mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-30 21:55:20 +00:00
Code Issues Releases Wiki Activity

snapshot-20000529

Browse Source
This commit is contained in:
Wietse Venema
2000-05-29 00:00:00 +00:00
parent 7da180a864
commit df9542112c
20 changed files with 266 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
postfix/HISTORY
View File

@@ -4009,3 +4009,12 @@ Apologies for any names omitted.
feature uses the same filtering syntax as the header_checks feature uses the same filtering syntax as the header_checks
feature. File: cleanup/cleanup_message.c. See also the feature. File: cleanup/cleanup_message.c. See also the
conf/sample-filter.cf file. conf/sample-filter.cf file.
20000529
Feature: full content inspection through external software.
This uses existing interfaces for sending and receiving mail
from and to the content inspector. Currently, only the SMTP
server is suitable for receiving inspected mail. Details
in INSPECTION_README. Files: pickup/pickup.c, smtpd/smtpd.c,
qmgr/qmgr_message.c.

77
postfix/INSPECTION_README Normal file
View File

@@ -0,0 +1,77 @@
This is a very first implementation of Postfix content inspection.
It involves an incompatible change to queue file formats. Older
Postfix versions will move the mail aside to the "corrupt" mail
queue subdirectory.
The example uses content inspection software that can receive and
deliver mail via SMTP. At present, Postfix can receive already
inspected mail only via SMTP. In the future it may become possible
to submit already filtered mail via the postdrop command. However,
doing business over SMTP is much less inefficient.
We will set up a content inspector program listening on localhost
port 10025 that receives mail via the SMTP protocol, and that
submits mail back into Postfix via localhost port 10026.
..................................
. Postfix .
------smtpd \ /local-----
. -cleanup->queue- .
-----pickup / ^ | \smtp------
. | v .
. smtpd smtp .
. 10026 | .
......................|...........
^ |
| v
....|............
. | 10025 .
. inspector .
. .
.................
To enable content inspection in this manner, specify in main.cf a
new parameter:
/etc/postfix/main.cf:
content_inspector = smtp:localhost:10025
This causes Postfix to add one extra content inspection record to
each incoming mail message, with content smtp:localhost:10025.
You can use the same syntax as in the right-hand side of a Postfix
transport table. The content inspection records are added by the
smtpd and pickup servers.
When a queue file has content inspection information, the queue
manager will deliver the mail to the specified content inspector
regardless of its final destination.
Setting up the content inspector could be done with the Postfix
spawn service, to instantiate up to 10 processes on demand:
/etc/postfix/master.cf:
localhost:10025 inet - n n - 10 spawn
user=inspect argv=/some/where/inspect localhost 10026
The spawn server is part of Postfix but is not installed by default.
Edit the top-level Makefile.in file, run "make makefiles", "make",
and "make install".
The /some/where/inspect command is most likely a PERL script. PERL
has modules that make talking SMTP easy. The command-line specifies
that mail shouldbe sent back into Postfix via localhost port 10026.
The job of the content inspector is to either bounce mail with a
suitable diagnostic, or to feed the mail back into Postfix through
a dedicated listener on port localhost 10026:
/etc/postfix/master.cf:
localhost:10026 inet n - n - 0 smtpd
-o content_inspector= myhostname=localhost.domain.name
This is just another SMTP server. It is configured NOT to request
content inspection for incoming mail, has no process limit (so
Postfix will not deadlock), and is configured to use a different
hostname in the greeting message (this is necessary for testing
when I simply use no inspector program and let the SMTP content
inspection interfaces talk directly to each other).

22
postfix/RELEASE_NOTES
View File

@@ -1,4 +1,24 @@
Major changes with snapshot-20000526 Incompatible changes with snapshot-20000529
===========================================
This version introduces an incompatible queue file format change
when content inspection is enabled. Old Postfix queue files will
work fine, but new queue files will not work with old Postfix
versions. They log a warning and move incompatible queue files to
the "corrupt" mail queue subdirectory.
Major changes with snapshot-20000529
====================================
This version introduces full content inspection through an external
process. This involves an incompatible change in queue file format.
Mail is delivered to content inspection software via an existing
mail delivery agent, and is re-injected into Postfix via an existing
mail submission agent. Presently, only the Postfix SMTP server is
suitable for receiving already inspected mail. Details in the
INSPECTION_README file.
Major changes with snapshot-20000528
==================================== ====================================
Specify "body_checks = regexp:/etc/postfix/body_checks" for a quick Specify "body_checks = regexp:/etc/postfix/body_checks" for a quick

4
postfix/SASL_README
View File

@@ -137,8 +137,8 @@ Enabling SASL authentication in the Postfix SMTP client
Turn on client-side SASL authentication, and specify a table with Turn on client-side SASL authentication, and specify a table with
per-host or per-destination username and password information. per-host or per-destination username and password information.
Postfix first looks up the server hostname; if no entry is found, Postfix first looks up the server hostname; if no entry is found,
then Postfix looks up the destination domain name (the address then Postfix looks up the destination domain name (usually, the
remote part). remote part of an email address).
/etc/postfix/main.cf: /etc/postfix/main.cf:
smtp_sasl_auth_enable = yes smtp_sasl_auth_enable = yes

9
postfix/conf/sample-filter.cf
View File

@@ -11,12 +11,15 @@
# When a pattern matches, and the associated action is REJECT, the # When a pattern matches, and the associated action is REJECT, the
# entire message is rejected. # entire message is rejected.
# #
# These patterns do not apply to MIME headers in the message body.
#
header_checks = regexp:/etc/postfix/header_checks header_checks = regexp:/etc/postfix/header_checks
# The body_checks parameter specifies an optional table with patterns # The body_checks parameter specifies an optional table with patterns
# that each physical non-header line is matched against (including # that each physical line in the message body is matched against
# MIME headers inside the message body). Lines are matched one at # (including MIME headers inside the message body - Postfix does not
# a time. Long lines are matched in chunks of at most $line_length_limit # recognize multi-line MIME headers). Lines are matched one at a
# time. Long lines are matched in chunks of at most $line_length_limit
# characters. Patterns are matched in the specified order, and the # characters. Patterns are matched in the specified order, and the
# search stops upon the first match. When a pattern matches, and # search stops upon the first match. When a pattern matches, and
# the associated action is REJECT, the entire message is rejected. # the associated action is REJECT, the entire message is rejected.

8
postfix/global/mail_params.h
View File

@@ -1045,6 +1045,14 @@ extern bool var_allow_min_user;
extern void mail_params_init(void); extern void mail_params_init(void);
/*
* Content inspection transport. The things we have to do because some
* over-paid peecee programmers could not do a proper job.
*/
#define VAR_INSPECT_XPORT "content_inspector"
#define DEF_INSPECT_XPORT ""
extern char *var_inspect_xport;
/* LICENSE /* LICENSE
/* .ad /* .ad
/* .fi /* .fi

2
postfix/global/mail_version.h
View File

@@ -15,7 +15,7 @@
* Version of this program. * Version of this program.
*/ */
#define VAR_MAIL_VERSION "mail_version" #define VAR_MAIL_VERSION "mail_version"
#define DEF_MAIL_VERSION "Snapshot-20000528" #define DEF_MAIL_VERSION "Snapshot-20000529"
extern char *var_mail_version; extern char *var_mail_version;
/* LICENSE /* LICENSE

1
postfix/global/rec_type.c
View File

@@ -43,6 +43,7 @@ REC_TYPE_NAME rec_type_names[] = {
REC_TYPE_SIZE, "message_size", REC_TYPE_SIZE, "message_size",
REC_TYPE_TIME, "time", REC_TYPE_TIME, "time",
REC_TYPE_FULL, "fullname", REC_TYPE_FULL, "fullname",
REC_TYPE_INSP, "content_inspector",
REC_TYPE_FROM, "sender", REC_TYPE_FROM, "sender",
REC_TYPE_DONE, "done", REC_TYPE_DONE, "done",
REC_TYPE_RCPT, "recipient", REC_TYPE_RCPT, "recipient",

3
postfix/global/rec_type.h
View File

@@ -28,6 +28,7 @@
#define REC_TYPE_SIZE 'C' /* first record, created by cleanup */ #define REC_TYPE_SIZE 'C' /* first record, created by cleanup */
#define REC_TYPE_TIME 'T' /* time stamp, required */ #define REC_TYPE_TIME 'T' /* time stamp, required */
#define REC_TYPE_FULL 'F' /* full name, optional */ #define REC_TYPE_FULL 'F' /* full name, optional */
#define REC_TYPE_INSP 'I' /* inspector transport */
#define REC_TYPE_FROM 'S' /* sender, required */ #define REC_TYPE_FROM 'S' /* sender, required */
#define REC_TYPE_DONE 'D' /* delivered recipient, optional */ #define REC_TYPE_DONE 'D' /* delivered recipient, optional */
#define REC_TYPE_RCPT 'R' /* todo recipient, optional */ #define REC_TYPE_RCPT 'R' /* todo recipient, optional */
@@ -51,7 +52,7 @@
* record groups. The first member in each set is the record type that * record groups. The first member in each set is the record type that
* indicates the end of that record group. * indicates the end of that record group.
*/ */
#define REC_TYPE_ENVELOPE "MCTFSDRW" #define REC_TYPE_ENVELOPE "MCTFISDRW"
#define REC_TYPE_CONTENT "XLN" #define REC_TYPE_CONTENT "XLN"
#define REC_TYPE_EXTRACT "EDRPre" #define REC_TYPE_EXTRACT "EDRPre"
#define REC_TYPE_NOEXTRACT "E" #define REC_TYPE_NOEXTRACT "E"

32
postfix/html/pickup.8.html
View File

@@ -47,18 +47,18 @@ PICKUP(8) PICKUP(8)
details and for default values. Use the <b>postfix</b> <b>reload</b> details and for default values. Use the <b>postfix</b> <b>reload</b>
command after a configuration change. command after a configuration change.
<b>Content</b> <b>inspection</b> <b>controls</b>
<b>content</b><i>_</i><b>inspector</b>
The name of a mail delivery transport that inspects
mail prior to delivery. This parameter uses the
same syntax as the right-hand side of a Postfix
transport table.
<b>Miscellaneous</b> <b>Miscellaneous</b>
<b>always</b><i>_</i><b>bcc</b> <b>always</b><i>_</i><b>bcc</b>
Address to send a copy of each message that enters Address to send a copy of each message that enters
the system. the system.
<b>mail</b><i>_</i><b>owner</b>
The process privileges used while not opening a
<b>maildrop</b> file.
<b>queue</b><i>_</i><b>directory</b>
Top-level directory of the Postfix queue.
@@ -71,13 +71,20 @@ PICKUP(8) PICKUP(8)
PICKUP(8) PICKUP(8) PICKUP(8) PICKUP(8)
<b>mail</b><i>_</i><b>owner</b>
The process privileges used while not opening a
<b>maildrop</b> file.
<b>queue</b><i>_</i><b>directory</b>
Top-level directory of the Postfix queue.
<b>SEE</b> <b>ALSO</b> <b>SEE</b> <b>ALSO</b>
<a href="cleanup.8.html">cleanup(8)</a> message canonicalization <a href="cleanup.8.html">cleanup(8)</a> message canonicalization
<a href="master.8.html">master(8)</a> process manager <a href="master.8.html">master(8)</a> process manager
syslogd(8) system logging syslogd(8) system logging
<b>LICENSE</b> <b>LICENSE</b>
The Secure Mailer license must be distributed with this The Secure Mailer license must be distributed with this
software. software.
<b>AUTHOR(S)</b> <b>AUTHOR(S)</b>
@@ -113,13 +120,6 @@ PICKUP(8) PICKUP(8)

6
postfix/html/smtp.8.html
View File

@@ -155,9 +155,9 @@ SMTP(8) SMTP(8)
support. support.
<b>smtp</b><i>_</i><b>sasl</b><i>_</i><b>password</b><i>_</i><b>maps</b> <b>smtp</b><i>_</i><b>sasl</b><i>_</i><b>password</b><i>_</i><b>maps</b>
Lookup tables with per-host <i>name</i>:<i>password</i> entries. Lookup tables with per-host or domain <i>name</i>:<i>password</i>
No entry for a host means no attempt to authenti- entries. No entry for a host means no attempt to
cate. authenticate.
<b>smtp</b><i>_</i><b>sasl</b><i>_</i><b>security</b><i>_</i><b>options</b> <b>smtp</b><i>_</i><b>sasl</b><i>_</i><b>security</b><i>_</i><b>options</b>
Zero or more of the following. Zero or more of the following.

128
postfix/html/smtpd.8.html
View File

@@ -80,10 +80,17 @@ SMTPD(8) SMTPD(8)
For example, allow <a href="http://www.faqs.org/rfcs/rfc822.html">RFC822</a>-style address forms with For example, allow <a href="http://www.faqs.org/rfcs/rfc822.html">RFC822</a>-style address forms with
comments, like Sendmail does. comments, like Sendmail does.
<b>Content</b> <b>inspection</b> <b>controls</b>
<b>content</b><i>_</i><b>inspector</b>
The name of a mail delivery transport that inspects
mail prior to delivery. This parameter uses the
same syntax as the right-hand side of a Postfix
transport table.
<b>Authenication</b> <b>controls</b> <b>Authenication</b> <b>controls</b>
<b>enable</b><i>_</i><b>sasl</b><i>_</i><b>authentication</b> <b>enable</b><i>_</i><b>sasl</b><i>_</i><b>authentication</b>
Enable per-session authentication as per <a href="http://www.faqs.org/rfcs/rfc2554.html">RFC 2554</a> Enable per-session authentication as per <a href="http://www.faqs.org/rfcs/rfc2554.html">RFC 2554</a>
(SASL). This functionality is available only when (SASL). This functionality is available only when
explicitly selected at program build time and explicitly selected at program build time and
explicitly enabled at runtime. explicitly enabled at runtime.
@@ -107,7 +114,7 @@ SMTPD(8) SMTPD(8)
<b>Miscellaneous</b> <b>Miscellaneous</b>
<b>always</b><i>_</i><b>bcc</b> <b>always</b><i>_</i><b>bcc</b>
Address to send a copy of each message that enters Address to send a copy of each message that enters
the system. the system.
<b>command</b><i>_</i><b>directory</b> <b>command</b><i>_</i><b>directory</b>
@@ -115,17 +122,10 @@ SMTPD(8) SMTPD(8)
<b>$program</b><i>_</i><b>directory</b>). <b>$program</b><i>_</i><b>directory</b>).
<b>debug</b><i>_</i><b>peer</b><i>_</i><b>level</b> <b>debug</b><i>_</i><b>peer</b><i>_</i><b>level</b>
Increment in verbose logging level when a remote Increment in verbose logging level when a remote
host matches a pattern in the <b>debug</b><i>_</i><b>peer</b><i>_</i><b>list</b> host matches a pattern in the <b>debug</b><i>_</i><b>peer</b><i>_</i><b>list</b>
parameter. parameter.
<b>debug</b><i>_</i><b>peer</b><i>_</i><b>list</b>
List of domain or network patterns. When a remote
host matches a pattern, increase the verbose log-
ging level by the amount specified in the
<b>debug</b><i>_</i><b>peer</b><i>_</i><b>level</b> parameter.
2 2
@@ -137,59 +137,59 @@ SMTPD(8) SMTPD(8)
SMTPD(8) SMTPD(8) SMTPD(8) SMTPD(8)
<b>debug</b><i>_</i><b>peer</b><i>_</i><b>list</b>
List of domain or network patterns. When a remote
host matches a pattern, increase the verbose log-
ging level by the amount specified in the
<b>debug</b><i>_</i><b>peer</b><i>_</i><b>level</b> parameter.
<b>error</b><i>_</i><b>notice</b><i>_</i><b>recipient</b> <b>error</b><i>_</i><b>notice</b><i>_</i><b>recipient</b>
Recipient of protocol/policy/resource/software Recipient of protocol/policy/resource/software
error notices. error notices.
<b>hopcount</b><i>_</i><b>limit</b> <b>hopcount</b><i>_</i><b>limit</b>
Limit the number of <b>Received:</b> message headers. Limit the number of <b>Received:</b> message headers.
<b>local</b><i>_</i><b>recipient</b><i>_</i><b>maps</b> <b>local</b><i>_</i><b>recipient</b><i>_</i><b>maps</b>
List of maps with user names that are local to List of maps with user names that are local to
<b>$myorigin</b> or <b>$inet</b><i>_</i><b>interfaces</b>. If this parameter is <b>$myorigin</b> or <b>$inet</b><i>_</i><b>interfaces</b>. If this parameter is
defined, then the SMTP server rejects mail for defined, then the SMTP server rejects mail for
unknown local users. unknown local users.
<b>notify</b><i>_</i><b>classes</b> <b>notify</b><i>_</i><b>classes</b>
List of error classes. Of special interest are: List of error classes. Of special interest are:
<b>policy</b> When a client violates any policy, mail a <b>policy</b> When a client violates any policy, mail a
transcript of the entire SMTP session to the transcript of the entire SMTP session to the
postmaster. postmaster.
<b>protocol</b> <b>protocol</b>
When a client violates the SMTP protocol or When a client violates the SMTP protocol or
issues an unimplemented command, mail a issues an unimplemented command, mail a
transcript of the entire SMTP session to the transcript of the entire SMTP session to the
postmaster. postmaster.
<b>smtpd</b><i>_</i><b>banner</b> <b>smtpd</b><i>_</i><b>banner</b>
Text that follows the <b>220</b> status code in the SMTP Text that follows the <b>220</b> status code in the SMTP
greeting banner. greeting banner.
<b>smtpd</b><i>_</i><b>recipient</b><i>_</i><b>limit</b> <b>smtpd</b><i>_</i><b>recipient</b><i>_</i><b>limit</b>
Restrict the number of recipients that the SMTP Restrict the number of recipients that the SMTP
server accepts per message delivery. server accepts per message delivery.
<b>smtpd</b><i>_</i><b>timeout</b> <b>smtpd</b><i>_</i><b>timeout</b>
Limit the time to send a server response and to Limit the time to send a server response and to
receive a client request. receive a client request.
<b>Resource</b> <b>controls</b> <b>Resource</b> <b>controls</b>
<b>line</b><i>_</i><b>length</b><i>_</i><b>limit</b> <b>line</b><i>_</i><b>length</b><i>_</i><b>limit</b>
Limit the amount of memory in bytes used for the Limit the amount of memory in bytes used for the
handling of partial input lines. handling of partial input lines.
<b>message</b><i>_</i><b>size</b><i>_</i><b>limit</b> <b>message</b><i>_</i><b>size</b><i>_</i><b>limit</b>
Limit the total size in bytes of a message, includ- Limit the total size in bytes of a message, includ-
ing on-disk storage for envelope information. ing on-disk storage for envelope information.
<b>queue</b><i>_</i><b>minfree</b>
Minimal amount of free space in bytes in the queue
file system for the SMTP server to accept any mail
at all.
<b>Tarpitting</b>
@@ -203,23 +203,29 @@ SMTPD(8) SMTPD(8)
SMTPD(8) SMTPD(8) SMTPD(8) SMTPD(8)
<b>queue</b><i>_</i><b>minfree</b>
Minimal amount of free space in bytes in the queue
file system for the SMTP server to accept any mail
at all.
<b>Tarpitting</b>
<b>smtpd</b><i>_</i><b>error</b><i>_</i><b>sleep</b><i>_</i><b>time</b> <b>smtpd</b><i>_</i><b>error</b><i>_</i><b>sleep</b><i>_</i><b>time</b>
Time to wait in seconds before sending a 4xx or 5xx Time to wait in seconds before sending a 4xx or 5xx
server error response. server error response.
<b>smtpd</b><i>_</i><b>soft</b><i>_</i><b>error</b><i>_</i><b>limit</b> <b>smtpd</b><i>_</i><b>soft</b><i>_</i><b>error</b><i>_</i><b>limit</b>
When an SMTP client has made this number of errors, When an SMTP client has made this number of errors,
wait <i>error_count</i> seconds before responding to any wait <i>error_count</i> seconds before responding to any
client request. client request.
<b>smtpd</b><i>_</i><b>hard</b><i>_</i><b>error</b><i>_</i><b>limit</b> <b>smtpd</b><i>_</i><b>hard</b><i>_</i><b>error</b><i>_</i><b>limit</b>
Disconnect after a client has made this number of Disconnect after a client has made this number of
errors. errors.
<b>smtpd</b><i>_</i><b>junk</b><i>_</i><b>command</b><i>_</i><b>limit</b> <b>smtpd</b><i>_</i><b>junk</b><i>_</i><b>command</b><i>_</i><b>limit</b>
Limit the number of times a client can issue a junk Limit the number of times a client can issue a junk
command such as NOOP, VRFY, ETRN or RSET in one command such as NOOP, VRFY, ETRN or RSET in one
SMTP session before it is penalized with tarpit SMTP session before it is penalized with tarpit
delays. delays.
<b>UCE</b> <b>control</b> <b>restrictions</b> <b>UCE</b> <b>control</b> <b>restrictions</b>
@@ -228,19 +234,19 @@ SMTPD(8) SMTPD(8)
tem. tem.
<b>smtpd</b><i>_</i><b>helo</b><i>_</i><b>required</b> <b>smtpd</b><i>_</i><b>helo</b><i>_</i><b>required</b>
Require that clients introduce themselves at the Require that clients introduce themselves at the
beginning of an SMTP session. beginning of an SMTP session.
<b>smtpd</b><i>_</i><b>helo</b><i>_</i><b>restrictions</b> <b>smtpd</b><i>_</i><b>helo</b><i>_</i><b>restrictions</b>
Restrict what client hostnames are allowed in <b>HELO</b> Restrict what client hostnames are allowed in <b>HELO</b>
and <b>EHLO</b> commands. and <b>EHLO</b> commands.
<b>smtpd</b><i>_</i><b>sender</b><i>_</i><b>restrictions</b> <b>smtpd</b><i>_</i><b>sender</b><i>_</i><b>restrictions</b>
Restrict what sender addresses are allowed in <b>MAIL</b> Restrict what sender addresses are allowed in <b>MAIL</b>
<b>FROM</b> commands. <b>FROM</b> commands.
<b>smtpd</b><i>_</i><b>recipient</b><i>_</i><b>restrictions</b> <b>smtpd</b><i>_</i><b>recipient</b><i>_</i><b>restrictions</b>
Restrict what recipient addresses are allowed in Restrict what recipient addresses are allowed in
<b>RCPT</b> <b>TO</b> commands. <b>RCPT</b> <b>TO</b> commands.
<b>smtpd</b><i>_</i><b>etrn</b><i>_</i><b>restrictions</b> <b>smtpd</b><i>_</i><b>etrn</b><i>_</i><b>restrictions</b>
@@ -248,15 +254,9 @@ SMTPD(8) SMTPD(8)
mands, and what clients may issue <b>ETRN</b> commands. mands, and what clients may issue <b>ETRN</b> commands.
<b>allow</b><i>_</i><b>untrusted</b><i>_</i><b>routing</b> <b>allow</b><i>_</i><b>untrusted</b><i>_</i><b>routing</b>
Allow untrusted clients to specify addresses with Allow untrusted clients to specify addresses with
sender-specified routing. Enabling this opens up sender-specified routing. Enabling this opens up
nasty relay loopholes involving trusted backup MX nasty relay loopholes involving trusted backup MX
hosts.
<b>restriction</b><i>_</i><b>classes</b>
Declares the name of zero or more parameters that
contain a list of UCE restrictions. The names of
these parameters can then be used instead of the
@@ -269,48 +269,54 @@ SMTPD(8) SMTPD(8)
SMTPD(8) SMTPD(8) SMTPD(8) SMTPD(8)
hosts.
<b>restriction</b><i>_</i><b>classes</b>
Declares the name of zero or more parameters that
contain a list of UCE restrictions. The names of
these parameters can then be used instead of the
restriction lists that they represent. restriction lists that they represent.
<b>maps</b><i>_</i><b>rbl</b><i>_</i><b>domains</b> <b>maps</b><i>_</i><b>rbl</b><i>_</i><b>domains</b>
List of DNS domains that publish the addresses of List of DNS domains that publish the addresses of
blacklisted hosts. blacklisted hosts.
<b>relay</b><i>_</i><b>domains</b> <b>relay</b><i>_</i><b>domains</b>
Restrict what domains or networks this mail system Restrict what domains or networks this mail system
will relay mail from or to. will relay mail from or to.
<b>UCE</b> <b>control</b> <b>responses</b> <b>UCE</b> <b>control</b> <b>responses</b>
<b>access</b><i>_</i><b>map</b><i>_</i><b>reject</b><i>_</i><b>code</b> <b>access</b><i>_</i><b>map</b><i>_</i><b>reject</b><i>_</i><b>code</b>
Server response when a client violates an access Server response when a client violates an access
database restriction. database restriction.
<b>invalid</b><i>_</i><b>hostname</b><i>_</i><b>reject</b><i>_</i><b>code</b> <b>invalid</b><i>_</i><b>hostname</b><i>_</i><b>reject</b><i>_</i><b>code</b>
Server response when a client violates the Server response when a client violates the
<b>reject</b><i>_</i><b>invalid</b><i>_</i><b>hostname</b> restriction. <b>reject</b><i>_</i><b>invalid</b><i>_</i><b>hostname</b> restriction.
<b>maps</b><i>_</i><b>rbl</b><i>_</i><b>reject</b><i>_</i><b>code</b> <b>maps</b><i>_</i><b>rbl</b><i>_</i><b>reject</b><i>_</i><b>code</b>
Server response when a client violates the Server response when a client violates the
<b>maps</b><i>_</i><b>rbl</b><i>_</i><b>domains</b> restriction. <b>maps</b><i>_</i><b>rbl</b><i>_</i><b>domains</b> restriction.
<b>reject</b><i>_</i><b>code</b> <b>reject</b><i>_</i><b>code</b>
Response code when the client matches a <b>reject</b> Response code when the client matches a <b>reject</b>
restriction. restriction.
<b>relay</b><i>_</i><b>domains</b><i>_</i><b>reject</b><i>_</i><b>code</b> <b>relay</b><i>_</i><b>domains</b><i>_</i><b>reject</b><i>_</i><b>code</b>
Server response when a client attempts to violate Server response when a client attempts to violate
the mail relay policy. the mail relay policy.
<b>unknown</b><i>_</i><b>address</b><i>_</i><b>reject</b><i>_</i><b>code</b> <b>unknown</b><i>_</i><b>address</b><i>_</i><b>reject</b><i>_</i><b>code</b>
Server response when a client violates the Server response when a client violates the
<b>reject</b><i>_</i><b>unknown</b><i>_</i><b>address</b> restriction. <b>reject</b><i>_</i><b>unknown</b><i>_</i><b>address</b> restriction.
<b>unknown</b><i>_</i><b>client</b><i>_</i><b>reject</b><i>_</i><b>code</b> <b>unknown</b><i>_</i><b>client</b><i>_</i><b>reject</b><i>_</i><b>code</b>
Server response when a client without address to Server response when a client without address to
name mapping violates the <b>reject</b><i>_</i><b>unknown</b><i>_</i><b>clients</b> name mapping violates the <b>reject</b><i>_</i><b>unknown</b><i>_</i><b>clients</b>
restriction. restriction.
<b>unknown</b><i>_</i><b>hostname</b><i>_</i><b>reject</b><i>_</i><b>code</b> <b>unknown</b><i>_</i><b>hostname</b><i>_</i><b>reject</b><i>_</i><b>code</b>
Server response when a client violates the Server response when a client violates the
<b>reject</b><i>_</i><b>unknown</b><i>_</i><b>hostname</b> restriction. <b>reject</b><i>_</i><b>unknown</b><i>_</i><b>hostname</b> restriction.
<b>SEE</b> <b>ALSO</b> <b>SEE</b> <b>ALSO</b>
@@ -318,12 +324,6 @@ SMTPD(8) SMTPD(8)
<a href="master.8.html">master(8)</a> process manager <a href="master.8.html">master(8)</a> process manager
syslogd(8) system logging syslogd(8) system logging
<b>LICENSE</b>
The Secure Mailer license must be distributed with this
software.
5 5
@@ -335,6 +335,10 @@ SMTPD(8) SMTPD(8)
SMTPD(8) SMTPD(8) SMTPD(8) SMTPD(8)
<b>LICENSE</b>
The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b> <b>AUTHOR(S)</b>
Wietse Venema Wietse Venema
IBM T.J. Watson Research IBM T.J. Watson Research
@@ -383,10 +387,6 @@ SMTPD(8) SMTPD(8)

6
postfix/man/man8/pickup.8
View File

@@ -56,6 +56,12 @@ The following \fBmain.cf\fR parameters are especially relevant to
this program. See the Postfix \fBmain.cf\fR file for syntax details this program. See the Postfix \fBmain.cf\fR file for syntax details
and for default values. Use the \fBpostfix reload\fR command after and for default values. Use the \fBpostfix reload\fR command after
a configuration change. a configuration change.
.SH "Content inspection controls"
.IP \fBcontent_inspector\fR
The name of a mail delivery transport that inspects mail prior
to delivery.
This parameter uses the same syntax as the right-hand side of
a Postfix transport table.
.SH Miscellaneous .SH Miscellaneous
.ad .ad
.fi .fi

2
postfix/man/man8/smtp.8
View File

@@ -117,7 +117,7 @@ Numerical network address to bind to when making a connection.
Enable per-session authentication as per RFC 2554 (SASL). Enable per-session authentication as per RFC 2554 (SASL).
By default, Postfix is built without SASL support. By default, Postfix is built without SASL support.
.IP \fBsmtp_sasl_password_maps\fR .IP \fBsmtp_sasl_password_maps\fR
Lookup tables with per-host \fIname\fR:\fIpassword\fR entries. Lookup tables with per-host or domain \fIname\fR:\fIpassword\fR entries.
No entry for a host means no attempt to authenticate. No entry for a host means no attempt to authenticate.
.IP \fBsmtp_sasl_security_options\fR .IP \fBsmtp_sasl_security_options\fR
Zero or more of the following. Zero or more of the following.

6
postfix/man/man8/smtpd.8
View File

@@ -75,6 +75,12 @@ a configuration change.
.IP \fBstrict_rfc821_envelopes\fR .IP \fBstrict_rfc821_envelopes\fR
Disallow non-RFC 821 style addresses in envelopes. For example, Disallow non-RFC 821 style addresses in envelopes. For example,
allow RFC822-style address forms with comments, like Sendmail does. allow RFC822-style address forms with comments, like Sendmail does.
.SH "Content inspection controls"
.IP \fBcontent_inspector\fR
The name of a mail delivery transport that inspects mail prior
to delivery.
This parameter uses the same syntax as the right-hand side of
a Postfix transport table.
.SH "Authenication controls" .SH "Authenication controls"
.IP \fBenable_sasl_authentication\fR .IP \fBenable_sasl_authentication\fR
Enable per-session authentication as per RFC 2554 (SASL). Enable per-session authentication as per RFC 2554 (SASL).

16
postfix/pickup/pickup.c
View File

@@ -40,6 +40,12 @@
/* this program. See the Postfix \fBmain.cf\fR file for syntax details /* this program. See the Postfix \fBmain.cf\fR file for syntax details
/* and for default values. Use the \fBpostfix reload\fR command after /* and for default values. Use the \fBpostfix reload\fR command after
/* a configuration change. /* a configuration change.
/* .SH "Content inspection controls"
/* .IP \fBcontent_inspector\fR
/* The name of a mail delivery transport that inspects mail prior
/* to delivery.
/* This parameter uses the same syntax as the right-hand side of
/* a Postfix transport table.
/* .SH Miscellaneous /* .SH Miscellaneous
/* .ad /* .ad
/* .fi /* .fi
@@ -106,6 +112,7 @@
/* Application-specific. */ /* Application-specific. */
char *var_always_bcc; char *var_always_bcc;
char *var_inspect_xport;
/* /*
* Structure to bundle a bunch of information about a queue file. * Structure to bundle a bunch of information about a queue file.
@@ -173,6 +180,8 @@ static int copy_segment(VSTREAM *qfile, VSTREAM *cleanup, PICKUP_INFO *info,
info->rcpt = mystrdup(vstring_str(buf)); info->rcpt = mystrdup(vstring_str(buf));
if (type == REC_TYPE_TIME) if (type == REC_TYPE_TIME)
continue; continue;
if (type == REC_TYPE_INSP)
continue;
else { else {
/* /*
@@ -223,6 +232,12 @@ static int pickup_copy(VSTREAM *qfile, VSTREAM *cleanup,
*/ */
rec_fprintf(cleanup, REC_TYPE_TIME, "%ld", (long) info->st.st_mtime); rec_fprintf(cleanup, REC_TYPE_TIME, "%ld", (long) info->st.st_mtime);
/*
* Add content inspection transport.
*/
if (*var_inspect_xport)
rec_fprintf(cleanup, REC_TYPE_INSP, "%s", var_inspect_xport);
/* /*
* Copy the message envelope segment. Allow only those records that we * Copy the message envelope segment. Allow only those records that we
* expect to see in the envelope section. The envelope segment must * expect to see in the envelope section. The envelope segment must
@@ -442,6 +457,7 @@ int main(int argc, char **argv)
{ {
static CONFIG_STR_TABLE str_table[] = { static CONFIG_STR_TABLE str_table[] = {
VAR_ALWAYS_BCC, DEF_ALWAYS_BCC, &var_always_bcc, 0, 0, VAR_ALWAYS_BCC, DEF_ALWAYS_BCC, &var_always_bcc, 0, 0,
VAR_INSPECT_XPORT, DEF_INSPECT_XPORT, &var_inspect_xport, 0, 0,
0, 0,
}; };

1
postfix/qmgr/qmgr.h
View File

@@ -229,6 +229,7 @@ struct QMGR_MESSAGE {
char *sender; /* complete address */ char *sender; /* complete address */
char *errors_to; /* error report address */ char *errors_to; /* error report address */
char *return_receipt; /* confirm receipt address */ char *return_receipt; /* confirm receipt address */
char *inspect_xport; /* inspection transport */
long data_size; /* message content size */ long data_size; /* message content size */
long rcpt_offset; /* more recipients here */ long rcpt_offset; /* more recipients here */
QMGR_RCPT_LIST rcpt_list; /* complete addresses */ QMGR_RCPT_LIST rcpt_list; /* complete addresses */

18
postfix/qmgr/qmgr_message.c
View File

@@ -144,6 +144,7 @@ static QMGR_MESSAGE *qmgr_message_create(const char *queue_name,
message->sender = 0; message->sender = 0;
message->errors_to = 0; message->errors_to = 0;
message->return_receipt = 0; message->return_receipt = 0;
message->inspect_xport = 0;
message->data_size = 0; message->data_size = 0;
message->warn_offset = 0; message->warn_offset = 0;
message->warn_time = 0; message->warn_time = 0;
@@ -246,6 +247,9 @@ static int qmgr_message_read(QMGR_MESSAGE *message)
} else if (rec_type == REC_TYPE_TIME) { } else if (rec_type == REC_TYPE_TIME) {
if (message->arrival_time == 0) if (message->arrival_time == 0)
message->arrival_time = atol(start); message->arrival_time = atol(start);
} else if (rec_type == REC_TYPE_INSP) {
if (message->inspect_xport == 0)
message->inspect_xport = mystrdup(start);
} else if (rec_type == REC_TYPE_FROM) { } else if (rec_type == REC_TYPE_FROM) {
if (message->sender == 0) { if (message->sender == 0) {
message->sender = mystrdup(start); message->sender = mystrdup(start);
@@ -428,6 +432,7 @@ static void qmgr_message_resolve(QMGR_MESSAGE *message)
char **cpp; char **cpp;
char *domain; char *domain;
const char *junk; const char *junk;
char *nexthop;
#define STREQ(x,y) (strcasecmp(x,y) == 0) #define STREQ(x,y) (strcasecmp(x,y) == 0)
#define STR vstring_str #define STR vstring_str
@@ -457,9 +462,14 @@ static void qmgr_message_resolve(QMGR_MESSAGE *message)
* result address may differ from the one specified by the sender. * result address may differ from the one specified by the sender.
*/ */
resolve_clnt_query(recipient->address, &reply); resolve_clnt_query(recipient->address, &reply);
if (!STREQ(recipient->address, STR(reply.recipient))) if (message->inspect_xport) {
UPDATE(recipient->address, STR(reply.recipient)); vstring_strcpy(reply.transport, message->inspect_xport);
if ((nexthop = split_at(STR(reply.transport), ':')) != 0)
vstring_strcpy(reply.nexthop, nexthop);
} else {
if (!STREQ(recipient->address, STR(reply.recipient)))
UPDATE(recipient->address, STR(reply.recipient));
}
/* /*
* Bounce recipients that have moved. We do it here instead of in the * Bounce recipients that have moved. We do it here instead of in the
@@ -692,6 +702,8 @@ void qmgr_message_free(QMGR_MESSAGE *message)
myfree(message->errors_to); myfree(message->errors_to);
if (message->return_receipt) if (message->return_receipt)
myfree(message->return_receipt); myfree(message->return_receipt);
if (message->inspect_xport)
myfree(message->inspect_xport);
qmgr_rcpt_list_free(&message->rcpt_list); qmgr_rcpt_list_free(&message->rcpt_list);
qmgr_message_count--; qmgr_message_count--;
myfree((char *) message); myfree((char *) message);

2
postfix/smtp/smtp.c
View File

@@ -101,7 +101,7 @@
/* Enable per-session authentication as per RFC 2554 (SASL). /* Enable per-session authentication as per RFC 2554 (SASL).
/* By default, Postfix is built without SASL support. /* By default, Postfix is built without SASL support.
/* .IP \fBsmtp_sasl_password_maps\fR /* .IP \fBsmtp_sasl_password_maps\fR
/* Lookup tables with per-host \fIname\fR:\fIpassword\fR entries. /* Lookup tables with per-host or domain \fIname\fR:\fIpassword\fR entries.
/* No entry for a host means no attempt to authenticate. /* No entry for a host means no attempt to authenticate.
/* .IP \fBsmtp_sasl_security_options\fR /* .IP \fBsmtp_sasl_security_options\fR
/* Zero or more of the following. /* Zero or more of the following.

10
postfix/smtpd/smtpd.c
View File

@@ -59,6 +59,12 @@
/* .IP \fBstrict_rfc821_envelopes\fR /* .IP \fBstrict_rfc821_envelopes\fR
/* Disallow non-RFC 821 style addresses in envelopes. For example, /* Disallow non-RFC 821 style addresses in envelopes. For example,
/* allow RFC822-style address forms with comments, like Sendmail does. /* allow RFC822-style address forms with comments, like Sendmail does.
/* .SH "Content inspection controls"
/* .IP \fBcontent_inspector\fR
/* The name of a mail delivery transport that inspects mail prior
/* to delivery.
/* This parameter uses the same syntax as the right-hand side of
/* a Postfix transport table.
/* .SH "Authenication controls" /* .SH "Authenication controls"
/* .IP \fBenable_sasl_authentication\fR /* .IP \fBenable_sasl_authentication\fR
/* Enable per-session authentication as per RFC 2554 (SASL). /* Enable per-session authentication as per RFC 2554 (SASL).
@@ -335,6 +341,7 @@ int var_smtpd_junk_cmd_limit;
bool var_smtpd_sasl_enable; bool var_smtpd_sasl_enable;
char *var_smtpd_sasl_opts; char *var_smtpd_sasl_opts;
char *var_smtpd_sasl_realm; char *var_smtpd_sasl_realm;
char *var_inspect_xport;
/* /*
* Global state, for stand-alone mode queue file cleanup. When this is * Global state, for stand-alone mode queue file cleanup. When this is
@@ -660,6 +667,8 @@ static int mail_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
*/ */
rec_fprintf(state->cleanup, REC_TYPE_TIME, "%ld", rec_fprintf(state->cleanup, REC_TYPE_TIME, "%ld",
(long) time((time_t *) 0)); (long) time((time_t *) 0));
if (*var_inspect_xport)
rec_fprintf(state->cleanup, REC_TYPE_INSP, "%s", var_inspect_xport);
rec_fputs(state->cleanup, REC_TYPE_FROM, argv[2].strval); rec_fputs(state->cleanup, REC_TYPE_FROM, argv[2].strval);
state->sender = mystrdup(argv[2].strval); state->sender = mystrdup(argv[2].strval);
smtpd_chat_reply(state, "250 Ok"); smtpd_chat_reply(state, "250 Ok");
@@ -1425,6 +1434,7 @@ int main(int argc, char **argv)
VAR_LOCAL_RCPT_MAPS, DEF_LOCAL_RCPT_MAPS, &var_local_rcpt_maps, 0, 0, VAR_LOCAL_RCPT_MAPS, DEF_LOCAL_RCPT_MAPS, &var_local_rcpt_maps, 0, 0,
VAR_SMTPD_SASL_OPTS, DEF_SMTPD_SASL_OPTS, &var_smtpd_sasl_opts, 0, 0, VAR_SMTPD_SASL_OPTS, DEF_SMTPD_SASL_OPTS, &var_smtpd_sasl_opts, 0, 0,
VAR_SMTPD_SASL_REALM, DEF_SMTPD_SASL_REALM, &var_smtpd_sasl_realm, 1, 0, VAR_SMTPD_SASL_REALM, DEF_SMTPD_SASL_REALM, &var_smtpd_sasl_realm, 1, 0,
VAR_INSPECT_XPORT, DEF_INSPECT_XPORT, &var_inspect_xport, 0, 0,
0, 0,
}; };