snapshot-20011210

postfix/HISTORY

@@ -5759,13 +5759,17 @@ Apologies for any names omitted.
 	third-party patches such as TLS that introduce their own
 	files into the jail.
 
-	Feature: disable the PIX workaround for mail that is queued
-	for less than $minimal_backoff_time seconds.
-
 	Feature: static map type that always returns the map name
 	as lookup value, regardless of lookup key value. Contributed
 	Jeff Miller (jeffm at ghostgun.com)
 
+	Feature: turn off the PIX <CR><LF>.<CR><LF> workaround for
+	the first mail delivery attempt, i.e. when mail is queued
+	for less than $smtp_pix_workaround_threshold_time (default:
+	500) seconds. New parameter $smtp_pix_workaround_delay_time
+	to control the delay before sending .<CR><LF> (default: 10
+	seconds) when doing the PIX <CR><LF>.<CR><LF> workaround.
+
 Open problems:
 
 	Low: after reorganizing configuration parameters, add flags

postfix/RELEASE_NOTES

@@ -1,3 +1,45 @@
+Incompatible changes with snapshot-20011210
+===========================================
+
+Postfix SMTPD access maps no longer match non-local mail addresses
+that contain multiple domains (user@dom1@dom2, user%dom1@dom2,
+etcetera).  This change prevents false or spurious matches.
+Non-local multi-domain addresses are already prohibited from matching
+permit_mx_backup and the relay_domains-based restrictions.
+
+Stricter checking of Postfix chroot configurations.  The Postfix
+startup procedure now warns if "system" directories (etc, bin, lib,
+usr) under the Postfix top-level queue directory are not owned by
+the super-user (usually the result of well-intended, but misguided,
+applications of "chroot -R postfix /var/spool/postfix).
+
+The Postfix sendmail command no longer exits with status 1 when
+mail submission fails, but instead returns a sendmail-compatible
+status code as defined in /usr/include/sysexits.h.
+
+Major changes with snapshot-20011210
+====================================
+
+Updated LDAP client module by LaMont Jones, with control over
+verbose logging of LDAP library routines.
+
+More usable virtual delivery agent, thanks to a new "static" map
+type by Jeff Miller that always returns its map name as the lookup
+result. This eliminates the need for per-recipient user ID and
+group ID tables.  See the VIRTUAL_README file for more details.
+
+Much-needed documentation on how to configure header/body filters:
+sample regexp and pcre lookup tables for header/body filtering,
+and updated examples in the regexp_table(5) and pcre_table(5) manual
+pages.
+
+Configurable PIX firewall <CR><LF>.<CR><LF> bug workaround behavior:
+the workaround is turned off when mail is queued for less than
+$smtp_pix_workaround_threshold_time seconds (default:  500 seconds)
+so that the workaround is normally enabled only for deferred mail.
+The delay before sending .<CR><LF> is now controlled by the
+$smtp_pix_workaround_delay_time setting (default: 10 seconds).
+
 Major changes with snapshot-20011127
 ====================================
 

postfix/VIRTUAL_README

@@ -1,6 +1,6 @@
 This code was created by Andrew McNamara <andrew@connect.com.au>
-and adapted to snapshot 50001121 by Xavier Beaudouin. It was merged
-with mainstream Postfix for 20010128 by Wietse.
+and adapted to snapshot 20001121 by Xavier Beaudouin. It was merged
+with mainstream Postfix for snapshot 20010128 by Wietse.
 
 Purpose of this software
 ========================
@@ -16,7 +16,7 @@ This is what Andrew McNamara wrote when he made the virtual delivery
 agent available.
 
 "This code is designed for ISP's who offer virtual mail hosting.
-It looks up the location, uid and gid of user mailboxes via separate
+It looks up the user mailbox location, uid and gid via separate
 maps, and the mailbox location map can specify either mailbox or
 maildir delivery (controlled by trailing slash on mailbox name).
 
@@ -37,11 +37,17 @@ The result is the most secure local delivery agent that you will
 find with Postfix.
 
 This delivery agent requires three different lookup tables in order
-to define its recipients. This is because Postfix table lookups
-can't return multiple results. Until that limitation is fixed, use
-an LDAP or MYSQL database if it is too inconvenient for you to
-maintain three parallel tables (or generate the three tables from
-one common template).
+to define its recipients as (mailbox path, user ID, group ID). This
+is because Postfix table lookups can't return multiple results.
+
+If your virtual mailboxes are all owned by the same user/group ID,
+just specify "static" maps that always return the same result. See
+below for examples.
+
+If your virtual mailboxes must be owned by different user/group
+IDs, and if it is too inconvenient for you to maintain three parallel
+tables, use an LDAP or MYSQL database (or generate the three parallel
+tables from one common template).
 
 Configuration parameters
 ========================
@@ -119,7 +125,7 @@ virtual_mailbox_lock
 
 virtual_mailbox_size
 
-    An upper limit on the size of a mailbox or maildir file.
+    An upper limit on the size of a mailbox file or maildir file.
 
 Example 1: using the virtual delivery agent for all local mail
 ==============================================================
@@ -157,6 +163,8 @@ types.
     # Example recipients, one UNIX-style mailbox, one qmail-style maildir:
 
     /etc/postfix/vmailbox:
+	virtual1.domain		dummy to prevent relay access denied errors
+	virtual2.domain		dummy to prevent relay access denied errors
 	test1@virtual1.domain test1
 	test2@virtual2.domain test2/
 
@@ -226,6 +234,8 @@ types.
     # Example recipients, one UNIX-style mailbox, one qmail-style maildir:
 
     /etc/postfix/vmailbox:
+	virtual1.domain		dummy to prevent relay access denied errors
+	virtual2.domain		dummy to prevent relay access denied errors
 	test1@virtual1.domain test1
 	test2@virtual2.domain test2/
 

postfix/conf/pcre_table

@@ -65,20 +65,24 @@
 #        string may need to be written as  ${n}  or  $(n)  if  they
 #        aren't followed by whitespace.
 # 
-# EXAMPLES
+# EXAMPLE SMTPD ACCESS MAP
 #        # Protect your outgoing majordomo exploders
-#        /^(?!owner-)(.*)-outgoing@(my.domain)$/    550 Use ${1}@${2} instead
+#        /^(?!owner-)(.*)-outgoing@/     550 Use ${1}@${2} instead
 # 
 #        # Bounce friend@whatever, except when whatever is our domain (you would
 #        # be better just bouncing all friend@ mail - this is just an example).
-#        /^friend@(?!my.domain).*$/         550 Stick this in your pipe $0
+#        /^friend@(?!my\.domain)/        550 Stick this in your pipe $0
 # 
 #        # A multi-line entry. The text is sent as one line.
 #        #
-#        /^noddy@connect.com.au$/
+#        /^noddy@my\.domain$/
 #         550 This user is a funny one. You really don't want to send mail to
 #         them as it only makes their head spin.
 # 
+# EXAMPLE HEADER FILTER MAP
+#        /^Subject: make money fast/     REJECT
+#        /^To: friend@public\.com/        REJECT
+# 
 # SEE ALSO
 #        regexp_table(5) format of POSIX regular expression tables
 # 

postfix/conf/regexp_table

@@ -68,17 +68,22 @@
 #        macros in the result string may need to be written as ${n}
 #        or $(n) if they aren't followed by whitespace.
 # 
-# EXAMPLES
+# EXAMPLE SMTPD ACCESS MAP
 #        # Disallow sender-specified routing. This is a must if you relay mail
 #        # for other domains.
 #        /[%!@].*[%!@]/            550 Sender-specified routing rejected
 # 
 #        # Postmaster is OK, that way they can talk to us about how to fix
 #        # their problem.
-#        /^postmaster@.*$/         OK
+#        /^postmaster@/            OK
 # 
 #        # Protect your outgoing majordomo exploders
-#        /^(.*)-outgoing@(.*)$/!/^owner-.*/      550 Use ${1}@${2} instead
+#        /^(.*)-outgoing@(.*)$/!/^owner-/        550 Use ${1}@${2} instead
+# 
+# EXAMPLE HEADER FILTER MAP
+#        # These were once common in junk mail.
+#        /^Subject: make money fast/     REJECT
+#        /^To: friend@public\.com/        REJECT
 # 
 # SEE ALSO
 #        pcre_table(5) format of PCRE tables

postfix/conf/sample-pcre-access.cf

@@ -1,6 +1,7 @@
 # 
 #	Sample pcre (PERL-compatible regular expression) map file for
-#	SMTPD access control. See pcre_table(5) for syntax description.
+#	SMTPD access control. See pcre_table(5) and access(5) for
+#	syntax descriptions.
 #
 #	The first field is a perl-like regular expression. The expression
 #	delimiter can be any character except whitespace, or characters
@@ -38,16 +39,16 @@
 
 # Protect your outgoing majordomo exploders
 #
-/^(?!owner-)(.*)-outgoing@(connect.com.au)$/	550 Use ${1}@${2} instead
+/^(?!owner-)(.*)-outgoing@/		550 Use ${1}@${2} instead
 
 
 # Bounce friend@whatever, except when whatever is our domain (you would
 # be better just bouncing all friend@ mail - this is just an example).
 #
-/^friend@(?!connect.com.au).*$/		550 Stick this in your pipe $0
+/^friend@(?!my\.domain)/		550 Stick this in your pipe $0
 
 # A multi-line response
 #
-/^noddy@connect.com.au$/
+/^noddy@my\.domain$/
  550 This user is a funny one. You really don't want to send mail to them
  as it only makes their head spin. 

postfix/conf/sample-pcre-body.cf

@@ -0,0 +1,38 @@
+# 
+#	Sample pcre (PERL-compatible regular expression) map file for
+#	mail body filtering. See pcre_table(5) for syntax description.
+#
+#	Mail body lines are filtered one line at a time. In particular,
+#	multi-line MIME headers in the message body are filtered one text
+#	line at a time.
+#
+#	The first field is a perl-like regular expression. The expression
+#	delimiter can be any character except whitespace, or characters
+#	that have special meaning to the regexp library (traditionally
+#	the forward slash is used). The regular expression can contain
+#	whitespace.
+#
+#	By default, matching is case-INsensitive, although following
+#	the second slash with an 'i' will reverse this. Other flags are
+#	supported, but the only other useful one is 'U', which makes
+#	matching ungreedy (see PCRE documentation and source for more
+#	info).
+#
+#	The second field is the "replacement" string - the text
+#	returned by the match. 
+#
+#	REJECT		The entire message is rejected.
+#	REJECT text.... The text is sent to the originator.
+#	IGNORE		The line is silently discarded.
+#	WARN		The line is logged (not rejected) with a warning.
+#
+#	Substitution of sub-strings from the matched expression is
+#	possible using the conventional perl syntax. The macros in the
+#	replacement string may need to be protected with curly braces
+#	if they aren't followed by whitespace (see the examples
+#	below).
+#
+#	Lines starting with whitespace are continuation lines - they are
+#	appended to the previous line (there should be no whitespace
+#	before your regular expression!)
+#

postfix/conf/sample-pcre-header.cf

@@ -0,0 +1,41 @@
+# 
+#	Sample pcre (PERL-compatible regular expression) map file for
+#	message header filtering. See pcre_table(5) for syntax description.
+#
+#	Message headers are filtered one at a time. This filter understands
+#	multi-line message headers. However, the message header filter has
+#	no knowledge of MIME headers that are embedded in the message body.
+#
+#	The first field is a perl-like regular expression. The expression
+#	delimiter can be any character except whitespace, or characters
+#	that have special meaning to the regexp library (traditionally
+#	the forward slash is used). The regular expression can contain
+#	whitespace.
+#
+#	By default, matching is case-INsensitive, although following
+#	the second slash with an 'i' will reverse this. Other flags are
+#	supported, but the only other useful one is 'U', which makes
+#	matching ungreedy (see PCRE documentation and source for more
+#	info).
+#
+#	The second field is the "replacement" string - the text
+#	returned by the match. 
+#
+#	REJECT		The entire message is rejected.
+#	REJECT text.... The text is sent to the originator.
+#	IGNORE		The header line is silently discarded.
+#	WARN		The header is logged (not rejected) with a warning.
+#
+#	Substitution of sub-strings from the matched expression is
+#	possible using the conventional perl syntax. The macros in the
+#	replacement string may need to be protected with curly braces
+#	if they aren't followed by whitespace (see the examples
+#	below).
+#
+#	Lines starting with whitespace are continuation lines - they are
+#	appended to the previous line (there should be no whitespace
+#	before your regular expression!)
+#
+
+/^Subject: Make Money Fast/	REJECT
+/^To: friend@public.com/	REJECT

postfix/conf/sample-regexp-access.cf

@@ -1,7 +1,9 @@
 # Sample regexp SMTPD access lookup "table". See regexp_table(5)
-# for a description of the syntax.
+# and access(5) for a description of the syntax.
 #
-# Format is /regexp/flags or /regexp/flags!/regexp/flags
+# The general format of a table entry is PATTERN RESULT.
+#
+# The pattern format is /regexp/flags or /regexp/flags!/regexp/flags
 # where regexp is a regular expression as found in regexp(5), and flags are
 #   i: toggle ignore case (REG_ICASE - default is to ignore case)
 #   x: toggle extended expression (REG_EXTENDED - default is extended)
@@ -10,13 +12,15 @@
 # In order for a line to match, the first regexp must match, and the
 # second (if present) must not match.  The first matching line wins,
 # terminating processing of the ruleset.
+#
+# The result syntax is described in the access(5) manual page.
 
 # Disallow sender-specified routing. This is a must if you relay mail
 #for other domains.
 /[%!@].*@/				550 Sender-specified routing rejected
 
 # Postmaster is OK, that way they can talk to us about how to fix their problem.
-/^postmaster@.*$/			OK
+/^postmaster@/				OK
 
 # Protect your outgoing majordomo exploders
 /^(.*)-outgoing@(.*)$/!/^owner-.*/	550 Use ${1}@${2} instead

postfix/conf/sample-regexp-body.cf

@@ -0,0 +1,26 @@
+# Sample regexp message body filter lookup "table". See regexp_table(5)
+# for a description of the syntax.
+#
+# Mail body lines are filtered one line at a time. In particular, multi-line
+# MIME headers in the message body are filtered one text line at a time.
+#
+# The general format of a table entry is PATTERN RESULT.
+#
+# The pattern format is /regexp/flags or /regexp/flags!/regexp/flags
+# where regexp is a regular expression as found in regexp(5), and flags are
+#   i: toggle ignore case (REG_ICASE - default is to ignore case)
+#   x: toggle extended expression (REG_EXTENDED - default is extended)
+#   m: toggle multiline mode (REG_NEWLINE - default is non-multiline mode)
+#
+# In order for a line to match, the first regexp must match, and the
+# second (if present) must not match.  The first matching line wins,
+# terminating processing of the ruleset.
+#
+# The result is one of the following:
+#   REJECT          The entire message is rejected.
+#   REJECT text.... The text is sent to the originator.
+#   IGNORE          The header line is silently discarded.
+#   WARN            The header is logged (not rejected) with a warning.
+
+/^Subject: Make Money Fast/	REJECT
+/^To: friend@public.com/	REJECT

postfix/conf/sample-regexp-header.cf

@@ -0,0 +1,27 @@
+# Sample regexp message header filter lookup "table". See regexp_table(5)
+# for a description of the syntax.
+#
+# Message headers are filtered one at a time. This filter understands
+# multi-line mail headers. However, the message header filter has no
+# knowledge of MIME headers that are embedded in the message body.
+#
+# The general format of a table entry is PATTERN RESULT. 
+#
+# The pattern format is /regexp/flags or /regexp/flags!/regexp/flags
+# where regexp is a regular expression as found in regexp(5), and flags are
+#   i: toggle ignore case (REG_ICASE - default is to ignore case)
+#   x: toggle extended expression (REG_EXTENDED - default is extended)
+#   m: toggle multiline mode (REG_NEWLINE - default is non-multiline mode)
+#
+# In order for a line to match, the first regexp must match, and the
+# second (if present) must not match.  The first matching line wins,
+# terminating processing of the ruleset.
+#
+# The result is one of the following:
+#   REJECT          the entire message is rejected.
+#   REJECT text.... The text is sent to the originator.
+#   IGNORE          the header line is silently discarded.
+#   WARN            the header is logged (not rejected) with a warning.
+
+/^Subject: Make Money Fast/	REJECT
+/^To: friend@public.com/	REJECT

postfix/conf/sample-smtp.cf

@@ -99,6 +99,29 @@ smtp_skip_5xx_greeting = yes
 # 
 smtp_skip_quit_response = yes
 
+# The smtp_pix_workaround_sleep_time parameter specifies how long
+# the Postfix SMTP client pauses before sending .<CR><LF>, in order
+# to work around the PIX firewall <CR><LF>.<CR><LF> bug.
+#
+# The default delay is 10 seconds.  Choosing a too short time makes
+# this workaround ineffective while sending large messages over slow
+# network connections.
+#
+smtp_pix_workaround_delay_time = 10s
+
+# The smtp_pix_workaround_threshold_time parameter specifies how
+# long a message must be queued before the PIX firewall <CR><LF>.<CR><LF>
+# bug workaround is turned on.
+# 
+# By default, the workaround is turned off for mail that is queued
+# for less than 500 seconds. In other words, the workaround is normally
+# turned off for the first delivery attempt.
+# 
+# Specify 0 to enable the PIX firewall <CR><LF>.<CR><LF> bug workaround
+# upon the first delivery attempt.
+# 
+smtp_pix_workaround_threshold_time = 500s
+
 #
 # RATE CONTROLS
 #

postfix/conf/sample-smtpd.cf

@@ -376,6 +376,10 @@ smtpd_recipient_restrictions = permit_mynetworks,check_relay_domains
 # be tricked into forwarding junk mail to a primary MX host which
 # then spams it out to the world.
 #
+# This parameter also controls if non-local addresses with sender-specified
+# routing can match Postfix access tables. By default, such addresses
+# cannot match Postfix access tables, because the address is ambigous.
+#
 allow_untrusted_routing = no
 
 # The maps_rbl_domains parameter specifies an optional list of DNS

postfix/conf/transport

@@ -150,6 +150,11 @@
 #        details  and  for  default  values. Use the postfix reload
 #        command after a configuration change.
 # 
+#        parent_domain_matches_subdomains (versions >= 20011119)
+#               List of Postfix features that use domain.name  pat-
+#               terns  to  match  sub.domain.name  (as  opposed  to
+#               requiring .domain.name patterns).
+# 
 #        transport_maps
 #               List of transport lookup tables.
 # 
@@ -167,16 +172,17 @@
 #        postmap(1) create mapping table
 #        trivial-rewrite(8) rewrite and resolve addresses
 #        pcre_table(5) format of PCRE tables
+# 
+#                                                                 3
+# 
+# TRANSPORT(5)                                         TRANSPORT(5)
+# 
 #        regexp_table(5) format of POSIX regular expression tables
 # 
 # LICENSE
 #        The Secure Mailer license must be  distributed  with  this
 #        software.
 # 
-#                                                                 3
-# 
-# TRANSPORT(5)                                         TRANSPORT(5)
-# 
 # AUTHOR(S)
 #        Wietse Venema
 #        IBM T.J. Watson Research

postfix/html/pcre_table.5.html

@@ -62,20 +62,24 @@ PCRE_TABLE(5)                                       PCRE_TABLE(5)
        string may need to be written as  ${n}  or  $(n)  if  they
        aren't followed by whitespace.
 
-<b>EXAMPLES</b>
+<b>EXAMPLE</b> <b>SMTPD</b> <b>ACCESS</b> <b>MAP</b>
        # Protect your outgoing majordomo exploders
-       /^(?!owner-)(.*)-outgoing@(my.domain)$/    550 Use ${1}@${2} instead
+       /^(?!owner-)(.*)-outgoing@/     550 Use ${1}@${2} instead
 
        # Bounce friend@whatever, except when whatever is our domain (you would
        # be better just bouncing all friend@ mail - this is just an example).
-       /^friend@(?!my.domain).*$/         550 Stick this in your pipe $0
+       /^friend@(?!my\.domain).*$/     550 Stick this in your pipe $0
 
        # A multi-line entry. The text is sent as one line.
        #
-       /^noddy@connect.com.au$/
+       /^noddy@my\.domain$/
         550 This user is a funny one. You really don't want to send mail to
         them as it only makes their head spin.
 
+<b>EXAMPLE</b> <b>HEADER</b> <b>FILTER</b> <b>MAP</b>
+       /^Subject: make money fast/     REJECT
+       /^To: friend@public\.com/        REJECT
+
 <b>SEE</b> <b>ALSO</b>
        <a href="regexp_table.5.html">regexp_table(5)</a> format of POSIX regular expression tables
 

postfix/html/regexp_table.5.html

@@ -64,7 +64,7 @@ REGEXP_TABLE(5)                                   REGEXP_TABLE(5)
        macros in the result string may need to be written as ${n}
        or $(n) if they aren't followed by whitespace.
 
-<b>EXAMPLES</b>
+<b>EXAMPLE</b> <b>SMTPD</b> <b>ACCESS</b> <b>MAP</b>
        # Disallow sender-specified routing. This is a must if you relay mail
        # for other domains.
        /[%!@].*[%!@]/            550 Sender-specified routing rejected
@@ -76,6 +76,11 @@ REGEXP_TABLE(5)                                   REGEXP_TABLE(5)
        # Protect your outgoing majordomo exploders
        /^(.*)-outgoing@(.*)$/!/^owner-.*/      550 Use ${1}@${2} instead
 
+<b>EXAMPLE</b> <b>HEADER</b> <b>FILTER</b> <b>MAP</b>
+       # These were once common in junk mail.
+       /^Subject: make money fast/     REJECT
+       /^To: friend@public\.com/        REJECT
+
 <b>SEE</b> <b>ALSO</b>
        <a href="pcre_table.5.html">pcre_table(5)</a> format of PCRE tables
 

postfix/html/smtp.8.html

@@ -117,24 +117,34 @@ SMTP(8)                                                   SMTP(8)
        <b>smtp</b><i>_</i><b>never</b><i>_</i><b>send</b><i>_</i><b>ehlo</b>
               Never send EHLO at the start of a connection.
 
+       <b>smtp</b><i>_</i><b>bind</b><i>_</i><b>address</b>
+              Numerical source network address to  bind  to  when
+              making a connection.
+
        <b>smtp</b><i>_</i><b>break</b><i>_</i><b>lines</b>
               Break  lines  &gt;  <b>$line</b><i>_</i><b>length</b><i>_</i><b>limit</b>  into  multiple
               shorter lines.  Some SMTP servers misbehave on long
               lines.
 
        <b>smtp</b><i>_</i><b>skip</b><i>_</i><b>4xx</b><i>_</i><b>greeting</b>
-              Skip servers that greet us with a 4xx status  code.
+              Skip  servers that greet us with a 4xx status code.
 
        <b>smtp</b><i>_</i><b>skip</b><i>_</i><b>5xx</b><i>_</i><b>greeting</b>
-              Skip  servers that greet us with a 5xx status code.
+              Skip servers that greet us with a 5xx status  code.
 
        <b>smtp</b><i>_</i><b>skip</b><i>_</i><b>quit</b><i>_</i><b>response</b>
-              Do not wait for the server response  after  sending
+              Do  not  wait for the server response after sending
               QUIT.
 
-       <b>smtp</b><i>_</i><b>bind</b><i>_</i><b>address</b>
-              Numerical  network address to bind to when making a
-              connection.
+       <b>smtp</b><i>_</i><b>pix</b><i>_</i><b>workaround</b><i>_</i><b>delay</b><i>_</i><b>time</b>
+              The time to pause before sending  .&lt;CR&gt;&lt;LF&gt;,  while
+              working    around    the    CISCO    PIX   firewall
+              &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt; bug.
+
+       <b>smtp</b><i>_</i><b>pix</b><i>_</i><b>workaround</b><i>_</i><b>threshold</b><i>_</i><b>time</b>
+              The time a message must be queued before the  CISCO
+              PIX  firewall  &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;  bug workaround is
+              turned on.
 
 <b>Authentication</b> <b>controls</b>
        <b>smtp</b><i>_</i><b>enable</b><i>_</i><b>sasl</b><i>_</i><b>auth</b>

postfix/man/man5/pcre_table.5

@@ -56,21 +56,26 @@ Substitution of substrings from the matched expression into the result
 string is possible using the conventional perl syntax ($1, $2, etc.).
 The macros in the result string may need to be written as ${n}
 or $(n) if they aren't followed by whitespace.
-.SH EXAMPLES
+.SH EXAMPLE SMTPD ACCESS MAP
 .na
 .nf
 # Protect your outgoing majordomo exploders
-/^(?!owner-)(.*)-outgoing@(my\.domain)$/    550 Use ${1}@${2} instead
+/^(?!owner-)(.*)-outgoing@/     550 Use ${1}@${2} instead
 
 # Bounce friend@whatever, except when whatever is our domain (you would
 # be better just bouncing all friend@ mail - this is just an example).
-/^friend@(?!my\.domain).*$/         550 Stick this in your pipe $0
+/^friend@(?!my\\.domain)/        550 Stick this in your pipe $0
 
 # A multi-line entry. The text is sent as one line.
 #
-/^noddy@connect\.com\.au$/
+/^noddy@my\\.domain$/
 \ 550 This user is a funny one. You really don't want to send mail to
 \ them as it only makes their head spin.
+.SH EXAMPLE HEADER FILTER MAP
+.na
+.nf
+/^Subject: make money fast/     REJECT
+/^To: friend@public\\.com/        REJECT
 .SH SEE ALSO
 .na
 .nf

postfix/man/man5/regexp_table.5

@@ -58,7 +58,7 @@ Substitution of substrings from the matched expression into the result
 string is possible using $1, $2, etc.. The macros in the result string
 may need to be written as ${n} or $(n) if they aren't followed
 by whitespace.
-.SH EXAMPLES
+.SH EXAMPLE SMTPD ACCESS MAP
 .na
 .nf
 # Disallow sender-specified routing. This is a must if you relay mail
@@ -67,10 +67,16 @@ by whitespace.
 
 # Postmaster is OK, that way they can talk to us about how to fix
 # their problem.
-/^postmaster@.*$/         OK
+/^postmaster@/            OK
 
 # Protect your outgoing majordomo exploders
-/^(.*)-outgoing@(.*)$/!/^owner-.*/      550 Use ${1}@${2} instead
+/^(.*)-outgoing@(.*)$/!/^owner-/        550 Use ${1}@${2} instead
+.SH EXAMPLE HEADER FILTER MAP
+.na
+.nf
+# These were once common in junk mail.
+/^Subject: make money fast/     REJECT
+/^To: friend@public\\.com/        REJECT
 .SH SEE ALSO
 .na
 .nf

postfix/man/man8/smtp.8

@@ -111,6 +111,8 @@ postmaster with transcripts of SMTP sessions with protocol errors.
 Always send EHLO at the start of a connection.
 .IP \fBsmtp_never_send_ehlo\fR
 Never send EHLO at the start of a connection.
+.IP \fBsmtp_bind_address\fR
+Numerical source network address to bind to when making a connection.
 .IP \fBsmtp_break_lines\fR
 Break lines > \fB$line_length_limit\fR into multiple shorter lines.
 Some SMTP servers misbehave on long lines.
@@ -120,8 +122,12 @@ Skip servers that greet us with a 4xx status code.
 Skip servers that greet us with a 5xx status code.
 .IP \fBsmtp_skip_quit_response\fR
 Do not wait for the server response after sending QUIT.
-.IP \fBsmtp_bind_address\fR
-Numerical network address to bind to when making a connection.
+.IP \fBsmtp_pix_workaround_delay_time\fR
+The time to pause before sending .<CR><LF>, while working
+around the CISCO PIX firewall <CR><LF>.<CR><LF> bug.
+.IP \fBsmtp_pix_workaround_threshold_time\fR
+The time a message must be queued before the CISCO PIX firewall
+<CR><LF>.<CR><LF> bug workaround is turned on.
 .SH "Authentication controls"
 .IP \fBsmtp_enable_sasl_auth\fR
 Enable per-session authentication as per RFC 2554 (SASL).

postfix/proto/pcre_table

@@ -50,19 +50,22 @@
 #	string is possible using the conventional perl syntax ($1, $2, etc.).
 #	The macros in the result string may need to be written as ${n}
 #	or $(n) if they aren't followed by whitespace.
-# EXAMPLES
+# EXAMPLE SMTPD ACCESS MAP
 #	# Protect your outgoing majordomo exploders
-#	/^(?!owner-)(.*)-outgoing@(my\.domain)$/    550 Use ${1}@${2} instead
+#	/^(?!owner-)(.*)-outgoing@/     550 Use ${1}@${2} instead
 #
 #	# Bounce friend@whatever, except when whatever is our domain (you would
 #	# be better just bouncing all friend@ mail - this is just an example).
-#	/^friend@(?!my\.domain).*$/         550 Stick this in your pipe $0
+#	/^friend@(?!my\\.domain)/        550 Stick this in your pipe $0
 #
 #	# A multi-line entry. The text is sent as one line.
 #	#
-#	/^noddy@connect\.com\.au$/
+#	/^noddy@my\\.domain$/
 #	\ 550 This user is a funny one. You really don't want to send mail to
 #	\ them as it only makes their head spin.
+# EXAMPLE HEADER FILTER MAP
+#	/^Subject: make money fast/     REJECT
+#	/^To: friend@public\\.com/        REJECT
 # SEE ALSO
 #	regexp_table(5) format of POSIX regular expression tables
 # AUTHOR(S)

postfix/proto/regexp_table

@@ -52,17 +52,21 @@
 #	string is possible using $1, $2, etc.. The macros in the result string
 #	may need to be written as ${n} or $(n) if they aren't followed
 #	by whitespace.
-# EXAMPLES
+# EXAMPLE SMTPD ACCESS MAP
 #	# Disallow sender-specified routing. This is a must if you relay mail
 #	# for other domains.
 #	/[%!@].*[%!@]/            550 Sender-specified routing rejected
 #
 #	# Postmaster is OK, that way they can talk to us about how to fix
 #	# their problem.
-#	/^postmaster@.*$/         OK
+#	/^postmaster@/            OK
 #
 #	# Protect your outgoing majordomo exploders
-#	/^(.*)-outgoing@(.*)$/!/^owner-.*/      550 Use ${1}@${2} instead
+#	/^(.*)-outgoing@(.*)$/!/^owner-/        550 Use ${1}@${2} instead
+# EXAMPLE HEADER FILTER MAP
+#	# These were once common in junk mail.
+#	/^Subject: make money fast/     REJECT
+#	/^To: friend@public\\.com/        REJECT
 # SEE ALSO
 #	pcre_table(5) format of PCRE tables
 # AUTHOR(S)

postfix/src/global/mail_params.h

@@ -733,6 +733,14 @@ extern bool var_smtp_rand_addr;
 #define DEF_SMTP_BREAK_LINES	1
 extern bool var_smtp_break_lines;
 
+#define VAR_SMTP_PIX_THRESH	"smtp_pix_workaround_threshold_time"
+#define DEF_SMTP_PIX_THRESH	"500s"
+extern int var_smtp_pix_thresh;
+
+#define VAR_SMTP_PIX_DELAY	"smtp_pix_workaround_delay_time"
+#define DEF_SMTP_PIX_DELAY	"10s"
+extern int var_smtp_pix_delay;
+
  /*
   * SMTP server. The soft error limit determines how many errors an SMTP
   * client may make before we start to slow down; the hard error limit

postfix/src/global/mail_stream.c

@@ -281,6 +281,9 @@ MAIL_STREAM *mail_stream_command(const char *command)
 	sleep(10);
     }
     argv_free(export_env);
+    vstream_control(stream,
+		    VSTREAM_CTL_PATH, command,
+		    VSTREAM_CTL_END);
 
     if (attr_scan(stream, ATTR_FLAG_MISSING,
 		  ATTR_TYPE_STR, MAIL_ATTR_QUEUEID, id_buf, 0) != 1) {

postfix/src/sendmail/sendmail.c

@@ -416,6 +416,7 @@ static void enqueue(const int flags, const char *sender, const char *full_name,
 				  MAIL_CLASS_PUBLIC, MAIL_SERVICE_PICKUP);
 	sendmail_path = mystrdup(VSTREAM_PATH(handle->stream));
     } else {
+	errno = 0;
 	postdrop_command = concatenate(var_command_dir, "/postdrop",
 			      msg_verbose ? " -v" : (char *) 0, (char *) 0);
 	if ((handle = mail_stream_command(postdrop_command)) == 0)

postfix/src/smtp/smtp.c

@@ -95,6 +95,8 @@
 /*	Always send EHLO at the start of a connection.
 /* .IP \fBsmtp_never_send_ehlo\fR
 /*	Never send EHLO at the start of a connection.
+/* .IP \fBsmtp_bind_address\fR
+/*	Numerical source network address to bind to when making a connection.
 /* .IP \fBsmtp_break_lines\fR
 /*	Break lines > \fB$line_length_limit\fR into multiple shorter lines.
 /*	Some SMTP servers misbehave on long lines.
@@ -104,8 +106,12 @@
 /*	Skip servers that greet us with a 5xx status code.
 /* .IP \fBsmtp_skip_quit_response\fR
 /*	Do not wait for the server response after sending QUIT.
-/* .IP \fBsmtp_bind_address\fR
-/*	Numerical network address to bind to when making a connection.
+/* .IP \fBsmtp_pix_workaround_delay_time\fR
+/*	The time to pause before sending .<CR><LF>, while working
+/*	around the CISCO PIX firewall <CR><LF>.<CR><LF> bug.
+/* .IP \fBsmtp_pix_workaround_threshold_time\fR
+/*	The time a message must be queued before the CISCO PIX firewall
+/*	<CR><LF>.<CR><LF> bug workaround is turned on.
 /* .SH "Authentication controls"
 /* .IP \fBsmtp_enable_sasl_auth\fR
 /*	Enable per-session authentication as per RFC 2554 (SASL).
@@ -254,7 +260,8 @@ bool    var_smtp_sasl_enable;
 char   *var_smtp_bind_addr;
 bool    var_smtp_rand_addr;
 bool    var_smtp_break_lines;
-int     var_min_backoff_time;
+int     var_smtp_pix_thresh;
+int     var_smtp_pix_delay;
 
  /*
   * Global variables. smtp_errno is set by the address lookup routines and by
@@ -417,7 +424,8 @@ int     main(int argc, char **argv)
 	VAR_SMTP_DATA1_TMOUT, DEF_SMTP_DATA1_TMOUT, &var_smtp_data1_tmout, 1, 0,
 	VAR_SMTP_DATA2_TMOUT, DEF_SMTP_DATA2_TMOUT, &var_smtp_data2_tmout, 1, 0,
 	VAR_SMTP_QUIT_TMOUT, DEF_SMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0,
-	VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
+	VAR_SMTP_PIX_THRESH, DEF_SMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0,
+	VAR_SMTP_PIX_DELAY, DEF_SMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0,
 	0,
     };
     static CONFIG_INT_TABLE int_table[] = {

postfix/src/smtp/smtp_proto.c

@@ -660,11 +660,11 @@ int     smtp_xfer(SMTP_STATE *state)
 		smtp_fputs("", 0, session->stream);
 	    if ((state->features & SMTP_FEATURE_MAYBEPIX) != 0
 		&& request->arrival_time < vstream_ftime(session->stream)
-		- var_min_backoff_time) {
+		- var_smtp_pix_thresh) {
 		msg_info("%s: enabling PIX <CRLF>.<CRLF> workaround for %s",
 			 request->queue_id, session->namaddr);
 		vstream_fflush(session->stream);/* hurts performance */
-		sleep(10);			/* not to mention this */
+		sleep(var_smtp_pix_delay);	/* not to mention this */
 	    }
 	    if (vstream_ferror(state->src))
 		msg_fatal("queue file read error");

postfix/src/smtpd/smtpd_check.c

@@ -1717,7 +1717,9 @@ static int check_mail_access(SMTPD_STATE *state, const char *table,
     /*
      * Avoid surprise matches with source-routed, non-local addresses.
      */
-    if (!resolve_local(ratsign + 1) && (reply->flags & RESOLVE_FLAG_ROUTED))
+    if (var_allow_untrust_route == 0
+	&& (reply->flags & RESOLVE_FLAG_ROUTED)
+	&& !resolve_local(ratsign + 1))
 	return (SMTPD_CHECK_DUNNO);
 
     /*

postfix/src/smtpstone/smtp-source.c

@@ -45,6 +45,8 @@
 /*	recipient address.
 /* .IP "\fB-s \fIsession_count\fR"
 /*	Run the specified number of SMTP sessions in parallel (default: 1).
+/* .IP "\fB-S \fIsubject\fR"
+/*	Send mail with the named subject line (default: none).
 /* .IP "\fB-t \fIto\fR"
 /*	Use the specified recipient address (default: <foo@myhostname>).
 /* .IP "\fB-R \fIinterval\fR"
@@ -165,6 +167,7 @@ static int connect_count = 1;
 static int random_delay = 0;
 static int fixed_delay = 0;
 static int talk_lmtp = 0;
+static char *subject = 0;
 
 static void enqueue_connect(SESSION *);
 static void start_connect(SESSION *);
@@ -653,6 +656,8 @@ static void data_done(int unused_event, char *context)
 	smtp_printf(session->stream, "Date: %s", mydate);
 	smtp_printf(session->stream, "Message-Id: <%04x.%04x.%04x@%s>",
 		    mypid, vstream_fileno(session->stream), message_count, var_myhostname);
+	if (subject)
+	    smtp_printf(session->stream, "Subject: %s", subject);
 	smtp_fputs("", 0, session->stream);
     }
 
@@ -769,7 +774,7 @@ int     main(int argc, char **argv)
     /*
      * Parse JCL.
      */
-    while ((ch = GETOPT(argc, argv, "cC:df:l:Lm:or:R:s:t:vw:")) > 0) {
+    while ((ch = GETOPT(argc, argv, "cC:df:l:Lm:or:R:s:S:t:vw:")) > 0) {
 	switch (ch) {
 	case 'c':
 	    count++;
@@ -818,6 +823,9 @@ int     main(int argc, char **argv)
 	    if ((sessions = atoi(optarg)) <= 0)
 		usage(argv[0]);
 	    break;
+	case 'S':
+	    subject = optarg;
+	    break;
 	case 't':
 	    recipient = optarg;
 	    break;