mirror of https://github.com/vdukhovni/postfix synced 2025-08-22 09:57:34 +00:00

postfix-2.8-20101204

This commit is contained in:
Wietse Venema 2010-12-04 00:00:00 -05:00 committed by Viktor Dukhovni
parent 556b04bfed
commit e31ae1582b
28 changed files with 720 additions and 270 deletions

View File

@ -16205,3 +16205,30 @@ Apologies for any names omitted.
Workaround: BSD-ish mkdir() ignores the effective GID
and copies group ownership from the parent directory.
File: util/make_dirs.c.
20101202
Feature: the LDAP client can now authenticate to LDAP servers
via SASL. This is tested with SASL GSSAPI and Kerberos 5.
Code by Victor Duchovni. Files: global/dict_ldap.c,
proto/LDAP_README.html, proto/ldap_table.
Cleanup: the cleanup server now reports a temporary delivery
error when it reaches the virtual_alias_expansion_limit or
virtual_alias_recursion_limit. Previously, it would silently
ignore the excess recipients and deliver the message. File:
cleanup/cleanup_map1n.c.
20101204
Cleanup: sache_clnt_create() had an unnecessary data
dependency on the non-library var_scache_service variable,
causing problems with shared library builds. Instead, it
should use its service argument (which has the same value).
File: global/scache.c.
Cleanup: pipe_command.c had an unnecessary data dependency
on the non-library var_command_maxtime variable, causing
problems with shared library builds. The dependency was not
necessary because the callers already specify an explicit
time limit. File: global/pipe_command.c.
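Review bot: the 20101204 entry names the function "sache_clnt_create()", which reads as a typo for "scache_clnt_create()" given that the entry points at global/scache.c and the variable it drops is var_scache_service; fix the name before this HISTORY text is released, since it is what people grep for.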

View File

@ -81,6 +81,11 @@ AUXLIBS line to point to libldap10.so or libldapssl30.so or whatever you have,
and you may need to use the appropriate linker option (e.g. '-R') so the
executables can find it at runtime.
If you are using OpenLDAP, and the libraries were built with SASL support, you
can add -DUSE_LDAP_SASL to the CCARGS to enable SASL support. For example:
CCARGS="-I/usr/local/include -DHAS_LDAP -DUSE_LDAP_SASL"
CCoonnffiigguurriinngg LLDDAAPP llooookkuuppss
In order to use LDAP lookups, define an LDAP source as a table lookup in
@ -89,8 +94,8 @@ main.cf, for example:
alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
The file /etc/postfix/ldap-aliases.cf can specify a great number of parameters,
including parameters that enable LDAP SSL and STARTTLS. For a complete
description, see the ldap_table(5) manual page.
including parameters that enable LDAP SSL or STARTTLS, and LDAP SASL. For a
complete description, see the ldap_table(5) manual page.
EExxaammppllee:: llooccaall((88)) aalliiaasseess
@ -440,6 +445,8 @@ CCrreeddiittss
* Gunnar Wrobel provided a first implementation of a feature to limit LDAP
search results to leaf nodes only. Victor generalized this into the Postfix
2.4 "leaf_result_attribute" feature.
* Quanah Gibson-Mount contributed support for advanced LDAP SASL mechanisms,
beyond the password-based LDAP "simple" bind.
And of course Wietse.

View File

@ -39,7 +39,9 @@ The main challenge for postscreen(8) is to make an is-it-a-zombie decision
based on a single measurement. This is necessary because many zombies avoid
spamming the same site repeatedly, in an attempt to fly under the radar. Once
postscreen(8) decides that a client is not-a-zombie, it whitelists the client
temporarily to avoid further delays for legitimate mail.
temporarily to avoid further delays for legitimate mail. Clients that pass
postscreen(8) are still subject to the checks that are built into Postfix smtpd
(8), Postfix built-in content filters, and external content filters.
Zombies have challenges too: they have only a limited amount of time to deliver
spam before their IP address becomes blacklisted. To speed up spam deliveries,
@ -50,23 +52,22 @@ continue sending mail even when the server tells them to go away.
postscreen(8) uses a variety of measurements to recognize zombies. First,
postscreen(8) determines if the remote SMTP client IP address is blacklisted.
Second, postscreen(8) looks for protocol compromises that are made to speed up
delivery. The results of such measurements don't change with each delivery
attempt, and are therefore good for making an is-it-a-zombie decision based on
a single measurement.
delivery. These are good indicators for making is-it-a-zombie decisions based
on single measurements.
postscreen(8) does not inspect message content. Message content can vary widely
with each delivery attempt, especially with clients that (also) send legitimate
email. Content is therefore not good for making an is-it-a-zombie decision
based on a single measurement, and that is the problem that postscreen(8) is
postscreen(8) does not inspect message content. Message content can vary from
one delivery to the next, especially with clients that (also) send legitimate
email. Content is not a good indicator for making is-it-a-zombie decisions
based on single measurements, and that is the problem that postscreen(8) is
focused on.
GGeenneerraall ooppeerraattiioonn
The postscreen(8) triage process involves a number of tests, in the order as
described below. Some tests introduce a delay of a few seconds. Once a client
passes all tests, its IP address is temporarily excluded from any tests,
typically 24 hours for simple tests or 1 week for complex tests. This minimizes
the impact of the tests on legitimate mail clients.
passes a test, its IP address is whitelisted from 24 hours for simple tests, to
1 week for complex tests. Whitelisting minimizes the impact of postscreen(8)'s
tests on legitimate mail clients.
After logging its findings, postscreen(8) by default hands off all connections
to a Postfix SMTP server process. This mode is useful for non-destructive
@ -252,11 +253,12 @@ discussed next.
* postscreen(8)'s built-in SMTP engine does not implement the AUTH, STARTTLS,
XCLIENT, and XFORWARD features. STARTTLS and AUTH support may be added in a
future version.
future version. In the mean time, if you need to make these services
available on port 25, then do not enable the tests after the 220 server
greeting.
End-user clients should connect directly to the submission service. Other
systems that require the above features should directly connect to a Postfix
SMTP server, or they should be placed on the postscreen(8) whitelist.
End-user clients should connect directly to the submission service, so that
they never have to deal with postscreen(8)'s tests.
* Command pipelining test
* Non-SMTP command test
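Review bot: the new sentence "In the mean time, if you need to make these services available on port 25, then do not enable the tests after the 220 server greeting" should spell "meantime" as one word and, since this README lists the tests by name, say which tests it means (the command pipelining, non-SMTP command and bare newline tests that follow) rather than relying on the reader to work out which ones run after the greeting.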

View File

@ -33,6 +33,14 @@ This is supported only when the default value is stress-dependent
postscreen parameters always evaluate as if the stress value is
equal to the empty string.
Incompatibility with snapshot 20101202
======================================
Postfix now reports a temporary delivery error when the result of
virtual alias expansion would exceed the virtual_alias_recursion_limit
or virtual_alias_expansion_limit. Previously, Postfix would silently
drop the excess recipients and deliver the message.
Incompatibility with snapshot 20101130
======================================

View File

@ -6,9 +6,10 @@ Wish list:
smtpd xclient option for sasl_username.
Use different ipc_timeout settings for email message
transactions (smtpd, pickup)->cleanup and for quick query/reply
transactions such as address rewriting/resolution.
Use different ipc time limits for email message transactions
(smtpd, pickup)->cleanup and for quick query/reply transactions
such as address rewriting/resolution. Beware of large time
limits for local or virtual alias expansion.
permit_tempfail_action (default: defer_if_reject) to be
used as the default value for dnswl_tempfail_action and
@ -22,9 +23,11 @@ Wish list:
Replace sscanf() numerical conversions by strto[dl]()
for better error reporting.
Consistency: in postconf.proto make <dt>..</dt> tags bold.
As postscreen implements more ESMTP keywords, need to copy
inter-operability features from smtpd to filter keywords
and command syntax.
Milter addrcpt - use Sendmail-compatible default DSN settings.
Consistency: in postconf.proto make <dt>..</dt> tags bold.
postscreen(8): listen on multiple IP addresses and enforce
that the client contacts the primary MX address first (i.e.

View File

@ -128,6 +128,16 @@ change the AUXLIBS line to point to libldap10.so or libldapssl30.so
or whatever you have, and you may need to use the appropriate linker
option (e.g. '-R') so the executables can find it at runtime. </p>
<p> If you are using OpenLDAP, and the libraries were built with SASL
support, you can add -DUSE_LDAP_SASL to the CCARGS to enable SASL support.
For example: </p>
<blockquote>
<pre>
CCARGS="-I/usr/local/include -DHAS_LDAP -DUSE_LDAP_SASL"
</pre>
</blockquote>
<h2><a name="config">Configuring LDAP lookups</a></h2>
<p> In order to use LDAP lookups, define an LDAP source
@ -140,9 +150,9 @@ as a table lookup in <a href="postconf.5.html">main.cf</a>, for example: </p>
</blockquote>
<p> The file /etc/postfix/ldap-aliases.cf can specify a great number
of parameters, including parameters that enable LDAP SSL and
STARTTLS. For a complete description, see the <a href="ldap_table.5.html">ldap_table(5)</a> manual
page. </p>
of parameters, including parameters that enable LDAP SSL or STARTTLS,
and LDAP SASL. For a complete description, see the <a href="ldap_table.5.html">ldap_table(5)</a>
manual page. </p>
<h2><a name="example_alias">Example: local(8) aliases</a></h2>
@ -591,6 +601,9 @@ expansion_limit interface for LDAP, MySQL and PosgreSQL.</li>
limit LDAP search results to leaf nodes only. Victor generalized
this into the Postfix 2.4 "leaf_result_attribute" feature. </li>
<li>Quanah Gibson-Mount contributed support for advanced LDAP SASL
mechanisms, beyond the password-based LDAP "simple" bind. </li>
</ul>
And of course Wietse.

View File

@ -67,7 +67,10 @@ decision based on a single measurement. This is necessary because
many zombies avoid spamming the same site repeatedly, in an attempt
to fly under the radar. Once <a href="postscreen.8.html">postscreen(8)</a> decides that a client
is not-a-zombie, it whitelists the client temporarily to avoid
further delays for legitimate mail. </p>
further delays for legitimate mail. Clients that pass <a href="postscreen.8.html">postscreen(8)</a>
are still subject to the checks that are built into Postfix <a href="smtpd.8.html">smtpd(8)</a>,
Postfix built-in content filters, and external content filters.
</p>
<p> Zombies have challenges too: they have only a limited amount
of time to deliver spam before their IP address becomes blacklisted.
@ -79,25 +82,24 @@ mail even when the server tells them to go away. </p>
<p> <a href="postscreen.8.html">postscreen(8)</a> uses a variety of measurements to recognize
zombies. First, <a href="postscreen.8.html">postscreen(8)</a> determines if the remote SMTP client
IP address is blacklisted. Second, <a href="postscreen.8.html">postscreen(8)</a> looks for protocol
compromises that are made to speed up delivery. The results of
such measurements don't change with each delivery attempt, and are
therefore good for making an is-it-a-zombie decision based on a
single measurement. </p>
compromises that are made to speed up delivery. These are good
indicators for making is-it-a-zombie decisions based on single
measurements. </p>
<p> <a href="postscreen.8.html">postscreen(8)</a> does not inspect message content. Message content
can vary widely with each delivery attempt, especially with clients
that (also) send legitimate email. Content is therefore not good
for making an is-it-a-zombie decision based on a single measurement,
can vary from one delivery to the next, especially with clients
that (also) send legitimate email. Content is not a good indicator
for making is-it-a-zombie decisions based on single measurements,
and that is the problem that <a href="postscreen.8.html">postscreen(8)</a> is focused on. </p>
<h2> <a name="general"> General operation </a> </h2>
<p> The <a href="postscreen.8.html">postscreen(8)</a> triage process involves a number of tests,
in the order as described below. Some tests introduce a delay of
a few seconds. Once a client passes all tests, its IP address is
temporarily excluded from any tests, typically 24 hours for simple
tests or 1 week for complex tests. This minimizes the impact of
the tests on legitimate mail clients. </p>
a few seconds. Once a client passes a test, its IP address is
whitelisted from 24 hours for simple tests, to 1 week for complex
tests. Whitelisting minimizes the impact of <a href="postscreen.8.html">postscreen(8)</a>'s tests
on legitimate mail clients. </p>
<p> After logging its findings, <a href="postscreen.8.html">postscreen(8)</a> by default hands off
all connections to a Postfix SMTP server process. This mode is
@ -340,14 +342,15 @@ a relatively long expiration time. </p>
<li> <p> <a href="postscreen.8.html">postscreen(8)</a>'s built-in SMTP engine does not implement
the AUTH, STARTTLS, XCLIENT, and XFORWARD features. STARTTLS and
AUTH support may be added in a future version. </p>
AUTH support may be added in a future version. In the mean time,
if you need to make these services available on port 25, then do
not enable the tests after the 220 server greeting. </p>
</ul>
<p> End-user clients should connect directly to the submission
service. Other systems that require the above features
should directly connect to a Postfix SMTP server, or they
should be placed on the <a href="postscreen.8.html">postscreen(8)</a> whitelist. </p>
service, so that they never have to deal with <a href="postscreen.8.html">postscreen(8)</a>'s tests.
</p>
<ul>

View File

@ -451,11 +451,26 @@ LDAP_TABLE(5) LDAP_TABLE(5)
and LDAP_SCOPE_ONELEVEL.
<b>bind (default: yes)</b>
Whether or not to bind to the LDAP server. Newer
Whether or how to bind to the LDAP server. Newer
LDAP implementations don't require clients to bind,
which saves time. Example:
# Don't bind
bind = no
# Use SIMPLE bind
bind = yes
# Use SASL bind
bind = sasl
Postfix versions prior to 2.8 only support "bind =
no" which means don't bind, and "bind = yes" which
means do a SIMPLE bind. Postfix 2.8 and later also
supports "bind = SASL" when compiled with LDAP SASL
support as described in <a href="LDAP_README.html">LDAP_README</a>, it also adds
the synonyms "bind = none" and "bind = simple" for
"bind = no" and "bind = yes" respectively. See the
SASL section below for additional parameters avail-
able with "bind = sasl".
If you do need to bind, you might consider config-
uring Postfix to connect to the local machine on a
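Review bot: the bind parameter text is inconsistent about case, "bind = SASL" in the prose versus "bind = sasl" in the example and in the cross-reference to the SASL section; use one spelling, and while there fix "Postfix 2.8 and later also supports" (plural subject, so "support"). This page is generated from proto/ldap_table, so the edit belongs there and the HTML and man page should then be regenerated.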
@ -470,6 +485,9 @@ LDAP_TABLE(5) LDAP_TABLE(5)
guished name. Example:
bind_dn = uid=postfix, dc=your, dc=com
With "bind = sasl" (see above) the DN may be
optional for some SASL mechanisms, don't specify a
DN if not needed.
<b>bind_pw (default: empty)</b>
The password for the distinguished name above. If
@ -483,6 +501,9 @@ LDAP_TABLE(5) LDAP_TABLE(5)
mand. Example:
bind_pw = postfixpw
With "bind = sasl" (see above) the password may be
optional for some SASL mechanisms, don't specify a
password if not needed.
<b>cache (IGNORED with a warning)</b>
@ -553,12 +574,63 @@ LDAP_TABLE(5) LDAP_TABLE(5)
What level to set for debugging in the OpenLDAP
libraries.
<b>LDAP SASL PARAMETERS</b>
If you're using the OpenLDAP libraries compiled with SASL
support, Postfix 2.8 and later built with LDAP SASL sup-
port as described in <a href="LDAP_README.html">LDAP_README</a> can authenticate to LDAP
servers via SASL.
This enables authentication to the LDAP server via mecha-
nisms other than a simple password. The added flexibility
has a cost: it is no longer practical to set an explicit
timeout on the duration of an LDAP bind operation. Under
adverse conditions, whether a SASL bind times out, or if
it does, the duration of the timeout is determined by the
LDAP and SASL libraries.
It is best to use tables that use SASL binds via <a href="proxymap.8.html">prox-</a>
<a href="proxymap.8.html">ymap(8)</a>, this way the requesting process can time-out the
proxymap request. This also lets you tailer the process
environment by overriding the <a href="proxymap.8.html">proxymap(8)</a> import_environ-
ment setting in <a href="master.5.html">master.cf</a>(5). Special environment settings
may be needed to configure GSSAPI credential caches or
other SASL mechanism specific options. The GSSAPI creden-
tials used for LDAP lookups may need to be different than
say those used for the Postfix SMTP client to authenticate
to remote servers.
Using SASL mechanisms requires LDAP protocol version 3,
the default protocol version is 2 for backwards compati-
bility. You must set "version = 3" in addition to "bind =
sasl".
The following parameters are relevant to using LDAP with
SASL
<b>sasl (default: no)</b>
Whether or not to use SASL binds to the server.
Can be yes or no.
<b>sasl_mechs (default: empty)</b>
Space separated list of SASL mechanism(s) to try.
<b>sasl_realm (default: empty)</b>
SASL Realm to use, if applicable.
<b>sasl_authz_id (default: empty)</b>
The SASL authorization identity to assert, if
applicable.
<b>sasl_minssf (default: 0)</b>
The minimum required sasl security factor required
to establish a connection.
<b>LDAP SSL AND STARTTLS PARAMETERS</b>
If you're using the OpenLDAP libraries compiled with SSL
support, Postfix can connect to LDAP SSL servers and can
If you're using the OpenLDAP libraries compiled with SSL
support, Postfix can connect to LDAP SSL servers and can
issue the STARTTLS command.
LDAP SSL service can be requested by using a LDAP SSL URL
LDAP SSL service can be requested by using a LDAP SSL URL
in the server_host parameter:
server_host = ldaps://ldap.example.com:636
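Review bot: the new "sasl (default: no)" parameter overlaps with "bind = sasl" documented above, and the text does not say which one wins when they disagree (for example "bind = sasl" with "sasl = no"); either document the precedence or keep only "bind = sasl" as the selector. The "sasl_minssf (default: 0)" entry should say plainly that 0 means no SASL security layer is required, so that an administrator who relies on SASL alone for confidentiality knows to combine it with the ldaps:// or start_tls settings described in the next section. Smaller points: "tailer the process environment" should be "tailor", the sentence "Under adverse conditions, whether a SASL bind times out, or if it does, the duration of the timeout is determined by the LDAP and SASL libraries" needs rewording (something like "whether a SASL bind times out, and how long that takes, is determined by the LDAP and SASL libraries"), and "requires LDAP protocol version 3, the default protocol version is 2" is a comma splice.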
@ -567,82 +639,82 @@ LDAP_TABLE(5) LDAP_TABLE(5)
start_tls = yes
Both forms require LDAP protocol version 3, which has to
Both forms require LDAP protocol version 3, which has to
be set explicitly with:
version = 3
If any of the Postfix programs querying the map is config-
ured in <a href="master.5.html">master.cf</a> to run chrooted, all the certificates
ured in <a href="master.5.html">master.cf</a> to run chrooted, all the certificates
and keys involved have to be copied to the chroot jail. Of
course, the private keys should only be readable by the
course, the private keys should only be readable by the
user "postfix".
The following parameters are relevant to LDAP SSL and
The following parameters are relevant to LDAP SSL and
STARTTLS:
<b>start_tls (default: no)</b>
Whether or not to issue STARTTLS upon connection to
the server. Don't set this with LDAP SSL (the SSL
the server. Don't set this with LDAP SSL (the SSL
session is setup automatically when the TCP connec-
tion is opened).
<b>tls_ca_cert_dir (No default; set either this or</b>
<b>tls_ca_cert_dir (No default; set either this or</b>
<b>tls_ca_cert_file)</b>
Directory containing X509 Certificate Authority
certificates in PEM format which are to be recog-
nized by the client in SSL/TLS connections. The
files each contain one CA certificate. The files
are looked up by the CA subject name hash value,
which must hence be available. If more than one CA
certificate with the same name hash value exist,
the extension must be different (e.g. 9d66eef0.0,
9d66eef0.1 etc). The search is performed in the
ordering of the extension number, regardless of
certificates in PEM format which are to be recog-
nized by the client in SSL/TLS connections. The
files each contain one CA certificate. The files
are looked up by the CA subject name hash value,
which must hence be available. If more than one CA
certificate with the same name hash value exist,
the extension must be different (e.g. 9d66eef0.0,
9d66eef0.1 etc). The search is performed in the
ordering of the extension number, regardless of
other properties of the certificates. Use the
c_rehash utility (from the OpenSSL distribution) to
create the necessary links.
<b>tls_ca_cert_file (No default; set either this or</b>
<b>tls_ca_cert_file (No default; set either this or</b>
<b>tls_ca_cert_dir)</b>
File containing the X509 Certificate Authority cer-
tificates in PEM format which are to be recognized
by the client in SSL/TLS connections. This setting
tificates in PEM format which are to be recognized
by the client in SSL/TLS connections. This setting
takes precedence over tls_ca_cert_dir.
<b>tls_cert (No default; you must set this)</b>
File containing client's X509 certificate to be
File containing client's X509 certificate to be
used by the client in SSL/ TLS connections.
<b>tls_key (No default; you must set this)</b>
File containing the private key corresponding to
File containing the private key corresponding to
the above tls_cert.
<b>tls_require_cert (default: no)</b>
Whether or not to request server's X509 certificate
and check its validity when establishing SSL/TLS
connections. The supported values are <b>no</b> and <b>yes</b>.
and check its validity when establishing SSL/TLS
connections. The supported values are <b>no</b> and <b>yes</b>.
With <b>no</b>, the server certificate trust chain is not
checked, but with OpenLDAP prior to 2.1.13, the
With <b>no</b>, the server certificate trust chain is not
checked, but with OpenLDAP prior to 2.1.13, the
name in the server certificate must still match the
LDAP server name. With OpenLDAP 2.0.0 to 2.0.11 the
server name is not necessarily what you specified,
rather it is determined (by reverse lookup) from
the IP address of the LDAP server connection. With
OpenLDAP prior to 2.0.13, subjectAlternativeName
server name is not necessarily what you specified,
rather it is determined (by reverse lookup) from
the IP address of the LDAP server connection. With
OpenLDAP prior to 2.0.13, subjectAlternativeName
extensions in the LDAP server certificate are
ignored: the server name must match the subject
ignored: the server name must match the subject
CommonName. The <b>no</b> setting corresponds to the <b>never</b>
value of <b>TLS_REQCERT</b> in LDAP client configuration
value of <b>TLS_REQCERT</b> in LDAP client configuration
files.
Don't use TLS with OpenLDAP 2.0.x (and especially
Don't use TLS with OpenLDAP 2.0.x (and especially
with x &lt;= 11) if you can avoid it.
With <b>yes</b>, the server certificate must be issued by
a trusted CA, and not be expired. The LDAP server
name must match one of the name(s) found in the
With <b>yes</b>, the server certificate must be issued by
a trusted CA, and not be expired. The LDAP server
name must match one of the name(s) found in the
certificate (see above for OpenLDAP library version
dependent behavior). The <b>yes</b> setting corresponds to
the <b>demand</b> value of <b>TLS_REQCERT</b> in LDAP client con-
@ -650,27 +722,27 @@ LDAP_TABLE(5) LDAP_TABLE(5)
The "try" and "never" values of <b>TLS_REQCERT</b> have no
equivalents here. They are not available with
OpenLDAP 2.0, and in any case have questionable
security properties. Either you want TLS verified
OpenLDAP 2.0, and in any case have questionable
security properties. Either you want TLS verified
LDAP connections, or you don't.
The <b>yes</b> value only works correctly with Postfix 2.5
and later, or with OpenLDAP 2.0. Earlier Postfix
releases or later OpenLDAP releases don't work
together with this setting. Support for LDAP over
TLS was added to Postfix based on the OpenLDAP 2.0
and later, or with OpenLDAP 2.0. Earlier Postfix
releases or later OpenLDAP releases don't work
together with this setting. Support for LDAP over
TLS was added to Postfix based on the OpenLDAP 2.0
API.
<b>tls_random_file (No default)</b>
Path of a file to obtain random bits from when
/dev/[u]random is not available, to be used by the
Path of a file to obtain random bits from when
/dev/[u]random is not available, to be used by the
client in SSL/TLS connections.
<b>tls_cipher_suite (No default)</b>
Cipher suite to use in SSL/TLS negotiations.
<b>EXAMPLE</b>
Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a>
Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a>
aliases. Assume that in <a href="postconf.5.html">main.cf</a>, you have:
<a href="postconf.5.html#alias_maps">alias_maps</a> = hash:/etc/aliases,
@ -681,14 +753,14 @@ LDAP_TABLE(5) LDAP_TABLE(5)
server_host = ldap.example.com
search_base = dc=example, dc=com
Upon receiving mail for a local address "ldapuser" that
isn't found in the /etc/aliases database, Postfix will
Upon receiving mail for a local address "ldapuser" that
isn't found in the /etc/aliases database, Postfix will
search the LDAP server listening at port 389 on ldap.exam-
ple.com. It will bind anonymously, search for any direc-
tory entries whose mailacceptinggeneralid attribute is
ple.com. It will bind anonymously, search for any direc-
tory entries whose mailacceptinggeneralid attribute is
"ldapuser", read the "maildrop" attributes of those found,
and build a list of their maildrops, which will be treated
as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to which the message will be deliv-
as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to which the message will be deliv-
ered.
<b>SEE ALSO</b>
@ -702,13 +774,13 @@ LDAP_TABLE(5) LDAP_TABLE(5)
<a href="LDAP_README.html">LDAP_README</a>, Postfix LDAP client guide
<b>LICENSE</b>
The Secure Mailer license must be distributed with this
The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith
Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon, Mike
Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu,
Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith
Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon, Mike
Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu,
Victor Duchovni, and many others.
LDAP_TABLE(5)

View File

@ -55,75 +55,74 @@ POSTSCREEN(8) POSTSCREEN(8)
Problems and transactions are logged to <b>syslogd</b>(8).
<b>BUGS</b>
Some of the non-default protocol tests involve
<a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine. When these
The <a href="postscreen.8.html"><b>postscreen</b>(8)</a> built-in SMTP protocol engine does not
announce support for STARTTLS, AUTH, XCLIENT or XFORWARD.
Support for STARTTLS and AUTH may be added in the future.
In the mean time, if you need to make these services
available on port 25, then do not enable the optional
"after 220 server greeting" tests.
The optional "after 220 server greeting" tests involve
<a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine. When these
tests succeed, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> adds the client to the tempo-
rary whitelist but it cannot not hand off the "live" con-
nection to a Postfix SMTP server process in the middle of
a session. Instead, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> defers attempts to
deliver mail with a 4XX status, and waits for the client
to disconnect. The next time a good client connects, it
will be allowed to talk to a Postfix SMTP server process
to deliver mail. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> mitigates the impact of
this limitation by giving such tests a long expiration
rary whitelist but it cannot not hand off the "live" con-
nection to a Postfix SMTP server process in the middle of
a session. Instead, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> defers attempts to
deliver mail with a 4XX status, and waits for the client
to disconnect. The next time a good client connects, it
will be allowed to talk to a Postfix SMTP server process
to deliver mail. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> mitigates the impact of
this limitation by giving such tests a long expiration
time.
The <a href="postscreen.8.html"><b>postscreen</b>(8)</a> built-in SMTP protocol engine does not
announce support for STARTTLS, AUTH, XCLIENT or XFORWARD
(support for STARTTLS and AUTH may be added in the
future). End-user clients should connect directly to the
submission service; other systems that require the above
features should directly connect to a Postfix SMTP server,
or they should be placed on the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> whitelist.
<b>CONFIGURATION PARAMETERS</b>
Changes to <a href="postconf.5.html">main.cf</a> are not picked up automatically, as
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> processes may run for several hours. Use
Changes to <a href="postconf.5.html">main.cf</a> are not picked up automatically, as
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> processes may run for several hours. Use
the command "postfix reload" after a configuration change.
The text below provides only a parameter summary. See
The text below provides only a parameter summary. See
<a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
NOTE: Some <a href="postscreen.8.html"><b>postscreen</b>(8)</a> parameters implement stress-
dependent behavior. This is supported only when the
default value is stress-dependent (that is, it looks like
NOTE: Some <a href="postscreen.8.html"><b>postscreen</b>(8)</a> parameters implement stress-
dependent behavior. This is supported only when the
default value is stress-dependent (that is, it looks like
${stress?X}${stress:Y}). Other parameters always evaluate
as if the stress value is the empty string.
<b>TRIAGE PARAMETERS</b>
<b><a href="postconf.5.html#postscreen_bare_newline_action">postscreen_bare_newline_action</a> (ignore)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client sends a bare newline character, that is, a
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client sends a bare newline character, that is, a
newline not preceded by carriage return.
<b><a href="postconf.5.html#postscreen_bare_newline_enable">postscreen_bare_newline_enable</a> (no)</b>
Enable "bare newline" SMTP protocol tests in the
Enable "bare newline" SMTP protocol tests in the
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
<b><a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> (ignore)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client is permanently blacklisted with the
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client is permanently blacklisted with the
<a href="postconf.5.html#postscreen_blacklist_networks">postscreen_blacklist_networks</a> parameter.
<b><a href="postconf.5.html#postscreen_blacklist_networks">postscreen_blacklist_networks</a> (empty)</b>
Network addresses that are permanently blacklisted;
see the <a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> parameter for
see the <a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> parameter for
possible actions.
<b><a href="postconf.5.html#postscreen_disable_vrfy_command">postscreen_disable_vrfy_command</a> ($<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a>)</b>
Disable the SMTP VRFY command in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
Disable the SMTP VRFY command in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
daemon.
<b><a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a> (ignore)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client's combined DNSBL score is equal to or
greater than a threshold (as defined with the
greater than a threshold (as defined with the
<a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> and <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_thresh</a>-
<a href="postconf.5.html#postscreen_dnsbl_threshold">old</a> parameters).
<b><a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> (empty)</b>
A mapping from actual DNSBL domain name which
includes a secret password, to the DNSBL domain
A mapping from actual DNSBL domain name which
includes a secret password, to the DNSBL domain
name that postscreen will reply with when it
rejects mail.
@ -132,16 +131,16 @@ POSTSCREEN(8) POSTSCREEN(8)
weight factors.
<b><a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> (1)</b>
The inclusive lower bound for blocking an SMTP
The inclusive lower bound for blocking an SMTP
client, based on its combined DNSBL score as
defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.
defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.
<b><a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> ($<a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>)</b>
List of commands that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server con-
siders in violation of the SMTP protocol.
<b><a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a> (ignore)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client speaks before its turn within the time spec-
ified with the <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> parameter.
@ -149,130 +148,130 @@ POSTSCREEN(8) POSTSCREEN(8)
The <i>text</i> in the optional "220-<i>text</i>..." server
response that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> sends ahead of the real
Postfix SMTP server's "220 text..." response, in an
attempt to confuse bad SMTP clients so that they
attempt to confuse bad SMTP clients so that they
speak before their turn (pre-greet).
<b><a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> (${stress?2}${stress:6}s)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will wait for
an SMTP client to send a command before its turn,
and for DNS blocklist lookup results to arrive
(default: up to 2 seconds under stress, up to 6
an SMTP client to send a command before its turn,
and for DNS blocklist lookup results to arrive
(default: up to 2 seconds under stress, up to 6
seconds otherwise).
<b><a href="postconf.5.html#postscreen_helo_required">postscreen_helo_required</a> ($<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a>)</b>
Require that a remote SMTP client sends HELO or
Require that a remote SMTP client sends HELO or
EHLO before commencing a MAIL transaction.
<b><a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> (drop)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client sends non-SMTP commands as specified with
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client sends non-SMTP commands as specified with
the <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> parameter.
<b><a href="postconf.5.html#postscreen_non_smtp_command_enable">postscreen_non_smtp_command_enable</a> (no)</b>
Enable "non-SMTP command" tests in the
Enable "non-SMTP command" tests in the
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
<b><a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a> (enforce)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client sends multiple commands instead of sending
one command and waiting for the server to respond.
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client sends multiple commands instead of sending
one command and waiting for the server to respond.
<b><a href="postconf.5.html#postscreen_pipelining_enable">postscreen_pipelining_enable</a> (no)</b>
Enable "pipelining" SMTP protocol tests in the
Enable "pipelining" SMTP protocol tests in the
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
<b><a href="postconf.5.html#postscreen_whitelist_networks">postscreen_whitelist_networks</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
Network addresses that are permanently whitelisted,
and that will not be subjected to <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
and that will not be subjected to <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
checks.
<b><a href="postconf.5.html#smtpd_service_name">smtpd_service_name</a> (smtpd)</b>
The internal service that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> forwards
The internal service that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> forwards
allowed connections to.
<b>CACHE CONTROLS</b>
<b><a href="postconf.5.html#postscreen_cache_cleanup_interval">postscreen_cache_cleanup_interval</a> (12h)</b>
The amount of time between <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache
The amount of time between <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache
cleanup runs.
<b><a href="postconf.5.html#postscreen_cache_map">postscreen_cache_map</a> (btree:$<a href="postconf.5.html#data_directory">data_directory</a>/ps_cache)</b>
Persistent storage for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server
Persistent storage for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server
decisions.
<b><a href="postconf.5.html#postscreen_cache_retention_time">postscreen_cache_retention_time</a> (7d)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache an
expired temporary whitelist entry before it is
expired temporary whitelist entry before it is
removed.
<b><a href="postconf.5.html#postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (30d)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
results from a successful "bare newline" SMTP pro-
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
results from a successful "bare newline" SMTP pro-
tocol test.
<b><a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a> (1h)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
results from a successful DNS blocklist test.
<b><a href="postconf.5.html#postscreen_greet_ttl">postscreen_greet_ttl</a> (1d)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
results from a successful PREGREET test.
<b><a href="postconf.5.html#postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (30d)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
results from a successful "non_smtp_command" SMTP
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
results from a successful "non_smtp_command" SMTP
protocol test.
<b><a href="postconf.5.html#postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (30d)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
results from a successful "pipelining" SMTP proto-
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
results from a successful "pipelining" SMTP proto-
col test.
<b>RESOURCE CONTROLS</b>
<b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
Upon input, long lines are chopped up into pieces
of at most this length; upon delivery, long lines
Upon input, long lines are chopped up into pieces
of at most this length; upon delivery, long lines
are reconstructed.
<b><a href="postconf.5.html#postscreen_client_connection_count_limit">postscreen_client_connection_count_limit</a></b>
<b>($<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a>)</b>
How many simultaneous connections any client is
How many simultaneous connections any client is
allowed to have with the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon.
<b><a href="postconf.5.html#postscreen_command_count_limit">postscreen_command_count_limit</a> (20)</b>
The limit on the total number of commands per SMTP
session for <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol
The limit on the total number of commands per SMTP
session for <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol
engine.
<b><a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> (${stress?10}${stress:300}s)</b>
The command "read" time limit for <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s
The command "read" time limit for <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s
built-in SMTP protocol engine.
<b><a href="postconf.5.html#postscreen_post_queue_limit">postscreen_post_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
The number of clients that can be waiting for ser-
The number of clients that can be waiting for ser-
vice from a real SMTP server process.
<b><a href="postconf.5.html#postscreen_pre_queue_limit">postscreen_pre_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
The number of non-whitelisted clients that can be
waiting for a decision whether they will receive
The number of non-whitelisted clients that can be
waiting for a decision whether they will receive
service from a real SMTP server process.
<b><a href="postconf.5.html#postscreen_watchdog_timeout">postscreen_watchdog_timeout</a> (10s)</b>
How much time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may take to
respond to an SMTP client command or to perform a
How much time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may take to
respond to an SMTP client command or to perform a
cache operation before it is terminated by a built-
in watchdog timer.
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
<a href="master.5.html">master.cf</a> configuration files.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
The maximal number of digits after the decimal
The maximal number of digits after the decimal
point when logging sub-second delay values.
<b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
The location of all postfix administrative com-
The location of all postfix administrative com-
mands.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
@ -280,24 +279,24 @@ POSTSCREEN(8) POSTSCREEN(8)
over an internal communication channel.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
daemon process waits for an incoming connection
The maximum amount of time that an idle Postfix
daemon process waits for an incoming connection
before terminating voluntarily.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
The process ID of a Postfix command or daemon
The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
The process name of a Postfix command or daemon
The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>SEE ALSO</b>
@ -309,12 +308,12 @@ POSTSCREEN(8) POSTSCREEN(8)
<a href="POSTSCREEN_README.html">POSTSCREEN_README</a>, Postfix Postscreen Howto
<b>LICENSE</b>
The Secure Mailer license must be distributed with this
The Secure Mailer license must be distributed with this
software.
<b>HISTORY</b>
Many ideas in <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier work
by Michael Tokarev, in OpenBSD spamd, and in MailChannels
Many ideas in <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier work
by Michael Tokarev, in OpenBSD spamd, and in MailChannels
Traffic Control.
<b>AUTHOR(S)</b>

View File

@ -422,14 +422,27 @@ The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR.
These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
and LDAP_SCOPE_ONELEVEL.
.IP "\fBbind (default: yes)\fR"
Whether or not to bind to the LDAP server. Newer LDAP
Whether or how to bind to the LDAP server. Newer LDAP
implementations don't require clients to bind, which saves
time. Example:
.nf
# Don't bind
bind = no
# Use SIMPLE bind
bind = yes
# Use SASL bind
bind = sasl
.fi
Postfix versions prior to 2.8 only support "bind = no" which
means don't bind, and "bind = yes" which means do a SIMPLE bind.
Postfix 2.8 and later also supports "bind = SASL" when compiled
with LDAP SASL support as described in LDAP_README, it also adds
the synonyms "bind = none" and "bind = simple" for "bind = no"
and "bind = yes" respectively. See the SASL section below for
additional parameters available with "bind = sasl".
If you do need to bind, you might consider configuring
Postfix to connect to the local machine on a port that's
an SSL tunnel to your LDAP server. If your LDAP server
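Review bot: the added paragraph spells the new value two ways, "bind = SASL" in the prose and "bind = sasl" in the example and the closing sentence; use one spelling throughout. The sentence "Postfix 2.8 and later also supports "bind = SASL" when compiled with LDAP SASL support as described in LDAP_README, it also adds the synonyms ..." is a run-on; end it after "LDAP_README" and start a new sentence with "It also adds the synonyms ...". Since ldap_table.5 is generated from proto/ldap_table, make the wording change in the proto file and regenerate this page.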
@ -443,6 +456,8 @@ If you do have to bind, do it with this distinguished name. Example:
.nf
bind_dn = uid=postfix, dc=your, dc=com
.fi
With "bind = sasl" (see above) the DN may be optional for some SASL
mechanisms, don't specify a DN if not needed.
.IP "\fBbind_pw (default: empty)\fR"
The password for the distinguished name above. If you have
to use this, you probably want to make the map configuration
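Review bot: comma splice in the new sentence ("... optional for some SASL mechanisms, don't specify a DN if not needed."); use a semicolon or two sentences. It would also help to say what the value means under SASL: the dict_ldap.c hunk hands bind_dn to the SASL_CB_AUTHNAME callback as the authentication identity, so for password-based SASL mechanisms this is a user name rather than a distinguished name, despite the parameter's name.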
@ -456,6 +471,8 @@ command. Example:
.nf
bind_pw = postfixpw
.fi
With "bind = sasl" (see above) the password may be optional
for some SASL mechanisms, don't specify a password if not needed.
.IP "\fBcache (IGNORED with a warning)\fR"
.IP "\fBcache_expiry (IGNORED with a warning)\fR"
.IP "\fBcache_size (IGNORED with a warning)\fR"
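Review bot: the same comma splice as in the bind_dn text ("... for some SASL mechanisms, don't specify a password if not needed."). Worth adding that for password-based SASL mechanisms bind_pw is still sent as the SASL password (dict_ldap.c passes it through the SASL_CB_PASS callback), so the guidance in this entry about how to handle the map configuration file applies equally when "bind = sasl" is used.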
@ -512,6 +529,49 @@ Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version
Specifies the LDAP protocol version to use.
.IP "\fBdebuglevel (default: 0)\fR"
What level to set for debugging in the OpenLDAP libraries.
.SH "LDAP SASL PARAMETERS"
.na
.nf
.ad
.fi
If you're using the OpenLDAP libraries compiled with SASL
support, Postfix 2.8 and later built with LDAP SASL support
as described in LDAP_README can authenticate to LDAP servers
via SASL.
This enables authentication to the LDAP server via mechanisms
other than a simple password. The added flexibility has a cost:
it is no longer practical to set an explicit timeout on the duration
of an LDAP bind operation. Under adverse conditions, whether a SASL
bind times out, or if it does, the duration of the timeout is
determined by the LDAP and SASL libraries.
It is best to use tables that use SASL binds via proxymap(8), this
way the requesting process can time-out the proxymap request. This
also lets you tailer the process environment by overriding the
proxymap(8) import_environment setting in master.cf(5). Special
environment settings may be needed to configure GSSAPI credential
caches or other SASL mechanism specific options. The GSSAPI
credentials used for LDAP lookups may need to be different than
say those used for the Postfix SMTP client to authenticate to remote
servers.
Using SASL mechanisms requires LDAP protocol version 3, the default
protocol version is 2 for backwards compatibility. You must set
"version = 3" in addition to "bind = sasl".
The following parameters are relevant to using LDAP with SASL
.IP "\fBsasl (default: no)\fR"
Whether or not to use SASL binds to the server. Can be yes or no.
.IP "\fBsasl_mechs (default: empty)\fR"
Space separated list of SASL mechanism(s) to try.
.IP "\fBsasl_realm (default: empty)\fR"
SASL Realm to use, if applicable.
.IP "\fBsasl_authz_id (default: empty)\fR"
The SASL authorization identity to assert, if applicable.
.IP "\fBsasl_minssf (default: 0)\fR"
The minimum required sasl security factor required to establish a
connection.
.SH "LDAP SSL AND STARTTLS PARAMETERS"
.na
.nf
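Review bot: the parameter list documents a yes/no "sasl (default: no)" parameter, while the bind entry earlier in this file enables SASL with "bind = sasl" and the dict_ldap.c hunk adds both a bindopt_table entry for "sasl" and a separate sasl field; state which setting wins when the two disagree, or drop one of them. Wording: "tailer" should be "tailor"; "Under adverse conditions, whether a SASL bind times out, or if it does, the duration of the timeout is determined by the LDAP and SASL libraries" reads better as "whether a SASL bind times out at all, and if so after how long, is determined by the LDAP and SASL libraries"; "The following parameters are relevant to using LDAP with SASL" needs a full stop; "The minimum required sasl security factor required" repeats "required" (SSF is the security strength factor). Because the default sasl_minssf of 0 requires neither integrity nor confidentiality from the SASL layer, it would help operators to say that a value above 1 is how to require an encrypted SASL security layer when LDAP SSL or STARTTLS is not in use.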

View File

@ -60,7 +60,14 @@ Problems and transactions are logged to \fBsyslogd\fR(8).
.SH BUGS
.ad
.fi
Some of the non-default protocol tests involve
The \fBpostscreen\fR(8) built-in SMTP protocol engine does
not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD.
Support for STARTTLS and AUTH may be added in the future.
In the mean time, if you need to make these services available
on port 25, then do not enable the optional "after 220
server greeting" tests.
The optional "after 220 server greeting" tests involve
\fBpostscreen\fR(8)'s built-in SMTP protocol engine. When
these tests succeed, \fBpostscreen\fR(8) adds the client
to the temporary whitelist but it cannot not hand off the
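Review bot: "In the mean time" should be "In the meantime" (the same phrase is added to POSTSCREEN_README.html in this commit). While this paragraph is being rewritten, the unchanged context line "it cannot not hand off the" carries a pre-existing double negative; drop the second "not".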
@ -72,14 +79,6 @@ connects, it will be allowed to talk to a Postfix SMTP
server process to deliver mail. \fBpostscreen\fR(8) mitigates
the impact of this limitation by giving such tests a long
expiration time.
The \fBpostscreen\fR(8) built-in SMTP protocol engine does
not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD
(support for STARTTLS and AUTH may be added in the future).
End-user clients should connect directly to the submission
service; other systems that require the above features
should directly connect to a Postfix SMTP server, or they
should be placed on the \fBpostscreen\fR(8) whitelist.
.SH "CONFIGURATION PARAMETERS"
.na
.nf
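Review bot: the deleted paragraph offered two targeted alternatives for systems that need STARTTLS, AUTH, XCLIENT or XFORWARD: connect them directly to a Postfix SMTP server, or place them on the postscreen(8) whitelist. The replacement text at the top of BUGS only says to leave the optional "after 220 server greeting" tests disabled, which gives up those tests for every client. Consider keeping one sentence that points at the whitelist (postscreen_whitelist_networks) as the per-client alternative.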

View File

@ -128,6 +128,16 @@ change the AUXLIBS line to point to libldap10.so or libldapssl30.so
or whatever you have, and you may need to use the appropriate linker
option (e.g. '-R') so the executables can find it at runtime. </p>
<p> If you are using OpenLDAP, and the libraries were built with SASL
support, you can add -DUSE_LDAP_SASL to the CCARGS to enable SASL support.
For example: </p>
<blockquote>
<pre>
CCARGS="-I/usr/local/include -DHAS_LDAP -DUSE_LDAP_SASL"
</pre>
</blockquote>
<h2><a name="config">Configuring LDAP lookups</a></h2>
<p> In order to use LDAP lookups, define an LDAP source
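Review bot: the build note should also cover the SASL header location: the dict_ldap.c hunk includes <sasl.h> with no directory prefix, and Cyrus SASL commonly installs its headers under a sasl/ subdirectory, so many builds will need an extra -I for that directory in CCARGS in addition to -DUSE_LDAP_SASL (or the include should become <sasl/sasl.h>). Saying so here saves a compile failure after following the example exactly.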
@ -140,9 +150,9 @@ alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
</blockquote>
<p> The file /etc/postfix/ldap-aliases.cf can specify a great number
of parameters, including parameters that enable LDAP SSL and
STARTTLS. For a complete description, see the ldap_table(5) manual
page. </p>
of parameters, including parameters that enable LDAP SSL or STARTTLS,
and LDAP SASL. For a complete description, see the ldap_table(5)
manual page. </p>
<h2><a name="example_alias">Example: local(8) aliases</a></h2>
@ -591,6 +601,9 @@ expansion_limit interface for LDAP, MySQL and PosgreSQL.</li>
limit LDAP search results to leaf nodes only. Victor generalized
this into the Postfix 2.4 "leaf_result_attribute" feature. </li>
<li>Quanah Gibson-Mount contributed support for advanced LDAP SASL
mechanisms, beyond the password-based LDAP "simple" bind. </li>
</ul>
And of course Wietse.

View File

@ -67,7 +67,10 @@ decision based on a single measurement. This is necessary because
many zombies avoid spamming the same site repeatedly, in an attempt
to fly under the radar. Once postscreen(8) decides that a client
is not-a-zombie, it whitelists the client temporarily to avoid
further delays for legitimate mail. </p>
further delays for legitimate mail. Clients that pass postscreen(8)
are still subject to the checks that are built into Postfix smtpd(8),
Postfix built-in content filters, and external content filters.
</p>
<p> Zombies have challenges too: they have only a limited amount
of time to deliver spam before their IP address becomes blacklisted.
@ -79,25 +82,24 @@ mail even when the server tells them to go away. </p>
<p> postscreen(8) uses a variety of measurements to recognize
zombies. First, postscreen(8) determines if the remote SMTP client
IP address is blacklisted. Second, postscreen(8) looks for protocol
compromises that are made to speed up delivery. The results of
such measurements don't change with each delivery attempt, and are
therefore good for making an is-it-a-zombie decision based on a
single measurement. </p>
compromises that are made to speed up delivery. These are good
indicators for making is-it-a-zombie decisions based on single
measurements. </p>
<p> postscreen(8) does not inspect message content. Message content
can vary widely with each delivery attempt, especially with clients
that (also) send legitimate email. Content is therefore not good
for making an is-it-a-zombie decision based on a single measurement,
can vary from one delivery to the next, especially with clients
that (also) send legitimate email. Content is not a good indicator
for making is-it-a-zombie decisions based on single measurements,
and that is the problem that postscreen(8) is focused on. </p>
<h2> <a name="general"> General operation </a> </h2>
<p> The postscreen(8) triage process involves a number of tests,
in the order as described below. Some tests introduce a delay of
a few seconds. Once a client passes all tests, its IP address is
temporarily excluded from any tests, typically 24 hours for simple
tests or 1 week for complex tests. This minimizes the impact of
the tests on legitimate mail clients. </p>
a few seconds. Once a client passes a test, its IP address is
whitelisted from 24 hours for simple tests, to 1 week for complex
tests. Whitelisting minimizes the impact of postscreen(8)'s tests
on legitimate mail clients. </p>
<p> After logging its findings, postscreen(8) by default hands off
all connections to a Postfix SMTP server process. This mode is
@ -340,14 +342,15 @@ a relatively long expiration time. </p>
<li> <p> postscreen(8)'s built-in SMTP engine does not implement
the AUTH, STARTTLS, XCLIENT, and XFORWARD features. STARTTLS and
AUTH support may be added in a future version. </p>
AUTH support may be added in a future version. In the mean time,
if you need to make these services available on port 25, then do
not enable the tests after the 220 server greeting. </p>
</ul>
<p> End-user clients should connect directly to the submission
service. Other systems that require the above features
should directly connect to a Postfix SMTP server, or they
should be placed on the postscreen(8) whitelist. </p>
service, so that they never have to deal with postscreen(8)'s tests.
</p>
<ul>
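Review bot: "In the mean time" should be "In the meantime". The rewritten paragraph drops the sentence that told administrators of other systems needing AUTH, STARTTLS, XCLIENT or XFORWARD to connect them directly to a Postfix SMTP server or to put them on the postscreen(8) whitelist; the only remaining advice is to disable the after-220 tests globally. Keep a pointer to the whitelist as the per-client option.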

View File

@ -410,14 +410,27 @@
# These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
# and LDAP_SCOPE_ONELEVEL.
# .IP "\fBbind (default: yes)\fR"
# Whether or not to bind to the LDAP server. Newer LDAP
# Whether or how to bind to the LDAP server. Newer LDAP
# implementations don't require clients to bind, which saves
# time. Example:
#
# .nf
# # Don't bind
# bind = no
# # Use SIMPLE bind
# bind = yes
# # Use SASL bind
# bind = sasl
# .fi
#
# Postfix versions prior to 2.8 only support "bind = no" which
# means don't bind, and "bind = yes" which means do a SIMPLE bind.
# Postfix 2.8 and later also supports "bind = SASL" when compiled
# with LDAP SASL support as described in LDAP_README, it also adds
# the synonyms "bind = none" and "bind = simple" for "bind = no"
# and "bind = yes" respectively. See the SASL section below for
# additional parameters available with "bind = sasl".
#
# If you do need to bind, you might consider configuring
# Postfix to connect to the local machine on a port that's
# an SSL tunnel to your LDAP server. If your LDAP server
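Review bot: this is the source for ldap_table.5, so the fixes belong here: use one spelling of the new value ("bind = sasl" in the example, "bind = SASL" in the prose), and split the run-on "... as described in LDAP_README, it also adds the synonyms ..." into two sentences ("... as described in LDAP_README. It also adds the synonyms ...").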
@ -431,6 +444,8 @@
# .nf
# bind_dn = uid=postfix, dc=your, dc=com
# .fi
# With "bind = sasl" (see above) the DN may be optional for some SASL
# mechanisms, don't specify a DN if not needed.
# .IP "\fBbind_pw (default: empty)\fR"
# The password for the distinguished name above. If you have
# to use this, you probably want to make the map configuration
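Review bot: comma splice in "... optional for some SASL mechanisms, don't specify a DN if not needed."; use a semicolon. Also note here that with "bind = sasl" this value is passed to SASL as the authentication identity (authcid), so for password-based mechanisms it is a user name rather than a DN.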
@ -444,6 +459,8 @@
# .nf
# bind_pw = postfixpw
# .fi
# With "bind = sasl" (see above) the password may be optional
# for some SASL mechanisms, don't specify a password if not needed.
# .IP "\fBcache (IGNORED with a warning)\fR"
# .IP "\fBcache_expiry (IGNORED with a warning)\fR"
# .IP "\fBcache_size (IGNORED with a warning)\fR"
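Review bot: comma splice in "... for some SASL mechanisms, don't specify a password if not needed."; use a semicolon. Add that password-based SASL mechanisms still send bind_pw as the SASL password, so the file-handling advice in this entry applies equally to "bind = sasl".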
@ -500,6 +517,47 @@
# Specifies the LDAP protocol version to use.
# .IP "\fBdebuglevel (default: 0)\fR"
# What level to set for debugging in the OpenLDAP libraries.
# LDAP SASL PARAMETERS
# .ad
# .fi
# If you're using the OpenLDAP libraries compiled with SASL
# support, Postfix 2.8 and later built with LDAP SASL support
# as described in LDAP_README can authenticate to LDAP servers
# via SASL.
#
# This enables authentication to the LDAP server via mechanisms
# other than a simple password. The added flexibility has a cost:
# it is no longer practical to set an explicit timeout on the duration
# of an LDAP bind operation. Under adverse conditions, whether a SASL
# bind times out, or if it does, the duration of the timeout is
# determined by the LDAP and SASL libraries.
#
# It is best to use tables that use SASL binds via proxymap(8), this
# way the requesting process can time-out the proxymap request. This
# also lets you tailer the process environment by overriding the
# proxymap(8) import_environment setting in master.cf(5). Special
# environment settings may be needed to configure GSSAPI credential
# caches or other SASL mechanism specific options. The GSSAPI
# credentials used for LDAP lookups may need to be different than
# say those used for the Postfix SMTP client to authenticate to remote
# servers.
#
# Using SASL mechanisms requires LDAP protocol version 3, the default
# protocol version is 2 for backwards compatibility. You must set
# "version = 3" in addition to "bind = sasl".
#
# The following parameters are relevant to using LDAP with SASL
# .IP "\fBsasl (default: no)\fR"
# Whether or not to use SASL binds to the server. Can be yes or no.
# .IP "\fBsasl_mechs (default: empty)\fR"
# Space separated list of SASL mechanism(s) to try.
# .IP "\fBsasl_realm (default: empty)\fR"
# SASL Realm to use, if applicable.
# .IP "\fBsasl_authz_id (default: empty)\fR"
# The SASL authorization identity to assert, if applicable.
# .IP "\fBsasl_minssf (default: 0)\fR"
# The minimum required sasl security factor required to establish a
# connection.
# LDAP SSL AND STARTTLS PARAMETERS
# .ad
# .fi
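Review bot: the "sasl (default: no)" parameter documented here overlaps with "bind = sasl" from the bind entry above; say which one takes precedence or remove one. Typos and wording in this block (it is the source for ldap_table.5): "tailer" should be "tailor"; "whether a SASL bind times out, or if it does, the duration of the timeout is determined by" should be "whether a SASL bind times out at all, and if so after how long, is determined by"; "The following parameters are relevant to using LDAP with SASL" lacks a full stop; "minimum required sasl security factor required" repeats "required" and SSF stands for security strength factor. Also worth saying that with the default sasl_minssf of 0 the SASL layer provides no integrity or confidentiality protection, and that a value above 1 requires an encrypted SASL layer.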

View File

@ -15,13 +15,18 @@
/* This module implements one-to-many table mapping via table lookup.
/* Table lookups are done with quoted (externalized) address forms.
/* The process is recursive. The recursion terminates when the
/* left-hand side appears in its own expansion, or when a maximal
/* nesting level is reached.
/* left-hand side appears in its own expansion.
/*
/* cleanup_map1n_internal() is the interface for addresses in
/* internal (unquoted) form.
/* DIAGNOSTICS
/* Recoverable errors: the global \fIcleanup_errs\fR flag is updated.
/* When the maximal expansion or recursion limit is reached,
/* the alias is not expanded and the CLEANUP_STAT_DEFER error
/* is raised with reason "4.6.0 Alias expansion error".
/*
/* When table lookup fails, the alias is not expanded and the
/* CLEANUP_STAT_WRITE error is raised with reason "4.6.0 Alias
/* expansion error".
/* SEE ALSO
/* mail_addr_map(3) address mappings
/* mail_addr_find(3) address lookups
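Review bot: both failure paths documented here use the identical reason "4.6.0 Alias expansion error" while raising different status bits (CLEANUP_STAT_DEFER for the limits, CLEANUP_STAT_WRITE for a failed table lookup); if the two are meant to be distinguishable downstream, give them distinct reason texts, and if not, say why a lookup failure is reported as a write error. "When the maximal expansion or recursion limit is reached" should read "When the maximal expansion size or recursion limit is reached" to match the two checks in the code.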
@ -93,15 +98,26 @@ ARGV *cleanup_map1n_internal(CLEANUP_STATE *state, const char *addr,
* must index the array explicitly, instead of running along it with a
* pointer.
*/
#define UPDATE(ptr,new) { myfree(ptr); ptr = mystrdup(new); }
#define UPDATE(ptr,new) do { \
if (ptr) myfree(ptr); ptr = mystrdup(new); \
} while (0)
#define STR vstring_str
#define RETURN(x) { been_here_free(been_here); return (x); }
#define RETURN(x) do { \
been_here_free(been_here); return (x); \
} while (0)
#define UNEXPAND(argv, addr) do { \
argv_truncate((argv), 0); argv_add((argv), (addr), (char *) 0); \
} while (0)
for (arg = 0; arg < argv->argc; arg++) {
if (argv->argc > var_virt_expan_limit) {
msg_warn("%s: unreasonable %s map expansion size for %s",
msg_warn("%s: unreasonable %s map expansion size for %s -- "
"deferring delivery",
state->queue_id, maps->title, addr);
break;
state->errs |= CLEANUP_STAT_DEFER;
UPDATE(state->reason, "4.6.0 Alias expansion error");
UNEXPAND(argv, addr);
RETURN(argv);
}
for (count = 0; /* void */ ; count++) {
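Review bot: the new warning "unreasonable %s map expansion size for %s -- deferring delivery" names the map and the address but not the limit that was hit; since this condition is deterministic and will recur on every retry until the operator raises the main.cf parameter behind var_virt_expan_limit, log that parameter name so the operator knows which knob to turn. The do { ... } while (0) rewrite of UPDATE and RETURN and the NULL guard in UPDATE are good; move the unrelated `#define STR vstring_str` out from between them so the three related macros read as a group.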
@ -111,9 +127,13 @@ ARGV *cleanup_map1n_internal(CLEANUP_STATE *state, const char *addr,
if (been_here_check_fixed(been_here, argv->argv[arg]) != 0)
break;
if (count >= var_virt_recur_limit) {
msg_warn("%s: unreasonable %s map nesting for %s",
msg_warn("%s: unreasonable %s map nesting for %s -- "
"deferring delivery",
state->queue_id, maps->title, addr);
break;
state->errs |= CLEANUP_STAT_DEFER;
UPDATE(state->reason, "4.6.0 Alias expansion error");
UNEXPAND(argv, addr);
RETURN(argv);
}
quote_822_local(state->temp1, argv->argv[arg]);
if ((lookup = mail_addr_map(maps, STR(state->temp1), propagate)) != 0) {
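Review bot: as with the expansion-size check, the "unreasonable %s map nesting for %s -- deferring delivery" warning should name the configuration parameter behind var_virt_recur_limit, because the deferral repeats on every delivery attempt until that limit is raised. The remaining silent `break` for been_here_check_fixed() is intentional (a left-hand side appearing in its own expansion ends the recursion without error); a one-line comment at that break would make the asymmetry with the two deferring limits clear to the next reader.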
@ -136,9 +156,12 @@ ARGV *cleanup_map1n_internal(CLEANUP_STATE *state, const char *addr,
myfree(saved_lhs);
argv_free(lookup);
} else if (dict_errno != 0) {
msg_warn("%s: %s map lookup problem for %s",
msg_warn("%s: %s map lookup problem for %s -- "
"deferring delivery",
state->queue_id, maps->title, addr);
state->errs |= CLEANUP_STAT_WRITE;
UPDATE(state->reason, "4.6.0 Alias expansion error");
UNEXPAND(argv, addr);
RETURN(argv);
} else {
break;
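Review bot: a dict_errno lookup failure is mapped to CLEANUP_STAT_WRITE, a status whose name suggests a queue-file write error, while the two limit cases above use CLEANUP_STAT_DEFER for what is also a temporary condition. Unless a caller depends on the WRITE bit specifically, DEFER is the more accurate status for a transient table lookup error; whichever is chosen, keep the DIAGNOSTICS header comment in sync with it.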

View File

@ -103,6 +103,16 @@
/* .IP version
/* Specifies the LDAP protocol version to use. Default is version
/* \fI2\fR.
/* .IP "\fBsasl (no)\fR"
/* Whether or not to use SASL binds with the server.
/* .IP "\fBsasl_mechs (empty)\fR"
/* Specifies a space-separated list of LDAP SASL Mechanisms.
/* .IP "\fBsasl_realm (empty)\fR"
/* The realm to use for SASL binds.
/* .IP "\fBsasl_authz_id (empty)\fR"
/* The SASL Authorization Identity to assert.
/* .IP "\fBsasl_minssf (0)\fR"
/* The minimum SASL SSF to allow.
/* .IP start_tls
/* Whether or not to issue STARTTLS upon connection to the server.
/* At this time, STARTTLS and LDAP SSL are only available if the
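Review bot: the new entries use the bold form `.IP "\fBsasl (no)\fR"` while the neighbouring entries in this comment block use plain `.IP version` / `.IP start_tls`; match the existing style. The "sasl (no) - Whether or not to use SASL binds" entry describes a switch that duplicates "bind = sasl" (see bindopt_table below); document a single way to enable SASL.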
@ -208,16 +218,44 @@
#include <dict.h>
#include <stringops.h>
#include <binhash.h>
#include <name_code.h>
/* Global library. */
#include "cfg_parser.h"
#include "db_common.h"
#include "mail_conf.h"
#if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
/*
* SASL headers, for sasl_interact_t. Either SASL v1 or v2 should be fine.
*/
#include <sasl.h>
#endif
/* Application-specific. */
#include "dict_ldap.h"
#define DICT_LDAP_BIND_NONE 0
#define DICT_LDAP_BIND_SIMPLE 1
#define DICT_LDAP_BIND_SASL 2
#define DICT_LDAP_DO_BIND(d) ((d)->bind != DICT_LDAP_BIND_NONE)
#define DICT_LDAP_DO_SASL(d) ((d)->bind == DICT_LDAP_BIND_SASL)
static const NAME_CODE bindopt_table[] = {
CONFIG_BOOL_NO, DICT_LDAP_BIND_NONE,
"none", DICT_LDAP_BIND_NONE,
CONFIG_BOOL_YES, DICT_LDAP_BIND_SIMPLE,
"simple", DICT_LDAP_BIND_SIMPLE,
#ifdef LDAP_API_FEATURE_X_OPENLDAP
#if defined(USE_LDAP_SASL)
"sasl", DICT_LDAP_BIND_SASL,
#endif
#endif
0, -1,
};
typedef struct {
LDAP *conn_ld;
int conn_refcount;
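Review bot: `#include <sasl.h>` assumes the Cyrus SASL headers are on the default include path; they are commonly installed under a sasl/ subdirectory, so either include <sasl/sasl.h> or have LDAP_README tell builders to add the corresponding -I to CCARGS. Style: the nested `#ifdef LDAP_API_FEATURE_X_OPENLDAP` / `#if defined(USE_LDAP_SASL)` around the "sasl" table entry can be one `#if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)`, matching the guard used for the include a few lines up.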
@ -254,6 +292,13 @@ typedef struct {
int debuglevel;
int version;
#ifdef LDAP_API_FEATURE_X_OPENLDAP
#if defined(USE_LDAP_SASL)
int sasl;
char *sasl_mechs;
char *sasl_realm;
char *sasl_authz;
int sasl_minssf;
#endif
int ldap_ssl;
int start_tls;
int tls_require_cert;
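Review bot: the new `int sasl;` field duplicates state already carried by the bind field (DICT_LDAP_BIND_SASL, tested by DICT_LDAP_DO_SASL()), so the two can disagree depending on which configuration parameter was set. If the separate "sasl" parameter is kept, fold it into bind at parse time and drop this field.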
@ -407,6 +452,49 @@ static int dict_ldap_set_errno(LDAP *ld, int rc)
return rc;
}
#if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
/*
* Context structure for SASL property callback.
*/
typedef struct bind_props {
char *authcid;
char *passwd;
char *realm;
char *authzid;
} bind_props;
static int
ldap_b2_interact(LDAP *ld, unsigned flags, void *props, void *inter)
{
sasl_interact_t *in;
bind_props *ctx = (bind_props *)props;
for (in = inter; in->id != SASL_CB_LIST_END; in++)
{
in->result = NULL;
switch(in->id)
{
case SASL_CB_GETREALM:
in->result = ctx->realm;
break;
case SASL_CB_AUTHNAME:
in->result = ctx->authcid;
break;
case SASL_CB_USER:
in->result = ctx->authzid;
break;
case SASL_CB_PASS:
in->result = ctx->passwd;
break;
}
if (in->result)
in->len = strlen(in->result);
}
return LDAP_SUCCESS;
}
#endif
/* dict_ldap_result - Read and parse LDAP result */
static int dict_ldap_result(LDAP *ld, int msgid, int timeout, LDAPMessage **res)
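Review bot: when sasl_realm or sasl_authz_id is left at its empty default (dict_ldap_open() defaults both to ""), ldap_b2_interact() hands the mechanism a zero-length string instead of leaving `in->result` NULL, so the library is told "the realm is empty" rather than being allowed to pick its own default; map empty strings to NULL, e.g. `in->result = *ctx->realm ? ctx->realm : NULL;`. A callback id that matches no case leaves `in->len` untouched; set `in->len = 0` next to `in->result = NULL`. Finally, the `ldap_` prefix puts the function in the LDAP library's namespace; `dict_ldap_sasl_interact` would follow the file's own naming.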
@ -427,6 +515,40 @@ static int dict_ldap_result(LDAP *ld, int msgid, int timeout, LDAPMessage **res)
return LDAP_SUCCESS;
}
#if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
/* Asynchronous SASL auth if SASL is enabled */
static int dict_ldap_bind_sasl(DICT_LDAP *dict_ldap)
{
int rc;
bind_props props;
static VSTRING *minssf = 0;
if (minssf == 0)
minssf = vstring_alloc(12);
vstring_sprintf(minssf, "minssf=%d", dict_ldap->sasl_minssf);
if ((rc = ldap_set_option(dict_ldap->ld, LDAP_OPT_X_SASL_SECPROPS,
(char *) minssf)) != LDAP_OPT_SUCCESS)
return (rc);
props.authcid = dict_ldap->bind_dn;
props.passwd = dict_ldap->bind_pw;
props.realm = dict_ldap->sasl_realm;
props.authzid = dict_ldap->sasl_authz;
if ((rc = ldap_sasl_interactive_bind_s(dict_ldap->ld, NULL,
dict_ldap->sasl_mechs, NULL, NULL,
LDAP_SASL_QUIET, ldap_b2_interact,
&props)) != LDAP_SUCCESS)
return (rc);
return (LDAP_SUCCESS);
}
#endif
/* dict_ldap_bind_st - Synchronous simple auth with timeout */
static int dict_ldap_bind_st(DICT_LDAP *dict_ldap)
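Review bot: `(char *) minssf` in the ldap_set_option() call passes the VSTRING handle itself, not its buffer; LDAP_OPT_X_SASL_SECPROPS wants the C string, so this must be `vstring_str(minssf)`, otherwise the option parser sees the struct's leading bytes and the bind never gets off the ground. Two smaller points: the comment says "Asynchronous SASL auth" but ldap_sasl_interactive_bind_s() is the synchronous call, and unlike dict_ldap_bind_st() ("simple auth with timeout") there is no explicit time limit here, so please confirm that the connection's network timeout option set earlier in dict_ldap_connect() bounds this call; a stalled LDAP server must not hang the Postfix process that performs the lookup.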
@ -746,26 +868,36 @@ static int dict_ldap_connect(DICT_LDAP *dict_ldap)
}
#endif
#define DN_LOG_VAL(dict_ldap) \
((dict_ldap)->bind_dn[0] ? (dict_ldap)->bind_dn : "empty or implicit")
/*
* If this server requires a bind, do so. Thanks to Sam Tardieu for
* noticing that the original bind call was broken.
*/
if (dict_ldap->bind) {
if (DICT_LDAP_DO_BIND(dict_ldap)) {
if (msg_verbose)
msg_info("%s: Binding to server %s as dn %s",
myname, dict_ldap->server_host, dict_ldap->bind_dn);
msg_info("%s: Binding to server %s with dn %s",
myname, dict_ldap->server_host, DN_LOG_VAL(dict_ldap));
#if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
if (DICT_LDAP_DO_SASL(dict_ldap)) {
rc = dict_ldap_bind_sasl(dict_ldap);
} else {
rc = dict_ldap_bind_st(dict_ldap);
}
#else
rc = dict_ldap_bind_st(dict_ldap);
#endif
if (rc != LDAP_SUCCESS) {
msg_warn("%s: Unable to bind to server %s as %s: %d (%s)",
myname, dict_ldap->server_host, dict_ldap->bind_dn,
msg_warn("%s: Unable to bind to server %s with dn %s: %d (%s)",
myname, dict_ldap->server_host, DN_LOG_VAL(dict_ldap),
rc, ldap_err2string(rc));
DICT_LDAP_UNBIND_RETURN(dict_ldap->ld, DICT_ERR_RETRY, -1);
}
if (msg_verbose)
msg_info("%s: Successful bind to server %s as %s ",
myname, dict_ldap->server_host, dict_ldap->bind_dn);
msg_info("%s: Successful bind to server %s with dn %s",
myname, dict_ldap->server_host, DN_LOG_VAL(dict_ldap));
}
/* Save connection handle in shared container */
DICT_LDAP_CONN(dict_ldap)->conn_ld = dict_ldap->ld;
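Review bot: for bind = sasl the value logged after "with dn" is the SASL authentication identity (dict_ldap_bind_sasl() passes bind_dn as props.authcid), not a DN, so all three log lines mislead when troubleshooting a SASL bind; log "as %s" or choose the wording from DICT_LDAP_DO_SASL(). Defining DN_LOG_VAL in the middle of the function body also breaks the file's habit of grouping macros near the top; move it next to DICT_LDAP_DO_BIND / DICT_LDAP_DO_SASL.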
@ -798,13 +930,19 @@ static void dict_ldap_conn_find(DICT_LDAP *dict_ldap)
ADDSTR(keybuf, dict_ldap->server_host);
ADDINT(keybuf, dict_ldap->server_port);
ADDINT(keybuf, dict_ldap->bind);
ADDSTR(keybuf, dict_ldap->bind ? dict_ldap->bind_dn : "");
ADDSTR(keybuf, dict_ldap->bind ? dict_ldap->bind_pw : "");
ADDSTR(keybuf, DICT_LDAP_DO_BIND(dict_ldap) ? dict_ldap->bind_dn : "");
ADDSTR(keybuf, DICT_LDAP_DO_BIND(dict_ldap) ? dict_ldap->bind_pw : "");
ADDINT(keybuf, dict_ldap->dereference);
ADDINT(keybuf, dict_ldap->chase_referrals);
ADDINT(keybuf, dict_ldap->debuglevel);
ADDINT(keybuf, dict_ldap->version);
#ifdef LDAP_API_FEATURE_X_OPENLDAP
#if defined(USE_LDAP_SASL)
ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_mechs : "");
ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_realm : "");
ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_authz : "");
ADDINT(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_minssf : 0);
#endif
ADDINT(keybuf, dict_ldap->ldap_ssl);
ADDINT(keybuf, dict_ldap->start_tls);
ADDINT(keybuf, sslon ? dict_ldap->tls_require_cert : 0);
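Review bot: keep the DICT_LDAP_DO_SASL() guards on the four new key lines exactly as written: dict_ldap_open() sets sasl_mechs, sasl_realm and sasl_authz to 0 when bind is not sasl, so an unguarded ADDSTR would dereference NULL. Folding these parameters into the sharing key is also what prevents two tables with a different sasl_authz_id or sasl_minssf from quietly reusing one bound connection, which is worth a one-line comment above the block.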
@ -1437,6 +1575,13 @@ static void dict_ldap_close(DICT *dict)
if (dict_ldap->ctx)
db_common_free_ctx(dict_ldap->ctx);
#ifdef LDAP_API_FEATURE_X_OPENLDAP
#if defined(USE_LDAP_SASL)
if (DICT_LDAP_DO_SASL(dict_ldap)) {
myfree(dict_ldap->sasl_mechs);
myfree(dict_ldap->sasl_realm);
myfree(dict_ldap->sasl_authz);
}
#endif
myfree(dict_ldap->tls_ca_cert_file);
myfree(dict_ldap->tls_ca_cert_dir);
myfree(dict_ldap->tls_cert);
@ -1461,6 +1606,7 @@ DICT *dict_ldap_open(const char *ldapsource, int dummy, int dict_flags)
char *server_host;
char *scope;
char *attr;
char *bindopt;
int tmp;
int vendor_version = dict_ldap_vendor_version();
@ -1666,9 +1812,14 @@ DICT *dict_ldap_open(const char *ldapsource, int dummy, int dict_flags)
myfree(attr);
/*
* get configured value of "bind"; default to true
* get configured value of "bind"; default to simple bind
*/
dict_ldap->bind = cfg_get_bool(dict_ldap->parser, "bind", 1);
bindopt = cfg_get_str(dict_ldap->parser, "bind", CONFIG_BOOL_YES, 1, 0);
dict_ldap->bind = name_code(bindopt_table, NAME_CODE_FLAG_NONE, bindopt);
if (dict_ldap->bind < 0)
msg_fatal("%s: unsupported parameter value: %s = %s",
dict_ldap->parser->name, "bind", bindopt);
myfree(bindopt);
/*
* get configured value of "bind_dn"; default to ""
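Review bot: on a build without SASL support the "sasl" keyword is simply absent from bindopt_table, so `bind = sasl` dies with "unsupported parameter value: bind = sasl", which reads like a typo rather than a build limitation. Either keep "sasl" in the table unconditionally and fail with a message that SASL support is not compiled in, or extend this message. Failing hard is the right call here; silently falling back to a simple or anonymous bind would be worse.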
@ -1723,6 +1874,25 @@ DICT *dict_ldap_open(const char *ldapsource, int dummy, int dict_flags)
"chase_referrals", 0);
#ifdef LDAP_API_FEATURE_X_OPENLDAP
#if defined(USE_LDAP_SASL)
/*
* SASL options
*/
if (DICT_LDAP_DO_SASL(dict_ldap)) {
dict_ldap->sasl_mechs =
cfg_get_str(dict_ldap->parser, "sasl_mechs", "", 0, 0);
dict_ldap->sasl_realm =
cfg_get_str(dict_ldap->parser, "sasl_realm", "", 0, 0);
dict_ldap->sasl_authz =
cfg_get_str(dict_ldap->parser, "sasl_authz_id", "", 0, 0);
dict_ldap->sasl_minssf =
cfg_get_int(dict_ldap->parser, "sasl_minssf", 0, 0, 4096);
} else {
dict_ldap->sasl_mechs = 0;
dict_ldap->sasl_realm = 0;
dict_ldap->sasl_authz = 0;
}
#endif
/*
* TLS options
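Review bot: the sasl_* parameters are read only when bind = sasl, so a table that sets sasl_minssf or sasl_mechs but leaves bind at its default performs a plain simple bind with no indication that the SASL settings were ignored. A msg_warn() in the else branch when any of them is present in the table would catch that misconfiguration. For symmetry with the three pointers, also zero sasl_minssf in the else branch.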

View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20101201"
#define MAIL_RELEASE_DATE "20101204"
#define MAIL_VERSION_NUMBER "2.8"
#ifdef SNAPSHOT

View File

@ -49,7 +49,7 @@
/*
/* In order to fend off denial of service attacks, message headers
/* are truncated at or above var_header_limit bytes, message boundary
/* strings are truncated at var_boundary_len bytes, and the multipart
/* strings are truncated at var_mime_bound_len bytes, and the multipart
/* nesting level is limited to var_mime_maxdepth levels.
/*
/* mime_state_alloc() creates a MIME state machine. The machine

View File

@ -85,8 +85,7 @@
/* configuration parameter. The group ID must be non-zero.
/* .IP "PIPE_CMD_TIME_LIMIT (int)"
/* The amount of time the command is allowed to run before it
/* is terminated with SIGKILL. The default is the limit given
/* with the \fIcommand_time_limit\fR configuration parameter.
/* is terminated with SIGKILL. The default is DEF_COMMAND_MAXTIME.
/* .IP "PIPE_CMD_SHELL (char *)"
/* The shell to use when executing the command specified with
/* PIPE_CMD_COMMAND. This shell is invoked regardless of the
@ -211,7 +210,7 @@ static void get_pipe_args(struct pipe_args * args, va_list ap)
args->cwd = 0;
args->chroot = 0;
pipe_command_maxtime = var_command_maxtime;
pipe_command_maxtime = DEF_COMMAND_MAXTIME;
/*
* Then, override the defaults with user-supplied inputs.
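Review bot: with the default now the compile-time DEF_COMMAND_MAXTIME, the main.cf command_time_limit no longer reaches pipe_command() unless the caller passes PIPE_CMD_TIME_LIMIT, and the change relies on every caller doing so. Initialising pipe_command_maxtime to a sentinel (for example -1) and calling msg_panic() if no PIPE_CMD_TIME_LIMIT was supplied would turn a forgotten argument into an immediate failure instead of a silently different timeout.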

View File

@ -414,7 +414,7 @@ SCACHE *scache_clnt_create(const char *server, int timeout,
sp->scache->size = scache_clnt_size;
sp->scache->free = scache_clnt_free;
service = concatenate("local:private/", var_scache_service, (char *) 0);
service = concatenate("local:private/", server, (char *) 0);
sp->auto_clnt = auto_clnt_create(service, timeout, idle_limit, ttl_limit);
myfree(service);
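Review bot: the old line ignored the `server` argument entirely, so every existing caller changes behavior from "always var_scache_service" to "whatever it passed"; a check of each scache_clnt_create() caller belongs with this change, since a caller passing a full path or a differently named service now gets a different socket under private/.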

View File

@ -626,7 +626,7 @@ char *var_allow_commands;
char *var_allow_files;
char *var_alias_maps;
int var_dup_filter_limit;
int var_command_maxtime;
int var_command_maxtime; /* You can now leave this here. */
char *var_home_mailbox;
char *var_mailbox_command;
char *var_mailbox_cmd_maps;
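Review bot: "You can now leave this here." tells a future reader nothing about why; spell out the reason, something like "/* no longer referenced by the global library; still read from main.cf here */". The same comment appears on var_command_maxtime in the pipe source and on var_scache_service in the smtp source and should get the same treatment.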

View File

@ -196,8 +196,9 @@ static int cleanup_service_error_reason(PICKUP_INFO *info, int status,
* -r" when a message is already delivered (or bounced). The Postfix
* sendmail command rejects submissions without recipients.
*/
if (reason == 0)
msg_warn("%s: %s", info->path, cleanup_strerror(status));
if (reason == 0 || *reason == 0)
msg_warn("%s: error writing %s: %s",
info->path, info->id, cleanup_strerror(status));
return ((status & (CLEANUP_STAT_BAD | CLEANUP_STAT_RCPT)) ?
REMOVE_MESSAGE_FILE : KEEP_MESSAGE_FILE);
}

View File

@ -530,7 +530,7 @@
* Tunable parameters. Values are taken from the config file, after
* prepending the service name to _name, and so on.
*/
int var_command_maxtime; /* system-wide */
int var_command_maxtime; /* You can now leave this here. */
/*
* For convenience. Instead of passing around lists of parameters, bundle

View File

@ -46,7 +46,14 @@
/* DIAGNOSTICS
/* Problems and transactions are logged to \fBsyslogd\fR(8).
/* BUGS
/* Some of the non-default protocol tests involve
/* The \fBpostscreen\fR(8) built-in SMTP protocol engine does
/* not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD.
/* Support for STARTTLS and AUTH may be added in the future.
/* In the mean time, if you need to make these services available
/* on port 25, then do not enable the optional "after 220
/* server greeting" tests.
/*
/* The optional "after 220 server greeting" tests involve
/* \fBpostscreen\fR(8)'s built-in SMTP protocol engine. When
/* these tests succeed, \fBpostscreen\fR(8) adds the client
/* to the temporary whitelist but it cannot not hand off the
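Review bot: "it cannot not hand off" in the retained context line is a double negative and should read "it cannot hand off". In the new paragraph, "In the mean time" is normally written "In the meantime".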
@ -58,14 +65,6 @@
/* server process to deliver mail. \fBpostscreen\fR(8) mitigates
/* the impact of this limitation by giving such tests a long
/* expiration time.
/*
/* The \fBpostscreen\fR(8) built-in SMTP protocol engine does
/* not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD
/* (support for STARTTLS and AUTH may be added in the future).
/* End-user clients should connect directly to the submission
/* service; other systems that require the above features
/* should directly connect to a Postfix SMTP server, or they
/* should be placed on the \fBpostscreen\fR(8) whitelist.
/* CONFIGURATION PARAMETERS
/* .ad
/* .fi
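Review bot: the removed paragraph carried two pieces of operational advice that the new wording drops: end-user clients should connect to the submission service rather than port 25, and systems that need STARTTLS, AUTH, XCLIENT or XFORWARD can be placed on the postscreen whitelist instead of the admin disabling the "after 220 server greeting" tests for everyone. Keep at least the whitelist sentence; it is the less drastic of the two remedies.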
@ -525,7 +524,7 @@ static void ps_service(VSTREAM *smtp_client_stream,
* Reply with 421 when the client has too many open connections.
*/
if (var_ps_cconn_limit > 0
&& state->client_concurrency > var_ps_cconn_limit) {
&& state->client_concurrency > var_ps_cconn_limit) {
msg_info("NOQUEUE: reject: CONNECT from [%s]:%s: too many connections",
state->smtp_client_addr, state->smtp_client_port);
PS_DROP_SESSION_STATE(state,

View File

@ -258,9 +258,7 @@ void ps_early_tests(PS_STATE *state)
*/
if ((state->flags & PS_STATE_FLAG_PREGR_TODO) != 0
&& ps_teaser_greeting != 0
&& ps_send_reply(vstream_fileno(state->smtp_client_stream),
state->smtp_client_addr, state->smtp_client_port,
ps_teaser_greeting) != 0) {
&& PS_SEND_REPLY(state, ps_teaser_greeting) != 0) {
ps_hangup_event(state);
return;
}

View File

@ -125,9 +125,7 @@ void ps_conclude(PS_STATE *state)
ps_send_socket(state);
} else {
if ((state->flags & PS_STATE_FLAG_HANGUP) == 0)
(void) ps_send_reply(vstream_fileno(state->smtp_client_stream),
state->smtp_client_addr, state->smtp_client_port,
state->final_reply);
(void) PS_SEND_REPLY(state, state->final_reply);
msg_info("DISCONNECT [%s]:%s", PS_CLIENT_ADDR_PORT(state));
ps_free_session_state(state);
}

View File

@ -85,9 +85,8 @@ int ps_send_reply(int smtp_client_fd, const char *smtp_client_addr,
* XXX Need to make sure that the TCP send buffer is large enough for any
* response, so that a nasty client can't cause this process to block.
*/
ret = (write_buf(smtp_client_fd, text, strlen(text),
PS_SEND_TEXT_TIMEOUT) < 0);
if (ret != 0 && errno != EPIPE)
ret = write_buf(smtp_client_fd, text, strlen(text), PS_SEND_TEXT_TIMEOUT);
if (ret < 0 && errno != EPIPE)
msg_warn("write [%s]:%s: %m", smtp_client_addr, smtp_client_port);
return (ret);
}
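Review bot: `ret = write_buf(...)` changes the function's contract: the old code normalised the result to a 0/non-zero failure flag, while write_buf() returns the number of bytes written on success. The caller in ps_early_tests() tests `PS_SEND_REPLY(state, ps_teaser_greeting) != 0` and would treat every successful greeting as a failure and hang up on the client. Either keep `ret = (write_buf(...) < 0);` here, or change the callers to test `< 0`, and document the return value in the function comment so the two cannot drift apart again.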
@ -164,9 +163,7 @@ void ps_send_socket(PS_STATE *state)
LOCAL_CONNECT(ps_smtpd_service_name, NON_BLOCKING,
PS_SEND_SOCK_CONNECT_TIMEOUT)) < 0) {
msg_warn("cannot connect to service %s: %m", ps_smtpd_service_name);
ps_send_reply(vstream_fileno(state->smtp_client_stream),
state->smtp_client_addr, state->smtp_client_port,
"421 4.3.2 All server ports are busy\r\n");
PS_SEND_REPLY(state, "421 4.3.2 All server ports are busy\r\n");
ps_free_session_state(state);
return;
}
@ -175,9 +172,7 @@ void ps_send_socket(PS_STATE *state)
vstream_fileno(state->smtp_client_stream)) < 0) {
msg_warn("cannot pass connection to service %s: %m",
ps_smtpd_service_name);
ps_send_reply(vstream_fileno(state->smtp_client_stream),
state->smtp_client_addr, state->smtp_client_port,
"421 4.3.2 No system resources\r\n");
PS_SEND_REPLY(state, "421 4.3.2 No system resources\r\n");
ps_free_session_state(state);
return;
} else {

View File

@ -753,7 +753,7 @@ int var_smtp_mxsess_limit;
int var_smtp_cache_conn;
int var_smtp_reuse_time;
char *var_smtp_cache_dest;
char *var_scache_service;
char *var_scache_service; /* You can now leave this here. */
bool var_smtp_cache_demand;
char *var_smtp_ehlo_dis_words;
char *var_smtp_ehlo_dis_maps;