mirror of https://github.com/vdukhovni/postfix synced 2025-09-01 22:55:29 +00:00

postfix-2.2-20050208

This commit is contained in:
Wietse Venema
2005-02-08 00:00:00 -05:00
committed by Viktor Dukhovni
parent 3414d539d2
commit d2c73aa0fe
41 changed files with 344 additions and 746 deletions

View File

@@ -10300,12 +10300,33 @@ Apologies for any names omitted.
the input when the action is NOT executed. File: the input when the action is NOT executed. File:
cleanup/cleanup_message.c. cleanup/cleanup_message.c.
Bugfix? Cleanup? Documentation? main.cf now implements
${name[?:]value} as promised in the postconf(5) manual.
Implemented by deleting the macro processor in dict_eval(),
and using the one in mac_expand() instead. File: util/dict.c.
20050208
Feature: check_ccert_access maptype:mapname for access(5)
control, based on code by Victor Duchovni. File:
smtpd/smtpd_check.c and documentation.
Sanity check: don't allow unlimited message size with
limited mailbox size. File: local/local.c, virtual/virtual.c.
Open problems: Open problems:
Med: local and remote source port and IP address for smtpd Med: local and remote source port and IP address for smtpd
policy hook. policy hook.
Med: smtp_connect_timeout_budget (default: 2x smtp_connect_timeout) Med: disable address rewriting after XCLIENT? Introduce a
better concept of original submission?
Med: find out what TLS attributes to export via the policy
servicer hooks: peer CN, issuer CN, peer fingerprint,
verification status.
Med: smtp_connect_timeout_budget (default: 3x smtp_connect_timeout)
to limit the total time spent trying to connect. to limit the total time spent trying to connect.
Med: transform IPv4-in-IPv6 address literals to IPv4 form Med: transform IPv4-in-IPv6 address literals to IPv4 form
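Review bot: the new open-problem entry on TLS attributes has a typo, "policy servicer hooks" should read "policy service hooks". In the same block the suggested default for smtp_connect_timeout_budget changes from 2x to 3x smtp_connect_timeout with no reason given; a short rationale in the entry would keep the history self-explanatory.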
@@ -10336,9 +10357,6 @@ Open problems:
Med: eliminate the tls_info data structure. Med: eliminate the tls_info data structure.
Med: implement ${name[?:]value} in main.cf or update the
postconf(5) manual.
Low: reject HELO with any domain name or IP address that Low: reject HELO with any domain name or IP address that
this MTA is the final destination for. this MTA is the final destination for.
@@ -10384,7 +10402,9 @@ Open problems:
Med: silly queue file bit so that the queue manager doesn't Med: silly queue file bit so that the queue manager doesn't
skip files when fast flush is requested while a queue scan skip files when fast flush is requested while a queue scan
is in progress. is in progress. The bit is set by the flush server and is
reset when the mail is deferred, so that it survives queue
manager restart.
Med: postsuper -r should do something with recipients in Med: postsuper -r should do something with recipients in
bounce logfiles. bounce logfiles.

View File

@@ -125,6 +125,12 @@ Examples of simple restriction lists are:
# Whitelisting: local clients may specify any destination. Others may not. # Whitelisting: local clients may specify any destination. Others may not.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
# Block clients that speak too early.
smtpd_data_restrictions = reject_unauth_pipelining
# Enforce mail volume quota via policy service callouts.
smtpd_end_of_data_restrictions = check_policy_service unix:private/policy
Each restriction list is evaluated from left to right until some restriction Each restriction list is evaluated from left to right until some restriction
produces a result of PERMIT, REJECT or DEFER (try again later). The end of the produces a result of PERMIT, REJECT or DEFER (try again later). The end of the
list is equivalent to a PERMIT result. By placing a PERMIT restriction before a list is equivalent to a PERMIT result. By placing a PERMIT restriction before a
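Review bot: the added smtpd_end_of_data_restrictions example points at unix:private/policy without saying that the reader must define that policy service first, or where that is documented. Other hunks in this commit annotate new features with "available with Postfix 2.2"; if this restriction list is also new, the example needs the same version note, otherwise readers on older releases will copy a setting that does not exist for them.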

View File

@@ -382,8 +382,8 @@ Example:
SSeerrvveerr aacccceessss ccoonnttrrooll SSeerrvveerr aacccceessss ccoonnttrrooll
Postfix TLS support introduces two additional features for Postfix SMTP server Postfix TLS support introduces three additional features for Postfix SMTP
access control: server access control:
permit_tls_clientcerts permit_tls_clientcerts
Allow the remote SMTP client SMTP request if the client certificate Allow the remote SMTP client SMTP request if the client certificate
@@ -394,6 +394,10 @@ access control:
Allow the remote client SMTP request if the client certificate passes Allow the remote client SMTP request if the client certificate passes
verification. verification.
check_ccert_access type:table
If the client certificate passes verification, use its fingerprint as a
key for the specified access(5) table.
The permit_tls_all_clientcerts feature must be used with caution, because it The permit_tls_all_clientcerts feature must be used with caution, because it
can result in too many access permissions. Use this feature only if a special can result in too many access permissions. Use this feature only if a special
CA issues the client certificates, and only if this CA is listed as trusted CA. CA issues the client certificates, and only if this CA is listed as trusted CA.
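Review bot: the new check_ccert_access entry does not say what form the lookup key takes or what happens when no verified certificate is available. State the fingerprint format expected in the access(5) table (the release notes in this commit say hexadecimal) and spell out the result when the client presents no certificate or verification fails, since an operator writing a REJECT-by-default table needs to know whether the restriction is skipped in that case.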

View File

@@ -7,17 +7,25 @@ snapshot release). Patches are issued for the official release
and change the patchlevel and the release date. Patches are never and change the patchlevel and the release date. Patches are never
issued for snapshot releases. issued for snapshot releases.
Major changes with snapshot Postfix-2.2-20050208
================================================
New "check_ccert_maps maptype:mapname" feature to enforce access
control based on (hexadecimal) client certificate fingerprints.
Major changes with snapshot Postfix-2.2-20050206 Major changes with snapshot Postfix-2.2-20050206
================================================ ================================================
Support for address rewriting in outgoing SMTP mail. This is useful Support for address rewriting in outgoing SMTP mail. This is useful
for sites that have no valid Internet domain name, and that use a for sites that have no valid Internet domain name, and that use a
domain name such as localdomain.local instead. Mail addresses that domain name such as localdomain.local instead. Mail addresses that
use such domain names are often rejected by mail servers. The new use such domain names are often rejected by mail servers.
smtp_generics_maps feature allows you to replace local mail addresses
by valid Internet addresses when mail needs to be sent across the The new smtp_generics_maps feature allows you to replace local mail
addresses by valid Internet addresses when mail is sent across the
Internet. It has no effect on mail that is sent between accounts Internet. It has no effect on mail that is sent between accounts
on the local machine. on the local machine. The syntax is described in generics(5) and
a detailed example is in the STANDARD_CONFIGURATION_README file.
Example: Example:
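Review bot: the new release note names the feature "check_ccert_maps maptype:mapname", while the HISTORY entry and every documentation hunk in this commit call it check_ccert_access. Use one name throughout; as written, an administrator copying the release-note spelling into a restriction list will be configuring a restriction that the rest of the documentation does not describe.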

View File

@@ -62,8 +62,8 @@
# in $inet_interfaces or $proxy_interfaces. # in $inet_interfaces or $proxy_interfaces.
# #
# @domain # @domain
# Matches every other address in domain. This form # Matches other addresses in domain. This form has
# has the lowest precedence. # the lowest precedence.
# #
# ADDRESS EXTENSION # ADDRESS EXTENSION
# When a mail address localpart contains the optional recip- # When a mail address localpart contains the optional recip-

View File

@@ -685,12 +685,12 @@ recipients. Postfix provides three mechanisms: </p>
the specified address. In Postfix versions before 2.1, this feature the specified address. In Postfix versions before 2.1, this feature
is implemented by <a href="smtpd.8.html">smtpd(8)</a>, <a href="qmqpd.8.html">qmqpd(8)</a>, or <a href="pickup.8.html">pickup(8)</a>. </dd> is implemented by <a href="smtpd.8.html">smtpd(8)</a>, <a href="qmqpd.8.html">qmqpd(8)</a>, or <a href="pickup.8.html">pickup(8)</a>. </dd>
<dt> <a href="postconf.5.html#sender_bcc_maps">sender_bcc_maps</a> = type:table </dt> <dd> Search the specified <dt> <a href="postconf.5.html#sender_bcc_maps">sender_bcc_maps</a> = <a href="DATABASE_README.html">type:table</a> </dt> <dd> Search the specified
"<a href="DATABASE_README.html">type:table</a>" lookup table with the envelope sender address for an "<a href="DATABASE_README.html">type:table</a>" lookup table with the envelope sender address for an
automatic BCC address. This feature is available in Postfix 2.1 automatic BCC address. This feature is available in Postfix 2.1
and later. </dd> and later. </dd>
<dt> <a href="postconf.5.html#recipient_bcc_maps">recipient_bcc_maps</a> = type:table </dt> <dd> Search the specified <dt> <a href="postconf.5.html#recipient_bcc_maps">recipient_bcc_maps</a> = <a href="DATABASE_README.html">type:table</a> </dt> <dd> Search the specified
"<a href="DATABASE_README.html">type:table</a>" lookup table with the envelope recipient address for "<a href="DATABASE_README.html">type:table</a>" lookup table with the envelope recipient address for
an automatic BCC address. This feature is available in Postfix 2.1 an automatic BCC address. This feature is available in Postfix 2.1
and later. </dd> and later. </dd>

View File

@@ -335,7 +335,7 @@ are given in <a href="pgsql_table.5.html">pgsql_table(5)</a>. </dd>
<dt> <b>proxy</b> (read-only) </dt> <dt> <b>proxy</b> (read-only) </dt>
<dd> Access information via the Postfix <a href="proxymap.8.html">proxymap(8)</a> service. The <dd> Access information via the Postfix <a href="proxymap.8.html">proxymap(8)</a> service. The
lookup table name syntax is "<a href="proxymap.8.html">proxy</a>:type:table". </dd> lookup table name syntax is "<a href="proxymap.8.html">proxy</a>:<a href="DATABASE_README.html">type:table</a>". </dd>
<dt> <b>regexp</b> (read-only) </dt> <dt> <b>regexp</b> (read-only) </dt>

View File

@@ -192,7 +192,7 @@ information inside "<tt>[]</tt>", like this: </p>
IPv6 address information inside "<tt>[]</tt>" in the main.cf parameter IPv6 address information inside "<tt>[]</tt>" in the main.cf parameter
value and in files specified with a "<i>/file/name</i>" pattern. value and in files specified with a "<i>/file/name</i>" pattern.
IPv6 addresses contain the ":" character, and would otherwise be IPv6 addresses contain the ":" character, and would otherwise be
confused with a "<i>type:table</i>" pattern. </b> </p> confused with a "<i><a href="DATABASE_README.html">type:table</a></i>" pattern. </b> </p>
<h2><a name="limitations">Known Limitations</a></h2> <h2><a name="limitations">Known Limitations</a></h2>

View File

@@ -1,258 +0,0 @@
SHELL = /bin/sh
# For now, just hard-coded rules for daemons, commands, config files.
DAEMONS = bounce.8.html cleanup.8.html defer.8.html error.8.html local.8.html \
lmtp.8.html master.8.html pickup.8.html pipe.8.html qmgr.8.html \
showq.8.html smtp.8.html smtpd.8.html trivial-rewrite.8.html \
oqmgr.8.html spawn.8.html flush.8.html virtual.8.html qmqpd.8.html \
trace.8.html verify.8.html proxymap.8.html anvil.8.html
COMMANDS= mailq.1.html newaliases.1.html postalias.1.html postcat.1.html \
postconf.1.html postfix.1.html postkick.1.html postlock.1.html \
postlog.1.html postdrop.1.html postmap.1.html sendmail.1.html \
postqueue.1.html postsuper.1.html smtp-source.1.html \
smtp-sink.1.html qmqp-source.1.html qmqp-sink.1.html
CONFIG = access.5.html aliases.5.html canonical.5.html relocated.5.html \
transport.5.html virtual.5.html pcre_table.5.html regexp_table.5.html \
cidr_table.5.html tcp_table.5.html header_checks.5.html \
ldap_table.5.html mysql_table.5.html pgsql_table.5.html
AWK = awk '{ print; if (NR == 1) print ".pl 9999" }'
MAN2HTML = man2html -t "Postfix manual - `IFS=.; set \`echo $@\`; echo \"$$1($$2)\"`"
update: $(DAEMONS) $(COMMANDS) $(CONFIG)
Makefile: Makefile.in
(set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../src/makedefs; cat $?) >$@
clean:
echo clean
tidy: clean
clobber:
rm -f $(DAEMONS) $(COMMANDS) $(CONFIG)
bounce.8.html: ../src/bounce/bounce.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
defer.8.html: bounce.8.html
rm -f $@
ln -s $? $@
error.8.html: ../src/error/error.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
flush.8.html: ../src/flush/flush.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
cleanup.8.html: ../src/cleanup/cleanup.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
anvil.8.html: ../src/anvil/anvil.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
lmtp.8.html: ../src/lmtp/lmtp.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
local.8.html: ../src/local/local.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
master.8.html: ../src/master/master.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
oqmgr.8.html: ../src/oqmgr/qmgr.c
PATH=../mantools:$$PATH; \
srctoman $? | sed -e 's/qmgr[^_]/o&/' \
-e 's/qmgr$$/o&/' \
-e 's/QMGR[^_]/O&/' | \
$(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
pickup.8.html: ../src/pickup/pickup.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
pipe.8.html: ../src/pipe/pipe.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
proxymap.8.html: ../src/proxymap/proxymap.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
qmgr.8.html: ../src/qmgr/qmgr.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
qmqpd.8.html: ../src/qmqpd/qmqpd.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
showq.8.html: ../src/showq/showq.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
spawn.8.html: ../src/spawn/spawn.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
smtp.8.html: ../src/smtp/smtp.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
smtpd.8.html: ../src/smtpd/smtpd.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
virtual.8.html: ../src/virtual/virtual.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
trace.8.html: bounce.8.html
rm -f $@
ln -s $? $@
trivial-rewrite.8.html: ../src/trivial-rewrite/trivial-rewrite.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
verify.8.html: ../src/verify/verify.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postalias.1.html: ../src/postalias/postalias.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postcat.1.html: ../src/postcat/postcat.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postconf.1.html: ../src/postconf/postconf.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postdrop.1.html: ../src/postdrop/postdrop.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postfix.1.html: ../src/postfix/postfix.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postkick.1.html: ../src/postkick/postkick.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postlock.1.html: ../src/postlock/postlock.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postlog.1.html: ../src/postlog/postlog.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postmap.1.html: ../src/postmap/postmap.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postqueue.1.html: ../src/postqueue/postqueue.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postsuper.1.html: ../src/postsuper/postsuper.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
sendmail.1.html: ../src/sendmail/sendmail.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
mailq.1.html: sendmail.1.html
PATH=../mantools:$$PATH; \
rm -f $@
ln -s $? $@
newaliases.1.html: sendmail.1.html
PATH=../mantools:$$PATH; \
rm -f $@
ln -s $? $@
smtp-source.1.html: ../src/smtpstone/smtp-source.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
smtp-sink.1.html: ../src/smtpstone/smtp-sink.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
qmqp-source.1.html: ../src/smtpstone/qmqp-source.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
qmqp-sink.1.html: ../src/smtpstone/qmqp-sink.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
access.5.html: ../proto/access
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
aliases.5.html: ../proto/aliases
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
canonical.5.html: ../proto/canonical
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
cidr_table.5.html: ../proto/cidr_table
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
header_checks.5.html: ../proto/header_checks
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
ldap_table.5.html: ../proto/ldap_table
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
mysql_table.5.html: ../proto/mysql_table
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
pcre_table.5.html: ../proto/pcre_table
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
pgsql_table.5.html: ../proto/pgsql_table
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
regexp_table.5.html: ../proto/regexp_table
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
relocated.5.html: ../proto/relocated
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
tcp_table.5.html: ../proto/tcp_table
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
transport.5.html: ../proto/transport
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
virtual.5.html: ../proto/virtual
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
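Review bot: this hunk deletes the whole 258-line file of html build rules (-1,258 +0,0), but neither the commit message nor the HISTORY hunk above mentions the removal or what now generates the *.html manual pages. Add a HISTORY line naming the replacement, so that someone rebuilding the documentation from this snapshot knows where the rules went.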

View File

@@ -1,258 +0,0 @@
SHELL = /bin/sh
# For now, just hard-coded rules for daemons, commands, config files.
DAEMONS = bounce.8.html cleanup.8.html defer.8.html error.8.html local.8.html \
lmtp.8.html master.8.html pickup.8.html pipe.8.html qmgr.8.html \
showq.8.html smtp.8.html smtpd.8.html trivial-rewrite.8.html \
oqmgr.8.html spawn.8.html flush.8.html virtual.8.html qmqpd.8.html \
trace.8.html verify.8.html proxymap.8.html
COMMANDS= mailq.1.html newaliases.1.html postalias.1.html postcat.1.html \
postconf.1.html postfix.1.html postkick.1.html postlock.1.html \
postlog.1.html postdrop.1.html postmap.1.html sendmail.1.html \
postqueue.1.html postsuper.1.html smtp-source.1.html \
smtp-sink.1.html qmqp-source.1.html qmqp-sink.1.html
CONFIG = access.5.html aliases.5.html canonical.5.html relocated.5.html \
transport.5.html virtual.5.html pcre_table.5.html regexp_table.5.html \
cidr_table.5.html header_checks.5.html \
ldap_table.5.html mysql_table.5.html pgsql_table.5.html
AWK = awk '{ print; if (NR == 1) print ".pl 9999" }'
MAN2HTML = man2html -t "Postfix manual - `IFS=.; set \`echo $@\`; echo \"$$1($$2)\"`"
update: $(DAEMONS) $(COMMANDS) $(CONFIG)
Makefile: Makefile.in
(set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../src/makedefs; cat $?) >$@
clean:
echo clean
tidy: clean
clobber:
rm -f $(DAEMONS) $(COMMANDS) $(CONFIG)
bounce.8.html: ../src/bounce/bounce.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
defer.8.html: bounce.8.html
rm -f $@
ln -s $? $@
error.8.html: ../src/error/error.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
flush.8.html: ../src/flush/flush.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
cleanup.8.html: ../src/cleanup/cleanup.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
anvil.8.html: ../src/anvil/anvil.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
lmtp.8.html: ../src/lmtp/lmtp.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
local.8.html: ../src/local/local.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
master.8.html: ../src/master/master.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
oqmgr.8.html: ../src/oqmgr/qmgr.c
PATH=../mantools:$$PATH; \
srctoman $? | sed -e 's/qmgr[^_]/o&/' \
-e 's/qmgr$$/o&/' \
-e 's/QMGR[^_]/O&/' | \
$(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
pickup.8.html: ../src/pickup/pickup.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
pipe.8.html: ../src/pipe/pipe.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
proxymap.8.html: ../src/proxymap/proxymap.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
qmgr.8.html: ../src/qmgr/qmgr.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
qmqpd.8.html: ../src/qmqpd/qmqpd.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
showq.8.html: ../src/showq/showq.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
spawn.8.html: ../src/spawn/spawn.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
smtp.8.html: ../src/smtp/smtp.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
smtpd.8.html: ../src/smtpd/smtpd.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
virtual.8.html: ../src/virtual/virtual.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
trace.8.html: bounce.8.html
rm -f $@
ln -s $? $@
trivial-rewrite.8.html: ../src/trivial-rewrite/trivial-rewrite.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
verify.8.html: ../src/verify/verify.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postalias.1.html: ../src/postalias/postalias.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postcat.1.html: ../src/postcat/postcat.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postconf.1.html: ../src/postconf/postconf.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postdrop.1.html: ../src/postdrop/postdrop.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postfix.1.html: ../src/postfix/postfix.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postkick.1.html: ../src/postkick/postkick.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postlock.1.html: ../src/postlock/postlock.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postlog.1.html: ../src/postlog/postlog.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postmap.1.html: ../src/postmap/postmap.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postqueue.1.html: ../src/postqueue/postqueue.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
postsuper.1.html: ../src/postsuper/postsuper.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
sendmail.1.html: ../src/sendmail/sendmail.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
mailq.1.html: sendmail.1.html
PATH=../mantools:$$PATH; \
rm -f $@
ln -s $? $@
newaliases.1.html: sendmail.1.html
PATH=../mantools:$$PATH; \
rm -f $@
ln -s $? $@
smtp-source.1.html: ../src/smtpstone/smtp-source.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
smtp-sink.1.html: ../src/smtpstone/smtp-sink.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
qmqp-source.1.html: ../src/smtpstone/qmqp-source.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
qmqp-sink.1.html: ../src/smtpstone/qmqp-sink.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
access.5.html: ../proto/access
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
aliases.5.html: ../proto/aliases
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
canonical.5.html: ../proto/canonical
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
cidr_table.5.html: ../proto/cidr_table
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
header_checks.5.html: ../proto/header_checks
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
ldap_table.5.html: ../proto/ldap_table
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
mysql_table.5.html: ../proto/mysql_table
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
pcre_table.5.html: ../proto/pcre_table
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
pgsql_table.5.html: ../proto/pgsql_table
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
regexp_table.5.html: ../proto/regexp_table
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
relocated.5.html: ../proto/relocated
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
tcp_table.5.html: ../proto/tcp_table
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
transport.5.html: ../proto/transport
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
virtual.5.html: ../proto/virtual
PATH=../mantools:$$PATH; \
srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@

View File

@@ -179,6 +179,12 @@ described in the <a href="postconf.5.html">postconf(5)</a> manual page. </p>
# Whitelisting: local clients may specify any destination. Others may not. # Whitelisting: local clients may specify any destination. Others may not.
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
# Block clients that speak too early.
<a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> = <a href="postconf.5.html#reject_unauth_pipelining">reject_unauth_pipelining</a>
# Enforce mail volume quota via policy service callouts.
<a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a> = <a href="postconf.5.html#check_policy_service">check_policy_service</a> unix:private/policy
</pre> </pre>
<p> Each restriction list is evaluated from left to right until <p> Each restriction list is evaluated from left to right until

View File

@@ -580,7 +580,7 @@ recommends a maximum of 24 hours. </p>
<h3><a name="server_access">Server access control</a> </h3> <h3><a name="server_access">Server access control</a> </h3>
<p> Postfix TLS support introduces two additional features for <p> Postfix TLS support introduces three additional features for
Postfix SMTP server access control: </p> Postfix SMTP server access control: </p>
<blockquote> <blockquote>
@@ -596,6 +596,10 @@ and if its fingerprint is listed in the list of client certificates
client SMTP request if the client certificate passes verification. client SMTP request if the client certificate passes verification.
</p> </dd> </p> </dd>
<dt> <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> <a href="DATABASE_README.html">type:table</a></dt> <dd>
<p> If the client certificate passes verification, use its fingerprint
as a key for the specified <a href="access.5.html">access(5)</a> table. </p> </dd>
</dl> </dl>
</blockquote> </blockquote>

View File

@@ -243,8 +243,8 @@ CLEANUP(8) CLEANUP(8)
<b>RESOURCE AND RATE CONTROLS</b> <b>RESOURCE AND RATE CONTROLS</b>
<b><a href="postconf.5.html#duplicate_filter_limit">duplicate_filter_limit</a> (1000)</b> <b><a href="postconf.5.html#duplicate_filter_limit">duplicate_filter_limit</a> (1000)</b>
The maximal number of addresses remembered by the The maximal number of addresses remembered by the
address duplicate filter for <a href="aliases.5.html"><b>aliases</b>(5)</a> or <b>vir-</b> address duplicate filter for <a href="aliases.5.html"><b>aliases</b>(5)</a> or <a href="virtual.5.html"><b>vir-</b></a>
<b>tual</b>(5) alias expansion, or for <a href="showq.8.html"><b>showq</b>(8)</a> queue dis- <a href="virtual.5.html"><b>tual</b>(5)</a> alias expansion, or for <a href="showq.8.html"><b>showq</b>(8)</a> queue dis-
plays. plays.
<b><a href="postconf.5.html#header_size_limit">header_size_limit</a> (102400)</b> <b><a href="postconf.5.html#header_size_limit">header_size_limit</a> (102400)</b>

View File

@@ -445,8 +445,8 @@ LOCAL(8) LOCAL(8)
<b><a href="postconf.5.html#duplicate_filter_limit">duplicate_filter_limit</a> (1000)</b> <b><a href="postconf.5.html#duplicate_filter_limit">duplicate_filter_limit</a> (1000)</b>
The maximal number of addresses remembered by the The maximal number of addresses remembered by the
address duplicate filter for <a href="aliases.5.html"><b>aliases</b>(5)</a> or <b>vir-</b> address duplicate filter for <a href="aliases.5.html"><b>aliases</b>(5)</a> or <a href="virtual.5.html"><b>vir-</b></a>
<b>tual</b>(5) alias expansion, or for <a href="showq.8.html"><b>showq</b>(8)</a> queue dis- <a href="virtual.5.html"><b>tual</b>(5)</a> alias expansion, or for <a href="showq.8.html"><b>showq</b>(8)</a> queue dis-
plays. plays.
<b><a href="postconf.5.html#local_destination_concurrency_limit">local_destination_concurrency_limit</a> (2)</b> <b><a href="postconf.5.html#local_destination_concurrency_limit">local_destination_concurrency_limit</a> (2)</b>

View File

@@ -46,10 +46,12 @@ that starts with whitespace continues a logical line. </p>
recursively replaced by the value of the named parameter. </p> recursively replaced by the value of the named parameter. </p>
<li> <p> The expression "${name?value}" expands to "value" when <li> <p> The expression "${name?value}" expands to "value" when
"$name" is non-empty. </p> "$name" is non-empty. This form is supported with Postfix version
2.2 and later. </p>
<li> <p> The expression "${name:value}" expands to "value" when <li> <p> The expression "${name:value}" expands to "value" when
"$name" is empty. </p> "$name" is empty. This form is supported with Postfix version 2.2
and later. </p>
</ul> </ul>
@@ -5073,6 +5075,12 @@ D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home </p>
relay_clientcerts = hash:/etc/postfix/relay_clientcerts relay_clientcerts = hash:/etc/postfix/relay_clientcerts
</pre> </pre>
<p>For more fine-grained control, use <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> to select
an appropriate <a href="access.5.html">access(5)</a> policy for each client.
See <a href="RESTRICTION_CLASS_README.html">RESTRICTION_CLASS_README</a>.</p>
<p>This feature is available with Postfix 2.2.</p>
</DD> </DD>
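Review bot: the added "This feature is available with Postfix 2.2." paragraph follows the check_ccert_access pointer, so it is unclear whether "this feature" means relay_clientcerts or check_ccert_access. Name the parameter in the sentence. The wording also differs from the "supported with Postfix version 2.2 and later" form used for the ${name?value} text in the same file; pick one form.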
@@ -7050,6 +7058,12 @@ client network address information.
<dl> <dl>
<dt><b><a name="check_ccert_access">check_ccert_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
<dd>When the remote SMTP client certificate is verified successfully,
use the client certificate fingerprint as lookup key for the specified
<a href="access.5.html">access(5)</a> database. This feature is available with Postfix 2.2.</dd>
<dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> <dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
<dd>Search the specified access database for the client hostname, <dd>Search the specified access database for the client hostname,
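Review bot: the new check_ccert_access entry is placed under the sentence "The following restrictions are specific to client hostname or client network address information", but its lookup key is the certificate fingerprint, so that introductory sentence should be widened to cover it. The entry also does not say what happens when no certificate is presented or verification fails; the code added in this commit returns SMTPD_CHECK_DUNNO in that case, and the documentation should state that the restriction is then skipped rather than rejecting.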
@@ -7077,13 +7091,13 @@ authenticated via the <a href="http://www.faqs.org/rfcs/rfc2554.html">RFC 2554</
verified successfully. This option must be used only if a special verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted CA issues the certificates and only this CA is listed as trusted
CA, otherwise all clients with a recognized certificate would be CA, otherwise all clients with a recognized certificate would be
allowed to relay. </dd> allowed to relay. This feature is available with Postfix 2.2.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt> <dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
<dd>Permit the request when the remote SMTP client certificate is <dd>Permit the request when the remote SMTP client certificate is
verified successfully, and the certificate fingerprint is listed verified successfully, and the certificate fingerprint is listed
in $relay_clientcerts. </dd> in $relay_clientcerts. This feature is available with Postfix 2.2.</dd>
<dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt> <dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
<dd>Reject the request when the reversed client network address is <dd>Reject the request when the reversed client network address is

View File

@@ -26,16 +26,15 @@ POSTFIX(1) POSTFIX(1)
The following commands are implemented: The following commands are implemented:
<b>check</b> Validate the Postfix mail system configuration. <b>check</b> Warn about bad directory/file ownership or permis-
Warn about bad directory/file ownership or permis-
sions, and create missing directories. sions, and create missing directories.
<b>start</b> Start the Postfix mail system. This also runs the <b>start</b> Start the Postfix mail system. This also runs the
configuration check described above. configuration check described above.
<b>stop</b> Stop the Postfix mail system in an orderly fashion. <b>stop</b> Stop the Postfix mail system in an orderly fashion.
Running processes are allowed to terminate at their If possible, running processes are allowed to ter-
earliest convenience. minate at their earliest convenience.
Note: in order to refresh the Postfix mail system Note: in order to refresh the Postfix mail system
after a configuration change, do not use the <b>start</b> after a configuration change, do not use the <b>start</b>
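Review bot: with "Validate the Postfix mail system configuration." removed from the check entry, the unchanged start entry still says it "runs the configuration check described above", but nothing above is described as a configuration check any more. Either keep a short mention of configuration in the check entry or reword the start entry to refer to the ownership and permission check.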

View File

@@ -38,10 +38,12 @@ POSTSUPER(1) POSTSUPER(1)
<b>-d</b> <i>queue</i><b>_</b><i>id</i> <b>-d</b> <i>queue</i><b>_</b><i>id</i>
Delete one message with the named queue ID from the Delete one message with the named queue ID from the
named mail queue(s) (default: <b>hold</b>, <b>incoming</b>, named mail queue(s) (default: <b>hold</b>, <b>incoming</b>,
<b>active</b> and <b>deferred</b>). If a <i>queue</i><b>_</b><i>id</i> of <b>-</b> is speci- <b>active</b> and <b>deferred</b>).
fied, the program reads queue IDs from standard
input. For example, to delete all mail with exactly If a <i>queue</i><b>_</b><i>id</i> of <b>-</b> is specified, the program reads
one recipient <b>user@example.com</b>: queue IDs from standard input. For example, to
delete all mail with exactly one recipient
<b>user@example.com</b>:
mailq | tail +2 | awk 'BEGIN { RS = "" } mailq | tail +2 | awk 'BEGIN { RS = "" }
# $7=sender, $8=recipient1, $9=recipient2 # $7=sender, $8=recipient1, $9=recipient2
@@ -83,9 +85,10 @@ POSTSUPER(1) POSTSUPER(1)
Put mail "on hold" so that no attempt is made to Put mail "on hold" so that no attempt is made to
deliver it. Move one message with the named queue deliver it. Move one message with the named queue
ID from the named mail queue(s) (default: <b>incoming</b>, ID from the named mail queue(s) (default: <b>incoming</b>,
<b>active</b> and <b>deferred</b>) to the <b>hold</b> queue. If a <b>active</b> and <b>deferred</b>) to the <b>hold</b> queue.
<i>queue</i><b>_</b><i>id</i> of <b>-</b> is specified, the program reads queue
IDs from standard input. If a <i>queue</i><b>_</b><i>id</i> of <b>-</b> is specified, the program reads
queue IDs from standard input.
Specify <b>-h ALL</b> to hold all messages; for example, Specify <b>-h ALL</b> to hold all messages; for example,
specify <b>-h ALL deferred</b> to hold mail in the specify <b>-h ALL deferred</b> to hold mail in the
@@ -101,8 +104,9 @@ POSTSUPER(1) POSTSUPER(1)
<b>-H</b> <i>queue</i><b>_</b><i>id</i> <b>-H</b> <i>queue</i><b>_</b><i>id</i>
Release mail that was put "on hold". Move one mes- Release mail that was put "on hold". Move one mes-
sage with the named queue ID from the named mail sage with the named queue ID from the named mail
queue(s) (default: <b>hold</b>) to the <b>deferred</b> queue. If queue(s) (default: <b>hold</b>) to the <b>deferred</b> queue.
a <i>queue</i><b>_</b><i>id</i> of <b>-</b> is specified, the program reads
If a <i>queue</i><b>_</b><i>id</i> of <b>-</b> is specified, the program reads
queue IDs from standard input. queue IDs from standard input.
Note: use "<b>postsuper -r</b>" to release mail that was Note: use "<b>postsuper -r</b>" to release mail that was
@@ -122,6 +126,7 @@ POSTSUPER(1) POSTSUPER(1)
the named mail queue(s) (default: <b>hold</b>, <b>incoming</b>, the named mail queue(s) (default: <b>hold</b>, <b>incoming</b>,
<b>active</b> and <b>deferred</b>). To requeue multiple mes- <b>active</b> and <b>deferred</b>). To requeue multiple mes-
sages, specify multiple <b>-r</b> command-line options. sages, specify multiple <b>-r</b> command-line options.
Alternatively, if a <i>queue</i><b>_</b><i>id</i> of <b>-</b> is specified, the Alternatively, if a <i>queue</i><b>_</b><i>id</i> of <b>-</b> is specified, the
program reads queue IDs from standard input. program reads queue IDs from standard input.

View File

@@ -68,8 +68,8 @@ RELOCATED(5) RELOCATED(5)
in $<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a></b> or $<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a></b>. in $<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a></b> or $<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a></b>.
@<i>domain</i> @<i>domain</i>
Matches every other address in <i>domain</i>. This form Matches other addresses in <i>domain</i>. This form has
has the lowest precedence. the lowest precedence.
<b>ADDRESS EXTENSION</b> <b>ADDRESS EXTENSION</b>
When a mail address localpart contains the optional recip- When a mail address localpart contains the optional recip-

View File

@@ -8,7 +8,7 @@
# SYNOPSIS # SYNOPSIS
# \fBmake makefiles \fIname=value...\fR # \fBmake makefiles \fIname=value...\fR
# DESCRIPTION # DESCRIPTION
# The \fBmakedefs\fR command identifies the program compilation # The \fBmakedefs\fR command identifies the compilation
# environment, and emits macro definitions on the standard output # environment, and emits macro definitions on the standard output
# stream that can be prepended to template Makefiles. # stream that can be prepended to template Makefiles.
# #

View File

@@ -25,15 +25,15 @@ runs the \fBpostfix-script\fR shell script to do the actual work.
The following commands are implemented: The following commands are implemented:
.IP \fBcheck\fR .IP \fBcheck\fR
Validate the Postfix mail system configuration. Warn about bad Warn about bad directory/file ownership or permissions,
directory/file ownership or permissions, and create missing and create missing directories.
directories.
.IP \fBstart\fR .IP \fBstart\fR
Start the Postfix mail system. This also runs the configuration Start the Postfix mail system. This also runs the configuration
check described above. check described above.
.IP \fBstop\fR .IP \fBstop\fR
Stop the Postfix mail system in an orderly fashion. Running processes Stop the Postfix mail system in an orderly fashion. If
are allowed to terminate at their earliest convenience. possible, running processes are allowed to terminate at
their earliest convenience.
.sp .sp
Note: in order to refresh the Postfix mail system after a Note: in order to refresh the Postfix mail system after a
configuration change, do not use the \fBstart\fR and \fBstop\fR configuration change, do not use the \fBstart\fR and \fBstop\fR

View File

@@ -37,6 +37,7 @@ MAIL_CONFIG environment setting below.
Delete one message with the named queue ID from the named Delete one message with the named queue ID from the named
mail queue(s) (default: \fBhold\fR, \fBincoming\fR, \fBactive\fR and mail queue(s) (default: \fBhold\fR, \fBincoming\fR, \fBactive\fR and
\fBdeferred\fR). \fBdeferred\fR).
If a \fIqueue_id\fR of \fB-\fR is specified, the program reads If a \fIqueue_id\fR of \fB-\fR is specified, the program reads
queue IDs from standard input. For example, to delete all mail queue IDs from standard input. For example, to delete all mail
with exactly one recipient \fBuser@example.com\fR: with exactly one recipient \fBuser@example.com\fR:
@@ -82,6 +83,7 @@ Put mail "on hold" so that no attempt is made to deliver it.
Move one message with the named queue ID from the named Move one message with the named queue ID from the named
mail queue(s) (default: \fBincoming\fR, \fBactive\fR and mail queue(s) (default: \fBincoming\fR, \fBactive\fR and
\fBdeferred\fR) to the \fBhold\fR queue. \fBdeferred\fR) to the \fBhold\fR queue.
If a \fIqueue_id\fR of \fB-\fR is specified, the program reads If a \fIqueue_id\fR of \fB-\fR is specified, the program reads
queue IDs from standard input. queue IDs from standard input.
.sp .sp
@@ -98,6 +100,7 @@ expiration after it is released from "hold".
Release mail that was put "on hold". Release mail that was put "on hold".
Move one message with the named queue ID from the named Move one message with the named queue ID from the named
mail queue(s) (default: \fBhold\fR) to the \fBdeferred\fR queue. mail queue(s) (default: \fBhold\fR) to the \fBdeferred\fR queue.
If a \fIqueue_id\fR of \fB-\fR is specified, the program reads If a \fIqueue_id\fR of \fB-\fR is specified, the program reads
queue IDs from standard input. queue IDs from standard input.
.sp .sp
@@ -117,6 +120,7 @@ mail queue(s) (default: \fBhold\fR, \fBincoming\fR, \fBactive\fR and
\fBdeferred\fR). \fBdeferred\fR).
To requeue multiple messages, specify multiple \fB-r\fR To requeue multiple messages, specify multiple \fB-r\fR
command-line options. command-line options.
Alternatively, if a \fIqueue_id\fR of \fB-\fR is specified, Alternatively, if a \fIqueue_id\fR of \fB-\fR is specified,
the program reads queue IDs from standard input. the program reads queue IDs from standard input.
.sp .sp

View File

@@ -36,10 +36,12 @@ The expressions "$name", "${name}" or "$(name)" are
recursively replaced by the value of the named parameter. recursively replaced by the value of the named parameter.
.IP \(bu .IP \(bu
The expression "${name?value}" expands to "value" when The expression "${name?value}" expands to "value" when
"$name" is non-empty. "$name" is non-empty. This form is supported with Postfix
version 2.2 and later.
.IP \(bu .IP \(bu
The expression "${name:value}" expands to "value" when The expression "${name:value}" expands to "value" when
"$name" is empty. "$name" is empty. This form is supported with Postfix
version 2.2 and later.
.RE .RE
.IP \(bu .IP \(bu
When the same parameter is defined multiple times, only the last When the same parameter is defined multiple times, only the last
@@ -2743,6 +2745,12 @@ relay_clientcerts = hash:/etc/postfix/relay_clientcerts
.fi .fi
.ad .ad
.ft R .ft R
.PP
For more fine-grained control, use check_ccert_access to select
an appropriate \fBaccess\fR(5) policy for each client.
See RESTRICTION_CLASS_README.
.PP
This feature is available with Postfix 2.2.
.SH relay_destination_concurrency_limit (default: $default_destination_concurrency_limit) .SH relay_destination_concurrency_limit (default: $default_destination_concurrency_limit)
The maximal number of parallel deliveries to the same destination The maximal number of parallel deliveries to the same destination
via the relay message delivery transport. This limit is enforced via the relay message delivery transport. This limit is enforced
@@ -3925,6 +3933,10 @@ restriction that matches wins.
.PP .PP
The following restrictions are specific to client hostname or The following restrictions are specific to client hostname or
client network address information. client network address information.
.IP "\fBcheck_ccert_access \fItype:table\fR\fR"
When the remote SMTP client certificate is verified successfully,
use the client certificate fingerprint as lookup key for the specified
\fBaccess\fR(5) database. This feature is available with Postfix 2.2.
.IP "\fBcheck_client_access \fItype:table\fR\fR" .IP "\fBcheck_client_access \fItype:table\fR\fR"
Search the specified access database for the client hostname, Search the specified access database for the client hostname,
parent domains, client IP address, or networks obtained by stripping parent domains, client IP address, or networks obtained by stripping
@@ -3943,11 +3955,11 @@ Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted CA issues the certificates and only this CA is listed as trusted
CA, otherwise all clients with a recognized certificate would be CA, otherwise all clients with a recognized certificate would be
allowed to relay. allowed to relay. This feature is available with Postfix 2.2.
.IP "\fBpermit_tls_clientcerts\fR" .IP "\fBpermit_tls_clientcerts\fR"
Permit the request when the remote SMTP client certificate is Permit the request when the remote SMTP client certificate is
verified successfully, and the certificate fingerprint is listed verified successfully, and the certificate fingerprint is listed
in $relay_clientcerts. in $relay_clientcerts. This feature is available with Postfix 2.2.
.IP "\fBreject_rbl_client \fIrbl_domain=d.d.d.d\fR\fR" .IP "\fBreject_rbl_client \fIrbl_domain=d.d.d.d\fR\fR"
Reject the request when the reversed client network address is Reject the request when the reversed client network address is
listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR

View File

@@ -67,7 +67,7 @@ Matches \fIuser\fR@\fIsite\fR when \fIsite\fR is $\fBmyorigin\fR,
when \fIsite\fR is listed in $\fBmydestination\fR, or when \fIsite\fR when \fIsite\fR is listed in $\fBmydestination\fR, or when \fIsite\fR
is listed in $\fBinet_interfaces\fR or $\fBproxy_interfaces\fR. is listed in $\fBinet_interfaces\fR or $\fBproxy_interfaces\fR.
.IP @\fIdomain\fR .IP @\fIdomain\fR
Matches every other address in \fIdomain\fR. This form has the lowest Matches other addresses in \fIdomain\fR. This form has the lowest
precedence. precedence.
.SH "ADDRESS EXTENSION" .SH "ADDRESS EXTENSION"
.na .na

View File

@@ -578,7 +578,7 @@ while (<>) {
s/\b[A-Z0-9_]*_README\b/<a href="$&.html">$&<\/a>/g; s/\b[A-Z0-9_]*_README\b/<a href="$&.html">$&<\/a>/g;
s/\bINSTALL\b/<a href="$&.html">$&<\/a>/g; s/\bINSTALL\b/<a href="$&.html">$&<\/a>/g;
s/\bOVERVIEW\b/<a href="$&.html">$&<\/a>/g; s/\bOVERVIEW\b/<a href="$&.html">$&<\/a>/g;
s/"type:table"/"<a href="DATABASE_README.html">type:table<\/a>"/g; s/\btype:table\b/<a href="DATABASE_README.html">type:table<\/a>/g;
# Split manual page hyperlinks across newlines # Split manual page hyperlinks across newlines
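Review bot: the replacement pattern \btype:table\b no longer anchors on the surrounding quotes, so it matches every occurrence of the phrase, including one that is already wrapped in an anchor if the script is run over text containing <a href="DATABASE_README.html">type:table</a>. If the input can ever be pre-linked, guard against nesting links, for example by skipping matches that are followed by </a>. A short comment explaining why the quotes were dropped would also help.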
@@ -597,6 +597,7 @@ while (<>) {
# Access restrictions - client # Access restrictions - client
s;\bcheck_client_access\b;<a href="postconf.5.html#check_client_access">$&</a>;g; s;\bcheck_client_access\b;<a href="postconf.5.html#check_client_access">$&</a>;g;
s;\bcheck_ccert_access\b;<a href="postconf.5.html#check_ccert_access">$&</a>;g;
s;\bpermit_inet_interfaces\b;<a href="postconf.5.html#permit_inet_interfaces">$&</a>;g; s;\bpermit_inet_interfaces\b;<a href="postconf.5.html#permit_inet_interfaces">$&</a>;g;
s;\bpermit_mynetworks\b;<a href="postconf.5.html#permit_mynetworks">$&</a>;g; s;\bpermit_mynetworks\b;<a href="postconf.5.html#permit_mynetworks">$&</a>;g;
s;\bpermit_sasl_authenticated\b;<a href="postconf.5.html#permit_sasl_authenticated">$&</a>;g; s;\bpermit_sasl_authenticated\b;<a href="postconf.5.html#permit_sasl_authenticated">$&</a>;g;

View File

@@ -179,6 +179,12 @@ described in the postconf(5) manual page. </p>
# Whitelisting: local clients may specify any destination. Others may not. # Whitelisting: local clients may specify any destination. Others may not.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
# Block clients that speak too early.
smtpd_data_restrictions = reject_unauth_pipelining
# Enforce mail volume quota via policy service callouts.
smtpd_end_of_data_restrictions = check_policy_service unix:private/policy
</pre> </pre>
<p> Each restriction list is evaluated from left to right until <p> Each restriction list is evaluated from left to right until

View File

@@ -580,7 +580,7 @@ recommends a maximum of 24 hours. </p>
<h3><a name="server_access">Server access control</a> </h3> <h3><a name="server_access">Server access control</a> </h3>
<p> Postfix TLS support introduces two additional features for <p> Postfix TLS support introduces three additional features for
Postfix SMTP server access control: </p> Postfix SMTP server access control: </p>
<blockquote> <blockquote>
@@ -596,6 +596,10 @@ and if its fingerprint is listed in the list of client certificates
client SMTP request if the client certificate passes verification. client SMTP request if the client certificate passes verification.
</p> </dd> </p> </dd>
<dt> check_ccert_access type:table</dt> <dd>
<p> If the client certificate passes verification, use its fingerprint
as a key for the specified access(5) table. </p> </dd>
</dl> </dl>
</blockquote> </blockquote>

View File

@@ -46,10 +46,12 @@ that starts with whitespace continues a logical line. </p>
recursively replaced by the value of the named parameter. </p> recursively replaced by the value of the named parameter. </p>
<li> <p> The expression "${name?value}" expands to "value" when <li> <p> The expression "${name?value}" expands to "value" when
"$name" is non-empty. </p> "$name" is non-empty. This form is supported with Postfix version
2.2 and later. </p>
<li> <p> The expression "${name:value}" expands to "value" when <li> <p> The expression "${name:value}" expands to "value" when
"$name" is empty. </p> "$name" is empty. This form is supported with Postfix version 2.2
and later. </p>
</ul> </ul>

View File

@@ -36,10 +36,12 @@ The expressions "$name", "${name}" or "$(name)" are
recursively replaced by the value of the named parameter. recursively replaced by the value of the named parameter.
.IP \(bu .IP \(bu
The expression "${name?value}" expands to "value" when The expression "${name?value}" expands to "value" when
"$name" is non-empty. "$name" is non-empty. This form is supported with Postfix
version 2.2 and later.
.IP \(bu .IP \(bu
The expression "${name:value}" expands to "value" when The expression "${name:value}" expands to "value" when
"$name" is empty. "$name" is empty. This form is supported with Postfix
version 2.2 and later.
.RE .RE
.IP \(bu .IP \(bu
When the same parameter is defined multiple times, only the last When the same parameter is defined multiple times, only the last

View File

@@ -4313,6 +4313,12 @@ client network address information.
<dl> <dl>
<dt><b><a name="check_ccert_access">check_ccert_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
<dd>When the remote SMTP client certificate is verified successfully,
use the client certificate fingerprint as lookup key for the specified
access(5) database. This feature is available with Postfix 2.2.</dd>
<dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> <dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
<dd>Search the specified access database for the client hostname, <dd>Search the specified access database for the client hostname,
@@ -4341,13 +4347,13 @@ authenticated via the RFC 2554 (AUTH) protocol. </dd>
verified successfully. This option must be used only if a special verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted CA issues the certificates and only this CA is listed as trusted
CA, otherwise all clients with a recognized certificate would be CA, otherwise all clients with a recognized certificate would be
allowed to relay. </dd> allowed to relay. This feature is available with Postfix 2.2.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt> <dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
<dd>Permit the request when the remote SMTP client certificate is <dd>Permit the request when the remote SMTP client certificate is
verified successfully, and the certificate fingerprint is listed verified successfully, and the certificate fingerprint is listed
in $relay_clientcerts. </dd> in $relay_clientcerts. This feature is available with Postfix 2.2.</dd>
<dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt> <dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
<dd>Reject the request when the reversed client network address is <dd>Reject the request when the reversed client network address is
@@ -7873,6 +7879,12 @@ D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home </p>
relay_clientcerts = hash:/etc/postfix/relay_clientcerts relay_clientcerts = hash:/etc/postfix/relay_clientcerts
</pre> </pre>
<p>For more fine-grained control, use check_ccert_access to select
an appropriate access(5) policy for each client.
See RESTRICTION_CLASS_README.</p>
<p>This feature is available with Postfix 2.2.</p>
%PARAM smtpd_tls_cipherlist %PARAM smtpd_tls_cipherlist
<p> Controls the Postfix SMTP server TLS cipher selection scheme. <p> Controls the Postfix SMTP server TLS cipher selection scheme.

View File

@@ -1662,6 +1662,7 @@ extern char *var_perm_mx_networks;
extern int var_access_map_code; extern int var_access_map_code;
#define CHECK_CLIENT_ACL "check_client_access" #define CHECK_CLIENT_ACL "check_client_access"
#define CHECK_CCERT_ACL "check_ccert_access"
#define CHECK_HELO_ACL "check_helo_access" #define CHECK_HELO_ACL "check_helo_access"
#define CHECK_SENDER_ACL "check_sender_access" #define CHECK_SENDER_ACL "check_sender_access"
#define CHECK_RECIP_ACL "check_recipient_access" #define CHECK_RECIP_ACL "check_recipient_access"

View File

@@ -20,7 +20,7 @@
* Patches change the patchlevel and the release date. Snapshots change the * Patches change the patchlevel and the release date. Snapshots change the
* release date only. * release date only.
*/ */
#define MAIL_RELEASE_DATE "20050207" #define MAIL_RELEASE_DATE "20050208"
#define MAIL_VERSION_NUMBER "2.2" #define MAIL_VERSION_NUMBER "2.2"
#define VAR_MAIL_VERSION "mail_version" #define VAR_MAIL_VERSION "mail_version"

View File

@@ -790,7 +790,7 @@ static void pre_init(char *unused_name, char **unused_argv)
* file. * file.
*/ */
if (var_mailbox_limit) { if (var_mailbox_limit) {
if (var_mailbox_limit < var_message_limit) if (var_mailbox_limit < var_message_limit || var_message_limit == 0)
msg_fatal("main.cf configuration error: %s is smaller than %s", msg_fatal("main.cf configuration error: %s is smaller than %s",
VAR_MAILBOX_LIMIT, VAR_MESSAGE_LIMIT); VAR_MAILBOX_LIMIT, VAR_MESSAGE_LIMIT);
set_file_limit(var_mailbox_limit); set_file_limit(var_mailbox_limit);
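Review bot: the new var_message_limit == 0 case in pre_init() reuses the "%s is smaller than %s" fatal message, which misdescribes the error when the message size limit is unlimited and sends the administrator looking at the wrong value. Give the zero case its own branch and message, stating that a limited VAR_MAILBOX_LIMIT requires a non-zero VAR_MESSAGE_LIMIT, and update the comment above the test to mention the unlimited case.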

View File

@@ -19,15 +19,15 @@
/* /*
/* The following commands are implemented: /* The following commands are implemented:
/* .IP \fBcheck\fR /* .IP \fBcheck\fR
/* Validate the Postfix mail system configuration. Warn about bad /* Warn about bad directory/file ownership or permissions,
/* directory/file ownership or permissions, and create missing /* and create missing directories.
/* directories.
/* .IP \fBstart\fR /* .IP \fBstart\fR
/* Start the Postfix mail system. This also runs the configuration /* Start the Postfix mail system. This also runs the configuration
/* check described above. /* check described above.
/* .IP \fBstop\fR /* .IP \fBstop\fR
/* Stop the Postfix mail system in an orderly fashion. Running processes /* Stop the Postfix mail system in an orderly fashion. If
/* are allowed to terminate at their earliest convenience. /* possible, running processes are allowed to terminate at
/* their earliest convenience.
/* .sp /* .sp
/* Note: in order to refresh the Postfix mail system after a /* Note: in order to refresh the Postfix mail system after a
/* configuration change, do not use the \fBstart\fR and \fBstop\fR /* configuration change, do not use the \fBstart\fR and \fBstop\fR

View File

@@ -31,6 +31,7 @@
/* Delete one message with the named queue ID from the named /* Delete one message with the named queue ID from the named
/* mail queue(s) (default: \fBhold\fR, \fBincoming\fR, \fBactive\fR and /* mail queue(s) (default: \fBhold\fR, \fBincoming\fR, \fBactive\fR and
/* \fBdeferred\fR). /* \fBdeferred\fR).
/*
/* If a \fIqueue_id\fR of \fB-\fR is specified, the program reads /* If a \fIqueue_id\fR of \fB-\fR is specified, the program reads
/* queue IDs from standard input. For example, to delete all mail /* queue IDs from standard input. For example, to delete all mail
/* with exactly one recipient \fBuser@example.com\fR: /* with exactly one recipient \fBuser@example.com\fR:
@@ -76,6 +77,7 @@
/* Move one message with the named queue ID from the named /* Move one message with the named queue ID from the named
/* mail queue(s) (default: \fBincoming\fR, \fBactive\fR and /* mail queue(s) (default: \fBincoming\fR, \fBactive\fR and
/* \fBdeferred\fR) to the \fBhold\fR queue. /* \fBdeferred\fR) to the \fBhold\fR queue.
/*
/* If a \fIqueue_id\fR of \fB-\fR is specified, the program reads /* If a \fIqueue_id\fR of \fB-\fR is specified, the program reads
/* queue IDs from standard input. /* queue IDs from standard input.
/* .sp /* .sp
@@ -92,6 +94,7 @@
/* Release mail that was put "on hold". /* Release mail that was put "on hold".
/* Move one message with the named queue ID from the named /* Move one message with the named queue ID from the named
/* mail queue(s) (default: \fBhold\fR) to the \fBdeferred\fR queue. /* mail queue(s) (default: \fBhold\fR) to the \fBdeferred\fR queue.
/*
/* If a \fIqueue_id\fR of \fB-\fR is specified, the program reads /* If a \fIqueue_id\fR of \fB-\fR is specified, the program reads
/* queue IDs from standard input. /* queue IDs from standard input.
/* .sp /* .sp
@@ -111,6 +114,7 @@
/* \fBdeferred\fR). /* \fBdeferred\fR).
/* To requeue multiple messages, specify multiple \fB-r\fR /* To requeue multiple messages, specify multiple \fB-r\fR
/* command-line options. /* command-line options.
/*
/* Alternatively, if a \fIqueue_id\fR of \fB-\fR is specified, /* Alternatively, if a \fIqueue_id\fR of \fB-\fR is specified,
/* the program reads queue IDs from standard input. /* the program reads queue IDs from standard input.
/* .sp /* .sp

View File

@@ -336,6 +336,7 @@ static int check_rcpt_maps(SMTPD_STATE *, const char *, const char *);
* Reject context. * Reject context.
*/ */
#define SMTPD_NAME_CLIENT "Client host" #define SMTPD_NAME_CLIENT "Client host"
#define SMTPD_NAME_CCERT "Client certificate"
#define SMTPD_NAME_HELO "Helo command" #define SMTPD_NAME_HELO "Helo command"
#define SMTPD_NAME_SENDER "Sender address" #define SMTPD_NAME_SENDER "Sender address"
#define SMTPD_NAME_RECIPIENT "Recipient address" #define SMTPD_NAME_RECIPIENT "Recipient address"
@@ -2341,6 +2342,39 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
CHECK_SERVER_RETURN(SMTPD_CHECK_DUNNO); CHECK_SERVER_RETURN(SMTPD_CHECK_DUNNO);
} }
/* check_ccert_access - access for TLS clients by certificate fingerprint */
#ifdef USE_TLS
static int check_ccert_access(SMTPD_STATE *state, const char *table,
const char *def_acl)
{
char *myname = "check_ccert_access";
int found;
if (state->tls_info.peer_verified && state->tls_info.peer_fingerprint) {
if (msg_verbose)
msg_info("%s: %s", myname, state->tls_info.peer_fingerprint);
/*
* Regexp tables don't make sense for certificate fingerprints. That
* may be so, but we can't ignore the entire check_ccert_access
* request without logging a warning.
*
* Log the peer CommonName when access is denied. Non-printable
* characters will be neutered by smtpd_check_reject(). The SMTP
* client name and address are always syslogged as part of a "reject"
* event.
*/
return (check_access(state, table, state->tls_info.peer_fingerprint,
DICT_FLAG_NONE, &found, state->tls_info.peer_CN,
SMTPD_NAME_CCERT, def_acl));
}
return (SMTPD_CHECK_DUNNO);
}
#endif
/* check_mail_access - OK/FAIL based on mail address lookup */ /* check_mail_access - OK/FAIL based on mail address lookup */
static int check_mail_access(SMTPD_STATE *state, const char *table, static int check_mail_access(SMTPD_STATE *state, const char *table,
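Review bot: in check_ccert_access(), state->tls_info.peer_CN is handed to check_access() as the reply name without a NULL test, although the guard only checks peer_verified and peer_fingerprint. Confirm that peer_CN is always set for a verified peer, or substitute a placeholder string before the call. Two smaller points: found is passed by address but never read afterwards, and the comment about regexp tables and "logging a warning" does not correspond to any code in the function, so it should be reworded or removed. Since a missing or unverified certificate silently yields SMTPD_CHECK_DUNNO, a msg_verbose line for that path would make policy debugging easier.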
@@ -3204,6 +3238,10 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
status = reject_rbl_domain(state, *cpp, state->name, status = reject_rbl_domain(state, *cpp, state->name,
SMTPD_NAME_CLIENT); SMTPD_NAME_CLIENT);
} }
#ifdef USE_TLS
} else if (is_map_command(state, name, CHECK_CCERT_ACL, &cpp)) {
status = check_ccert_access(state, *cpp, def_acl);
#endif
} }
/* /*
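Review bot: Wrapping the CHECK_CCERT_ACL branch of generic_checks() in #ifdef USE_TLS means a build without TLS does not recognise the restriction name at all, so a main.cf that lists check_ccert_access is handled by whatever code deals with unrecognised restriction names instead of producing a message that points at the real cause. Suggest keeping the is_map_command() test unconditional and, in the non-TLS build, logging a warning that TLS support is not compiled in, so the same configuration file behaves predictably on both builds.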

View File

@@ -117,8 +117,8 @@
/* dict_eval() expands macro references in the specified string. /* dict_eval() expands macro references in the specified string.
/* The result is owned by the dictionary manager. Make a copy if the /* The result is owned by the dictionary manager. Make a copy if the
/* result is to survive multiple dict_eval() calls. When the /* result is to survive multiple dict_eval() calls. When the
/* \fIrecursive\fR argument is non-zero, macros references are /* \fIrecursive\fR argument is non-zero, macro references in macro
/* expanded recursively. /* lookup results are expanded recursively.
/* /*
/* dict_walk() iterates over all registered dictionaries in some /* dict_walk() iterates over all registered dictionaries in some
/* arbitrary order, and invokes the specified action routine with /* arbitrary order, and invokes the specified action routine with
@@ -183,7 +183,7 @@
#include "vstream.h" #include "vstream.h"
#include "vstring.h" #include "vstring.h"
#include "readlline.h" #include "readlline.h"
#include "mac_parse.h" #include "mac_expand.h"
#include "stringops.h" #include "stringops.h"
#include "iostuff.h" #include "iostuff.h"
#include "dict.h" #include "dict.h"
@@ -410,94 +410,52 @@ void dict_load_fp(const char *dict_name, VSTREAM *fp)
vstring_free(buf); vstring_free(buf);
} }
/* /* dict_eval_lookup - macro parser call-back routine */
* Helper for macro expansion callback.
*/
struct dict_eval_context {
const char *dict_name; /* where to look */
VSTRING *buf; /* result buffer */
int recursive; /* recursive or not */
};
/* dict_eval_action - macro parser call-back routine */ static const char *dict_eval_lookup(const char *key, int unused_type,
char *dict_name)
static int dict_eval_action(int type, VSTRING *buf, char *ptr)
{ {
struct dict_eval_context *ctxt = (struct dict_eval_context *) ptr;
char *myname = "dict_eval_action";
const char *pp; const char *pp;
if (msg_verbose > 1)
msg_info("%s: type %s buf %s context %s \"%s\" %s",
myname, type == MAC_PARSE_VARNAME ? "variable" : "literal",
STR(buf), ctxt->dict_name, STR(ctxt->buf),
ctxt->recursive ? "recursive" : "non-recursive");
/* /*
* In order to support recursion, we must save the dict_lookup() result. * XXX how would one recover?
* We use the input buffer since it will not be needed anymore.
*/ */
if (type == MAC_PARSE_VARNAME) { if ((pp = dict_lookup(dict_name, key)) == 0 && dict_errno != 0)
if ((pp = dict_lookup(ctxt->dict_name, STR(buf))) == 0) { msg_fatal("dictionary %s: lookup %s: temporary error", dict_name, key);
if (dict_errno) /* XXX how would one recover? */
msg_fatal("dictionary %s: lookup %s: temporary error", return (pp);
ctxt->dict_name, STR(buf));
} else if (ctxt->recursive) {
vstring_strcpy(buf, pp); /* XXX clobber input */
dict_eval(ctxt->dict_name, STR(buf), ctxt->recursive);
} else {
vstring_strcat(ctxt->buf, pp);
}
} else {
vstring_strcat(ctxt->buf, STR(buf));
}
return (0);
} }
/* dict_eval - expand embedded dictionary references */ /* dict_eval - expand embedded dictionary references */
const char *dict_eval(const char *dict_name, const char *value, int recursive) const char *dict_eval(const char *dict_name, const char *value, int recursive)
{ {
const char *myname = "dict_eval";
static VSTRING *buf; static VSTRING *buf;
static struct dict_eval_context ctxt; int status;
static int loop = 0;
/*
* Sanity check.
*/
if (loop > 100)
msg_fatal("unreasonable macro nesting: \"%s\"", value);
/* /*
* Initialize. * Initialize.
*/ */
if (buf == 0) if (buf == 0)
buf = vstring_alloc(10); buf = vstring_alloc(10);
if (loop++ == 0) {
VSTRING_RESET(buf);
VSTRING_TERMINATE(buf);
}
ctxt.buf = buf;
ctxt.recursive = recursive;
ctxt.dict_name = dict_name;
/* /*
* Expand macros, possibly recursively. * Expand macros, possibly recursively.
*/ */
if (msg_verbose > 1) #define DONT_FILTER (char *) 0
msg_info("dict_eval[%d] %s", loop, value);
mac_parse(value, dict_eval_action, (char *) &ctxt);
if (msg_verbose > 1)
msg_info("dict_eval[%d] result %s", loop, STR(buf));
/*
* Cleanup.
*/
loop--;
VSTRING_TERMINATE(buf);
status = mac_expand(buf, value,
recursive ? MAC_EXP_FLAG_RECURSE : MAC_EXP_FLAG_NONE,
DONT_FILTER, dict_eval_lookup, (char *) dict_name);
if (status & MAC_PARSE_ERROR)
msg_fatal("dictionary %s: macro processing error", dict_name);
if (msg_verbose) {
if (strcmp(value, STR(buf)) != 0)
msg_info("%s: expand %s -> %s", myname, value, STR(buf));
else
msg_info("%s: const %s", myname, value);
}
return (STR(buf)); return (STR(buf));
} }
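Review bot: dict_eval() loses its explicit nesting guard (the removed "if (loop > 100) msg_fatal("unreasonable macro nesting: ...")") and nothing in the new body bounds recursion when MAC_EXP_FLAG_RECURSE is passed, so a self-referential parameter now relies entirely on mac_expand() to stop. Please confirm that mac_expand() enforces an equivalent depth limit and say so in a comment here; if it does not, keep a bound in this function. The new body also drops the VSTRING_RESET(buf)/VSTRING_TERMINATE(buf) pair, which is correct only if mac_expand() clears its result argument before appending; that deserves a one-line comment as well. Minor: dict_eval_lookup() takes char *dict_name, which forces the (char *) dict_name cast that discards const in the mac_expand() call.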

View File

@@ -88,9 +88,14 @@
/* into the right-hand side. /* into the right-hand side.
/* .IP DICT_FLAG_NO_PROXY /* .IP DICT_FLAG_NO_PROXY
/* Disallow access through the \fBproxymap\fR service. /* Disallow access through the \fBproxymap\fR service.
/* .IP DICT_FLAG_NO_UNAUTH
/* Disallow network lookup mechanisms that lack any form of
/* authentication (example: tcp_table; even NIS can be secured
/* to some extent by requiring that the server binds to a
/* privileged port).
/* .IP DICT_FLAG_PARANOID /* .IP DICT_FLAG_PARANOID
/* A combination of all the paranoia flags: DICT_FLAG_NO_REGSUB /* A combination of all the paranoia flags: DICT_FLAG_NO_REGSUB,
/* and DICT_FLAG_NO_PROXY. /* DICT_FLAG_NO_PROXY and DICT_FLAG_NO_UNAUTH.
/* .PP /* .PP
/* Specify DICT_FLAG_NONE for no special processing. /* Specify DICT_FLAG_NONE for no special processing.
/* /*
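Review bot: Adding DICT_FLAG_NO_UNAUTH to DICT_FLAG_PARANOID changes behaviour for every existing caller that already passes DICT_FLAG_PARANOID, since maps that were accepted before can now be refused. The manual text names only tcp_table as an example, so a reader cannot tell which other map types count as lacking "any form of authentication". Suggest listing the affected map types here, or pointing to where that list lives, and describing what the caller sees when such a map is rejected.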

View File

@@ -45,7 +45,7 @@
/* Bit-wise OR of zero or more of the following: /* Bit-wise OR of zero or more of the following:
/* .RS /* .RS
/* .IP MAC_EXP_FLAG_RECURSE /* .IP MAC_EXP_FLAG_RECURSE
/* Expand $name recursively. This should never be done with /* Expand macros in lookup results. This should never be done with
/* data whose origin is untrusted. /* data whose origin is untrusted.
/* .PP /* .PP
/* The constant MAC_EXP_FLAG_NONE specifies a manifest null value. /* The constant MAC_EXP_FLAG_NONE specifies a manifest null value.
@@ -59,7 +59,7 @@
/* MAC_EXP_MODE_TEST to test the existence of the named attribute /* MAC_EXP_MODE_TEST to test the existence of the named attribute
/* or MAC_EXP_MODE_USE to use the value of the named attribute, /* or MAC_EXP_MODE_USE to use the value of the named attribute,
/* and the caller context that was given to mac_expand(). A null /* and the caller context that was given to mac_expand(). A null
/* result means that the requested attribute was not defined. /* result value means that the requested attribute was not defined.
/* .IP context /* .IP context
/* Caller context that is passed on to the attribute lookup routine. /* Caller context that is passed on to the attribute lookup routine.
/* DIAGNOSTICS /* DIAGNOSTICS
@@ -136,8 +136,11 @@ static int mac_expand_callback(int type, VSTRING *buf, char *ptr)
/* /*
* $Name etc. reference. * $Name etc. reference.
*
* In order to support expansion of lookup results, we must save the lookup
* result. We use the input buffer since it will not be needed anymore.
*/ */
if (type == MAC_PARSE_VARNAME) { if (type == MAC_PARSE_EXPR) {
/* /*
* Look for the ? or : delimiter. In case of a syntax error, return * Look for the ? or : delimiter. In case of a syntax error, return
@@ -183,7 +186,8 @@ static int mac_expand_callback(int type, VSTRING *buf, char *ptr)
} else if (*text == 0) { } else if (*text == 0) {
/* void */ ; /* void */ ;
} else if (mc->flags & MAC_EXP_FLAG_RECURSE) { } else if (mc->flags & MAC_EXP_FLAG_RECURSE) {
mac_parse(text, mac_expand_callback, (char *) mc); vstring_strcpy(buf, text);
mac_parse(vstring_str(buf), mac_expand_callback, (char *) mc);
} else { } else {
len = VSTRING_LEN(mc->result); len = VSTRING_LEN(mc->result);
vstring_strcat(mc->result, text); vstring_strcat(mc->result, text);
@@ -201,17 +205,9 @@ static int mac_expand_callback(int type, VSTRING *buf, char *ptr)
* Literal text. * Literal text.
*/ */
else { else {
text = vstring_str(buf); vstring_strcat(mc->result, vstring_str(buf));
vstring_strcat(mc->result, text);
} }
/*
* Give the poor tester a clue of what is going on.
*/
if (msg_verbose)
msg_info("%s: %s = %s", myname, vstring_str(buf),
text ? text : "(undef)");
mc->level--; mc->level--;
return (mc->status); return (mc->status);

View File

@@ -23,9 +23,11 @@
/* found, and \fIcontext\fR is passed on unmodified from the caller. /* found, and \fIcontext\fR is passed on unmodified from the caller.
/* The application is at liberty to clobber \fIbuf\fR. /* The application is at liberty to clobber \fIbuf\fR.
/* .IP MAC_PARSE_LITERAL /* .IP MAC_PARSE_LITERAL
/* The text in \fIbuf\fR is literal text. /* The content of \fIbuf\fR is literal text.
/* .IP MAC_PARSE_VARNAME /* .IP MAC_PARSE_EXPR
/* The text in \fIbuf\fR is a macro expression. /* The content of \fIbuf\fR is a macro expression: either a
/* bare macro name without the preceding "$", or all the text
/* inside $() or ${}.
/* .PP /* .PP
/* The action routine result value is the bit-wise OR of zero or more /* The action routine result value is the bit-wise OR of zero or more
/* of the following: /* of the following:
@@ -72,11 +74,11 @@
* execute the action, and reset the temporary buffer for re-use. * execute the action, and reset the temporary buffer for re-use.
*/ */
#define MAC_PARSE_ACTION(status, type, buf, context) \ #define MAC_PARSE_ACTION(status, type, buf, context) \
{ \ do { \
VSTRING_TERMINATE(buf); \ VSTRING_TERMINATE(buf); \
status |= action(type, buf, context); \ status |= action((type), (buf), (context)); \
VSTRING_RESET(buf); \ VSTRING_RESET(buf); \
} } while(0)
/* mac_parse - split string into literal text and macro references */ /* mac_parse - split string into literal text and macro references */
@@ -138,7 +140,7 @@ int mac_parse(const char *value, MAC_PARSE_FN action, char *context)
msg_warn("empty macro name: \"%s\"", value); msg_warn("empty macro name: \"%s\"", value);
break; break;
} }
MAC_PARSE_ACTION(status, MAC_PARSE_VARNAME, buf, context); MAC_PARSE_ACTION(status, MAC_PARSE_EXPR, buf, context);
} }
} }
if (VSTRING_LEN(buf) > 0 && (status & MAC_PARSE_ERROR) == 0) if (VSTRING_LEN(buf) > 0 && (status & MAC_PARSE_ERROR) == 0)
@@ -167,8 +169,8 @@ static int mac_parse_print(int type, VSTRING *buf, char *unused_context)
char *type_name; char *type_name;
switch (type) { switch (type) {
case MAC_PARSE_VARNAME: case MAC_PARSE_EXPR:
type_name = "MAC_PARSE_VARNAME"; type_name = "MAC_PARSE_EXPR";
break; break;
case MAC_PARSE_LITERAL: case MAC_PARSE_LITERAL:
type_name = "MAC_PARSE_LITERAL"; type_name = "MAC_PARSE_LITERAL";

View File

@@ -20,7 +20,8 @@
* External interface. * External interface.
*/ */
#define MAC_PARSE_LITERAL 1 #define MAC_PARSE_LITERAL 1
#define MAC_PARSE_VARNAME 2 #define MAC_PARSE_EXPR 2
#define MAC_PARSE_VARNAME MAC_PARSE_EXPR /* 2.1 compatibility */
#define MAC_PARSE_OK 0 #define MAC_PARSE_OK 0
#define MAC_PARSE_ERROR (1<<0) #define MAC_PARSE_ERROR (1<<0)

View File

@@ -457,7 +457,7 @@ static void pre_init(char *unused_name, char **unused_argv)
* file. * file.
*/ */
if (var_virt_mailbox_limit) { if (var_virt_mailbox_limit) {
if (var_virt_mailbox_limit < var_message_limit) if (var_virt_mailbox_limit < var_message_limit || var_message_limit == 0)
msg_fatal("main.cf configuration error: %s is smaller than %s", msg_fatal("main.cf configuration error: %s is smaller than %s",
VAR_VIRT_MAILBOX_LIMIT, VAR_MESSAGE_LIMIT); VAR_VIRT_MAILBOX_LIMIT, VAR_MESSAGE_LIMIT);
set_file_limit(var_virt_mailbox_limit); set_file_limit(var_virt_mailbox_limit);
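Review bot: The added "|| var_message_limit == 0" condition reuses the existing msg_fatal() text "%s is smaller than %s", which is misleading when the failure is an unlimited message size: the administrator is told that the mailbox limit is smaller than the message limit while main.cf shows the message limit as 0. Suggest a separate message for the zero case, stating that VAR_MESSAGE_LIMIT must be non-zero when VAR_VIRT_MAILBOX_LIMIT is set, plus a comment at the test noting that 0 means unlimited.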