diff --git a/postfix/AAAREADME b/postfix/AAAREADME index 5340587de..d68a0f16d 100644 --- a/postfix/AAAREADME +++ b/postfix/AAAREADME @@ -47,7 +47,6 @@ Web sites: Mail addresses (PLEASE send questions to the mailing list) postfix-users@postfix.org Postfix users mailing list - wietse@porcupine.org the original author In order to subscribe to the mailing list, see http://www.postfix.org/. @@ -162,8 +161,9 @@ Miscellaneous: auxiliary/ Auxiliary software etc. bin/ Postfix command executables conf/ Configuration files, run-time scripts - include/ Installed include files - lib/ Installed object libraries + include/ Include files + implementation-notes/ Background information + lib/ Object libraries libexec/ Postfix daemon executables - mantools/ Manual page utilities + mantools/ Documentation utilities proto/ Documentation source diff --git a/postfix/COMPATIBILITY b/postfix/COMPATIBILITY index b48862241..d5da65235 100644 --- a/postfix/COMPATIBILITY +++ b/postfix/COMPATIBILITY @@ -8,12 +8,13 @@ address probing yes (optional persistent database) aliases yes (can enable/disable mail to /file or |command) bare newlines yes (but will send CRLF) blacklisting yes (client name/addr; helo hostname; mail from; rcpt to) -connection caching yes (SMTP shared cache; LMTP in-process cache) +connection caching yes (SMTP shared cache; LMTP shared cache) content filter yes (before and after queue, internal and external) db tables yes (compile time option) dbm tables yes (compile time option) delivered-to yes (configurable with prepend_delivered_header) -dsn almost (supports enhanced status codes and DSN format bounces) +dsn yes +enhanced status codes yes errors-to: no (removed with Postfix 2.2) esmtp yes etrn support yes (per-destination log for authorized destinations only) 
@@ -23,9 +24,9 @@ genericstable yes (Postfix 2.2 generic(5) table) greylist yes (delegated policy script) home mailbox yes ident lookup no -ipv6 yes (compatibility for ipv4-only kernels/libraries) +ipv6 yes (compatibility for ipv4-only systems) ldap tables yes (contributed) -lmtp support yes (client) +lmtp support yes (client only) luser relay yes m4 config no mail to command yes (configurable for .forward, aliases, :include:) @@ -34,6 +35,7 @@ maildir yes (in home, system mailspool, /file/name/ alias) mailertable yes (it's called transport) mailq yes majordomo yes (edit approve script to delete /^delivered-to:/i) +milter yes (except body replacement) mime yes (including 8bit to quoted-printable conversion) mysql tables yes (contributed) netinfo tables yes (contributed) @@ -42,11 +44,11 @@ nis tables yes nis+ tables yes (contributed) no <> in smtp yes (most common address forms) pgsql tables yes (contributed) -pipeline option yes (server and client) -pop/imap yes (with third-party daemons that use mailbox or maildir) +pipeline option yes (SMTP server and client; LMTP client) +pop/imap no qmqp server yes (with verp support) rbl support yes -return-receipt: no +return-receipt: no (use DSN NOTIFY=SUCCESS) rhsbl support yes sasl support yes (compile time option) sendmail -bt no diff --git a/postfix/HISTORY b/postfix/HISTORY index fa1335af3..4fbba6adc 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY 
@@ -12461,6 +12461,24 @@ Apologies for any names omitted. Cleanup: comments, error messages, and crumbling interfaces. +20060707 + + Workaround: apparently, Solaris gettimeofday() can return + out-of range microsecond values. File: src/global/log_adhoc.c. + + Robustness: the SMTPD policy client now encodes the + ccert_subject and ccert-issuer attributes as xtext. Some + characters are replaced by +XX, where XX is the two-digit + hexadecimal code for the character value. File: + smtpd/smtpd_check.c. + + Safety: the SMTP/LMTP client now defers delivery when a + SASL password exists but the server does not offer SASL + authentication. Mail could be rejected otherwise. This + may become an issue now that Postfix retries delivery in + plaintext after an opportunistic TLS handshake fails. Specify + "smtp_sasl_auth_enforce = no" to deliver mail anyway. + Wish list: The usage of TLScontext->cache_type is unclear. It specifies 
@@ -12474,37 +12492,27 @@ Wish list: around as pointers. TLScontext->cache_type is a case in point. - In the SMTPD policy client (encode or strip) non-printable - non-ASCII in (TLS or all) attributes. - Are transport:nexthop null fields the same as in the case of default_transport etc. parameters? Introduce structured API for tls_server_mumble() just like with smtp(8): this eliminates ever-growing lists of arguments. - Defer delivery when a SASL password exists but the server - does not offer SASL authentication, as mail might otherwise - be bounced. This may become an issue now that Postfix will - retry in plaintext after optional TLS fails. Make this - configurable so people can get the old behavior. - Don't lose bits when converting st_dev into maildir file name. It's 64 bits on Linux. Found with the BEAM source - code analyzer. + code analyzer. Is this really a problem, or are they just + using 64 bits for upwards compatibility with LP64 systems? Do or don't introduce unknown_reverse_client_reject_code. - mail_addr/rcpt_addr should be externalized as they are in - Sendmail. Likewise, addresses in add/delete requests should - be internalized before updating the queue file. + In Milter events, mail_addr/rcpt_addr should be externalized + as they are in Sendmail. Likewise, addresses in add/delete + requests should be internalized before updating the queue + file. Check that "UINT32 == unsigned int" choice is ok (i.e. LP64 UNIX). - Fix milter_argv() so it does not forget how much memory it - has. - Tempfail when a Milter application wants content access, while it is configured in an SMTP server that runs before the smtpd_proxy filter. 
@@ -12531,8 +12539,8 @@ Wish list: Eliminate the (incoming,deferred)->active rename operation. Softbounce fallback-to-ISP for SOHO users. This requires - playing with with the soft_error test in the smtp_trouble.c - module, and a way to avoid trying direct-to-backup-MX. + playing with the soft_error test in the smtp_trouble.c + module, and avoiding delivery to backup MX hosts. select -> kqueue, epoll, /dev/poll, poll() ... diff --git a/postfix/README_FILES/SMTPD_POLICY_README b/postfix/README_FILES/SMTPD_POLICY_README index efa61a323..6ce119b84 100644 --- a/postfix/README_FILES/SMTPD_POLICY_README +++ b/postfix/README_FILES/SMTPD_POLICY_README @@ -58,7 +58,7 @@ a delegated SMTPD access policy request: sasl_sender= size=12345 ccert_subject=solaris9.porcupine.org - ccert_issuer=Wietse Venema + ccert_issuer=Wietse+20Venema ccert_fingerprint=C2:9D:F4:87:71:73:73:D9:18:E7:C2:F3:C1:DA:6E:04 PPoossttffiixx vveerrssiioonn 22..33 aanndd llaatteerr:: encryption_protocol=TLSv1/SSLv3 @@ -114,7 +114,9 @@ Notes: * The "ccert_*" attributes (Postfix 2.2 and later) specify information about how the client was authenticated via TLS. These attributes are empty in - case of no certificate authentication. + case of no certificate authentication. As of Postfix 2.2.11 these attribute + values are encoded as xtext: some characters are represented by +XX, where + XX is the two-digit hecadecimal representation of the character value. * The "encryption_*" attributes (Postfix 2.3 and later) specify information about how the connection is encrypted. With plaintext connections the diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 71e9c76a7..f40a26037 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -11,20 +11,19 @@ instead, a new snapshot is released. The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release. -Major changes - critical ------------------------- +Critical notes +-------------- See RELEASE_NOTES_2.2 if you upgrade from Postfix 2.1 or earlier. -Postfix internal protocols have has changed. You need to "postfix +Some Postfix internal protocols have changed. You need to "postfix reload" or restart Postfix, otherwise many servers will log warning messages with "unexpected attribute" or "problem talking to service rewrite: Unknown error: 0", and mail will not be delivered. -[Incompat 20060515] Milter support introduces a three new queue -file record types. Queue files created with this Postfix version -will be understood by older Postfix versions ONLY if Milter support -is turned off, which is the default. +The Sendmail-compatible Milter support introduces three new queue +file record types. As long as you leave this feature turned off, +you can still go back to Postfix version 2.2 without losing mail. Major changes - DNS lookups --------------------------- 
@@ -41,19 +40,11 @@ Major changes - DSN This gives senders control over successful and failed delivery notifications. DSN involves extra parameters to the SMTP MAIL FROM and RCPT TO commands, as well as extra Postfix sendmail command -line options that provide a sub-set of the functions of those extra -SMTP command parameters. +line options for mail submission. See DSN_README for details. Some implementation notes are in implementation-notes/DSN. -[Incompat 20050828] When the cleanup server rejects the content or -size of mail that was submitted with the Postfix sendmail command, -forwarded with the local(8) delivery agent, or that was re-queued -with "postsuper -r", Postfix no longer sends DSN SUCCESS notification -of virtual alias expansions. Since all the recipients are reported -as failed, the SUCCESS notification seems redundant. - [Incompat 20050615] The new DSN support conflicts with VERP support. For Sendmail compatibility, Postfix now uses the sendmail -V command line option for DSN. In order to request VERP style delivery, you 
@@ -61,16 +52,23 @@ must now specify -XV instead of -V. The Postfix sendmail command will recognize if you try to use -V for VERP-style delivery. It will do the right thing and will remind you of the new syntax. +[Incompat 20050828] When the cleanup server rejects the content or +size of mail that was submitted with the Postfix sendmail command, +that was forwarded with the local(8) delivery agent, or that was +re-queued with "postsuper -r", Postfix no longer sends DSN SUCCESS +notification after virtual alias expansions. Since all the recipients +are reported as failed, the SUCCESS notification seems redundant. + Major changes - LMTP client --------------------------- -[Feature 20051208] The SMTP client now implements the LMTP protocol. -Most but not all smtp_xxx parameters have an lmtp_xxx "ghost" -parameter. This means there are lot of new LMTP features, including -support for TLS and for the shared connection cache. +See the "SASL authentication" and "TLS" sections for changes related +to SASL authentication and TLS support, respectively. -[Feature 20060614] The unified SMTP/LMTP client now has complete -sets of configuration parameters for each protocol. +[Feature 20051208] The SMTP client now implements the LMTP protocol. +Most but not all smtp_xxx parameters now have an lmtp_xxx equivalent. +This means there are lot of new LMTP features, including support +for TLS and for the shared connection cache. [Incompat 20051208] The LMTP client now reports the server as "myhostname[/path/name]". With the real server hostname in delivery 
@@ -81,19 +79,18 @@ Major changes - Milter support [Feature 20060515] Milter (mail filter) application support, compatible with Sendmail version 8.13.6 and earlier. This allows -you to run a large number of plug-ins to reject unwanted mail and -to sign mail with, for example, domain keys. All Milter functions -are implemented except replacing the message body, which will be -added later. Milters are before-queue filters, so they don't change -the queue ID. +you to run a large number of plug-ins to reject unwanted mail, and +to sign mail with for example domain keys. All Milter functions are +implemented except replacing the message body, which will be added +later. Milters are before-queue filters, so they don't change the +queue ID. See the MILTER_README document for a discussion of how to use Milter -support with Postfix. +support with Postfix, and limitations of the current implementation. -[Incompat 20060515] Milter support introduces a three new queue -file record types. Queue files created with this Postfix version -will be understood by older Postfix versions ONLY if Milter support -is turned off, which is the default. +[Incompat 20060515] Milter support introduces three new queue file +record types. As long as you leave this feature turned off, you can +still go back to Postfix version 2.2 without losing mail. [Incompat 20060515] Milter support introduces new logfile event types: milter-reject, milter-discard and milter-hold, that identify 
@@ -103,8 +100,15 @@ software. Major changes - SASL authentication ----------------------------------- +[Incompat 20060707] The SMTP/LMTP client now defers delivery when +a SASL password exists but the server does not offer SASL authentication. +Otherwise, the server could reject the mail. This may become an +issue now that Postfix retries delivery in plaintext after an +opportunistic TLS handshake fails. Specify "smtp_sasl_auth_enforce += no" to deliver mail anyway. + [Feature 20051220] Plug-in support for SASL authentication in the -SMTP server and in the SMTP+LMTP client. With this, Postfix can +SMTP server and in the SMTP/LMTP client. With this, Postfix can support multiple SASL implementations without source code patches. Some distributors may even make SASL support a run-time linking option, just like they already do with Postfix lookup tables. @@ -117,7 +121,7 @@ are slightly different, but these are generally improvements. The "postconf -a" command shows what plug-in implementations are available for the SMTP server, and "postconf -A" does the same for -the SMTP+LMTP client. Plug-in implementations are selected with +the SMTP/LMTP client. Plug-in implementations are selected with the smtpd_sasl_type, smtp_sasl_type and lmtp_sasl_type configuration parameters. 
@@ -163,15 +167,13 @@ ISP accounts. Major changes - SMTP client --------------------------- -[Feature 20051208] The SMTP client now implements the LMTP protocol. -Most but not all smtp_xxx parameters have an lmtp_xxx "ghost" -parameter. This means there are lot of new LMTP features, including -support for TLS and for the shared connection cache. There are no -lmtp_xxx "ghost" parameters for the HELO or EHLO commands, because -those commands exist only in SMTP. +See the "SASL authentication" and "TLS" sections for changes related +to SASL authentication and TLS support, respectively. -[Feature 20060614] The unified SMTP/LMTP client now has complete -sets of configuration parameters for each protocol. +[Feature 20051208] The SMTP client now implements the LMTP protocol. +Most but not all smtp_xxx parameters now have an lmtp_xxx equivalent. +This means there are lot of new LMTP features, including support +for TLS and for the shared connection cache. [Incompat 20060112] The Postfix SMTP/LMTP client by default no longer allows DNS CNAME records to override the server hostname @@ -180,13 +182,13 @@ and TLS server certificate verification. Specify "smtp_cname_overrides_servername = yes" to get the old behavior. [Incompat 20060103] The Postfix SMTP/LMTP client no longer defers -mail when it receives a malformed SMTP server reply in a session -with command pipelining. When helpful warnings are enabled, it -will suggest that command pipelining be disabled for the affected +mail delivery when it receives a malformed SMTP server reply in a +session with command pipelining. When helpful warnings are enabled, +it will suggest that command pipelining be disabled for the affected destination. [Incompat 20051208] The fallback_relay feature is renamed to -smtp_fallback_relay, to make clear that the combined SMTP+LMTP +smtp_fallback_relay, to make clear that the combined SMTP/LMTP client uses this setting only for SMTP deliveries. The old name still works. 
@@ -274,29 +276,27 @@ this limit was disabled by default. The new limit prevents Postfix from spending lots of time trying to connect to lots of bogus MX servers. -[Incompat 20050622] The Postfix SMTP handling of [45]XX server -greetings was cleaned up. The server reply is now properly reported. - Major changes - SMTP server --------------------------- -[Incompat 20060207] The Postfix SMTP server no longer complains -when TLS support is not compiled in, but permit_tls_clientcerts, -permit_tls_all_clientcerts, or check_ccert_access are used. These -features now are effectively ignored. However, the -reject_plaintext_session feature is not ignored and will reject -mail. +See the "SASL authentication" and "TLS" sections for changes related +to SASL authentication and TLS support, respectively. -[Incompat 20051202] The Postfix SMTP daemon will not receive mail -from the network if it isn't running with postfix mail_owner +[Feature 20051222] You can now use "resolve_numeric_domain = yes" +to stop Postfix from rejecting user@ipaddress as an invalid +destination. It will deliver the mail to user@[ipaddress] instead. + +[Incompat 20051202] The Postfix SMTP server now refuses to receive +mail from the network if it isn't running with postfix mail_owner privileges. This prevents surprises when, for example, "sendmail -bs" is configured to run as root from xinetd. -[Incompat 20051121] The permit_mx_backup feature still accepts mail -for authorized destinations (see permit_mx_backup for definition), -but with other destinations it requires that the local MTA is listed -as non-primary MX. This prevents mail loop problems when someone -points the primary MX record at Postfix. +[Incompat 20051121] Although the permit_mx_backup feature still +accepts mail for authorized destinations (see permit_mx_backup for +definition), with all other destinations it now requires that the +local MTA is listed as non-primary MX. 
This prevents mail loop +problems when someone points the primary MX record at a Postfix +system. [Feature 20051011] Optional protection against SMTP clients that hammer the server with too many new (i.e. uncached) SMTP-over-TLS @@ -339,8 +339,8 @@ parameters. The old parameters are still supported but will be removed in a future Postfix release. [Feature 20060614] New smtpd_tls_protocols parameter complements -the smtp_tls_mandatory_protocols parameter, only recommended for -MSA configurations, not MX hosts. +the smtp_tls_mandatory_protocols parameter. This recommended for +MSA configurations, not for MX for hosts that face the Internet. [Feature 20060626] Both the SMTP client and server can be configured without a client or server certificate. An SMTP server without @@ -356,11 +356,15 @@ is required (notably Postfix 2.3 in "opportunistic" mode) and the administrator has not excluded the "aNULL" OpenSSL cipher type with smtp_tls_exclude_ciphers. -[Feature 20060626] You can specify cipher grades with the -smtp_tls_mandatory_ciphers, lmtp_tls_mandatory_ciphers and -smtpd_tls_ciphers parameters. Specify -one of "high", "medium", "low", "export" or "null". See TLS_README -for details. +[Feature 20060626] You can specify cipher grades (instead of cipher +names) with the smtp_tls_mandatory_ciphers, lmtp_tls_mandatory_ciphers +and smtpd_tls_ciphers parameters. Specify one of "high", "medium", +"low", "export" or "null". See TLS_README for details. + +[Incompat 20060707] The SMTPD policy client now encodes the +ccert_subject and ccert_issuer attributes as xtext. Some characters +are represented by +XX, where XX is the two-digit hexadecimal +representation of the character value. [Incompat 20060614] The smtp_sasl_tls_verified_security_options feature is not yet complete, and will therefore not appear in the 
@@ -378,9 +382,9 @@ now also logs TLS session cache activity. Use level 2 and higher for debugging only, use levels 0 or 1 as production settings. [Incompat 20060207] The Postfix SMTP server no longer complains -when TLS support is not compiled in, but permit_tls_clientcerts, -permit_tls_all_clientcerts, or check_ccert_access are used. These -features now are effectively ignored. However, the +when TLS support is not compiled in while permit_tls_clientcerts, +permit_tls_all_clientcerts, or check_ccert_access are specified in +main.cf. These features now are effectively ignored. However, the reject_plaintext_session feature is not ignored and will reject mail. @@ -388,7 +392,8 @@ mail. smtp_tls_per_site feature, without changes to the user interface. Some Postfix internals had to be re-structured in preparation for a more general TLS policy mechanism; this required that smtp_tls_per_site -be re-implemented from scratch. +be re-implemented from scratch. The obscure behavior was found +during compatibility testing. [Feature 20051011] Optional protection against SMTP clients that hammer the server with too many new (i.e. uncached) SMTP-over-TLS 
@@ -412,13 +417,14 @@ Major changes - XCLIENT and XFORWARD [Incompat 20060611] The SMTP server XCLIENT implementation has changed. The SMTP server now resets state to the initial server -greeting stage, so that it can accurately simulate the effect of -connection-level access restrictions. Without this change, XCLIENT -will not work at all with Milter applications. +greeting stage, immediately before the EHLO/HELO greeting. This +was needed to correctly simulate the effect of connection-level +access restrictions. Without this change, XCLIENT would not work +with Milter applications. [Incompat 20060611] The SMTP server XCLIENT and XFORWARD commands now expect that attributes are xtext encoded (RFC 1891). For backwards -compatibility they will accept unencoded attribute values. The +compatibility they will also accept unencoded attribute values. The XFORWARD client code in the SMTP client and in the SMTPD_PROXY client will always encode attribute values. This change will have effect only for malformed hostname and helo parameter values. @@ -426,8 +432,8 @@ effect only for malformed hostname and helo parameter values. For more details, see the XCLIENT_README and XFORWARD_README documents. -Major changes - address rewriting ---------------------------------- +Major changes - address manipulation +------------------------------------ [Incompat 20060123] Postfix now preserves uppercase information while mapping addresses with canonical, virtual, relocated or generic 
@@ -435,6 +441,10 @@ maps; this happens even with $number substitutions in regular expression maps. However, the local(8) and virtual(8) delivery agents still fold addresses to lower case. +As a side effect, Postfix now also does a better job at being case +insensitive where it should be, for example while searching per-host +TLS policies or SASL passwords. + By default, Postfix now folds the search string to lowercase only with tables that have fixed-case lookup fields such as btree:, hash:, dbm:, ldap:, or *sql:. The search string is no longer case @@ -444,13 +454,6 @@ case, such as regexp:, pcre:, or cidr:. For safety reasons, Postfix no longer allows $number substitution in regexp: or pcre: transport tables or per-sender relayhost tables. -[Feature 20060123] Postfix now does a better job at preserving -upper/lower case information while transforming addresses. The -table lookup code was revised, and is now more careful about when -it folds search strings to lower case. As a side effect, Postfix -now also does a better job at being case insensitive where it should, -for example while searching per-host TLS policies or SASL passwords. - Major changes - bounce message templates ---------------------------------------- @@ -481,13 +484,6 @@ this: The $mail_name program EOF -Major changes - broken SMTP clients ------------------------------------ - -[Feature 20051222] You can now use "resolve_numeric_domain = yes" -to stop Postfix from rejecting user@ipaddress as an invalid -destination. It will deliver the mail to user@[ipaddress] instead. - Major changes - built-in filters -------------------------------- 
@@ -503,55 +499,6 @@ command (or re-queued with "postsuper -r"), the returned message is now limited to just the message headers, to avoid the risk of exposure to harmful content in the message body or attachments. -Major changes - connection caching ----------------------------------- - -[Incompat 20051026] The smtp_connection_cache_reuse_limit parameter -(which limits the number of deliveries per SMTP connection) is -replaced by the new smtp_connection_reuse_time_limit parameter (the -time after which a connection is no longer stored into the connection -cache). - -[Feature 20051026] This snapshot addresses a performance stability -problem with remote SMTP servers. The problem is not specific to -Postfix: it can happen when any MTA sends large amounts of SMTP -email to a site that has multiple MX hosts. The insight that led -to the solution, as well as an initial implementation, are due to -Victor Duchovni. - -The problem starts when one of a set of MX hosts becomes slower -than the rest. Even though SMTP clients connect to fast and slow -MX hosts with equal probability, the slow MX host ends up with more -simultaneous inbound connections than the faster MX hosts, because -the slow MX host needs more time to serve each client request. - -The slow MX host becomes a connection attractor. If one MX host -becomes N times slower than the rest, it dominates mail delivery -latency unless there are more than N fast MX hosts to counter the -effect. And if the number of MX hosts is smaller than N, the mail -delivery latency becomes effectively that of the slowest MX host -divided by the total number of MX hosts. - -The solution uses connection caching in a way that differs from -Postfix 2.2. 
By limiting the amount of time during which a connection -can be used repeatedly (instead of limiting the number of deliveries -over that connection), Postfix not only restores fairness in the -distribution of simultaneous connections across a set of MX hosts, -it also favors deliveries over connections that perform well, which -is exactly what we want. - -The smtp_connection_reuse_time_limit feature implements the connection -reuse time limit as discussed above. It limits the amount of time -after which an SMTP connection is no longer stored into the connection -cache. The default limit, 300s, can result in a huge number of -deliveries over a single connection. - -This solution will be complete when Postfix logging is updated to -include information about the number of times that a connection was -used. This information is needed to diagnose inter-operability -problems with servers that exhibit bugs when they receive multiple -messages over the same connection. - Major changes - database support -------------------------------- 
@@ -639,18 +586,17 @@ software. [Incompat 20051106] The relay=... logging has changed and now includes the remote SMTP server port number as hostname[hostaddr]:port. +[Incompat 20060112] The Postfix SMTP/LMTP client by default no +longer allows DNS CNAME records to override the server hostname +that is used for logging, SASL password lookup, TLS policy selection +and TLS server certificate verification. Specify +"smtp_cname_overrides_servername = yes" to get the old behavior. + [Incompat 20051105] All delay logging now has sub-second resolution, including the over-all "delay=nnn" logging. A patch is available for pflogsumm (pflogsumm-conn-delays-dsn-patch). The qshape script has been updated (auxiliary/qshape/qshape.pl). -At this point the Postfix logging for a recipient looks like this: - - Nov 3 16:04:31 myname postfix/smtp[30840]: 19B6B2900FE: - to=, orig_to=, - relay=mail.example.com[1.2.3.4], conn_use=2, delay=0.22, - delays=0.04/0.01/0.05/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok) - [Feature 20051103] This release makes a beginning with a series of new attributes in Postfix logfile records. @@ -664,8 +610,9 @@ new attributes in Postfix logfile records. - Logging of the connection reuse count when SMTP connections are used for more than one message delivery. This information is needed because Postfix can now reuse connections hundreds of times - or more, and can help to diagnose inter-operability problems with - servers that suffer from memory leaks or other resource leaks. + or more. Logging of the connection reuse count can help to diagnose + inter-operability problems with servers that suffer from memory + leaks or other resource leaks. At this point the Postfix logging for a recipient looks like this: 
@@ -696,6 +643,12 @@ where y and z can be up to three digits each. Major changes - performance --------------------------- +[Incompat 20050622] The Postfix SMTP client by default limits the +number of MX server addresses to smtp_mx_address_limit=5. Previously +this limit was disabled by default. The new limit prevents Postfix +from spending lots of time trying to connect to lots of bogus MX +servers. + [Feature 20051026] This snapshot addresses a performance stability problem with remote SMTP servers. The problem is not specific to Postfix: it can happen when any MTA sends large amounts of SMTP 
@@ -752,42 +705,41 @@ Major changes - portability --------------------------- [Incompat 20050716] Internal interfaces have changed; this may break -third-party patches because the text of function argument and result -type definitions has changed. The type of buffer lengths and offsets -were changed from "(unsigned) int" (32 bit on 32-bit and LP64 -systems) to "(s)size_t" (64 bit on LP64 systems, 32 bit on 32-bit -systems). +third-party patches because the types of function arguments and of +result values have changed. The types of buffer lengths and offsets +were changed from "int" or "unsigned int" (32 bit on 32-bit and +LP64 systems) to "ssize_t" or "size_t" (64 bit on LP64 systems, 32 +bit on 32-bit systems). -Otherwise, this change makes no difference on 32-bit systems. On -LP64 systems, however, software may mis-behave 1) when Postfix is +This change makes no difference in Postfix behavior on 32-bit +systems. On LP64 systems, however, this change not only eliminates +some obscure portability bugs, it also eliminates unnecessary +conversions between 32/64 bit integer types, because many system +library routines take "(s)size_t" arguments or return "(s)size_t" +values. + +This change may break software on LP64 systems 1) when Postfix is linked with pre-compiled code that was compiled with old Postfix interface definitions and 2) when compiling Postfix source that was -modified by a third-party patch: incorrect code may be generated +modified by a third-party patch: incorrect code will be generated when the patch passes the wrong integer argument type in contexts that disable automatic argument type conversions. Examples of such contexts are formatting with printf-like arguments, and invoking functions that write Postfix request or reply attributes across inter-process communication channels. 
Unfortunately, gcc does not report "(unsigned) int" versus "(s)size_t" format string argument -mis-matches on 32-bit systems; they can be found only on 64-bit +mis-matches on 32-bit systems; it reports them only on 64-bit systems. -[Feature 20050716] Improved portability to LP64 systems, by converting -the type of buffer lengths and offsets from "(unsigned) int" to -"(s)size_t". This change has zero effect on 32-bit systems. On -LP64 platforms, however, this change not only eliminates some obscure -portability bugs, it also eliminates unnecessary conversions between -32/64 bit integer types, because many system library routines take -"(s)size_t" arguments or return "(s)size_t" values. - Major changes - safety ---------------------- -[Incompat 20051121] The permit_mx_backup feature still accepts mail -for authorized destinations (see permit_mx_backup for definition), -but with other destinations it requires that the local MTA is listed -as non-primary MX. This prevents mail loop problems when someone -points the primary MX record at Postfix. +[Incompat 20051121] Although the permit_mx_backup feature still +accepts mail for authorized destinations (see permit_mx_backup for +definition), with all other destinations it now requires that the +local MTA is listed as non-primary MX. This prevents mail loop +problems when someone points the primary MX record at a Postfix +system. [Incompat 20051011] The Postfix local(8) delivery agent no longer updates its idea of the Delivered-To: address while it expands 
@@ -808,8 +760,17 @@ command (or re-queued with "postsuper -r"), the returned message is now limited to just the message headers, to avoid the risk of exposure to harmful content in the message body or attachments. -[Incompat 20051202] The Postfix SMTP daemon will not receive mail -from the network if it isn't running with postfix mail_owner +[Incompat 20051202] The Postfix SMTP server now refuses to receive +mail from the network if it isn't running with postfix mail_owner privileges. This prevents surprises when, for example, "sendmail -bs" is configured to run as root from xinetd. +[Incompat 20060123] For safety reasons, Postfix no longer allows +$number substitution in regexp: or pcre: transport tables or +per-sender relayhost tables. + +[Incompat 20060112] The Postfix SMTP/LMTP client by default no +longer allows DNS CNAME records to override the server hostname +that is used for logging, SASL password lookup, TLS policy selection +and TLS server certificate verification. Specify +"smtp_cname_overrides_servername = yes" to get the old behavior. diff --git a/postfix/html/SMTPD_POLICY_README.html b/postfix/html/SMTPD_POLICY_README.html index d1b0c73f9..76f4cd8e6 100644 --- a/postfix/html/SMTPD_POLICY_README.html +++ b/postfix/html/SMTPD_POLICY_README.html @@ -90,7 +90,7 @@ sasl_username=you sasl_sender= size=12345 ccert_subject=solaris9.porcupine.org -ccert_issuer=Wietse Venema +ccert_issuer=Wietse+20Venema ccert_fingerprint=C2:9D:F4:87:71:73:73:D9:18:E7:C2:F3:C1:DA:6E:04 Postfix version 2.3 and later: encryption_protocol=TLSv1/SSLv3 @@ -161,6 +161,9 @@ etrn_domain=
  • The "ccert_*" attributes (Postfix 2.2 and later) specify information about how the client was authenticated via TLS. These attributes are empty in case of no certificate authentication. + As of Postfix 2.2.11 these attribute values are encoded as + xtext: some characters are represented by +XX, where XX is the + two-digit hecadecimal representation of the character value.

  • The "encryption_*" attributes (Postfix 2.3 and later) diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index adfe89dd6..5e47f0555 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -3528,6 +3528,17 @@ Enable SASL authentication in the Postfix LMTP client.

    + + +
    lmtp_sasl_auth_enforce +(default: yes)
    + +

    The LMTP-specific version of the smtp_sasl_auth_enforce +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +
    lmtp_sasl_mechanism_filter @@ -7550,6 +7561,18 @@ Example: + + +
    smtp_sasl_auth_enforce +(default: yes)
    + +

    Defer mail delivery when an SMTP server does not support SASL +authentication, while smtp_sasl_password_maps contains SASL +login/password information for that server.

    + +

    This feature is available in Postfix 2.3 and later.

    + +
    smtp_sasl_mechanism_filter diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index f4ce54915..dd82883d2 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html 
@@ -293,60 +293,66 @@ SMTP(8) SMTP(8) Available in Postfix version 2.3 and later: + smtp_sasl_auth_enforce (yes) + Defer mail delivery when an SMTP server does not + support SASL authentication, while smtp_sasl_pass- + word_maps contains SASL login/password information + for that server. + smtp_sender_dependent_authentication (no) - Enable sender-dependent authentication in the SMTP - client; this is available only with SASL authenti- - cation, and disables SMTP connection caching to - ensure that mail from different senders will use + Enable sender-dependent authentication in the SMTP + client; this is available only with SASL authenti- + cation, and disables SMTP connection caching to + ensure that mail from different senders will use the appropriate credentials. smtp_sasl_path (empty) - Implementation-specific information that is passed - through to the SASL plug-in implementation that is + Implementation-specific information that is passed + through to the SASL plug-in implementation that is selected with smtp_sasl_type. smtp_sasl_type (cyrus) - The SASL plug-in type that the Postfix SMTP client + The SASL plug-in type that the Postfix SMTP client should use for authentication. STARTTLS SUPPORT CONTROLS - Detailed information about STARTTLS configuration may be + Detailed information about STARTTLS configuration may be found in the TLS_README document. smtp_tls_security_level (empty) - The default SMTP TLS security level for all desti- - nations; when a non-empty value is specified, this + The default SMTP TLS security level for all desti- + nations; when a non-empty value is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. smtp_sasl_tls_security_options ($smtp_sasl_secu- rity_options) - The SASL authentication security options that the - Postfix SMTP client uses for TLS encrypted SMTP + The SASL authentication security options that the + Postfix SMTP client uses for TLS encrypted SMTP sessions. 
smtp_starttls_timeout (300s) - Time limit for Postfix SMTP client write and read - operations during TLS startup and shutdown hand- + Time limit for Postfix SMTP client write and read + operations during TLS startup and shutdown hand- shake procedures. smtp_tls_CAfile (empty) - The file with the certificate of the certification - authority (CA) that issued the Postfix SMTP client + The file with the certificate of the certification + authority (CA) that issued the Postfix SMTP client certificate. smtp_tls_CApath (empty) - Directory with PEM format certificate authority - certificates that the Postfix SMTP client uses to + Directory with PEM format certificate authority + certificates that the Postfix SMTP client uses to verify a remote SMTP server certificate. smtp_tls_cert_file (empty) - File with the Postfix SMTP client RSA certificate + File with the Postfix SMTP client RSA certificate in PEM format. smtp_tls_mandatory_ciphers (medium) - The minimum SMTP client TLS cipher grade that is - strong enough to be used with the "encrypt" secu- + The minimum SMTP client TLS cipher grade that is + strong enough to be used with the "encrypt" secu- rity level and higher. smtp_tls_exclude_ciphers (empty) 
@@ -355,43 +361,43 @@ SMTP(8) SMTP(8) smtp_tls_mandatory_exclude_ciphers (empty) List of ciphers or cipher types to exclude from the - SMTP client cipher list at the mandatory TLS secu- + SMTP client cipher list at the mandatory TLS secu- rity levels: "encrypt", "verify" and "secure". smtp_tls_dcert_file (empty) - File with the Postfix SMTP client DSA certificate + File with the Postfix SMTP client DSA certificate in PEM format. smtp_tls_dkey_file ($smtp_tls_dcert_file) - File with the Postfix SMTP client DSA private key + File with the Postfix SMTP client DSA private key in PEM format. smtp_tls_key_file ($smtp_tls_cert_file) - File with the Postfix SMTP client RSA private key + File with the Postfix SMTP client RSA private key in PEM format. smtp_tls_loglevel (0) - Enable additional Postfix SMTP client logging of + Enable additional Postfix SMTP client logging of TLS activity. smtp_tls_note_starttls_offer (no) - Log the hostname of a remote SMTP server that - offers STARTTLS, when TLS is not already enabled + Log the hostname of a remote SMTP server that + offers STARTTLS, when TLS is not already enabled for that server. smtp_tls_policy_maps (empty) Optional lookup tables with the Postfix SMTP client TLS security policy by next-hop destination; when a - non-empty value is specified, this overrides the + non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter. smtp_tls_mandatory_protocols (SSLv3, TLSv1) - List of TLS protocol versions that are secure + List of TLS protocol versions that are secure enough to be used with the "encrypt" security level and higher. smtp_tls_scert_verifydepth (5) - The verification depth for remote SMTP server cer- + The verification depth for remote SMTP server cer- tificates. smtp_tls_secure_cert_match (nexthop, dot-nexthop) 
@@ -399,7 +405,7 @@ SMTP(8) SMTP(8) for the "secure" TLS security level. smtp_tls_session_cache_database (empty) - Name of the file containing the optional Postfix + Name of the file containing the optional Postfix SMTP client TLS session cache. smtp_tls_session_cache_timeout (3600s) @@ -411,9 +417,9 @@ SMTP(8) SMTP(8) for the "verify" TLS security level. tls_daemon_random_bytes (32) - The number of pseudo-random bytes that an smtp(8) - or smtpd(8) process requests from the tlsmgr(8) - server in order to seed its internal pseudo random + The number of pseudo-random bytes that an smtp(8) + or smtpd(8) process requests from the tlsmgr(8) + server in order to seed its internal pseudo random number generator (PRNG). tls_high_cipherlist @@ -425,7 +431,7 @@ SMTP(8) SMTP(8) ciphers. tls_low_cipherlist (!EXPORT:ALL:+RC4:@STRENGTH) - The OpenSSL cipherlist for "LOW" or higher grade + The OpenSSL cipherlist for "LOW" or higher grade ciphers. tls_export_cipherlist (ALL:+RC4:@STRENGTH) 
@@ -433,66 +439,66 @@ SMTP(8) SMTP(8) ciphers. tls_null_cipherlist (!aNULL:eNULL+kRSA) - The OpenSSL cipherlist for "NULL" grade ciphers + The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption. Available in Postfix version 2.4 and later: smtp_sasl_tls_verified_security_options ($smtp_sasl_tls_security_options) - The SASL authentication security options that the - Postfix SMTP client uses for TLS encrypted SMTP + The SASL authentication security options that the + Postfix SMTP client uses for TLS encrypted SMTP sessions with a verified server certificate. OBSOLETE STARTTLS CONTROLS - The following configuration parameters exist for compati- + The following configuration parameters exist for compati- bility with Postfix versions before 2.3. Support for these will be removed in a future release. smtp_use_tls (no) - Opportunistic mode: use TLS when a remote SMTP - server announces STARTTLS support, otherwise send + Opportunistic mode: use TLS when a remote SMTP + server announces STARTTLS support, otherwise send the mail in the clear. smtp_enforce_tls (no) - Enforcement mode: require that remote SMTP servers - use TLS encryption, and never send mail in the + Enforcement mode: require that remote SMTP servers + use TLS encryption, and never send mail in the clear. smtp_tls_enforce_peername (yes) - When TLS encryption is enforced, require that the + When TLS encryption is enforced, require that the remote SMTP server hostname matches the information in the remote SMTP server certificate. smtp_tls_per_site (empty) Optional lookup tables with the Postfix SMTP client - TLS usage policy by next-hop destination and by + TLS usage policy by next-hop destination and by remote SMTP server hostname. 
RESOURCE AND RATE CONTROLS smtp_destination_concurrency_limit ($default_destina- tion_concurrency_limit) - The maximal number of parallel deliveries to the - same destination via the smtp message delivery + The maximal number of parallel deliveries to the + same destination via the smtp message delivery transport. smtp_destination_recipient_limit ($default_destina- tion_recipient_limit) - The maximal number of recipients per delivery via + The maximal number of recipients per delivery via the smtp message delivery transport. smtp_connect_timeout (30s) - The SMTP client time limit for completing a TCP + The SMTP client time limit for completing a TCP connection, or zero (use the operating system built-in time limit). smtp_helo_timeout (300s) - The SMTP client time limit for sending the HELO or - EHLO command, and for receiving the initial server + The SMTP client time limit for sending the HELO or + EHLO command, and for receiving the initial server response. lmtp_lhlo_timeout (300s) - The LMTP client time limit for sending the LHLO + The LMTP client time limit for sending the LHLO command, and for receiving the initial server response. 
@@ -501,30 +507,30 @@ SMTP(8) SMTP(8) command, and for receiving the server response. smtp_mail_timeout (300s) - The SMTP client time limit for sending the MAIL - FROM command, and for receiving the server + The SMTP client time limit for sending the MAIL + FROM command, and for receiving the server response. smtp_rcpt_timeout (300s) - The SMTP client time limit for sending the SMTP - RCPT TO command, and for receiving the server + The SMTP client time limit for sending the SMTP + RCPT TO command, and for receiving the server response. smtp_data_init_timeout (120s) - The SMTP client time limit for sending the SMTP - DATA command, and for receiving the server + The SMTP client time limit for sending the SMTP + DATA command, and for receiving the server response. smtp_data_xfer_timeout (180s) - The SMTP client time limit for sending the SMTP + The SMTP client time limit for sending the SMTP message content. smtp_data_done_timeout (600s) - The SMTP client time limit for sending the SMTP + The SMTP client time limit for sending the SMTP ".", and for receiving the server response. smtp_quit_timeout (300s) - The SMTP client time limit for sending the QUIT + The SMTP client time limit for sending the QUIT command, and for receiving the server response. Available in Postfix version 2.1 and later: @@ -535,12 +541,12 @@ SMTP(8) SMTP(8) lookups, or zero (no limit). smtp_mx_session_limit (2) - The maximal number of SMTP sessions per delivery - request before giving up or delivering to a fall- + The maximal number of SMTP sessions per delivery + request before giving up or delivering to a fall- back relay host, or zero (no limit). smtp_rset_timeout (20s) - The SMTP client time limit for sending the RSET + The SMTP client time limit for sending the RSET command, and for receiving the server response. Available in Postfix version 2.2 and earlier: 
@@ -552,11 +558,11 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and later: smtp_connection_cache_destinations (empty) - Permanently enable SMTP connection caching for the + Permanently enable SMTP connection caching for the specified destinations. smtp_connection_cache_on_demand (yes) - Temporarily enable SMTP connection caching while a + Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. 
@@ -566,57 +572,57 @@ SMTP(8) SMTP(8) smtp_connection_cache_time_limit (2s) When SMTP connection caching is enabled, the amount - of time that an unused SMTP client socket is kept + of time that an unused SMTP client socket is kept open before it is closed. Available in Postfix version 2.3 and later: connection_cache_protocol_timeout (5s) - Time limit for connection cache connect, send or + Time limit for connection cache connect, send or receive operations. TROUBLE SHOOTING CONTROLS debug_peer_level (2) - The increment in verbose logging level when a - remote client or server matches a pattern in the + The increment in verbose logging level when a + remote client or server matches a pattern in the debug_peer_list parameter. debug_peer_list (empty) - Optional list of remote client or server hostname - or network address patterns that cause the verbose - logging level to increase by the amount specified + Optional list of remote client or server hostname + or network address patterns that cause the verbose + logging level to increase by the amount specified in $debug_peer_level. error_notice_recipient (postmaster) - The recipient of postmaster notifications about - mail delivery problems that are caused by policy, + The recipient of postmaster notifications about + mail delivery problems that are caused by policy, resource, software or protocol errors. notify_classes (resource, software) - The list of error classes that are reported to the + The list of error classes that are reported to the postmaster. MISCELLANEOUS CONTROLS best_mx_transport (empty) - Where the Postfix SMTP client should deliver mail + Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and + The default location of the Postfix main.cf and master.cf configuration files. 
daemon_timeout (18000s) - How much time a Postfix daemon process may take to - handle a request before it is terminated by a + How much time a Postfix daemon process may take to + handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal + The maximal number of digits after the decimal point when logging sub-second delay values. disable_dns_lookups (no) - Disable DNS lookups in the Postfix SMTP and LMTP + Disable DNS lookups in the Postfix SMTP and LMTP clients. inet_interfaces (all) @@ -624,7 +630,7 @@ SMTP(8) SMTP(8) tem receives mail on. inet_protocols (ipv4) - The Internet protocols Postfix will attempt to use + The Internet protocols Postfix will attempt to use when making or accepting connections. ipc_timeout (3600s) 
@@ -632,74 +638,74 @@ SMTP(8) SMTP(8) over an internal communication channel. lmtp_tcp_port (24) - The default TCP port that the Postfix LMTP client + The default TCP port that the Postfix LMTP client connects to. max_idle (100s) - The maximum amount of time that an idle Postfix - daemon process waits for the next service request + The maximum amount of time that an idle Postfix + daemon process waits for the next service request before exiting. max_use (100) - The maximal number of connection requests before a + The maximal number of connection requests before a Postfix daemon process terminates. process_id (read-only) - The process ID of a Postfix command or daemon + The process ID of a Postfix command or daemon process. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. proxy_interfaces (empty) The network interface addresses that this mail sys- - tem receives mail on by way of a proxy or network + tem receives mail on by way of a proxy or network address translation unit. smtp_bind_address (empty) An optional numerical network address that the SMTP - client should bind to when making an IPv4 connec- + client should bind to when making an IPv4 connec- tion. smtp_bind_address6 (empty) An optional numerical network address that the SMTP - client should bind to when making an IPv6 connec- + client should bind to when making an IPv6 connec- tion. smtp_helo_name ($myhostname) - The hostname to send in the SMTP EHLO or HELO com- + The hostname to send in the SMTP EHLO or HELO com- mand. lmtp_lhlo_name ($myhostname) The hostname to send in the LMTP LHLO command. smtp_host_lookup (dns) - What mechanisms when the SMTP client uses to look + What mechanisms when the SMTP client uses to look up a host's IP address. smtp_randomize_addresses (yes) - Randomize the order of equal-preference MX host + Randomize the order of equal-preference MX host addresses. 
syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (postfix) - The mail system name that is prepended to the - process name in syslog records, so that "smtpd" + The mail system name that is prepended to the + process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". Available with Postfix 2.2 and earlier: fallback_relay (empty) - Optional list of relay hosts for SMTP destinations + Optional list of relay hosts for SMTP destinations that can't be found or that are unreachable. Available with Postfix 2.3 and later: smtp_fallback_relay ($fallback_relay) - Optional list of relay hosts for SMTP destinations + Optional list of relay hosts for SMTP destinations that can't be found or that are unreachable. SEE ALSO @@ -717,7 +723,7 @@ SMTP(8) SMTP(8) TLS_README, Postfix STARTTLS howto LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 5c3b18570..3a75dc5ed 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -1883,6 +1883,11 @@ Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds). .SH lmtp_sasl_auth_enable (default: no) Enable SASL authentication in the Postfix LMTP client. +.SH lmtp_sasl_auth_enforce (default: yes) +The LMTP-specific version of the smtp_sasl_auth_enforce +configuration parameter. See there for details. +.PP +This feature is available in Postfix 2.3 and later. .SH lmtp_sasl_mechanism_filter (default: empty) The LMTP-specific version of the smtp_sasl_mechanism_filter configuration parameter. See there for details. 
@@ -4194,6 +4199,12 @@ smtp_sasl_auth_enable = yes .fi .ad .ft R +.SH smtp_sasl_auth_enforce (default: yes) +Defer mail delivery when an SMTP server does not support SASL +authentication, while smtp_sasl_password_maps contains SASL +login/password information for that server. +.PP +This feature is available in Postfix 2.3 and later. .SH smtp_sasl_mechanism_filter (default: empty) If non-empty, a Postfix SMTP client filter for the remote SMTP server's list of offered SASL mechanisms. Different client and diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index d7ae64655..2facc965f 100644 --- a/postfix/man/man8/smtp.8 +++ b/postfix/man/man8/smtp.8 @@ -262,6 +262,10 @@ If non-empty, a Postfix SMTP client filter for the remote SMTP server's list of offered SASL mechanisms. .PP Available in Postfix version 2.3 and later: +.IP "\fBsmtp_sasl_auth_enforce (yes)\fR" +Defer mail delivery when an SMTP server does not support SASL +authentication, while smtp_sasl_password_maps contains SASL +login/password information for that server. .IP "\fBsmtp_sender_dependent_authentication (no)\fR" Enable sender-dependent authentication in the SMTP client; this is available only with SASL authentication, and disables SMTP connection diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index f5b803bbd..5d4c6edd0 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -252,6 +252,7 @@ while (<>) { s;\blmtp_rcpt_timeout\b;$&;g; s;\blmtp_rset_timeout\b;$&;g; s;\blmtp_sasl_auth_enable\b;$&;g; + s;\blmtp_sasl_auth_enforce\b;$&;g; s;\blmtp_sasl_password_maps\b;$&;g; s;\blmtp_sasl_security_options\b;$&;g; s;\blmtp_sasl_type\b;$&;g; 
@@ -418,7 +419,7 @@ while (<>) { s;\bsmtp_rset_timeout\b;$&;g; s;\bsmtp_sasl_auth_enable\b;$&;g; s;\bsmtp_sasl_mechanism_filter\b;$&;g; - s;\bsmtp_sasl_password_maps\b;$&;g; + s;\bsmtp_sasl_pass[-]*\n* *[]*word_maps\b;$&;g; s;\bsmtp_sasl_path\b;$&;g; s;\bsmtp_sasl_secu[-]*\n* *[]*rity_options\b;$&;g; s;\bsmtp_send_xforward_command\b;$&;g; @@ -524,6 +525,7 @@ while (<>) { s;\bsmtp_[-]*\n* *[]*sasl_[-]*\n* *[]*tls_[-]*\n* *[]*secu[-]*\n* *[]*rity_options\b;$&;g; s;\bsmtp_sasl_tls_verified_secu[-]*\n* *[]*rity_options\b;$&;g; s;\bsmtp_sasl_type\b;$&;g; + s;\bsmtp_sasl_auth_enforce\b;$&;g; s;\bsmtp_starttls_timeout\b;$&;g; s;\bsmtp_tls_CAfile\b;$&;g; s;\bsmtp_tls_CApath\b;$&;g; diff --git a/postfix/proto/SMTPD_POLICY_README.html b/postfix/proto/SMTPD_POLICY_README.html index a722f99a0..6030d6183 100644 --- a/postfix/proto/SMTPD_POLICY_README.html +++ b/postfix/proto/SMTPD_POLICY_README.html @@ -90,7 +90,7 @@ sasl_username=you sasl_sender= size=12345 ccert_subject=solaris9.porcupine.org -ccert_issuer=Wietse Venema +ccert_issuer=Wietse+20Venema ccert_fingerprint=C2:9D:F4:87:71:73:73:D9:18:E7:C2:F3:C1:DA:6E:04 Postfix version 2.3 and later: encryption_protocol=TLSv1/SSLv3 @@ -161,6 +161,9 @@ etrn_domain=
  • The "ccert_*" attributes (Postfix 2.2 and later) specify information about how the client was authenticated via TLS. These attributes are empty in case of no certificate authentication. + As of Postfix 2.2.11 these attribute values are encoded as + xtext: some characters are represented by +XX, where XX is the + two-digit hecadecimal representation of the character value.

  • The "encryption_*" attributes (Postfix 2.3 and later) diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index f6f807bbb..1b0de24cb 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -10345,3 +10345,18 @@ configuration parameter. See there for details.

    configuration parameter. See there for details.

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtp_sasl_auth_enforce yes + +

    Defer mail delivery when an SMTP server does not support SASL +authentication, while smtp_sasl_password_maps contains SASL +login/password information for that server.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_sasl_auth_enforce yes + +

    The LMTP-specific version of the smtp_sasl_auth_enforce +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    diff --git a/postfix/src/cleanup/cleanup_milter.c b/postfix/src/cleanup/cleanup_milter.c index 3cf7194cf..f675c34a7 100644 --- a/postfix/src/cleanup/cleanup_milter.c +++ b/postfix/src/cleanup/cleanup_milter.c @@ -1187,6 +1187,11 @@ static const char *cleanup_milter_eval(const char *name, void *ptr) { CLEANUP_STATE *state = (CLEANUP_STATE *) ptr; + /* + * Note: if we use XFORWARD attributes here, then consistency requires + * that we forward all Sendmail macros via XFORWARD. + */ + /* * Canonicalize the name. */ diff --git a/postfix/src/global/log_adhoc.c b/postfix/src/global/log_adhoc.c index b32c1bf12..43b3f01fd 100644 --- a/postfix/src/global/log_adhoc.c +++ b/postfix/src/global/log_adhoc.c @@ -133,15 +133,22 @@ void log_adhoc(const char *id, MSG_STATS *stats, RECIPIENT *recipient, * * Don't compute the sdelay (connection setup latency) if there is no time * stamp for connection setup completion. + * + * XXX Apparently, Solaris gettimeofday() can return out-of-range + * microsecond values. */ #define DELTA(x, y, z) \ do { \ (x).dt_sec = (y).tv_sec - (z).tv_sec; \ (x).dt_usec = (y).tv_usec - (z).tv_usec; \ - if ((x).dt_usec < 0) { \ + while ((x).dt_usec < 0) { \ (x).dt_usec += 1000000; \ (x).dt_sec -= 1; \ } \ + while ((x).dt_usec >= 1000000) { \ + (x).dt_usec -= 1000000; \ + (x).dt_sec += 1; \ + } \ if ((x).dt_sec < 0) \ (x).dt_sec = (x).dt_usec = 0; \ } while (0) diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 7f0b9810b..44d6738e9 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -1384,6 +1384,10 @@ extern bool var_smtp_sasl_enable; #define DEF_SMTP_SASL_PASSWD "" extern char *var_smtp_sasl_passwd; +#define VAR_SMTP_SASL_ENFORCE "smtp_sasl_auth_enforce" +#define DEF_SMTP_SASL_ENFORCE 1 +extern bool var_smtp_sasl_enforce; + #define VAR_SMTP_SASL_OPTS "smtp_sasl_security_options" #define DEF_SMTP_SASL_OPTS "noplaintext, noanonymous" extern char *var_smtp_sasl_opts; 
@@ -1479,6 +1483,9 @@ extern bool var_lmtp_sasl_enable; #define DEF_LMTP_SASL_PASSWD "" extern char *var_lmtp_sasl_passwd; +#define VAR_LMTP_SASL_ENFORCE "lmtp_sasl_auth_enforce" +#define DEF_LMTP_SASL_ENFORCE 1 + #define VAR_LMTP_SASL_OPTS "lmtp_sasl_security_options" #define DEF_LMTP_SASL_OPTS "noplaintext, noanonymous" extern char *var_lmtp_sasl_opts; diff --git a/postfix/src/global/mail_proto.h b/postfix/src/global/mail_proto.h index 5ca8c8cb1..de83b6cc6 100644 --- a/postfix/src/global/mail_proto.h +++ b/postfix/src/global/mail_proto.h @@ -135,7 +135,7 @@ extern char *mail_pathname(const char *, const char *); #define MAIL_ATTR_LABEL "label" #define MAIL_ATTR_PROP "property" #define MAIL_ATTR_CCERT_SUBJECT "ccert_subject" -#define MAIL_ATTR_CCERT_ISSSUER "ccert_issuer" +#define MAIL_ATTR_CCERT_ISSUER "ccert_issuer" #define MAIL_ATTR_CCERT_FINGERPRINT "ccert_fingerprint" #define MAIL_ATTR_CRYPTO_PROTOCOL "encryption_protocol" #define MAIL_ATTR_CRYPTO_CIPHER "encryption_cipher" diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 0797b8bf1..996bdf5c1 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20060706" -#define MAIL_VERSION_NUMBER "2.3-RC7" +#define MAIL_RELEASE_DATE "20060707" +#define MAIL_VERSION_NUMBER "2.3-RC8" #define VAR_MAIL_VERSION "mail_version" #define DEF_MAIL_VERSION MAIL_VERSION_NUMBER diff --git a/postfix/src/smtp/lmtp_params.c b/postfix/src/smtp/lmtp_params.c index 2f2cbacad..f59b0d0b2 100644 --- a/postfix/src/smtp/lmtp_params.c +++ b/postfix/src/smtp/lmtp_params.c @@ -95,5 +95,6 @@ #endif VAR_LMTP_SENDER_AUTH, DEF_LMTP_SENDER_AUTH, &var_smtp_sender_auth, VAR_LMTP_CNAME_OVERR, DEF_LMTP_CNAME_OVERR, &var_smtp_cname_overr, + VAR_LMTP_SASL_ENFORCE, DEF_LMTP_SASL_ENFORCE, &var_smtp_sasl_enforce, 0, }; 
diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index 5202b73c7..a7f5bdd5c 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c @@ -234,6 +234,10 @@ /* server's list of offered SASL mechanisms. /* .PP /* Available in Postfix version 2.3 and later: +/* .IP "\fBsmtp_sasl_auth_enforce (yes)\fR" +/* Defer mail delivery when an SMTP server does not support SASL +/* authentication, while smtp_sasl_password_maps contains SASL +/* login/password information for that server. /* .IP "\fBsmtp_sender_dependent_authentication (no)\fR" /* Enable sender-dependent authentication in the SMTP client; this is /* available only with SASL authentication, and disables SMTP connection @@ -691,6 +695,7 @@ bool var_smtp_sender_auth; char *var_lmtp_tcp_port; int var_scache_proto_tmout; bool var_smtp_cname_overr; +bool var_smtp_sasl_enforce; /* * Global variables. diff --git a/postfix/src/smtp/smtp_params.c b/postfix/src/smtp/smtp_params.c index db27bc961..4f8c997e3 100644 --- a/postfix/src/smtp/smtp_params.c +++ b/postfix/src/smtp/smtp_params.c @@ -99,5 +99,6 @@ #endif VAR_SMTP_SENDER_AUTH, DEF_SMTP_SENDER_AUTH, &var_smtp_sender_auth, VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr, + VAR_SMTP_SASL_ENFORCE, DEF_SMTP_SASL_ENFORCE, &var_smtp_sasl_enforce, 0, }; diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c index 1345158e9..e187f6efe 100644 --- a/postfix/src/smtp/smtp_proto.c +++ b/postfix/src/smtp/smtp_proto.c 
@@ -600,6 +600,15 @@ int smtp_helo(SMTP_STATE *state) #ifdef USE_SASL_AUTH if (var_smtp_sasl_enable && (session->features & SMTP_FEATURE_AUTH)) return (smtp_sasl_helo_login(state)); + else if (var_smtp_sasl_enable + && *var_smtp_sasl_passwd + && var_smtp_sasl_enforce + && smtp_sasl_passwd_lookup(session) != 0) + return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, + SMTP_RESP_FAKE(&fake, "4.7.0"), + "SASL login/password exists, but host %s " + "does not announce SASL authentication support", + session->namaddr)); #endif return (0); diff --git a/postfix/src/smtpd/Makefile.in b/postfix/src/smtpd/Makefile.in index 868965acb..a6ee5150d 100644 --- a/postfix/src/smtpd/Makefile.in +++ b/postfix/src/smtpd/Makefile.in @@ -286,6 +286,7 @@ smtpd_check.o: ../../include/vbuf.h smtpd_check.o: ../../include/verify_clnt.h smtpd_check.o: ../../include/vstream.h smtpd_check.o: ../../include/vstring.h +smtpd_check.o: ../../include/xtext.h smtpd_check.o: smtpd.h smtpd_check.o: smtpd_check.c smtpd_check.o: smtpd_check.h diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 8d26c6e87..865930d24 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c @@ -236,6 +236,7 @@ #include #include #include +#include /* Application-specific. */ @@ -3251,6 +3252,15 @@ static int check_policy_service(SMTPD_STATE *state, const char *server, static VSTRING *action = 0; ATTR_CLNT *policy_clnt; +#ifdef USE_TLS + VSTRING *subject_buf; + VSTRING *issuer_buf; + const char *subject; + const char *issuer; + +#endif + int ret; + /* * Sanity check. */ 
@@ -3265,6 +3275,23 @@ static int check_policy_service(SMTPD_STATE *state, const char *server, if (action == 0) action = vstring_alloc(10); +#ifdef USE_TLS +#define ENCODE_CN(coded_CN, coded_CN_buf, CN) do { \ + if (state->tls_context == 0 \ + || state->tls_context->peer_verified == 0 || (CN) == 0) { \ + coded_CN_buf = 0; \ + coded_CN = ""; \ + } else { \ + coded_CN_buf = vstring_alloc(strlen(CN)); \ + xtext_quote(coded_CN_buf, CN, ""); \ + coded_CN = STR(coded_CN_buf); \ + } \ + } while (0); + + ENCODE_CN(subject, subject_buf, state->tls_context->peer_CN); + ENCODE_CN(issuer, issuer_buf, state->tls_context->issuer_CN); +#endif + if (attr_clnt_request(policy_clnt, ATTR_FLAG_NONE, /* Query attributes. */ ATTR_TYPE_STR, MAIL_ATTR_REQ, "smtpd_access_policy", @@ -3308,10 +3335,8 @@ static int check_policy_service(SMTPD_STATE *state, const char *server, #define IF_VERIFIED(x) \ ((state->tls_context && \ state->tls_context->peer_verified && ((x) != 0)) ? (x) : "") - ATTR_TYPE_STR, MAIL_ATTR_CCERT_SUBJECT, - IF_VERIFIED(state->tls_context->peer_CN), - ATTR_TYPE_STR, MAIL_ATTR_CCERT_ISSSUER, - IF_VERIFIED(state->tls_context->issuer_CN), + ATTR_TYPE_STR, MAIL_ATTR_CCERT_SUBJECT, subject, + ATTR_TYPE_STR, MAIL_ATTR_CCERT_ISSUER, issuer, ATTR_TYPE_STR, MAIL_ATTR_CCERT_FINGERPRINT, IF_VERIFIED(state->tls_context->peer_fingerprint), #define IF_ENCRYPTED(x, y) ((state->tls_context && ((x) != 0)) ? (x) : (y)) 
@@ -3326,19 +3351,26 @@ static int check_policy_service(SMTPD_STATE *state, const char *server, ATTR_FLAG_MISSING, /* Reply attributes. */ ATTR_TYPE_STR, MAIL_ATTR_ACTION, action, ATTR_TYPE_END) != 1) { - return (smtpd_check_reject(state, MAIL_ERROR_POLICY, - 451, "4.3.5", - "Server configuration problem")); + ret = smtpd_check_reject(state, MAIL_ERROR_POLICY, + 451, "4.3.5", + "Server configuration problem"); } else { /* * XXX This produces bogus error messages when the reply is * malformed. */ - return (check_table_result(state, server, STR(action), - "policy query", reply_name, - reply_class, def_acl)); + ret = check_table_result(state, server, STR(action), + "policy query", reply_name, + reply_class, def_acl); } +#ifdef USE_TLS + if (subject_buf) + vstring_free(subject_buf); + if (issuer_buf) + vstring_free(issuer_buf); +#endif + return (ret); } /* is_map_command - restriction has form: check_xxx_access type:name */ diff --git a/postfix/src/smtpd/smtpd_peer.c b/postfix/src/smtpd/smtpd_peer.c index 269d0565b..8dacecffb 100644 --- a/postfix/src/smtpd/smtpd_peer.c +++ b/postfix/src/smtpd/smtpd_peer.c @@ -138,6 +138,15 @@ void smtpd_peer_init(SMTPD_STATE *state) /* * Look up the peer address information. + * + * XXX If we make local endpoint (getsockname) information available to + * Milter applications as {if_name} and {if_addr}, then we also must be + * able to provide this via the XCLIENT command for Milter testing. + * + * XXX If support were to be added for Milter applications in down-stream + * MTAs, then consistency demands that we propagate a lot of Sendmail + * macro information via the XFORWARD command. Otherwise we could end up + * with a very confusing situation. */ if (getpeername(vstream_fileno(state->client), sa, &sa_length) >= 0) { errno = 0;
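Review bot: the smtp.c manual text for smtp_sasl_auth_enforce says the server "does not support SASL authentication", which is broader than what smtp_helo() tests. The code only checks whether AUTH was announced (session->features & SMTP_FEATURE_AUTH), so the wording should match the log text in smtp_proto.c, "does not announce SASL authentication support". Because the documented default is yes, the text should also say that delivery is deferred with 4.7.0 instead of proceeding unauthenticated, so that sites with leftover smtp_sasl_password_maps entries for hosts without AUTH know why mail starts queueing after the upgrade.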
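Review bot: the new else-if branch in smtp_helo() (smtp_proto.c, @@ -600) has no comment, and it calls smtp_sasl_passwd_lookup(session) only to test for a non-zero result. Please add a short block comment stating the intent (fail with a soft error instead of sending without authentication when credentials exist but AUTH is not announced) and say whether the lookup leaves anything on the session that the failure path must not reuse. The branch also sits inside #ifdef USE_SASL_AUTH, so the parameter has no effect in builds without SASL; the parameter documentation should mention that.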
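Review bot: the ENCODE_CN macro in check_policy_service() (smtpd_check.c, @@ -3265) ends with "} while (0);", and the trailing semicolon defeats the do/while(0) idiom: each "ENCODE_CN(...);" call expands to two statements and would break inside an unbraced if/else. Drop the semicolon from the definition. Two smaller points in the same macro: strlen(CN) is 0 for an empty CN, so confirm that vstring_alloc() accepts a zero length or allocate strlen(CN) + 1; and the CN argument is used unparenthesized in strlen(CN) and xtext_quote(), while the test above it writes (CN).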
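Review bot: in the attribute list (smtpd_check.c, @@ -3308) the subject and issuer values are now the xtext-quoted strings, while MAIL_ATTR_CCERT_FINGERPRINT still passes the raw value through IF_VERIFIED, so the three certificate attributes no longer share one encoding. Policy servers that compare the subject or issuer against literal strings will see different input for any CN with quoted characters; this needs a line in the policy protocol documentation and the release notes. The rename from MAIL_ATTR_CCERT_ISSSUER to MAIL_ATTR_CCERT_ISSUER also requires the header definition to change in the same commit, which is not visible in this part of the patch.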
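Review bot: the cleanup at the end of check_policy_service() (smtpd_check.c, @@ -3326) tests subject_buf and issuer_buf, which are declared without initializers in the @@ -3251 hunk. It is only correct because ENCODE_CN assigns both on every path that reaches it. Initialize both to 0 at the declaration so a later early exit or a reordered sanity check cannot lead to vstring_free() on an indeterminate pointer. The single-exit rewrite itself looks right: both former return statements now assign ret and fall through to the frees.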