mirror of https://github.com/vdukhovni/postfix synced 2025-08-30 13:48:06 +00:00

postfix-2.3-20050404

Wietse Venema
2005-04-04 00:00:00 -05:00
committed by Viktor Dukhovni
parent e060cb9490
commit e6fad12921
22 changed files with 409 additions and 728 deletions

View File

@@ -10606,6 +10606,22 @@ Apologies for any names omitted.
specific to 8bit->7bit conversion; they can also happen
with generic address mapping. File: smtp/smtp_proto.c.
Safety: SASL 2.1.19 has a version lookup routine that we
can use to detect compile time / run time version mis-matches
(also known as DLL hell). Files: src/smtpd/smtpd_sasl_glue.c,
src/smtp/smtp_sasl_glue.c, src/lmtp/lmtp_sasl_glue.c.
20050404
Typo: missing comma after dsn=x.yy.zz logging. File:
global/log_adhoc.c.
Feature: specify "smtpd_sasl_authenticated_header = yes"
to report the SASL login name in the Received: message
header, so that the login name is shared with the whole
world. Based on code by Branko F. Gracnar. Files:
smtpd/smtpd.c, and documentation.
Open problems:
Med: disable header address rewriting after XCLIENT?
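Review bot: The 20050404 "Feature:" entry for smtpd_sasl_authenticated_header says the login name is "shared with the whole world" but does not say that the parameter has to be set to "yes" before anything changes. State the default in the entry (the postconf(5) text in this commit gives "default: no"), so that someone reading HISTORY does not conclude that existing installations start disclosing login names after an upgrade.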

View File

@@ -20,14 +20,6 @@ When receiving mail, Postfix logs the client-provided username, authentication
method, and sender address to the maillog file, and optionally grants mail
access via the permit_sasl_authenticated UCE restriction.
Postfix does not record the client's SASL authentication information in message
headers, and does not pass it on via SMTP commands when forwarding mail,
because it is no-one else's business to know the client username and
authentication method. People who need to know can find the information in the
local Postfix maillog file. Some day, Postfix message headers will be
configurable and then one can record the SASL username without having to edit C
code.
This document covers the following topics:
* What SASL versions are supported
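Review bot: Dropping the paragraph that begins "Postfix does not record the client's SASL authentication information in message headers" also drops the only statement in this introduction of what Postfix does by default and why. Keep a shortened form of it, for example that SASL login information is not recorded in message headers unless smtpd_sasl_authenticated_header is enabled, is not passed on via SMTP commands when forwarding, and can always be found in the local maillog file. An operator deciding whether to enable the new setting still needs that baseline.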
@@ -123,6 +115,14 @@ In order to allow mail relaying by authenticated clients:
smtpd_recipient_restrictions =
permit_mynetworks permit_sasl_authenticated ...
To report SASL login names in Received: message headers (Postfix version 2.3
and later):
/etc/postfix/main.cf:
smtpd_sasl_authenticated_header = yes
Note: the SASL login names will be shared with the entire world.
In /usr/local/lib/sasl/smtpd.conf (SASL version 1.5.5) or /usr/local/lib/sasl2/
smtpd.conf (SASL version 2.1.1) you need to specify how the server should
validate client passwords.
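Review bot: The line "Note: the SASL login names will be shared with the entire world." after the main.cf example gives the consequence but neither the default nor the mechanism. Say that the setting is off by default and that the login name is written into the Received: header, so it stays with the message for every recipient and every archive the message reaches. That lets the reader judge the exposure when login names double as account names.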

View File

@@ -262,8 +262,9 @@ To invoke this service you would specify "check_policy_service inet:127.0.0.1:
GGrreeyylliissttiinngg mmaaiill ffrroomm ffrreeqquueennttllyy ffoorrggeedd ddoommaaiinnss
It is relatively safe to turn on greylisting for specific domains that often
appear in forged email. A list of frequently forged MAIL FROM domains can be
found at http://www.monkeys.com/anti-spam/filtering/sender-domain-validate.in.
appear in forged email. At some point in cyberspace/time a list of frequently
forged MAIL FROM domains could be found at http://www.monkeys.com/anti-spam/
filtering/sender-domain-validate.in.
1 /etc/postfix/main.cf:
2 smtpd_recipient_restrictions =
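Review bot: The rewritten sentence "At some point in cyberspace/time a list of frequently forged MAIL FROM domains could be found at ..." hints that the list may be gone but still presents the URL as the source for the example that follows. State plainly whether the list is still published there, and if it is not, tell administrators to compile their own list of frequently forged domains, so that nobody fills a greylisting table from whatever that address serves today.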

View File

@@ -37,15 +37,6 @@ authentication method, and sender address to the maillog file, and
optionally grants mail access via the <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>
UCE restriction. </p>
<p> Postfix does not record the client's SASL authentication
information in message headers, and does not pass it on via SMTP
commands when forwarding mail, because it is no-one else's business
to know the client username and authentication method. People who
need to know can find the information in the local Postfix maillog
file. Some day, Postfix message headers will be configurable and
then one can record the SASL username without having to edit C
code. </p>
<p>This document covers the following topics: </p>
<ul>
@@ -191,6 +182,19 @@ SMTP server</a></h2>
</pre>
</blockquote>
<p> To report SASL login names in Received: message headers
(Postfix version 2.3 and later): </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
<a href="postconf.5.html#smtpd_sasl_authenticated_header">smtpd_sasl_authenticated_header</a> = yes
</pre>
</blockquote>
<p> Note: the SASL login names will be shared with the entire world.
</p>
<p> In /usr/local/lib/sasl/smtpd.conf (SASL version 1.5.5) or
/usr/local/lib/sasl2/smtpd.conf (SASL version 2.1.1) you need to
specify how the server should validate client passwords. </p>

View File

@@ -374,8 +374,9 @@ inet:127.0.0.1:9998". </p>
<h2><a name="frequent">Greylisting mail from frequently forged domains</a></h2>
<p> It is relatively safe to turn on greylisting for specific
domains that often appear in forged email. A list of frequently
forged MAIL FROM domains can be found at
domains that often appear in forged email. At some point
in cyberspace/time a list of frequently
forged MAIL FROM domains could be found at
<a href="http://www.monkeys.com/anti-spam/filtering/sender-domain-validate.in">http://www.monkeys.com/anti-spam/filtering/sender-domain-validate.in</a>.
<blockquote>
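Review bot: In this HTML copy the sentence now says the list "could be found" at the monkeys.com address, yet the anchor element around the URL is left as a live link. Drop the anchor and keep the URL as plain text, so the rendered documentation does not send readers to a site that the text itself no longer vouches for.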

View File

@@ -8261,6 +8261,17 @@ See the <a href="SASL_README.html">SASL_README</a> file for SASL configuration a
</p>
</DD>
<DT><b><a name="smtpd_sasl_authenticated_header">smtpd_sasl_authenticated_header</a>
(default: no)</b></DT><DD>
<p> Report the SASL authenticated user name in the <a href="smtpd.8.html">smtpd(8)</a> Received
message header. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
</DD>
<DT><b><a name="smtpd_sasl_exceptions_networks">smtpd_sasl_exceptions_networks</a>
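Review bot: The new smtpd_sasl_authenticated_header entry is a single descriptive sentence and omits the warning that SASL_README gains in this same commit ("the SASL login names will be shared with the entire world"). Repeat that warning here, because postconf(5) is where an administrator looks a parameter up before setting it, and add a pointer to SASL_README as the preceding entry does.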

View File

@@ -227,99 +227,105 @@ SMTPD(8) SMTPD(8)
What SMTP clients Postfix will not offer AUTH sup-
port to.
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#smtpd_sasl_authenticated_header">smtpd_sasl_authenticated_header</a> (no)</b>
Report the SASL authenticated user name in the
<a href="smtpd.8.html"><b>smtpd</b>(8)</a> Received message header.
<b>STARTTLS SUPPORT CONTROLS</b>
Detailed information about STARTTLS configuration may be
Detailed information about STARTTLS configuration may be
found in the <a href="TLS_README.html">TLS_README</a> document.
<b><a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> (no)</b>
Opportunistic mode: announce STARTTLS support to
SMTP clients, but do not require that clients use
Opportunistic mode: announce STARTTLS support to
SMTP clients, but do not require that clients use
TLS encryption.
<b><a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> (no)</b>
Enforcement mode: announce STARTTLS support to SMTP
clients, and require that clients use TLS encryp-
clients, and require that clients use TLS encryp-
tion.
<b><a href="postconf.5.html#smtpd_sasl_tls_security_options">smtpd_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_secu</a>-</b>
<b><a href="postconf.5.html#smtpd_sasl_security_options">rity_options</a>)</b>
The SASL authentication security options that the
Postfix SMTP server uses for TLS encrypted SMTP
The SASL authentication security options that the
Postfix SMTP server uses for TLS encrypted SMTP
sessions.
<b><a href="postconf.5.html#smtpd_starttls_timeout">smtpd_starttls_timeout</a> (300s)</b>
The time limit for Postfix SMTP server write and
read operations during TLS startup and shutdown
The time limit for Postfix SMTP server write and
read operations during TLS startup and shutdown
handshake procedures.
<b><a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> (empty)</b>
The file with the certificate of the certification
authority (CA) that issued the Postfix SMTP server
The file with the certificate of the certification
authority (CA) that issued the Postfix SMTP server
certificate.
<b><a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> (empty)</b>
The file with the certificate of the certification
authority (CA) that issued the Postfix SMTP server
The file with the certificate of the certification
authority (CA) that issued the Postfix SMTP server
certificate.
<b><a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> (no)</b>
Ask a remote SMTP client for a client certificate.
Ask a remote SMTP client for a client certificate.
<b><a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> (no)</b>
When TLS encryption is optional in the Postfix SMTP
server, do not announce or accept SASL authentica-
server, do not announce or accept SASL authentica-
tion over unencrypted connections.
<b><a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verifydepth</a> (5)</b>
The verification depth for remote SMTP client cer-
The verification depth for remote SMTP client cer-
tificates.
<b><a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> (empty)</b>
File with the Postfix SMTP server RSA certificate
File with the Postfix SMTP server RSA certificate
in PEM format.
<b><a href="postconf.5.html#smtpd_tls_cipherlist">smtpd_tls_cipherlist</a> (empty)</b>
Controls the Postfix SMTP server TLS cipher selec-
Controls the Postfix SMTP server TLS cipher selec-
tion scheme.
<b><a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a> (empty)</b>
File with the Postfix SMTP server DSA certificate
File with the Postfix SMTP server DSA certificate
in PEM format.
<b><a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a> (empty)</b>
File with DH parameters that the Postfix SMTP
server should use with EDH ciphers.
<b><a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a> (empty)</b>
File with DH parameters that the Postfix SMTP
server should use with EDH ciphers.
<b><a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a> (empty)</b>
File with DH parameters that the Postfix SMTP
server should use with EDH ciphers.
<b><a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a> ($<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b>
File with the Postfix SMTP server DSA private key
File with the Postfix SMTP server DSA private key
in PEM format.
<b><a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> ($<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b>
File with the Postfix SMTP server RSA private key
File with the Postfix SMTP server RSA private key
in PEM format.
<b><a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> (0)</b>
Enable additional Postfix SMTP server logging of
Enable additional Postfix SMTP server logging of
TLS activity.
<b><a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> (no)</b>
Request that the Postfix SMTP server produces
Received: message headers that include information
about the protocol and cipher used, as well as the
client CommonName and client certificate issuer
about the protocol and cipher used, as well as the
client CommonName and client certificate issuer
CommonName.
<b><a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> (no)</b>
When TLS encryption is enforced, require a remote
SMTP client certificate in order to allow TLS con-
When TLS encryption is enforced, require a remote
SMTP client certificate in order to allow TLS con-
nections to proceed.
<b><a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> (empty)</b>
Name of the file containing the optional Postfix
Name of the file containing the optional Postfix
SMTP server TLS session cache.
<b><a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> (3600s)</b>
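Review bot: The only functional change in this hunk is the new "Available in Postfix version 2.3 and later" block for smtpd_sasl_authenticated_header at the top; the remaining lines repeat existing STARTTLS entries with what looks like whitespace-only differences, which buries the addition. Regenerate the formatted manual page in a separate commit, or normalise the whitespace so that unchanged entries do not show up as changed. While here, smtpd_tls_CAfile and smtpd_tls_dh512_param_file each appear to be listed twice with the same description, which is worth checking against the smtpd(8) source.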
@@ -327,70 +333,70 @@ SMTPD(8) SMTPD(8)
sion cache information.
<b><a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a> (no)</b>
Run the Postfix SMTP server in the non-standard
"wrapper" mode, instead of using the STARTTLS com-
Run the Postfix SMTP server in the non-standard
"wrapper" mode, instead of using the STARTTLS com-
mand.
<b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
server in order to seed its internal pseudo random
The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
server in order to seed its internal pseudo random
number generator (PRNG).
<b>VERP SUPPORT CONTROLS</b>
With VERP style delivery, each recipient of a message
With VERP style delivery, each recipient of a message
receives a customized copy of the message with his/her own
recipient address encoded in the envelope sender address.
recipient address encoded in the envelope sender address.
The <a href="VERP_README.html">VERP_README</a> file describes configuration and operation
details of Postfix support for variable envelope return
details of Postfix support for variable envelope return
path addresses. VERP style delivery is requested with the
SMTP XVERP command or with the "sendmail -V" command-line
option and is available in Postfix version 1.1 and later.
SMTP XVERP command or with the "sendmail -V" command-line
option and is available in Postfix version 1.1 and later.
<b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a> (+=)</b>
The two default VERP delimiter characters.
<b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b>
The characters Postfix accepts as VERP delimiter
characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
The characters Postfix accepts as VERP delimiter
characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
and in SMTP commands.
Available in Postfix version 1.1 and 2.0:
<b><a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
What SMTP clients are allowed to specify the XVERP
What SMTP clients are allowed to specify the XVERP
command.
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtpd_authorized_verp_clients">smtpd_authorized_verp_clients</a> ($<a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a>)</b>
What SMTP clients are allowed to specify the XVERP
What SMTP clients are allowed to specify the XVERP
command.
<b>TROUBLE SHOOTING CONTROLS</b>
The <a href="DEBUG_README.html">DEBUG_README</a> document describes how to debug parts of
the Postfix mail system. The methods vary from making the
software log a lot of detail, to running some daemon pro-
The <a href="DEBUG_README.html">DEBUG_README</a> document describes how to debug parts of
the Postfix mail system. The methods vary from making the
software log a lot of detail, to running some daemon pro-
cesses under control of a call tracer or debugger.
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
The increment in verbose logging level when a
remote client or server matches a pattern in the
The increment in verbose logging level when a
remote client or server matches a pattern in the
<a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
Optional list of remote client or server hostname
or network address patterns that cause the verbose
logging level to increase by the amount specified
Optional list of remote client or server hostname
or network address patterns that cause the verbose
logging level to increase by the amount specified
in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
The recipient of postmaster notifications about
mail delivery problems that are caused by policy,
The recipient of postmaster notifications about
mail delivery problems that are caused by policy,
resource, software or protocol errors.
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
The list of error classes that are reported to the
The list of error classes that are reported to the
postmaster.
<b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
@@ -400,22 +406,22 @@ SMTPD(8) SMTPD(8)
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtpd_authorized_xclient_hosts">smtpd_authorized_xclient_hosts</a> (empty)</b>
What SMTP clients are allowed to use the XCLIENT
What SMTP clients are allowed to use the XCLIENT
feature.
<b>KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS</b>
As of Postfix version 2.0, the SMTP server rejects mail
for unknown recipients. This prevents the mail queue from
clogging up with undeliverable MAILER-DAEMON messages.
Additional information on this topic is in the
As of Postfix version 2.0, the SMTP server rejects mail
for unknown recipients. This prevents the mail queue from
clogging up with undeliverable MAILER-DAEMON messages.
Additional information on this topic is in the
<a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a> and <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> documents.
<b><a href="postconf.5.html#show_user_unknown_table_name">show_user_unknown_table_name</a> (yes)</b>
Display the name of the recipient table in the
Display the name of the recipient table in the
"User unknown" responses.
<b><a href="postconf.5.html#canonical_maps">canonical_maps</a> (empty)</b>
Optional address mapping lookup tables for message
Optional address mapping lookup tables for message
headers and envelopes.
<b><a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> (empty)</b>
@@ -426,7 +432,7 @@ SMTPD(8) SMTPD(8)
<b><a href="postconf.5.html#mydestination">mydestination</a> ($<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, local-</b>
<b>host)</b>
The list of domains that are delivered via the
The list of domains that are delivered via the
$<a href="postconf.5.html#local_transport">local_transport</a> mail delivery transport.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
@@ -435,188 +441,188 @@ SMTPD(8) SMTPD(8)
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The network interface addresses that this mail sys-
tem receives mail on by way of a proxy or network
tem receives mail on by way of a proxy or network
address translation unit.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
The Internet protocols Postfix will attempt to use
The Internet protocols Postfix will attempt to use
when making or accepting connections.
<b><a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> (<a href="proxymap.8.html">proxy</a>:unix:passwd.byname</b>
<b>$<a href="postconf.5.html#alias_maps">alias_maps</a>)</b>
Lookup tables with all names or addresses of local
recipients: a recipient address is local when its
domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or
Lookup tables with all names or addresses of local
recipients: a recipient address is local when its
domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or
$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>.
<b><a href="postconf.5.html#unknown_local_recipient_reject_code">unknown_local_recipient_reject_code</a> (550)</b>
The numerical Postfix SMTP server response code
when a recipient address is local, and
$<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies a list of lookup
The numerical Postfix SMTP server response code
when a recipient address is local, and
$<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies a list of lookup
tables that does not match the recipient.
Parameters concerning known/unknown recipients of relay
Parameters concerning known/unknown recipients of relay
destinations:
<b><a href="postconf.5.html#relay_domains">relay_domains</a> ($<a href="postconf.5.html#mydestination">mydestination</a>)</b>
What destination domains (and subdomains thereof)
What destination domains (and subdomains thereof)
this system will relay mail to.
<b><a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> (empty)</b>
Optional lookup tables with all valid addresses in
Optional lookup tables with all valid addresses in
the domains that match $<a href="postconf.5.html#relay_domains">relay_domains</a>.
<b><a href="postconf.5.html#unknown_relay_recipient_reject_code">unknown_relay_recipient_reject_code</a> (550)</b>
The numerical Postfix SMTP server reply code when a
recipient address matches $<a href="postconf.5.html#relay_domains">relay_domains</a>, and
<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> specifies a list of lookup
recipient address matches $<a href="postconf.5.html#relay_domains">relay_domains</a>, and
<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> specifies a list of lookup
tables that does not match the recipient address.
Parameters concerning known/unknown recipients in virtual
Parameters concerning known/unknown recipients in virtual
alias domains:
<b><a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> ($<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>)</b>
Postfix is final destination for the specified list
of virtual alias domains, that is, domains for
which all addresses are aliased to addresses in
of virtual alias domains, that is, domains for
which all addresses are aliased to addresses in
other local or remote domains.
<b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> ($<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b>
Optional lookup tables that alias specific mail
addresses or domains to other local or remote
Optional lookup tables that alias specific mail
addresses or domains to other local or remote
address.
<b><a href="postconf.5.html#unknown_virtual_alias_reject_code">unknown_virtual_alias_reject_code</a> (550)</b>
The SMTP server reply code when a recipient address
matches $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, and $<a href="postconf.5.html#virtual_alias_maps">vir</a>-
<a href="postconf.5.html#virtual_alias_maps">tual_alias_maps</a> specifies a list of lookup tables
matches $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, and $<a href="postconf.5.html#virtual_alias_maps">vir</a>-
<a href="postconf.5.html#virtual_alias_maps">tual_alias_maps</a> specifies a list of lookup tables
that does not match the recipient address.
Parameters concerning known/unknown recipients in virtual
Parameters concerning known/unknown recipients in virtual
mailbox domains:
<b><a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> ($<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>)</b>
Postfix is final destination for the specified list
of domains; mail is delivered via the $<a href="postconf.5.html#virtual_transport">vir</a>-
of domains; mail is delivered via the $<a href="postconf.5.html#virtual_transport">vir</a>-
<a href="postconf.5.html#virtual_transport">tual_transport</a> mail delivery transport.
<b><a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> (empty)</b>
Optional lookup tables with all valid addresses in
Optional lookup tables with all valid addresses in
the domains that match $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.
<b><a href="postconf.5.html#unknown_virtual_mailbox_reject_code">unknown_virtual_mailbox_reject_code</a> (550)</b>
The SMTP server reply code when a recipient address
matches $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and $<a href="postconf.5.html#virtual_mailbox_maps">vir</a>-
matches $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and $<a href="postconf.5.html#virtual_mailbox_maps">vir</a>-
<a href="postconf.5.html#virtual_mailbox_maps">tual_mailbox_maps</a> specifies a list of lookup tables
that does not match the recipient address.
<b>RESOURCE AND RATE CONTROLS</b>
The following parameters limit resource usage by the SMTP
The following parameters limit resource usage by the SMTP
server and/or control client request rates.
<b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
Upon input, long lines are chopped up into pieces
of at most this length; upon delivery, long lines
Upon input, long lines are chopped up into pieces
of at most this length; upon delivery, long lines
are reconstructed.
<b><a href="postconf.5.html#queue_minfree">queue_minfree</a> (0)</b>
The minimal amount of free space in bytes in the
The minimal amount of free space in bytes in the
queue file system that is needed to receive mail.
<b><a href="postconf.5.html#message_size_limit">message_size_limit</a> (10240000)</b>
The maximal size in bytes of a message, including
The maximal size in bytes of a message, including
envelope information.
<b><a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a> (1000)</b>
The maximal number of recipients that the Postfix
The maximal number of recipients that the Postfix
SMTP server accepts per message delivery request.
<b><a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> (300s)</b>
The time limit for sending a Postfix SMTP server
response and for receiving a remote SMTP client
The time limit for sending a Postfix SMTP server
response and for receiving a remote SMTP client
request.
<b><a href="postconf.5.html#smtpd_history_flush_threshold">smtpd_history_flush_threshold</a> (100)</b>
The maximal number of lines in the Postfix SMTP
server command history before it is flushed upon
The maximal number of lines in the Postfix SMTP
server command history before it is flushed upon
receipt of EHLO, RSET, or end of DATA.
The per SMTP client connection count and request rate lim-
its are implemented in co-operation with the <a href="anvil.8.html"><b>anvil</b>(8)</a> ser-
vice, and are available in Postfix version 2.2 and later.
vice, and are available in Postfix version 2.2 and later.
<b><a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a> (50)</b>
How many simultaneous connections any client is
How many simultaneous connections any client is
allowed to make to this service.
<b><a href="postconf.5.html#smtpd_client_connection_rate_limit">smtpd_client_connection_rate_limit</a> (0)</b>
The maximal number of connection attempts any
client is allowed to make to this service per time
client is allowed to make to this service per time
unit.
<b><a href="postconf.5.html#smtpd_client_message_rate_limit">smtpd_client_message_rate_limit</a> (0)</b>
The maximal number of message delivery requests
that any client is allowed to make to this service
The maximal number of message delivery requests
that any client is allowed to make to this service
per time unit, regardless of whether or not Postfix
actually accepts those messages.
<b><a href="postconf.5.html#smtpd_client_recipient_rate_limit">smtpd_client_recipient_rate_limit</a> (0)</b>
The maximal number of recipient addresses that any
client is allowed to send to this service per time
The maximal number of recipient addresses that any
client is allowed to send to this service per time
unit, regardless of whether or not Postfix actually
accepts those recipients.
<b><a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
Clients that are excluded from connection count,
Clients that are excluded from connection count,
connection rate, or SMTP request rate restrictions.
<b>TARPIT CONTROLS</b>
When a remote SMTP client makes errors, the Postfix SMTP
server can insert delays before responding. This can help
to slow down run-away software. The behavior is con-
trolled by an error counter that counts the number of
errors within an SMTP session that a client makes without
When a remote SMTP client makes errors, the Postfix SMTP
server can insert delays before responding. This can help
to slow down run-away software. The behavior is con-
trolled by an error counter that counts the number of
errors within an SMTP session that a client makes without
delivering mail.
<b><a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a> (1s)</b>
With Postfix 2.1 and later: the SMTP server
response delay after a client has made more than
$<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> errors, and fewer than
$<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> errors, without delivering
With Postfix 2.1 and later: the SMTP server
response delay after a client has made more than
$<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> errors, and fewer than
$<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> errors, without delivering
mail.
<b><a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> (10)</b>
The number of errors a remote SMTP client is
allowed to make without delivering mail before the
The number of errors a remote SMTP client is
allowed to make without delivering mail before the
Postfix SMTP server slows down all its responses.
<b><a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> (20)</b>
The maximal number of errors a remote SMTP client
The maximal number of errors a remote SMTP client
is allowed to make without delivering mail.
<b><a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> (100)</b>
The number of junk commands (NOOP, VRFY, ETRN or
The number of junk commands (NOOP, VRFY, ETRN or
RSET) that a remote SMTP client can send before the
Postfix SMTP server starts to increment the error
Postfix SMTP server starts to increment the error
counter with each junk command.
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtpd_recipient_overshoot_limit">smtpd_recipient_overshoot_limit</a> (1000)</b>
The number of recipients that a remote SMTP client
can send in excess of the limit specified with
The number of recipients that a remote SMTP client
can send in excess of the limit specified with
$<a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a>, before the Postfix SMTP
server increments the per-session error count for
server increments the per-session error count for
each excess recipient.
<b>ACCESS POLICY DELEGATION CONTROLS</b>
As of version 2.1, Postfix can be configured to delegate
access policy decisions to an external server that runs
outside Postfix. See the file <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a> for
As of version 2.1, Postfix can be configured to delegate
access policy decisions to an external server that runs
outside Postfix. See the file <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a> for
more information.
<b><a href="postconf.5.html#smtpd_policy_service_max_idle">smtpd_policy_service_max_idle</a> (300s)</b>
The time after which an idle SMTPD policy service
The time after which an idle SMTPD policy service
connection is closed.
<b><a href="postconf.5.html#smtpd_policy_service_max_ttl">smtpd_policy_service_max_ttl</a> (1000s)</b>
@@ -624,161 +630,161 @@ SMTPD(8) SMTPD(8)
connection is closed.
<b><a href="postconf.5.html#smtpd_policy_service_timeout">smtpd_policy_service_timeout</a> (100s)</b>
The time limit for connecting to, writing to or
The time limit for connecting to, writing to or
receiving from a delegated SMTPD policy server.
<b>ACCESS CONTROLS</b>
The <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a> document gives an introduction to
The <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a> document gives an introduction to
all the SMTP server access control features.
<b><a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> (yes)</b>
Wait until the RCPT TO command before evaluating
Wait until the RCPT TO command before evaluating
$<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>, $smtpd_helo_restric-
tions and $<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a>, or wait until
the ETRN command before evaluating
the ETRN command before evaluating
$<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> and $smtpd_helo_restric-
tions.
<b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf -d' out-</b>
<b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf -d' out-</b>
<b>put)</b>
What Postfix features match subdomains of
"domain.tld" automatically, instead of requiring an
explicit ".domain.tld" pattern.
<b><a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> (empty)</b>
Optional SMTP server access restrictions in the
Optional SMTP server access restrictions in the
context of a client SMTP connection request.
<b><a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> (no)</b>
Require that a remote SMTP client introduces itself
at the beginning of an SMTP session with the HELO
at the beginning of an SMTP session with the HELO
or EHLO command.
<b><a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> (empty)</b>
Optional restrictions that the Postfix SMTP server
Optional restrictions that the Postfix SMTP server
applies in the context of the SMTP HELO command.
<b><a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> (empty)</b>
Optional restrictions that the Postfix SMTP server
Optional restrictions that the Postfix SMTP server
applies in the context of the MAIL FROM command.
<b><a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,</b>
<b><a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>)</b>
The access restrictions that the Postfix SMTP
server applies in the context of the RCPT TO com-
server applies in the context of the RCPT TO com-
mand.
<b><a href="postconf.5.html#smtpd_etrn_restrictions">smtpd_etrn_restrictions</a> (empty)</b>
Optional SMTP server access restrictions in the
Optional SMTP server access restrictions in the
context of a client ETRN request.
<b><a href="postconf.5.html#allow_untrusted_routing">allow_untrusted_routing</a> (no)</b>
Forward mail with sender-specified routing
(user[@%!]remote[@%!]site) from untrusted clients
Forward mail with sender-specified routing
(user[@%!]remote[@%!]site) from untrusted clients
to destinations matching $<a href="postconf.5.html#relay_domains">relay_domains</a>.
<b><a href="postconf.5.html#smtpd_restriction_classes">smtpd_restriction_classes</a> (empty)</b>
User-defined aliases for groups of access restric-
User-defined aliases for groups of access restric-
tions.
<b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a> (</b>&lt;&gt;<b>)</b>
The lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a> tables
The lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a> tables
instead of the null sender address.
<b><a href="postconf.5.html#permit_mx_backup_networks">permit_mx_backup_networks</a> (empty)</b>
Restrict the use of the <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> SMTP
access feature to only domains whose primary MX
access feature to only domains whose primary MX
hosts match the listed networks.
Available in Postfix version 2.0 and later:
<b><a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> (empty)</b>
Optional access restrictions that the Postfix SMTP
Optional access restrictions that the Postfix SMTP
server applies in the context of the SMTP DATA com-
mand.
<b><a href="postconf.5.html#smtpd_expansion_filter">smtpd_expansion_filter</a> (see 'postconf -d' output)</b>
What characters are allowed in $name expansions of
What characters are allowed in $name expansions of
RBL reply templates.
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> (no)</b>
Request that the Postfix SMTP server rejects mail
from unknown sender addresses, even when no
explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access restriction
Request that the Postfix SMTP server rejects mail
from unknown sender addresses, even when no
explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access restriction
is specified.
<b><a href="postconf.5.html#smtpd_reject_unlisted_recipient">smtpd_reject_unlisted_recipient</a> (yes)</b>
Request that the Postfix SMTP server rejects mail
Request that the Postfix SMTP server rejects mail
for unknown recipient addresses, even when no
explicit <a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a> access restric-
explicit <a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a> access restric-
tion is specified.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a> (empty)</b>
Optional access restrictions that the Postfix SMTP
server applies in the context of the SMTP END-OF-
Optional access restrictions that the Postfix SMTP
server applies in the context of the SMTP END-OF-
DATA command.
<b>SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS</b>
Postfix version 2.1 introduces sender and recipient
address verification. This feature is implemented by
sending probe email messages that are not actually deliv-
ered. This feature is requested via the <a href="postconf.5.html#reject_unverified_sender">reject_unveri</a>-
<a href="postconf.5.html#reject_unverified_sender">fied_sender</a> and <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> access
restrictions. The status of verification probes is main-
Postfix version 2.1 introduces sender and recipient
address verification. This feature is implemented by
sending probe email messages that are not actually deliv-
ered. This feature is requested via the <a href="postconf.5.html#reject_unverified_sender">reject_unveri</a>-
<a href="postconf.5.html#reject_unverified_sender">fied_sender</a> and <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> access
restrictions. The status of verification probes is main-
tained by the <a href="verify.8.html"><b>verify</b>(8)</a> server. See the file <a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VER</a>-
<a href="ADDRESS_VERIFICATION_README.html">IFICATION_README</a> for information about how to configure
<a href="ADDRESS_VERIFICATION_README.html">IFICATION_README</a> for information about how to configure
and operate the Postfix sender/recipient address verifica-
tion service.
<b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (3)</b>
How many times to query the <a href="verify.8.html"><b>verify</b>(8)</a> service for
the completion of an address verification request
How many times to query the <a href="verify.8.html"><b>verify</b>(8)</a> service for
the completion of an address verification request
in progress.
<b><a href="postconf.5.html#address_verify_poll_delay">address_verify_poll_delay</a> (3s)</b>
The delay between queries for the completion of an
The delay between queries for the completion of an
address verification request in progress.
<b><a href="postconf.5.html#address_verify_sender">address_verify_sender</a> (postmaster)</b>
The sender address to use in address verification
The sender address to use in address verification
probes.
<b><a href="postconf.5.html#unverified_sender_reject_code">unverified_sender_reject_code</a> (450)</b>
The numerical Postfix SMTP server response code
when a recipient address is rejected by the
The numerical Postfix SMTP server response code
when a recipient address is rejected by the
<a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> restriction.
<b><a href="postconf.5.html#unverified_recipient_reject_code">unverified_recipient_reject_code</a> (450)</b>
The numerical Postfix SMTP server response when a
The numerical Postfix SMTP server response when a
recipient address is rejected by the <a href="postconf.5.html#reject_unverified_recipient">reject_unveri</a>-
<a href="postconf.5.html#reject_unverified_recipient">fied_recipient</a> restriction.
<b>ACCESS CONTROL RESPONSES</b>
The following parameters control numerical SMTP reply
The following parameters control numerical SMTP reply
codes and/or text responses.
<b><a href="postconf.5.html#access_map_reject_code">access_map_reject_code</a> (554)</b>
The numerical Postfix SMTP server response code
when a client is rejected by an <a href="access.5.html"><b>access</b>(5)</a> map
The numerical Postfix SMTP server response code
when a client is rejected by an <a href="access.5.html"><b>access</b>(5)</a> map
restriction.
<b><a href="postconf.5.html#defer_code">defer_code</a> (450)</b>
The numerical Postfix SMTP server response code
when a remote SMTP client request is rejected by
The numerical Postfix SMTP server response code
when a remote SMTP client request is rejected by
the "defer" restriction.
<b><a href="postconf.5.html#invalid_hostname_reject_code">invalid_hostname_reject_code</a> (501)</b>
The numerical Postfix SMTP server response code
when the client HELO or EHLO command parameter is
rejected by the <a href="postconf.5.html#reject_invalid_hostname">reject_invalid_hostname</a> restric-
The numerical Postfix SMTP server response code
when the client HELO or EHLO command parameter is
rejected by the <a href="postconf.5.html#reject_invalid_hostname">reject_invalid_hostname</a> restric-
tion.
<b><a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> (554)</b>
The numerical Postfix SMTP server response code
The numerical Postfix SMTP server response code
when a remote SMTP client request is blocked by the
<a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>, <a href="postconf.5.html#reject_rhsbl_client">reject_rhsbl_client</a>,
<a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> or <a href="postconf.5.html#reject_rhsbl_recipient">reject_rhsbl_recipient</a>
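Review bot: The description of unverified_sender_reject_code in this hunk says "when a recipient address is rejected by the reject_unverified_sender restriction", which looks like a copy of the unverified_recipient_reject_code text and should read "sender address". The reflow carries the wording over unchanged on both sides, so correct it in the text this page is generated from rather than in the HTML alone.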
@@ -786,47 +792,47 @@ SMTPD(8) SMTPD(8)
<b><a href="postconf.5.html#non_fqdn_reject_code">non_fqdn_reject_code</a> (504)</b>
The numerical Postfix SMTP server reply code when a
client request is rejected by the
client request is rejected by the
<a href="postconf.5.html#reject_non_fqdn_hostname">reject_non_fqdn_hostname</a>, <a href="postconf.5.html#reject_non_fqdn_sender">reject_non_fqdn_sender</a> or
<a href="postconf.5.html#reject_non_fqdn_recipient">reject_non_fqdn_recipient</a> restriction.
<b><a href="postconf.5.html#reject_code">reject_code</a> (554)</b>
The numerical Postfix SMTP server response code
when a remote SMTP client request is rejected by
The numerical Postfix SMTP server response code
when a remote SMTP client request is rejected by
the "reject" restriction.
<b><a href="postconf.5.html#relay_domains_reject_code">relay_domains_reject_code</a> (554)</b>
The numerical Postfix SMTP server response code
when a client request is rejected by the
The numerical Postfix SMTP server response code
when a client request is rejected by the
<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> recipient restriction.
<b><a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> (450)</b>
The numerical Postfix SMTP server response code
when a sender or recipient address is rejected by
The numerical Postfix SMTP server response code
when a sender or recipient address is rejected by
the <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> or
<a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a> restriction.
<b><a href="postconf.5.html#unknown_client_reject_code">unknown_client_reject_code</a> (450)</b>
The numerical Postfix SMTP server response code
when a client without valid address &lt;=&gt; name map-
ping is rejected by the <a href="postconf.5.html#reject_unknown_client">reject_unknown_client</a>
The numerical Postfix SMTP server response code
when a client without valid address &lt;=&gt; name map-
ping is rejected by the <a href="postconf.5.html#reject_unknown_client">reject_unknown_client</a>
restriction.
<b><a href="postconf.5.html#unknown_hostname_reject_code">unknown_hostname_reject_code</a> (450)</b>
The numerical Postfix SMTP server response code
when the hostname specified with the HELO or EHLO
command is rejected by the <a href="postconf.5.html#reject_unknown_hostname">reject_unknown_hostname</a>
The numerical Postfix SMTP server response code
when the hostname specified with the HELO or EHLO
command is rejected by the <a href="postconf.5.html#reject_unknown_hostname">reject_unknown_hostname</a>
restriction.
Available in Postfix version 2.0 and later:
<b><a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> (see 'postconf -d' output)</b>
The default SMTP server response template for a
request that is rejected by an RBL-based restric-
The default SMTP server response template for a
request that is rejected by an RBL-based restric-
tion.
<b><a href="postconf.5.html#multi_recipient_bounce_reject_code">multi_recipient_bounce_reject_code</a> (550)</b>
The numerical Postfix SMTP server response code
The numerical Postfix SMTP server response code
when a remote SMTP client request is blocked by the
<a href="postconf.5.html#reject_multi_recipient_bounce">reject_multi_recipient_bounce</a> restriction.
@@ -835,16 +841,16 @@ SMTPD(8) SMTPD(8)
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix main.cf and
The default location of the Postfix main.cf and
master.cf configuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
How much time a Postfix daemon process may take to
handle a request before it is terminated by a
How much time a Postfix daemon process may take to
handle a request before it is terminated by a
built-in watchdog timer.
<b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
The location of all postfix administrative com-
The location of all postfix administrative com-
mands.
<b><a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a> (double-bounce)</b>
@@ -865,36 +871,36 @@ SMTPD(8) SMTPD(8)
and most Postfix daemon processes.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
daemon process waits for the next service request
The maximum amount of time that an idle Postfix
daemon process waits for the next service request
before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
The maximal number of connection requests before a
The maximal number of connection requests before a
Postfix daemon process terminates.
<b><a href="postconf.5.html#myhostname">myhostname</a> (see 'postconf -d' output)</b>
The internet hostname of this mail system.
<b><a href="postconf.5.html#mynetworks">mynetworks</a> (see 'postconf -d' output)</b>
The list of "trusted" SMTP clients that have more
The list of "trusted" SMTP clients that have more
privileges than "strangers".
<b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
The domain name that locally-posted mail appears to
come from, and that locally posted mail is deliv-
come from, and that locally posted mail is deliv-
ered to.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
The process ID of a Postfix command or daemon
The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
The process name of a Postfix command or daemon
The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
The location of the Postfix top-level queue direc-
The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
@@ -902,22 +908,22 @@ SMTPD(8) SMTPD(8)
sions (user+foo).
<b><a href="postconf.5.html#smtpd_banner">smtpd_banner</a> ($<a href="postconf.5.html#myhostname">myhostname</a> ESMTP $<a href="postconf.5.html#mail_name">mail_name</a>)</b>
The text that follows the 220 status code in the
The text that follows the 220 status code in the
SMTP greeting banner.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a> (CONNECT, GET, POST)</b>
List of commands that causes the Postfix SMTP
server to immediately terminate the session with a
List of commands that causes the Postfix SMTP
server to immediately terminate the session with a
221 code.
<b>SEE ALSO</b>
@@ -946,7 +952,7 @@ SMTPD(8) SMTPD(8)
<a href="XFORWARD_README.html">XFORWARD_README</a>, Postfix XFORWARD extension
<b>LICENSE</b>
The Secure Mailer license must be distributed with this
The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>

View File

@@ -4719,6 +4719,11 @@ specify "smtpd_delay_reject = yes" (which is the default) and use:
.ft R
.PP
See the SASL_README file for SASL configuration and operation details.
.SH smtpd_sasl_authenticated_header (default: no)
Report the SASL authenticated user name in the \fBsmtpd\fR(8) Received
message header.
.PP
This feature is available in Postfix 2.3 and later.
.SH smtpd_sasl_exceptions_networks (default: empty)
What SMTP clients Postfix will not offer AUTH support to.
.PP
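Review bot: The new smtpd_sasl_authenticated_header entry says what the parameter does but omits the disclosure consequence of setting it to "yes". The SASL_README change in this same commit carries a note for it ("the SASL login names will be shared with the entire world"); the parameter reference should say the same, since that is where an administrator looks before enabling the setting. The same wording is repeated in the other reference hunks of this commit and needs the same addition.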

View File

@@ -215,6 +215,11 @@ Optional lookup table with the SASL login names that own sender
Available in Postfix version 2.1 and later:
.IP "\fBsmtpd_sasl_exceptions_networks (empty)\fR"
What SMTP clients Postfix will not offer AUTH support to.
.PP
Available in Postfix version 2.3 and later:
.IP "\fBsmtpd_sasl_authenticated_header (no)\fR"
Report the SASL authenticated user name in the \fBsmtpd\fR(8) Received
message header.
.SH "STARTTLS SUPPORT CONTROLS"
.na
.nf

View File

@@ -400,6 +400,7 @@ while (<>) {
s;\bsmtpd_restriction_classes\b;<a href="postconf.5.html#smtpd_restriction_classes">$&</a>;g;
s;\bsmtpd_sasl_application_name\b;<a href="postconf.5.html#smtpd_sasl_application_name">$&</a>;g;
s;\bsmtpd_sasl_auth_enable\b;<a href="postconf.5.html#smtpd_sasl_auth_enable">$&</a>;g;
s;\bsmtpd_sasl_authenticated_header\b;<a href="postconf.5.html#smtpd_sasl_authenticated_header">$&</a>;g;
s;\bsmtpd_sasl_exceptions_networks\b;<a href="postconf.5.html#smtpd_sasl_exceptions_networks">$&</a>;g;
s;\bsmtpd_sasl_local_domain\b;<a href="postconf.5.html#smtpd_sasl_local_domain">$&</a>;g;
s;\bsmtpd_sasl_secu[-</Bb>]*\n* *[<Bb>]*rity_options\b;<a href="postconf.5.html#smtpd_sasl_security_options">$&</a>;g;

View File

@@ -37,15 +37,6 @@ authentication method, and sender address to the maillog file, and
optionally grants mail access via the permit_sasl_authenticated
UCE restriction. </p>
<p> Postfix does not record the client's SASL authentication
information in message headers, and does not pass it on via SMTP
commands when forwarding mail, because it is no-one else's business
to know the client username and authentication method. People who
need to know can find the information in the local Postfix maillog
file. Some day, Postfix message headers will be configurable and
then one can record the SASL username without having to edit C
code. </p>
<p>This document covers the following topics: </p>
<ul>
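Review bot: Deleting the whole "Postfix does not record the client's SASL authentication information in message headers" paragraph removes the document's only statement that, by default, the username and method stay in the local maillog and are not passed on in headers or via SMTP commands when forwarding. That remains the behaviour while smtpd_sasl_authenticated_header is left at its default of "no", so suggest keeping a shortened paragraph that states the default and points to the new parameter, and dropping only the "Some day, Postfix message headers will be configurable" sentence.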
@@ -191,6 +182,19 @@ SMTP server</a></h2>
</pre>
</blockquote>
<p> To report SASL login names in Received: message headers
(Postfix version 2.3 and later): </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
smtpd_sasl_authenticated_header = yes
</pre>
</blockquote>
<p> Note: the SASL login names will be shared with the entire world.
</p>
<p> In /usr/local/lib/sasl/smtpd.conf (SASL version 1.5.5) or
/usr/local/lib/sasl2/smtpd.conf (SASL version 2.1.1) you need to
specify how the server should validate client passwords. </p>
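Review bot: The note after the new example, "the SASL login names will be shared with the entire world", does not tell the reader where the name ends up or who sees it. Suggest stating that the login name is written into the Received: header this server adds, so it travels with the message to every later hop and to the recipients.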

View File

@@ -374,8 +374,9 @@ inet:127.0.0.1:9998". </p>
<h2><a name="frequent">Greylisting mail from frequently forged domains</a></h2>
<p> It is relatively safe to turn on greylisting for specific
domains that often appear in forged email. A list of frequently
forged MAIL FROM domains can be found at
domains that often appear in forged email. At some point
in cyberspace/time a list of frequently
forged MAIL FROM domains could be found at
http://www.monkeys.com/anti-spam/filtering/sender-domain-validate.in.
<blockquote>
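Review bot: The reworded sentence keeps a URL that its own wording ("At some point in cyberspace/time a list ... could be found at") signals is no longer dependable. If the list is gone or unmaintained, say so plainly and tell the reader to supply their own list of frequently forged domains instead of leaving the old pointer in place. Separately, the paragraph that opens with "It is relatively safe to turn on greylisting" has no closing </p> before the <blockquote> in the visible context.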

View File

@@ -5168,6 +5168,13 @@ specify "smtpd_delay_reject = yes" (which is the default) and use:
See the SASL_README file for SASL configuration and operation details.
</p>
%PARAM smtpd_sasl_authenticated_header no
<p> Report the SASL authenticated user name in the smtpd(8) Received
message header. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
%PARAM smtpd_sasl_exceptions_networks
<p>

View File

@@ -1,461 +0,0 @@
%CLASS install
%PARAM command_directory
%PARAM config_directory
%PARAM daemon_directory
%PARAM default_database_type
%PARAM mail_owner
%PARAM mail_spool_directory
%PARAM mailq_path
%PARAM manpage_directory
%PARAM newaliases_path
%PARAM process_id_directory
%PARAM queue_directory
%PARAM readme_directory
%PARAM sample_directory
%PARAM sendmail_path
%PARAM setgid_group
%CLASS postfix
%PARAM mail_release_date
%PARAM mail_version
%CLASS plumbing
%PARAM address_verify_service_name
%PARAM bounce_service_name
%PARAM cleanup_service_name
%PARAM defer_service_name
%PARAM error_service_name
%PARAM flush_service_name
%PARAM pickup_service_name
%PARAM queue_service_name
%PARAM rewrite_service_name
%PARAM showq_service_name
%PARAM trace_service_name
%CLASS security
%PARAM allow_min_user
%PARAM alternate_config_directories
%PARAM authorized_flush_users
%PARAM authorized_mailq_users
%PARAM authorized_submit_users
%PARAM default_privs
%PARAM import_environment
%PARAM proxy_read_maps
%CLASS local-security
%PARAM allow_mail_to_commands
%PARAM allow_mail_to_files
%PARAM command_expansion_filter
%PARAM local_command_shell
%CLASS address-verification
%PARAM address_verify_sender
%PARAM address_verify_service_name
%CLASS address-verification-caching
%PARAM address_verify_map
%PARAM address_verify_negative_cache
%PARAM address_verify_negative_expire_time
%PARAM address_verify_negative_refresh_time
%PARAM address_verify_positive_expire_time
%PARAM address_verify_positive_refresh_time
%CLASS address-verification-routing
%PARAM address_verify_default_transport
%PARAM address_verify_local_transport
%PARAM address_verify_relay_transport
%PARAM address_verify_relayhost
%PARAM address_verify_transport_maps
%PARAM address_verify_virtual_transport
%CLASS smtpd-address-verification
%PARAM address_verify_poll_count
%PARAM address_verify_poll_delay
%PARAM unverified_recipient_reject_code
%PARAM unverified_sender_reject_code
%class compatibility
%PARAM undisclosed_recipients_header
%PARAM allow_min_user
%PARAM backwards_bounce_logfile_compatibility
%CLASS local-compatibility
%PARAM sun_mailtool_compatibility
%PARAM allow_mail_to_commands
%PARAM allow_mail_to_files
%PARAM biff
%CLASS smtpd-compatibility
%PARAM broken_sasl_auth_clients
%PARAM disable_vrfy_command
%PARAM smtpd_helo_required
%PARAM smtpd_noop_commands
%PARAM smtpd_sasl_exceptions_networks
%PARAM strict_rfc821_envelopes
%CLASS smtp-compatibility
%PARAM ignore_mx_lookup_error
%PARAM smtp_always_send_ehlo
%PARAM smtp_defer_if_no_mx_address_found
%PARAM smtp_host_lookup
%PARAM smtp_line_length_limit
%PARAM smtp_never_send_ehlo
%PARAM smtp_pix_workaround_delay_time
%PARAM smtp_pix_workaround_threshold_time
%PARAM smtp_quote_rfc821_envelope
%PARAM smtp_skip_4xx_greeting
%PARAM smtp_skip_5xx_greeting
%PARAM smtp_skip_quit_response
%CLASS lmtp-compatibility
%PARAM lmtp_skip_quit_response
%CLASS mime-compatibility
%PARAM strict_8bitmime
%PARAM strict_8bitmime_body
%PARAM strict_mime_encoding_domain
%PARAM strict_7bit_headers
%CLASS resource-control
%PARAM application_event_drain_time
%PARAM berkeley_db_create_buffer_size
%PARAM berkeley_db_read_buffer_size
%PARAM bounce_size_limit
%PARAM command_time_limit
%PARAM daemon_timeout
%PARAM default_process_limit
%PARAM delay_warning_time
%PARAM deliver_lock_attempts
%PARAM deliver_lock_delay
%PARAM duplicate_filter_limit
%PARAM fork_attempts
%PARAM fork_delay
%PARAM header_address_token_limit
%PARAM header_size_limit
%PARAM hopcount_limit
%PARAM in_flow_delay
%PARAM ipc_idle
%PARAM ipc_timeout
%PARAM ipc_ttl
%PARAM line_length_limit
%PARAM max_idle
%PARAM max_use
%PARAM message_size_limit
%PARAM queue_file_attribute_count_limit
%PARAM service_throttle_time
%PARAM stale_lock_time
%PARAM transport_retry_time
%PARAM trigger_timeout
%CLASS smtpd-resource-control
%PARAM client_event_status_update_time
%PARAM client_rate_time_unit
%PARAM queue_minfree
%PARAM smtpd_client_connection_count_limit
%PARAM smtpd_client_connection_limit_exceptions
%PARAM smtpd_client_connection_rate_limit
%PARAM smtpd_history_flush_threshold
%PARAM smtpd_junk_command_limit
%PARAM smtpd_recipient_limit
%PARAM smtpd_timeout
%CLASS smtp-resource-control
%PARAM smtp_connect_timeout
%PARAM smtp_data_done_timeout
%PARAM smtp_data_init_timeout
%PARAM smtp_data_xfer_timeout
%PARAM smtp_destination_concurrency_limit
%PARAM smtp_destination_recipient_limit
%PARAM smtp_helo_timeout
%PARAM smtp_mail_timeout
%PARAM smtp_mx_address_limit
%PARAM smtp_mx_session_limit
%PARAM smtp_quit_timeout
%PARAM smtp_rcpt_timeout
%PARAM smtp_rset_timeout
%PARAM smtp_xforward_timeout
%CLASS lmtp-resource-control
%PARAM lmtp_cache_connection
%PARAM lmtp_connect_timeout
%PARAM lmtp_data_done_timeout
%PARAM lmtp_data_init_timeout
%PARAM lmtp_data_xfer_timeout
%PARAM lmtp_lhlo_timeout
%PARAM lmtp_mail_timeout
%PARAM lmtp_quit_timeout
%PARAM lmtp_rcpt_timeout
%PARAM lmtp_rset_timeout
%PARAM lmtp_xforward_timeout
%CLASS mime-resource-control
%PARAM mime_boundary_length_limit
%PARAM mime_nesting_limit
%CLASS local-resource-control
%PARAM local_destination_concurrency_limit
%PARAM local_destination_recipient_limit
%CLASS smtpd-tarpit
%PARAM smtpd_error_sleep_time
%PARAM smtpd_hard_error_limit
%PARAM smtpd_soft_error_limit
%CLASS content-filter
%PARAM lmtp_send_xforward_command
%PARAM receive_override_options
%PARAM smtp_send_xforward_command
%PARAM smtpd_authorized_xforward_hosts
%CLASS built-in-filter
%PARAM body_checks
%PARAM body_checks_size_limit
%PARAM header_checks
%PARAM mime_header_checks
%PARAM nested_header_checks
%CLASS after-queue-filter
%PARAM content_filter
%CLASS smtpd-proxy-filter
%PARAM smtpd_proxy_ehlo
%PARAM smtpd_proxy_filter
%PARAM smtpd_proxy_timeout
%CLASS smtp
%PARAM best_mx_transport
%PARAM disable_dns_lookups
%PARAM fallback_relay
%PARAM smtp_bind_address
%PARAM smtp_helo_name
%PARAM smtp_randomize_addresses
%CLASS basic-config
%PARAM alias_maps
%PARAM inet_interfaces
%PARAM mydestination
%PARAM mydomain
%PARAM myhostname
%PARAM mynetworks
%PARAM mynetworks_style
%PARAM myorigin
%PARAM proxy_interfaces
%CLASS smtpd-policy
%PARAM smtpd_policy_service_max_idle
%PARAM smtpd_policy_service_max_ttl
%PARAM smtpd_policy_service_timeout
%CLASS smtpd-access
%PARAM allow_untrusted_routing
%PARAM maps_rbl_domains
%PARAM parent_domain_matches_subdomains
%PARAM permit_mx_backup_networks
%PARAM smtpd_client_restrictions
%PARAM smtpd_data_restrictions
%PARAM smtpd_delay_reject
%PARAM smtpd_etrn_restrictions
%PARAM smtpd_expansion_filter
%PARAM smtpd_helo_restrictions
%PARAM smtpd_null_access_lookup_key
%PARAM smtpd_recipient_restrictions
%PARAM smtpd_reject_unlisted_recipient
%PARAM smtpd_reject_unlisted_sender
%PARAM smtpd_restriction_classes
%PARAM smtpd_sender_restrictions
%CLASS smtpd-reply-code
%PARAM access_map_reject_code
%PARAM default_rbl_reply
%PARAM defer_code
%PARAM invalid_hostname_reject_code
%PARAM maps_rbl_reject_code
%PARAM multi_recipient_bounce_reject_code
%PARAM non_fqdn_reject_code
%PARAM rbl_reply_maps
%PARAM reject_code
%PARAM relay_domains_reject_code
%PARAM unknown_address_reject_code
%PARAM unknown_client_reject_code
%PARAM unknown_hostname_reject_code
%PARAM unknown_local_recipient_reject_code
%PARAM unknown_relay_recipient_reject_code
%PARAM unknown_virtual_alias_reject_code
%PARAM unknown_virtual_mailbox_reject_code
%PARAM unverified_recipient_reject_code
%PARAM unverified_sender_reject_code
%CLASS smtpd-sasl
%PARAM smtpd_sasl_application_name
%PARAM smtpd_sasl_auth_enable
%PARAM smtpd_sasl_local_domain
%PARAM smtpd_sasl_security_options
%PARAM smtpd_sender_login_maps
%CLASS smtp-sasl
%PARAM smtp_sasl_auth_enable
%PARAM smtp_sasl_password_maps
%PARAM smtp_sasl_security_options
%PARAM smtp_sasl_mechanism_filter
%CLASS lmtp-sasl
%PARAM lmtp_sasl_auth_enable
%PARAM lmtp_sasl_password_maps
%PARAM lmtp_sasl_security_options
%CLASS smtpd-unknown-recipients
%PARAM local_recipient_maps
%PARAM relay_recipient_maps
%PARAM virtual_alias_maps
%PARAM virtual_mailbox_maps
%CLASS trouble-shooting
%PARAM 2bounce_notice_recipient
%PARAM bounce_notice_recipient
%PARAM debug_peer_level
%PARAM debug_peer_list
%PARAM debugger_command
%PARAM delay_notice_recipient
%PARAM dont_remove
%PARAM double_bounce_sender
%PARAM error_notice_recipient
%PARAM fault_injection_code
%PARAM helpful_warnings
%PARAM notify_classes
%PARAM show_user_unknown_table_name
%PARAM smtpd_authorized_xclient_hosts
%PARAM soft_bounce
%CLASS mime
%PARAM disable_mime_input_processing
%PARAM disable_mime_output_conversion
%CLASS verp
%PARAM default_verp_delimiters
%PARAM disable_verp_bounces
%PARAM smtpd_authorized_verp_clients
%PARAM verp_delimiter_filter
%CLASS lmtp
%PARAM lmtp_tcp_port
%CLASS other
%PARAM command_directory
%PARAM process_name
%PARAM process_id
%PARAM smtpd_banner
%PARAM mail_name
%CLASS scheduler
%PARAM bounce_queue_lifetime
%PARAM default_delivery_slot_cost
%PARAM default_delivery_slot_discount
%PARAM default_delivery_slot_loan
%PARAM default_destination_concurrency_limit
%PARAM default_destination_recipient_limit
%PARAM default_extra_recipient_limit
%PARAM default_minimum_delivery_slots
%PARAM default_recipient_limit
%PARAM defer_transports
%PARAM initial_destination_concurrency
%PARAM maximal_backoff_time
%PARAM maximal_queue_lifetime
%PARAM minimal_backoff_time
%PARAM qmgr_clog_warn_time
%PARAM qmgr_fudge_factor
%PARAM qmgr_message_active_limit
%PARAM qmgr_message_recipient_limit
%PARAM qmgr_message_recipient_minimum
%PARAM queue_run_delay
%PARAM queue_service_name
%CLASS qmqpd
%PARAM qmqpd_authorized_clients
%PARAM qmqpd_error_delay
%PARAM qmqpd_timeout
%CLASS logging
%PARAM syslog_facility
%PARAM syslog_name
%PARAM debug_peer_list
%PARAM debug_peer_level
%CLASS etrn
%PARAM fast_flush_domains
%PARAM fast_flush_purge_time
%PARAM fast_flush_refresh_time
%PARAM flush_service_name
%CLASS local
%PARAM alias_database
%PARAM alias_maps
%PARAM export_environment
%PARAM fallback_transport
%PARAM forward_expansion_filter
%PARAM forward_path
%PARAM home_mailbox
%PARAM local_transport
%PARAM luser_relay
%PARAM mailbox_command
%PARAM mailbox_command_maps
%PARAM mailbox_delivery_lock
%PARAM mailbox_size_limit
%PARAM mailbox_transport
%PARAM prepend_delivered_header
%PARAM require_home_directory
%CLASS address-manipulation
%PARAM allow_percent_hack
%PARAM always_bcc
%PARAM append_at_myorigin
%PARAM append_dot_mydomain
%PARAM canonical_maps
%PARAM cleanup_service_name
%PARAM default_transport
%PARAM default_transport
%PARAM empty_address_recipient
%PARAM enable_original_recipient
%PARAM expand_owner_alias
%PARAM masquerade_classes
%PARAM masquerade_domains
%PARAM masquerade_exceptions
%PARAM owner_request_special
%PARAM propagate_unmatched_extensions
%PARAM recipient_bcc_maps
%PARAM recipient_canonical_maps
%PARAM recipient_delimiter
%PARAM relay_domains
%PARAM relay_transport
%PARAM relayhost
%PARAM relocated_maps
%PARAM resolve_dequoted_address
%PARAM rewrite_service_name
%PARAM sender_based_routing
%PARAM sender_bcc_maps
%PARAM sender_canonical_maps
%PARAM swap_bangpath
%PARAM transport_maps
%PARAM virtual_alias_expansion_limit
%PARAM virtual_alias_maps
%PARAM virtual_alias_recursion_limit
%CLASS queue-hashing
%PARAM hash_queue_depth
%PARAM hash_queue_names
%CLASS virtual-mailbox
%PARAM virtual_gid_maps
%PARAM virtual_mailbox_base
%PARAM virtual_mailbox_domains
%PARAM virtual_mailbox_limit
%PARAM virtual_mailbox_lock
%PARAM virtual_mailbox_maps
%PARAM virtual_minimum_uid
%PARAM virtual_transport
%PARAM virtual_uid_maps
%CLASS virtual-alias-domain
%PARAM virtual_alias_domains
%PARAM virtual_alias_expansion_limit
%PARAM virtual_alias_maps
%PARAM virtual_alias_recursion_limit
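Review bot: `%PARAM default_transport` appears twice on consecutive lines under `%CLASS address-manipulation`. If this list stays in the tree, drop the second entry so the parameter is not emitted twice for that class.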

View File

@@ -120,10 +120,10 @@ void vlog_adhoc(const char *id, const char *orig_rcpt,
vstring_vsprintf(why, fmt, ap);
if (orig_rcpt && *orig_rcpt && strcasecmp(recipient, orig_rcpt) != 0)
msg_info("%s: to=<%s>, orig_to=<%s>, relay=%s, delay=%d, dsn=%s status=%s (%s)",
msg_info("%s: to=<%s>, orig_to=<%s>, relay=%s, delay=%d, dsn=%s, status=%s (%s)",
id, recipient, orig_rcpt, relay, delay, detail, status, vstring_str(why));
else
msg_info("%s: to=<%s>, relay=%s, delay=%d, dsn=%s status=%s (%s)",
msg_info("%s: to=<%s>, relay=%s, delay=%d, dsn=%s, status=%s (%s)",
id, recipient, relay, delay, detail, status, vstring_str(why));
vstring_free(why);
}
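Review bot: log parsers that match `dsn=... status=` without a comma will stop matching once both msg_info() format strings in vlog_adhoc() carry `dsn=%s, status=%s`. The two branches are changed consistently, which is good; the format change deserves a line in the release notes so that people who wrote scripts against the earlier snapshot output know to update them.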

View File

@@ -1177,6 +1177,10 @@ extern int var_smtp_tls_scache_timeout;
#define DEF_SMTPD_SASL_ENABLE 0
extern bool var_smtpd_sasl_enable;
#define VAR_SMTPD_SASL_AUTH_HDR "smtpd_sasl_authenticated_header"
#define DEF_SMTPD_SASL_AUTH_HDR 0
extern bool var_smtpd_sasl_auth_hdr;
#define VAR_SMTPD_SASL_OPTS "smtpd_sasl_security_options"
#define DEF_SMTPD_SASL_OPTS "noanonymous"
extern char *var_smtpd_sasl_opts;

View File

@@ -20,7 +20,7 @@
* Patches change the patchlevel and the release date. Snapshots change the
* release date only.
*/
#define MAIL_RELEASE_DATE "20050402"
#define MAIL_RELEASE_DATE "20050404"
#define MAIL_VERSION_NUMBER "2.3"
#define VAR_MAIL_VERSION "mail_version"

View File

@@ -292,6 +292,27 @@ int lmtp_sasl_passwd_lookup(LMTP_STATE *state)
void lmtp_sasl_initialize(void)
{
#if SASL_VERSION_MAJOR >= 2 && (SASL_VERSION_MINOR >= 2 \
|| (SASL_VERSION_MINOR == 1 && SASL_VERSION_STEP >= 19))
int sasl_major;
int sasl_minor;
int sasl_step;
/*
* DLL hell guard.
*/
sasl_version_info((const char **) 0, (const char **) 0,
&sasl_major, &sasl_minor,
&sasl_step, (int *) 0);
if (sasl_major != SASL_VERSION_MAJOR
|| sasl_minor != SASL_VERSION_MINOR
|| sasl_step != SASL_VERSION_STEP)
msg_fatal("incorrect SASL library version. "
"Postfix was built for version %d.%d.%d, "
"but the run-time library version is %d.%d.%d",
SASL_VERSION_MAJOR, SASL_VERSION_MINOR, SASL_VERSION_STEP,
sasl_major, sasl_minor, sasl_step);
#endif
/*
* Global callbacks. These have no per-session context.
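Review bot: the `#if` condition at the top of lmtp_sasl_initialize() compiles the guard out for a later major version whose minor is 0, or whose minor is 1 with a step below 19. `SASL_VERSION_MAJOR >= 2` is combined with a minor/step test that only makes sense for major 2. Suggest `SASL_VERSION_MAJOR > 2 || (SASL_VERSION_MAJOR == 2 && (SASL_VERSION_MINOR >= 2 || (SASL_VERSION_MINOR == 1 && SASL_VERSION_STEP >= 19)))`.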

View File

@@ -321,6 +321,27 @@ int smtp_sasl_passwd_lookup(SMTP_SESSION *session)
void smtp_sasl_initialize(void)
{
#if SASL_VERSION_MAJOR >= 2 && (SASL_VERSION_MINOR >= 2 \
|| (SASL_VERSION_MINOR == 1 && SASL_VERSION_STEP >= 19))
int sasl_major;
int sasl_minor;
int sasl_step;
/*
* DLL hell guard.
*/
sasl_version_info((const char **) 0, (const char **) 0,
&sasl_major, &sasl_minor,
&sasl_step, (int *) 0);
if (sasl_major != SASL_VERSION_MAJOR
|| sasl_minor != SASL_VERSION_MINOR
|| sasl_step != SASL_VERSION_STEP)
msg_fatal("incorrect SASL library version. "
"Postfix was built for version %d.%d.%d, "
"but the run-time library version is %d.%d.%d",
SASL_VERSION_MAJOR, SASL_VERSION_MINOR, SASL_VERSION_STEP,
sasl_major, sasl_minor, sasl_step);
#endif
/*
* Global callbacks. These have no per-session context.
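Review bot: the version guard at the top of smtp_sasl_initialize() is repeated line for line in lmtp_sasl_initialize() and smtpd_sasl_initialize(). A single shared helper called from all three would keep the preprocessor condition and the msg_fatal() text from drifting apart the next time one copy is touched.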
@@ -352,7 +373,7 @@ void smtp_sasl_initialize(void)
* Initialize optional supported mechanism matchlist
*/
if (*var_smtp_sasl_mechs)
smtp_sasl_mechs = string_list_init(MATCH_FLAG_NONE,
smtp_sasl_mechs = string_list_init(MATCH_FLAG_NONE,
var_smtp_sasl_mechs);
}

View File

@@ -187,6 +187,11 @@
/* Available in Postfix version 2.1 and later:
/* .IP "\fBsmtpd_sasl_exceptions_networks (empty)\fR"
/* What SMTP clients Postfix will not offer AUTH support to.
/* .PP
/* Available in Postfix version 2.3 and later:
/* .IP "\fBsmtpd_sasl_authenticated_header (no)\fR"
/* Report the SASL authenticated user name in the \fBsmtpd\fR(8) Received
/* message header.
/* STARTTLS SUPPORT CONTROLS
/* .ad
/* .fi
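Review bot: the new smtpd_sasl_authenticated_header entry in the manual text does not say who ends up seeing the login name. The Received: header travels with the message, so every downstream relay and every recipient can read it. A sentence to that effect next to the "(no)" default would help administrators decide whether to turn it on.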
@@ -856,6 +861,7 @@ bool var_allow_untrust_route;
int var_smtpd_junk_cmd_limit;
int var_smtpd_rcpt_overlim;
bool var_smtpd_sasl_enable;
bool var_smtpd_sasl_auth_hdr;
char *var_smtpd_sasl_opts;
char *var_smtpd_sasl_appname;
char *var_smtpd_sasl_realm;
@@ -1824,11 +1830,9 @@ static void rcpt_reset(SMTPD_STATE *state)
state->rcpt_overshoot = 0;
}
#ifdef USE_TLS
/* comment_sanitize - clesn up comment string */
/* CN_sanitize - make sure, the CN-string is well behaved */
static void CN_sanitize(VSTRING *CNstring)
static void comment_sanitize(VSTRING *comment_string)
{
unsigned char *cp;
int ch;
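Review bot: typo in the new function header comment, "clesn up" should be "clean up". While the comment is being touched, it could also say that the function is used for both the TLS CN strings and the SASL login name, as the block comment inside the function already does.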
@@ -1836,12 +1840,13 @@ static void CN_sanitize(VSTRING *CNstring)
/*
* Postfix Received: headers can be configured to include a comment with
* the CN (CommonName) of the peer and its issuer. To avoid problems with
* RFC 822 etc. syntax, we limit the CN information to printable ASCII
* text, and neutralize characters that affect comment parsing: the
* backslash and unbalanced parentheses.
* the CN (CommonName) of the peer and its issuer, or the login name of a
* SASL authenticated user. To avoid problems with RFC 822 etc. syntax,
* we limit this information to printable ASCII text, and neutralize
* characters that affect comment parsing: the backslash and unbalanced
* parentheses.
*/
for (pc = 0, cp = (unsigned char *) STR(CNstring); (ch = *cp) != 0; cp++) {
for (pc = 0, cp = (unsigned char *) STR(comment_string); (ch = *cp) != 0; cp++) {
if (!ISASCII(ch) || !ISPRINT(ch) || ch == '\\') {
*cp = '?';
} else if (ch == '(') {
@@ -1854,11 +1859,9 @@ static void CN_sanitize(VSTRING *CNstring)
}
}
while (pc-- > 0)
VSTRING_ADDCH(CNstring, ')');
VSTRING_ADDCH(comment_string, ')');
}
#endif
/* data_cmd - process DATA command */
static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
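Review bot: if the `#endif` after comment_sanitize() is the old USE_TLS guard being dropped, as the hunk line counts suggest, a build with neither USE_TLS nor USE_SASL_AUTH is left with an unused static function and a compiler warning. Wrapping the function in `#if defined(USE_TLS) || defined(USE_SASL_AUTH)` keeps it available to both callers without that side effect.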
@@ -1882,6 +1885,10 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
VSTRING *peer_CN;
VSTRING *issuer_CN;
#endif
#ifdef USE_SASL_AUTH
VSTRING *username;
#endif
/*
@@ -1965,6 +1972,9 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
"Received: from %s (%s [%s])",
state->helo_name ? state->helo_name : state->name,
state->name, state->rfc_addr);
#define VSTRING_STRDUP(s) vstring_strcpy(vstring_alloc(strlen(s) + 1), (s))
#ifdef USE_TLS
if (var_smtpd_tls_received_header && state->tls_context) {
out_fprintf(out_stream, REC_TYPE_NORM,
@@ -1972,14 +1982,11 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
state->tls_info.protocol, state->tls_info.cipher_name,
state->tls_info.cipher_usebits,
state->tls_info.cipher_algbits);
#define VSTRING_STRDUP(s) vstring_strcpy(vstring_alloc(strlen(s) + 1), (s))
if (state->tls_info.peer_CN) {
peer_CN = VSTRING_STRDUP(state->tls_info.peer_CN);
CN_sanitize(peer_CN);
comment_sanitize(peer_CN);
issuer_CN = VSTRING_STRDUP(state->tls_info.issuer_CN);
CN_sanitize(issuer_CN);
comment_sanitize(issuer_CN);
if (state->tls_info.peer_verified)
out_fprintf(out_stream, REC_TYPE_NORM,
"\t(Client CN \"%s\", Issuer \"%s\" (verified OK))",
@@ -1997,6 +2004,15 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
out_fprintf(out_stream, REC_TYPE_NORM,
"\t(No client certificate requested)");
}
#endif
#ifdef USE_SASL_AUTH
if (var_smtpd_sasl_auth_hdr && state->sasl_username) {
username = VSTRING_STRDUP(state->sasl_username);
comment_sanitize(username);
out_fprintf(out_stream, REC_TYPE_NORM,
"\t(Authenticated sender: %s)", STR(username));
vstring_free(username);
}
#endif
if (state->rcpt_count == 1 && state->recipient) {
out_fprintf(out_stream, REC_TYPE_NORM,
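Review bot: the label in `"\t(Authenticated sender: %s)"` is applied to state->sasl_username, which is the SASL login name and not the envelope sender, so a reader of the header can take it for a verified sender address. Consider wording that names it as the login. Also note that comment_sanitize() only rewrites characters; the copy made with VSTRING_STRDUP() is written out at whatever length the login name has, so a length bound before out_fprintf() would keep the header line within reason.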
@@ -3399,6 +3415,7 @@ int main(int argc, char **argv)
VAR_DISABLE_VRFY_CMD, DEF_DISABLE_VRFY_CMD, &var_disable_vrfy_cmd,
VAR_ALLOW_UNTRUST_ROUTE, DEF_ALLOW_UNTRUST_ROUTE, &var_allow_untrust_route,
VAR_SMTPD_SASL_ENABLE, DEF_SMTPD_SASL_ENABLE, &var_smtpd_sasl_enable,
VAR_SMTPD_SASL_AUTH_HDR, DEF_SMTPD_SASL_AUTH_HDR, &var_smtpd_sasl_auth_hdr,
VAR_BROKEN_AUTH_CLNTS, DEF_BROKEN_AUTH_CLNTS, &var_broken_auth_clients,
VAR_SHOW_UNK_RCPT_TABLE, DEF_SHOW_UNK_RCPT_TABLE, &var_show_unk_rcpt_table,
VAR_SMTPD_REJ_UNL_FROM, DEF_SMTPD_REJ_UNL_FROM, &var_smtpd_rej_unl_from,

View File

@@ -208,6 +208,27 @@ static NAME_MASK smtpd_sasl_mask[] = {
void smtpd_sasl_initialize(void)
{
#if SASL_VERSION_MAJOR >= 2 && (SASL_VERSION_MINOR >= 2 \
|| (SASL_VERSION_MINOR == 1 && SASL_VERSION_STEP >= 19))
int sasl_major;
int sasl_minor;
int sasl_step;
/*
* DLL hell guard.
*/
sasl_version_info((const char **) 0, (const char **) 0,
&sasl_major, &sasl_minor,
&sasl_step, (int *) 0);
if (sasl_major != SASL_VERSION_MAJOR
|| sasl_minor != SASL_VERSION_MINOR
|| sasl_step != SASL_VERSION_STEP)
msg_fatal("incorrect SASL library version. "
"Postfix was built for version %d.%d.%d, "
"but the run-time library version is %d.%d.%d",
SASL_VERSION_MAJOR, SASL_VERSION_MINOR, SASL_VERSION_STEP,
sasl_major, sasl_minor, sasl_step);
#endif
/*
* Initialize the library: load SASL plug-in routines, etc.
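Review bot: the `if` in smtpd_sasl_initialize() requires the run-time step to equal SASL_VERSION_STEP exactly, so a patch-level update of the SASL shared library without a Postfix rebuild ends in msg_fatal() and the daemon does not start. If that strictness is intended, say so in the "DLL hell guard" comment and in the SASL documentation so that packagers know a rebuild is mandatory; otherwise consider failing only on a major or minor mismatch and logging a warning for a step difference.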

View File

@@ -144,9 +144,6 @@
/*
* Session cache entry format.
*
* XXX The session cache version number is not needed because we truncate the
* database when it is opened.
*/
typedef struct {
time_t timestamp; /* time when saved */
@@ -221,8 +218,7 @@ static int tls_scache_decode(TLS_SCACHE *cp, const char *cache_id,
}
/*
* Disassemble the TLS session cache entry and enforce version number
* restrictions.
* Disassemble the TLS session cache entry.
*
* No early returns or we have a memory leak.
*/
@@ -289,7 +285,7 @@ int tls_scache_lookup(TLS_SCACHE *cp, const char *cache_id,
return (0);
/*
* Decode entry and verify version information.
* Decode entry and delete if expired or malformed.
*/
if (tls_scache_decode(cp, cache_id, hex_data, strlen(hex_data),
session) == 0) {