postfix-2.3-20051011

2025-08-30 13:48:06 +00:00 · 2005-10-11 00:00:00 -05:00
parent 88a2e39fc7
commit 9dba3caad0
21 changed files with 128 additions and 82 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -11177,9 +11177,19 @@ Apologies for any names omitted.
 	due to expensive crypto operations.  Files: global/anvil_clnt.c,
 	anvil/anvil.c, smtpd/smtpd.c.
-	Cleanup: eliminated code duplicatiom in the anvil server
+	Cleanup: eliminated massive code duplicatiom in the anvil
-	that resulted from adding similar features one at a time.
+	server that resulted from adding similar features one at a
-	File: anvil/anvil.c.
+	time.  File: anvil/anvil.c.
 20051011
 	Bugfix: raise the "policy violation" flag when a client
 	request exceeds a concurrency or rate limit.  File:
 	smtpd/smtpd.c.
 	Bugfix (cut-and-paste error): don't reply with 421 (too
 	many MAIL FROM or RCPT TO commands) when we aren't closing
 	the connection.  File: smtpd/smtpd.c.
 Open problems:
--- a/postfix/README_FILES/SMTPD_POLICY_README
+++ b/postfix/README_FILES/SMTPD_POLICY_README
@@ -18,7 +18,7 @@ Policy delegation is now the preferred method for adding policies to Postfix.
 It's much easier to develop a new feature in few lines of Perl, than trying to
 do the same in C code. The difference in performance will be unnoticeable
 except in the most demanding environments. On active systems a policy daemon
-process is used multiple times, for up to 100 incoming SMTP connections.
+process is used multiple times, for up to $max_use incoming SMTP connections.
 This document covers the following topics:
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -17,7 +17,7 @@ Incompatibility with Postfix 2.1 and earlier
 If you upgrade from Postfix 2.1 or earlier, read RELEASE_NOTES-2.2
 before proceeding.
-Incompatibility with snapshot 20050923
+Incompatibility with snapshot 20051011
 ======================================
 The Postfix local(8) delivery agent no longer updates its idea of
@@ -26,9 +26,25 @@ files. With deeply nested aliases or .forward files, this can greatly
 reduce the number of queue files and cleanup process instances. To
 get the earlier behavior, specify "frozen_delivered_to = no".
-The frozen_delivered_to feature also fixes an old problem with
+The frozen_delivered_to feature also fixes a long-standing problem
-duplicate deliveries to recipients that are listed in multiple
+with multiple deliveries to recipients that are listed in multiple
-nested aliases.
+nested aliases, but does so only when only the top-level alias has
 an owner- alias, and none of the subordinate aliases.
 Major changes with snapshot 20051011
 ====================================
 Optional protection against SMTP clients that hammer the server
 with too many new (i.e. uncached) SMTP-over-TLS sessions. Cached
 sessions are much less expensive in terms of CPU cycles. Use the
 smtpd_client_new_tls_session_rate_limit parameter to specify a limit
 that is at least the inbound client concurrency limit, or else you
 may deny legitimate service requests.
 Optional suppression of remote SMTP client hostname lookup and
 hostname verification. Specify "smtpd_peername_lookup = no" to
 eliminate DNS lookup latencies, but do so only under extreme
 conditions, as it makes Postfix logging less informative.
 Incompatibility with snapshot 20050828
 ======================================
--- a/postfix/conf/aliases
+++ b/postfix/conf/aliases
@@ -201,12 +201,6 @@ decode:		root
 #               Delivered-To:  address  while  expanding aliases or
 #               .forward files.
 # 
 #        sticky_owner_alias
 #               When expanding a local(8) alias that has  an  owner
 #               alias  (see  owner-name  discussion above), use the
 #               owner information even when the expansion invokes a
 #               subordinate alias that has no owner alias.
 # 
 # STANDARDS
 #        RFC 822 (ARPA Internet Text Messages)
 # 
--- a/postfix/html/SMTPD_POLICY_README.html
+++ b/postfix/html/SMTPD_POLICY_README.html
@@ -37,7 +37,7 @@ to Postfix. It's much easier to develop a new feature in few lines
 of Perl, than trying to do the same in C code. The difference in
 performance will be unnoticeable except in the most demanding
 environments. On active systems a policy daemon process is used
-multiple times, for up to 100 incoming SMTP connections. </p>
+multiple times, for up to $<a href="postconf.5.html#max_use">max_use</a> incoming SMTP connections. </p>
 <p> This document covers the following topics: </p>
--- a/postfix/html/aliases.5.html
+++ b/postfix/html/aliases.5.html
@@ -169,12 +169,6 @@ ALIASES(5)                                                          ALIASES(5)
              Delivered-To:  address  while  expanding aliases or
              .forward files.
       <b><a href="postconf.5.html#sticky_owner_alias">sticky_owner_alias</a></b>
              When expanding a <a href="local.8.html">local(8)</a> alias that has  an  owner
              alias  (see  owner-<i>name</i>  discussion above), use the
              owner information even when the expansion invokes a
              subordinate alias that has no owner alias.
 <b>STANDARDS</b>
       <a href="http://www.faqs.org/rfcs/rfc822.html">RFC 822</a> (ARPA Internet Text Messages)
--- a/postfix/html/anvil.8.html
+++ b/postfix/html/anvil.8.html
@@ -97,14 +97,14 @@ ANVIL(8)                                                              ANVIL(8)
           <b>rate=</b><i>number</i>
       To retrieve new TLS session request rate information with-
-       out updating the counter information, use:
+       out updating the counter information, send:
           <b>request=newtls_report</b>
           <b>ident=</b><i>string</i>
       The <a href="anvil.8.html"><b>anvil</b>(8)</a> server answers with the  number  of  new  TLS
       session  requests  per unit time for the (service, client)
-       combination specified with <b>ident</b>.
+       combination specified with <b>ident</b>:
           <b>status=0</b>
           <b>rate=</b><i>number</i>
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@@ -587,8 +587,8 @@ SMTPD(8)                                                              SMTPD(8)
       <b><a href="postconf.5.html#smtpd_client_new_tls_session_rate_limit">smtpd_client_new_tls_session_rate_limit</a> (0)</b>
              The maximal number of new (i.e., uncached) TLS ses-
-              sions  that any client is allowed to negotiate with
+              sions that a remote SMTP client is allowed to nego-
-              this service per time unit.
+              tiate with this service per time unit.
 <b>TARPIT CONTROLS</b>
       When a remote SMTP client makes errors, the  Postfix  SMTP
--- a/postfix/man/man5/aliases.5
+++ b/postfix/man/man5/aliases.5
@@ -153,11 +153,6 @@ Update the local(8) delivery agent's Delivered-To: address
 (see prepend_delivered_header) only once, at the start of
 a delivery; do not update the Delivered-To: address while
 expanding aliases or .forward files.
 .IP \fBsticky_owner_alias\fR
 When expanding a local(8) alias that has an owner alias
 (see owner-\fIname\fR discussion above), use the owner
 information even when the expansion invokes a subordinate
 alias that has no owner alias.
 .SH "STANDARDS"
 .na
 .nf
--- a/postfix/man/man8/anvil.8
+++ b/postfix/man/man8/anvil.8
@@ -138,7 +138,7 @@ combination specified with \fBident\fR:
 .in
 .PP
 To retrieve new TLS session request rate information without
-updating the counter information, use:
+updating the counter information, send:
 .PP
 .in +4
 \fBrequest=newtls_report\fR
@@ -148,7 +148,7 @@ updating the counter information, use:
 .PP
 The \fBanvil\fR(8) server answers with the number of new
 TLS session requests per unit time for the (service, client)
-combination specified with \fBident\fR.
+combination specified with \fBident\fR:
 .PP
 .in +4
 \fBstatus=0\fR
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@@ -481,8 +481,9 @@ or SMTP request rate restrictions.
 .PP
 Available in Postfix version 2.3 and later:
 .IP "\fBsmtpd_client_new_tls_session_rate_limit (0)\fR"
-The maximal number of new (i.e., uncached) TLS sessions that any
+The maximal number of new (i.e., uncached) TLS sessions that a
-client is allowed to negotiate with this service per time unit.
+remote SMTP client is allowed to negotiate with this service per
 time unit.
 .SH "TARPIT CONTROLS"
 .na
 .nf
--- a/postfix/proto/SMTPD_POLICY_README.html
+++ b/postfix/proto/SMTPD_POLICY_README.html
@@ -37,7 +37,7 @@ to Postfix. It's much easier to develop a new feature in few lines
 of Perl, than trying to do the same in C code. The difference in
 performance will be unnoticeable except in the most demanding
 environments. On active systems a policy daemon process is used
-multiple times, for up to 100 incoming SMTP connections. </p>
+multiple times, for up to $max_use incoming SMTP connections. </p>
 <p> This document covers the following topics: </p>
--- a/postfix/proto/aliases
+++ b/postfix/proto/aliases
@@ -141,11 +141,6 @@
 #	(see prepend_delivered_header) only once, at the start of
 #	a delivery; do not update the Delivered-To: address while
 #	expanding aliases or .forward files.
 # .IP \fBsticky_owner_alias\fR
 #	When expanding a local(8) alias that has an owner alias
 #	(see owner-\fIname\fR discussion above), use the owner
 #	information even when the expansion invokes a subordinate
 #	alias that has no owner alias.
 # STANDARDS
 #	RFC 822 (ARPA Internet Text Messages)
 # SEE ALSO
--- a/postfix/src/anvil/anvil.c
+++ b/postfix/src/anvil/anvil.c
@@ -124,7 +124,7 @@
 /* .in
 /* .PP
 /*	To retrieve new TLS session request rate information without
-/*	updating the counter information, use:
+/*	updating the counter information, send:
 /* .PP
 /* .in +4
 /*	\fBrequest=newtls_report\fR
@@ -134,7 +134,7 @@
 /* .PP
 /*	The \fBanvil\fR(8) server answers with the number of new
 /*	TLS session requests per unit time for the (service, client)
-/*	combination specified with \fBident\fR.
+/*	combination specified with \fBident\fR:
 /* .PP
 /* .in +4
 /*	\fBstatus=0\fR
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20051010"
+#define MAIL_RELEASE_DATE	"20051011"
 #define MAIL_VERSION_NUMBER	"2.3"
 #ifdef SNAPSHOT
--- a/postfix/src/global/smtp_stream.c
+++ b/postfix/src/global/smtp_stream.c
@@ -96,6 +96,12 @@
 /* .IP SMTP_ERR_TIME
 /*	The time limit specified to smtp_timeout_setup() was exceeded.
 /* .IP SMTP_ERR_PROTO
 /*	A protocol error happened.
 /*	This error is never generated by the smtp_stream(3) module, but
 /*	is defined for application-specific use.
 /* .IP SMTP_ERR_QUIET
 /*	Perform silent cleanup; the error was already reported by
 /*	the application.
 /*	This error is never generated by the smtp_stream(3) module, but
 /*	is defined for application-specific use.
 /* BUGS
--- a/postfix/src/global/smtp_stream.h
+++ b/postfix/src/global/smtp_stream.h
@@ -29,6 +29,7 @@
 #define SMTP_ERR_EOF	1		/* unexpected client disconnect */
 #define SMTP_ERR_TIME	2		/* time out */
 #define SMTP_ERR_PROTO	3		/* protocol (application) */
 #define SMTP_ERR_QUIET	4		/* silent cleanup (application) */
 extern void smtp_timeout_setup(VSTREAM *, int);
 extern void PRINTFLIKE(2, 3) smtp_printf(VSTREAM *, const char *,...);
--- a/postfix/src/lmtp/lmtp_trouble.c
+++ b/postfix/src/lmtp/lmtp_trouble.c
@@ -381,7 +381,7 @@ int     lmtp_stream_except(LMTP_STATE *state, int code, const char *description)
    case SMTP_ERR_PROTO:
 	lmtp_fill_dsn(state, &dsn, DSN_BY_LOCAL_MTA,
 		      "4.5.0", "403 remote protocol error",
-		      "protocol error in reply from %s while %s",
+		      "remote protocol error in reply from %s while %s",
 		      session->namaddr, description);
 	break;
    }
--- a/postfix/src/local/alias.c
+++ b/postfix/src/local/alias.c
@@ -260,9 +260,11 @@ int     deliver_alias(LOCAL_STATE state, USER_ATTR usr_attr,
 		&& (owner_rhs = maps_find(alias_maps, owner, DICT_FLAG_NONE)) != 0) {
 		canon_owner = canon_addr_internal(vstring_alloc(10),
 				     var_exp_own_alias ? owner_rhs : owner);
 		/* Set envelope sender and owner attribute. */
 		SET_OWNER_ATTR(state.msg_attr, STR(canon_owner), state.level);
 	    } else {
 		canon_owner = 0;
 		/* Note: this does not reset the envelope sender. */
 		RESET_OWNER_ATTR(state.msg_attr, state.level);
 	    }
--- a/postfix/src/smtp/smtp_trouble.c
+++ b/postfix/src/smtp/smtp_trouble.c
@@ -435,7 +435,7 @@ int     smtp_stream_except(SMTP_STATE *state, int code, const char *description)
    case SMTP_ERR_PROTO:
 	smtp_fill_dsn(state, &dsn, DSN_BY_LOCAL_MTA,
 		      "4.5.0", "403 remote protocol error",
-		      "protocol error in reply from %s while %s",
+		      "remote protocol error in reply from %s while %s",
 		      session->namaddr, description);
 	break;
    }
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -443,8 +443,9 @@
 /* .PP
 /*	Available in Postfix version 2.3 and later:
 /* .IP "\fBsmtpd_client_new_tls_session_rate_limit (0)\fR"
-/*	The maximal number of new (i.e., uncached) TLS sessions that any
+/*	The maximal number of new (i.e., uncached) TLS sessions that a
-/*	client is allowed to negotiate with this service per time unit.
+/*	remote SMTP client is allowed to negotiate with this service per
 /*	time unit.
 /* TARPIT CONTROLS
 /* .ad
 /* .fi
@@ -1562,8 +1563,9 @@ static int mail_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
 	&& anvil_clnt_mail(anvil_clnt, state->service, state->addr,
 			   &rate) == ANVIL_STAT_OK
 	&& rate > var_smtpd_cmail_limit) {
-	smtpd_chat_reply(state, "421 4.7.0 %s Error: too much mail from %s",
+	state->error_mask |= MAIL_ERROR_POLICY;
-			 var_myhostname, state->addr);
+	smtpd_chat_reply(state, "450 4.7.1 Error: too much mail from %s",
 			 state->addr);
 	msg_warn("Message delivery request rate limit exceeded: %d from %s for service %s",
 		 rate, state->namaddr, state->service);
 	return (-1);
@@ -1814,9 +1816,9 @@ static int rcpt_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
 	&& anvil_clnt_rcpt(anvil_clnt, state->service, state->addr,
 			   &rate) == ANVIL_STAT_OK
 	&& rate > var_smtpd_crcpt_limit) {
-	smtpd_chat_reply(state,
+	state->error_mask |= MAIL_ERROR_POLICY;
-			 "421 4.7.0 %s Error: too many recipients from %s",
+	smtpd_chat_reply(state, "450 4.7.1 Error: too many recipients from %s",
-			 var_myhostname, state->addr);
+			 state->addr);
 	msg_warn("Recipient address rate limit exceeded: %d from %s for service %s",
 		 rate, state->namaddr, state->service);
 	return (-1);
@@ -3041,24 +3043,6 @@ static void smtpd_start_tls(SMTPD_STATE *state)
 {
    int     rate;
    /*
     * XXX The client event count/rate control must be consistent in its use
     * of client address information in connect and disconnect events. For
     * now we exclude xclient authorized hosts from event count/rate control.
     */
    if (SMTPD_STAND_ALONE(state) == 0
 	&& !xclient_allowed
 	&& anvil_clnt
 	&& var_smtpd_cntls_limit > 0
 	&& !namadr_list_match(hogger_list, state->name, state->addr)
 	&& anvil_clnt_newtls_stat(anvil_clnt, state->service, state->addr,
 				  &rate) == ANVIL_STAT_OK
 	&& rate > var_smtpd_cntls_limit) {
 	msg_warn("Refusing STARTTLS request from %s for service %s",
 		 state->namaddr, state->service);
 	vstream_longjmp(state->client, SMTP_ERR_EOF);
    }
    /*
     * Wrapper mode uses a dedicated port and always requires TLS.
     * 
@@ -3079,20 +3063,24 @@ static void smtpd_start_tls(SMTPD_STATE *state)
     * of client address information in connect and disconnect events. For
     * now we exclude xclient authorized hosts from event count/rate control.
     */
-    if (state->tls_context
+    if (var_smtpd_cntls_limit > 0
 	&& state->tls_context
 	&& state->tls_context->session_reused == 0
 	&& SMTPD_STAND_ALONE(state) == 0
 	&& !xclient_allowed
 	&& anvil_clnt
 	&& var_smtpd_cntls_limit > 0
 	&& !namadr_list_match(hogger_list, state->name, state->addr)
 	&& anvil_clnt_newtls(anvil_clnt, state->service, state->addr,
 			     &rate) == ANVIL_STAT_OK
 	&& rate > var_smtpd_cntls_limit) {
-	msg_warn("Too many uncached TLS sessions: "
+	state->error_mask |= MAIL_ERROR_POLICY;
-		 "%d from %s for service %s",
+	smtpd_chat_reply(state,
 		    "421 4.7.0 %s Error: too many new TLS sessions from %s",
 			 var_myhostname, state->namaddr);
 	msg_warn("Too many new TLS sessions: %d from %s for service %s",
 		 rate, state->namaddr, state->service);
-	tls_reset(state);
+	/* XXX Use regular return to signal end of session. */
 	vstream_longjmp(state->client, SMTP_ERR_QUIET);
    }
    /*
@@ -3121,6 +3109,8 @@ static void smtpd_start_tls(SMTPD_STATE *state)
 static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
 {
    int     rate;
    if (argc != 1) {
 	state->error_mask |= MAIL_ERROR_PROTOCOL;
 	smtpd_chat_reply(state, "501 5.5.4 Syntax: STARTTLS");
@@ -3141,7 +3131,30 @@ static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
 	smtpd_chat_reply(state, "454 4.3.0 TLS not available due to local problem");
 	return (-1);
    }
    /*
     * XXX The client event count/rate control must be consistent in its use
     * of client address information in connect and disconnect events. For
     * now we exclude xclient authorized hosts from event count/rate control.
     */
    if (var_smtpd_cntls_limit > 0
 	&& SMTPD_STAND_ALONE(state) == 0
 	&& !xclient_allowed
 	&& anvil_clnt
 	&& !namadr_list_match(hogger_list, state->name, state->addr)
 	&& anvil_clnt_newtls_stat(anvil_clnt, state->service, state->addr,
 				  &rate) == ANVIL_STAT_OK
 	&& rate > var_smtpd_cntls_limit) {
 	state->error_mask |= MAIL_ERROR_POLICY;
 	smtpd_chat_reply(state,
 		       "454 4.7.0 Error: too many new TLS sessions from %s",
 			 state->namaddr);
 	msg_warn("Refusing STARTTLS request from %s for service %s",
 		 state->namaddr, state->service);
 	return (-1);
    }
    smtpd_chat_reply(state, "220 2.0.0 Ready to start TLS");
    /* Flush before we switch the stream's read/write routines. */
    smtp_flush(state->client);
    /*
@@ -3271,6 +3284,9 @@ static void smtpd_proto(SMTPD_STATE *state, const char *service)
 	state->reason = REASON_LOST_CONNECTION;
 	break;
    case SMTP_ERR_QUIET:
 	break;
    case 0:
 	/*
@@ -3278,13 +3294,28 @@ static void smtpd_proto(SMTPD_STATE *state, const char *service)
 	 * the STARTTLS command. This code does not return when the handshake
 	 * fails.
 	 * 
-	 * XXX We must start TLS before we can apply the connection and rate
+	 * XXX We start TLS before we apply access control, concurrency or
-	 * limits, because otherwise there is no way to report transgressions
+	 * connection rate limits, so that we can inform the client why
-	 * to the client.  This is unfortunate.
+	 * service is denied. This means we spend a lot of CPU just to tell
 	 * the client that we don't provide service. TLS wrapper mode is
 	 * obsolete, so we don't have to provide perfect support.
 	 */
 #ifdef USE_TLS
-	if (SMTPD_STAND_ALONE(state) == 0 && var_smtpd_tls_wrappermode)
+	if (SMTPD_STAND_ALONE(state) == 0 && var_smtpd_tls_wrappermode) {
 	    if (var_smtpd_cntls_limit > 0
 		&& !xclient_allowed
 		&& anvil_clnt
 		&& !namadr_list_match(hogger_list, state->name, state->addr)
 		&& anvil_clnt_newtls_stat(anvil_clnt, state->service,
 				       state->addr, &crate) == ANVIL_STAT_OK
 		&& crate > var_smtpd_cntls_limit) {
 		state->error_mask |= MAIL_ERROR_POLICY;
 		msg_warn("Refusing TLS service request from %s for service %s",
 			 state->namaddr, state->service);
 		break;
 	    }
 	    smtpd_start_tls(state);
 	}
 #endif
 	/*
@@ -3305,6 +3336,7 @@ static void smtpd_proto(SMTPD_STATE *state, const char *service)
 	    && anvil_clnt_connect(anvil_clnt, service, state->addr,
 				  &count, &crate) == ANVIL_STAT_OK) {
 	    if (var_smtpd_cconn_limit > 0 && count > var_smtpd_cconn_limit) {
 		state->error_mask |= MAIL_ERROR_POLICY;
 		smtpd_chat_reply(state, "421 4.7.0 %s Error: too many connections from %s",
 				 var_myhostname, state->addr);
 		msg_warn("Connection concurrency limit exceeded: %d from %s for service %s",