aren't followed by whites-
# pace.
# Substitution of substrings from the matched expression
# into the result string is possible using the conventional
# perl syntax ($1, $2, etc.). The macros in the result
# string may need to be written as ${n} or $(n) if they
# aren't followed by whitespace.
#
# EXAMPLES
# # Protect your outgoing majordomo exploders


@@ -46,13 +46,13 @@
# Other flags are `x' (disable extended expression syntax),
# and `m' (enable multi-line mode).
#
# Each pattern is applied to the entire string being looked
# up. Depending on the application, that string is an
# entire client hostname, an entire client IP address, or an
# entire mail address. Thus, no parent domain or parent
# network search is done, and user@domain mail addresses are
# not broken up into their user and domain constituent
# parts, nor is user+foo broken up into user and foo.
# Each pattern is applied to the entire lookup key string.
# Depending on the application, that string is an entire
# client hostname, an entire client IP address, or an entire
# mail address. Thus, no parent domain or parent network
# search is done, and user@domain mail addresses are not
# broken up into their user and domain constituent parts,
# nor is user+foo broken up into user and foo.
#
# Patterns are applied in the order as specified in the
#
@@ -63,10 +63,10 @@
# table, until a pattern is found that matches the search
# string.
#
# Substitution of sub-strings from the matched expression is
# possible using $1, $2, etc.. The macros in the replacement
# string may need to be written as ${n} or $(n) if they
# aren't followed by whitespace.
# Substitution of substrings from the matched expression
# into the result string is possible using $1, $2, etc.. The
# macros in the result string may need to be written as ${n}
# or $(n) if they aren't followed by whitespace.
#
# EXAMPLES
# # Disallow sender-specified routing. This is a must if you relay mail


@@ -27,6 +27,19 @@ append_dot_mydomain = yes
#
empty_address_recipient = MAILER-DAEMON
# The masquerade_classes parameter controls what addresses are
# subject to address masquerading.
#
# By default, address masquerading is limited to envelope recipient
# addresses, and to header sender and header recipient addresses.
# This allows you to use address masquerading on a mail gateway while
# still being able to forward mail to users on individual machines.
#
# Specify zero or more of: envelope_sender, envelope_recipient,
# header_sender, header_recipient
#
masquerade_classes = envelope_sender, header_sender, header_recipient
# The masquerade_domains parameter gives an optional list of domains
# that must have their subdomain structure stripped off.
#
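Review bot: The explanatory comment says masquerading is limited by default to "envelope recipient addresses", but the setting line below it is `masquerade_classes = envelope_sender, header_sender, header_recipient`, which leaves envelope recipients out. The comment should read `# By default, address masquerading is limited to envelope sender` followed by `# addresses, and to header sender and header recipient addresses.`, so that it agrees with the default and with the next sentence about still forwarding mail to users on individual machines. An administrator who trusts the current wording may wrongly assume that recipient addresses are already being rewritten.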


@@ -282,7 +282,8 @@ smtpd_sender_restrictions =
# - to destinations matching $relay_domains or subdomain thereof,
# except for addresses with sender-specified routing.
# reject_unauth_pipelining: reject mail from improperly pipelining spamware
# permit_mx_backup: accept mail for sites that list me as MX host.
# permit_mx_backup: accept mail for sites whose primary MX hosts
# match the networks specified with auth_mx_backup_networks.
# reject_unknown_recipient_domain: reject domains without A or MX record.
# check_recipient_access maptype:mapname
# maptype:mapname: look up recipient address, parent domain, or localpart@.
@@ -309,6 +310,20 @@ smtpd_sender_restrictions =
#
smtpd_recipient_restrictions = permit_mynetworks,check_relay_domains
# The auth_mx_backup_networks parameter specifies a list of networks
# for which the permit_mx_backup feature (see above) can be used.
#
# By default, auth_mx_backup_networks is empty and no networks are
# authorized to use the permit_mx_backup feature. You can specify
# a complete class A network (X.0.0.0/8), a complete class B network
# (X.X.0.0/16), and so on. If you want stricter control, specify a
# list of network/mask patterns, where the mask specifies the number
# of bits in the network part of a host address. You can also specify
# the absolute pathname of a pattern file instead of listing the
# patterns here.
#
auth_mx_backup_networks =
#
# ADDITIONAL UCE CONTROLS
#


@@ -143,6 +143,11 @@ CANONICAL(5) CANONICAL(5)
The network interface addresses that this system
receives mail on.
<b>masquerade</b><i>_</i><b>classes</b>
List of address classes subject to masquerading:
zero or more of <b>envelope</b><i>_</i><b>sender</b>, <b>envelope</b><i>_</i><b>recipi-</b>
<b>ent</b>, <b>header</b><i>_</i><b>sender</b>, <b>header</b><i>_</i><b>recipient</b>.
<b>masquerade</b><i>_</i><b>domains</b>
List of domains that hide their subdomain struc-
ture.


@@ -40,17 +40,18 @@ CLEANUP(8) CLEANUP(8)
and message header addresses (i.e. strip host or
domain information below all domains listed in the
<b>masquerade</b><i>_</i><b>domains</b> parameter, except for user names
listed in <b>masquerade</b><i>_</i><b>exceptions</b>). Address mas-
querading does not affect envelope recipients.
listed in <b>masquerade</b><i>_</i><b>exceptions</b>). By default,
address masquerading does not affect envelope
recipients.
<b>o</b> Optionally, expand envelope recipients according to
information found in the <a href="virtual.5.html"><b>virtual</b>(5)</a> lookup tables.
information found in the <a href="virtual.5.html"><b>virtual</b>(5)</a> lookup tables.
The <b>cleanup</b> daemon performs sanity checks on the content
of each message. When it finds a problem, by default it
returns a diagnostic status to the client, and leaves it
up to the client to deal with the problem. Alternatively,
the client can request the <b>cleanup</b> daemon to bounce the
The <b>cleanup</b> daemon performs sanity checks on the content
of each message. When it finds a problem, by default it
returns a diagnostic status to the client, and leaves it
up to the client to deal with the problem. Alternatively,
the client can request the <b>cleanup</b> daemon to bounce the
message back to the sender in case of trouble.
<b>STANDARDS</b>
@@ -60,30 +61,30 @@ CLEANUP(8) CLEANUP(8)
Problems and transactions are logged to <b>syslogd</b>(8).
<b>BUGS</b>
Table-driven rewriting rules make it hard to express <b>if</b>
Table-driven rewriting rules make it hard to express <b>if</b>
<b>then</b> <b>else</b> and other logical relationships.
<b>CONFIGURATION</b> <b>PARAMETERS</b>
The following <b>main.cf</b> parameters are especially relevant
to this program. See the Postfix <b>main.cf</b> file for syntax
details and for default values. Use the <b>postfix</b> <b>reload</b>
The following <b>main.cf</b> parameters are especially relevant
to this program. See the Postfix <b>main.cf</b> file for syntax
details and for default values. Use the <b>postfix</b> <b>reload</b>
command after a configuration change.
<b>Content</b> <b>filtering</b>
<b>body</b><i>_</i><b>checks</b>
Lookup tables with content filters for message body
lines. These filters see physical lines one at a
lines. These filters see physical lines one at a
time, in chunks of at most line_length_limit bytes.
<b>header</b><i>_</i><b>checks</b>
Lookup tables with content filters for message
header lines. These filters see logical headers
Lookup tables with content filters for message
header lines. These filters see logical headers
one at a time, including headers that span multiple
lines.
<b>Miscellaneous</b>
<b>always</b><i>_</i><b>bcc</b>
Address to send a copy of each message that enters
Address to send a copy of each message that enters
the system.
<b>hopcount</b><i>_</i><b>limit</b>
@@ -96,8 +97,8 @@ CLEANUP(8) CLEANUP(8)
<b>Address</b> <b>transformations</b>
<b>empty</b><i>_</i><b>address</b><i>_</i><b>recipient</b>
The destination for undeliverable mail from &lt;&gt;.
This substitution is done before all other address
The destination for undeliverable mail from &lt;&gt;.
This substitution is done before all other address
rewriting.
<b>canonical</b><i>_</i><b>maps</b>
@@ -112,12 +113,17 @@ CLEANUP(8) CLEANUP(8)
Address mapping lookup table for envelope and
header sender addresses.
<b>masquerade</b><i>_</i><b>classes</b>
List of address classes subject to masquerading:
zero or more of <b>envelope</b><i>_</i><b>sender</b>, <b>envelope</b><i>_</i><b>recipi-</b>
<b>ent</b>, <b>header</b><i>_</i><b>sender</b>, <b>header</b><i>_</i><b>recipient</b>.
<b>masquerade</b><i>_</i><b>domains</b>
List of domains that hide their subdomain struc-
List of domains that hide their subdomain struc-
ture.
<b>masquerade</b><i>_</i><b>exceptions</b>
List of user names that are not subject to address
List of user names that are not subject to address
masquerading.
<b>virtual</b><i>_</i><b>maps</b>
@@ -126,7 +132,7 @@ CLEANUP(8) CLEANUP(8)
<b>Resource</b> <b>controls</b>
<b>duplicate</b><i>_</i><b>filter</b><i>_</i><b>limit</b>
Limit the number of envelope recipients that are
Limit the number of envelope recipients that are
remembered.
<b>header</b><i>_</i><b>size</b><i>_</i><b>limit</b>
@@ -135,11 +141,11 @@ CLEANUP(8) CLEANUP(8)
<b>in</b><i>_</i><b>flow</b><i>_</i><b>delay</b>
Amount of time to pause before accepting a message,
when the message arrival rate exceeds the message
when the message arrival rate exceeds the message
delivery rate.
<b>extract</b><i>_</i><b>recipient</b><i>_</i><b>limit</b>
Limit the amount of recipients extracted from mes-
Limit the amount of recipients extracted from mes-
sage headers.
<b>SEE</b> <b>ALSO</b>
@@ -154,7 +160,7 @@ CLEANUP(8) CLEANUP(8)
/etc/postfix/virtual*, virtual mapping table
<b>LICENSE</b>
The Secure Mailer license must be distributed with this
The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>


@@ -1521,7 +1521,10 @@ href="uce.html#reject_unauth_destination">reject_unauth_destination</a>:
reject when the destination is not local.
<li> <a href="uce.html#permit_mx_backup">permit_mx_backup</a>:
reject when the destination is not local.
permit if the local system is listed as MX host for the recipient
domain, provided that the primary MX host for the recipient domain
is within the networks specified with <a
href="uce.html#auth_mx_backup_networks">auth_mx_backup_networks</a>.
<li> Other UCE restrictions (e.g., SMTPD access maps) are not aware
of sender-provided routing information.


@@ -226,7 +226,7 @@ send mail to the those ugly address without creating a mailer loop.
<a name="masquerade"> <h2> Address masquerading</h2>
Address masquerading is a method to hide all hosts below a domain
Address masquerading is a method to hide all hosts inside a domain
behind their mail gateway, and to make it appear as if the mail
comes from the gateway itself, instead of from individual machines.
@@ -267,8 +267,28 @@ For example,
By default, Postfix makes no exceptions.
<p>
Subtle point: address masquerading is applied only to message
headers and envelope sender addresses, not to envelope recipients.
Subtle point: by default, address masquerading is applied only to
message headers and to envelope sender addresses, but not to envelope
recipients. This allows you to use address masquerading on a mail
gateway machine, while still being able to forward mail from outside
to users on individual machines.
<p>
In order to subject envelope recipient addresses to masquerading,
too, specify (only available with Postfix versions after 20010802):
<dl>
<dd><b>masquerade_classes = envelope_sender, envelope_recipient,
header_sender, header_recipient</b>
</dl>
<p>
If you do this, Postfix will no longer be able to send mail to
individual machines.
<a name="virtual"> <h2> Virtual address mapping</h2>


@@ -722,17 +722,20 @@ code for rejected requests (default: <b>554</b>).
<a name="permit_mx_backup">
<dt> <b>permit_mx_backup</b> <dd> Permit the request when the local
mail system is MX host for the resolved destination. This includes
the case that the local mail system is the final destination.
However, the SMTP server will not forward mail with addresses that
have sender-specified routing information (example:
mail system is MX host for the resolved destination, provided that
the primary MX host is within the networks specified with <a
href="#auth_mx_backup_networks">auth_mx_backup_networks</a> parameter.
This includes the case that the local mail system is the final
destination. However, the SMTP server will not forward mail with
addresses that have sender-specified routing information (example:
<i>user@elsewhere@domain</i>),
<p>
Relevant configuration parameters: <a href="basic.html#mydestination">
$mydestination</a>, <a href="basic.html#inet_interfaces">
$inet_interfaces</a>.
Relevant configuration parameters: <a
href="#auth_mx_backup_networks">auth_mx_backup_networks</a>, <a
href="basic.html#mydestination"> $mydestination</a>, <a
href="basic.html#inet_interfaces"> $inet_interfaces</a>.
<p>
@@ -966,6 +969,52 @@ to speed up deliveries.
<dl>
<a name="auth_mx_backup_networks">
<dt> <b>auth_mx_backup_networks</b>
<dd>This parameter specifies the networks that are allowed to
use the <a href="#permit_mx_backup">permit_mx_backup</a>
relay control feature.
<p>
<dl>
<dt>Default:
<dd><b>auth_mx_backup_networks = </b>
<p>
That is, no networks are authorized by default.
<p>
<dt>Syntax:
<dd> Specify a list of network
blocks in CIDR (network/mask) notation, for example:
<p>
<dl>
<dd> <b>auth_mx_backup_networks = 168.100.0.0/16</b>
</dl>
<p>
You can also specify the absolute pathname of a pattern file instead
of listing the patterns in the <b>main.cf</b> file.
</dl>
</dl>
<dl>
<a name="maps_rbl_domains">
<dt> <b>maps_rbl_domains</b>


@@ -139,6 +139,10 @@ addresses.
Other parameters of interest:
.IP \fBinet_interfaces\fR
The network interface addresses that this system receives mail on.
.IP \fBmasquerade_classes\fR
List of address classes subject to masquerading: zero or more of
\fBenvelope_sender\fR, \fBenvelope_recipient\fR, \fBheader_sender\fR,
\fBheader_recipient\fR.
.IP \fBmasquerade_domains\fR
List of domains that hide their subdomain structure.
.IP \fBmasquerade_exceptions\fR


@@ -41,7 +41,7 @@ Optionally, masquerade envelope sender addresses and message
header addresses (i.e. strip host or domain information below
all domains listed in the \fBmasquerade_domains\fR parameter,
except for user names listed in \fBmasquerade_exceptions\fR).
Address masquerading does not affect envelope recipients.
By default, address masquerading does not affect envelope recipients.
.IP \(bu
Optionally, expand envelope recipients according to information
found in the \fBvirtual\fR(5) lookup tables.
@@ -108,6 +108,10 @@ addresses.
.IP \fBsender_canonical_maps\fR
Address mapping lookup table for envelope and header sender
addresses.
.IP \fBmasquerade_classes\fR
List of address classes subject to masquerading: zero or
more of \fBenvelope_sender\fR, \fBenvelope_recipient\fR,
\fBheader_sender\fR, \fBheader_recipient\fR.
.IP \fBmasquerade_domains\fR
List of domains that hide their subdomain structure.
.IP \fBmasquerade_exceptions\fR


@@ -123,6 +123,10 @@
# Other parameters of interest:
# .IP \fBinet_interfaces\fR
# The network interface addresses that this system receives mail on.
# .IP \fBmasquerade_classes\fR
# List of address classes subject to masquerading: zero or more of
# \fBenvelope_sender\fR, \fBenvelope_recipient\fR, \fBheader_sender\fR,
# \fBheader_recipient\fR.
# .IP \fBmasquerade_domains\fR
# List of domains that hide their subdomain structure.
# .IP \fBmasquerade_exceptions\fR


@@ -35,7 +35,7 @@
/* header addresses (i.e. strip host or domain information below
/* all domains listed in the \fBmasquerade_domains\fR parameter,
/* except for user names listed in \fBmasquerade_exceptions\fR).
/* Address masquerading does not affect envelope recipients.
/* By default, address masquerading does not affect envelope recipients.
/* .IP \(bu
/* Optionally, expand envelope recipients according to information
/* found in the \fBvirtual\fR(5) lookup tables.
@@ -94,6 +94,10 @@
/* .IP \fBsender_canonical_maps\fR
/* Address mapping lookup table for envelope and header sender
/* addresses.
/* .IP \fBmasquerade_classes\fR
/* List of address classes subject to masquerading: zero or
/* more of \fBenvelope_sender\fR, \fBenvelope_recipient\fR,
/* \fBheader_sender\fR, \fBheader_recipient\fR.
/* .IP \fBmasquerade_domains\fR
/* List of domains that hide their subdomain structure.
/* .IP \fBmasquerade_exceptions\fR


@@ -71,6 +71,15 @@ extern MAPS *cleanup_header_checks;
extern MAPS *cleanup_body_checks;
extern MAPS *cleanup_virtual_maps;
extern ARGV *cleanup_masq_domains;
extern int cleanup_masq_flags;
/*
* Address masquerading fine control.
*/
#define CLEANUP_MASQ_FLAG_ENV_FROM (1<<0) /* envelope sender */
#define CLEANUP_MASQ_FLAG_ENV_RCPT (1<<1) /* envelope recipient */
#define CLEANUP_MASQ_FLAG_HDR_FROM (1<<2) /* header sender */
#define CLEANUP_MASQ_FLAG_HDR_RCPT (1<<3) /* header recipient */
/*
* Restrictions on extension propagation.


@@ -149,7 +149,8 @@ static void cleanup_envelope_process(CLEANUP_STATE *state, int type, char *buf,
if (cleanup_comm_canon_maps)
cleanup_map11_internal(state, clean_addr, cleanup_comm_canon_maps,
cleanup_ext_prop_mask & EXT_PROP_CANONICAL);
if (cleanup_masq_domains)
if (cleanup_masq_domains
&& (cleanup_masq_flags & CLEANUP_MASQ_FLAG_ENV_FROM))
cleanup_masquerade_internal(clean_addr, cleanup_masq_domains);
CLEANUP_OUT_BUF(state, type, clean_addr);
if (state->sender == 0)
@@ -171,6 +172,9 @@ static void cleanup_envelope_process(CLEANUP_STATE *state, int type, char *buf,
if (cleanup_comm_canon_maps)
cleanup_map11_internal(state, clean_addr, cleanup_comm_canon_maps,
cleanup_ext_prop_mask & EXT_PROP_CANONICAL);
if (cleanup_masq_domains
&& (cleanup_masq_flags & CLEANUP_MASQ_FLAG_ENV_RCPT))
cleanup_masquerade_internal(clean_addr, cleanup_masq_domains);
cleanup_out_recipient(state, STR(clean_addr));
if (state->recip == 0)
state->recip = mystrdup(STR(clean_addr));


@@ -123,6 +123,9 @@ static void cleanup_extracted_process(CLEANUP_STATE *state, int type, char *buf,
if (cleanup_comm_canon_maps)
cleanup_map11_internal(state, clean_addr, cleanup_comm_canon_maps,
cleanup_ext_prop_mask & EXT_PROP_CANONICAL);
if (cleanup_masq_domains
&& (cleanup_masq_flags & CLEANUP_MASQ_FLAG_ENV_RCPT))
cleanup_masquerade_internal(clean_addr, cleanup_masq_domains);
cleanup_out_recipient(state, STR(clean_addr));
if (state->recip == 0)
state->recip = mystrdup(STR(clean_addr));
@@ -150,8 +153,8 @@ static void cleanup_extracted_process(CLEANUP_STATE *state, int type, char *buf,
if (rcpt->argc >= var_extra_rcpt_limit) {
state->errs |= CLEANUP_STAT_ROVFL;
} else {
clean_addr = vstring_alloc(100);
if (*var_always_bcc && rcpt->argv[0]) {
clean_addr = vstring_alloc(100);
cleanup_rewrite_internal(clean_addr, var_always_bcc);
if (cleanup_rcpt_canon_maps)
cleanup_map11_internal(state, clean_addr, cleanup_rcpt_canon_maps,
@@ -160,13 +163,20 @@ static void cleanup_extracted_process(CLEANUP_STATE *state, int type, char *buf,
cleanup_map11_internal(state, clean_addr, cleanup_comm_canon_maps,
cleanup_ext_prop_mask & EXT_PROP_CANONICAL);
argv_add(rcpt, STR(clean_addr), (char *) 0);
vstring_free(clean_addr);
}
argv_terminate(rcpt);
for (cpp = rcpt->argv; CLEANUP_OUT_OK(state) && *cpp; cpp++)
cleanup_out_recipient(state, *cpp);
for (cpp = rcpt->argv; CLEANUP_OUT_OK(state) && *cpp; cpp++) {
if (cleanup_masq_domains
&& (cleanup_masq_flags & CLEANUP_MASQ_FLAG_ENV_RCPT)) {
vstring_strcpy(clean_addr, *cpp);
cleanup_masquerade_internal(clean_addr, cleanup_masq_domains);
cleanup_out_recipient(state, STR(clean_addr));
} else
cleanup_out_recipient(state, *cpp);
}
if (rcpt->argv[0])
state->recip = mystrdup(rcpt->argv[0]);
vstring_free(clean_addr);
}
}
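Review bot: In the last hunk each extracted recipient is masqueraded before it is passed to cleanup_out_recipient(), but `state->recip = mystrdup(rcpt->argv[0]);` still records the address as it was before masquerading. The first hunk of this file sets state->recip from clean_addr after cleanup_masquerade_internal() has run, so the two paths disagree whenever CLEANUP_MASQ_FLAG_ENV_RCPT is set. What state->recip is used for later is not visible here, so this may be harmless; recording the masqueraded first recipient inside the loop, or adding a comment that says why the original form is kept, would make the two paths consistent. The page has lost its +/- markers, so this reading assumes the trailing `vstring_free(clean_addr);` is the new placement; cleanup_extracted_process() begins and continues outside the hunks.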


@@ -69,6 +69,7 @@
#include <msg.h>
#include <iostuff.h>
#include <name_mask.h>
/* Global library. */
@@ -106,6 +107,7 @@ char *var_prop_extension; /* propagate unmatched extension */
char *var_always_bcc; /* big brother */
int var_extra_rcpt_limit; /* recipient extract limit */
char *var_rcpt_witheld; /* recipients not disclosed */
char *var_masq_classes; /* what to masquerade */
CONFIG_INT_TABLE cleanup_int_table[] = {
VAR_HOPCOUNT_LIMIT, DEF_HOPCOUNT_LIMIT, &var_hopcount_limit, 1, 0,
@@ -133,6 +135,7 @@ CONFIG_STR_TABLE cleanup_str_table[] = {
VAR_PROP_EXTENSION, DEF_PROP_EXTENSION, &var_prop_extension, 0, 0,
VAR_ALWAYS_BCC, DEF_ALWAYS_BCC, &var_always_bcc, 0, 0,
VAR_RCPT_WITHELD, DEF_RCPT_WITHELD, &var_rcpt_witheld, 1, 0,
VAR_MASQ_CLASSES, DEF_MASQ_CLASSES, &var_masq_classes, 0, 0,
0,
};
@@ -146,6 +149,7 @@ MAPS *cleanup_header_checks;
MAPS *cleanup_body_checks;
MAPS *cleanup_virtual_maps;
ARGV *cleanup_masq_domains;
int cleanup_masq_flags;
/*
* Address extension propagation restrictions.
@@ -164,9 +168,17 @@ void cleanup_all(void)
void cleanup_pre_jail(char *unused_name, char **unused_argv)
{
static NAME_MASK masq_class_table[] = {
MASQ_CLASS_ENV_FROM, CLEANUP_MASQ_FLAG_ENV_FROM,
MASQ_CLASS_ENV_RCPT, CLEANUP_MASQ_FLAG_ENV_RCPT,
MASQ_CLASS_HDR_FROM, CLEANUP_MASQ_FLAG_HDR_FROM,
MASQ_CLASS_HDR_RCPT, CLEANUP_MASQ_FLAG_HDR_RCPT,
0,
};
if (*var_canonical_maps)
cleanup_comm_canon_maps =
maps_create(VAR_CANONICAL_MAPS, var_canonical_maps, DICT_FLAG_LOCK);
maps_create(VAR_CANONICAL_MAPS, var_canonical_maps, DICT_FLAG_LOCK);
if (*var_send_canon_maps)
cleanup_send_canon_maps =
maps_create(VAR_SEND_CANON_MAPS, var_send_canon_maps,
@@ -186,6 +198,9 @@ void cleanup_pre_jail(char *unused_name, char **unused_argv)
if (*var_body_checks)
cleanup_body_checks =
maps_create(VAR_BODY_CHECKS, var_body_checks, DICT_FLAG_LOCK);
if (*var_masq_classes)
cleanup_masq_flags = name_mask(VAR_MASQ_CLASSES, masq_class_table,
var_masq_classes);
}
/* cleanup_post_jail - initialize after entering the chroot jail */
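Review bot: cleanup_masq_flags is assigned only inside `if (*var_masq_classes)`, so an empty masquerade_classes leaves the file-scope int at its zero initial value and every `cleanup_masq_flags & CLEANUP_MASQ_FLAG_...` test added in this commit is false. Masquerading is then off for all address classes even when masquerade_domains is set, which matches the documented "zero or more" but is easy to miss when reading the code. I would add a comment above the test, for example `/* Empty masquerade_classes: flags stay 0, no address class is masqueraded. */`. The middle of cleanup_pre_jail() lies between the two hunks and is not shown.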


@@ -178,7 +178,8 @@ static void cleanup_rewrite_sender(CLEANUP_STATE *state, HEADER_OPTS *hdr_opts)
if (cleanup_comm_canon_maps)
cleanup_map11_tree(state, *tpp, cleanup_comm_canon_maps,
cleanup_ext_prop_mask & EXT_PROP_CANONICAL);
if (cleanup_masq_domains)
if (cleanup_masq_domains
&& (cleanup_masq_flags & CLEANUP_MASQ_FLAG_HDR_FROM))
cleanup_masquerade_tree(*tpp, cleanup_masq_domains);
if (hdr_opts->type == HDR_FROM && state->from == 0)
state->from = cleanup_extract_internal(state->header_buf, *tpp);
@@ -230,7 +231,8 @@ static void cleanup_rewrite_recip(CLEANUP_STATE *state, HEADER_OPTS *hdr_opts)
argv_add(rcpt, vstring_str(state->temp1), (char *) 0);
}
}
if (cleanup_masq_domains)
if (cleanup_masq_domains
&& (cleanup_masq_flags & CLEANUP_MASQ_FLAG_HDR_RCPT))
cleanup_masquerade_tree(*tpp, cleanup_masq_domains);
if (hdr_opts->type == HDR_RETURN_RECEIPT_TO && !state->return_receipt)
state->return_receipt =


@@ -124,6 +124,17 @@ extern char *var_masq_domains;
#define DEF_MASQ_EXCEPTIONS ""
extern char *var_masq_exceptions;
#define MASQ_CLASS_ENV_FROM "envelope_sender"
#define MASQ_CLASS_ENV_RCPT "envelope_recipient"
#define MASQ_CLASS_HDR_FROM "header_sender"
#define MASQ_CLASS_HDR_RCPT "header_recipient"
#define VAR_MASQ_CLASSES "masquerade_classes"
#define DEF_MASQ_CLASSES MASQ_CLASS_ENV_FROM ", " \
MASQ_CLASS_HDR_FROM ", " \
MASQ_CLASS_HDR_RCPT
extern char *var_masq_classes;
/*
* Intranet versus internet.
*/
@@ -1111,6 +1122,10 @@ extern int var_relay_code;
#define PERMIT_MX_BACKUP "permit_mx_backup"
#define VAR_AUTH_MX_NETWORKS "auth_mx_backup_networks"
#define DEF_AUTH_MX_NETWORKS ""
extern char *var_auth_mx_networks;
#define VAR_ACCESS_MAP_CODE "access_map_reject_code"
#define DEF_ACCESS_MAP_CODE 554
extern int var_access_map_code;
@@ -1127,7 +1142,7 @@ extern int var_access_map_code;
extern int var_maps_rbl_code;
#define VAR_MAPS_RBL_DOMAINS "maps_rbl_domains"
#define DEF_MAPS_RBL_DOMAINS "blackholes.mail-abuse.org"
#define DEF_MAPS_RBL_DOMAINS ""
extern char *var_maps_rbl_domains;
#define VAR_SMTPD_DELAY_REJECT "smtpd_delay_reject"
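Review bot: `VAR_AUTH_MX_NETWORKS` is defined here as "auth_mx_backup_networks", and the sample configuration and HTML pages in this commit use that name, but the release-notes text in the same commit calls the parameter auth_permit_mx_backup. With `DEF_AUTH_MX_NETWORKS ""` no network is authorized by default, so a site that follows the release notes and sets the other name would presumably find permit_mx_backup still authorizing nothing. The release notes should use the name defined here, so that the relay-control change can be configured as documented.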


@@ -15,7 +15,7 @@
* Version of this program.
*/
#define VAR_MAIL_VERSION "mail_version"
#define DEF_MAIL_VERSION "Snapshot-20010801"
#define DEF_MAIL_VERSION "Snapshot-20010806"
extern char *var_mail_version;
/* LICENSE

View File

@@ -356,6 +356,7 @@ char *var_smtpd_sasl_opts;
char *var_smtpd_sasl_realm;
char *var_filter_xport;
bool var_broken_auth_clients;
char *var_auth_mx_networks;
/*
* Global state, for stand-alone mode queue file cleanup. When this is
@@ -1590,6 +1591,7 @@ int main(int argc, char **argv)
VAR_SMTPD_SASL_OPTS, DEF_SMTPD_SASL_OPTS, &var_smtpd_sasl_opts, 0, 0,
VAR_SMTPD_SASL_REALM, DEF_SMTPD_SASL_REALM, &var_smtpd_sasl_realm, 1, 0,
VAR_FILTER_XPORT, DEF_FILTER_XPORT, &var_filter_xport, 0, 0,
VAR_AUTH_MX_NETWORKS, DEF_AUTH_MX_NETWORKS, &var_auth_mx_networks, 0, 0,
0,
};


@@ -145,9 +145,10 @@
/* Reject the request when the client has already sent the next request
/* without being told that the server implements SMTP command pipelining.
/* .IP permit_mx_backup
/* Allow the request when the local mail system is mail exchanger
/* for the recipient domain (this includes the case where the local
/* system is the final destination).
/* Allow the request when all primary MX hosts for the recipient
/* are in the networks specified with the $auth_mx_backup_networks
/* configuration parameter, or when the local system is the final
/* destination.
/* .IP restriction_classes
/* Defines a list of parameter names, each parameter being a list
/* of restrictions that can be used anywhere a restriction is legal.
@@ -307,6 +308,11 @@ static jmp_buf smtpd_check_buf;
#define SMTPD_CHECK_OK 1 /* explicitly permit */
#define SMTPD_CHECK_REJECT 2 /* explicitly reject */
/*
* XXX For now define SMTPD_CHECK_TRYAGAIN as SMTPD_CHECK_OK.
*/
#define SMTPD_CHECK_TRYAGAIN 1 /* return 4xx try again */
/*
* Intermediate results. These are static to avoid unnecessary stress on the
* memory manager routines.
@@ -331,6 +337,7 @@ static MAPS *relocated_maps;
*/
static DOMAIN_LIST *relay_domains;
static NAMADR_LIST *mynetworks;
static NAMADR_LIST *auth_mx_networks;
/*
* Pre-parsed restriction lists.
@@ -499,6 +506,7 @@ void smtpd_check_init(void)
*/
mynetworks = namadr_list_init(var_mynetworks);
relay_domains = domain_list_init(var_relay_domains);
auth_mx_networks = namadr_list_init(var_auth_mx_networks);
/*
* Pre-parse and pre-open the recipient maps.
@@ -1014,6 +1022,59 @@ static int reject_unauth_pipelining(SMTPD_STATE *state)
return (SMTPD_CHECK_DUNNO);
}
/* all_auth_mx_addr - match host addresses against auth_mx_backup_networks */
static int all_auth_mx_addr(char *host)
{
char *myname = "all_auth_mx_addr";
struct in_addr addr;
DNS_RR *rr;
DNS_RR *addr_list;
int dns_status;
if (msg_verbose)
msg_info("%s: host %s", myname, host);
/*
* If we can't lookup the host, try again.
*/
#define NOPE 0
#define YUP 1
#define TRYAGAIN 2
/*
* Resolve this host into IP addresses, and check if thy are within
* auth_mx_backup_networks
*/
dns_status = dns_lookup(host, T_A, 0, &addr_list, (VSTRING *) 0, (VSTRING *) 0);
if (dns_status != DNS_OK)
return (TRYAGAIN);
for (rr = addr_list; rr != 0; rr = rr->next) {
if (rr->data_len > sizeof(addr)) {
msg_warn("skipping address length %d", rr->data_len);
continue;
}
memcpy((char *) &addr, rr->data, sizeof(addr));
if (msg_verbose)
msg_info("%s: checking: %s", myname, inet_ntoa(addr));
if (!namadr_list_match(auth_mx_networks, host, inet_ntoa(addr))) {
/*
* Reject: IP address not listed in auth_mx_backup_networks.
*/
if (msg_verbose)
msg_info("%s: address %s does not match %s",
myname, inet_ntoa(addr), VAR_AUTH_MX_NETWORKS);
dns_rr_free(addr_list);
return (NOPE);
}
}
dns_rr_free(addr_list);
return (YUP);
}
/* has_my_addr - see if this host name lists one of my network addresses */
static int has_my_addr(const char *host)
@@ -1055,6 +1116,8 @@ static int has_my_addr(const char *host)
return (NOPE);
}
#if 0
/* permit_mx_backup - permit use of me as MX backup for recipient domain */
static int permit_mx_backup(SMTPD_STATE *state, const char *recipient)
@@ -1117,7 +1180,7 @@ static int permit_mx_backup(SMTPD_STATE *state, const char *recipient)
if (dns_status == DNS_NOTFOUND)
return (has_my_addr(domain) ? SMTPD_CHECK_OK : SMTPD_CHECK_DUNNO);
if (dns_status != DNS_OK)
return (SMTPD_CHECK_OK);
return (SMTPD_CHECK_TRYAGAIN);
/*
* First, see if we match any of the MX host names listed. Only if no
@@ -1150,6 +1213,122 @@ static int permit_mx_backup(SMTPD_STATE *state, const char *recipient)
return (SMTPD_CHECK_DUNNO);
}
#endif
/* permit_auth_mx_backup - relay for authorized networks */
static int permit_auth_mx_backup(SMTPD_STATE *state, const char *recipient)
{
char *myname = "permit_auth_mx_backup";
const RESOLVE_REPLY *reply;
const char *domain;
DNS_RR *mx_list;
DNS_RR *mx;
int dns_status;
int best_pref;
if (msg_verbose)
msg_info("%s: %s", myname, recipient);
/*
* Sanity check.
*/
if (*var_auth_mx_networks == 0) {
msg_warn("The %s feature requires that you specify authorized networks",
PERMIT_MX_BACKUP);
msg_warn("via the %s configuration parameter. See examples",
VAR_AUTH_MX_NETWORKS);
msg_warn("in the %s/sample-smtpd.cf configuration file.",
var_config_dir);
longjmp(smtpd_check_buf, smtpd_check_reject(state, MAIL_ERROR_SOFTWARE,
"%d <%s>: Configuration error in %s",
451, recipient,
VAR_AUTH_MX_NETWORKS));
}
/*
* Resolve the address.
*/
reply = (const RESOLVE_REPLY *)
ctable_locate(smtpd_resolve_cache, recipient);
/*
* If the destination is local, it is acceptable, because we are
* supposedly MX for our own address.
*/
if ((domain = strrchr(CONST_STR(reply->recipient), '@')) == 0)
return (SMTPD_CHECK_OK);
domain += 1;
if (resolve_local(domain)
|| (*var_virtual_maps
&& check_maps_find(state, recipient, virtual_maps, domain, 0))
|| (*var_virt_mailbox_maps
&& check_maps_find(state, recipient, virt_mailbox_maps, domain, 0)))
return (SMTPD_CHECK_OK);
if (msg_verbose)
msg_info("%s: not local: %s", myname, recipient);
/*
* Skip source-routed mail (uncertain destination).
*/
if (var_allow_untrust_route == 0 && (reply->flags & RESOLVE_FLAG_ROUTED))
return (SMTPD_CHECK_DUNNO);
/*
* Skip numerical forms that didn't match the local system.
*/
if (domain[0] == '#'
|| (domain[0] == '[' && domain[strlen(domain) - 1] == ']'))
return (SMTPD_CHECK_DUNNO);
/*
* Look up the list of MX host names for this domain. If no MX host is
* found, perhaps it is a CNAME for the local machine. Clients aren't
* supposed to send CNAMEs in SMTP commands, but it happens anyway.
*/
dns_status = dns_lookup(domain, T_MX, 0, &mx_list,
(VSTRING *) 0, (VSTRING *) 0);
if (dns_status == DNS_NOTFOUND)
return (has_my_addr(domain) ? SMTPD_CHECK_OK : SMTPD_CHECK_DUNNO);
if (dns_status != DNS_OK)
return (SMTPD_CHECK_TRYAGAIN);
/*
* Find the preference of the primary MX hosts.
*/
for (best_pref = 0xffff, mx = mx_list; mx != 0; mx = mx->next)
if (mx->pref < best_pref)
best_pref = mx->pref;
/*
* See if each best MX host has all IP addresses in
* auth_mx_backup_networks.
*/
for (mx = mx_list; mx != 0; mx = mx->next) {
if (mx->pref != best_pref)
continue;
switch (all_auth_mx_addr((char *) mx->data)) {
case NOPE:
dns_rr_free(mx_list);
return (SMTPD_CHECK_DUNNO);
case YUP:
continue;
case TRYAGAIN:
dns_rr_free(mx_list);
return (SMTPD_CHECK_TRYAGAIN);
}
}
/*
* All IP addresses of the best MX hosts are within
* auth_mx_backup_networks.
*/
dns_rr_free(mx_list);
return (SMTPD_CHECK_OK);
}
/* reject_non_fqdn_address - fail if address is not in fqdn form */
static int reject_non_fqdn_address(SMTPD_STATE *state, char *addr,
@@ -1808,7 +1987,7 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
SMTPD_NAME_RECIPIENT, def_acl);
} else if (strcasecmp(name, PERMIT_MX_BACKUP) == 0) {
if (state->recipient)
status = permit_mx_backup(state, state->recipient);
status = permit_auth_mx_backup(state, state->recipient);
} else if (strcasecmp(name, PERMIT_AUTH_DEST) == 0) {
if (state->recipient)
status = permit_auth_destination(state, state->recipient);
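Review bot: In `all_auth_mx_addr`, the record-length guard misses the case it most needs to stop, and the skip it takes makes an authorization check fail open. `if (rr->data_len > sizeof(addr))` rejects only oversized records, while the `memcpy` that follows always reads `sizeof(addr)` bytes, so a record shorter than `struct in_addr` would be read past its end; `if (rr->data_len != sizeof(addr))` covers both directions. Because the function answers "are all addresses authorized", a record that cannot be checked should not be passed over with `continue` and then counted toward `YUP`; calling `dns_rr_free(addr_list);` and `return (NOPE);` there keeps the decision closed. Separately, `SMTPD_CHECK_TRYAGAIN` is defined as 1, the same value as `SMTPD_CHECK_OK`, so every DNS soft failure in `permit_auth_mx_backup`, including the new `TRYAGAIN` result from this function, currently permits the relay request. The `XXX` comment acknowledges this, but it deserves a tracked follow-up that defers with a 4xx reply instead.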