From 9fefbf22a76f3bf9db86d12779d3fb03dfb13ef1 Mon Sep 17 00:00:00 2001
From: Wietse Venema
Date: Mon, 10 Dec 2001 00:00:00 -0500
Subject: [PATCH] snapshot-20011210

---
 postfix/HISTORY | 10 +++++--
 postfix/RELEASE_NOTES | 42 ++++++++++++++++++++++++++++
 postfix/VIRTUAL_README | 28 +++++++++++++------
 postfix/conf/pcre_table | 12 +++++---
 postfix/conf/regexp_table | 11 ++++++--
 postfix/conf/sample-pcre-access.cf | 9 +++---
 postfix/conf/sample-pcre-body.cf | 38 +++++++++++++++++++++++++
 postfix/conf/sample-pcre-header.cf | 41 +++++++++++++++++++++++++++
 postfix/conf/sample-regexp-access.cf | 10 +++++--
 postfix/conf/sample-regexp-body.cf | 26 +++++++++++++++++
 postfix/conf/sample-regexp-header.cf | 27 ++++++++++++++++++
 postfix/conf/sample-smtp.cf | 23 +++++++++++++++
 postfix/conf/sample-smtpd.cf | 4 +++
 postfix/conf/transport | 14 +++++++---
 postfix/html/pcre_table.5.html | 12 +++++---
 postfix/html/regexp_table.5.html | 7 ++++-
 postfix/html/smtp.8.html | 22 +++++++++++----
 postfix/man/man5/pcre_table.5 | 13 ++++++---
 postfix/man/man5/regexp_table.5 | 12 ++++++--
 postfix/man/man8/smtp.8 | 10 +++++--
 postfix/proto/pcre_table | 11 +++++---
 postfix/proto/regexp_table | 10 +++++--
 postfix/src/global/mail_params.h | 8 ++++++
 postfix/src/global/mail_stream.c | 3 ++
 postfix/src/sendmail/sendmail.c | 1 +
 postfix/src/smtp/smtp.c | 16 ++++++++---
 postfix/src/smtp/smtp_proto.c | 4 +--
 postfix/src/smtpd/smtpd_check.c | 4 ++-
 postfix/src/smtpstone/smtp-source.c | 10 ++++++-
 29 files changed, 373 insertions(+), 65 deletions(-)
 create mode 100644 postfix/conf/sample-pcre-body.cf
 create mode 100644 postfix/conf/sample-pcre-header.cf
 create mode 100644 postfix/conf/sample-regexp-body.cf
 create mode 100644 postfix/conf/sample-regexp-header.cf

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 55d2a03e9..e7b96dc48 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -5759,13 +5759,17 @@ Apologies for any names omitted. third-party patches such as TLS that introduce their own files into the jail. - Feature: disable the PIX workaround for mail that is queued - for less than $minimal_backoff_time seconds. - Feature: static map type that always returns the map name as lookup value, regardless of lookup key value. Contributed Jeff Miller (jeffm at ghostgun.com) + Feature: turn off the PIX . workaround for + the first mail delivery attempt, i.e. when mail is queued + for less than $smtp_pix_workaround_threshold_time (default: + 500) seconds. New parameter $smtp_pix_workaround_delay_time + to control the delay before sending . (default: 10 + seconds) when doing the PIX . workaround. + Open problems: Low: after reorganizing configuration parameters, add flags diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 6e8734ad4..bd94c2723 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -1,3 +1,45 @@ +Incompatible changes with snapshot-20011210 +=========================================== + +Postfix SMTPD access maps no longer match non-local mail addresses +that contain multiple domains (user@dom1@dom2, user%dom1@dom2, +etcetera). This change prevents false or spurious matches. +Non-local multi-domain addresses are already prohibited from matching +permit_mx_backup and the relay_domains-based restrictions. + +Stricter checking of Postfix chroot configurations. The Postfix +startup procedure now warns if "system" directories (etc, bin, lib, +usr) under the Postfix top-level queue directory are not owned by +the super-user (usually the result of well-intended, but misguided, +applications of "chroot -R postfix /var/spool/postfix). + +The Postfix sendmail command no longer exits with status 1 when +mail submission fails, but instead returns a sendmail-compatible +status code as defined in /usr/include/sysexits.h. + +Major changes with snapshot-20011210 +==================================== + +Updated LDAP client module by LaMont Jones, with control over +verbose logging of LDAP library routines. + +More usable virtual delivery agent, thanks to a new "static" map +type by Jeff Miller that always returns its map name as the lookup +result. This eliminates the need for per-recipient user ID and +group ID tables. See the VIRTUAL_README file for more details. + +Much-needed documentation on how to configure header/body filters: +sample regexp and pcre lookup tables for header/body filtering, +and updated examples in the regexp_table(5) and pcre_table(5) manual +pages. + +Configurable PIX firewall . bug workaround behavior: +the workaround is turned off when mail is queued for less than +$smtp_pix_workaround_threshold_time seconds (default: 500 seconds) +so that the workaround is normally enabled only for deferred mail. +The delay before sending . is now controlled by the +$smtp_pix_workaround_delay_time setting (default: 10 seconds). 
+ Major changes with snapshot-20011127 ==================================== diff --git a/postfix/VIRTUAL_README b/postfix/VIRTUAL_README index 94ed2f529..5f845dbcb 100644 --- a/postfix/VIRTUAL_README +++ b/postfix/VIRTUAL_README @@ -1,6 +1,6 @@ This code was created by Andrew McNamara -and adapted to snapshot 50001121 by Xavier Beaudouin. It was merged -with mainstream Postfix for 20010128 by Wietse. +and adapted to snapshot 20001121 by Xavier Beaudouin. It was merged +with mainstream Postfix for snapshot 20010128 by Wietse. Purpose of this software ======================== @@ -16,7 +16,7 @@ This is what Andrew McNamara wrote when he made the virtual delivery agent available. "This code is designed for ISP's who offer virtual mail hosting. -It looks up the location, uid and gid of user mailboxes via separate +It looks up the user mailbox location, uid and gid via separate maps, and the mailbox location map can specify either mailbox or maildir delivery (controlled by trailing slash on mailbox name). 
@@ -37,11 +37,17 @@ The result is the most secure local delivery agent that you will find with Postfix. This delivery agent requires three different lookup tables in order -to define its recipients. This is because Postfix table lookups -can't return multiple results. Until that limitation is fixed, use -an LDAP or MYSQL database if it is too inconvenient for you to -maintain three parallel tables (or generate the three tables from -one common template). +to define its recipients as (mailbox path, user ID, group ID). This +is because Postfix table lookups can't return multiple results. + +If your virtual mailboxes are all owned by the same user/group ID, +just specify "static" maps that always return the same result. See +below for examples. + +If your virtual mailboxes must be owned by different user/group +IDs, and if it is too inconvenient for you to maintain three parallel +tables, use an LDAP or MYSQL database (or generate the three parallel +tables from one common template). Configuration parameters ======================== @@ -119,7 +125,7 @@ virtual_mailbox_lock virtual_mailbox_size - An upper limit on the size of a mailbox or maildir file. + An upper limit on the size of a mailbox file or maildir file. Example 1: using the virtual delivery agent for all local mail ============================================================== @@ -157,6 +163,8 @@ types. # Example recipients, one UNIX-style mailbox, one qmail-style maildir: /etc/postfix/vmailbox: + virtual1.domain dummy to prevent relay access denied errors + virtual2.domain dummy to prevent relay access denied errors test1@virtual1.domain test1 test2@virtual2.domain test2/ @@ -226,6 +234,8 @@ types. # Example recipients, one UNIX-style mailbox, one qmail-style maildir: /etc/postfix/vmailbox: + virtual1.domain dummy to prevent relay access denied errors + virtual2.domain dummy to prevent relay access denied errors test1@virtual1.domain test1 test2@virtual2.domain test2/ 
diff --git a/postfix/conf/pcre_table b/postfix/conf/pcre_table index d34d5b28d..b4f6326b8 100644 --- a/postfix/conf/pcre_table +++ b/postfix/conf/pcre_table @@ -65,20 +65,24 @@ # string may need to be written as ${n} or $(n) if they # aren't followed by whitespace. # -# EXAMPLES +# EXAMPLE SMTPD ACCESS MAP # # Protect your outgoing majordomo exploders -# /^(?!owner-)(.*)-outgoing@(my.domain)$/ 550 Use ${1}@${2} instead +# /^(?!owner-)(.*)-outgoing@/ 550 Use ${1}@${2} instead # # # Bounce friend@whatever, except when whatever is our domain (you would # # be better just bouncing all friend@ mail - this is just an example). -# /^friend@(?!my.domain).*$/ 550 Stick this in your pipe $0 +# /^friend@(?!my\.domain)/ 550 Stick this in your pipe $0 # # # A multi-line entry. The text is sent as one line. # # -# /^noddy@connect.com.au$/ +# /^noddy@my\.domain$/ # 550 This user is a funny one. You really don't want to send mail to # them as it only makes their head spin. # +# EXAMPLE HEADER FILTER MAP +# /^Subject: make money fast/ REJECT +# /^To: friend@public\.com/ REJECT +# # SEE ALSO # regexp_table(5) format of POSIX regular expression tables # diff --git a/postfix/conf/regexp_table b/postfix/conf/regexp_table index 5da339f48..cd9866d92 100644 --- a/postfix/conf/regexp_table +++ b/postfix/conf/regexp_table 
@@ -68,17 +68,22 @@ # macros in the result string may need to be written as ${n} # or $(n) if they aren't followed by whitespace. # -# EXAMPLES +# EXAMPLE SMTPD ACCESS MAP # # Disallow sender-specified routing. This is a must if you relay mail # # for other domains. # /[%!@].*[%!@]/ 550 Sender-specified routing rejected # # # Postmaster is OK, that way they can talk to us about how to fix # # their problem. -# /^postmaster@.*$/ OK +# /^postmaster@/ OK # # # Protect your outgoing majordomo exploders -# /^(.*)-outgoing@(.*)$/!/^owner-.*/ 550 Use ${1}@${2} instead +# /^(.*)-outgoing@(.*)$/!/^owner-/ 550 Use ${1}@${2} instead +# +# EXAMPLE HEADER FILTER MAP +# # These were once common in junk mail. +# /^Subject: make money fast/ REJECT +# /^To: friend@public\.com/ REJECT # # SEE ALSO # pcre_table(5) format of PCRE tables diff --git a/postfix/conf/sample-pcre-access.cf b/postfix/conf/sample-pcre-access.cf index 59b2a5785..849641fc0 100644 --- a/postfix/conf/sample-pcre-access.cf +++ b/postfix/conf/sample-pcre-access.cf @@ -1,6 +1,7 @@ # # Sample pcre (PERL-compatible regular expression) map file for -# SMTPD access control. See pcre_table(5) for syntax description. +# SMTPD access control. See pcre_table(5) and access(5) for +# syntax descriptions. # # The first field is a perl-like regular expression. The expression # delimiter can be any character except whitespace, or characters 
@@ -38,16 +39,16 @@ # Protect your outgoing majordomo exploders # -/^(?!owner-)(.*)-outgoing@(connect.com.au)$/ 550 Use ${1}@${2} instead +/^(?!owner-)(.*)-outgoing@/ 550 Use ${1}@${2} instead # Bounce friend@whatever, except when whatever is our domain (you would # be better just bouncing all friend@ mail - this is just an example). # -/^friend@(?!connect.com.au).*$/ 550 Stick this in your pipe $0 +/^friend@(?!my\.domain)/ 550 Stick this in your pipe $0 # A multi-line response # -/^noddy@connect.com.au$/ +/^noddy@my\.domain$/ 550 This user is a funny one. You really don't want to send mail to them as it only makes their head spin. diff --git a/postfix/conf/sample-pcre-body.cf b/postfix/conf/sample-pcre-body.cf new file mode 100644 index 000000000..df3c6e03b --- /dev/null +++ b/postfix/conf/sample-pcre-body.cf 
@@ -0,0 +1,38 @@ +# +# Sample pcre (PERL-compatible regular expression) map file for +# mail body filtering. See pcre_table(5) for syntax description. +# +# Mail body lines are filtered one line at a time. In particular, +# multi-line MIME headers in the message body are filtered one text +# line at a time. +# +# The first field is a perl-like regular expression. The expression +# delimiter can be any character except whitespace, or characters +# that have special meaning to the regexp library (traditionally +# the forward slash is used). The regular expression can contain +# whitespace. +# +# By default, matching is case-INsensitive, although following +# the second slash with an 'i' will reverse this. Other flags are +# supported, but the only other useful one is 'U', which makes +# matching ungreedy (see PCRE documentation and source for more +# info). +# +# The second field is the "replacement" string - the text +# returned by the match. +# +# REJECT The entire message is rejected. +# REJECT text.... The text is sent to the originator. +# IGNORE The line is silently discarded. +# WARN The line is logged (not rejected) with a warning. +# +# Substitution of sub-strings from the matched expression is +# possible using the conventional perl syntax. The macros in the +# replacement string may need to be protected with curly braces +# if they aren't followed by whitespace (see the examples +# below). +# +# Lines starting with whitespace are continuation lines - they are +# appended to the previous line (there should be no whitespace +# before your regular expression!) +# diff --git a/postfix/conf/sample-pcre-header.cf b/postfix/conf/sample-pcre-header.cf new file mode 100644 index 000000000..6e5af4178 --- /dev/null +++ b/postfix/conf/sample-pcre-header.cf 
@@ -0,0 +1,41 @@ +# +# Sample pcre (PERL-compatible regular expression) map file for +# message header filtering. See pcre_table(5) for syntax description. +# +# Message headers are filtered one at a time. This filter understands +# multi-line message headers. However, the message header filter has +# no knowledge of MIME headers that are embedded in the message body. +# +# The first field is a perl-like regular expression. The expression +# delimiter can be any character except whitespace, or characters +# that have special meaning to the regexp library (traditionally +# the forward slash is used). The regular expression can contain +# whitespace. +# +# By default, matching is case-INsensitive, although following +# the second slash with an 'i' will reverse this. Other flags are +# supported, but the only other useful one is 'U', which makes +# matching ungreedy (see PCRE documentation and source for more +# info). +# +# The second field is the "replacement" string - the text +# returned by the match. +# +# REJECT The entire message is rejected. +# REJECT text.... The text is sent to the originator. +# IGNORE The header line is silently discarded. +# WARN The header is logged (not rejected) with a warning. +# +# Substitution of sub-strings from the matched expression is +# possible using the conventional perl syntax. The macros in the +# replacement string may need to be protected with curly braces +# if they aren't followed by whitespace (see the examples +# below). +# +# Lines starting with whitespace are continuation lines - they are +# appended to the previous line (there should be no whitespace +# before your regular expression!) +# + +/^Subject: Make Money Fast/ REJECT +/^To: friend@public.com/ REJECT diff --git a/postfix/conf/sample-regexp-access.cf b/postfix/conf/sample-regexp-access.cf index 5e02fbee2..9ac54c1ab 100644 --- a/postfix/conf/sample-regexp-access.cf +++ b/postfix/conf/sample-regexp-access.cf 
@@ -1,7 +1,9 @@ # Sample regexp SMTPD access lookup "table". See regexp_table(5) -# for a description of the syntax. +# and access(5) for a description of the syntax. # -# Format is /regexp/flags or /regexp/flags!/regexp/flags +# The general format of a table entry is PATTERN RESULT. +# +# The pattern format is /regexp/flags or /regexp/flags!/regexp/flags # where regexp is a regular expression as found in regexp(5), and flags are # i: toggle ignore case (REG_ICASE - default is to ignore case) # x: toggle extended expression (REG_EXTENDED - default is extended) @@ -10,13 +12,15 @@ # In order for a line to match, the first regexp must match, and the # second (if present) must not match. The first matching line wins, # terminating processing of the ruleset. +# +# The result syntax is described in the access(5) manual page. # Disallow sender-specified routing. This is a must if you relay mail #for other domains. /[%!@].*@/ 550 Sender-specified routing rejected # Postmaster is OK, that way they can talk to us about how to fix their problem. -/^postmaster@.*$/ OK +/^postmaster@/ OK # Protect your outgoing majordomo exploders /^(.*)-outgoing@(.*)$/!/^owner-.*/ 550 Use ${1}@${2} instead diff --git a/postfix/conf/sample-regexp-body.cf b/postfix/conf/sample-regexp-body.cf new file mode 100644 index 000000000..344c1ce38 --- /dev/null +++ b/postfix/conf/sample-regexp-body.cf 
@@ -0,0 +1,26 @@ +# Sample regexp message body filter lookup "table". See regexp_table(5) +# for a description of the syntax. +# +# Mail body lines are filtered one line at a time. In particular, multi-line +# MIME headers in the message body are filtered one text line at a time. +# +# The general format of a table entry is PATTERN RESULT. +# +# The pattern format is /regexp/flags or /regexp/flags!/regexp/flags +# where regexp is a regular expression as found in regexp(5), and flags are +# i: toggle ignore case (REG_ICASE - default is to ignore case) +# x: toggle extended expression (REG_EXTENDED - default is extended) +# m: toggle multiline mode (REG_NEWLINE - default is non-multiline mode) +# +# In order for a line to match, the first regexp must match, and the +# second (if present) must not match. The first matching line wins, +# terminating processing of the ruleset. +# +# The result is one of the following: +# REJECT The entire message is rejected. +# REJECT text.... The text is sent to the originator. +# IGNORE The header line is silently discarded. +# WARN The header is logged (not rejected) with a warning. + +/^Subject: Make Money Fast/ REJECT +/^To: friend@public.com/ REJECT diff --git a/postfix/conf/sample-regexp-header.cf b/postfix/conf/sample-regexp-header.cf new file mode 100644 index 000000000..6d46bdad2 --- /dev/null +++ b/postfix/conf/sample-regexp-header.cf 
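Review bot: The result legend in this new body-filter sample still describes header semantics: `IGNORE The header line is silently discarded.` and `WARN The header is logged (not rejected) with a warning.` were evidently carried over from the header-filter sample, while sample-pcre-body.cf in this same commit says `IGNORE The line is silently discarded.` and `WARN The line is logged (not rejected) with a warning.`; this file should use the body wording. Separately, the example `/^To: friend@public.com/` leaves the dot unescaped, so it matches any character in that position rather than a literal dot, whereas the regexp_table(5) examples in this commit write `friend@public\.com`; the same unescaped form appears in sample-pcre-header.cf and sample-regexp-header.cf.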
@@ -0,0 +1,27 @@ +# Sample regexp message header filter lookup "table". See regexp_table(5) +# for a description of the syntax. +# +# Message headers are filtered one at a time. This filter understands +# multi-line mail headers. However, the message header filter has no +# knowledge of MIME headers that are embedded in the message body. +# +# The general format of a table entry is PATTERN RESULT. +# +# The pattern format is /regexp/flags or /regexp/flags!/regexp/flags +# where regexp is a regular expression as found in regexp(5), and flags are +# i: toggle ignore case (REG_ICASE - default is to ignore case) +# x: toggle extended expression (REG_EXTENDED - default is extended) +# m: toggle multiline mode (REG_NEWLINE - default is non-multiline mode) +# +# In order for a line to match, the first regexp must match, and the +# second (if present) must not match. The first matching line wins, +# terminating processing of the ruleset. +# +# The result is one of the following: +# REJECT the entire message is rejected. +# REJECT text.... The text is sent to the originator. +# IGNORE the header line is silently discarded. +# WARN the header is logged (not rejected) with a warning. + +/^Subject: Make Money Fast/ REJECT +/^To: friend@public.com/ REJECT diff --git a/postfix/conf/sample-smtp.cf b/postfix/conf/sample-smtp.cf index 888c49449..d2648e42c 100644 --- a/postfix/conf/sample-smtp.cf +++ b/postfix/conf/sample-smtp.cf 
@@ -99,6 +99,29 @@ smtp_skip_5xx_greeting = yes # smtp_skip_quit_response = yes +# The smtp_pix_workaround_sleep_time parameter specifies how long +# the Postfix SMTP client pauses before sending ., in order +# to work around the PIX firewall . bug. +# +# The default delay is 10 seconds. Choosing a too short time makes +# this workaround ineffective while sending large messages over slow +# network connections. +# +smtp_pix_workaround_delay_time = 10s + +# The smtp_pix_workaround_threshold_time parameter specifies how +# long a message must be queued before the PIX firewall . +# bug workaround is turned on. +# +# By default, the workaround is turned off for mail that is queued +# for less than 500 seconds. In other words, the workaround is normally +# turned off for the first delivery attempt. +# +# Specify 0 to enable the PIX firewall . bug workaround +# upon the first delivery attempt. +# +smtp_pix_workaround_threshold_time = 500s + # # RATE CONTROLS # diff --git a/postfix/conf/sample-smtpd.cf b/postfix/conf/sample-smtpd.cf index 4a5ec1995..39f48e9e9 100644 --- a/postfix/conf/sample-smtpd.cf +++ b/postfix/conf/sample-smtpd.cf @@ -376,6 +376,10 @@ smtpd_recipient_restrictions = permit_mynetworks,check_relay_domains # be tricked into forwarding junk mail to a primary MX host which # then spams it out to the world. # +# This parameter also controls if non-local addresses with sender-specified +# routing can match Postfix access tables. By default, such addresses +# cannot match Postfix access tables, because the address is ambigous. +# allow_untrusted_routing = no # The maps_rbl_domains parameter specifies an optional list of DNS diff --git a/postfix/conf/transport b/postfix/conf/transport index 33ccfc00f..adae6210a 100644 --- a/postfix/conf/transport +++ b/postfix/conf/transport 
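Review bot: The comment introducing the first new parameter names it `smtp_pix_workaround_sleep_time`, but the setting beneath it and the VAR_SMTP_PIX_DELAY definition in mail_params.h in this commit call it `smtp_pix_workaround_delay_time`; the first comment line should read `# The smtp_pix_workaround_delay_time parameter specifies how long`. An administrator searching main.cf for the name given in the comment will not find the setting it describes.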
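Review bot: Typo in the new allow_untrusted_routing comment: `ambigous` should be `ambiguous`, i.e. `# cannot match Postfix access tables, because the address is ambiguous.` The RELEASE_NOTES entry in this commit explains the same policy as preventing false or spurious matches; echoing that phrase here would keep the two descriptions aligned.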
@@ -150,6 +150,11 @@ # details and for default values. Use the postfix reload # command after a configuration change. # +# parent_domain_matches_subdomains (versions >= 20011119) +# List of Postfix features that use domain.name pat- +# terns to match sub.domain.name (as opposed to +# requiring .domain.name patterns). +# # transport_maps # List of transport lookup tables. # @@ -167,16 +172,17 @@ # postmap(1) create mapping table # trivial-rewrite(8) rewrite and resolve addresses # pcre_table(5) format of PCRE tables +# +# 3 +# +# TRANSPORT(5) TRANSPORT(5) +# # regexp_table(5) format of POSIX regular expression tables # # LICENSE # The Secure Mailer license must be distributed with this # software. # -# 3 -# -# TRANSPORT(5) TRANSPORT(5) -# # AUTHOR(S) # Wietse Venema # IBM T.J. Watson Research diff --git a/postfix/html/pcre_table.5.html b/postfix/html/pcre_table.5.html index 0b8cfba53..dcb944bd4 100644 --- a/postfix/html/pcre_table.5.html +++ b/postfix/html/pcre_table.5.html @@ -62,20 +62,24 @@ PCRE_TABLE(5) PCRE_TABLE(5) string may need to be written as ${n} or $(n) if they aren't followed by whitespace. -EXAMPLES +EXAMPLE SMTPD ACCESS MAP # Protect your outgoing majordomo exploders - /^(?!owner-)(.*)-outgoing@(my.domain)$/ 550 Use ${1}@${2} instead + /^(?!owner-)(.*)-outgoing@/ 550 Use ${1}@${2} instead # Bounce friend@whatever, except when whatever is our domain (you would # be better just bouncing all friend@ mail - this is just an example). - /^friend@(?!my.domain).*$/ 550 Stick this in your pipe $0 + /^friend@(?!my\.domain).*$/ 550 Stick this in your pipe $0 # A multi-line entry. The text is sent as one line. # - /^noddy@connect.com.au$/ + /^noddy@my\.domain$/ 550 This user is a funny one. You really don't want to send mail to them as it only makes their head spin. +EXAMPLE HEADER FILTER MAP + /^Subject: make money fast/ REJECT + /^To: friend@public\.com/ REJECT + SEE ALSO regexp_table(5) format of POSIX regular expression tables 
diff --git a/postfix/html/regexp_table.5.html b/postfix/html/regexp_table.5.html index 38548ce2f..cae7abe84 100644 --- a/postfix/html/regexp_table.5.html +++ b/postfix/html/regexp_table.5.html @@ -64,7 +64,7 @@ REGEXP_TABLE(5) REGEXP_TABLE(5) macros in the result string may need to be written as ${n} or $(n) if they aren't followed by whitespace. -EXAMPLES +EXAMPLE SMTPD ACCESS MAP # Disallow sender-specified routing. This is a must if you relay mail # for other domains. /[%!@].*[%!@]/ 550 Sender-specified routing rejected @@ -76,6 +76,11 @@ REGEXP_TABLE(5) REGEXP_TABLE(5) # Protect your outgoing majordomo exploders /^(.*)-outgoing@(.*)$/!/^owner-.*/ 550 Use ${1}@${2} instead +EXAMPLE HEADER FILTER MAP + # These were once common in junk mail. + /^Subject: make money fast/ REJECT + /^To: friend@public\.com/ REJECT + SEE ALSO pcre_table(5) format of PCRE tables diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index 3d06c3a05..0e166ab1b 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html 
@@ -117,24 +117,34 @@ SMTP(8) SMTP(8) smtp_never_send_ehlo Never send EHLO at the start of a connection. + smtp_bind_address + Numerical source network address to bind to when + making a connection. + smtp_break_lines Break lines > $line_length_limit into multiple shorter lines. Some SMTP servers misbehave on long lines. smtp_skip_4xx_greeting - Skip servers that greet us with a 4xx status code. + Skip servers that greet us with a 4xx status code. smtp_skip_5xx_greeting - Skip servers that greet us with a 5xx status code. + Skip servers that greet us with a 5xx status code. smtp_skip_quit_response - Do not wait for the server response after sending + Do not wait for the server response after sending QUIT. - smtp_bind_address - Numerical network address to bind to when making a - connection. + smtp_pix_workaround_delay_time + The time to pause before sending .<CR><LF>, while + working around the CISCO PIX firewall + <CR><LF>.<CR><LF> bug. + + smtp_pix_workaround_threshold_time + The time a message must be queued before the CISCO + PIX firewall <CR><LF>.<CR><LF> bug workaround is + turned on. Authentication controls smtp_enable_sasl_auth diff --git a/postfix/man/man5/pcre_table.5 b/postfix/man/man5/pcre_table.5 index 852442305..dde2dcf42 100644 --- a/postfix/man/man5/pcre_table.5 +++ b/postfix/man/man5/pcre_table.5 
@@ -56,21 +56,26 @@ Substitution of substrings from the matched expression into the result string is possible using the conventional perl syntax ($1, $2, etc.). The macros in the result string may need to be written as ${n} or $(n) if they aren't followed by whitespace. -.SH EXAMPLES +.SH EXAMPLE SMTPD ACCESS MAP .na .nf # Protect your outgoing majordomo exploders -/^(?!owner-)(.*)-outgoing@(my\.domain)$/ 550 Use ${1}@${2} instead +/^(?!owner-)(.*)-outgoing@/ 550 Use ${1}@${2} instead # Bounce friend@whatever, except when whatever is our domain (you would # be better just bouncing all friend@ mail - this is just an example). -/^friend@(?!my\.domain).*$/ 550 Stick this in your pipe $0 +/^friend@(?!my\\.domain)/ 550 Stick this in your pipe $0 # A multi-line entry. The text is sent as one line. # -/^noddy@connect\.com\.au$/ +/^noddy@my\\.domain$/ \ 550 This user is a funny one. You really don't want to send mail to \ them as it only makes their head spin. +.SH EXAMPLE HEADER FILTER MAP +.na +.nf +/^Subject: make money fast/ REJECT +/^To: friend@public\\.com/ REJECT .SH SEE ALSO .na .nf diff --git a/postfix/man/man5/regexp_table.5 b/postfix/man/man5/regexp_table.5 index efea3ef73..36ddf9f93 100644 --- a/postfix/man/man5/regexp_table.5 +++ b/postfix/man/man5/regexp_table.5 @@ -58,7 +58,7 @@ Substitution of substrings from the matched expression into the result string is possible using $1, $2, etc.. The macros in the result string may need to be written as ${n} or $(n) if they aren't followed by whitespace. -.SH EXAMPLES +.SH EXAMPLE SMTPD ACCESS MAP .na .nf # Disallow sender-specified routing. This is a must if you relay mail 
@@ -67,10 +67,16 @@ by whitespace. # Postmaster is OK, that way they can talk to us about how to fix # their problem. -/^postmaster@.*$/ OK +/^postmaster@/ OK # Protect your outgoing majordomo exploders -/^(.*)-outgoing@(.*)$/!/^owner-.*/ 550 Use ${1}@${2} instead +/^(.*)-outgoing@(.*)$/!/^owner-/ 550 Use ${1}@${2} instead +.SH EXAMPLE HEADER FILTER MAP +.na +.nf +# These were once common in junk mail. +/^Subject: make money fast/ REJECT +/^To: friend@public\\.com/ REJECT .SH SEE ALSO .na .nf diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index f05a893c1..c111772b1 100644 --- a/postfix/man/man8/smtp.8 +++ b/postfix/man/man8/smtp.8 @@ -111,6 +111,8 @@ postmaster with transcripts of SMTP sessions with protocol errors. Always send EHLO at the start of a connection. .IP \fBsmtp_never_send_ehlo\fR Never send EHLO at the start of a connection. +.IP \fBsmtp_bind_address\fR +Numerical source network address to bind to when making a connection. .IP \fBsmtp_break_lines\fR Break lines > \fB$line_length_limit\fR into multiple shorter lines. Some SMTP servers misbehave on long lines. @@ -120,8 +122,12 @@ Skip servers that greet us with a 4xx status code. Skip servers that greet us with a 5xx status code. .IP \fBsmtp_skip_quit_response\fR Do not wait for the server response after sending QUIT. -.IP \fBsmtp_bind_address\fR -Numerical network address to bind to when making a connection. +.IP \fBsmtp_pix_workaround_delay_time\fR +The time to pause before sending ., while working +around the CISCO PIX firewall . bug. +.IP \fBsmtp_pix_workaround_threshold_time\fR +The time a message must be queued before the CISCO PIX firewall +. bug workaround is turned on. .SH "Authentication controls" .IP \fBsmtp_enable_sasl_auth\fR Enable per-session authentication as per RFC 2554 (SASL). diff --git a/postfix/proto/pcre_table b/postfix/proto/pcre_table index 7f71dcc8e..249e9ed98 100644 --- a/postfix/proto/pcre_table +++ b/postfix/proto/pcre_table 
@@ -50,19 +50,22 @@ # string is possible using the conventional perl syntax ($1, $2, etc.). # The macros in the result string may need to be written as ${n} # or $(n) if they aren't followed by whitespace. -# EXAMPLES +# EXAMPLE SMTPD ACCESS MAP # # Protect your outgoing majordomo exploders -# /^(?!owner-)(.*)-outgoing@(my\.domain)$/ 550 Use ${1}@${2} instead +# /^(?!owner-)(.*)-outgoing@/ 550 Use ${1}@${2} instead # # # Bounce friend@whatever, except when whatever is our domain (you would # # be better just bouncing all friend@ mail - this is just an example). -# /^friend@(?!my\.domain).*$/ 550 Stick this in your pipe $0 +# /^friend@(?!my\\.domain)/ 550 Stick this in your pipe $0 # # # A multi-line entry. The text is sent as one line. # # -# /^noddy@connect\.com\.au$/ +# /^noddy@my\\.domain$/ # \ 550 This user is a funny one. You really don't want to send mail to # \ them as it only makes their head spin. +# EXAMPLE HEADER FILTER MAP +# /^Subject: make money fast/ REJECT +# /^To: friend@public\\.com/ REJECT # SEE ALSO # regexp_table(5) format of POSIX regular expression tables # AUTHOR(S) diff --git a/postfix/proto/regexp_table b/postfix/proto/regexp_table index bf4539404..cb388ab23 100644 --- a/postfix/proto/regexp_table +++ b/postfix/proto/regexp_table 
@@ -52,17 +52,21 @@ # string is possible using $1, $2, etc.. The macros in the result string # may need to be written as ${n} or $(n) if they aren't followed # by whitespace. -# EXAMPLES +# EXAMPLE SMTPD ACCESS MAP # # Disallow sender-specified routing. This is a must if you relay mail # # for other domains. # /[%!@].*[%!@]/ 550 Sender-specified routing rejected # # # Postmaster is OK, that way they can talk to us about how to fix # # their problem. -# /^postmaster@.*$/ OK +# /^postmaster@/ OK # # # Protect your outgoing majordomo exploders -# /^(.*)-outgoing@(.*)$/!/^owner-.*/ 550 Use ${1}@${2} instead +# /^(.*)-outgoing@(.*)$/!/^owner-/ 550 Use ${1}@${2} instead +# EXAMPLE HEADER FILTER MAP +# # These were once common in junk mail. +# /^Subject: make money fast/ REJECT +# /^To: friend@public\\.com/ REJECT # SEE ALSO # pcre_table(5) format of PCRE tables # AUTHOR(S) diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 30bb8c7d3..6818a56b9 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -733,6 +733,14 @@ extern bool var_smtp_rand_addr; #define DEF_SMTP_BREAK_LINES 1 extern bool var_smtp_break_lines; +#define VAR_SMTP_PIX_THRESH "smtp_pix_workaround_threshold_time" +#define DEF_SMTP_PIX_THRESH "500s" +extern int var_smtp_pix_thresh; + +#define VAR_SMTP_PIX_DELAY "smtp_pix_workaround_delay_time" +#define DEF_SMTP_PIX_DELAY "10s" +extern int var_smtp_pix_delay; + /* * SMTP server. The soft error limit determines how many errors an SMTP * client may make before we start to slow down; the hard error limit diff --git a/postfix/src/global/mail_stream.c b/postfix/src/global/mail_stream.c index ac5e232a2..7d00023da 100644 --- a/postfix/src/global/mail_stream.c +++ b/postfix/src/global/mail_stream.c 
@@ -281,6 +281,9 @@ MAIL_STREAM *mail_stream_command(const char *command)
 	    sleep(10);
 	}
 	argv_free(export_env);
+	vstream_control(stream,
+			VSTREAM_CTL_PATH, command,
+			VSTREAM_CTL_END);
 	if (attr_scan(stream, ATTR_FLAG_MISSING,
 		      ATTR_TYPE_STR, MAIL_ATTR_QUEUEID, id_buf,
 		      0) != 1) {
diff --git a/postfix/src/sendmail/sendmail.c b/postfix/src/sendmail/sendmail.c
index 8527cce0a..b87416a97 100644
--- a/postfix/src/sendmail/sendmail.c
+++ b/postfix/src/sendmail/sendmail.c
@@ -416,6 +416,7 @@ static void enqueue(const int flags, const char *sender, const char *full_name,
 				  MAIL_CLASS_PUBLIC, MAIL_SERVICE_PICKUP);
 	sendmail_path = mystrdup(VSTREAM_PATH(handle->stream));
     } else {
+	errno = 0;
 	postdrop_command = concatenate(var_command_dir, "/postdrop",
 			       msg_verbose ? " -v" : (char *) 0, (char *) 0);
 	if ((handle = mail_stream_command(postdrop_command)) == 0)
diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c
index 5c4196bc3..9c61d89db 100644
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@@ -95,6 +95,8 @@
 /* Always send EHLO at the start of a connection.
 /* .IP \fBsmtp_never_send_ehlo\fR
 /* Never send EHLO at the start of a connection.
+/* .IP \fBsmtp_bind_address\fR
+/* Numerical source network address to bind to when making a connection.
 /* .IP \fBsmtp_break_lines\fR
 /* Break lines > \fB$line_length_limit\fR into multiple shorter lines.
 /* Some SMTP servers misbehave on long lines.
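Review bot: The added `errno = 0;` in the sendmail.c hunk carries no comment, so the next reader cannot tell why a stale errno matters at this point; presumably the failure report that follows `mail_stream_command(postdrop_command)` prints errno even though that call may fail without setting it. Suggest `errno = 0;	/* mail_stream_command() can fail without setting errno; avoid reporting a stale value */`. The enclosing enqueue() starts and ends outside the hunk.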
@@ -104,8 +106,12 @@
 /* Skip servers that greet us with a 5xx status code.
 /* .IP \fBsmtp_skip_quit_response\fR
 /* Do not wait for the server response after sending QUIT.
-/* .IP \fBsmtp_bind_address\fR
-/* Numerical network address to bind to when making a connection.
+/* .IP \fBsmtp_pix_workaround_delay_time\fR
+/* The time to pause before sending ., while working
+/* around the CISCO PIX firewall . bug.
+/* .IP \fBsmtp_pix_workaround_threshold_time\fR
+/* The time a message must be queued before the CISCO PIX firewall
+/* . bug workaround is turned on.
 /* .SH "Authentication controls"
 /* .IP \fBsmtp_enable_sasl_auth\fR
 /* Enable per-session authentication as per RFC 2554 (SASL).
@@ -254,7 +260,8 @@ bool var_smtp_sasl_enable;
 char *var_smtp_bind_addr;
 bool var_smtp_rand_addr;
 bool var_smtp_break_lines;
-int var_min_backoff_time;
+int var_smtp_pix_thresh;
+int var_smtp_pix_delay;
 
 /*
  * Global variables. smtp_errno is set by the address lookup routines and by
@@ -417,7 +424,8 @@ int main(int argc, char **argv)
 	VAR_SMTP_DATA1_TMOUT, DEF_SMTP_DATA1_TMOUT, &var_smtp_data1_tmout, 1, 0,
 	VAR_SMTP_DATA2_TMOUT, DEF_SMTP_DATA2_TMOUT, &var_smtp_data2_tmout, 1, 0,
 	VAR_SMTP_QUIT_TMOUT, DEF_SMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0,
-	VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
+	VAR_SMTP_PIX_THRESH, DEF_SMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0,
+	VAR_SMTP_PIX_DELAY, DEF_SMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0,
 	0,
     };
     static CONFIG_INT_TABLE int_table[] = {
diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c
index af7cafb23..9f9201569 100644
--- a/postfix/src/smtp/smtp_proto.c
+++ b/postfix/src/smtp/smtp_proto.c
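Review bot: The time table entry in the last hunk gives `var_smtp_pix_thresh` a lower bound of 0 while `var_smtp_pix_delay` gets 1, yet neither the man-page text in the first hunk nor mail_params.h says what a zero threshold means; given the comparison in smtp_proto.c (`request->arrival_time < vstream_ftime(session->stream) - var_smtp_pix_thresh`), a threshold of 0 turns the workaround on from the first delivery attempt for every server flagged MAYBEPIX. Suggest extending the `.IP \fBsmtp_pix_workaround_threshold_time\fR` text with `/* Specify 0 to apply the workaround from the first delivery attempt.`. The lower bound of 1 on the delay should stay as it is, since the value ends up in a `sleep()` call. The main() body continues outside the hunk.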
@@ -660,11 +660,11 @@ int smtp_xfer(SMTP_STATE *state)
 	smtp_fputs("", 0, session->stream);
 	if ((state->features & SMTP_FEATURE_MAYBEPIX) != 0
 	    && request->arrival_time < vstream_ftime(session->stream)
-	    - var_min_backoff_time) {
+	    - var_smtp_pix_thresh) {
 	    msg_info("%s: enabling PIX . workaround for %s",
 		     request->queue_id, session->namaddr);
 	    vstream_fflush(session->stream);/* hurts performance */
-	    sleep(10);				/* not to mention this */
+	    sleep(var_smtp_pix_delay);		/* not to mention this */
 	}
 	if (vstream_ferror(state->src))
 	    msg_fatal("queue file read error");
diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index 0d2bc320a..e3283c067 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -1717,7 +1717,9 @@ static int check_mail_access(SMTPD_STATE *state, const char *table,
     /*
      * Avoid surprise matches with source-routed, non-local addresses.
      */
-    if (!resolve_local(ratsign + 1) && (reply->flags & RESOLVE_FLAG_ROUTED))
+    if (var_allow_untrust_route == 0
+	&& (reply->flags & RESOLVE_FLAG_ROUTED)
+	&& !resolve_local(ratsign + 1))
 	return (SMTPD_CHECK_DUNNO);
 
     /*
diff --git a/postfix/src/smtpstone/smtp-source.c b/postfix/src/smtpstone/smtp-source.c
index d315c9429..d05caae77 100644
--- a/postfix/src/smtpstone/smtp-source.c
+++ b/postfix/src/smtpstone/smtp-source.c
@@ -45,6 +45,8 @@
 /* recipient address.
 /* .IP "\fB-s \fIsession_count\fR"
 /* Run the specified number of SMTP sessions in parallel (default: 1).
+/* .IP "\fB-S \fIsubject\fR"
+/* Send mail with the named subject line (default: none).
 /* .IP "\fB-t \fIto\fR"
 /* Use the specified recipient address (default: ).
 /* .IP "\fB-R \fIinterval\fR"
@@ -165,6 +167,7 @@ static int connect_count = 1;
 static int random_delay = 0;
 static int fixed_delay = 0;
 static int talk_lmtp = 0;
+static char *subject = 0;
 
 static void enqueue_connect(SESSION *);
 static void start_connect(SESSION *);
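Review bot: `sleep(var_smtp_pix_delay)` hands an `int` to `sleep()`'s unsigned parameter, and the conversion is only safe because the time table in smtp.c bounds the delay at 1 or more; nothing at the call site records that invariant, and the old `/* not to mention this */` comment no longer says what is being traded off. Suggest `sleep(var_smtp_pix_delay);	/* >= 1, bounded by the time table in smtp.c; stalls this delivery */`. The threshold comparison in the same hunk relies on that table for its lower bound of 0 in the same way. smtp_xfer() starts and ends outside the hunk.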
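Review bot: The comment above the rewritten condition in the smtpd_check.c hunk still reads "Avoid surprise matches with source-routed, non-local addresses", but the new first operand makes the early DUNNO depend on `var_allow_untrust_route`: once untrusted routing is allowed, a routed address whose right-hand side is a local domain is now looked up in the access table, and an entry keyed on that local domain can match it. That is presumably intended, since such mail is accepted for relaying anyway, but the comment should say so, e.g. `* Avoid surprise matches with source-routed, non-local addresses, unless` / `* allow_untrusted_routing accepts them; then the access map must see them.`. Putting the cheap flag tests before `resolve_local()` is a sound reordering. check_mail_access() starts and ends outside the hunk.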
@@ -653,6 +656,8 @@ static void data_done(int unused_event, char *context)
     smtp_printf(session->stream, "Date: %s", mydate);
     smtp_printf(session->stream, "Message-Id: <%04x.%04x.%04x@%s>",
 		mypid, vstream_fileno(session->stream), message_count, var_myhostname);
+    if (subject)
+	smtp_printf(session->stream, "Subject: %s", subject);
     smtp_fputs("", 0, session->stream);
 }
 
@@ -769,7 +774,7 @@ int main(int argc, char **argv)
     /*
      * Parse JCL.
      */
-    while ((ch = GETOPT(argc, argv, "cC:df:l:Lm:or:R:s:t:vw:")) > 0) {
+    while ((ch = GETOPT(argc, argv, "cC:df:l:Lm:or:R:s:S:t:vw:")) > 0) {
 	switch (ch) {
 	case 'c':
 	    count++;
@@ -818,6 +823,9 @@ int main(int argc, char **argv)
 	    if ((sessions = atoi(optarg)) <= 0)
 		usage(argv[0]);
 	    break;
+	case 'S':
+	    subject = optarg;
+	    break;
 	case 't':
 	    recipient = optarg;
 	    break;
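Review bot: The new `Subject: %s` line in data_done() writes the `-S` value unchecked, so an argument containing CR or LF turns into extra header lines or ends the header block early, and a load-test run then measures something other than what the operator asked for. The value comes from the tool's own command line, so the exposure is to the operator, but the option parser in the last hunk is the right place to reject it, using strpbrk() from <string.h>: `case 'S': if (strpbrk(optarg, "\r\n")) usage(argv[0]); subject = optarg; break;`. The `-S` text in the earlier smtp-source.c documentation hunk should then say that the subject must be a single line. data_done() and main() both extend beyond their hunks.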