diff --git a/postfix/HISTORY b/postfix/HISTORY
index 4724653a9..2f788287e 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -14324,7 +14324,7 @@ Apologies for any names omitted.
Cleanup: preserve multi-line format of header/body Milter
replies. Files: cleanup/cleanup_milter.c, smtpd/smtpd.c.
- Cleanup: nicer multi-line support in the SMTP server. File:
+ Cleanup: multi-line support in SMTP server replies. File:
smtpd/smtpd_chat.c.
SAFETY: postfix-script, postfix-files and post-install are
@@ -14334,3 +14334,15 @@ Apologies for any names omitted.
with an unusable Postfix setup. Files: postfix-install,
Makefile.in, postfix/postfix.c, conf/postfix-files,
conf/postfix-script, conf/post-install.
+
+20080212
+
+ Feature: check_reverse_client_access, to make access decisions
+ based on the unverified client hostname. For safety reasons
+ an OK result is not allowed. Noel Jones. Files:
+ smtpd/smtpd_check.c plus header files and documentation.
+
+20080215
+
+ Safety: break SASL loop in case both the SASL library and the
+ remote SMTP server are confused. File: smtp/smtp_sasl_glue.c.
diff --git a/postfix/README_FILES/SMTPD_POLICY_README b/postfix/README_FILES/SMTPD_POLICY_README
index fe7f1b49b..e33829453 100644
--- a/postfix/README_FILES/SMTPD_POLICY_README
+++ b/postfix/README_FILES/SMTPD_POLICY_README
@@ -407,6 +407,13 @@ Postfix source as examples/smtpd-policy/greylist.pl.
$database_name="/var/mta/greylist.db";
$greylist_delay=60;
+#
+# Auto-whitelist threshold. Specify 0 to disable, or the number of
+# successful "come backs" after which a client is no longer subject
+# to greylisting.
+#
+$auto_whitelist_threshold = 10;
+
#
# Demo SMTPD access policy routine. The result is an action just like
# it would be specified on the right-hand side of a Postfix access
@@ -418,6 +425,14 @@ sub smtpd_access_policy {
# Open the database on the fly.
open_database() unless $database_obj;
+ # Search the auto-whitelist.
+ if ($auto_whitelist_threshold > 0) {
+ $count = read_database($attr{"client_address"});
+ if ($count > $auto_whitelist_threshold) {
+ return "dunno";
+ }
+ }
+
# Lookup the time stamp for this client/sender/recipient.
$key =
lc $attr{"client_address"}."/".$attr{"sender"}."/".$attr{"recipient"};
@@ -442,6 +457,10 @@ sub smtpd_access_policy {
#
syslog $syslog_priority, "request age %d", $now - $time_stamp if $verbose;
if ($now - $time_stamp > $greylist_delay) {
+ # Update the auto-whitelist.
+ if ($auto_whitelist_threshold > 0) {
+ update_database($attr{"client_address"}, $count + 1);
+ }
return "dunno";
} else {
return "defer_if_permit Service temporarily unavailable";
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
index 854c89874..28a5a5d31 100644
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -1,7 +1,13 @@
Wish list:
+ To support ternary operator without a huge parsing effort,
+ consider ${value?{xxx}:{yyy}} where ${name} is existing
+ syntax, and where ?{text} and :{text} are new syntax that
+ is unlikely to break existing configurations. Or perhaps
+ it's just too ugly.
+
Make adding Date/From/Message-ID headers dependent on local
- rewrite context?
+ rewrite context.
Write delivery rate delay example (which _README?) and auth
failure cache example (SASL_README). Then include them in
diff --git a/postfix/conf/postfix-files b/postfix/conf/postfix-files
index f3632a45d..a46a6f987 100644
--- a/postfix/conf/postfix-files
+++ b/postfix/conf/postfix-files
@@ -62,9 +62,6 @@ $queue_directory/public:d:$mail_owner:$setgid_group:710:uc
$queue_directory/pid:d:root:-:755:uc
$queue_directory/saved:d:$mail_owner:-:700:ucr
$queue_directory/trace:d:$mail_owner:-:700:ucr
-$daemon_directory/postfix-script:f:root:-:755
-$daemon_directory/postfix-files:f:root:-:644
-$daemon_directory/post-install:f:root:-:755
$daemon_directory/anvil:f:root:-:755
$daemon_directory/bounce:f:root:-:755
$daemon_directory/cleanup:f:root:-:755
@@ -77,6 +74,9 @@ $daemon_directory/master:f:root:-:755
$daemon_directory/oqmgr:f:root:-:755
$daemon_directory/pickup:f:root:-:755
$daemon_directory/pipe:f:root:-:755
+$daemon_directory/post-install:f:root:-:755
+$daemon_directory/postfix-files:f:root:-:644
+$daemon_directory/postfix-script:f:root:-:755
$daemon_directory/proxymap:f:root:-:755
$daemon_directory/qmgr:f:root:-:755
$daemon_directory/qmqpd:f:root:-:755
diff --git a/postfix/html/SMTPD_POLICY_README.html b/postfix/html/SMTPD_POLICY_README.html
index 08704aa8e..f42eb0830 100644
--- a/postfix/html/SMTPD_POLICY_README.html
+++ b/postfix/html/SMTPD_POLICY_README.html
@@ -549,6 +549,13 @@ examples/smtpd-policy/greylist.pl.
$database_name="/var/mta/greylist.db";
$greylist_delay=60;
+#
+# Auto-whitelist threshold. Specify 0 to disable, or the number of
+# successful "come backs" after which a client is no longer subject
+# to greylisting.
+#
+$auto_whitelist_threshold = 10;
+
#
# Demo SMTPD access policy routine. The result is an action just like
# it would be specified on the right-hand side of a Postfix access
@@ -560,6 +567,14 @@ sub smtpd_access_policy {
# Open the database on the fly.
open_database() unless $database_obj;
+ # Search the auto-whitelist.
+ if ($auto_whitelist_threshold > 0) {
+ $count = read_database($attr{"client_address"});
+ if ($count > $auto_whitelist_threshold) {
+ return "dunno";
+ }
+ }
+
# Lookup the time stamp for this client/sender/recipient.
$key =
lc $attr{"client_address"}."/".$attr{"sender"}."/".$attr{"recipient"};
@@ -584,6 +599,10 @@ sub smtpd_access_policy {
#
syslog $syslog_priority, "request age %d", $now - $time_stamp if $verbose;
if ($now - $time_stamp > $greylist_delay) {
+ # Update the auto-whitelist.
+ if ($auto_whitelist_threshold > 0) {
+ update_database($attr{"client_address"}, $count + 1);
+ }
return "dunno";
} else {
return "defer_if_permit Service temporarily unavailable";
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index 4ac2db125..d8a05ce1a 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -7503,7 +7503,7 @@ the unix: prefix),
a /file/name with domain names and/or relay host names as
defined above,
- a "type:table" with domain names and/or relay hosts name on
+ a "type:table" with domain names and/or relay host names on
the left-hand side. The right-hand side result from "type:table"
lookups is ignored.
@@ -10021,6 +10021,16 @@ Postfix version 2.5). This feature is available with Postfix version
parent domains, client IP address, or networks obtained by stripping
least significant octets. See the access(5) manual page for details.
+check_reverse_client_hostname_access type:table
+
+Search the specified access database for the unverified reverse
+client hostname, parent domains, client IP address, or networks
+obtained by stripping least significant octets. See the access(5)
+manual page for details. Note: a result of "OK" is not allowed for
+safety reasons. Instead, use DUNNO in order to exclude specific
+hosts from blacklists. This feature is available in Postfix 2.6
+and later.
+
permit_inet_interfaces
Permit the request when the client IP address matches
diff --git a/postfix/html/postfix.1.html b/postfix/html/postfix.1.html
index f31564ebf..14da6a7f3 100644
--- a/postfix/html/postfix.1.html
+++ b/postfix/html/postfix.1.html
@@ -70,8 +70,8 @@ POSTFIX(1) POSTFIX(1)
setting for an already installed Postfix system.
This feature is available in Postfix 2.1 and later.
- With Postfix 2.0 and earlier, use "/etc/post-
- fix/post-install set-permissions".
+ With Postfix 2.0 and earlier, use "$config_direc-
+ tory/post-install set-permissions".
upgrade-configuration [name=value ...]
Update the main.cf and master.cf files with infor-
@@ -83,8 +83,8 @@ POSTFIX(1) POSTFIX(1)
main.cf configuration parameters.
This feature is available in Postfix 2.1 and later.
- With Postfix 2.0 and earlier, use "/etc/post-
- fix/post-install upgrade-configuration".
+ With Postfix 2.0 and earlier, use "$config_direc-
+ tory/post-install upgrade-configuration".
The following options are implemented:
@@ -199,8 +199,17 @@ POSTFIX(1) POSTFIX(1)
becomes, for example, "postfix/smtpd".
FILES
- /etc/postfix/main.cf, Postfix configuration parameters
- /etc/postfix/master.cf, Postfix daemon processes
+ Prior to Postfix version 2.6, all of the following files
+ were in $config_directory. Some files are now in $dae-
+ mon_directory so that they can be shared among multiple
+ instances that run the same Postfix version.
+
+ Use the command "postconf config_directory" or "postconf
+ daemon_directory" to expand the names into their actual
+ values.
+
+ $config_directory/main.cf, Postfix configuration parameters
+ $config_directory/master.cf, Postfix daemon processes
$daemon_directory/postfix-files, file/directory permissions
$daemon_directory/postfix-script, administrative commands
$daemon_directory/post-install, post-installation configuration
@@ -283,7 +292,7 @@ POSTFIX(1) POSTFIX(1)
QSHAPE_README, Postfix queue analysis
LICENSE
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
AUTHOR(S)
diff --git a/postfix/man/man1/postfix.1 b/postfix/man/man1/postfix.1
index 72918c627..26b827856 100644
--- a/postfix/man/man1/postfix.1
+++ b/postfix/man/man1/postfix.1
@@ -63,7 +63,7 @@ change the \fBmail_owner\fR or \fBsetgid_group\fR setting for an
already installed Postfix system.
.sp
This feature is available in Postfix 2.1 and later. With
-Postfix 2.0 and earlier, use "\fB/etc/postfix/post-install
+Postfix 2.0 and earlier, use "\fB$config_directory/post-install
set-permissions\fR".
.IP "\fBupgrade-configuration\fR \fB[\fIname\fR=\fIvalue ...\fB]\fR
Update the \fBmain.cf\fR and \fBmaster.cf\fR files with information
@@ -74,7 +74,7 @@ Specify \fIname\fR=\fIvalue\fR to override and update specific
main.cf configuration parameters.
.sp
This feature is available in Postfix 2.1 and later. With
-Postfix 2.0 and earlier, use "\fB/etc/postfix/post-install
+Postfix 2.0 and earlier, use "\fB$config_directory/post-install
upgrade-configuration\fR".
.PP
The following options are implemented:
@@ -162,8 +162,21 @@ records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "FILES"
.na
.nf
-/etc/postfix/main.cf, Postfix configuration parameters
-/etc/postfix/master.cf, Postfix daemon processes
+.ad
+.fi
+Prior to Postfix version 2.6, all of the following files
+were in \fB$config_directory\fR. Some files are now in
+\fB$daemon_directory\fR so that they can be shared among
+multiple instances that run the same Postfix version.
+
+Use the command "\fBpostconf config_directory\fR" or
+"\fBpostconf daemon_directory\fR" to expand the names
+into their actual values.
+.na
+.nf
+
+$config_directory/main.cf, Postfix configuration parameters
+$config_directory/master.cf, Postfix daemon processes
$daemon_directory/postfix-files, file/directory permissions
$daemon_directory/postfix-script, administrative commands
$daemon_directory/post-install, post-installation configuration
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index bd8fe9670..0daa4fd84 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -4229,7 +4229,7 @@ the unix: prefix),
a /file/name with domain names and/or relay host names as
defined above,
.IP \(bu
-a "type:table" with domain names and/or relay hosts name on
+a "type:table" with domain names and/or relay host names on
the left-hand side. The right-hand side result from "type:table"
lookups is ignored.
.PP
@@ -6047,6 +6047,14 @@ Postfix version 2.5). This feature is available with Postfix version
Search the specified access database for the client hostname,
parent domains, client IP address, or networks obtained by stripping
least significant octets. See the \fBaccess\fR(5) manual page for details.
+.IP "\fBcheck_reverse_client_hostname_access \fItype:table\fR\fR"
+Search the specified access database for the unverified reverse
+client hostname, parent domains, client IP address, or networks
+obtained by stripping least significant octets. See the \fBaccess\fR(5)
+manual page for details. Note: a result of "OK" is not allowed for
+safety reasons. Instead, use DUNNO in order to exclude specific
+hosts from blacklists. This feature is available in Postfix 2.6
+and later.
.IP "\fBpermit_inet_interfaces\fR"
Permit the request when the client IP address matches
$inet_interfaces.
diff --git a/postfix/proto/SMTPD_POLICY_README.html b/postfix/proto/SMTPD_POLICY_README.html
index 9d4240b89..639b5ddf0 100644
--- a/postfix/proto/SMTPD_POLICY_README.html
+++ b/postfix/proto/SMTPD_POLICY_README.html
@@ -549,6 +549,13 @@ examples/smtpd-policy/greylist.pl.
$database_name="/var/mta/greylist.db";
$greylist_delay=60;
+#
+# Auto-whitelist threshold. Specify 0 to disable, or the number of
+# successful "come backs" after which a client is no longer subject
+# to greylisting.
+#
+$auto_whitelist_threshold = 10;
+
#
# Demo SMTPD access policy routine. The result is an action just like
# it would be specified on the right-hand side of a Postfix access
@@ -560,6 +567,14 @@ sub smtpd_access_policy {
# Open the database on the fly.
open_database() unless $database_obj;
+ # Search the auto-whitelist.
+ if ($auto_whitelist_threshold > 0) {
+ $count = read_database($attr{"client_address"});
+ if ($count > $auto_whitelist_threshold) {
+ return "dunno";
+ }
+ }
+
# Lookup the time stamp for this client/sender/recipient.
$key =
lc $attr{"client_address"}."/".$attr{"sender"}."/".$attr{"recipient"};
@@ -584,6 +599,10 @@ sub smtpd_access_policy {
#
syslog $syslog_priority, "request age %d", $now - $time_stamp if $verbose;
if ($now - $time_stamp > $greylist_delay) {
+ # Update the auto-whitelist.
+ if ($auto_whitelist_threshold > 0) {
+ update_database($attr{"client_address"}, $count + 1);
+ }
return "dunno";
} else {
return "defer_if_permit Service temporarily unavailable";
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 34338611d..1f66c1a47 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -3785,7 +3785,7 @@ the unix: prefix),
a /file/name with domain names and/or relay host names as
defined above,
- a "type:table" with domain names and/or relay hosts name on
+ a "type:table" with domain names and/or relay host names on
the left-hand side. The right-hand side result from "type:table"
lookups is ignored.
@@ -4718,6 +4718,16 @@ Postfix version 2.5). This feature is available with Postfix version
parent domains, client IP address, or networks obtained by stripping
least significant octets. See the access(5) manual page for details.
+check_reverse_client_hostname_access type:table
+
+Search the specified access database for the unverified reverse
+client hostname, parent domains, client IP address, or networks
+obtained by stripping least significant octets. See the access(5)
+manual page for details. Note: a result of "OK" is not allowed for
+safety reasons. Instead, use DUNNO in order to exclude specific
+hosts from blacklists. This feature is available in Postfix 2.6
+and later.
+
permit_inet_interfaces
Permit the request when the client IP address matches
diff --git a/postfix/src/cleanup/cleanup.h b/postfix/src/cleanup/cleanup.h
index e56511453..514b72066 100644
--- a/postfix/src/cleanup/cleanup.h
+++ b/postfix/src/cleanup/cleanup.h
@@ -122,29 +122,6 @@ typedef struct CLEANUP_STATE {
#define CLEANUP_FLAG_WARN_SEEN (1<<17) /* REC_TYPE_WARN record seen */
#define CLEANUP_FLAG_END_SEEN (1<<18) /* REC_TYPE_END record seen */
- /*
- * Milter replies.
- */
-#define CLEANUP_MILTER_REASON(__state, __reason) do { \
- if ((__state)->reason) \
- myfree((__state)->reason); \
- (__state)->reason = mystrdup(__reason); \
- if ((__state)->smtp_reply) { \
- myfree((__state)->smtp_reply); \
- (__state)->smtp_reply = 0; \
- } \
- } while (0)
-
-#define CLEANUP_MILTER_SMTP_REPLY(__state, __smtp_reply) do { \
- if ((__state)->reason) \
- myfree((__state)->reason); \
- (__state)->reason = mystrdup(__smtp_reply + 4); \
- printable((__state)->reason, '_'); \
- if ((__state)->smtp_reply) \
- myfree((__state)->smtp_reply); \
- (__state)->smtp_reply = mystrdup(__smtp_reply); \
- } while (0)
-
/*
* Mappings.
*/
diff --git a/postfix/src/cleanup/cleanup_milter.c b/postfix/src/cleanup/cleanup_milter.c
index 7c5fc9393..c9423c73e 100644
--- a/postfix/src/cleanup/cleanup_milter.c
+++ b/postfix/src/cleanup/cleanup_milter.c
@@ -216,6 +216,29 @@
#define STR(x) vstring_str(x)
#define LEN(x) VSTRING_LEN(x)
+ /*
+ * Milter replies.
+ */
+#define CLEANUP_MILTER_SET_REASON(__state, __reason) do { \
+ if ((__state)->reason) \
+ myfree((__state)->reason); \
+ (__state)->reason = mystrdup(__reason); \
+ if ((__state)->smtp_reply) { \
+ myfree((__state)->smtp_reply); \
+ (__state)->smtp_reply = 0; \
+ } \
+ } while (0)
+
+#define CLEANUP_MILTER_SET_SMTP_REPLY(__state, __smtp_reply) do { \
+ if ((__state)->reason) \
+ myfree((__state)->reason); \
+ (__state)->reason = mystrdup(__smtp_reply + 4); \
+ printable((__state)->reason, '_'); \
+ if ((__state)->smtp_reply) \
+ myfree((__state)->smtp_reply); \
+ (__state)->smtp_reply = mystrdup(__smtp_reply); \
+ } while (0)
+
/* cleanup_milter_set_error - set error flag from errno */
static void cleanup_milter_set_error(CLEANUP_STATE *state, int err)
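Review bot: The parameter names `__state`, `__reason` and `__smtp_reply` in the two macros added at the top of this hunk are double-underscore identifiers, which C reserves for the implementation; the commit moves the macros out of cleanup.h and renames the macros themselves, but keeps these parameter names. Now that the macros are private to this file, short names such as `st`, `rsn` and `rply` would avoid the reserved prefix — choose names that are not also CLEANUP_STATE member names, because a parameter called `reason` would be substituted inside `(st)->reason`. Separately, `mystrdup(__smtp_reply + 4)` assumes the reply begins with a three-digit code and a space, and the argument is evaluated twice; a one-line comment such as `/* skip the "NNN " status prefix; callers pass complete 4xx/5xx replies */` would record that contract, which I infer from the `case '4'`/`case '5'` callers in the next hunk rather than from anything checked here.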
@@ -1404,14 +1427,14 @@ static const char *cleanup_milter_apply(CLEANUP_STATE *state, const char *event,
* queue record processing, and prevents bounces from being sent.
*/
case '4':
- CLEANUP_MILTER_SMTP_REPLY(state, resp);
+ CLEANUP_MILTER_SET_SMTP_REPLY(state, resp);
ret = state->reason;
state->errs |= CLEANUP_STAT_DEFER;
action = "milter-reject";
text = resp + 4;
break;
case '5':
- CLEANUP_MILTER_SMTP_REPLY(state, resp);
+ CLEANUP_MILTER_SET_SMTP_REPLY(state, resp);
ret = state->reason;
state->errs |= CLEANUP_STAT_CONT;
action = "milter-reject";
@@ -1588,7 +1611,7 @@ void cleanup_milter_emul_rcpt(CLEANUP_STATE *state,
msg_warn("%s: milter configuration error: can't reject recipient "
"in non-smtpd(8) submission", state->queue_id);
msg_warn("%s: deferring delivery of this message", state->queue_id);
- CLEANUP_MILTER_REASON(state, "4.3.5 Server configuration error");
+ CLEANUP_MILTER_SET_REASON(state, "4.3.5 Server configuration error");
state->errs |= CLEANUP_STAT_DEFER;
}
}
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index b8b0caf80..35c187be5 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -1970,6 +1970,7 @@ extern char *var_perm_mx_networks;
extern int var_access_map_code;
#define CHECK_CLIENT_ACL "check_client_access"
+#define CHECK_REVERSE_CLIENT_ACL "check_reverse_client_hostname_access"
#define CHECK_CCERT_ACL "check_ccert_access"
#define CHECK_HELO_ACL "check_helo_access"
#define CHECK_SENDER_ACL "check_sender_access"
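Review bot: The restriction string defined here, `"check_reverse_client_hostname_access"`, does not match the HISTORY entry in this same commit, which announces the feature as `check_reverse_client_access`; the postconf.proto and postconf.5 hunks use the longer form, so HISTORY is the odd one out. One of the two should be corrected so that an administrator who reads the changelog searches for the string that main.cf actually accepts.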
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 86acee7dc..a49411f2b 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20080207"
+#define MAIL_RELEASE_DATE "20080216"
#define MAIL_VERSION_NUMBER "2.6"
#ifdef SNAPSHOT
diff --git a/postfix/src/milter/milter8.c b/postfix/src/milter/milter8.c
index be79cd8bc..4a3abb96d 100644
--- a/postfix/src/milter/milter8.c
+++ b/postfix/src/milter/milter8.c
@@ -1267,17 +1267,17 @@ static const char *milter8_event(MILTER8 *milter, int event,
break;
}
}
- for (cp = STR(milter->buf); /* void */ ; cp = next) {
- if (var_soft_bounce) {
+ if (var_soft_bounce) {
+ for (cp = STR(milter->buf); /* void */ ; cp = next) {
if (cp[0] == '5') {
cp[0] = '4';
if (cp[4] == '5')
cp[4] = '4';
}
+ if ((next = strstr(cp, "\r\n")) == 0)
+ break;
+ next += 2;
}
- if ((next = strstr(cp, "\r\n")) == 0)
- break;
- next += 2;
}
if (IN_CONNECT_EVENT(event)) {
#ifdef LIBMILTER_AUTO_DISCONNECT
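Review bot: The soft-bounce rewrite still reads and writes `cp[4]` before it has located the end of the current line, so a short line such as `5\r\n`, or a final line shorter than five bytes, makes `cp[4]` touch the next line or read past the terminating NUL; this hunk moves the loop under `if (var_soft_bounce)` but keeps that access unchanged. Finding `next` first and guarding the second rewrite with the line length closes this without changing behaviour for well-formed replies, as sketched below. If milter replies are validated as well-formed `NNN X.Y.Z text` lines before reaching this point (not visible here), the guard is only defensive. milter8_event begins before this hunk.
```c
    if (var_soft_bounce) {
        for (cp = STR(milter->buf); /* void */ ; cp = next) {
            size_t line_len;

            /* Find the end of this line before reading fixed offsets. */
            next = strstr(cp, "\r\n");
            line_len = next ? (size_t) (next - cp) : strlen(cp);
            if (line_len > 0 && cp[0] == '5') {
                cp[0] = '4';
                if (line_len > 4 && cp[4] == '5')
                    cp[4] = '4';
            }
            if (next == 0)
                break;
            next += 2;
        }
    }
```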
diff --git a/postfix/src/postfix/postfix.c b/postfix/src/postfix/postfix.c
index 3b9154ca1..78d3945b9 100644
--- a/postfix/src/postfix/postfix.c
+++ b/postfix/src/postfix/postfix.c
@@ -57,7 +57,7 @@
/* already installed Postfix system.
/* .sp
/* This feature is available in Postfix 2.1 and later. With
-/* Postfix 2.0 and earlier, use "\fB/etc/postfix/post-install
+/* Postfix 2.0 and earlier, use "\fB$config_directory/post-install
/* set-permissions\fR".
/* .IP "\fBupgrade-configuration\fR \fB[\fIname\fR=\fIvalue ...\fB]\fR
/* Update the \fBmain.cf\fR and \fBmaster.cf\fR files with information
@@ -68,7 +68,7 @@
/* main.cf configuration parameters.
/* .sp
/* This feature is available in Postfix 2.1 and later. With
-/* Postfix 2.0 and earlier, use "\fB/etc/postfix/post-install
+/* Postfix 2.0 and earlier, use "\fB$config_directory/post-install
/* upgrade-configuration\fR".
/* .PP
/* The following options are implemented:
@@ -150,8 +150,21 @@
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* FILES
-/* /etc/postfix/main.cf, Postfix configuration parameters
-/* /etc/postfix/master.cf, Postfix daemon processes
+/* .ad
+/* .fi
+/* Prior to Postfix version 2.6, all of the following files
+/* were in \fB$config_directory\fR. Some files are now in
+/* \fB$daemon_directory\fR so that they can be shared among
+/* multiple instances that run the same Postfix version.
+/*
+/* Use the command "\fBpostconf config_directory\fR" or
+/* "\fBpostconf daemon_directory\fR" to expand the names
+/* into their actual values.
+/* .na
+/* .nf
+/*
+/* $config_directory/main.cf, Postfix configuration parameters
+/* $config_directory/master.cf, Postfix daemon processes
/* $daemon_directory/postfix-files, file/directory permissions
/* $daemon_directory/postfix-script, administrative commands
/* $daemon_directory/post-install, post-installation configuration
diff --git a/postfix/src/smtp/smtp_sasl_glue.c b/postfix/src/smtp/smtp_sasl_glue.c
index 41d150e3c..1b657e64b 100644
--- a/postfix/src/smtp/smtp_sasl_glue.c
+++ b/postfix/src/smtp/smtp_sasl_glue.c
@@ -291,6 +291,7 @@ int smtp_sasl_authenticate(SMTP_SESSION *session, DSN_BUF *why)
const char *mechanism;
int result;
char *line;
+ int steps = 0;
/*
* Sanity check.
@@ -356,6 +357,16 @@ int smtp_sasl_authenticate(SMTP_SESSION *session, DSN_BUF *why)
*/
while ((resp = smtp_chat_resp(session))->code / 100 == 3) {
+ /*
+ * Sanity check.
+ */
+ if (++steps > 100) {
+ dsb_simple(why, "4.3.0", "SASL authentication failed; "
+ "authentication protocol loop with server %s",
+ session->namaddr);
+ return (-1);
+ }
+
/*
* Process a server challenge.
*/
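Review bot: The loop bound in `if (++steps > 100)` is a bare magic number; a named constant at the top of the file, for example `#define SMTP_SASL_MAX_STEPS 100` (name constructed here), would document that this is the maximum number of challenge/response rounds the client tolerates and make the limit discoverable. The guard itself is the right shape: it caps the `3xx` exchange so a confused or hostile server cannot hold the client in the authentication loop indefinitely, and `steps` is initialized to 0 in the previous hunk, so the count is correct on the first round. The comment above the check reads only `Sanity check`; something like `/* Bound the challenge/response rounds so a looping server cannot tie up this client. */` would say what is being guarded against. smtp_sasl_authenticate continues outside this hunk.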
diff --git a/postfix/src/smtpd/smtpd_chat.c b/postfix/src/smtpd/smtpd_chat.c
index f7445d66c..05ef1e507 100644
--- a/postfix/src/smtpd/smtpd_chat.c
+++ b/postfix/src/smtpd/smtpd_chat.c
@@ -172,6 +172,7 @@ void smtpd_chat_reply(SMTPD_STATE *state, const char *format,...)
next = end;
}
smtp_chat_append(state, "Out: ", cp);
+
if (msg_verbose)
msg_info("> %s: %s", state->namaddr, cp);
diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index f1c0366da..796e40a76 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -3502,8 +3502,8 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
if (strchr(name, ':') != 0) {
if (def_acl == NO_DEF_ACL) {
- msg_warn("specify one of (%s, %s, %s, %s, %s) before %s restriction \"%s\"",
- CHECK_CLIENT_ACL, CHECK_HELO_ACL, CHECK_SENDER_ACL,
+ msg_warn("specify one of (%s, %s, %s, %s, %s, %s) before %s restriction \"%s\"",
+ CHECK_CLIENT_ACL, CHECK_REVERSE_CLIENT_ACL, CHECK_HELO_ACL, CHECK_SENDER_ACL,
CHECK_RECIP_ACL, CHECK_ETRN_ACL, reply_class, name);
longjmp(smtpd_check_buf,
smtpd_check_reject(state, MAIL_ERROR_SOFTWARE,
@@ -3590,6 +3590,11 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
status = check_namadr_access(state, *cpp, state->name, state->addr,
FULL, &found, state->namaddr,
SMTPD_NAME_CLIENT, def_acl);
+ } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_ACL, &cpp)) {
+ status = check_namadr_access(state, *cpp, state->reverse_name, state->addr,
+ FULL, &found, state->namaddr,
+ SMTPD_NAME_REV_CLIENT, def_acl);
+ forbid_whitelist(state, name, status, state->reverse_name);
} else if (strcasecmp(name, REJECT_MAPS_RBL) == 0) {
status = reject_maps_rbl(state);
} else if (strcasecmp(name, REJECT_RBL_CLIENT) == 0
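Review bot: The new check_reverse_client_hostname_access branch carries no comment explaining why `forbid_whitelist` is called right after the lookup, and that is the security-relevant part of the feature: `state->reverse_name` is the client's PTR result without forward confirmation, so whoever controls that reverse zone controls the lookup key, and honoring an OK result would let them step past every later restriction. A comment above the `forbid_whitelist` call such as `/* The reverse name is unverified and chosen by the PTR owner, so a whitelisting (OK) result must not be honored; use DUNNO to exempt hosts. */` would keep that intent visible to future editors. I cannot see here what `state->reverse_name` holds when the PTR lookup fails; if it is an "unknown" placeholder, the access lookup keys on that literal, which is worth a word in the same comment. generic_checks begins and ends outside this hunk.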
diff --git a/postfix/src/smtpd/smtpd_dsn_fix.h b/postfix/src/smtpd/smtpd_dsn_fix.h
index a3a42dff5..30e0c93d3 100644
--- a/postfix/src/smtpd/smtpd_dsn_fix.h
+++ b/postfix/src/smtpd/smtpd_dsn_fix.h
@@ -13,6 +13,7 @@
* Internal interface.
*/
#define SMTPD_NAME_CLIENT "Client host"
+#define SMTPD_NAME_REV_CLIENT "Unverified Client host"
#define SMTPD_NAME_CCERT "Client certificate"
#define SMTPD_NAME_HELO "Helo command"
#define SMTPD_NAME_SENDER "Sender address"
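Review bot: The new `SMTPD_NAME_REV_CLIENT` string `"Unverified Client host"` capitalizes its middle word, unlike every neighbouring value (`"Client certificate"`, `"Helo command"`, `"Sender address"`), where only the first word is capitalized; `"Unverified client host"` would match the existing pattern. The smtpd_check.c hunk passes this value to check_namadr_access alongside the other SMTPD_NAME_* strings, so it presumably surfaces in log or reply text where the inconsistency would be visible to operators.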