postfix-2.3-20051011

postfix/HISTORY

@@ -11177,9 +11177,19 @@ Apologies for any names omitted.
 	due to expensive crypto operations.  Files: global/anvil_clnt.c,
 	anvil/anvil.c, smtpd/smtpd.c.
 
-	Cleanup: eliminated code duplicatiom in the anvil server
-	that resulted from adding similar features one at a time.
-	File: anvil/anvil.c.
+	Cleanup: eliminated massive code duplicatiom in the anvil
+	server that resulted from adding similar features one at a
+	time.  File: anvil/anvil.c.
+
+20051011
+
+	Bugfix: raise the "policy violation" flag when a client
+	request exceeds a concurrency or rate limit.  File:
+	smtpd/smtpd.c.
+
+	Bugfix (cut-and-paste error): don't reply with 421 (too
+	many MAIL FROM or RCPT TO commands) when we aren't closing
+	the connection.  File: smtpd/smtpd.c.
 
 Open problems:
 

postfix/README_FILES/SMTPD_POLICY_README

@@ -18,7 +18,7 @@ Policy delegation is now the preferred method for adding policies to Postfix.
 It's much easier to develop a new feature in few lines of Perl, than trying to
 do the same in C code. The difference in performance will be unnoticeable
 except in the most demanding environments. On active systems a policy daemon
-process is used multiple times, for up to 100 incoming SMTP connections.
+process is used multiple times, for up to $max_use incoming SMTP connections.
 
 This document covers the following topics:
 

postfix/RELEASE_NOTES

@@ -17,7 +17,7 @@ Incompatibility with Postfix 2.1 and earlier
 If you upgrade from Postfix 2.1 or earlier, read RELEASE_NOTES-2.2
 before proceeding.
 
-Incompatibility with snapshot 20050923
+Incompatibility with snapshot 20051011
 ======================================
 
 The Postfix local(8) delivery agent no longer updates its idea of
@@ -26,9 +26,25 @@ files. With deeply nested aliases or .forward files, this can greatly
 reduce the number of queue files and cleanup process instances. To
 get the earlier behavior, specify "frozen_delivered_to = no".
 
-The frozen_delivered_to feature also fixes an old problem with
-duplicate deliveries to recipients that are listed in multiple
-nested aliases.
+The frozen_delivered_to feature also fixes a long-standing problem
+with multiple deliveries to recipients that are listed in multiple
+nested aliases, but does so only when only the top-level alias has
+an owner- alias, and none of the subordinate aliases.
+
+Major changes with snapshot 20051011
+====================================
+
+Optional protection against SMTP clients that hammer the server
+with too many new (i.e. uncached) SMTP-over-TLS sessions. Cached
+sessions are much less expensive in terms of CPU cycles. Use the
+smtpd_client_new_tls_session_rate_limit parameter to specify a limit
+that is at least the inbound client concurrency limit, or else you
+may deny legitimate service requests.
+
+Optional suppression of remote SMTP client hostname lookup and
+hostname verification. Specify "smtpd_peername_lookup = no" to
+eliminate DNS lookup latencies, but do so only under extreme
+conditions, as it makes Postfix logging less informative.
 
 Incompatibility with snapshot 20050828
 ======================================

postfix/conf/aliases

@@ -201,12 +201,6 @@ decode:		root
 #               Delivered-To:  address  while  expanding aliases or
 #               .forward files.
 # 
-#        sticky_owner_alias
-#               When expanding a local(8) alias that has  an  owner
-#               alias  (see  owner-name  discussion above), use the
-#               owner information even when the expansion invokes a
-#               subordinate alias that has no owner alias.
-# 
 # STANDARDS
 #        RFC 822 (ARPA Internet Text Messages)
 # 
@@ -217,12 +211,12 @@ decode:		root
 #        postconf(5), configuration parameters
 # 
 # README FILES
-#        Use  "postconf  readme_directory" or "postconf html_direc-
+#        Use "postconf readme_directory" or  "postconf  html_direc-
 #        tory" to locate this information.
 #        DATABASE_README, Postfix lookup table overview
 # 
 # LICENSE
-#        The Secure Mailer license must be  distributed  with  this
+#        The  Secure  Mailer  license must be distributed with this
 #        software.
 # 
 # AUTHOR(S)

postfix/html/SMTPD_POLICY_README.html

@@ -37,7 +37,7 @@ to Postfix. It's much easier to develop a new feature in few lines
 of Perl, than trying to do the same in C code. The difference in
 performance will be unnoticeable except in the most demanding
 environments. On active systems a policy daemon process is used
-multiple times, for up to 100 incoming SMTP connections. </p>
+multiple times, for up to $<a href="postconf.5.html#max_use">max_use</a> incoming SMTP connections. </p>
 
 <p> This document covers the following topics: </p>
 

postfix/html/aliases.5.html

@@ -169,12 +169,6 @@ ALIASES(5)                                                          ALIASES(5)
               Delivered-To:  address  while  expanding aliases or
               .forward files.
 
-       <b><a href="postconf.5.html#sticky_owner_alias">sticky_owner_alias</a></b>
-              When expanding a <a href="local.8.html">local(8)</a> alias that has  an  owner
-              alias  (see  owner-<i>name</i>  discussion above), use the
-              owner information even when the expansion invokes a
-              subordinate alias that has no owner alias.
-
 <b>STANDARDS</b>
        <a href="http://www.faqs.org/rfcs/rfc822.html">RFC 822</a> (ARPA Internet Text Messages)
 
@@ -188,7 +182,7 @@ ALIASES(5)                                                          ALIASES(5)
        <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
 
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 <b>AUTHOR(S)</b>

postfix/html/anvil.8.html

@@ -97,14 +97,14 @@ ANVIL(8)                                                              ANVIL(8)
            <b>rate=</b><i>number</i>
 
        To retrieve new TLS session request rate information with-
-       out updating the counter information, use:
+       out updating the counter information, send:
 
            <b>request=newtls_report</b>
            <b>ident=</b><i>string</i>
 
        The <a href="anvil.8.html"><b>anvil</b>(8)</a> server answers with the  number  of  new  TLS
        session  requests  per unit time for the (service, client)
-       combination specified with <b>ident</b>.
+       combination specified with <b>ident</b>:
 
            <b>status=0</b>
            <b>rate=</b><i>number</i>

postfix/html/smtpd.8.html

@@ -587,8 +587,8 @@ SMTPD(8)                                                              SMTPD(8)
 
        <b><a href="postconf.5.html#smtpd_client_new_tls_session_rate_limit">smtpd_client_new_tls_session_rate_limit</a> (0)</b>
               The maximal number of new (i.e., uncached) TLS ses-
-              sions  that any client is allowed to negotiate with
-              this service per time unit.
+              sions that a remote SMTP client is allowed to nego-
+              tiate with this service per time unit.
 
 <b>TARPIT CONTROLS</b>
        When a remote SMTP client makes errors, the  Postfix  SMTP

postfix/man/man5/aliases.5

@@ -153,11 +153,6 @@ Update the local(8) delivery agent's Delivered-To: address
 (see prepend_delivered_header) only once, at the start of
 a delivery; do not update the Delivered-To: address while
 expanding aliases or .forward files.
-.IP \fBsticky_owner_alias\fR
-When expanding a local(8) alias that has an owner alias
-(see owner-\fIname\fR discussion above), use the owner
-information even when the expansion invokes a subordinate
-alias that has no owner alias.
 .SH "STANDARDS"
 .na
 .nf

postfix/man/man8/anvil.8

@@ -138,7 +138,7 @@ combination specified with \fBident\fR:
 .in
 .PP
 To retrieve new TLS session request rate information without
-updating the counter information, use:
+updating the counter information, send:
 .PP
 .in +4
 \fBrequest=newtls_report\fR
@@ -148,7 +148,7 @@ updating the counter information, use:
 .PP
 The \fBanvil\fR(8) server answers with the number of new
 TLS session requests per unit time for the (service, client)
-combination specified with \fBident\fR.
+combination specified with \fBident\fR:
 .PP
 .in +4
 \fBstatus=0\fR

postfix/man/man8/smtpd.8

@@ -481,8 +481,9 @@ or SMTP request rate restrictions.
 .PP
 Available in Postfix version 2.3 and later:
 .IP "\fBsmtpd_client_new_tls_session_rate_limit (0)\fR"
-The maximal number of new (i.e., uncached) TLS sessions that any
-client is allowed to negotiate with this service per time unit.
+The maximal number of new (i.e., uncached) TLS sessions that a
+remote SMTP client is allowed to negotiate with this service per
+time unit.
 .SH "TARPIT CONTROLS"
 .na
 .nf

postfix/proto/SMTPD_POLICY_README.html

@@ -37,7 +37,7 @@ to Postfix. It's much easier to develop a new feature in few lines
 of Perl, than trying to do the same in C code. The difference in
 performance will be unnoticeable except in the most demanding
 environments. On active systems a policy daemon process is used
-multiple times, for up to 100 incoming SMTP connections. </p>
+multiple times, for up to $max_use incoming SMTP connections. </p>
 
 <p> This document covers the following topics: </p>
 

postfix/proto/aliases

@@ -141,11 +141,6 @@
 #	(see prepend_delivered_header) only once, at the start of
 #	a delivery; do not update the Delivered-To: address while
 #	expanding aliases or .forward files.
-# .IP \fBsticky_owner_alias\fR
-#	When expanding a local(8) alias that has an owner alias
-#	(see owner-\fIname\fR discussion above), use the owner
-#	information even when the expansion invokes a subordinate
-#	alias that has no owner alias.
 # STANDARDS
 #	RFC 822 (ARPA Internet Text Messages)
 # SEE ALSO

postfix/src/anvil/anvil.c

@@ -124,7 +124,7 @@
 /* .in
 /* .PP
 /*	To retrieve new TLS session request rate information without
-/*	updating the counter information, use:
+/*	updating the counter information, send:
 /* .PP
 /* .in +4
 /*	\fBrequest=newtls_report\fR
@@ -134,7 +134,7 @@
 /* .PP
 /*	The \fBanvil\fR(8) server answers with the number of new
 /*	TLS session requests per unit time for the (service, client)
-/*	combination specified with \fBident\fR.
+/*	combination specified with \fBident\fR:
 /* .PP
 /* .in +4
 /*	\fBstatus=0\fR

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20051010"
+#define MAIL_RELEASE_DATE	"20051011"
 #define MAIL_VERSION_NUMBER	"2.3"
 
 #ifdef SNAPSHOT

postfix/src/global/smtp_stream.c

@@ -96,6 +96,12 @@
 /* .IP SMTP_ERR_TIME
 /*	The time limit specified to smtp_timeout_setup() was exceeded.
 /* .IP SMTP_ERR_PROTO
+/*	A protocol error happened.
+/*	This error is never generated by the smtp_stream(3) module, but
+/*	is defined for application-specific use.
+/* .IP SMTP_ERR_QUIET
+/*	Perform silent cleanup; the error was already reported by
+/*	the application.
 /*	This error is never generated by the smtp_stream(3) module, but
 /*	is defined for application-specific use.
 /* BUGS

postfix/src/global/smtp_stream.h

@@ -29,6 +29,7 @@
 #define SMTP_ERR_EOF	1		/* unexpected client disconnect */
 #define SMTP_ERR_TIME	2		/* time out */
 #define SMTP_ERR_PROTO	3		/* protocol (application) */
+#define SMTP_ERR_QUIET	4		/* silent cleanup (application) */
 
 extern void smtp_timeout_setup(VSTREAM *, int);
 extern void PRINTFLIKE(2, 3) smtp_printf(VSTREAM *, const char *,...);

postfix/src/lmtp/lmtp_trouble.c

@@ -381,7 +381,7 @@ int     lmtp_stream_except(LMTP_STATE *state, int code, const char *description)
     case SMTP_ERR_PROTO:
 	lmtp_fill_dsn(state, &dsn, DSN_BY_LOCAL_MTA,
 		      "4.5.0", "403 remote protocol error",
-		      "protocol error in reply from %s while %s",
+		      "remote protocol error in reply from %s while %s",
 		      session->namaddr, description);
 	break;
     }

postfix/src/local/alias.c

@@ -260,9 +260,11 @@ int     deliver_alias(LOCAL_STATE state, USER_ATTR usr_attr,
 		&& (owner_rhs = maps_find(alias_maps, owner, DICT_FLAG_NONE)) != 0) {
 		canon_owner = canon_addr_internal(vstring_alloc(10),
 				     var_exp_own_alias ? owner_rhs : owner);
+		/* Set envelope sender and owner attribute. */
 		SET_OWNER_ATTR(state.msg_attr, STR(canon_owner), state.level);
 	    } else {
 		canon_owner = 0;
+		/* Note: this does not reset the envelope sender. */
 		RESET_OWNER_ATTR(state.msg_attr, state.level);
 	    }
 

postfix/src/smtp/smtp_trouble.c

@@ -435,7 +435,7 @@ int     smtp_stream_except(SMTP_STATE *state, int code, const char *description)
     case SMTP_ERR_PROTO:
 	smtp_fill_dsn(state, &dsn, DSN_BY_LOCAL_MTA,
 		      "4.5.0", "403 remote protocol error",
-		      "protocol error in reply from %s while %s",
+		      "remote protocol error in reply from %s while %s",
 		      session->namaddr, description);
 	break;
     }

postfix/src/smtpd/smtpd.c

@@ -443,8 +443,9 @@
 /* .PP
 /*	Available in Postfix version 2.3 and later:
 /* .IP "\fBsmtpd_client_new_tls_session_rate_limit (0)\fR"
-/*	The maximal number of new (i.e., uncached) TLS sessions that any
-/*	client is allowed to negotiate with this service per time unit.
+/*	The maximal number of new (i.e., uncached) TLS sessions that a
+/*	remote SMTP client is allowed to negotiate with this service per
+/*	time unit.
 /* TARPIT CONTROLS
 /* .ad
 /* .fi
@@ -1562,8 +1563,9 @@ static int mail_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
 	&& anvil_clnt_mail(anvil_clnt, state->service, state->addr,
 			   &rate) == ANVIL_STAT_OK
 	&& rate > var_smtpd_cmail_limit) {
-	smtpd_chat_reply(state, "421 4.7.0 %s Error: too much mail from %s",
-			 var_myhostname, state->addr);
+	state->error_mask |= MAIL_ERROR_POLICY;
+	smtpd_chat_reply(state, "450 4.7.1 Error: too much mail from %s",
+			 state->addr);
 	msg_warn("Message delivery request rate limit exceeded: %d from %s for service %s",
 		 rate, state->namaddr, state->service);
 	return (-1);
@@ -1814,9 +1816,9 @@ static int rcpt_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
 	&& anvil_clnt_rcpt(anvil_clnt, state->service, state->addr,
 			   &rate) == ANVIL_STAT_OK
 	&& rate > var_smtpd_crcpt_limit) {
-	smtpd_chat_reply(state,
-			 "421 4.7.0 %s Error: too many recipients from %s",
-			 var_myhostname, state->addr);
+	state->error_mask |= MAIL_ERROR_POLICY;
+	smtpd_chat_reply(state, "450 4.7.1 Error: too many recipients from %s",
+			 state->addr);
 	msg_warn("Recipient address rate limit exceeded: %d from %s for service %s",
 		 rate, state->namaddr, state->service);
 	return (-1);
@@ -3041,24 +3043,6 @@ static void smtpd_start_tls(SMTPD_STATE *state)
 {
     int     rate;
 
-    /*
-     * XXX The client event count/rate control must be consistent in its use
-     * of client address information in connect and disconnect events. For
-     * now we exclude xclient authorized hosts from event count/rate control.
-     */
-    if (SMTPD_STAND_ALONE(state) == 0
-	&& !xclient_allowed
-	&& anvil_clnt
-	&& var_smtpd_cntls_limit > 0
-	&& !namadr_list_match(hogger_list, state->name, state->addr)
-	&& anvil_clnt_newtls_stat(anvil_clnt, state->service, state->addr,
-				  &rate) == ANVIL_STAT_OK
-	&& rate > var_smtpd_cntls_limit) {
-	msg_warn("Refusing STARTTLS request from %s for service %s",
-		 state->namaddr, state->service);
-	vstream_longjmp(state->client, SMTP_ERR_EOF);
-    }
-
     /*
      * Wrapper mode uses a dedicated port and always requires TLS.
      * 
@@ -3079,20 +3063,24 @@ static void smtpd_start_tls(SMTPD_STATE *state)
      * of client address information in connect and disconnect events. For
      * now we exclude xclient authorized hosts from event count/rate control.
      */
-    if (state->tls_context
+    if (var_smtpd_cntls_limit > 0
+	&& state->tls_context
 	&& state->tls_context->session_reused == 0
 	&& SMTPD_STAND_ALONE(state) == 0
 	&& !xclient_allowed
 	&& anvil_clnt
-	&& var_smtpd_cntls_limit > 0
 	&& !namadr_list_match(hogger_list, state->name, state->addr)
 	&& anvil_clnt_newtls(anvil_clnt, state->service, state->addr,
 			     &rate) == ANVIL_STAT_OK
 	&& rate > var_smtpd_cntls_limit) {
-	msg_warn("Too many uncached TLS sessions: "
-		 "%d from %s for service %s",
+	state->error_mask |= MAIL_ERROR_POLICY;
+	smtpd_chat_reply(state,
+		    "421 4.7.0 %s Error: too many new TLS sessions from %s",
+			 var_myhostname, state->namaddr);
+	msg_warn("Too many new TLS sessions: %d from %s for service %s",
 		 rate, state->namaddr, state->service);
-	tls_reset(state);
+	/* XXX Use regular return to signal end of session. */
+	vstream_longjmp(state->client, SMTP_ERR_QUIET);
     }
 
     /*
@@ -3121,6 +3109,8 @@ static void smtpd_start_tls(SMTPD_STATE *state)
 
 static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
 {
+    int     rate;
+
     if (argc != 1) {
 	state->error_mask |= MAIL_ERROR_PROTOCOL;
 	smtpd_chat_reply(state, "501 5.5.4 Syntax: STARTTLS");
@@ -3141,7 +3131,30 @@ static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
 	smtpd_chat_reply(state, "454 4.3.0 TLS not available due to local problem");
 	return (-1);
     }
+
+    /*
+     * XXX The client event count/rate control must be consistent in its use
+     * of client address information in connect and disconnect events. For
+     * now we exclude xclient authorized hosts from event count/rate control.
+     */
+    if (var_smtpd_cntls_limit > 0
+	&& SMTPD_STAND_ALONE(state) == 0
+	&& !xclient_allowed
+	&& anvil_clnt
+	&& !namadr_list_match(hogger_list, state->name, state->addr)
+	&& anvil_clnt_newtls_stat(anvil_clnt, state->service, state->addr,
+				  &rate) == ANVIL_STAT_OK
+	&& rate > var_smtpd_cntls_limit) {
+	state->error_mask |= MAIL_ERROR_POLICY;
+	smtpd_chat_reply(state,
+		       "454 4.7.0 Error: too many new TLS sessions from %s",
+			 state->namaddr);
+	msg_warn("Refusing STARTTLS request from %s for service %s",
+		 state->namaddr, state->service);
+	return (-1);
+    }
     smtpd_chat_reply(state, "220 2.0.0 Ready to start TLS");
+    /* Flush before we switch the stream's read/write routines. */
     smtp_flush(state->client);
 
     /*
@@ -3271,6 +3284,9 @@ static void smtpd_proto(SMTPD_STATE *state, const char *service)
 	state->reason = REASON_LOST_CONNECTION;
 	break;
 
+    case SMTP_ERR_QUIET:
+	break;
+
     case 0:
 
 	/*
@@ -3278,13 +3294,28 @@ static void smtpd_proto(SMTPD_STATE *state, const char *service)
 	 * the STARTTLS command. This code does not return when the handshake
 	 * fails.
 	 * 
-	 * XXX We must start TLS before we can apply the connection and rate
-	 * limits, because otherwise there is no way to report transgressions
-	 * to the client.  This is unfortunate.
+	 * XXX We start TLS before we apply access control, concurrency or
+	 * connection rate limits, so that we can inform the client why
+	 * service is denied. This means we spend a lot of CPU just to tell
+	 * the client that we don't provide service. TLS wrapper mode is
+	 * obsolete, so we don't have to provide perfect support.
 	 */
 #ifdef USE_TLS
-	if (SMTPD_STAND_ALONE(state) == 0 && var_smtpd_tls_wrappermode)
+	if (SMTPD_STAND_ALONE(state) == 0 && var_smtpd_tls_wrappermode) {
+	    if (var_smtpd_cntls_limit > 0
+		&& !xclient_allowed
+		&& anvil_clnt
+		&& !namadr_list_match(hogger_list, state->name, state->addr)
+		&& anvil_clnt_newtls_stat(anvil_clnt, state->service,
+				       state->addr, &crate) == ANVIL_STAT_OK
+		&& crate > var_smtpd_cntls_limit) {
+		state->error_mask |= MAIL_ERROR_POLICY;
+		msg_warn("Refusing TLS service request from %s for service %s",
+			 state->namaddr, state->service);
+		break;
+	    }
 	    smtpd_start_tls(state);
+	}
 #endif
 
 	/*
@@ -3305,6 +3336,7 @@ static void smtpd_proto(SMTPD_STATE *state, const char *service)
 	    && anvil_clnt_connect(anvil_clnt, service, state->addr,
 				  &count, &crate) == ANVIL_STAT_OK) {
 	    if (var_smtpd_cconn_limit > 0 && count > var_smtpd_cconn_limit) {
+		state->error_mask |= MAIL_ERROR_POLICY;
 		smtpd_chat_reply(state, "421 4.7.0 %s Error: too many connections from %s",
 				 var_myhostname, state->addr);
 		msg_warn("Connection concurrency limit exceeded: %d from %s for service %s",