mirror of https://github.com/vdukhovni/postfix synced 2025-08-30 13:48:06 +00:00

postfix-2.4-20061229

This commit is contained in:
Wietse Venema 2006-12-29 00:00:00 -05:00 committed by Viktor Dukhovni
parent 42dbfa896e
commit c9e081a9dc
13 changed files with 4364 additions and 156 deletions

@ -13047,6 +13047,17 @@ Apologies for any names omitted.
Feature: time unit suffix support in _command_time_limit.
Files: pipe/pipe.c, spawn/spawn.c.
20061227
Bugfix: the MX hostname syntax check was accidentally skipped
with reject_unknown_helo_hostname/sender_domain/recipient_domain.
File: smtpd/smtpd_check.c.
20061229
Cleanup: use separate TLS_LEGACY_README to document the old
TLS user interface. This will simplify TLS_README dramatically.
Wish list:
Update MILTER_README with Martinec info.
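Review bot: the 20061227 entry records only that the MX hostname syntax check was skipped, but the fix in smtpd/smtpd_check.c also changes the client-visible rejection text (a DNS_INVAL result now produces "Malformed DNS server reply" where it previously fell under "Host not found" / "Domain not found"); operators grep logs for those strings, so add a line for the new wording here and, since this is a snapshot, in RELEASE_NOTES. The commit also adds a note to dns/dns.h about the skipped valid_hostname() check without a matching "Files:" line.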

@ -9,6 +9,7 @@ GGeenneerraall ccoonnffiigguurraattiioonn
* VIRTUAL_README: Virtual domain hosting
* SASL_README: SASL Authentication
* TLS_README: TLS Encryption and authentication
* TLS_LEGACY_README: Legacy TLS support
* IPV6_README: IP Version 6 Support
* INSTALL: Installation from source code

@ -16,10 +16,10 @@ Transport Layer Security (TLS, formerly called SSL) provides certificate-based
authentication and encrypted sessions. An encrypted session protects the
information that is transmitted with SMTP mail or with SASL authentication.
Postfix version 2.2 introduces support for TLS as described in RFC 3207. TLS
Support for older Postfix versions was available as an add-on patch. The
section "Compatibility with Postfix < 2.2 TLS support" below discusses the
differences between these implementations.
This document describes a TLS user interface that was introduced with Postfix
version 2.3. Support for an older user interface is documented in
TLS_LEGACY_README, which also describes the differences between Postfix and the
third-party patch on which Postfix version 2.2 TLS support was based.
Topics covered in this document:
@ -29,7 +29,6 @@ Topics covered in this document:
* SMTP Client specific settings
* TLS manager specific settings
* Reporting problems
* Compatibility with Postfix < 2.2 TLS support
* Credits
And last but not least, for the impatient:
@ -1735,42 +1734,6 @@ www.postfix.org/lists.html for subscription information. When reporting a
problem, please be thorough in the report. Patches, when possible, are greatly
appreciated too.
CCoommppaattiibbiilliittyy wwiitthh PPoossttffiixx << 22..22 TTLLSS ssuuppppoorrtt
Postfix version 2.2 TLS support is based on the Postfix/TLS patch by Lutz
Jänicke, but differs in a few minor ways.
* main.cf: Specify "btree" instead of "sdbm" for TLS session cache databases.
TLS session cache databases are now accessed only by the tlsmgr(8) process,
so there are no more concurrency issues. Although Postfix has an sdbm
client, the sdbm library (1000 lines of code) is not included with Postfix.
TLS session caches can use any database that can store objects of several
kbytes or more, and that implements the sequence operation. In most cases,
btree databases should be adequate.
NOTE: You cannot use DBM databases. TLS session objects are too large.
* master.cf: Specify "unix" instead of "fifo" as the tlsmgr service type.
The smtp(8) and smtpd(8) processes now use a client-server protocol in
order to access the tlsmgr(8) pseudo-random number generation (PRNG) pool,
and in order to access the TLS session cache databases. Such a protocol
cannot be run across fifos.
* smtp_tls_per_site: the MUST_NOPEERMATCH per-site policy cannot override the
global "smtp_tls_enforce_peername = yes" setting.
* smtp_tls_per_site: a combined (NONE + MAY) lookup result for (hostname and
next-hop destination) produces counter-intuitive results for different
main.cf settings. TLS is enabled with "smtp_tls_enforce_peername = no", but
it is disabled when both "smtp_enforce_tls = yes" and
"smtp_tls_enforce_peername = yes".
The smtp_tls_per_site limitations were removed by the end of the Postfix 2.2
support cycle.
CCrreeddiittss
* TLS support for Postfix was originally developed by Lutz Jänicke at Cottbus
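Review bot: this hunk drops the NOTE that DBM databases cannot hold TLS session objects and the warning that the tlsmgr service type must be "unix" rather than "fifo"; both are live operational pitfalls for anyone carrying an old main.cf/master.cf forward, not just history. The 20061229 HISTORY entry says the old interface is documented in TLS_LEGACY_README, whose diff is not shown on this page, so please confirm that text carries both points over rather than only the smtp_tls_per_site compatibility remarks.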

@ -34,11 +34,11 @@ certificate-based authentication and encrypted sessions. An
encrypted session protects the information that is transmitted with
SMTP mail or with SASL authentication.
<p> Postfix version 2.2 introduces support for TLS as described in
<a href="http://www.faqs.org/rfcs/rfc3207.html">RFC 3207</a>. TLS Support for older Postfix versions was available as
an add-on patch. The section "<a href="#compat">Compatibility with
Postfix &lt; 2.2 TLS support</a>" below discusses the differences
between these implementations. </p>
<p> This document describes a TLS user interface that was introduced
with Postfix version 2.3. Support for an older user interface is
documented in <a href="TLS_LEGACY_README.html">TLS_LEGACY_README</a>, which also describes the differences
between Postfix and the third-party patch on which Postfix version
2.2 TLS support was based. </p>
<p> Topics covered in this document: </p>
@ -56,8 +56,6 @@ between these implementations. </p>
<li><a href="#problems"> Reporting problems </a>
<li><a href="#compat">Compatibility with Postfix &lt; 2.2 TLS support</a>
<li><a href="#credits"> Credits </a>
</ul>
@ -2330,52 +2328,6 @@ See <a href="http://www.postfix.org/lists.html">http://www.postfix.org/lists.htm
When reporting a problem, please be thorough in the report. Patches,
when possible, are greatly appreciated too. </p>
<h2><a name="compat">Compatibility with Postfix &lt; 2.2 TLS support</a></h2>
<p> Postfix version 2.2 TLS support is based on the Postfix/TLS
patch by Lutz J&auml;nicke, but differs in a few minor ways. </p>
<ul>
<li> <p> <a href="postconf.5.html">main.cf</a>: Specify "btree" instead of "sdbm" for TLS
session cache databases. </p>
<p> TLS session cache databases are now accessed only by the
<a href="tlsmgr.8.html">tlsmgr(8)</a> process, so there are no more concurrency issues. Although
Postfix has an sdbm client, the sdbm library (1000
lines of code) is not included with Postfix. </p>
<p> TLS session caches can use any database that can store objects
of several kbytes or more, and that implements the sequence operation.
In most cases, btree databases should be adequate. </p>
<p> NOTE: You cannot use DBM databases. TLS session objects
are too large. </p>
<li> <p> <a href="master.5.html">master.cf</a>: Specify "unix" instead of "fifo" as
the tlsmgr service type. </p>
<p> The <a href="smtp.8.html">smtp(8)</a> and <a href="smtpd.8.html">smtpd(8)</a> processes now use a client-server
protocol in order to access the <a href="tlsmgr.8.html">tlsmgr(8)</a> pseudo-random number
generation (PRNG) pool, and in order to access the TLS session
cache databases. Such a protocol cannot be run across fifos. </p>
<li> <p> <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>: the MUST_NOPEERMATCH per-site policy
cannot override the global "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes" setting.
</p>
<li> <p> <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>: a combined (NONE + MAY) lookup result
for (hostname and next-hop destination) produces counter-intuitive
results for different <a href="postconf.5.html">main.cf</a> settings. TLS is enabled with
"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = no", but it is disabled when both
"<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" and "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes".
</p>
</ul>
<p> The <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> limitations were removed by the end of
the Postfix 2.2 support cycle. </p>
<h2><a name="credits">Credits </a> </h2>
<ul>
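Review bot: removing the `<a name="compat">` anchor together with the section turns any remaining `href="#compat"` in TLS_README.html into a dead fragment; the table-of-contents entry goes away in the previous hunk, but grep the whole source tree for "#compat" before merging, and note that external documents deep-linking to TLS_README.html#compat will now land at the top of the page. A one-line stub under the old anchor pointing at TLS_LEGACY_README.html would keep those links useful.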

@ -40,6 +40,8 @@ configuration examples </a>
<li> <a href="TLS_README.html"> TLS Encryption and authentication </a>
<li> <a href="TLS_LEGACY_README.html"> Legacy TLS support </a>
<li> <a href="IPV6_README.html"> IP Version 6 Support </a>
<li> <a href="INSTALL.html"> Installation from source code </a>

@ -35,7 +35,7 @@ HTML = ../html/ADDRESS_CLASS_README.html \
../html/SMTPD_POLICY_README.html \
../html/SMTPD_PROXY_README.html \
../html/STANDARD_CONFIGURATION_README.html \
../html/TLS_README.html \
../html/TLS_README.html ../html/TLS_LEGACY_README.html \
../html/TUNING_README.html \
../html/UUCP_README.html ../html/ULTRIX_README.html \
../html/VERP_README.html ../html/VIRTUAL_README.html \
@ -71,7 +71,7 @@ README = ../README_FILES/ADDRESS_CLASS_README \
../README_FILES/SMTPD_ACCESS_README \
../README_FILES/SMTPD_POLICY_README ../README_FILES/SMTPD_PROXY_README \
../README_FILES/STANDARD_CONFIGURATION_README \
../README_FILES/TLS_README \
../README_FILES/TLS_README ../README_FILES/TLS_LEGACY_README \
../README_FILES/TUNING_README \
../README_FILES/UUCP_README ../README_FILES/ULTRIX_README \
../README_FILES/VERP_README ../README_FILES/VIRTUAL_README \
@ -264,6 +264,9 @@ clobber:
../html/TLS_README.html: TLS_README.html
$(POSTLINK) $? >$@
../html/TLS_LEGACY_README.html: TLS_LEGACY_README.html
$(POSTLINK) $? >$@
../README_FILES/ADDRESS_CLASS_README: ADDRESS_CLASS_README.html
$(HT2READ) $? >$@
@ -405,6 +408,9 @@ clobber:
../README_FILES/TLS_README: TLS_README.html
$(HT2READ) $? >$@
../README_FILES/TLS_LEGACY_README: TLS_LEGACY_README.html
$(HT2READ) $? >$@
../README_FILES/AAAREADME: ../html/index.html $(MAKEAAA)
$(MAKEAAA) ../html/index.html | $(HT2READ) >$@

@ -34,11 +34,11 @@ certificate-based authentication and encrypted sessions. An
encrypted session protects the information that is transmitted with
SMTP mail or with SASL authentication.
<p> Postfix version 2.2 introduces support for TLS as described in
RFC 3207. TLS Support for older Postfix versions was available as
an add-on patch. The section "<a href="#compat">Compatibility with
Postfix &lt; 2.2 TLS support</a>" below discusses the differences
between these implementations. </p>
<p> This document describes a TLS user interface that was introduced
with Postfix version 2.3. Support for an older user interface is
documented in TLS_LEGACY_README, which also describes the differences
between Postfix and the third-party patch on which Postfix version
2.2 TLS support was based. </p>
<p> Topics covered in this document: </p>
@ -56,8 +56,6 @@ between these implementations. </p>
<li><a href="#problems"> Reporting problems </a>
<li><a href="#compat">Compatibility with Postfix &lt; 2.2 TLS support</a>
<li><a href="#credits"> Credits </a>
</ul>
@ -2330,52 +2328,6 @@ See http://www.postfix.org/lists.html for subscription information.
When reporting a problem, please be thorough in the report. Patches,
when possible, are greatly appreciated too. </p>
<h2><a name="compat">Compatibility with Postfix &lt; 2.2 TLS support</a></h2>
<p> Postfix version 2.2 TLS support is based on the Postfix/TLS
patch by Lutz J&auml;nicke, but differs in a few minor ways. </p>
<ul>
<li> <p> main.cf: Specify "btree" instead of "sdbm" for TLS
session cache databases. </p>
<p> TLS session cache databases are now accessed only by the
tlsmgr(8) process, so there are no more concurrency issues. Although
Postfix has an sdbm client, the sdbm library (1000
lines of code) is not included with Postfix. </p>
<p> TLS session caches can use any database that can store objects
of several kbytes or more, and that implements the sequence operation.
In most cases, btree databases should be adequate. </p>
<p> NOTE: You cannot use DBM databases. TLS session objects
are too large. </p>
<li> <p> master.cf: Specify "unix" instead of "fifo" as
the tlsmgr service type. </p>
<p> The smtp(8) and smtpd(8) processes now use a client-server
protocol in order to access the tlsmgr(8) pseudo-random number
generation (PRNG) pool, and in order to access the TLS session
cache databases. Such a protocol cannot be run across fifos. </p>
<li> <p> smtp_tls_per_site: the MUST_NOPEERMATCH per-site policy
cannot override the global "smtp_tls_enforce_peername = yes" setting.
</p>
<li> <p> smtp_tls_per_site: a combined (NONE + MAY) lookup result
for (hostname and next-hop destination) produces counter-intuitive
results for different main.cf settings. TLS is enabled with
"smtp_tls_enforce_peername = no", but it is disabled when both
"smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes".
</p>
</ul>
<p> The smtp_tls_per_site limitations were removed by the end of
the Postfix 2.2 support cycle. </p>
<h2><a name="credits">Credits </a> </h2>
<ul>

@ -100,6 +100,12 @@
/* The DNS query succeeded; the requested information was not found.
/* .IP DNS_INVAL
/* The DNS query succeeded; the result failed the valid_hostname() test.
/*
/* NOTE: the valid_hostname() test is skipped for results that
/* the caller suppresses explicitly. For example, when the
/* caller requests MX record lookup but specifies a null
/* resource record list argument, no syntax check will be done
/* for MX server names.
/* .IP DNS_RETRY
/* The query failed, or the reply was malformed.
/* The problem is considered transient.
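Review bot: the new note documents that a null resource-record list argument suppresses the valid_hostname() syntax check, which is exactly the trap that the smtpd_check.c change in this commit works around by requesting a list it immediately frees. Documenting it is better than nothing, but a safer contract would run the syntax check regardless of whether the caller keeps the records (or expose a request flag for it), so that a DNS_INVAL result cannot be silently downgraded to DNS_OK again by a future caller; at minimum the note should tell callers that want the check to pass a throwaway list and free it with dns_rr_free().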

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20061224"
#define MAIL_RELEASE_DATE "20061229"
#define MAIL_VERSION_NUMBER "2.4"
#ifdef SNAPSHOT

@ -1142,6 +1142,7 @@ static int reject_unknown_hostname(SMTPD_STATE *state, char *name,
{
const char *myname = "reject_unknown_hostname";
int dns_status;
DNS_RR *dummy;
if (msg_verbose)
msg_info("%s: %s", myname, name);
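Review bot: `DNS_RR *dummy;` is left uninitialized, and the later `if (dummy) dns_rr_free(dummy);` relies on dns_lookup_l() storing into *rrlist on every return path, including early DNS_RETRY/DNS_INVAL returns and the case where no query is attempted. Unless the dns_lookup_l() contract guarantees that, declare it as `DNS_RR *dummy = 0;` so that a stack-garbage pointer can never reach dns_rr_free().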
@ -1152,15 +1153,20 @@ static int reject_unknown_hostname(SMTPD_STATE *state, char *name,
#define RR_ADDR_TYPES T_A
#endif
dns_status = dns_lookup_l(name, 0, (DNS_RR **) 0, (VSTRING *) 0,
dns_status = dns_lookup_l(name, 0, &dummy, (VSTRING *) 0,
(VSTRING *) 0, DNS_REQ_FLAG_STOP_OK,
RR_ADDR_TYPES, T_MX, 0);
if (dummy)
dns_rr_free(dummy);
if (dns_status != DNS_OK) { /* incl. DNS_INVAL */
if (dns_status != DNS_RETRY)
return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
var_unk_name_code, "4.7.1",
"<%s>: %s rejected: Host not found",
reply_name, reply_class));
"<%s>: %s rejected: %s",
reply_name, reply_class,
dns_status == DNS_INVAL ?
"Malformed DNS server reply" :
"Host not found"));
else
DEFER_IF_PERMIT2(state, MAIL_ERROR_POLICY,
450, "4.7.1",
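Review bot: the `&dummy` argument exists only to make dns_lookup_l() run the valid_hostname() check (see the dns.h note in this commit), and the records are discarded on the next line; a comment at the call site, e.g. `/* Request the RR list so that dns_lookup_l() applies the syntax check. */`, would stop a later cleanup from "optimising" it back to a null pointer and reintroducing the bug. DNS_INVAL also reaches the reject branch for the first time here (the existing `/* incl. DNS_INVAL */` comment was not true while the list argument was null), so the request flags deserve a second look: this function passes DNS_REQ_FLAG_STOP_OK only, whereas reject_unknown_mailhost() below also passes DNS_REQ_FLAG_STOP_INVAL; if that asymmetry is intended, say why in a comment.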
@ -1177,23 +1183,29 @@ static int reject_unknown_mailhost(SMTPD_STATE *state, const char *name,
{
const char *myname = "reject_unknown_mailhost";
int dns_status;
DNS_RR *dummy;
if (msg_verbose)
msg_info("%s: %s", myname, name);
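Review bot: same initialization concern as in reject_unknown_hostname(): `DNS_RR *dummy;` should start as a null pointer unless dns_lookup_l() is guaranteed to set it before every return.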
#define MAILHOST_LOOKUP_FLAGS (DNS_REQ_FLAG_STOP_OK | DNS_REQ_FLAG_STOP_INVAL)
dns_status = dns_lookup_l(name, 0, (DNS_RR **) 0, (VSTRING *) 0,
dns_status = dns_lookup_l(name, 0, &dummy, (VSTRING *) 0,
(VSTRING *) 0, MAILHOST_LOOKUP_FLAGS,
T_MX, RR_ADDR_TYPES, 0);
if (dummy)
dns_rr_free(dummy);
if (dns_status != DNS_OK) { /* incl. DNS_INVAL */
if (dns_status != DNS_RETRY)
return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
var_unk_addr_code,
strcmp(reply_class, SMTPD_NAME_SENDER) == 0 ?
"4.1.8" : "4.1.2",
"<%s>: %s rejected: Domain not found",
reply_name, reply_class));
"<%s>: %s rejected: %s",
reply_name, reply_class,
dns_status == DNS_INVAL ?
"Malformed DNS server reply" :
"Domain not found"));
else
DEFER_IF_PERMIT2(state, MAIL_ERROR_POLICY,
450, strcmp(reply_class, SMTPD_NAME_SENDER) == 0 ?
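Review bot: the selection `dns_status == DNS_INVAL ? "Malformed DNS server reply" : "Domain not found"` duplicates the block in reject_unknown_hostname() with only the fallback string differing; a shared `#define` for the DNS_INVAL text, or a small helper returning the message, would keep the two in step when the wording changes. Note also that DNS_INVAL is now reported under the same var_unk_addr_code and enhanced status (4.1.8 / 4.1.2) as a genuine "not found" result; a syntactically invalid MX name is a remote DNS data problem rather than a missing domain, so confirm that sharing the configurable (by default temporary) reject code is the intended policy, and that "Malformed DNS server reply" will not be misread by postmasters as a local resolver failure.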