mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-30 05:38:06 +00:00
Code Issues Releases Wiki Activity

snapshot-20010124

Browse Source
This commit is contained in:
Wietse Venema 2001-01-24 00:00:00 -05:00 committed by Viktor Dukhovni
parent 19ca5e1319
commit bcd247acbf
20 changed files with 214 additions and 233 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
postfix/FILTER_README
View File

@ -1,6 +1,6 @@
This is a very first implementation of Postfix content filtering.
A Postfix content filter receives unfiltered mail from Postfix and
re-injects filtered mail back into Postfix.
either bounces the mail or re-injects filtered mail back into Postfix.
It involves an incompatible change to queue file formats. Older
Postfix versions will reject mail that needs to be content filtered,
@ -24,32 +24,34 @@ The example assumes that only mail arriving via SMTP needs to be
content filtered.
..................................
. Postfix .
------smtpd \ /local-----
. -cleanup->queue- .
-----pickup / \smtp------
^ . | .
| . \pipe-----+
: Postfix :
----->smtpd \ /local---->
: -cleanup->queue- :
---->pickup / \smtp----->
^ : | :
| : \pipe-----+
| .................................. |
| |
| |
+------sendmail<-------filter<---------+
Create a dedicated local user account called "filter". The user
will never log in, and can be given a "*" password and non-existent
shell and home.
1 - Create a dedicated local user account called "filter". The
user will never log in, and can be given a "*" password and
non-existent shell and home directory. This user handles all
potentially dangerous mail content - that is why it should be
a separate account.
Create a directory /var/spool/filter that is accessible only to
the "filter" user. This is where the content filtering will store
its temporary files.
2 - Create a directory /var/spool/filter that is accessible only
to the "filter" user. This is where the content filtering will
store its temporary files.
Define a content filtering entry in the Postfix master file:
3 - Define a content filtering entry in the Postfix master file:
/etc/postfix/master.cf:
filter unix - n n - - pipe
user=filter argv=/some/where/filter -f ${sender} -- ${recipient}
filter unix - n n - - pipe
flags=R user=filter argv=/some/where/filter -f ${sender} -- ${recipient}
The filter program can start out as a simple shell script like this:
The /some/where/filter program can be a simple shell script like this:
#!/bin/sh
@ -85,20 +87,11 @@ content is OK, it is given as input to Postfix sendmail, and the
exit status of the filter command is whatever exit status Postfix
sendmail produces.
The problem with content filters like this is that they are not
very robust, because the software does not talk a well-defined
protocol with Postfix. If the filter shell script aborts because
the shell runs into some memory allocation problem, the script will
not produce a nice exit status as per /usr/include/sysexits.h and
mail will probably bounce. The same lack of robustness is possible
when the content filtering software itself runs into a resource
problem.
I suggest that you play with this script for a while until you are
satisfied with the results. Run it as root or as the filter user,
with a real message (headers+body) as input:
satisfied with the results. Run it as the filter user, with a real
message (headers+body) as input:
# /some/where/filter -f sender recipient... <message-file
% /some/where/filter -f sender recipient... <message-file
Turn on content filtering for mail arriving via SMTP only, by
appending "-o content_filter=filter:dummy" to the master.cf
@ -111,9 +104,17 @@ entry that defines the Postfix SMTP server:
The content_filter configuration parameter accepts the same
syntax as the right-hand side in a Postfix transport table.
Postfix snapshot-20000529 requires that you specify a dummy
destination as shown in the example. This is no longer necessary
with later Postfix versions.
Simple content filter limitations
=================================
The problem with content filters like the one above is that they
are not very robust, because the software does not talk a well-defined
protocol with Postfix. If the filter shell script aborts because
the shell runs into some memory allocation problem, the script will
not produce a nice exit status as per /usr/include/sysexits.h and
mail will probably bounce. The same lack of robustness is possible
when the content filtering software itself runs into a resource
problem.
Advanced content filtering example
===================================
@ -132,20 +133,20 @@ port 10025 that receives mail via the SMTP protocol, and that
submits mail back into Postfix via localhost port 10026.
..................................
. Postfix .
------smtpd \ /local-----
. -cleanup->queue- .
-----pickup / ^ | \smtp------
. | v .
. smtpd smtp .
. 10026 | .
: Postfix :
----->smtpd \ /local---->
: -cleanup->queue- :
---->pickup / ^ | \smtp----->
: | v :
: smtpd smtp :
: 10026 | :
......................|...........
^ |
| v
....|............
. | 10025 .
. filtering .
. .
: | 10025 :
: filter :
: :
.................
To enable content filtering in this manner, specify in main.cf a
@ -174,12 +175,8 @@ up to 10 content filtering processes on demand:
"filter" is a dedicated local user account. The user will never
log in, and can be given a "*" password and non-existent shell and
home.
The spawn server is part of Postfix but is not installed by default.
Edit the top-level Makefile.in file, run "make makefiles", "make",
and "make install". The manual page isn't installed by default,
either. See the spawn.c source file.
home directory. This user handles all potentially dangerous mail
content - that is why it should be a separate account.
The /some/where/filter command is most likely a PERL script. PERL
has modules that make talking SMTP easy. The command-line specifies
@ -192,7 +189,8 @@ it can be used with other mailers too, which is a nice spin-off.
The simplest content filter just copies SMTP commands and data
between its inputs and outputs. If it has a problem, all it has to
do is to reply to an input of `.' with `550 content rejected', and
to disconnect its output side instead of sending `.'.
to disconnect without sending `.' on the connection that injects
mail back into Postfix.
The job of the content filter is to either bounce mail with a
suitable diagnostic, or to feed the mail back into Postfix through

3
postfix/INSTALL.sh
View File

@ -6,6 +6,7 @@
PATH=/bin:/usr/bin:/usr/sbin:/usr/etc:/sbin:/etc
umask 022
test -t 0 &&
cat <<EOF
Warning: this script replaces existing sendmail or Postfix programs.
@ -124,6 +125,7 @@ fi
# Find out the location of configuration files.
test -t 0 &&
for name in install_root tempdir config_directory
do
while :
@ -168,6 +170,7 @@ test -f $CONFIG_DIRECTORY/install.cf && . $CONFIG_DIRECTORY/install.cf
# Override default settings.
test -t 0 &&
for name in daemon_directory command_directory \
queue_directory sendmail_path newaliases_path mailq_path mail_owner\
setgid manpages

204
postfix/LMTP_README
View File

@ -1,14 +1,12 @@
[Based on information that was provided by Amous Gouaux]
Postfix LMTP support
====================
LMTP stands for Local Mail Transfer Protocol, and is detailed in
RFC2033. This protocol is used to communicate with the final
delivery agent, which may be on the local host or a remote host.
delivery agent, which may run on the local host or a remote host.
This protocol opens up interesting possibilities: one Postfix front
end system can drive multiple mailbox back end systems over LMTP.
end machine can drive multiple mailbox back end machines over LMTP.
As the mail load increases you add Postfix front end systems and
LMTP mailbox back end systems. You can use LDAP or mysql to share
the user database among the front end and back end systems.
@ -51,54 +49,68 @@ given in the lmtp(8) manual page.
Using main.cf configuration
===========================
This is the simplest LMTP configuration. The settings
local_transport, mailbox_transport, and fallback_transport can
support the following connections:
This is the simplest LMTP configuration.
1. LMTP over TCP sockets.
1. LMTP over UNIX-domain sockets.
mailbox_transport = lmtp
The UNIX-domain socket is specified as a name in the local file
system. This "/path/name" should be the socket created by the
LMTP server on the local machine. See the specific examples
later in this document.
Instead of delivering local mail to a mail box such as
/var/mail/$user, a connection will be made over TCP to an LMTP
server. Currently the default port for this connection is 24,
but this can be customized in the "/etc/services" file.
The settings local_transport, mailbox_transport, and
fallback_transport support the following connections:
mailbox_transport = lmtp:unix:/path/name
The Postfix local delivery agent expands aliases and .forward
files, and delegates mailbox delivery to the LMTP server.
local_transport = lmtp:unix:/path/name
Mail that resolves as local is directly given to the LMTP server.
The mail is not processed by the Postfix local delivery agent;
therefore aliases and .forward files are not expanded.
fallback_transport = lmtp:unix:/path/name
The Postfix local delivery agent expands aliases and .forward files,
and delivers to /var/mail/$user for users that have a UNIX account.
Mail for other local users is delegated to the LMTP server.
NOTE:
With connections over TCP sockets, some Cyrus implementations
insist on SASL-style authentication, which is not currently
supported by the Postfix LMTP client. See the examples below
for additional details.
2. LMTP over UNIX-domain sockets.
mailbox_transport = lmtp:unix:/path/name
In this case the LMTP connection will be made over a UNIX-domain
socket. This "/path/name" should be the socket created by the
LMTP server on the local machine.
NOTE 1:
If you configured Cyrus using the "--with-libwrap" option, be
sure to allow access to the "lmtpd" service from "0.0.0.0".
Otherwise LMTP deliveries over UNIX-domain sockets will be
blocked. See the examples below for more on using libwrap.
NOTE 2:
If you run the lmtp client chrooted, the interpretation of
the /path/name is relative to the Postfix queue directory
(typically, /var/spool/postfix).
NOTE 3:
By default, the Postfix LMTP client does not run chrooted.
With LMTP delivery to the local machine there is no good
reason to run the Postfix LMTP client chrooted.
2. LMTP over TCP sockets.
Currently the default TCP port number for this type of connection
is 24, but this can be customized in the "/etc/services" file.
Specific examples are given later in this document.
The settings local_transport, mailbox_transport, and
fallback_transport support the following connections:
mailbox_transport = lmtp:hostname:port
local_transport = lmtp:hostname:port
fallback_transport = lmtp:hostname:port
See the previous section for a discussion of the differences
between these three delivery methods.
NOTE:
With connections over TCP sockets, later Cyrus implementations
insist on SASL-style authentication. This means that Postfix
must be built with SASL support (see SASL_README). The
examples below show how to enable this in the Postfix LMTP
client.
Examples:
@ -120,15 +132,9 @@ Examples:
mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
In this case, mail that is resolved to be local will be delivered
to the Cyrus lmtpd server via the socket "/var/imap/socket/lmtp".
If you configured Cyrus using the "--with-libwrap" option, you
will need the following:
/etc/hosts.allow:
lmtpd : 0.0.0.0
In this case, the Postfix local delivery agent expands aliases
and .forward files, and delegates mailbox delivery to the Cyrus
lmtpd server via the socket "/var/imap/socket/lmtp".
2. LMTP over TCP sockets.
@ -139,104 +145,50 @@ Examples:
SERVICES {
...
lmtp cmd="lmtpd -a" listen="127.0.0.1:lmtp" prefork=0
lmtp cmd="lmtpd" listen="127.0.0.1:lmtp" prefork=0
...
}
XXX does this mean that connections will be accepted only on 127.0.0.1?
/etc/services:
lmtp 2003/tcp
lmtp 24/tcp
/etc/postfix/main.cf:
mailbox_transport = lmtp
mailbox_transport = lmtp:localhost
lmtp_sasl_auth_enable = yes
lmtp_sasl_password_maps = hash:/etc/postfix/lmtp_sasl_pass
/etc/postfix/master.cf:
lmtp unix - - n - - lmtp
Mail that Postfix resolves to be local will be delivered via TCP
to the Cyrus LMTP server. Postfix will make a connection to port
2003 on the local host, subsequently transmitting the message to
the lmtpd server managed by the Cyrus master process. Since
Postfix does not currently support LMTP-AUTH, the "-a" lmtpd
option is required.
/etc/postfix/lmtp_sasl_pass:
localhost.my.domain username:password
CAUTION:
Instead of "hash", use the map type of your choice. Some
systems use "dbm" instead. Use "postconf -m" to find out what
map types are supported.
If you run lmtpd with the "-a" option, be certain that you
restrict what systems can connect to this service. This can
be done in either one of two ways:
a. Compile Cyrus with libwrap support, configuring
"/etc/hosts.allow" to restrict access to this service to
only your mail server.
b. In the cyrus.conf file, for the "listen" argument to the
"lmtp" service, specify the address (in this case
localhost), that the service should bind to. This can
also be convenient if you have a private network between
your Postfix server and your Cyrus server.
If neither of these actions are taken, anybody will be able
to drop junk into your Cyrus message store!
3. LMTP over TCP sockets, using hosts.allow.
While similar to the previous example, this one varies in how the
lmtpd service is protected from unauthorized use. Instead of
binding the lmtpd service to a specific Internet address, access
will be controlled using the "/etc/hosts.allow" tcp_wrappers
configuration file. The tcp_wrappers package is available from:
ftp://ftp.porcupine.org/pub/security/index.html
To take advantage of tcp_wrappers, Cyrus will need to be
configured using the "--with-libwrap" option. See the Cyrus
documentation for more details.
Here are excerpts of the pertinent files:
/etc/hosts.allow:
lmtpd : localhost : ALLOW
lmtpd : ALL@ALL : DENY
/etc/cyrus.conf:
SERVICES {
...
lmtp cmd="lmtpd -a" listen="lmtp" prefork=0
...
}
/etc/services:
lmtp 2003/tcp
/etc/postfix/main.cf:
mailbox_transport = lmtp
The syntax shown in the hosts.allow excerpt above is valid if
tcp_wrappers is compiled using a "make" argument of:
STYLE=-DPROCESS_OPTIONS
See the tcp_wrappers hosts_options(5) man page for more details.
With the above settings, the Postfix local delivery agent
expands aliases and .forward files, and delegates mailbox
delivery to the the Cyrus LMTP server. Postfix makes a
connection to port 24 on the local host, subsequently
transmitting the message to the lmtpd server managed by the
Cyrus master process.
Using transport map configuration
=================================
This approach is quite similar to specifying the LMTP service in the
Postfix main.cf configuration file. However, now we will use a
transport map to route mail to the appropriate LMTP server. Why
might this approach be useful? This could be handy if you wish to
route mail for multiple domains to their respective mail retrieval
This approach is quite similar to specifying the LMTP service in
the Postfix main.cf configuration file. However, now we will use
a transport map to route mail to the appropriate LMTP server,
instead of depending on delegation by the Postfix local delivery
agent.
Why might this approach be useful? This could be handy if you wish
to route mail for multiple domains to their respective mail retrieval
(IMAP/POP) server. Example:
/etc/postfix/transport:
@ -399,7 +351,7 @@ configure inetd. This involves the following file edits:
/etc/services:
lmtp 2003/tcp
lmtp 24/tcp
/etc/inetd.conf:

13
postfix/SASL_README
View File

@ -62,11 +62,14 @@ Reportedly, Microsoft Internet Explorer version 5 requires the
non-standard SASL LOGIN authentication method. To enable this
authentication method, specify ``./configure --enable-login''.
Reportedly, older Microsoft software mis-implements the AUTH
protocol, and requires that the server replies to EHLO with
"250-AUTH=stuff..." instead of "250-AUTH stuff...". To accomodate
such clients, set "allow_broken_auth_clients = yes" in the main.cf
file.
Older Microsoft SMTP client software implements a non-standard
version of the AUTH protocol syntax, and expects that the SMTP
server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH
stuff". To accomodate such clients in addition to conformant
clients, set "broken_sasl_auth_clients = yes" in the main.cf file.
The Postfix SMTP client is backwards compatible with SMTP servers
that use the non-standard AUTH protocol syntax.
Building Postfix with SASL authentication support
=================================================

33
postfix/conf/access
View File

@ -83,35 +83,36 @@
# REJECT Reject the address etc. that matches the pattern. A
# generic error response message is generated.
#
# OK
# OK Accept the address etc. that matches the pattern.
#
# Any other text
# Accept the address etc. that matches the pattern.
# restriction...
# Apply the named UCE restriction (permit, reject,
# reject_unauth_destination, and so on).
#
# REGULAR EXPRESSION TABLES
# This section describes how the table lookups change when
# This section describes how the table lookups change when
# the table is given in the form of regular expressions. For
# a description of regular expression lookup table syntax,
# a description of regular expression lookup table syntax,
# see regexp_table(5) or pcre_table(5).
#
# Each pattern is a regular expression that is applied to
# Each pattern is a regular expression that is applied to
# the entire string being looked up. Depending on the appli-
# cation, that string is an entire client hostname, an
# cation, that string is an entire client hostname, an
# entire client IP address, or an entire mail address. Thus,
# no parent domain or parent network search is done, and
# user@domain mail addresses are not broken up into their
# no parent domain or parent network search is done, and
# user@domain mail addresses are not broken up into their
# user@ and domain constituent parts.
#
# Patterns are applied in the order as specified in the
# table, until a pattern is found that matches the search
# Patterns are applied in the order as specified in the
# table, until a pattern is found that matches the search
# string.
#
# Actions are the same as with normal indexed file lookups,
# with the additional feature that parenthesized substrings
# from the pattern can be interpolated as $1, $2 and so on.
# Actions are the same as with normal indexed file lookups,
# with the additional feature that parenthesized substrings
# from the pattern can be interpolated as $1, $2 and so on.
#
# BUGS
# The table format does not understand quoting conventions.
# The table format does not understand quoting conventions.
#
# 2
#
@ -124,7 +125,7 @@
# regexp_table(5) format of POSIX regular expression tables
#
# LICENSE
# The Secure Mailer license must be distributed with this
# The Secure Mailer license must be distributed with this
# software.
#
# AUTHOR(S)

34
postfix/html/access.5.html
View File

@ -94,36 +94,36 @@ ACCESS(5) ACCESS(5)
<b>REJECT</b> Reject the address etc. that matches the pattern. A
generic error response message is generated.
<b>OK</b>
<b>OK</b> Accept the address etc. that matches the pattern.
<i>Any</i> <i>other</i> <i>text</i>
Accept the address etc. that matches the pattern.
<i>restriction...</i>
Apply the named UCE restriction (<b>permit</b>, reject,
<b>reject</b><i>_</i><b>unauth</b><i>_</i><b>destination</b>, and so on).
<b>REGULAR</b> <b>EXPRESSION</b> <b>TABLES</b>
This section describes how the table lookups change when
This section describes how the table lookups change when
the table is given in the form of regular expressions. For
a description of regular expression lookup table syntax,
a description of regular expression lookup table syntax,
see <a href="regexp_table.5.html"><b>regexp</b><i>_</i><b>table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre</b><i>_</i><b>table</b>(5)</a>.
Each pattern is a regular expression that is applied to
Each pattern is a regular expression that is applied to
the entire string being looked up. Depending on the appli-
cation, that string is an entire client hostname, an
cation, that string is an entire client hostname, an
entire client IP address, or an entire mail address. Thus,
no parent domain or parent network search is done, and
<i>user@domain</i> mail addresses are not broken up into their
no parent domain or parent network search is done, and
<i>user@domain</i> mail addresses are not broken up into their
<i>user@</i> and <i>domain</i> constituent parts.
Patterns are applied in the order as specified in the
table, until a pattern is found that matches the search
Patterns are applied in the order as specified in the
table, until a pattern is found that matches the search
string.
Actions are the same as with normal indexed file lookups,
with the additional feature that parenthesized substrings
from the pattern can be interpolated as <b>$1</b>, <b>$2</b> and so on.
Actions are the same as with normal indexed file lookups,
with the additional feature that parenthesized substrings
from the pattern can be interpolated as <b>$1</b>, <b>$2</b> and so on.
<b>BUGS</b>
The table format does not understand quoting conventions.
The table format does not understand quoting conventions.
@ -144,7 +144,7 @@ ACCESS(5) ACCESS(5)
<a href="regexp_table.5.html">regexp_table(5)</a> format of POSIX regular expression tables
<b>LICENSE</b>
The Secure Mailer license must be distributed with this
The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>

4
postfix/html/smtpd.8.html
View File

@ -77,7 +77,7 @@ SMTPD(8) SMTPD(8)
For example, allow <a href="http://www.faqs.org/rfcs/rfc822.html">RFC822</a>-style address forms with
comments, like Sendmail does.
<b>allow</b><i>_</i><b>broken</b><i>_</i><b>auth</b><i>_</i><b>clients</b>
<b>broken</b><i>_</i><b>sasl</b><i>_</i><b>auth</b><i>_</i><b>clients</b>
Support older Microsoft clients that mis-implement
the AUTH protocol, and that expect an EHLO response
of "250 AUTH=list" instead of "250 AUTH list".
@ -90,7 +90,7 @@ SMTPD(8) SMTPD(8)
same syntax as the right-hand side of a Postfix
transport table.
<b>Authenication</b> <b>controls</b>
<b>Authentication</b> <b>controls</b>
<b>enable</b><i>_</i><b>sasl</b><i>_</i><b>authentication</b>
Enable per-session authentication as per <a href="http://www.faqs.org/rfcs/rfc2554.html">RFC 2554</a>
(SASL). This functionality is available only when

4
postfix/man/man5/access.5
View File

@ -76,8 +76,10 @@ the numerical code and text.
Reject the address etc. that matches the pattern. A generic
error response message is generated.
.IP \fBOK\fR
.IP "\fIAny other text\fR"
Accept the address etc. that matches the pattern.
.IP \fIrestriction...\fR
Apply the named UCE restriction (\fBpermit\fR, \fRreject\fR,
\fBreject_unauth_destination\fR, and so on).
.SH REGULAR EXPRESSION TABLES
.na
.nf

4
postfix/man/man8/smtpd.8
View File

@ -71,7 +71,7 @@ a configuration change.
.IP \fBstrict_rfc821_envelopes\fR
Disallow non-RFC 821 style addresses in envelopes. For example,
allow RFC822-style address forms with comments, like Sendmail does.
.IP \fBallow_broken_auth_clients\fR
.IP \fBbroken_sasl_auth_clients\fR
Support older Microsoft clients that mis-implement the AUTH
protocol, and that expect an EHLO response of "250 AUTH=list"
instead of "250 AUTH list".
@ -81,7 +81,7 @@ The name of a mail delivery transport that filters mail and that
either bounces mail or re-injects the result back into Postfix.
This parameter uses the same syntax as the right-hand side of
a Postfix transport table.
.SH "Authenication controls"
.SH "Authentication controls"
.IP \fBenable_sasl_authentication\fR
Enable per-session authentication as per RFC 2554 (SASL).
This functionality is available only when explicitly selected

4
postfix/proto/access
View File

@ -64,8 +64,10 @@
# Reject the address etc. that matches the pattern. A generic
# error response message is generated.
# .IP \fBOK\fR
# .IP "\fIAny other text\fR"
# Accept the address etc. that matches the pattern.
# .IP \fIrestriction...\fR
# Apply the named UCE restriction (\fBpermit\fR, \fRreject\fR,
# \fBreject_unauth_destination\fR, and so on).
# REGULAR EXPRESSION TABLES
# .ad
# .fi

2
postfix/src/global/mail_params.h
View File

@ -241,7 +241,7 @@ extern bool var_strict_rfc821_env;
* Standards violation: send "250 AUTH=list" in order to accomodate broken
* Microsoft clients.
*/
#define VAR_BROKEN_AUTH_CLNTS "allow_broken_auth_clients"
#define VAR_BROKEN_AUTH_CLNTS "broken_sasl_auth_clients"
#define DEF_BROKEN_AUTH_CLNTS 0
extern bool var_broken_auth_clients;

2
postfix/src/global/mail_version.h
View File

@ -15,7 +15,7 @@
* Version of this program.
*/
#define VAR_MAIL_VERSION "mail_version"
#define DEF_MAIL_VERSION "Snapshot-20010122"
#define DEF_MAIL_VERSION "Snapshot-20010124"
extern char *var_mail_version;
/* LICENSE

6
postfix/src/lmtp/lmtp.c
View File

@ -458,9 +458,12 @@ static void post_init(char *unused_name, char **unused_argv)
static void pre_init(char *unused_name, char **unused_argv)
{
debug_peer_init();
#ifdef USE_SASL_AUTH
if (var_lmtp_sasl_enable)
#ifdef USE_SASL_AUTH
lmtp_sasl_initialize();
#else
msg_warn("%s is true, but SASL support is not compiled in",
VAR_LMTP_SASL_ENABLE);
#endif
}
@ -525,6 +528,7 @@ int main(int argc, char **argv)
static CONFIG_BOOL_TABLE bool_table[] = {
VAR_LMTP_CACHE_CONN, DEF_LMTP_CACHE_CONN, &var_lmtp_cache_conn,
VAR_LMTP_SKIP_QUIT_RESP, DEF_LMTP_SKIP_QUIT_RESP, &var_lmtp_skip_quit_resp,
VAR_LMTP_SASL_ENABLE, DEF_LMTP_SASL_ENABLE, &var_lmtp_sasl_enable,
0,
};

4
postfix/src/postconf/postconf.c
View File

@ -658,9 +658,7 @@ static void print_parameter(int mode, char *ptr)
#define INSIDE(p,t) (ptr >= (char *) t && ptr < ((char *) t) + sizeof(t))
/*
* This is gross, but the best we can do on short notice. Instead of
* guessing we should use a tagged union. This is what code looks like
* when written under the pressure of a first public release.
* This is gross, but the best we can do on short notice.
*/
if (INSIDE(ptr, time_table))
print_time(mode, (CONFIG_TIME_TABLE *) ptr);

5
postfix/src/sendmail/sendmail.c
View File

@ -735,7 +735,8 @@ int main(int argc, char **argv)
* reset the saved set-userid, which would be a security vulnerability.
*/
if (geteuid() == 0 && getuid() != 0) {
msg_warn("sendmail has set-uid root file permissions, or is run from a set-uid root process");
msg_warn("the Postfix sendmail command has set-uid root file permissions");
msg_warn("or the command is run from a set-uid root process");
msg_warn("the Postfix sendmail command must be installed without set-uid root file permissions");
set_ugid(getuid(), getgid());
}
@ -903,7 +904,7 @@ int main(int argc, char **argv)
msg_fatal("-t can be used only in delivery mode");
if (site_to_flush && mode != SM_MODE_ENQUEUE)
msg_fatal("-t can be used only in delivery mode");
msg_fatal("-qR can be used only in delivery mode");
if (extract_recipients && argv[OPTIND])
msg_fatal("cannot handle command-line recipients with -t");

5
postfix/src/smtp/smtp.c
View File

@ -360,9 +360,12 @@ static void pre_init(char *unused_name, char **unused_argv)
{
debug_peer_init();
#ifdef USE_SASL_AUTH
if (var_smtp_sasl_enable)
#ifdef USE_SASL_AUTH
smtp_sasl_initialize();
#else
msg_warn("%s is true, but SASL support is not compiled in",
VAR_SMTP_SASL_ENABLE);
#endif
}

9
postfix/src/smtpd/smtpd.c
View File

@ -57,7 +57,7 @@
/* .IP \fBstrict_rfc821_envelopes\fR
/* Disallow non-RFC 821 style addresses in envelopes. For example,
/* allow RFC822-style address forms with comments, like Sendmail does.
/* .IP \fBallow_broken_auth_clients\fR
/* .IP \fBbroken_sasl_auth_clients\fR
/* Support older Microsoft clients that mis-implement the AUTH
/* protocol, and that expect an EHLO response of "250 AUTH=list"
/* instead of "250 AUTH list".
@ -67,7 +67,7 @@
/* either bounces mail or re-injects the result back into Postfix.
/* This parameter uses the same syntax as the right-hand side of
/* a Postfix transport table.
/* .SH "Authenication controls"
/* .SH "Authentication controls"
/* .IP \fBenable_sasl_authentication\fR
/* Enable per-session authentication as per RFC 2554 (SASL).
/* This functionality is available only when explicitly selected
@ -1415,9 +1415,12 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
debug_peer_init();
msg_cleanup(smtpd_cleanup);
#ifdef USE_SASL_AUTH
if (var_smtpd_sasl_enable)
#ifdef USE_SASL_AUTH
smtpd_sasl_initialize();
#else
msg_warn("%s is true, but SASL support is not compiled in",
VAR_SMTPD_SASL_ENABLE);
#endif
}

5
postfix/src/smtpd/smtpd.h
View File

@ -8,6 +8,11 @@
/* DESCRIPTION
/* .nf
/*
* System library.
*/
#include <unistd.h>
/*
* SASL library.
*/

1
postfix/src/smtpd/smtpd_check.c
View File

@ -281,6 +281,7 @@
/* Application-specific. */
#include "smtpd.h"
#include "smtpd_sasl_glue.h"
#include "smtpd_check.h"
/*

9
postfix/src/smtpstone/smtp-sink.c
View File

@ -336,11 +336,16 @@ static void connect_event(int unused_event, char *context)
if ((fd = accept(sock, &sa, &len)) >= 0) {
if (msg_verbose)
msg_info("connect (%s)", sa.sa_family == AF_LOCAL ? "AF_LOCAL" :
msg_info("connect (%s)",
#ifdef AF_LOCAL
sa.sa_family == AF_LOCAL ? "AF_LOCAL" :
#else
sa.sa_family == AF_UNIX ? "AF_UNIX" :
#endif
sa.sa_family == AF_INET ? "AF_INET" :
#ifdef AF_INET6
sa.sa_family == AF_INET6 ? "AF_INET6" :
#endif
sa.sa_family == AF_INET ? "AF_INET" :
"unknown protocol family");
non_blocking(fd, NON_BLOCKING);
state = (SINK_STATE *) mymalloc(sizeof(*state));