From 9dba3caad027e1c220b6f6cf80841d8da392fd92 Mon Sep 17 00:00:00 2001
From: Wietse Venema
This document covers the following topics:
diff --git a/postfix/html/aliases.5.html b/postfix/html/aliases.5.html index ee57e794f..708f24edc 100644 --- a/postfix/html/aliases.5.html +++ b/postfix/html/aliases.5.html @@ -169,12 +169,6 @@ ALIASES(5) ALIASES(5) Delivered-To: address while expanding aliases or .forward files. - sticky_owner_alias - When expanding a local(8) alias that has an owner - alias (see owner-name discussion above), use the - owner information even when the expansion invokes a - subordinate alias that has no owner alias. - STANDARDS RFC 822 (ARPA Internet Text Messages) @@ -188,7 +182,7 @@ ALIASES(5) ALIASES(5) DATABASE_README, Postfix lookup table overview LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/postfix/html/anvil.8.html b/postfix/html/anvil.8.html index b10dd5705..2852582ff 100644 --- a/postfix/html/anvil.8.html +++ b/postfix/html/anvil.8.html @@ -97,14 +97,14 @@ ANVIL(8) ANVIL(8) rate=number To retrieve new TLS session request rate information with- - out updating the counter information, use: + out updating the counter information, send: request=newtls_report ident=string The anvil(8) server answers with the number of new TLS session requests per unit time for the (service, client) - combination specified with ident. + combination specified with ident: status=0 rate=number diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index edd1fca3d..9509bc555 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html @@ -587,8 +587,8 @@ SMTPD(8) SMTPD(8) smtpd_client_new_tls_session_rate_limit (0) The maximal number of new (i.e., uncached) TLS ses- - sions that any client is allowed to negotiate with - this service per time unit. + sions that a remote SMTP client is allowed to nego- + tiate with this service per time unit. TARPIT CONTROLS When a remote SMTP client makes errors, the Postfix SMTP 
diff --git a/postfix/man/man5/aliases.5 b/postfix/man/man5/aliases.5 index 547906875..305543bef 100644 --- a/postfix/man/man5/aliases.5 +++ b/postfix/man/man5/aliases.5 @@ -153,11 +153,6 @@ Update the local(8) delivery agent's Delivered-To: address (see prepend_delivered_header) only once, at the start of a delivery; do not update the Delivered-To: address while expanding aliases or .forward files. -.IP \fBsticky_owner_alias\fR -When expanding a local(8) alias that has an owner alias -(see owner-\fIname\fR discussion above), use the owner -information even when the expansion invokes a subordinate -alias that has no owner alias. .SH "STANDARDS" .na .nf diff --git a/postfix/man/man8/anvil.8 b/postfix/man/man8/anvil.8 index bcb2d76c5..f4aca61f2 100644 --- a/postfix/man/man8/anvil.8 +++ b/postfix/man/man8/anvil.8 @@ -138,7 +138,7 @@ combination specified with \fBident\fR: .in .PP To retrieve new TLS session request rate information without -updating the counter information, use: +updating the counter information, send: .PP .in +4 \fBrequest=newtls_report\fR @@ -148,7 +148,7 @@ updating the counter information, use: .PP The \fBanvil\fR(8) server answers with the number of new TLS session requests per unit time for the (service, client) -combination specified with \fBident\fR. +combination specified with \fBident\fR: .PP .in +4 \fBstatus=0\fR diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index 7ecb1c2e4..19ea129ce 100644 --- a/postfix/man/man8/smtpd.8 +++ b/postfix/man/man8/smtpd.8 @@ -481,8 +481,9 @@ or SMTP request rate restrictions. .PP Available in Postfix version 2.3 and later: .IP "\fBsmtpd_client_new_tls_session_rate_limit (0)\fR" -The maximal number of new (i.e., uncached) TLS sessions that any -client is allowed to negotiate with this service per time unit. +The maximal number of new (i.e., uncached) TLS sessions that a +remote SMTP client is allowed to negotiate with this service per +time unit. .SH "TARPIT CONTROLS" .na .nf 
diff --git a/postfix/proto/SMTPD_POLICY_README.html b/postfix/proto/SMTPD_POLICY_README.html index 9e8c32917..5a3b5e26a 100644 --- a/postfix/proto/SMTPD_POLICY_README.html +++ b/postfix/proto/SMTPD_POLICY_README.html @@ -37,7 +37,7 @@ to Postfix. It's much easier to develop a new feature in few lines of Perl, than trying to do the same in C code. The difference in performance will be unnoticeable except in the most demanding environments. On active systems a policy daemon process is used -multiple times, for up to 100 incoming SMTP connections. +multiple times, for up to $max_use incoming SMTP connections.This document covers the following topics:
diff --git a/postfix/proto/aliases b/postfix/proto/aliases index bce2d9d2f..84062f509 100644 --- a/postfix/proto/aliases +++ b/postfix/proto/aliases @@ -141,11 +141,6 @@ # (see prepend_delivered_header) only once, at the start of # a delivery; do not update the Delivered-To: address while # expanding aliases or .forward files. -# .IP \fBsticky_owner_alias\fR -# When expanding a local(8) alias that has an owner alias -# (see owner-\fIname\fR discussion above), use the owner -# information even when the expansion invokes a subordinate -# alias that has no owner alias. # STANDARDS # RFC 822 (ARPA Internet Text Messages) # SEE ALSO diff --git a/postfix/src/anvil/anvil.c b/postfix/src/anvil/anvil.c index 9f8a08439..972144470 100644 --- a/postfix/src/anvil/anvil.c +++ b/postfix/src/anvil/anvil.c @@ -124,7 +124,7 @@ /* .in /* .PP /* To retrieve new TLS session request rate information without -/* updating the counter information, use: +/* updating the counter information, send: /* .PP /* .in +4 /* \fBrequest=newtls_report\fR @@ -134,7 +134,7 @@ /* .PP /* The \fBanvil\fR(8) server answers with the number of new /* TLS session requests per unit time for the (service, client) -/* combination specified with \fBident\fR. +/* combination specified with \fBident\fR: /* .PP /* .in +4 /* \fBstatus=0\fR diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index ac5579892..343b7fa40 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20051010" +#define MAIL_RELEASE_DATE "20051011" #define MAIL_VERSION_NUMBER "2.3" #ifdef SNAPSHOT diff --git a/postfix/src/global/smtp_stream.c b/postfix/src/global/smtp_stream.c index fc83695f5..5b3d6e040 100644 --- a/postfix/src/global/smtp_stream.c +++ b/postfix/src/global/smtp_stream.c 
@@ -96,6 +96,12 @@ /* .IP SMTP_ERR_TIME /* The time limit specified to smtp_timeout_setup() was exceeded. /* .IP SMTP_ERR_PROTO +/* A protocol error happened. +/* This error is never generated by the smtp_stream(3) module, but +/* is defined for application-specific use. +/* .IP SMTP_ERR_QUIET +/* Perform silent cleanup; the error was already reported by +/* the application. /* This error is never generated by the smtp_stream(3) module, but /* is defined for application-specific use. /* BUGS diff --git a/postfix/src/global/smtp_stream.h b/postfix/src/global/smtp_stream.h index 3ca7a0452..190baf50d 100644 --- a/postfix/src/global/smtp_stream.h +++ b/postfix/src/global/smtp_stream.h @@ -29,6 +29,7 @@ #define SMTP_ERR_EOF 1 /* unexpected client disconnect */ #define SMTP_ERR_TIME 2 /* time out */ #define SMTP_ERR_PROTO 3 /* protocol (application) */ +#define SMTP_ERR_QUIET 4 /* silent cleanup (application) */ extern void smtp_timeout_setup(VSTREAM *, int); extern void PRINTFLIKE(2, 3) smtp_printf(VSTREAM *, const char *,...); diff --git a/postfix/src/lmtp/lmtp_trouble.c b/postfix/src/lmtp/lmtp_trouble.c index 9aafe927f..ce0966739 100644 --- a/postfix/src/lmtp/lmtp_trouble.c +++ b/postfix/src/lmtp/lmtp_trouble.c @@ -381,7 +381,7 @@ int lmtp_stream_except(LMTP_STATE *state, int code, const char *description) case SMTP_ERR_PROTO: lmtp_fill_dsn(state, &dsn, DSN_BY_LOCAL_MTA, "4.5.0", "403 remote protocol error", - "protocol error in reply from %s while %s", + "remote protocol error in reply from %s while %s", session->namaddr, description); break; } diff --git a/postfix/src/local/alias.c b/postfix/src/local/alias.c index 5ff6f4e47..ce5ebfc1b 100644 --- a/postfix/src/local/alias.c +++ b/postfix/src/local/alias.c 
@@ -260,9 +260,11 @@ int deliver_alias(LOCAL_STATE state, USER_ATTR usr_attr, && (owner_rhs = maps_find(alias_maps, owner, DICT_FLAG_NONE)) != 0) { canon_owner = canon_addr_internal(vstring_alloc(10), var_exp_own_alias ? owner_rhs : owner); + /* Set envelope sender and owner attribute. */ SET_OWNER_ATTR(state.msg_attr, STR(canon_owner), state.level); } else { canon_owner = 0; + /* Note: this does not reset the envelope sender. */ RESET_OWNER_ATTR(state.msg_attr, state.level); } diff --git a/postfix/src/smtp/smtp_trouble.c b/postfix/src/smtp/smtp_trouble.c index 2896f96ea..73d3abf2b 100644 --- a/postfix/src/smtp/smtp_trouble.c +++ b/postfix/src/smtp/smtp_trouble.c @@ -435,7 +435,7 @@ int smtp_stream_except(SMTP_STATE *state, int code, const char *description) case SMTP_ERR_PROTO: smtp_fill_dsn(state, &dsn, DSN_BY_LOCAL_MTA, "4.5.0", "403 remote protocol error", - "protocol error in reply from %s while %s", + "remote protocol error in reply from %s while %s", session->namaddr, description); break; } diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index 107e80343..92becfb57 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -443,8 +443,9 @@ /* .PP /* Available in Postfix version 2.3 and later: /* .IP "\fBsmtpd_client_new_tls_session_rate_limit (0)\fR" -/* The maximal number of new (i.e., uncached) TLS sessions that any -/* client is allowed to negotiate with this service per time unit. +/* The maximal number of new (i.e., uncached) TLS sessions that a +/* remote SMTP client is allowed to negotiate with this service per +/* time unit. /* TARPIT CONTROLS /* .ad /* .fi 
@@ -1562,8 +1563,9 @@ static int mail_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) && anvil_clnt_mail(anvil_clnt, state->service, state->addr, &rate) == ANVIL_STAT_OK && rate > var_smtpd_cmail_limit) { - smtpd_chat_reply(state, "421 4.7.0 %s Error: too much mail from %s", - var_myhostname, state->addr); + state->error_mask |= MAIL_ERROR_POLICY; + smtpd_chat_reply(state, "450 4.7.1 Error: too much mail from %s", + state->addr); msg_warn("Message delivery request rate limit exceeded: %d from %s for service %s", rate, state->namaddr, state->service); return (-1); @@ -1814,9 +1816,9 @@ static int rcpt_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) && anvil_clnt_rcpt(anvil_clnt, state->service, state->addr, &rate) == ANVIL_STAT_OK && rate > var_smtpd_crcpt_limit) { - smtpd_chat_reply(state, - "421 4.7.0 %s Error: too many recipients from %s", - var_myhostname, state->addr); + state->error_mask |= MAIL_ERROR_POLICY; + smtpd_chat_reply(state, "450 4.7.1 Error: too many recipients from %s", + state->addr); msg_warn("Recipient address rate limit exceeded: %d from %s for service %s", rate, state->namaddr, state->service); return (-1); @@ -3041,24 +3043,6 @@ static void smtpd_start_tls(SMTPD_STATE *state) { int rate; - /* - * XXX The client event count/rate control must be consistent in its use - * of client address information in connect and disconnect events. For - * now we exclude xclient authorized hosts from event count/rate control. - */ - if (SMTPD_STAND_ALONE(state) == 0 - && !xclient_allowed - && anvil_clnt - && var_smtpd_cntls_limit > 0 - && !namadr_list_match(hogger_list, state->name, state->addr) - && anvil_clnt_newtls_stat(anvil_clnt, state->service, state->addr, - &rate) == ANVIL_STAT_OK - && rate > var_smtpd_cntls_limit) { - msg_warn("Refusing STARTTLS request from %s for service %s", - state->namaddr, state->service); - vstream_longjmp(state->client, SMTP_ERR_EOF); - } - /* * Wrapper mode uses a dedicated port and always requires TLS. * 
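Review bot: In the mail_cmd hunk (@@ -1562) the over-limit reply changes from a session-level `421 4.7.0` to a per-command `450 4.7.1`, and nothing in the code says why. The same change is made in rcpt_cmd (@@ -1814), while the connection-concurrency limit at @@ -3305 keeps `421 4.7.0`. If the intent is to reject only the command, a short comment above the reply would record it, for example `/* Reject this command only; the client may retry later. */`. Because the client is no longer told that the service is closing, each further over-limit MAIL or RCPT in the same session reaches `msg_warn()` again, so it is worth confirming that the `return (-1)` path counts toward the session error limit and keeps log volume bounded. Both functions start and end outside their hunks.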
@@ -3079,20 +3063,24 @@ static void smtpd_start_tls(SMTPD_STATE *state) * of client address information in connect and disconnect events. For * now we exclude xclient authorized hosts from event count/rate control. */ - if (state->tls_context + if (var_smtpd_cntls_limit > 0 + && state->tls_context && state->tls_context->session_reused == 0 && SMTPD_STAND_ALONE(state) == 0 && !xclient_allowed && anvil_clnt - && var_smtpd_cntls_limit > 0 && !namadr_list_match(hogger_list, state->name, state->addr) && anvil_clnt_newtls(anvil_clnt, state->service, state->addr, &rate) == ANVIL_STAT_OK && rate > var_smtpd_cntls_limit) { - msg_warn("Too many uncached TLS sessions: " - "%d from %s for service %s", + state->error_mask |= MAIL_ERROR_POLICY; + smtpd_chat_reply(state, + "421 4.7.0 %s Error: too many new TLS sessions from %s", + var_myhostname, state->namaddr); + msg_warn("Too many new TLS sessions: %d from %s for service %s", rate, state->namaddr, state->service); - tls_reset(state); + /* XXX Use regular return to signal end of session. */ + vstream_longjmp(state->client, SMTP_ERR_QUIET); } /* @@ -3121,6 +3109,8 @@ static void smtpd_start_tls(SMTPD_STATE *state) static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) { + int rate; + if (argc != 1) { state->error_mask |= MAIL_ERROR_PROTOCOL; smtpd_chat_reply(state, "501 5.5.4 Syntax: STARTTLS"); 
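Review bot: The over-limit branch in the @@ -3079 hunk no longer calls `tls_reset(state)`, so releasing the TLS context of a refused session now depends on whatever cleanup runs after `vstream_longjmp(state->client, SMTP_ERR_QUIET)` unwinds into smtpd_proto, which is not visible here. The `XXX` comment says what should change later but not what the current code relies on. Once confirmed, a line such as `/* TLS state is released by the end-of-session cleanup in smtpd_proto(). */` would document it. The reply also echoes `state->namaddr`, presumably including the looked-up client name, whereas the MAIL and RCPT limit replies use `state->addr`; using one form keeps the client-visible text consistent. smtpd_start_tls begins and ends outside the hunk.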
@@ -3141,7 +3131,30 @@ static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) smtpd_chat_reply(state, "454 4.3.0 TLS not available due to local problem"); return (-1); } + + /* + * XXX The client event count/rate control must be consistent in its use + * of client address information in connect and disconnect events. For + * now we exclude xclient authorized hosts from event count/rate control. + */ + if (var_smtpd_cntls_limit > 0 + && SMTPD_STAND_ALONE(state) == 0 + && !xclient_allowed + && anvil_clnt + && !namadr_list_match(hogger_list, state->name, state->addr) + && anvil_clnt_newtls_stat(anvil_clnt, state->service, state->addr, + &rate) == ANVIL_STAT_OK + && rate > var_smtpd_cntls_limit) { + state->error_mask |= MAIL_ERROR_POLICY; + smtpd_chat_reply(state, + "454 4.7.0 Error: too many new TLS sessions from %s", + state->namaddr); + msg_warn("Refusing STARTTLS request from %s for service %s", + state->namaddr, state->service); + return (-1); + } smtpd_chat_reply(state, "220 2.0.0 Ready to start TLS"); + /* Flush before we switch the stream's read/write routines. */ smtp_flush(state->client); /* @@ -3271,6 +3284,9 @@ static void smtpd_proto(SMTPD_STATE *state, const char *service) state->reason = REASON_LOST_CONNECTION; break; + case SMTP_ERR_QUIET: + break; + case 0: /* 
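Review bot: The pre-check added to starttls_cmd (@@ -3141) is advisory, and the code does not say so. It reads the rate with `anvil_clnt_newtls_stat()`, which, going by the anvil(8) text in this patch about retrieving the rate without updating the counter, does not increment it; the count only changes after the handshake, via `anvil_clnt_newtls()` in smtpd_start_tls. The check is also skipped whenever the anvil query does not return `ANVIL_STAT_OK`, so the limit fails open. The copied `XXX` block above the condition only covers the xclient exemption, so I would add `/* Advisory pre-check: the count is updated after the handshake in smtpd_start_tls(); a failed anvil query does not block STARTTLS. */`. starttls_cmd starts and ends outside the hunk.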
@@ -3278,13 +3294,28 @@ static void smtpd_proto(SMTPD_STATE *state, const char *service) * the STARTTLS command. This code does not return when the handshake * fails. * - * XXX We must start TLS before we can apply the connection and rate - * limits, because otherwise there is no way to report transgressions - * to the client. This is unfortunate. + * XXX We start TLS before we apply access control, concurrency or + * connection rate limits, so that we can inform the client why + * service is denied. This means we spend a lot of CPU just to tell + * the client that we don't provide service. TLS wrapper mode is + * obsolete, so we don't have to provide perfect support. */ #ifdef USE_TLS - if (SMTPD_STAND_ALONE(state) == 0 && var_smtpd_tls_wrappermode) + if (SMTPD_STAND_ALONE(state) == 0 && var_smtpd_tls_wrappermode) { + if (var_smtpd_cntls_limit > 0 + && !xclient_allowed + && anvil_clnt + && !namadr_list_match(hogger_list, state->name, state->addr) + && anvil_clnt_newtls_stat(anvil_clnt, state->service, + state->addr, &crate) == ANVIL_STAT_OK + && crate > var_smtpd_cntls_limit) { + state->error_mask |= MAIL_ERROR_POLICY; + msg_warn("Refusing TLS service request from %s for service %s", + state->namaddr, state->service); + break; + } smtpd_start_tls(state); + } #endif /* @@ -3305,6 +3336,7 @@ static void smtpd_proto(SMTPD_STATE *state, const char *service) && anvil_clnt_connect(anvil_clnt, service, state->addr, &count, &crate) == ANVIL_STAT_OK) { if (var_smtpd_cconn_limit > 0 && count > var_smtpd_cconn_limit) { + state->error_mask |= MAIL_ERROR_POLICY; smtpd_chat_reply(state, "421 4.7.0 %s Error: too many connections from %s", var_myhostname, state->addr); msg_warn("Connection concurrency limit exceeded: %d from %s for service %s",
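Review bot: The rewritten block comment in the @@ -3278 hunk says TLS is started before limits are applied so that the client can be told why service is denied, but the check added below it runs before `smtpd_start_tls(state)` and leaves with `break`, with no reply and no `state->reason` set in the visible lines. The comment should name that exception, for example `/* The new-TLS-session pre-check is the exception: it runs before the handshake and ends the session without a reply. */`. The same condition chain now appears three times (here, in starttls_cmd at @@ -3141 and in smtpd_start_tls at @@ -3079) with small differences in order. A shared macro or static helper would keep the exemptions (`xclient_allowed`, `hogger_list`) from drifting apart. smtpd_proto continues outside the hunk.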