mirror of https://github.com/vdukhovni/postfix synced 2025-08-22 09:57:34 +00:00

postfix-2.8-20100213

This commit is contained in:
Wietse Venema 2010-02-13 00:00:00 -05:00 committed by Viktor Dukhovni
parent bde0246003
commit 8a6397deff
25 changed files with 238 additions and 195 deletions

View File

@ -15723,3 +15723,9 @@ Apologies for any names omitted.
reuses the workaround that was implemented to report a
Delivered-To: loop. Files: local/file.c, local/command.c,
local/recipient.c, local/bounce_workaround.c.
20100209
The tcp_table(5) interface is now part of the stable release.
The last protocol change was in Postfix 2.1. File:
util/dict_open.c.

View File

@ -366,7 +366,7 @@ This feature is available in Postfix version 2.1 and later.
Example:
/etc/postfix/master.cf:
:10026 inet n - n - - smtpd
127.0.0.1:10026 inet n - n - - smtpd
-o receive_override_options=no_address_mappings
Note: do not specify whitespace around the "=" here.
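Review bot: the README should say why the listen address changed. In master.cf an empty host part (":10026") listens on every interface, while "127.0.0.1:10026" binds the re-injection smtpd to the loopback only, so just the local content filter can reach a listener that runs with receive_override_options=no_address_mappings. One sentence after the example would make that reasoning explicit for readers who still carry the old form from older guides.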
@ -439,7 +439,7 @@ file. This feature is available in Postfix version 2.1 and later.
Example:
/etc/postfix/master.cf:
:10026 inet n - n - - smtpd
127.0.0.1:10026 inet n - n - - smtpd
-o receive_override_options=no_address_mappings
Note: do not specify whitespace around the "=" here.
@ -475,7 +475,7 @@ settings in the master.cf file. This feature is available in Postfix version
Example:
/etc/postfix/master.cf:
:10026 inet n - n - - smtpd
127.0.0.1:10026 inet n - n - - smtpd
-o receive_override_options=no_address_mappings
Note: do not specify whitespace around the "=" here.
@ -520,7 +520,7 @@ This feature is available in Postfix version 2.1 and later.
Example:
/etc/postfix/master.cf:
:10026 inet n - n - - smtpd
127.0.0.1:10026 inet n - n - - smtpd
-o receive_override_options=no_address_mappings
Note: do not specify whitespace around the "=" here.

View File

@ -248,8 +248,7 @@ To find out what database types your Postfix system supports, use the "ppooss
Access information through a TCP/IP server. The protocol is described
in tcp_table(5). The lookup table name is "tcp:host:port" where "host"
specifies a symbolic hostname or a numeric IP address, and "port"
specifies a symbolic service name or a numeric port number. This
protocol is not available in the stable Postfix release.
specifies a symbolic service name or a numeric port number.
uunniixx (read-only)
A limited way to query the UNIX authentication database. The following
tables are implemented:
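Review bot: dropping "This protocol is not available in the stable Postfix release" leaves the tcp: entry with no operational caveat. Since tcp_table(5) queries and replies travel over a plain TCP connection without client authentication, suggest adding a sentence that "host" should be a loopback or otherwise trusted address, so the table is not consulted across an untrusted network.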

View File

@ -17,12 +17,12 @@ to remote destinations, or only to destinations that the server itself is
responsible for. Usually, SMTP servers allow mail to remote destinations when
the client's IP address is in the "same network" as the server's IP address.
Sometimes an SMTP client needs "same network" privileges when it connects from
elsewhere. To address this problem, Postfix supports SASL authentication (RFC
4954, formerly RFC 2554). With this a remote SMTP client can authenticate to
the Postfix SMTP server, and the Postfix SMTP client can authenticate to a
remote SMTP server. Once a client is authenticated, a server can give it "same
network" privileges.
SMTP clients outside the SMTP server's network need a different way to get
"same network" privileges. To address this need, Postfix supports SASL
authentication (RFC 4954, formerly RFC 2554). With this a remote SMTP client
can authenticate to the Postfix SMTP server, and the Postfix SMTP client can
authenticate to a remote SMTP server. Once a client is authenticated, a server
can give it "same network" privileges.
Postfix does not implement SASL itself, but instead uses existing
implementations as building blocks. This means that some SASL-related
@ -101,10 +101,10 @@ These commands are available only with Postfix version 2.3 and later.
CCoonnffiigguurriinngg DDoovveeccoott SSAASSLL
Dovecot is a POP/IMAP server that must be configured to authenticate POP/IMAP
clients. When the Postfix SMTP server uses Dovecot SASL, it also reuses this
configuration. Consult the Dovecot documentation for how to configure and
operate the Dovecot authentication server.
Dovecot is a POP/IMAP server that has its own configuration to authenticate
POP/IMAP clients. When the Postfix SMTP server uses Dovecot SASL, it reuses
parts of this configuration. Consult the Dovecot documentation for how to
configure and operate the Dovecot authentication server.
PPoossttffiixx ttoo DDoovveeccoott SSAASSLL ccoommmmuunniiccaattiioonn
@ -141,9 +141,9 @@ Postfix SMTP server" to turn on and use SASL in the Postfix SMTP server.
CCoonnffiigguurriinngg CCyyrruuss SSAASSLL
The Cyrus SASL framework was supports a wide variety of applications. Different
applications may require different configurations. As a consequence each
application may have its own configuration file.
The Cyrus SASL framework supports a wide variety of applications (POP, IMAP,
SMTP, etc.). Different applications may require different configurations. As a
consequence each application may have its own configuration file.
The first step configuring Cyrus SASL is to determine name and location of a
configuration file that describes how the Postfix SMTP server will use the SASL
@ -256,8 +256,8 @@ its password verification service:
Additionally the saslauthd server itself must be configured. It must be told
which authentication backend to turn to for password verification. The backend
is choosen as a command line option when saslauthd is started and will be shown
in the following examples.
is selected with a saslauthd command-line option and will be shown in the
following examples.
NNoottee
@ -335,8 +335,8 @@ shows the response when authentication is successful:
-debug packages.
Specify an additional "-s smtp" if saslauthd was configured to contact the PAM
authentication framework and an additional "-f //ppaatthh//ttoo//ssoocckkeettddiirr//mmuuxx" if
saslauthd establishes the UNIX-domain socket in a non-default location.
authentication framework, and specify an additional "-f //ppaatthh//ttoo//ssoocckkeettddiirr//mmuuxx"
if saslauthd establishes the UNIX-domain socket in a non-default location.
If authentication succeeds, proceed with the section "Enabling SASL
authentication and authorization in the Postfix SMTP server".
@ -347,14 +347,15 @@ Cyrus SASL uses a plugin infrastructure (called auxprop) to expand libsasl's
capabilities. Currently Cyrus SASL sources provide three authentication
plugins.
sasldb
Accounts are stored stored in a Cyrus SASL Berkeley DB database
sql
Accounts are stored in a SQL database
ldapdb
Accounts are stored stored in an LDAP database
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|PPlluuggiinn|DDeessccrriippttiioonn |
|_ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|sasldb|Accounts are stored stored in a Cyrus SASL Berkeley DB database|
|_ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|sql |Accounts are stored in a SQL database |
|_ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|ldapdb|Accounts are stored stored in an LDAP database |
|_ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
IImmppoorrttaanntt
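Review bot: the duplicated word in "Accounts are stored stored in ..." survives the conversion from the definition list to the table for both the sasldb and ldapdb rows; fix it while those rows are being rewritten anyway.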
@ -425,11 +426,12 @@ requires that SASL client passwords are stored as plaintext.
TTiipp
If you must store encrypted passwords, see section "Using saslauthd with
PAM", and configure PAM to look up the encrypted passwords with, for
example, the pam_mysql module. You will not be able to use any of the
methods that require access to plaintext passwords, such as the shared-
secret methods CRAM-MD5 and DIGEST-MD5.
If you must store encrypted passwords, you cannot use the sql auxprop
plugin. Instead, see section "Using saslauthd with PAM", and configure PAM
to look up the encrypted passwords with, for example, the pam_mysql module.
You will not be able to use any of the methods that require access to
plaintext passwords, such as the shared-secret methods CRAM-MD5 and DIGEST-
MD5.
The following example configures libsasl to use the sql plugin and connects it
to a PostgreSQL server:
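Review bot: "encrypted passwords" in the tip describes what are in practice one-way hashes (what pam_mysql compares against); wording it as "hashed (non-plaintext) passwords" would make the last sentence follow directly, because CRAM-MD5 and DIGEST-MD5 need the plaintext secret on the server side.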
@ -514,12 +516,12 @@ plaintext.
TTiipp
If you must store encrypted passwords, you can use "saslauthd -a ldap" to
query the LDAP database directly, with appropriate configuration in
saslauthd.conf. This may be documented in a later version of this document.
You will not be able to use any of the methods that require access to
plaintext passwords, such as the shared-secret methods CRAM-MD5 and DIGEST-
MD5.
If you must store encrypted passwords, you cannot use the ldapdb auxprop
plugin. Instead, you can use "saslauthd -a ldap" to query the LDAP database
directly, with appropriate configuration in saslauthd.conf. This may be
documented in a later version of this document. You will not be able to use
any of the methods that require access to plaintext passwords, such as the
shared-secret methods CRAM-MD5 and DIGEST-MD5.
The ldapdb plugin implements proxy authorization. This means that the ldapdb
plugin uses its own username and password to authenticate with the LDAP server,
@ -659,7 +661,7 @@ SASL socket:
EEnnaabblliinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr
Regardless of the SASL implementation type, enabling SMTP authentication in the
Postfix SMTP server always requires seting the smtpd_sasl_auth_enable option:
Postfix SMTP server always requires setting the smtpd_sasl_auth_enable option:
/etc/postfix/main.cf:
smtpd_sasl_auth_enable = yes
@ -1105,12 +1107,18 @@ mechanisms are not allowed (nor is any anonymous mechanism):
/etc/postfix/main.cf:
smtp_sasl_security_options = noplaintext, noanonymous
This default policy leads to authentication failures if the remote server only
offers plaintext authentication mechanisms. In such cases the SMTP client will
log the following error message:
This default policy, which allows no plaintext passwords, leads to
authentication failures if the remote server only offers plaintext
authentication mechanisms (the SMTP server announces "AUTH PLAIN LOGIN"). In
such cases the SMTP client will log the following error message:
SASL authentication failure: No worthy mechs found
NNoottee
This same error message will also be logged when the libplain.so or
liblogin.so modules are not installed in the /usr/lib/sasl2 directory.
The less secure approach is to lower the security standards and permit
plaintext authentication mechanisms:
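Review bot: before "The less secure approach ...", suggest mentioning smtp_sasl_tls_security_options, which relaxes the mechanism policy only for TLS-protected sessions; otherwise readers who hit "No worthy mechs found" will remove noplaintext from smtp_sasl_security_options for every connection, not just the encrypted ones.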

View File

@ -2,8 +2,6 @@ Wish list:
Remove this file from the stable release.
instead of ipc_idle, reduce ipc_ttl.
Add smtpd_sender_login_maps to proxy_read_maps. What other
parameters are worthy of being whitelisted for proxy access?
Is there a way to automate this decision?
@ -24,7 +22,7 @@ Wish list:
the result exceeds the limit.
Should the postscreen save permanent white/black list lookup
results int the temporary cache, and query the temporary
results to the temporary cache, and query the temporary
cache first? Skipping white/black list lookups will speed
up the handling of "good" clients without a permanent
whitelist entry. Of course, this means that updates to the

View File

@ -602,7 +602,7 @@ in the <a href="master.5.html">master.cf</a> file. This feature is available in
<blockquote>
<pre>
/etc/postfix/<a href="master.5.html">master.cf</a>:
:10026 inet n - n - - smtpd
127.0.0.1:10026 inet n - n - - smtpd
-o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_address_mappings">no_address_mappings</a>
</pre>
</blockquote>
@ -701,7 +701,7 @@ Postfix version 2.1 and later. </p>
<blockquote>
<pre>
/etc/postfix/<a href="master.5.html">master.cf</a>:
:10026 inet n - n - - smtpd
127.0.0.1:10026 inet n - n - - smtpd
-o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_address_mappings">no_address_mappings</a>
</pre>
</blockquote>
@ -751,7 +751,7 @@ is available in Postfix version 2.1 and later. </p>
<blockquote>
<pre>
/etc/postfix/<a href="master.5.html">master.cf</a>:
:10026 inet n - n - - smtpd
127.0.0.1:10026 inet n - n - - smtpd
-o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_address_mappings">no_address_mappings</a>
</pre>
</blockquote>
@ -810,7 +810,7 @@ in the <a href="master.5.html">master.cf</a> file. This feature is available in
<blockquote>
<pre>
/etc/postfix/<a href="master.5.html">master.cf</a>:
:10026 inet n - n - - smtpd
127.0.0.1:10026 inet n - n - - smtpd
-o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_address_mappings">no_address_mappings</a>
</pre>
</blockquote>

View File

@ -370,7 +370,7 @@ example, the lookup table "static:foobar" always returns the string
described in <a href="tcp_table.5.html">tcp_table(5)</a>. The lookup table name is "<a href="tcp_table.5.html">tcp</a>:host:port"
where "host" specifies a symbolic hostname or a numeric IP address,
and "port" specifies a symbolic service name or a numeric port
number. This protocol is not available in the stable Postfix release.
number.
</dd>
<dt> <b>unix</b> (read-only) </dt>

View File

@ -32,8 +32,8 @@ the server itself is responsible for. Usually, SMTP servers allow
mail to remote destinations when the client's IP address is in the
"same network" as the server's IP address. </p>
<p> Sometimes an SMTP client needs "same network" privileges when
it connects from elsewhere. To address this problem, Postfix
<p> SMTP clients outside the SMTP server's network need a different
way to get "same network" privileges. To address this need, Postfix
supports SASL authentication (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>, formerly RFC 2554). With
this a remote SMTP client can authenticate to the Postfix SMTP
server, and the Postfix SMTP client can authenticate to a remote
@ -176,10 +176,10 @@ later. </p>
<h3><a name="server_dovecot">Configuring Dovecot SASL</a></h3>
<p> Dovecot is a POP/IMAP server that must be configured to
<p> Dovecot is a POP/IMAP server that has its own configuration to
authenticate POP/IMAP clients. When the Postfix SMTP server uses
Dovecot SASL, it also reuses this configuration. Consult the <a
href="http://wiki.dovecot.org">Dovecot documentation</a> for how
Dovecot SASL, it reuses parts of this configuration. Consult the
<a href="http://wiki.dovecot.org">Dovecot documentation</a> for how
to configure and operate the Dovecot authentication server. </p>
<h4><a name="server_dovecot_comm">Postfix to Dovecot SASL communication</a></h4>
@ -220,16 +220,14 @@ SASL socket in <code>/var/spool/postfix/private/auth</code>, and
lines 11-13 limit read+write permissions to user and group
<code>postfix</code> only. </p>
<p> Proceed with the section "<a href="#server_sasl_enable"
title="Enabling SASL authentication and configuring authorization
in the Postfix SMTP server">Enabling SASL authentication and
authorization in the Postfix SMTP server</a>" to turn on and use
SASL in the Postfix SMTP server. </p>
<p> Proceed with the section "<a href="#server_sasl_enable">Enabling
SASL authentication and authorization in the Postfix SMTP server</a>"
to turn on and use SASL in the Postfix SMTP server. </p>
<h3><a name="server_cyrus">Configuring Cyrus SASL</a></h3>
<p> The Cyrus SASL framework was supports a wide variety of
applications. Different applications may require different
<p> The Cyrus SASL framework supports a wide variety of applications
(POP, IMAP, SMTP, etc.). Different applications may require different
configurations. As a consequence each application may have its own
configuration file. </p>
@ -438,9 +436,9 @@ by an additional security layer such as a TLS-encrypted SMTP session
<p> Additionally the <code>saslauthd</code> server itself must be
configured. It must be told which authentication backend to turn
to for password verification. The backend is choosen as a command
line option when <code>saslauthd</code> is started and will be shown
in the following examples. </p>
to for password verification. The backend is selected with a
<code>saslauthd</code> command-line option and will be shown in the
following examples. </p>
<blockquote>
@ -561,14 +559,15 @@ when authentication is successful: </p>
<p> Sometimes the <code>testsaslauthd</code> program is not distributed
with a the Cyrus SASL main package. In that case, it may be
distributed with -devel, -dev or -debug packages. </p>
distributed with <code>-devel</code>, <code>-dev</code> or
<code>-debug</code> packages. </p>
</blockquote>
<p> Specify an additional "<code>-s smtp</code>" if <code>saslauthd</code>
was configured to contact the PAM authentication framework and an
additional "<code>-f <em>/path/to/socketdir/mux</em></code>" if
<code>saslauthd</code> establishes the UNIX-domain socket in a
was configured to contact the PAM authentication framework, and
specify an additional "<code>-f <em>/path/to/socketdir/mux</em></code>"
if <code>saslauthd</code> establishes the UNIX-domain socket in a
non-default location. </p>
<p> If authentication succeeds, proceed with the section "<a
@ -584,22 +583,20 @@ SASL sources provide three authentication plugins. </p>
<blockquote>
<dl>
<table border="1">
<dt><a href="#auxprop_sasldb">sasldb</a></dt>
<tr> <th>Plugin </th> <th>Description </th> </tr>
<dd> <p> Accounts are stored stored in a Cyrus SASL Berkeley DB
database </p> </dd>
<tr> <td><a href="#auxprop_sasldb">sasldb</a></dt> <td> Accounts
are stored stored in a Cyrus SASL Berkeley DB database </td> </tr>
<dt><a href="#auxprop_sql">sql</a></dt>
<tr> <td><a href="#auxprop_sql">sql</a></dt> <td> Accounts are
stored in a SQL database </td> </tr>
<dd> <p> Accounts are stored in a SQL database </p> </dd>
<tr> <td><a href="#auxprop_ldapdb">ldapdb</a></dt> <td> Accounts
are stored stored in an LDAP database </td> </tr>
<dt><a href="#auxprop_ldapdb">ldapdb</a></dt>
<dd> <p> Accounts are stored stored in an LDAP database </p> </dd>
</dl>
</table>
</blockquote>
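Review bot: the new table rows close the first cell with "</dt>" instead of "</td>" ("<tr> <td><a href="#auxprop_sasldb">sasldb</a></dt> <td> Accounts", and likewise for the sql and ldapdb rows), a leftover from the <dl> markup being replaced; browsers mostly recover but the HTML is invalid, and the "stored stored" duplication in the sasldb and ldapdb cells should be fixed in the same pass.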
@ -718,12 +715,13 @@ stored as plaintext. </p>
<strong>Tip</strong>
<p> If you must store encrypted passwords, see section "<a
href="#saslauthd_pam">Using saslauthd with PAM</a>", and configure
PAM to look up the encrypted passwords with, for example, the
<code>pam_mysql</code> module. You will not be able to use any of
the methods that require access to plaintext passwords, such as the
shared-secret methods CRAM-MD5 and DIGEST-MD5. </p>
<p> If you must store encrypted passwords, you cannot use the sql
auxprop plugin. Instead, see section "<a href="#saslauthd_pam">Using
saslauthd with PAM</a>", and configure PAM to look up the encrypted
passwords with, for example, the <code>pam_mysql</code> module.
You will not be able to use any of the methods that require access
to plaintext passwords, such as the shared-secret methods CRAM-MD5
and DIGEST-MD5. </p>
</blockquote>
@ -896,12 +894,13 @@ stored as plaintext. </p>
<strong>Tip</strong>
<p> If you must store encrypted passwords, you can use "<code>saslauthd
-a ldap</code>" to query the LDAP database directly, with appropriate
configuration in <code>saslauthd.conf</code>. This may be documented
in a later version of this document. You will not be able to use
any of the methods that require access to plaintext passwords, such
as the shared-secret methods CRAM-MD5 and DIGEST-MD5. </p>
<p> If you must store encrypted passwords, you cannot use the ldapdb
auxprop plugin. Instead, you can use "<code>saslauthd -a ldap</code>"
to query the LDAP database directly, with appropriate configuration
in <code>saslauthd.conf</code>. This may be documented in a later
version of this document. You will not be able to use any of the
methods that require access to plaintext passwords, such as the
shared-secret methods CRAM-MD5 and DIGEST-MD5. </p>
</blockquote>
@ -1123,7 +1122,7 @@ server runs chrooted. </p>
in the Postfix SMTP server</a></h4>
<p> Regardless of the SASL implementation type, enabling SMTP
authentication in the Postfix SMTP server always requires seting
authentication in the Postfix SMTP server always requires setting
the <code><a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a></code> option: </p>
<blockquote>
@ -1775,10 +1774,11 @@ mechanism): </p>
</pre>
</blockquote>
<p> This default policy leads to authentication failures if the
remote server only offers plaintext authentication mechanisms. In
such cases the SMTP client will log the following error message:
</p>
<p> This default policy, which allows no plaintext passwords, leads
to authentication failures if the remote server only offers plaintext
authentication mechanisms (the SMTP server announces "<code>AUTH
PLAIN LOGIN</code>"). In such cases the SMTP client will log the
following error message: </p>
<blockquote>
<pre>
@ -1786,6 +1786,16 @@ SASL authentication failure: No worthy mechs found
</pre>
</blockquote>
<blockquote>
<strong>Note</strong>
<p> This same error message will also be logged when the
<code>libplain.so</code> or <code>liblogin.so</code> modules are
not installed in the <code>/usr/lib/sasl2</code> directory. </p>
</blockquote>
<p> The less secure approach is to lower the security standards and
permit plaintext authentication mechanisms: </p>

View File

@ -45,10 +45,11 @@ BOUNCE(8) BOUNCE(8)
<b>STANDARDS</b>
<a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
<a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
<a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (ARPA Internet Text Messages)
<a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
<a href="http://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
<a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
<a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
<a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8).

View File

@ -45,10 +45,11 @@ BOUNCE(8) BOUNCE(8)
<b>STANDARDS</b>
<a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
<a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
<a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (ARPA Internet Text Messages)
<a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
<a href="http://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
<a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
<a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
<a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8).

View File

@ -274,19 +274,18 @@ This feature is available in Postfix 2.1 and later.
</DD>
<DT><b><a name="address_verify_poll_count">address_verify_poll_count</a>
(default: see "postconf -d" output)</b></DT><DD>
(default: ${stress?1}${stress:3})</b></DT><DD>
<p>
How many times to query the <a href="verify.8.html">verify(8)</a> service for the completion
of an address verification request in progress.
</p>
<p>
The Postfix SMTP server polls the <a href="verify.8.html">verify(8)</a> service up to three
times under non-overload conditions, and only once when under
overload. With Postfix version 2.6 and earlier, the SMTP server
always polls the <a href="verify.8.html">verify(8)</a> service up to three times.
</p>
<p> By default, the Postfix SMTP server polls the <a href="verify.8.html">verify(8)</a> service
up to three times under non-overload conditions, and only once when
under overload. With Postfix version 2.6 and earlier, the SMTP
server always polls the <a href="verify.8.html">verify(8)</a> service up to three times by
default. </p>
<p>
Specify 1 to implement a crude form of greylisting, that is, always
@ -294,10 +293,13 @@ defer the first delivery request for a new address.
</p>
<p>
Example:
Examples:
</p>
<pre>
# Postfix &le; 2.6 default
<a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> = 3
# Poor man's greylisting
<a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> = 1
</pre>
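Review bot: the new default "${stress?1}${stress:3}" is the first place in this entry where the conditional parameter syntax appears; add a pointer to where the ${name?value}${name:value} expansion and the stress parameter are documented, since readers who previously saw "see 'postconf -d' output" will otherwise meet an unfamiliar expression where they expect a number.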

View File

@ -345,7 +345,7 @@ SMTPD(8) SMTPD(8)
Available in Postfix version 2.1 and 2.2:
<b>smtpd_sasl_application_name (smtpd)</b>
<b><a href="postconf.5.html#smtpd_sasl_application_name">smtpd_sasl_application_name</a> (smtpd)</b>
The application name that the Postfix SMTP server
uses for SASL server initialization.
@ -992,7 +992,7 @@ SMTPD(8) SMTPD(8)
and operate the Postfix sender/recipient address verifica-
tion service.
<b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (see 'postconf -d' output)</b>
<b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (${stress?1}${stress:3})</b>
How many times to query the <a href="verify.8.html"><b>verify</b>(8)</a> service for
the completion of an address verification request
in progress.

View File

@ -45,10 +45,11 @@ BOUNCE(8) BOUNCE(8)
<b>STANDARDS</b>
<a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
<a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
<a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (ARPA Internet Text Messages)
<a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
<a href="http://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
<a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
<a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
<a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8).

View File

@ -157,23 +157,27 @@ be refreshed.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
.PP
This feature is available in Postfix 2.1 and later.
.SH address_verify_poll_count (default: see "postconf -d" output)
.SH address_verify_poll_count (default: ${stress?1}${stress:3})
How many times to query the \fBverify\fR(8) service for the completion
of an address verification request in progress.
.PP
The Postfix SMTP server polls the \fBverify\fR(8) service up to three
times under non-overload conditions, and only once when under
overload. With Postfix version 2.6 and earlier, the SMTP server
always polls the \fBverify\fR(8) service up to three times.
By default, the Postfix SMTP server polls the \fBverify\fR(8) service
up to three times under non-overload conditions, and only once when
under overload. With Postfix version 2.6 and earlier, the SMTP
server always polls the \fBverify\fR(8) service up to three times by
default.
.PP
Specify 1 to implement a crude form of greylisting, that is, always
defer the first delivery request for a new address.
.PP
Example:
Examples:
.PP
.nf
.na
.ft C
# Postfix <= 2.6 default
address_verify_poll_count = 3
# Poor man's greylisting
address_verify_poll_count = 1
.fi
.ad

View File

@ -43,10 +43,11 @@ themselves, and that depend on retry logic in their own client.
.nf
RFC 822 (ARPA Internet Text Messages)
RFC 2045 (Format of Internet Message Bodies)
RFC 2822 (ARPA Internet Text Messages)
RFC 2822 (Internet Message Format)
RFC 3462 (Delivery Status Notifications)
RFC 3464 (Delivery Status Notifications)
RFC 3834 (Auto-Submitted: message header)
RFC 5322 (Internet Message Format)
.SH DIAGNOSTICS
.ad
.fi

View File

@ -384,8 +384,8 @@ File with the Postfix SMTP server RSA private key in PEM format.
.IP "\fBsmtpd_tls_loglevel (0)\fR"
Enable additional Postfix SMTP server logging of TLS activity.
.IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR"
The minimum TLS cipher grade that the Postfix SMTP server
will use with mandatory TLS encryption.
The minimum TLS cipher grade that the Postfix SMTP server will
use with mandatory TLS encryption.
.IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
Additional list of ciphers or cipher types to exclude from the
SMTP server cipher list at mandatory TLS security levels.
@ -794,7 +794,7 @@ verification probes is maintained by the \fBverify\fR(8) server.
See the file ADDRESS_VERIFICATION_README for information
about how to configure and operate the Postfix sender/recipient
address verification service.
.IP "\fBaddress_verify_poll_count (see 'postconf -d' output)\fR"
.IP "\fBaddress_verify_poll_count (${stress?1}${stress:3})\fR"
How many times to query the \fBverify\fR(8) service for the completion
of an address verification request in progress.
.IP "\fBaddress_verify_poll_delay (3s)\fR"

View File

@ -602,7 +602,7 @@ in the master.cf file. This feature is available in Postfix version
<blockquote>
<pre>
/etc/postfix/master.cf:
:10026 inet n - n - - smtpd
127.0.0.1:10026 inet n - n - - smtpd
-o receive_override_options=no_address_mappings
</pre>
</blockquote>
@ -701,7 +701,7 @@ Postfix version 2.1 and later. </p>
<blockquote>
<pre>
/etc/postfix/master.cf:
:10026 inet n - n - - smtpd
127.0.0.1:10026 inet n - n - - smtpd
-o receive_override_options=no_address_mappings
</pre>
</blockquote>
@ -751,7 +751,7 @@ is available in Postfix version 2.1 and later. </p>
<blockquote>
<pre>
/etc/postfix/master.cf:
:10026 inet n - n - - smtpd
127.0.0.1:10026 inet n - n - - smtpd
-o receive_override_options=no_address_mappings
</pre>
</blockquote>
@ -810,7 +810,7 @@ in the master.cf file. This feature is available in Postfix version
<blockquote>
<pre>
/etc/postfix/master.cf:
:10026 inet n - n - - smtpd
127.0.0.1:10026 inet n - n - - smtpd
-o receive_override_options=no_address_mappings
</pre>
</blockquote>

View File

@ -370,7 +370,7 @@ example, the lookup table "static:foobar" always returns the string
described in tcp_table(5). The lookup table name is "tcp:host:port"
where "host" specifies a symbolic hostname or a numeric IP address,
and "port" specifies a symbolic service name or a numeric port
number. This protocol is not available in the stable Postfix release.
number.
</dd>
<dt> <b>unix</b> (read-only) </dt>

View File

@ -32,8 +32,8 @@ the server itself is responsible for. Usually, SMTP servers allow
mail to remote destinations when the client's IP address is in the
"same network" as the server's IP address. </p>
<p> Sometimes an SMTP client needs "same network" privileges when
it connects from elsewhere. To address this problem, Postfix
<p> SMTP clients outside the SMTP server's network need a different
way to get "same network" privileges. To address this need, Postfix
supports SASL authentication (RFC 4954, formerly RFC 2554). With
this a remote SMTP client can authenticate to the Postfix SMTP
server, and the Postfix SMTP client can authenticate to a remote
@ -176,10 +176,10 @@ later. </p>
<h3><a name="server_dovecot">Configuring Dovecot SASL</a></h3>
<p> Dovecot is a POP/IMAP server that must be configured to
<p> Dovecot is a POP/IMAP server that has its own configuration to
authenticate POP/IMAP clients. When the Postfix SMTP server uses
Dovecot SASL, it also reuses this configuration. Consult the <a
href="http://wiki.dovecot.org">Dovecot documentation</a> for how
Dovecot SASL, it reuses parts of this configuration. Consult the
<a href="http://wiki.dovecot.org">Dovecot documentation</a> for how
to configure and operate the Dovecot authentication server. </p>
<h4><a name="server_dovecot_comm">Postfix to Dovecot SASL communication</a></h4>
@ -220,16 +220,14 @@ SASL socket in <code>/var/spool/postfix/private/auth</code>, and
lines 11-13 limit read+write permissions to user and group
<code>postfix</code> only. </p>
<p> Proceed with the section "<a href="#server_sasl_enable"
title="Enabling SASL authentication and configuring authorization
in the Postfix SMTP server">Enabling SASL authentication and
authorization in the Postfix SMTP server</a>" to turn on and use
SASL in the Postfix SMTP server. </p>
<p> Proceed with the section "<a href="#server_sasl_enable">Enabling
SASL authentication and authorization in the Postfix SMTP server</a>"
to turn on and use SASL in the Postfix SMTP server. </p>
<h3><a name="server_cyrus">Configuring Cyrus SASL</a></h3>
<p> The Cyrus SASL framework was supports a wide variety of
applications. Different applications may require different
<p> The Cyrus SASL framework supports a wide variety of applications
(POP, IMAP, SMTP, etc.). Different applications may require different
configurations. As a consequence each application may have its own
configuration file. </p>
@ -438,9 +436,9 @@ by an additional security layer such as a TLS-encrypted SMTP session
<p> Additionally the <code>saslauthd</code> server itself must be
configured. It must be told which authentication backend to turn
to for password verification. The backend is choosen as a command
line option when <code>saslauthd</code> is started and will be shown
in the following examples. </p>
to for password verification. The backend is selected with a
<code>saslauthd</code> command-line option and will be shown in the
following examples. </p>
<blockquote>
@ -561,14 +559,15 @@ when authentication is successful: </p>
<p> Sometimes the <code>testsaslauthd</code> program is not distributed
with a the Cyrus SASL main package. In that case, it may be
distributed with -devel, -dev or -debug packages. </p>
distributed with <code>-devel</code>, <code>-dev</code> or
<code>-debug</code> packages. </p>
</blockquote>
<p> Specify an additional "<code>-s smtp</code>" if <code>saslauthd</code>
was configured to contact the PAM authentication framework and an
additional "<code>-f <em>/path/to/socketdir/mux</em></code>" if
<code>saslauthd</code> establishes the UNIX-domain socket in a
was configured to contact the PAM authentication framework, and
specify an additional "<code>-f <em>/path/to/socketdir/mux</em></code>"
if <code>saslauthd</code> establishes the UNIX-domain socket in a
non-default location. </p>
<p> If authentication succeeds, proceed with the section "<a
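Review bot: the unchanged context line "with a the Cyrus SASL main package" still carries the doubled article; since this paragraph is being rewritten anyway, drop the stray "a" in the same hunk.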
@ -584,22 +583,20 @@ SASL sources provide three authentication plugins. </p>
<blockquote>
<dl>
<table border="1">
<dt><a href="#auxprop_sasldb">sasldb</a></dt>
<tr> <th>Plugin </th> <th>Description </th> </tr>
<dd> <p> Accounts are stored stored in a Cyrus SASL Berkeley DB
database </p> </dd>
<tr> <td><a href="#auxprop_sasldb">sasldb</a></dt> <td> Accounts
are stored stored in a Cyrus SASL Berkeley DB database </td> </tr>
<dt><a href="#auxprop_sql">sql</a></dt>
<tr> <td><a href="#auxprop_sql">sql</a></dt> <td> Accounts are
stored in a SQL database </td> </tr>
<dd> <p> Accounts are stored in a SQL database </p> </dd>
<tr> <td><a href="#auxprop_ldapdb">ldapdb</a></dt> <td> Accounts
are stored stored in an LDAP database </td> </tr>
<dt><a href="#auxprop_ldapdb">ldapdb</a></dt>
<dd> <p> Accounts are stored stored in an LDAP database </p> </dd>
</dl>
</table>
</blockquote>
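Review bot: the new table rows close each `<td>` with `</dt>` instead of `</td>` (the `sasldb`, `sql` and `ldapdb` rows), a leftover from the `<dl>` markup being replaced, which makes the HTML invalid; the `sasldb` and `ldapdb` rows also keep the duplicated "stored stored". Suggested row: `<tr> <td><a href="#auxprop_sasldb">sasldb</a></td> <td> Accounts are stored in a Cyrus SASL Berkeley DB database </td> </tr>`, with the same `</td>` fix for the other two rows.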
@ -718,12 +715,13 @@ stored as plaintext. </p>
<strong>Tip</strong>
<p> If you must store encrypted passwords, see section "<a
href="#saslauthd_pam">Using saslauthd with PAM</a>", and configure
PAM to look up the encrypted passwords with, for example, the
<code>pam_mysql</code> module. You will not be able to use any of
the methods that require access to plaintext passwords, such as the
shared-secret methods CRAM-MD5 and DIGEST-MD5. </p>
<p> If you must store encrypted passwords, you cannot use the sql
auxprop plugin. Instead, see section "<a href="#saslauthd_pam">Using
saslauthd with PAM</a>", and configure PAM to look up the encrypted
passwords with, for example, the <code>pam_mysql</code> module.
You will not be able to use any of the methods that require access
to plaintext passwords, such as the shared-secret methods CRAM-MD5
and DIGEST-MD5. </p>
</blockquote>
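Review bot: "encrypted passwords" in this tip means one-way hashed (crypt-style) passwords, and that is the real reason the shared-secret mechanisms are ruled out: PAM can hash the plaintext password a PLAIN/LOGIN client sends and compare, while CRAM-MD5 and DIGEST-MD5 require the server to hold the plaintext secret. Saying "hashed" rather than "encrypted" would make that reasoning explicit; the ldapdb tip below uses the same wording and would benefit from the same change.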
@ -896,12 +894,13 @@ stored as plaintext. </p>
<strong>Tip</strong>
<p> If you must store encrypted passwords, you can use "<code>saslauthd
-a ldap</code>" to query the LDAP database directly, with appropriate
configuration in <code>saslauthd.conf</code>. This may be documented
in a later version of this document. You will not be able to use
any of the methods that require access to plaintext passwords, such
as the shared-secret methods CRAM-MD5 and DIGEST-MD5. </p>
<p> If you must store encrypted passwords, you cannot use the ldapdb
auxprop plugin. Instead, you can use "<code>saslauthd -a ldap</code>"
to query the LDAP database directly, with appropriate configuration
in <code>saslauthd.conf</code>. This may be documented in a later
version of this document. You will not be able to use any of the
methods that require access to plaintext passwords, such as the
shared-secret methods CRAM-MD5 and DIGEST-MD5. </p>
</blockquote>
@ -1123,7 +1122,7 @@ server runs chrooted. </p>
in the Postfix SMTP server</a></h4>
<p> Regardless of the SASL implementation type, enabling SMTP
authentication in the Postfix SMTP server always requires seting
authentication in the Postfix SMTP server always requires setting
the <code>smtpd_sasl_auth_enable</code> option: </p>
<blockquote>
@ -1775,10 +1774,11 @@ mechanism): </p>
</pre>
</blockquote>
<p> This default policy leads to authentication failures if the
remote server only offers plaintext authentication mechanisms. In
such cases the SMTP client will log the following error message:
</p>
<p> This default policy, which allows no plaintext passwords, leads
to authentication failures if the remote server only offers plaintext
authentication mechanisms (the SMTP server announces "<code>AUTH
PLAIN LOGIN</code>"). In such cases the SMTP client will log the
following error message: </p>
<blockquote>
<pre>
@ -1786,6 +1786,16 @@ SASL authentication failure: No worthy mechs found
</pre>
</blockquote>
<blockquote>
<strong>Note</strong>
<p> This same error message will also be logged when the
<code>libplain.so</code> or <code>liblogin.so</code> modules are
not installed in the <code>/usr/lib/sasl2</code> directory. </p>
</blockquote>
<p> The less secure approach is to lower the security standards and
permit plaintext authentication mechanisms: </p>
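Review bot: the added Note hard-codes `/usr/lib/sasl2` as the place where `libplain.so` and `liblogin.so` must live, but the Cyrus SASL plugin directory is platform-dependent (64-bit and multiarch layouts use other paths), so a reader whose plugins are installed elsewhere may conclude they are missing. Suggest "not installed in the Cyrus SASL plugin directory (for example, `/usr/lib/sasl2`)".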

View File

@ -301,19 +301,18 @@ seconds. </p>
<p> This feature is available in Postfix 2.7. </p>
%PARAM address_verify_poll_count see "postconf -d" output
%PARAM address_verify_poll_count ${stress?1}${stress:3}
<p>
How many times to query the verify(8) service for the completion
of an address verification request in progress.
</p>
<p>
The Postfix SMTP server polls the verify(8) service up to three
times under non-overload conditions, and only once when under
overload. With Postfix version 2.6 and earlier, the SMTP server
always polls the verify(8) service up to three times.
</p>
<p> By default, the Postfix SMTP server polls the verify(8) service
up to three times under non-overload conditions, and only once when
under overload. With Postfix version 2.6 and earlier, the SMTP
server always polls the verify(8) service up to three times by
default. </p>
<p>
Specify 1 to implement a crude form of greylisting, that is, always
@ -321,10 +320,13 @@ defer the first delivery request for a new address.
</p>
<p>
Example:
Examples:
</p>
<pre>
# Postfix &le; 2.6 default
address_verify_poll_count = 3
# Poor man's greylisting
address_verify_poll_count = 1
</pre>

View File

@ -35,10 +35,11 @@
/* STANDARDS
/* RFC 822 (ARPA Internet Text Messages)
/* RFC 2045 (Format of Internet Message Bodies)
/* RFC 2822 (ARPA Internet Text Messages)
/* RFC 2822 (Internet Message Format)
/* RFC 3462 (Delivery Status Notifications)
/* RFC 3464 (Delivery Status Notifications)
/* RFC 3834 (Auto-Submitted: message header)
/* RFC 5322 (Internet Message Format)
/* DIAGNOSTICS
/* Problems and transactions are logged to \fBsyslogd\fR(8).
/* CONFIGURATION PARAMETERS

View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20100208"
#define MAIL_RELEASE_DATE "20100213"
#define MAIL_VERSION_NUMBER "2.8"
#ifdef SNAPSHOT

View File

@ -19,14 +19,15 @@
/*
/* Sender address override is a problem only when delivering
/* to command or file, or when breaking a Delivered-To loop.
/* The local(8) delivery agent saves other recipients to a new
/* queue file, together with the replacement envelope sender
/* address; delivery then proceeds from that new queue file.
/* The local(8) delivery agent saves normal recipients to a
/* new queue file, together with the replacement envelope
/* sender address; delivery then proceeds from that new queue
/* file, and no workaround is needed.
/*
/* The workaround sends one non-delivery notification for each
/* failed delivery that has a replacement sender address. The
/* notifications are not aggregated, unlike notifications to
/* non-replaced sender addresses). In practice, a local alias
/* non-replaced sender addresses. In practice, a local alias
/* rarely has more than one file or command destination (if
/* only because soft error handling is problematic).
/*

View File

@ -352,8 +352,8 @@
/* .IP "\fBsmtpd_tls_loglevel (0)\fR"
/* Enable additional Postfix SMTP server logging of TLS activity.
/* .IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR"
/* The minimum TLS cipher grade that the Postfix SMTP server
/* will use with mandatory TLS encryption.
/* The minimum TLS cipher grade that the Postfix SMTP server will
/* use with mandatory TLS encryption.
/* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
/* Additional list of ciphers or cipher types to exclude from the
/* SMTP server cipher list at mandatory TLS security levels.
@ -744,7 +744,7 @@
/* See the file ADDRESS_VERIFICATION_README for information
/* about how to configure and operate the Postfix sender/recipient
/* address verification service.
/* .IP "\fBaddress_verify_poll_count (see 'postconf -d' output)\fR"
/* .IP "\fBaddress_verify_poll_count (${stress?1}${stress:3})\fR"
/* How many times to query the \fBverify\fR(8) service for the completion
/* of an address verification request in progress.
/* .IP "\fBaddress_verify_poll_delay (3s)\fR"

View File

@ -223,9 +223,7 @@ static const DICT_OPEN_INFO dict_open_info[] = {
DICT_TYPE_ENVIRON, dict_env_open,
DICT_TYPE_HT, dict_ht_open,
DICT_TYPE_UNIX, dict_unix_open,
#ifdef SNAPSHOT
DICT_TYPE_TCP, dict_tcp_open,
#endif
#ifdef HAS_SDBM
DICT_TYPE_SDBM, dict_sdbm_open,
#endif
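Review bot: removing the `#ifdef SNAPSHOT` guard makes `tcp:` a supported map type in every build, which matches the DATABASE_README change in this commit; the tcp_table(5) manual page is not among the visible changes, so check whether it still carries its own "not available in the stable release" wording and update it in the same commit so the code, README and manual page agree.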