mirror of https://github.com/vdukhovni/postfix synced 2025-08-22 18:07:41 +00:00

postfix-2.8-20100213

This commit is contained in:
Wietse Venema 2010-02-13 00:00:00 -05:00 committed by Viktor Dukhovni
parent bde0246003
commit 8a6397deff
25 changed files with 238 additions and 195 deletions

View File

@ -15723,3 +15723,9 @@ Apologies for any names omitted.
reuses the workaround that was implemented to report a reuses the workaround that was implemented to report a
Delivered-To: loop. Files: local/file.c, local/command.c, Delivered-To: loop. Files: local/file.c, local/command.c,
local/recipient.c, local/bounce_workaround.c. local/recipient.c, local/bounce_workaround.c.
20100209
The tcp_table(5) interface is now part of the stable release.
The last protocol change was in Postfix 2.1. File:
util/dict_open.c.
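Review bot: the new 20100209 HISTORY entry lists only util/dict_open.c under "File:", but this commit also removes the sentence "This protocol is not available in the stable Postfix release." from the tcp_table(5) description in both the plain-text and HTML database documentation hunks later in this diff; add those documentation files to the Files: list so the entry matches the change set.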

View File

@ -366,7 +366,7 @@ This feature is available in Postfix version 2.1 and later.
Example: Example:
/etc/postfix/master.cf: /etc/postfix/master.cf:
:10026 inet n - n - - smtpd 127.0.0.1:10026 inet n - n - - smtpd
-o receive_override_options=no_address_mappings -o receive_override_options=no_address_mappings
Note: do not specify whitespace around the "=" here. Note: do not specify whitespace around the "=" here.
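Review bot: changing the content-filter re-injection listener from ":10026" to "127.0.0.1:10026" is the right correction for this example. This smtpd instance runs with receive_override_options=no_address_mappings and is meant to accept mail only from the local filter; a bare ":10026" would listen on every address covered by inet_interfaces, exposing a listener whose whole purpose is to skip the normal address processing. The same fix appears in the other three hunks of this file and in the HTML version further down, so a one-line mention in the HISTORY entry would be worthwhile.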
@ -439,7 +439,7 @@ file. This feature is available in Postfix version 2.1 and later.
Example: Example:
/etc/postfix/master.cf: /etc/postfix/master.cf:
:10026 inet n - n - - smtpd 127.0.0.1:10026 inet n - n - - smtpd
-o receive_override_options=no_address_mappings -o receive_override_options=no_address_mappings
Note: do not specify whitespace around the "=" here. Note: do not specify whitespace around the "=" here.
@ -475,7 +475,7 @@ settings in the master.cf file. This feature is available in Postfix version
Example: Example:
/etc/postfix/master.cf: /etc/postfix/master.cf:
:10026 inet n - n - - smtpd 127.0.0.1:10026 inet n - n - - smtpd
-o receive_override_options=no_address_mappings -o receive_override_options=no_address_mappings
Note: do not specify whitespace around the "=" here. Note: do not specify whitespace around the "=" here.
@ -520,7 +520,7 @@ This feature is available in Postfix version 2.1 and later.
Example: Example:
/etc/postfix/master.cf: /etc/postfix/master.cf:
:10026 inet n - n - - smtpd 127.0.0.1:10026 inet n - n - - smtpd
-o receive_override_options=no_address_mappings -o receive_override_options=no_address_mappings
Note: do not specify whitespace around the "=" here. Note: do not specify whitespace around the "=" here.

View File

@ -248,8 +248,7 @@ To find out what database types your Postfix system supports, use the "ppooss
Access information through a TCP/IP server. The protocol is described Access information through a TCP/IP server. The protocol is described
in tcp_table(5). The lookup table name is "tcp:host:port" where "host" in tcp_table(5). The lookup table name is "tcp:host:port" where "host"
specifies a symbolic hostname or a numeric IP address, and "port" specifies a symbolic hostname or a numeric IP address, and "port"
specifies a symbolic service name or a numeric port number. This specifies a symbolic service name or a numeric port number.
protocol is not available in the stable Postfix release.
uunniixx (read-only) uunniixx (read-only)
A limited way to query the UNIX authentication database. The following A limited way to query the UNIX authentication database. The following
tables are implemented: tables are implemented:

View File

@ -17,12 +17,12 @@ to remote destinations, or only to destinations that the server itself is
responsible for. Usually, SMTP servers allow mail to remote destinations when responsible for. Usually, SMTP servers allow mail to remote destinations when
the client's IP address is in the "same network" as the server's IP address. the client's IP address is in the "same network" as the server's IP address.
Sometimes an SMTP client needs "same network" privileges when it connects from SMTP clients outside the SMTP server's network need a different way to get
elsewhere. To address this problem, Postfix supports SASL authentication (RFC "same network" privileges. To address this need, Postfix supports SASL
4954, formerly RFC 2554). With this a remote SMTP client can authenticate to authentication (RFC 4954, formerly RFC 2554). With this a remote SMTP client
the Postfix SMTP server, and the Postfix SMTP client can authenticate to a can authenticate to the Postfix SMTP server, and the Postfix SMTP client can
remote SMTP server. Once a client is authenticated, a server can give it "same authenticate to a remote SMTP server. Once a client is authenticated, a server
network" privileges. can give it "same network" privileges.
Postfix does not implement SASL itself, but instead uses existing Postfix does not implement SASL itself, but instead uses existing
implementations as building blocks. This means that some SASL-related implementations as building blocks. This means that some SASL-related
@ -101,10 +101,10 @@ These commands are available only with Postfix version 2.3 and later.
CCoonnffiigguurriinngg DDoovveeccoott SSAASSLL CCoonnffiigguurriinngg DDoovveeccoott SSAASSLL
Dovecot is a POP/IMAP server that must be configured to authenticate POP/IMAP Dovecot is a POP/IMAP server that has its own configuration to authenticate
clients. When the Postfix SMTP server uses Dovecot SASL, it also reuses this POP/IMAP clients. When the Postfix SMTP server uses Dovecot SASL, it reuses
configuration. Consult the Dovecot documentation for how to configure and parts of this configuration. Consult the Dovecot documentation for how to
operate the Dovecot authentication server. configure and operate the Dovecot authentication server.
PPoossttffiixx ttoo DDoovveeccoott SSAASSLL ccoommmmuunniiccaattiioonn PPoossttffiixx ttoo DDoovveeccoott SSAASSLL ccoommmmuunniiccaattiioonn
@ -141,9 +141,9 @@ Postfix SMTP server" to turn on and use SASL in the Postfix SMTP server.
CCoonnffiigguurriinngg CCyyrruuss SSAASSLL CCoonnffiigguurriinngg CCyyrruuss SSAASSLL
The Cyrus SASL framework was supports a wide variety of applications. Different The Cyrus SASL framework supports a wide variety of applications (POP, IMAP,
applications may require different configurations. As a consequence each SMTP, etc.). Different applications may require different configurations. As a
application may have its own configuration file. consequence each application may have its own configuration file.
The first step configuring Cyrus SASL is to determine name and location of a The first step configuring Cyrus SASL is to determine name and location of a
configuration file that describes how the Postfix SMTP server will use the SASL configuration file that describes how the Postfix SMTP server will use the SASL
@ -256,8 +256,8 @@ its password verification service:
Additionally the saslauthd server itself must be configured. It must be told Additionally the saslauthd server itself must be configured. It must be told
which authentication backend to turn to for password verification. The backend which authentication backend to turn to for password verification. The backend
is choosen as a command line option when saslauthd is started and will be shown is selected with a saslauthd command-line option and will be shown in the
in the following examples. following examples.
NNoottee NNoottee
@ -335,8 +335,8 @@ shows the response when authentication is successful:
-debug packages. -debug packages.
Specify an additional "-s smtp" if saslauthd was configured to contact the PAM Specify an additional "-s smtp" if saslauthd was configured to contact the PAM
authentication framework and an additional "-f //ppaatthh//ttoo//ssoocckkeettddiirr//mmuuxx" if authentication framework, and specify an additional "-f //ppaatthh//ttoo//ssoocckkeettddiirr//mmuuxx"
saslauthd establishes the UNIX-domain socket in a non-default location. if saslauthd establishes the UNIX-domain socket in a non-default location.
If authentication succeeds, proceed with the section "Enabling SASL If authentication succeeds, proceed with the section "Enabling SASL
authentication and authorization in the Postfix SMTP server". authentication and authorization in the Postfix SMTP server".
@ -347,14 +347,15 @@ Cyrus SASL uses a plugin infrastructure (called auxprop) to expand libsasl's
capabilities. Currently Cyrus SASL sources provide three authentication capabilities. Currently Cyrus SASL sources provide three authentication
plugins. plugins.
sasldb _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Accounts are stored stored in a Cyrus SASL Berkeley DB database |PPlluuggiinn|DDeessccrriippttiioonn |
|_ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
sql |sasldb|Accounts are stored stored in a Cyrus SASL Berkeley DB database|
Accounts are stored in a SQL database |_ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|sql |Accounts are stored in a SQL database |
ldapdb |_ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
Accounts are stored stored in an LDAP database |ldapdb|Accounts are stored stored in an LDAP database |
|_ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
IImmppoorrttaanntt IImmppoorrttaanntt
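Review bot: the duplicated word in "Accounts are stored stored in a Cyrus SASL Berkeley DB database" and "Accounts are stored stored in an LDAP database" is carried over into the new table rows; since the rows are being rewritten anyway, drop the repeated "stored" (the sql row already reads correctly).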
@ -425,11 +426,12 @@ requires that SASL client passwords are stored as plaintext.
TTiipp TTiipp
If you must store encrypted passwords, see section "Using saslauthd with If you must store encrypted passwords, you cannot use the sql auxprop
PAM", and configure PAM to look up the encrypted passwords with, for plugin. Instead, see section "Using saslauthd with PAM", and configure PAM
example, the pam_mysql module. You will not be able to use any of the to look up the encrypted passwords with, for example, the pam_mysql module.
methods that require access to plaintext passwords, such as the shared- You will not be able to use any of the methods that require access to
secret methods CRAM-MD5 and DIGEST-MD5. plaintext passwords, such as the shared-secret methods CRAM-MD5 and DIGEST-
MD5.
The following example configures libsasl to use the sql plugin and connects it The following example configures libsasl to use the sql plugin and connects it
to a PostgreSQL server: to a PostgreSQL server:
@ -514,12 +516,12 @@ plaintext.
TTiipp TTiipp
If you must store encrypted passwords, you can use "saslauthd -a ldap" to If you must store encrypted passwords, you cannot use the ldapdb auxprop
query the LDAP database directly, with appropriate configuration in plugin. Instead, you can use "saslauthd -a ldap" to query the LDAP database
saslauthd.conf. This may be documented in a later version of this document. directly, with appropriate configuration in saslauthd.conf. This may be
You will not be able to use any of the methods that require access to documented in a later version of this document. You will not be able to use
plaintext passwords, such as the shared-secret methods CRAM-MD5 and DIGEST- any of the methods that require access to plaintext passwords, such as the
MD5. shared-secret methods CRAM-MD5 and DIGEST-MD5.
The ldapdb plugin implements proxy authorization. This means that the ldapdb The ldapdb plugin implements proxy authorization. This means that the ldapdb
plugin uses its own username and password to authenticate with the LDAP server, plugin uses its own username and password to authenticate with the LDAP server,
@ -659,7 +661,7 @@ SASL socket:
EEnnaabblliinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr EEnnaabblliinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr
Regardless of the SASL implementation type, enabling SMTP authentication in the Regardless of the SASL implementation type, enabling SMTP authentication in the
Postfix SMTP server always requires seting the smtpd_sasl_auth_enable option: Postfix SMTP server always requires setting the smtpd_sasl_auth_enable option:
/etc/postfix/main.cf: /etc/postfix/main.cf:
smtpd_sasl_auth_enable = yes smtpd_sasl_auth_enable = yes
@ -1105,12 +1107,18 @@ mechanisms are not allowed (nor is any anonymous mechanism):
/etc/postfix/main.cf: /etc/postfix/main.cf:
smtp_sasl_security_options = noplaintext, noanonymous smtp_sasl_security_options = noplaintext, noanonymous
This default policy leads to authentication failures if the remote server only This default policy, which allows no plaintext passwords, leads to
offers plaintext authentication mechanisms. In such cases the SMTP client will authentication failures if the remote server only offers plaintext
log the following error message: authentication mechanisms (the SMTP server announces "AUTH PLAIN LOGIN"). In
such cases the SMTP client will log the following error message:
SASL authentication failure: No worthy mechs found SASL authentication failure: No worthy mechs found
NNoottee
This same error message will also be logged when the libplain.so or
liblogin.so modules are not installed in the /usr/lib/sasl2 directory.
The less secure approach is to lower the security standards and permit The less secure approach is to lower the security standards and permit
plaintext authentication mechanisms: plaintext authentication mechanisms:
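Review bot: the new Note names /usr/lib/sasl2 as the directory where libplain.so and liblogin.so must be installed, but that is only the default plugin directory of a Cyrus SASL build; packaged installations frequently use another path (a lib64 variant, for example). Phrase it as "the Cyrus SASL plugin directory (/usr/lib/sasl2 by default)" so readers on such systems do not conclude the modules are missing when they are merely elsewhere. The added remark that the server announces "AUTH PLAIN LOGIN" is a useful hint, since it lets an operator tell the policy failure apart from the missing-plugin failure that produces the same "No worthy mechs found" message.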

View File

@ -2,8 +2,6 @@ Wish list:
Remove this file from the stable release. Remove this file from the stable release.
instead of ipc_idle, reduce ipc_ttl.
Add smtpd_sender_login_maps to proxy_read_maps. What other Add smtpd_sender_login_maps to proxy_read_maps. What other
parameters are worthy of being whitelisted for proxy access? parameters are worthy of being whitelisted for proxy access?
Is there a way to automate this decision? Is there a way to automate this decision?
@ -24,7 +22,7 @@ Wish list:
the result exceeds the limit. the result exceeds the limit.
Should the postscreen save permanent white/black list lookup Should the postscreen save permanent white/black list lookup
results int the temporary cache, and query the temporary results to the temporary cache, and query the temporary
cache first? Skipping white/black list lookups will speed cache first? Skipping white/black list lookups will speed
up the handling of "good" clients without a permanent up the handling of "good" clients without a permanent
whitelist entry. Of course, this means that updates to the whitelist entry. Of course, this means that updates to the

View File

@ -602,7 +602,7 @@ in the <a href="master.5.html">master.cf</a> file. This feature is available in
<blockquote> <blockquote>
<pre> <pre>
/etc/postfix/<a href="master.5.html">master.cf</a>: /etc/postfix/<a href="master.5.html">master.cf</a>:
:10026 inet n - n - - smtpd 127.0.0.1:10026 inet n - n - - smtpd
-o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_address_mappings">no_address_mappings</a> -o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_address_mappings">no_address_mappings</a>
</pre> </pre>
</blockquote> </blockquote>
@ -701,7 +701,7 @@ Postfix version 2.1 and later. </p>
<blockquote> <blockquote>
<pre> <pre>
/etc/postfix/<a href="master.5.html">master.cf</a>: /etc/postfix/<a href="master.5.html">master.cf</a>:
:10026 inet n - n - - smtpd 127.0.0.1:10026 inet n - n - - smtpd
-o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_address_mappings">no_address_mappings</a> -o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_address_mappings">no_address_mappings</a>
</pre> </pre>
</blockquote> </blockquote>
@ -751,7 +751,7 @@ is available in Postfix version 2.1 and later. </p>
<blockquote> <blockquote>
<pre> <pre>
/etc/postfix/<a href="master.5.html">master.cf</a>: /etc/postfix/<a href="master.5.html">master.cf</a>:
:10026 inet n - n - - smtpd 127.0.0.1:10026 inet n - n - - smtpd
-o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_address_mappings">no_address_mappings</a> -o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_address_mappings">no_address_mappings</a>
</pre> </pre>
</blockquote> </blockquote>
@ -810,7 +810,7 @@ in the <a href="master.5.html">master.cf</a> file. This feature is available in
<blockquote> <blockquote>
<pre> <pre>
/etc/postfix/<a href="master.5.html">master.cf</a>: /etc/postfix/<a href="master.5.html">master.cf</a>:
:10026 inet n - n - - smtpd 127.0.0.1:10026 inet n - n - - smtpd
-o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_address_mappings">no_address_mappings</a> -o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_address_mappings">no_address_mappings</a>
</pre> </pre>
</blockquote> </blockquote>

View File

@ -370,7 +370,7 @@ example, the lookup table "static:foobar" always returns the string
described in <a href="tcp_table.5.html">tcp_table(5)</a>. The lookup table name is "<a href="tcp_table.5.html">tcp</a>:host:port" described in <a href="tcp_table.5.html">tcp_table(5)</a>. The lookup table name is "<a href="tcp_table.5.html">tcp</a>:host:port"
where "host" specifies a symbolic hostname or a numeric IP address, where "host" specifies a symbolic hostname or a numeric IP address,
and "port" specifies a symbolic service name or a numeric port and "port" specifies a symbolic service name or a numeric port
number. This protocol is not available in the stable Postfix release. number.
</dd> </dd>
<dt> <b>unix</b> (read-only) </dt> <dt> <b>unix</b> (read-only) </dt>

View File

@ -32,8 +32,8 @@ the server itself is responsible for. Usually, SMTP servers allow
mail to remote destinations when the client's IP address is in the mail to remote destinations when the client's IP address is in the
"same network" as the server's IP address. </p> "same network" as the server's IP address. </p>
<p> Sometimes an SMTP client needs "same network" privileges when <p> SMTP clients outside the SMTP server's network need a different
it connects from elsewhere. To address this problem, Postfix way to get "same network" privileges. To address this need, Postfix
supports SASL authentication (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>, formerly RFC 2554). With supports SASL authentication (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>, formerly RFC 2554). With
this a remote SMTP client can authenticate to the Postfix SMTP this a remote SMTP client can authenticate to the Postfix SMTP
server, and the Postfix SMTP client can authenticate to a remote server, and the Postfix SMTP client can authenticate to a remote
@ -176,10 +176,10 @@ later. </p>
<h3><a name="server_dovecot">Configuring Dovecot SASL</a></h3> <h3><a name="server_dovecot">Configuring Dovecot SASL</a></h3>
<p> Dovecot is a POP/IMAP server that must be configured to <p> Dovecot is a POP/IMAP server that has its own configuration to
authenticate POP/IMAP clients. When the Postfix SMTP server uses authenticate POP/IMAP clients. When the Postfix SMTP server uses
Dovecot SASL, it also reuses this configuration. Consult the <a Dovecot SASL, it reuses parts of this configuration. Consult the
href="http://wiki.dovecot.org">Dovecot documentation</a> for how <a href="http://wiki.dovecot.org">Dovecot documentation</a> for how
to configure and operate the Dovecot authentication server. </p> to configure and operate the Dovecot authentication server. </p>
<h4><a name="server_dovecot_comm">Postfix to Dovecot SASL communication</a></h4> <h4><a name="server_dovecot_comm">Postfix to Dovecot SASL communication</a></h4>
@ -220,16 +220,14 @@ SASL socket in <code>/var/spool/postfix/private/auth</code>, and
lines 11-13 limit read+write permissions to user and group lines 11-13 limit read+write permissions to user and group
<code>postfix</code> only. </p> <code>postfix</code> only. </p>
<p> Proceed with the section "<a href="#server_sasl_enable" <p> Proceed with the section "<a href="#server_sasl_enable">Enabling
title="Enabling SASL authentication and configuring authorization SASL authentication and authorization in the Postfix SMTP server</a>"
in the Postfix SMTP server">Enabling SASL authentication and to turn on and use SASL in the Postfix SMTP server. </p>
authorization in the Postfix SMTP server</a>" to turn on and use
SASL in the Postfix SMTP server. </p>
<h3><a name="server_cyrus">Configuring Cyrus SASL</a></h3> <h3><a name="server_cyrus">Configuring Cyrus SASL</a></h3>
<p> The Cyrus SASL framework was supports a wide variety of <p> The Cyrus SASL framework supports a wide variety of applications
applications. Different applications may require different (POP, IMAP, SMTP, etc.). Different applications may require different
configurations. As a consequence each application may have its own configurations. As a consequence each application may have its own
configuration file. </p> configuration file. </p>
@ -438,9 +436,9 @@ by an additional security layer such as a TLS-encrypted SMTP session
<p> Additionally the <code>saslauthd</code> server itself must be <p> Additionally the <code>saslauthd</code> server itself must be
configured. It must be told which authentication backend to turn configured. It must be told which authentication backend to turn
to for password verification. The backend is choosen as a command to for password verification. The backend is selected with a
line option when <code>saslauthd</code> is started and will be shown <code>saslauthd</code> command-line option and will be shown in the
in the following examples. </p> following examples. </p>
<blockquote> <blockquote>
@ -561,14 +559,15 @@ when authentication is successful: </p>
<p> Sometimes the <code>testsaslauthd</code> program is not distributed <p> Sometimes the <code>testsaslauthd</code> program is not distributed
with a the Cyrus SASL main package. In that case, it may be with a the Cyrus SASL main package. In that case, it may be
distributed with -devel, -dev or -debug packages. </p> distributed with <code>-devel</code>, <code>-dev</code> or
<code>-debug</code> packages. </p>
</blockquote> </blockquote>
<p> Specify an additional "<code>-s smtp</code>" if <code>saslauthd</code> <p> Specify an additional "<code>-s smtp</code>" if <code>saslauthd</code>
was configured to contact the PAM authentication framework and an was configured to contact the PAM authentication framework, and
additional "<code>-f <em>/path/to/socketdir/mux</em></code>" if specify an additional "<code>-f <em>/path/to/socketdir/mux</em></code>"
<code>saslauthd</code> establishes the UNIX-domain socket in a if <code>saslauthd</code> establishes the UNIX-domain socket in a
non-default location. </p> non-default location. </p>
<p> If authentication succeeds, proceed with the section "<a <p> If authentication succeeds, proceed with the section "<a
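Review bot: "distributed with a the Cyrus SASL main package" in the unchanged context line of this hunk has a stray article; since the paragraph is being touched to add the <code> markup around -devel, -dev and -debug, fix it to "with the Cyrus SASL main package" in the same change.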
@ -584,22 +583,20 @@ SASL sources provide three authentication plugins. </p>
<blockquote> <blockquote>
<dl> <table border="1">
<dt><a href="#auxprop_sasldb">sasldb</a></dt> <tr> <th>Plugin </th> <th>Description </th> </tr>
<dd> <p> Accounts are stored stored in a Cyrus SASL Berkeley DB <tr> <td><a href="#auxprop_sasldb">sasldb</a></dt> <td> Accounts
database </p> </dd> are stored stored in a Cyrus SASL Berkeley DB database </td> </tr>
<dt><a href="#auxprop_sql">sql</a></dt> <tr> <td><a href="#auxprop_sql">sql</a></dt> <td> Accounts are
stored in a SQL database </td> </tr>
<dd> <p> Accounts are stored in a SQL database </p> </dd> <tr> <td><a href="#auxprop_ldapdb">ldapdb</a></dt> <td> Accounts
are stored stored in an LDAP database </td> </tr>
<dt><a href="#auxprop_ldapdb">ldapdb</a></dt> </table>
<dd> <p> Accounts are stored stored in an LDAP database </p> </dd>
</dl>
</blockquote> </blockquote>
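Review bot: the new table rows close their first cell with </dt> instead of </td> (all three rows, e.g. "<td><a href="#auxprop_sasldb">sasldb</a></dt>"), a leftover from the <dl> markup being replaced; change them to </td> so the HTML is well-formed and the table renders predictably. The duplicated "stored stored" in the sasldb and ldapdb rows is also carried over from the old list and should be fixed while the rows are being rewritten.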
@ -718,12 +715,13 @@ stored as plaintext. </p>
<strong>Tip</strong> <strong>Tip</strong>
<p> If you must store encrypted passwords, see section "<a <p> If you must store encrypted passwords, you cannot use the sql
href="#saslauthd_pam">Using saslauthd with PAM</a>", and configure auxprop plugin. Instead, see section "<a href="#saslauthd_pam">Using
PAM to look up the encrypted passwords with, for example, the saslauthd with PAM</a>", and configure PAM to look up the encrypted
<code>pam_mysql</code> module. You will not be able to use any of passwords with, for example, the <code>pam_mysql</code> module.
the methods that require access to plaintext passwords, such as the You will not be able to use any of the methods that require access
shared-secret methods CRAM-MD5 and DIGEST-MD5. </p> to plaintext passwords, such as the shared-secret methods CRAM-MD5
and DIGEST-MD5. </p>
</blockquote> </blockquote>
@ -896,12 +894,13 @@ stored as plaintext. </p>
<strong>Tip</strong> <strong>Tip</strong>
<p> If you must store encrypted passwords, you can use "<code>saslauthd <p> If you must store encrypted passwords, you cannot use the ldapdb
-a ldap</code>" to query the LDAP database directly, with appropriate auxprop plugin. Instead, you can use "<code>saslauthd -a ldap</code>"
configuration in <code>saslauthd.conf</code>. This may be documented to query the LDAP database directly, with appropriate configuration
in a later version of this document. You will not be able to use in <code>saslauthd.conf</code>. This may be documented in a later
any of the methods that require access to plaintext passwords, such version of this document. You will not be able to use any of the
as the shared-secret methods CRAM-MD5 and DIGEST-MD5. </p> methods that require access to plaintext passwords, such as the
shared-secret methods CRAM-MD5 and DIGEST-MD5. </p>
</blockquote> </blockquote>
@ -1123,7 +1122,7 @@ server runs chrooted. </p>
in the Postfix SMTP server</a></h4> in the Postfix SMTP server</a></h4>
<p> Regardless of the SASL implementation type, enabling SMTP <p> Regardless of the SASL implementation type, enabling SMTP
authentication in the Postfix SMTP server always requires seting authentication in the Postfix SMTP server always requires setting
the <code><a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a></code> option: </p> the <code><a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a></code> option: </p>
<blockquote> <blockquote>
@ -1775,10 +1774,11 @@ mechanism): </p>
</pre> </pre>
</blockquote> </blockquote>
<p> This default policy leads to authentication failures if the <p> This default policy, which allows no plaintext passwords, leads
remote server only offers plaintext authentication mechanisms. In to authentication failures if the remote server only offers plaintext
such cases the SMTP client will log the following error message: authentication mechanisms (the SMTP server announces "<code>AUTH
</p> PLAIN LOGIN</code>"). In such cases the SMTP client will log the
following error message: </p>
<blockquote> <blockquote>
<pre> <pre>
@ -1786,6 +1786,16 @@ SASL authentication failure: No worthy mechs found
</pre> </pre>
</blockquote> </blockquote>
<blockquote>
<strong>Note</strong>
<p> This same error message will also be logged when the
<code>libplain.so</code> or <code>liblogin.so</code> modules are
not installed in the <code>/usr/lib/sasl2</code> directory. </p>
</blockquote>
<p> The less secure approach is to lower the security standards and <p> The less secure approach is to lower the security standards and
permit plaintext authentication mechanisms: </p> permit plaintext authentication mechanisms: </p>

View File

@ -45,10 +45,11 @@ BOUNCE(8) BOUNCE(8)
<b>STANDARDS</b> <b>STANDARDS</b>
<a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages) <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
<a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies) <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
<a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (ARPA Internet Text Messages) <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
<a href="http://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications) <a href="http://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
<a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications) <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
<a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header) <a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
<a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
<b>DIAGNOSTICS</b> <b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8). Problems and transactions are logged to <b>syslogd</b>(8).
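Review bot: while correcting the RFC 2822 description to "(Internet Message Format)" and adding RFC 5322, the RFC 3462 line should be corrected as well: RFC 3462 defines the multipart/report content type that bounce messages use, whereas RFC 3464 is the document that specifies Delivery Status Notifications, so listing both as "(Delivery Status Notifications)" is misleading. The same STANDARDS list is repeated in the other bounce(8) files in this commit and should be changed consistently.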

View File

@ -45,10 +45,11 @@ BOUNCE(8) BOUNCE(8)
<b>STANDARDS</b> <b>STANDARDS</b>
<a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages) <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
<a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies) <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
<a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (ARPA Internet Text Messages) <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
<a href="http://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications) <a href="http://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
<a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications) <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
<a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header) <a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
<a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
<b>DIAGNOSTICS</b> <b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8). Problems and transactions are logged to <b>syslogd</b>(8).

View File

@ -274,19 +274,18 @@ This feature is available in Postfix 2.1 and later.
</DD> </DD>
<DT><b><a name="address_verify_poll_count">address_verify_poll_count</a> <DT><b><a name="address_verify_poll_count">address_verify_poll_count</a>
(default: see "postconf -d" output)</b></DT><DD> (default: ${stress?1}${stress:3})</b></DT><DD>
<p> <p>
How many times to query the <a href="verify.8.html">verify(8)</a> service for the completion How many times to query the <a href="verify.8.html">verify(8)</a> service for the completion
of an address verification request in progress. of an address verification request in progress.
</p> </p>
<p> <p> By default, the Postfix SMTP server polls the <a href="verify.8.html">verify(8)</a> service
The Postfix SMTP server polls the <a href="verify.8.html">verify(8)</a> service up to three up to three times under non-overload conditions, and only once when
times under non-overload conditions, and only once when under under overload. With Postfix version 2.6 and earlier, the SMTP
overload. With Postfix version 2.6 and earlier, the SMTP server server always polls the <a href="verify.8.html">verify(8)</a> service up to three times by
always polls the <a href="verify.8.html">verify(8)</a> service up to three times. default. </p>
</p>
<p> <p>
Specify 1 to implement a crude form of greylisting, that is, always Specify 1 to implement a crude form of greylisting, that is, always
@ -294,10 +293,13 @@ defer the first delivery request for a new address.
</p> </p>
<p> <p>
Example: Examples:
</p> </p>
<pre> <pre>
# Postfix &le; 2.6 default
<a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> = 3
# Poor man's greylisting
<a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> = 1 <a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> = 1
</pre> </pre>

View File

@ -345,7 +345,7 @@ SMTPD(8) SMTPD(8)
Available in Postfix version 2.1 and 2.2: Available in Postfix version 2.1 and 2.2:
<b>smtpd_sasl_application_name (smtpd)</b> <b><a href="postconf.5.html#smtpd_sasl_application_name">smtpd_sasl_application_name</a> (smtpd)</b>
The application name that the Postfix SMTP server The application name that the Postfix SMTP server
uses for SASL server initialization. uses for SASL server initialization.
@ -992,7 +992,7 @@ SMTPD(8) SMTPD(8)
and operate the Postfix sender/recipient address verifica- and operate the Postfix sender/recipient address verifica-
tion service. tion service.
<b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (${stress?1}${stress:3})</b>
How many times to query the <a href="verify.8.html"><b>verify</b>(8)</a> service for How many times to query the <a href="verify.8.html"><b>verify</b>(8)</a> service for
the completion of an address verification request the completion of an address verification request
in progress. in progress.

View File

@ -45,10 +45,11 @@ BOUNCE(8) BOUNCE(8)
<b>STANDARDS</b> <b>STANDARDS</b>
<a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages) <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
<a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies) <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
<a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (ARPA Internet Text Messages) <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
<a href="http://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications) <a href="http://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
<a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications) <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
<a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header) <a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
<a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
<b>DIAGNOSTICS</b> <b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8). Problems and transactions are logged to <b>syslogd</b>(8).

View File

@ -157,23 +157,27 @@ be refreshed.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
.PP .PP
This feature is available in Postfix 2.1 and later. This feature is available in Postfix 2.1 and later.
.SH address_verify_poll_count (default: see "postconf -d" output) .SH address_verify_poll_count (default: ${stress?1}${stress:3})
How many times to query the \fBverify\fR(8) service for the completion How many times to query the \fBverify\fR(8) service for the completion
of an address verification request in progress. of an address verification request in progress.
.PP .PP
The Postfix SMTP server polls the \fBverify\fR(8) service up to three By default, the Postfix SMTP server polls the \fBverify\fR(8) service
times under non-overload conditions, and only once when under up to three times under non-overload conditions, and only once when
overload. With Postfix version 2.6 and earlier, the SMTP server under overload. With Postfix version 2.6 and earlier, the SMTP
always polls the \fBverify\fR(8) service up to three times. server always polls the \fBverify\fR(8) service up to three times by
default.
.PP .PP
Specify 1 to implement a crude form of greylisting, that is, always Specify 1 to implement a crude form of greylisting, that is, always
defer the first delivery request for a new address. defer the first delivery request for a new address.
.PP .PP
Example: Examples:
.PP .PP
.nf .nf
.na .na
.ft C .ft C
# Postfix <= 2.6 default
address_verify_poll_count = 3
# Poor man's greylisting
address_verify_poll_count = 1 address_verify_poll_count = 1
.fi .fi
.ad .ad

View File

@ -43,10 +43,11 @@ themselves, and that depend on retry logic in their own client.
.nf .nf
RFC 822 (ARPA Internet Text Messages) RFC 822 (ARPA Internet Text Messages)
RFC 2045 (Format of Internet Message Bodies) RFC 2045 (Format of Internet Message Bodies)
RFC 2822 (ARPA Internet Text Messages) RFC 2822 (Internet Message Format)
RFC 3462 (Delivery Status Notifications) RFC 3462 (Delivery Status Notifications)
RFC 3464 (Delivery Status Notifications) RFC 3464 (Delivery Status Notifications)
RFC 3834 (Auto-Submitted: message header) RFC 3834 (Auto-Submitted: message header)
RFC 5322 (Internet Message Format)
.SH DIAGNOSTICS .SH DIAGNOSTICS
.ad .ad
.fi .fi

View File

@ -384,8 +384,8 @@ File with the Postfix SMTP server RSA private key in PEM format.
.IP "\fBsmtpd_tls_loglevel (0)\fR" .IP "\fBsmtpd_tls_loglevel (0)\fR"
Enable additional Postfix SMTP server logging of TLS activity. Enable additional Postfix SMTP server logging of TLS activity.
.IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR" .IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR"
The minimum TLS cipher grade that the Postfix SMTP server The minimum TLS cipher grade that the Postfix SMTP server will
will use with mandatory TLS encryption. use with mandatory TLS encryption.
.IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR" .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
Additional list of ciphers or cipher types to exclude from the Additional list of ciphers or cipher types to exclude from the
SMTP server cipher list at mandatory TLS security levels. SMTP server cipher list at mandatory TLS security levels.
@ -794,7 +794,7 @@ verification probes is maintained by the \fBverify\fR(8) server.
See the file ADDRESS_VERIFICATION_README for information See the file ADDRESS_VERIFICATION_README for information
about how to configure and operate the Postfix sender/recipient about how to configure and operate the Postfix sender/recipient
address verification service. address verification service.
.IP "\fBaddress_verify_poll_count (see 'postconf -d' output)\fR" .IP "\fBaddress_verify_poll_count (${stress?1}${stress:3})\fR"
How many times to query the \fBverify\fR(8) service for the completion How many times to query the \fBverify\fR(8) service for the completion
of an address verification request in progress. of an address verification request in progress.
.IP "\fBaddress_verify_poll_delay (3s)\fR" .IP "\fBaddress_verify_poll_delay (3s)\fR"

View File

@ -602,7 +602,7 @@ in the master.cf file. This feature is available in Postfix version
<blockquote> <blockquote>
<pre> <pre>
/etc/postfix/master.cf: /etc/postfix/master.cf:
:10026 inet n - n - - smtpd 127.0.0.1:10026 inet n - n - - smtpd
-o receive_override_options=no_address_mappings -o receive_override_options=no_address_mappings
</pre> </pre>
</blockquote> </blockquote>
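Review bot: changing the listener from `:10026` to `127.0.0.1:10026` in this master.cf example is the correct fix and should be called out in the release notes: a bare `:10026` binds the re-injection smtpd to every address Postfix listens on, and because that service runs with `-o receive_override_options=no_address_mappings` a remote client could hand mail straight to a port that skips the address mappings; binding it to loopback keeps it reachable only from the local filter. The identical replacement is made in the three hunks that follow; it is worth grepping the remaining READMEs and the sample master.cf for other bare `:port` entries that were meant to be local-only.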
@ -701,7 +701,7 @@ Postfix version 2.1 and later. </p>
<blockquote> <blockquote>
<pre> <pre>
/etc/postfix/master.cf: /etc/postfix/master.cf:
:10026 inet n - n - - smtpd 127.0.0.1:10026 inet n - n - - smtpd
-o receive_override_options=no_address_mappings -o receive_override_options=no_address_mappings
</pre> </pre>
</blockquote> </blockquote>
@ -751,7 +751,7 @@ is available in Postfix version 2.1 and later. </p>
<blockquote> <blockquote>
<pre> <pre>
/etc/postfix/master.cf: /etc/postfix/master.cf:
:10026 inet n - n - - smtpd 127.0.0.1:10026 inet n - n - - smtpd
-o receive_override_options=no_address_mappings -o receive_override_options=no_address_mappings
</pre> </pre>
</blockquote> </blockquote>
@ -810,7 +810,7 @@ in the master.cf file. This feature is available in Postfix version
<blockquote> <blockquote>
<pre> <pre>
/etc/postfix/master.cf: /etc/postfix/master.cf:
:10026 inet n - n - - smtpd 127.0.0.1:10026 inet n - n - - smtpd
-o receive_override_options=no_address_mappings -o receive_override_options=no_address_mappings
</pre> </pre>
</blockquote> </blockquote>

View File

@ -370,7 +370,7 @@ example, the lookup table "static:foobar" always returns the string
described in tcp_table(5). The lookup table name is "tcp:host:port" described in tcp_table(5). The lookup table name is "tcp:host:port"
where "host" specifies a symbolic hostname or a numeric IP address, where "host" specifies a symbolic hostname or a numeric IP address,
and "port" specifies a symbolic service name or a numeric port and "port" specifies a symbolic service name or a numeric port
number. This protocol is not available in the stable Postfix release. number.
</dd> </dd>
<dt> <b>unix</b> (read-only) </dt> <dt> <b>unix</b> (read-only) </dt>
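Review bot: removing the sentence "This protocol is not available in the stable Postfix release." leaves the tcp entry with no version information, whereas the other feature descriptions in this commit carry one ("This feature is available in Postfix version 2.1 and later.", "This feature is available in Postfix 2.7."). Suggest replacing the dropped sentence with a matching line, e.g. "This feature is available in Postfix 2.8 and later.", which is the version in mail_version.h further down.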

View File

@ -32,8 +32,8 @@ the server itself is responsible for. Usually, SMTP servers allow
mail to remote destinations when the client's IP address is in the mail to remote destinations when the client's IP address is in the
"same network" as the server's IP address. </p> "same network" as the server's IP address. </p>
<p> Sometimes an SMTP client needs "same network" privileges when <p> SMTP clients outside the SMTP server's network need a different
it connects from elsewhere. To address this problem, Postfix way to get "same network" privileges. To address this need, Postfix
supports SASL authentication (RFC 4954, formerly RFC 2554). With supports SASL authentication (RFC 4954, formerly RFC 2554). With
this a remote SMTP client can authenticate to the Postfix SMTP this a remote SMTP client can authenticate to the Postfix SMTP
server, and the Postfix SMTP client can authenticate to a remote server, and the Postfix SMTP client can authenticate to a remote
@ -176,10 +176,10 @@ later. </p>
<h3><a name="server_dovecot">Configuring Dovecot SASL</a></h3> <h3><a name="server_dovecot">Configuring Dovecot SASL</a></h3>
<p> Dovecot is a POP/IMAP server that must be configured to <p> Dovecot is a POP/IMAP server that has its own configuration to
authenticate POP/IMAP clients. When the Postfix SMTP server uses authenticate POP/IMAP clients. When the Postfix SMTP server uses
Dovecot SASL, it also reuses this configuration. Consult the <a Dovecot SASL, it reuses parts of this configuration. Consult the
href="http://wiki.dovecot.org">Dovecot documentation</a> for how <a href="http://wiki.dovecot.org">Dovecot documentation</a> for how
to configure and operate the Dovecot authentication server. </p> to configure and operate the Dovecot authentication server. </p>
<h4><a name="server_dovecot_comm">Postfix to Dovecot SASL communication</a></h4> <h4><a name="server_dovecot_comm">Postfix to Dovecot SASL communication</a></h4>
@ -220,16 +220,14 @@ SASL socket in <code>/var/spool/postfix/private/auth</code>, and
lines 11-13 limit read+write permissions to user and group lines 11-13 limit read+write permissions to user and group
<code>postfix</code> only. </p> <code>postfix</code> only. </p>
<p> Proceed with the section "<a href="#server_sasl_enable" <p> Proceed with the section "<a href="#server_sasl_enable">Enabling
title="Enabling SASL authentication and configuring authorization SASL authentication and authorization in the Postfix SMTP server</a>"
in the Postfix SMTP server">Enabling SASL authentication and to turn on and use SASL in the Postfix SMTP server. </p>
authorization in the Postfix SMTP server</a>" to turn on and use
SASL in the Postfix SMTP server. </p>
<h3><a name="server_cyrus">Configuring Cyrus SASL</a></h3> <h3><a name="server_cyrus">Configuring Cyrus SASL</a></h3>
<p> The Cyrus SASL framework was supports a wide variety of <p> The Cyrus SASL framework supports a wide variety of applications
applications. Different applications may require different (POP, IMAP, SMTP, etc.). Different applications may require different
configurations. As a consequence each application may have its own configurations. As a consequence each application may have its own
configuration file. </p> configuration file. </p>
@ -438,9 +436,9 @@ by an additional security layer such as a TLS-encrypted SMTP session
<p> Additionally the <code>saslauthd</code> server itself must be <p> Additionally the <code>saslauthd</code> server itself must be
configured. It must be told which authentication backend to turn configured. It must be told which authentication backend to turn
to for password verification. The backend is choosen as a command to for password verification. The backend is selected with a
line option when <code>saslauthd</code> is started and will be shown <code>saslauthd</code> command-line option and will be shown in the
in the following examples. </p> following examples. </p>
<blockquote> <blockquote>
@ -561,14 +559,15 @@ when authentication is successful: </p>
<p> Sometimes the <code>testsaslauthd</code> program is not distributed <p> Sometimes the <code>testsaslauthd</code> program is not distributed
with a the Cyrus SASL main package. In that case, it may be with a the Cyrus SASL main package. In that case, it may be
distributed with -devel, -dev or -debug packages. </p> distributed with <code>-devel</code>, <code>-dev</code> or
<code>-debug</code> packages. </p>
</blockquote> </blockquote>
<p> Specify an additional "<code>-s smtp</code>" if <code>saslauthd</code> <p> Specify an additional "<code>-s smtp</code>" if <code>saslauthd</code>
was configured to contact the PAM authentication framework and an was configured to contact the PAM authentication framework, and
additional "<code>-f <em>/path/to/socketdir/mux</em></code>" if specify an additional "<code>-f <em>/path/to/socketdir/mux</em></code>"
<code>saslauthd</code> establishes the UNIX-domain socket in a if <code>saslauthd</code> establishes the UNIX-domain socket in a
non-default location. </p> non-default location. </p>
<p> If authentication succeeds, proceed with the section "<a <p> If authentication succeeds, proceed with the section "<a
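Review bot: the typo "with a the Cyrus SASL main package" on the second line of this hunk survives in both the old and the new text; since the paragraph is being rewrapped anyway, drop the stray "a".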
@ -584,22 +583,20 @@ SASL sources provide three authentication plugins. </p>
<blockquote> <blockquote>
<dl> <table border="1">
<dt><a href="#auxprop_sasldb">sasldb</a></dt> <tr> <th>Plugin </th> <th>Description </th> </tr>
<dd> <p> Accounts are stored stored in a Cyrus SASL Berkeley DB <tr> <td><a href="#auxprop_sasldb">sasldb</a></dt> <td> Accounts
database </p> </dd> are stored stored in a Cyrus SASL Berkeley DB database </td> </tr>
<dt><a href="#auxprop_sql">sql</a></dt> <tr> <td><a href="#auxprop_sql">sql</a></dt> <td> Accounts are
stored in a SQL database </td> </tr>
<dd> <p> Accounts are stored in a SQL database </p> </dd> <tr> <td><a href="#auxprop_ldapdb">ldapdb</a></dt> <td> Accounts
are stored stored in an LDAP database </td> </tr>
<dt><a href="#auxprop_ldapdb">ldapdb</a></dt> </table>
<dd> <p> Accounts are stored stored in an LDAP database </p> </dd>
</dl>
</blockquote> </blockquote>
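Review bot: the three new table rows close the plugin-name cell with `</dt>` instead of `</td>` (`<td><a href="#auxprop_sasldb">sasldb</a></dt>`, and likewise for the sql and ldapdb rows), leftovers from the `<dl>` this hunk replaces; browsers will recover, but the markup is invalid and an HTML validator will flag it. The duplicated "stored stored" in the sasldb and ldapdb rows is also carried over from the old text and should be fixed in the same pass.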
@ -718,12 +715,13 @@ stored as plaintext. </p>
<strong>Tip</strong> <strong>Tip</strong>
<p> If you must store encrypted passwords, see section "<a <p> If you must store encrypted passwords, you cannot use the sql
href="#saslauthd_pam">Using saslauthd with PAM</a>", and configure auxprop plugin. Instead, see section "<a href="#saslauthd_pam">Using
PAM to look up the encrypted passwords with, for example, the saslauthd with PAM</a>", and configure PAM to look up the encrypted
<code>pam_mysql</code> module. You will not be able to use any of passwords with, for example, the <code>pam_mysql</code> module.
the methods that require access to plaintext passwords, such as the You will not be able to use any of the methods that require access
shared-secret methods CRAM-MD5 and DIGEST-MD5. </p> to plaintext passwords, such as the shared-secret methods CRAM-MD5
and DIGEST-MD5. </p>
</blockquote> </blockquote>
@ -896,12 +894,13 @@ stored as plaintext. </p>
<strong>Tip</strong> <strong>Tip</strong>
<p> If you must store encrypted passwords, you can use "<code>saslauthd <p> If you must store encrypted passwords, you cannot use the ldapdb
-a ldap</code>" to query the LDAP database directly, with appropriate auxprop plugin. Instead, you can use "<code>saslauthd -a ldap</code>"
configuration in <code>saslauthd.conf</code>. This may be documented to query the LDAP database directly, with appropriate configuration
in a later version of this document. You will not be able to use in <code>saslauthd.conf</code>. This may be documented in a later
any of the methods that require access to plaintext passwords, such version of this document. You will not be able to use any of the
as the shared-secret methods CRAM-MD5 and DIGEST-MD5. </p> methods that require access to plaintext passwords, such as the
shared-secret methods CRAM-MD5 and DIGEST-MD5. </p>
</blockquote> </blockquote>
@ -1123,7 +1122,7 @@ server runs chrooted. </p>
in the Postfix SMTP server</a></h4> in the Postfix SMTP server</a></h4>
<p> Regardless of the SASL implementation type, enabling SMTP <p> Regardless of the SASL implementation type, enabling SMTP
authentication in the Postfix SMTP server always requires seting authentication in the Postfix SMTP server always requires setting
the <code>smtpd_sasl_auth_enable</code> option: </p> the <code>smtpd_sasl_auth_enable</code> option: </p>
<blockquote> <blockquote>
@ -1775,10 +1774,11 @@ mechanism): </p>
</pre> </pre>
</blockquote> </blockquote>
<p> This default policy leads to authentication failures if the <p> This default policy, which allows no plaintext passwords, leads
remote server only offers plaintext authentication mechanisms. In to authentication failures if the remote server only offers plaintext
such cases the SMTP client will log the following error message: authentication mechanisms (the SMTP server announces "<code>AUTH
</p> PLAIN LOGIN</code>"). In such cases the SMTP client will log the
following error message: </p>
<blockquote> <blockquote>
<pre> <pre>
@ -1786,6 +1786,16 @@ SASL authentication failure: No worthy mechs found
</pre> </pre>
</blockquote> </blockquote>
<blockquote>
<strong>Note</strong>
<p> This same error message will also be logged when the
<code>libplain.so</code> or <code>liblogin.so</code> modules are
not installed in the <code>/usr/lib/sasl2</code> directory. </p>
</blockquote>
<p> The less secure approach is to lower the security standards and <p> The less secure approach is to lower the security standards and
permit plaintext authentication mechanisms: </p> permit plaintext authentication mechanisms: </p>

View File

@ -301,19 +301,18 @@ seconds. </p>
<p> This feature is available in Postfix 2.7. </p> <p> This feature is available in Postfix 2.7. </p>
%PARAM address_verify_poll_count see "postconf -d" output %PARAM address_verify_poll_count ${stress?1}${stress:3}
<p> <p>
How many times to query the verify(8) service for the completion How many times to query the verify(8) service for the completion
of an address verification request in progress. of an address verification request in progress.
</p> </p>
<p> <p> By default, the Postfix SMTP server polls the verify(8) service
The Postfix SMTP server polls the verify(8) service up to three up to three times under non-overload conditions, and only once when
times under non-overload conditions, and only once when under under overload. With Postfix version 2.6 and earlier, the SMTP
overload. With Postfix version 2.6 and earlier, the SMTP server server always polls the verify(8) service up to three times by
always polls the verify(8) service up to three times. default. </p>
</p>
<p> <p>
Specify 1 to implement a crude form of greylisting, that is, always Specify 1 to implement a crude form of greylisting, that is, always
@ -321,10 +320,13 @@ defer the first delivery request for a new address.
</p> </p>
<p> <p>
Example: Examples:
</p> </p>
<pre> <pre>
# Postfix &le; 2.6 default
address_verify_poll_count = 3
# Poor man's greylisting
address_verify_poll_count = 1 address_verify_poll_count = 1
</pre> </pre>
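Review bot: the new example `# Postfix &le; 2.6 default` / `address_verify_poll_count = 3` pins the poll count to a constant and therefore switches off the overload adaptation that the new default `${stress?1}${stress:3}` provides; a short remark next to that example that it restores the pre-2.7 behaviour at the cost of stress-adaptive polling would stop readers from copying it as a harmless default. This proto file is the source of the postconf(5) HTML and man page hunks above, so the wording only needs to change here.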

View File

@ -35,10 +35,11 @@
/* STANDARDS /* STANDARDS
/* RFC 822 (ARPA Internet Text Messages) /* RFC 822 (ARPA Internet Text Messages)
/* RFC 2045 (Format of Internet Message Bodies) /* RFC 2045 (Format of Internet Message Bodies)
/* RFC 2822 (ARPA Internet Text Messages) /* RFC 2822 (Internet Message Format)
/* RFC 3462 (Delivery Status Notifications) /* RFC 3462 (Delivery Status Notifications)
/* RFC 3464 (Delivery Status Notifications) /* RFC 3464 (Delivery Status Notifications)
/* RFC 3834 (Auto-Submitted: message header) /* RFC 3834 (Auto-Submitted: message header)
/* RFC 5322 (Internet Message Format)
/* DIAGNOSTICS /* DIAGNOSTICS
/* Problems and transactions are logged to \fBsyslogd\fR(8). /* Problems and transactions are logged to \fBsyslogd\fR(8).
/* CONFIGURATION PARAMETERS /* CONFIGURATION PARAMETERS

View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20100208" #define MAIL_RELEASE_DATE "20100213"
#define MAIL_VERSION_NUMBER "2.8" #define MAIL_VERSION_NUMBER "2.8"
#ifdef SNAPSHOT #ifdef SNAPSHOT

View File

@ -19,14 +19,15 @@
/* /*
/* Sender address override is a problem only when delivering /* Sender address override is a problem only when delivering
/* to command or file, or when breaking a Delivered-To loop. /* to command or file, or when breaking a Delivered-To loop.
/* The local(8) delivery agent saves other recipients to a new /* The local(8) delivery agent saves normal recipients to a
/* queue file, together with the replacement envelope sender /* new queue file, together with the replacement envelope
/* address; delivery then proceeds from that new queue file. /* sender address; delivery then proceeds from that new queue
/* file, and no workaround is needed.
/* /*
/* The workaround sends one non-delivery notification for each /* The workaround sends one non-delivery notification for each
/* failed delivery that has a replacement sender address. The /* failed delivery that has a replacement sender address. The
/* notifications are not aggregated, unlike notifications to /* notifications are not aggregated, unlike notifications to
/* non-replaced sender addresses). In practice, a local alias /* non-replaced sender addresses. In practice, a local alias
/* rarely has more than one file or command destination (if /* rarely has more than one file or command destination (if
/* only because soft error handling is problematic). /* only because soft error handling is problematic).
/* /*

View File

@ -352,8 +352,8 @@
/* .IP "\fBsmtpd_tls_loglevel (0)\fR" /* .IP "\fBsmtpd_tls_loglevel (0)\fR"
/* Enable additional Postfix SMTP server logging of TLS activity. /* Enable additional Postfix SMTP server logging of TLS activity.
/* .IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR" /* .IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR"
/* The minimum TLS cipher grade that the Postfix SMTP server /* The minimum TLS cipher grade that the Postfix SMTP server will
/* will use with mandatory TLS encryption. /* use with mandatory TLS encryption.
/* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR" /* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
/* Additional list of ciphers or cipher types to exclude from the /* Additional list of ciphers or cipher types to exclude from the
/* SMTP server cipher list at mandatory TLS security levels. /* SMTP server cipher list at mandatory TLS security levels.
@ -744,7 +744,7 @@
/* See the file ADDRESS_VERIFICATION_README for information /* See the file ADDRESS_VERIFICATION_README for information
/* about how to configure and operate the Postfix sender/recipient /* about how to configure and operate the Postfix sender/recipient
/* address verification service. /* address verification service.
/* .IP "\fBaddress_verify_poll_count (see 'postconf -d' output)\fR" /* .IP "\fBaddress_verify_poll_count (${stress?1}${stress:3})\fR"
/* How many times to query the \fBverify\fR(8) service for the completion /* How many times to query the \fBverify\fR(8) service for the completion
/* of an address verification request in progress. /* of an address verification request in progress.
/* .IP "\fBaddress_verify_poll_delay (3s)\fR" /* .IP "\fBaddress_verify_poll_delay (3s)\fR"

View File

@ -223,9 +223,7 @@ static const DICT_OPEN_INFO dict_open_info[] = {
DICT_TYPE_ENVIRON, dict_env_open, DICT_TYPE_ENVIRON, dict_env_open,
DICT_TYPE_HT, dict_ht_open, DICT_TYPE_HT, dict_ht_open,
DICT_TYPE_UNIX, dict_unix_open, DICT_TYPE_UNIX, dict_unix_open,
#ifdef SNAPSHOT
DICT_TYPE_TCP, dict_tcp_open, DICT_TYPE_TCP, dict_tcp_open,
#endif
#ifdef HAS_SDBM #ifdef HAS_SDBM
DICT_TYPE_SDBM, dict_sdbm_open, DICT_TYPE_SDBM, dict_sdbm_open,
#endif #endif