mirror of https://github.com/vdukhovni/postfix synced 2025-08-22 18:07:41 +00:00

postfix-2.8-20101206

This commit is contained in:
Wietse Venema 2010-12-06 00:00:00 -05:00 committed by Viktor Dukhovni
parent e31ae1582b
commit d87d8c1c0f
8 changed files with 73 additions and 73 deletions

View File

@ -16210,8 +16210,9 @@ Apologies for any names omitted.
Feature: the LDAP client can now authenticate to LDAP servers Feature: the LDAP client can now authenticate to LDAP servers
via SASL. This is tested with SASL GSSAPI and Kerberos 5. via SASL. This is tested with SASL GSSAPI and Kerberos 5.
Code by Victor Duchovni. Files: global/dict_ldap.c, Original code by Quanah Gibson-Mount adapted by Victor
proto/LDAP_README.html, proto/ldap_table. Duchovni. Files: global/dict_ldap.c, proto/LDAP_README.html,
proto/ldap_table.
Cleanup: the cleanup server now reports a temporary delivery Cleanup: the cleanup server now reports a temporary delivery
error when it reaches the virtual_alias_expansion_limit or error when it reaches the virtual_alias_expansion_limit or
@ -16232,3 +16233,8 @@ Apologies for any names omitted.
problems with shared library builds. The dependency was not problems with shared library builds. The dependency was not
necessary because the callers already specify an explicit necessary because the callers already specify an explicit
time limit. File: global/pipe_command.c. time limit. File: global/pipe_command.c.
20101206
postscreen hung up due to incorrect output error test. File:
postscreen/postscreen_send.c.
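Review bot: the new 20101206 HISTORY entry only records the postscreen fix, but the same commit also removes the "sasl (default: no)" parameter from the ldap_table documentation (ldap_table.5.html, ldap_table.5, proto/ldap_table, global/dict_ldap.c) and makes PIPE_CMD_TIME_LIMIT mandatory in global/pipe_command.c (panic when it is missing or negative). Both are user-visible and should be listed under 20101206 with their file names, in the same style as the entry above.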

View File

@ -607,10 +607,6 @@ LDAP_TABLE(5) LDAP_TABLE(5)
The following parameters are relevant to using LDAP with The following parameters are relevant to using LDAP with
SASL SASL
<b>sasl (default: no)</b>
Whether or not to use SASL binds to the server.
Can be yes or no.
<b>sasl_mechs (default: empty)</b> <b>sasl_mechs (default: empty)</b>
Space separated list of SASL mechanism(s) to try. Space separated list of SASL mechanism(s) to try.
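Review bot: the removed "sasl (default: no)" entry is superseded by the text just above the hunk, which says SASL is selected with "bind = sasl" (together with "version = 3"); keeping a separate yes/no switch documented alongside bind = sasl would leave two ways of expressing the same thing, so dropping it is correct. Check that the sasl_* parameters that follow (sasl_mechs, sasl_realm, sasl_minssf) still state that they only take effect when bind = sasl, since the removed paragraph was the only place that framed them as SASL-bind settings.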
@ -622,15 +618,15 @@ LDAP_TABLE(5) LDAP_TABLE(5)
applicable. applicable.
<b>sasl_minssf (default: 0)</b> <b>sasl_minssf (default: 0)</b>
The minimum required sasl security factor required The minimum required sasl security factor required
to establish a connection. to establish a connection.
<b>LDAP SSL AND STARTTLS PARAMETERS</b> <b>LDAP SSL AND STARTTLS PARAMETERS</b>
If you're using the OpenLDAP libraries compiled with SSL If you're using the OpenLDAP libraries compiled with SSL
support, Postfix can connect to LDAP SSL servers and can support, Postfix can connect to LDAP SSL servers and can
issue the STARTTLS command. issue the STARTTLS command.
LDAP SSL service can be requested by using a LDAP SSL URL LDAP SSL service can be requested by using a LDAP SSL URL
in the server_host parameter: in the server_host parameter:
server_host = ldaps://ldap.example.com:636 server_host = ldaps://ldap.example.com:636
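Review bot: this hunk, and the remaining hunks in this file (@ -639, @ -722, @ -753, @ -774), show identical text on both sides; the only change is the four-line offset from the removed sasl paragraph, which suggests the file was regenerated from the nroff source with whitespace-only differences. That is harmless, but it makes the real change hard to find in review; regenerating the HTML in a separate commit, or stripping trailing whitespace in the generator, would keep the diff down to the lines that actually changed.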
@ -639,82 +635,82 @@ LDAP_TABLE(5) LDAP_TABLE(5)
start_tls = yes start_tls = yes
Both forms require LDAP protocol version 3, which has to Both forms require LDAP protocol version 3, which has to
be set explicitly with: be set explicitly with:
version = 3 version = 3
If any of the Postfix programs querying the map is config- If any of the Postfix programs querying the map is config-
ured in <a href="master.5.html">master.cf</a> to run chrooted, all the certificates ured in <a href="master.5.html">master.cf</a> to run chrooted, all the certificates
and keys involved have to be copied to the chroot jail. Of and keys involved have to be copied to the chroot jail. Of
course, the private keys should only be readable by the course, the private keys should only be readable by the
user "postfix". user "postfix".
The following parameters are relevant to LDAP SSL and The following parameters are relevant to LDAP SSL and
STARTTLS: STARTTLS:
<b>start_tls (default: no)</b> <b>start_tls (default: no)</b>
Whether or not to issue STARTTLS upon connection to Whether or not to issue STARTTLS upon connection to
the server. Don't set this with LDAP SSL (the SSL the server. Don't set this with LDAP SSL (the SSL
session is setup automatically when the TCP connec- session is setup automatically when the TCP connec-
tion is opened). tion is opened).
<b>tls_ca_cert_dir (No default; set either this or</b> <b>tls_ca_cert_dir (No default; set either this or</b>
<b>tls_ca_cert_file)</b> <b>tls_ca_cert_file)</b>
Directory containing X509 Certificate Authority Directory containing X509 Certificate Authority
certificates in PEM format which are to be recog- certificates in PEM format which are to be recog-
nized by the client in SSL/TLS connections. The nized by the client in SSL/TLS connections. The
files each contain one CA certificate. The files files each contain one CA certificate. The files
are looked up by the CA subject name hash value, are looked up by the CA subject name hash value,
which must hence be available. If more than one CA which must hence be available. If more than one CA
certificate with the same name hash value exist, certificate with the same name hash value exist,
the extension must be different (e.g. 9d66eef0.0, the extension must be different (e.g. 9d66eef0.0,
9d66eef0.1 etc). The search is performed in the 9d66eef0.1 etc). The search is performed in the
ordering of the extension number, regardless of ordering of the extension number, regardless of
other properties of the certificates. Use the other properties of the certificates. Use the
c_rehash utility (from the OpenSSL distribution) to c_rehash utility (from the OpenSSL distribution) to
create the necessary links. create the necessary links.
<b>tls_ca_cert_file (No default; set either this or</b> <b>tls_ca_cert_file (No default; set either this or</b>
<b>tls_ca_cert_dir)</b> <b>tls_ca_cert_dir)</b>
File containing the X509 Certificate Authority cer- File containing the X509 Certificate Authority cer-
tificates in PEM format which are to be recognized tificates in PEM format which are to be recognized
by the client in SSL/TLS connections. This setting by the client in SSL/TLS connections. This setting
takes precedence over tls_ca_cert_dir. takes precedence over tls_ca_cert_dir.
<b>tls_cert (No default; you must set this)</b> <b>tls_cert (No default; you must set this)</b>
File containing client's X509 certificate to be File containing client's X509 certificate to be
used by the client in SSL/ TLS connections. used by the client in SSL/ TLS connections.
<b>tls_key (No default; you must set this)</b> <b>tls_key (No default; you must set this)</b>
File containing the private key corresponding to File containing the private key corresponding to
the above tls_cert. the above tls_cert.
<b>tls_require_cert (default: no)</b> <b>tls_require_cert (default: no)</b>
Whether or not to request server's X509 certificate Whether or not to request server's X509 certificate
and check its validity when establishing SSL/TLS and check its validity when establishing SSL/TLS
connections. The supported values are <b>no</b> and <b>yes</b>. connections. The supported values are <b>no</b> and <b>yes</b>.
With <b>no</b>, the server certificate trust chain is not With <b>no</b>, the server certificate trust chain is not
checked, but with OpenLDAP prior to 2.1.13, the checked, but with OpenLDAP prior to 2.1.13, the
name in the server certificate must still match the name in the server certificate must still match the
LDAP server name. With OpenLDAP 2.0.0 to 2.0.11 the LDAP server name. With OpenLDAP 2.0.0 to 2.0.11 the
server name is not necessarily what you specified, server name is not necessarily what you specified,
rather it is determined (by reverse lookup) from rather it is determined (by reverse lookup) from
the IP address of the LDAP server connection. With the IP address of the LDAP server connection. With
OpenLDAP prior to 2.0.13, subjectAlternativeName OpenLDAP prior to 2.0.13, subjectAlternativeName
extensions in the LDAP server certificate are extensions in the LDAP server certificate are
ignored: the server name must match the subject ignored: the server name must match the subject
CommonName. The <b>no</b> setting corresponds to the <b>never</b> CommonName. The <b>no</b> setting corresponds to the <b>never</b>
value of <b>TLS_REQCERT</b> in LDAP client configuration value of <b>TLS_REQCERT</b> in LDAP client configuration
files. files.
Don't use TLS with OpenLDAP 2.0.x (and especially Don't use TLS with OpenLDAP 2.0.x (and especially
with x &lt;= 11) if you can avoid it. with x &lt;= 11) if you can avoid it.
With <b>yes</b>, the server certificate must be issued by With <b>yes</b>, the server certificate must be issued by
a trusted CA, and not be expired. The LDAP server a trusted CA, and not be expired. The LDAP server
name must match one of the name(s) found in the name must match one of the name(s) found in the
certificate (see above for OpenLDAP library version certificate (see above for OpenLDAP library version
dependent behavior). The <b>yes</b> setting corresponds to dependent behavior). The <b>yes</b> setting corresponds to
the <b>demand</b> value of <b>TLS_REQCERT</b> in LDAP client con- the <b>demand</b> value of <b>TLS_REQCERT</b> in LDAP client con-
@ -722,27 +718,27 @@ LDAP_TABLE(5) LDAP_TABLE(5)
The "try" and "never" values of <b>TLS_REQCERT</b> have no The "try" and "never" values of <b>TLS_REQCERT</b> have no
equivalents here. They are not available with equivalents here. They are not available with
OpenLDAP 2.0, and in any case have questionable OpenLDAP 2.0, and in any case have questionable
security properties. Either you want TLS verified security properties. Either you want TLS verified
LDAP connections, or you don't. LDAP connections, or you don't.
The <b>yes</b> value only works correctly with Postfix 2.5 The <b>yes</b> value only works correctly with Postfix 2.5
and later, or with OpenLDAP 2.0. Earlier Postfix and later, or with OpenLDAP 2.0. Earlier Postfix
releases or later OpenLDAP releases don't work releases or later OpenLDAP releases don't work
together with this setting. Support for LDAP over together with this setting. Support for LDAP over
TLS was added to Postfix based on the OpenLDAP 2.0 TLS was added to Postfix based on the OpenLDAP 2.0
API. API.
<b>tls_random_file (No default)</b> <b>tls_random_file (No default)</b>
Path of a file to obtain random bits from when Path of a file to obtain random bits from when
/dev/[u]random is not available, to be used by the /dev/[u]random is not available, to be used by the
client in SSL/TLS connections. client in SSL/TLS connections.
<b>tls_cipher_suite (No default)</b> <b>tls_cipher_suite (No default)</b>
Cipher suite to use in SSL/TLS negotiations. Cipher suite to use in SSL/TLS negotiations.
<b>EXAMPLE</b> <b>EXAMPLE</b>
Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a> Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a>
aliases. Assume that in <a href="postconf.5.html">main.cf</a>, you have: aliases. Assume that in <a href="postconf.5.html">main.cf</a>, you have:
<a href="postconf.5.html#alias_maps">alias_maps</a> = hash:/etc/aliases, <a href="postconf.5.html#alias_maps">alias_maps</a> = hash:/etc/aliases,
@ -753,14 +749,14 @@ LDAP_TABLE(5) LDAP_TABLE(5)
server_host = ldap.example.com server_host = ldap.example.com
search_base = dc=example, dc=com search_base = dc=example, dc=com
Upon receiving mail for a local address "ldapuser" that Upon receiving mail for a local address "ldapuser" that
isn't found in the /etc/aliases database, Postfix will isn't found in the /etc/aliases database, Postfix will
search the LDAP server listening at port 389 on ldap.exam- search the LDAP server listening at port 389 on ldap.exam-
ple.com. It will bind anonymously, search for any direc- ple.com. It will bind anonymously, search for any direc-
tory entries whose mailacceptinggeneralid attribute is tory entries whose mailacceptinggeneralid attribute is
"ldapuser", read the "maildrop" attributes of those found, "ldapuser", read the "maildrop" attributes of those found,
and build a list of their maildrops, which will be treated and build a list of their maildrops, which will be treated
as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to which the message will be deliv- as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to which the message will be deliv-
ered. ered.
<b>SEE ALSO</b> <b>SEE ALSO</b>
@ -774,13 +770,13 @@ LDAP_TABLE(5) LDAP_TABLE(5)
<a href="LDAP_README.html">LDAP_README</a>, Postfix LDAP client guide <a href="LDAP_README.html">LDAP_README</a>, Postfix LDAP client guide
<b>LICENSE</b> <b>LICENSE</b>
The Secure Mailer license must be distributed with this The Secure Mailer license must be distributed with this
software. software.
<b>AUTHOR(S)</b> <b>AUTHOR(S)</b>
Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith
Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon, Mike Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon, Mike
Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu, Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu,
Victor Duchovni, and many others. Victor Duchovni, and many others.
LDAP_TABLE(5) LDAP_TABLE(5)

View File

@ -561,8 +561,6 @@ protocol version is 2 for backwards compatibility. You must set
"version = 3" in addition to "bind = sasl". "version = 3" in addition to "bind = sasl".
The following parameters are relevant to using LDAP with SASL The following parameters are relevant to using LDAP with SASL
.IP "\fBsasl (default: no)\fR"
Whether or not to use SASL binds to the server. Can be yes or no.
.IP "\fBsasl_mechs (default: empty)\fR" .IP "\fBsasl_mechs (default: empty)\fR"
Space separated list of SASL mechanism(s) to try. Space separated list of SASL mechanism(s) to try.
.IP "\fBsasl_realm (default: empty)\fR" .IP "\fBsasl_realm (default: empty)\fR"

View File

@ -547,8 +547,6 @@
# "version = 3" in addition to "bind = sasl". # "version = 3" in addition to "bind = sasl".
# #
# The following parameters are relevant to using LDAP with SASL # The following parameters are relevant to using LDAP with SASL
# .IP "\fBsasl (default: no)\fR"
# Whether or not to use SASL binds to the server. Can be yes or no.
# .IP "\fBsasl_mechs (default: empty)\fR" # .IP "\fBsasl_mechs (default: empty)\fR"
# Space separated list of SASL mechanism(s) to try. # Space separated list of SASL mechanism(s) to try.
# .IP "\fBsasl_realm (default: empty)\fR" # .IP "\fBsasl_realm (default: empty)\fR"

View File

@ -103,8 +103,6 @@
/* .IP version /* .IP version
/* Specifies the LDAP protocol version to use. Default is version /* Specifies the LDAP protocol version to use. Default is version
/* \fI2\fR. /* \fI2\fR.
/* .IP "\fBsasl (no)\fR"
/* Whether or not to use SASL binds with the server.
/* .IP "\fBsasl_mechs (empty)\fR" /* .IP "\fBsasl_mechs (empty)\fR"
/* Specifies a space-separated list of LDAP SASL Mechanisms. /* Specifies a space-separated list of LDAP SASL Mechanisms.
/* .IP "\fBsasl_realm (empty)\fR" /* .IP "\fBsasl_realm (empty)\fR"
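Review bot: this hunk removes only the documentation of the "sasl (no)" parameter in the dict_ldap.c header comment. If the parser in the same file still reads a "sasl" attribute from the table configuration, the parameter remains silently accepted but undocumented; either the reading code should go in the same commit, or, if it was never there, a line in the commit message saying the doc entry was stale would save the next reader the search.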

View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20101204" #define MAIL_RELEASE_DATE "20101206"
#define MAIL_VERSION_NUMBER "2.8" #define MAIL_VERSION_NUMBER "2.8"
#ifdef SNAPSHOT #ifdef SNAPSHOT

View File

@ -85,7 +85,8 @@
/* configuration parameter. The group ID must be non-zero. /* configuration parameter. The group ID must be non-zero.
/* .IP "PIPE_CMD_TIME_LIMIT (int)" /* .IP "PIPE_CMD_TIME_LIMIT (int)"
/* The amount of time the command is allowed to run before it /* The amount of time the command is allowed to run before it
/* is terminated with SIGKILL. The default is DEF_COMMAND_MAXTIME. /* is terminated with SIGKILL. A non-negative PIPE_CMD_TIME_LIMIT
/* value must be specified.
/* .IP "PIPE_CMD_SHELL (char *)" /* .IP "PIPE_CMD_SHELL (char *)"
/* The shell to use when executing the command specified with /* The shell to use when executing the command specified with
/* PIPE_CMD_COMMAND. This shell is invoked regardless of the /* PIPE_CMD_COMMAND. This shell is invoked regardless of the
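Review bot: the new sentence "A non-negative PIPE_CMD_TIME_LIMIT value must be specified" admits zero, and the matching check in get_pipe_args (pipe_command_maxtime < 0) also accepts zero, but the text does not say what a zero limit means (terminate the command immediately, or no limit). Either document the meaning of 0 here, or, if 0 is never meaningful for a SIGKILL deadline, change both the wording and the check to require a positive value.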
@ -210,7 +211,7 @@ static void get_pipe_args(struct pipe_args * args, va_list ap)
args->cwd = 0; args->cwd = 0;
args->chroot = 0; args->chroot = 0;
pipe_command_maxtime = DEF_COMMAND_MAXTIME; pipe_command_maxtime = -1;
/* /*
* Then, override the defaults with user-supplied inputs. * Then, override the defaults with user-supplied inputs.
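Review bot: the default changes from DEF_COMMAND_MAXTIME to the bare sentinel -1, and the same -1 is relied on by the "< 0" check later in get_pipe_args. A named constant (or a comment on this line saying that -1 means "not supplied, caller must set PIPE_CMD_TIME_LIMIT") would keep the sentinel and the check from drifting apart, and it documents why the old compile-time dependency on DEF_COMMAND_MAXTIME could be dropped.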
@ -276,6 +277,8 @@ static void get_pipe_args(struct pipe_args * args, va_list ap)
msg_panic("%s: privileged uid", myname); msg_panic("%s: privileged uid", myname);
if (args->gid == 0) if (args->gid == 0)
msg_panic("%s: privileged gid", myname); msg_panic("%s: privileged gid", myname);
if (pipe_command_maxtime < 0)
msg_panic("%s: missing or invalid PIPE_CMD_TIME_LIMIT", myname);
} }
/* pipe_command_write - write to command with time limit */ /* pipe_command_write - write to command with time limit */
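Review bot: the added check turns a missing PIPE_CMD_TIME_LIMIT into a runtime msg_panic rather than a compile-time error, so every caller of pipe_command() must now pass the attribute or the delivery agent will abort on its first use. The commit should state that all existing call sites were audited (the earlier HISTORY entry claims they already specify a limit), since a forgotten caller would only show up in production as a panic. The message "missing or invalid PIPE_CMD_TIME_LIMIT" matches the other privileged-uid/gid panics just above it in wording and placement, which is good.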

View File

@ -85,8 +85,9 @@ int ps_send_reply(int smtp_client_fd, const char *smtp_client_addr,
* XXX Need to make sure that the TCP send buffer is large enough for any * XXX Need to make sure that the TCP send buffer is large enough for any
* response, so that a nasty client can't cause this process to block. * response, so that a nasty client can't cause this process to block.
*/ */
ret = write_buf(smtp_client_fd, text, strlen(text), PS_SEND_TEXT_TIMEOUT); ret = (write_buf(smtp_client_fd, text, strlen(text),
if (ret < 0 && errno != EPIPE) PS_SEND_TEXT_TIMEOUT) < 0);
if (ret != 0 && errno != EPIPE)
msg_warn("write [%s]:%s: %m", smtp_client_addr, smtp_client_port); msg_warn("write [%s]:%s: %m", smtp_client_addr, smtp_client_port);
return (ret); return (ret);
} }
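Review bot: the fix changes the return convention of ps_send_reply from "write_buf result (byte count or -1)" to a 0/1 error flag, which is what the HISTORY entry means by "incorrect output error test": a caller treating any non-zero value as failure would have hung up on every successful write. The function's header comment and every caller that inspects the return value should be updated to the new boolean meaning in the same change, otherwise the old and new conventions will coexist. The errno test is still only evaluated when ret is non-zero, so the EPIPE suppression keeps working.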