
postfix-3.2-20160730

This commit is contained in:
Wietse Venema 2016-07-30 00:00:00 -05:00 committed by Viktor Dukhovni
parent 98b90b32f0
commit edfd6b5bb5
13 changed files with 158 additions and 144 deletions


@ -22419,3 +22419,13 @@ Apologies for any names omitted.
after-220 tests. Files: postscreen_misc.c, postscreen_state.c,
postscreen.h, postscreen_tests.c, postscreen.c, postscreen_smtpd.c,
postscreen_early.c.
20160730
Cleanup: don't try to optimize away postscreen cache updates.
File: postscreen_misc.c.
Cleanup: removed compatibility crutches that emulated a
historical data organization from four years ago. Files:
postscreen/postscreen.[hc], postscreen/postscreen_early.c,
postscreen/postscreen_smtpd.c, postscreen/postscreen_tests.c.


@ -85,16 +85,17 @@ CIDR_TABLE(5) CIDR_TABLE(5)
An IPv4 network address is a sequence of four decimal octets separated
by ".", and an IPv6 network address is a sequence of three to eight
hexadecimal octets or octet pairs separated by ":". The pattern
0.0.0.0/0 matches every IPv4 address, and ::/0 matches every IPv6
hexadecimal octet pairs separated by ":" or "::", where the latter is
short-hand for a sequence of one or more all-zero octet pairs. The pat-
tern 0.0.0.0/0 matches every IPv4 address, and ::/0 matches every IPv6
address. IPv6 support is available in Postfix 2.2 and later.
Before comparisons are made, lookup keys and table entries are con-
verted from string to binary. Therefore, IPv6 patterns will be matched
regardless of leading zeros (a leading zero in an IPv4 address octet
Before comparisons are made, lookup keys and table entries are con-
verted from string to binary. Therefore, IPv6 patterns will be matched
regardless of leading zeros (a leading zero in an IPv4 address octet
indicates octal notation).
Note: address information may be enclosed inside "[]" but this form is
Note: address information may be enclosed inside "[]" but this form is
not required.
<b>EXAMPLE SMTPD ACCESS MAP</b>
@ -106,6 +107,8 @@ CIDR_TABLE(5) CIDR_TABLE(5)
# before more general blacklist entries.
192.168.1.1 OK
192.168.0.0/16 REJECT
2001:db8::1 OK
2001:db8::/32 REJECT
<b>SEE ALSO</b>
<a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager


@ -4,7 +4,7 @@
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<title> Postfix manual - postscreen(8) </title>
</head> <body> <pre>
POSTSCREEN(8) System Manager's Manual POSTSCREEN(8)
POSTSCREEN(8) POSTSCREEN(8)
<b>NAME</b>
postscreen - Postfix zombie blocker
@ -106,14 +106,14 @@ POSTSCREEN(8) System Manager's Manual POSTSCREEN(8)
<b><a href="postconf.5.html#postscreen_discard_ehlo_keyword_address_maps">postscreen_discard_ehlo_keyword_address_maps</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_key</a>-</b>
<b><a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">word_address_maps</a>)</b>
Lookup tables, indexed by the remote SMTP client address, with
case insensitive lists of EHLO keywords (pipelining, starttls,
auth, etc.) that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the
Lookup tables, indexed by the remote SMTP client address, with
case insensitive lists of EHLO keywords (pipelining, starttls,
auth, etc.) that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the
EHLO response to a remote SMTP client.
<b><a href="postconf.5.html#postscreen_discard_ehlo_keywords">postscreen_discard_ehlo_keywords</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>)</b>
A case insensitive list of EHLO keywords (pipelining, starttls,
auth, etc.) that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the
A case insensitive list of EHLO keywords (pipelining, starttls,
auth, etc.) that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the
EHLO response to a remote SMTP client.
Available in Postfix version 3.1 and later:
@ -127,27 +127,27 @@ POSTSCREEN(8) System Manager's Manual POSTSCREEN(8)
<a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> attribute expansions.
<b><a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> ($<a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a>)</b>
Optional information that is appended after a 4XX or 5XX
Optional information that is appended after a 4XX or 5XX
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> server response.
<b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
Safety net to keep mail queued that would otherwise be returned
Safety net to keep mail queued that would otherwise be returned
to the sender.
<b>BEFORE-POSTSCREEN PROXY AGENT</b>
Available in Postfix version 2.10 and later:
<b><a href="postconf.5.html#postscreen_upstream_proxy_protocol">postscreen_upstream_proxy_protocol</a> (empty)</b>
The name of the proxy protocol used by an optional
The name of the proxy protocol used by an optional
before-postscreen proxy agent.
<b><a href="postconf.5.html#postscreen_upstream_proxy_timeout">postscreen_upstream_proxy_timeout</a> (5s)</b>
The time limit for the proxy protocol specified with the
The time limit for the proxy protocol specified with the
<a href="postconf.5.html#postscreen_upstream_proxy_protocol">postscreen_upstream_proxy_protocol</a> parameter.
<b>PERMANENT WHITE/BLACKLIST TEST</b>
This test is executed immediately after a remote SMTP client connects.
If a client is permanently whitelisted, the client will be handed off
This test is executed immediately after a remote SMTP client connects.
If a client is permanently whitelisted, the client will be handed off
immediately to a Postfix SMTP server process.
<b><a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>)</b>
@ -155,40 +155,40 @@ POSTSCREEN(8) System Manager's Manual POSTSCREEN(8)
<b><a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> (ignore)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client is
permanently blacklisted with the <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> parame-
permanently blacklisted with the <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> parame-
ter.
<b>MAIL EXCHANGER POLICY TESTS</b>
When <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is configured to monitor all primary and backup MX
addresses, it can refuse to whitelist clients that connect to a backup
When <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is configured to monitor all primary and backup MX
addresses, it can refuse to whitelist clients that connect to a backup
MX address only. For small sites, this requires configuring primary and
backup MX addresses on the same MTA. Larger sites would have to share
the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache between primary and backup MTAs, which would
backup MX addresses on the same MTA. Larger sites would have to share
the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache between primary and backup MTAs, which would
introduce a common point of failure.
<b><a href="postconf.5.html#postscreen_whitelist_interfaces">postscreen_whitelist_interfaces</a> (<a href="DATABASE_README.html#types">static</a>:all)</b>
A list of local <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server IP addresses where a
non-whitelisted remote SMTP client can obtain <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s
A list of local <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server IP addresses where a
non-whitelisted remote SMTP client can obtain <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s
temporary whitelist status.
<b>BEFORE 220 GREETING TESTS</b>
These tests are executed before the remote SMTP client receives the
These tests are executed before the remote SMTP client receives the
"220 servername" greeting. If no tests remain after the successful com-
pletion of this phase, the client will be handed off immediately to a
pletion of this phase, the client will be handed off immediately to a
Postfix SMTP server process.
<b><a href="postconf.5.html#dnsblog_service_name">dnsblog_service_name</a> (dnsblog)</b>
The name of the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.
<b><a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a> (ignore)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client's
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client's
combined DNSBL score is equal to or greater than a threshold (as
defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> and
defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> and
<a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> parameters).
<b><a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> (empty)</b>
A mapping from actual DNSBL domain name which includes a secret
password, to the DNSBL domain name that postscreen will reply
A mapping from actual DNSBL domain name which includes a secret
password, to the DNSBL domain name that postscreen will reply
with when it rejects mail.
<b><a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> (empty)</b>
@ -196,36 +196,36 @@ POSTSCREEN(8) System Manager's Manual POSTSCREEN(8)
factors.
<b><a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> (1)</b>
The inclusive lower bound for blocking a remote SMTP client,
based on its combined DNSBL score as defined with the
The inclusive lower bound for blocking a remote SMTP client,
based on its combined DNSBL score as defined with the
<a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.
<b><a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a> (ignore)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
speaks before its turn within the time specified with the
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
speaks before its turn within the time specified with the
<a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> parameter.
<b><a href="postconf.5.html#postscreen_greet_banner">postscreen_greet_banner</a> ($<a href="postconf.5.html#smtpd_banner">smtpd_banner</a>)</b>
The <i>text</i> in the optional "220-<i>text</i>..." server response that
The <i>text</i> in the optional "220-<i>text</i>..." server response that
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> sends ahead of the real Postfix SMTP server's "220
text..." response, in an attempt to confuse bad SMTP clients so
text..." response, in an attempt to confuse bad SMTP clients so
that they speak before their turn (pre-greet).
<b><a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> (normal: 6s, overload: 2s)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will wait for an SMTP
client to send a command before its turn, and for DNS blocklist
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will wait for an SMTP
client to send a command before its turn, and for DNS blocklist
lookup results to arrive (default: up to 2 seconds under stress,
up to 6 seconds otherwise).
<b><a href="postconf.5.html#smtpd_service_name">smtpd_service_name</a> (smtpd)</b>
The internal service that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> hands off allowed con-
The internal service that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> hands off allowed con-
nections to.
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#postscreen_dnsbl_whitelist_threshold">postscreen_dnsbl_whitelist_threshold</a> (0)</b>
Allow a remote SMTP client to skip "before" and "after 220
greeting" protocol tests, based on its combined DNSBL score as
Allow a remote SMTP client to skip "before" and "after 220
greeting" protocol tests, based on its combined DNSBL score as
defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.
Available in Postfix version 3.0 and later:
@ -235,18 +235,18 @@ POSTSCREEN(8) System Manager's Manual POSTSCREEN(8)
<b>AFTER 220 GREETING TESTS</b>
These tests are executed after the remote SMTP client receives the "220
servername" greeting. If a client passes all tests during this phase,
it will receive a 4XX response to all RCPT TO commands. After the
client reconnects, it will be allowed to talk directly to a Postfix
servername" greeting. If a client passes all tests during this phase,
it will receive a 4XX response to all RCPT TO commands. After the
client reconnects, it will be allowed to talk directly to a Postfix
SMTP server process.
<b><a href="postconf.5.html#postscreen_bare_newline_action">postscreen_bare_newline_action</a> (ignore)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
sends a bare newline character, that is, a newline not preceded
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
sends a bare newline character, that is, a newline not preceded
by carriage return.
<b><a href="postconf.5.html#postscreen_bare_newline_enable">postscreen_bare_newline_enable</a> (no)</b>
Enable "bare newline" SMTP protocol tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
Enable "bare newline" SMTP protocol tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
server.
<b><a href="postconf.5.html#postscreen_disable_vrfy_command">postscreen_disable_vrfy_command</a> ($<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a>)</b>
@ -261,7 +261,7 @@ POSTSCREEN(8) System Manager's Manual POSTSCREEN(8)
mencing a MAIL transaction.
<b><a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> (drop)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
sends non-SMTP commands as specified with the <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbid</a>-
<a href="postconf.5.html#postscreen_forbidden_commands">den_commands</a> parameter.
@ -269,12 +269,12 @@ POSTSCREEN(8) System Manager's Manual POSTSCREEN(8)
Enable "non-SMTP command" tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
<b><a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a> (enforce)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
sends multiple commands instead of sending one command and wait-
ing for the server to respond.
<b><a href="postconf.5.html#postscreen_pipelining_enable">postscreen_pipelining_enable</a> (no)</b>
Enable "pipelining" SMTP protocol tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
Enable "pipelining" SMTP protocol tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
server.
<b>CACHE CONTROLS</b>
@ -322,29 +322,29 @@ POSTSCREEN(8) System Manager's Manual POSTSCREEN(8)
<b><a href="postconf.5.html#postscreen_client_connection_count_limit">postscreen_client_connection_count_limit</a> ($<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connec</a>-</b>
<b><a href="postconf.5.html#smtpd_client_connection_count_limit">tion_count_limit</a>)</b>
How many simultaneous connections any remote SMTP client is
How many simultaneous connections any remote SMTP client is
allowed to have with the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon.
<b><a href="postconf.5.html#postscreen_command_count_limit">postscreen_command_count_limit</a> (20)</b>
The limit on the total number of commands per SMTP session for
The limit on the total number of commands per SMTP session for
<a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine.
<b><a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> (normal: 300s, overload: 10s)</b>
The time limit to read an entire command line with
The time limit to read an entire command line with
<a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine.
<b><a href="postconf.5.html#postscreen_post_queue_limit">postscreen_post_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
The number of clients that can be waiting for service from a
The number of clients that can be waiting for service from a
real Postfix SMTP server process.
<b><a href="postconf.5.html#postscreen_pre_queue_limit">postscreen_pre_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
The number of non-whitelisted clients that can be waiting for a
decision whether they will receive service from a real Postfix
The number of non-whitelisted clients that can be waiting for a
decision whether they will receive service from a real Postfix
SMTP server process.
<b><a href="postconf.5.html#postscreen_watchdog_timeout">postscreen_watchdog_timeout</a> (10s)</b>
How much time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may take to respond to a
remote SMTP client command or to perform a cache operation
How much time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may take to respond to a
remote SMTP client command or to perform a cache operation
before it is terminated by a built-in watchdog timer.
<b>STARTTLS CONTROLS</b>
@ -357,11 +357,11 @@ POSTSCREEN(8) System Manager's Manual POSTSCREEN(8)
The name of the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.
<b>OBSOLETE STARTTLS SUPPORT CONTROLS</b>
These parameters are supported for compatibility with <a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy
These parameters are supported for compatibility with <a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy
parameters.
<b><a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> ($<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b>
Opportunistic TLS: announce STARTTLS support to remote SMTP
Opportunistic TLS: announce STARTTLS support to remote SMTP
clients, but do not require that clients use TLS encryption.
<b><a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a> ($<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b>
@ -370,18 +370,18 @@ POSTSCREEN(8) System Manager's Manual POSTSCREEN(8)
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
The maximal number of digits after the decimal point when log-
The maximal number of digits after the decimal point when log-
ging sub-second delay values.
<b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
The location of all postfix administrative commands.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix daemon process
The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
@ -394,9 +394,8 @@ POSTSCREEN(8) System Manager's Manual POSTSCREEN(8)
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the process name in
syslog records, so that "smtpd" becomes, for example, "post-
fix/smtpd".
A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
<b>SEE ALSO</b>
<a href="smtpd.8.html">smtpd(8)</a>, Postfix SMTP server
@ -413,7 +412,7 @@ POSTSCREEN(8) System Manager's Manual POSTSCREEN(8)
<b>HISTORY</b>
This service was introduced with Postfix version 2.8.
Many ideas in <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier work by Michael
Many ideas in <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier work by Michael
Tokarev, in OpenBSD spamd, and in MailChannels Traffic Control.
<b>AUTHOR(S)</b>


@ -96,10 +96,12 @@ part must be zero).
An IPv4 network address is a sequence of four decimal octets
separated by ".", and an IPv6 network address is a sequence
of three to eight hexadecimal octets or octet pairs separated by
":". The pattern 0.0.0.0/0 matches every IPv4 address, and ::/0
matches every IPv6 address. IPv6 support is available in
Postfix 2.2 and later.
of three to eight hexadecimal octet pairs separated by ":"
or "::", where the latter is short\-hand for a sequence of
one or more all\-zero octet pairs. The pattern 0.0.0.0/0
matches every IPv4 address, and ::/0 matches every IPv6
address. IPv6 support is available in Postfix 2.2 and
later.
Before comparisons are made, lookup keys and table entries
are converted from string to binary. Therefore, IPv6 patterns
@ -120,6 +122,8 @@ this form is not required.
# before more general blacklist entries.
192.168.1.1 OK
192.168.0.0/16 REJECT
2001:db8::1 OK
2001:db8::/32 REJECT
.fi
.SH "SEE ALSO"
.na


@ -397,8 +397,8 @@ The process name of a Postfix command or daemon process.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
.SH "SEE ALSO"
.na
.nf


@ -84,10 +84,12 @@
#
# An IPv4 network address is a sequence of four decimal octets
# separated by ".", and an IPv6 network address is a sequence
# of three to eight hexadecimal octets or octet pairs separated by
# ":". The pattern 0.0.0.0/0 matches every IPv4 address, and ::/0
# matches every IPv6 address. IPv6 support is available in
# Postfix 2.2 and later.
# of three to eight hexadecimal octet pairs separated by ":"
# or "::", where the latter is short-hand for a sequence of
# one or more all-zero octet pairs. The pattern 0.0.0.0/0
# matches every IPv4 address, and ::/0 matches every IPv6
# address. IPv6 support is available in Postfix 2.2 and
# later.
#
# Before comparisons are made, lookup keys and table entries
# are converted from string to binary. Therefore, IPv6 patterns
@ -106,6 +108,8 @@
# # before more general blacklist entries.
# 192.168.1.1 OK
# 192.168.0.0/16 REJECT
# 2001:db8::1 OK
# 2001:db8::/32 REJECT
# .fi
# SEE ALSO
# postmap(1), Postfix lookup table manager


@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20160728"
#define MAIL_RELEASE_DATE "20160730"
#define MAIL_VERSION_NUMBER "3.2"
#ifdef SNAPSHOT


@ -357,8 +357,8 @@
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* A prefix that is prepended to the process name in syslog
/* records, so that, for example, "smtpd" becomes "prefix/smtpd".
/* SEE ALSO
/* smtpd(8), Postfix SMTP server
/* tlsproxy(8), Postfix TLS proxy server
@ -691,7 +691,7 @@ static void psc_endpt_lookup_done(int endpt_status,
* Reply with 421 when the client has too many open connections.
*/
if (var_psc_cconn_limit > 0
&& state->client_concurrency > var_psc_cconn_limit) {
&& state->client_info->concurrency > var_psc_cconn_limit) {
msg_info("NOQUEUE: reject: CONNECT from [%s]:%s: too many connections",
state->smtp_client_addr, state->smtp_client_port);
PSC_DROP_SESSION_STATE(state,
@ -840,7 +840,7 @@ static int psc_cache_validator(const char *client_addr,
const char *stamp_str,
void *unused_context)
{
PSC_STATE dummy;
PSC_STATE dummy_state;
PSC_CLIENT_INFO dummy_client_info;
/*
@ -851,9 +851,9 @@ static int psc_cache_validator(const char *client_addr,
* silly logging we remove the cache entry only after all tests have
* expired longer ago than the cache retention time.
*/
dummy.client_info = &dummy_client_info;
psc_parse_tests(&dummy, stamp_str, event_time() - var_psc_cache_ret);
return ((dummy.flags & PSC_STATE_MASK_ANY_TODO) == 0);
dummy_state.client_info = &dummy_client_info;
psc_parse_tests(&dummy_state, stamp_str, event_time() - var_psc_cache_ret);
return ((dummy_state.flags & PSC_STATE_MASK_ANY_TODO) == 0);
}
/* pre_jail_init - pre-jail initialization */
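Review bot: `PSC_STATE dummy_state;` in psc_cache_validator is automatic storage that is never explicitly zeroed, yet the return statement reads `dummy_state.flags` after only `client_info` has been assigned. The flag-setting code visible elsewhere in this commit (psc_todo_tests in postscreen_tests.c) only ORs bits in with `state->flags |= ...`, and whether psc_parse_tests or psc_todo_tests first resets `flags` to 0 is not visible on this page; if it does not, the validator's keep/drop decision for a cache entry derives from uninitialized memory, so stale entries could survive or live ones be purged at random. Making the validator correct independent of that contract costs one token: `PSC_STATE dummy_state = {0};` with a comment such as `/* zeroed: psc_parse_tests() may only OR bits into flags */`. Zeroing `dummy_client_info` likewise would be harmless but the page does not show whether anything reads it before psc_parse_tests fills it.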


@ -99,19 +99,6 @@ typedef struct {
const char *where; /* SMTP protocol state */
} PSC_STATE;
/*
* Emulate legacy ad-hoc variables on top of indexable time stamps. This
* avoids massive scar tissue during initial feature development.
*/
#define pregr_stamp client_info->expire_time[PSC_TINDX_PREGR]
#define dnsbl_stamp client_info->expire_time[PSC_TINDX_DNSBL]
#define pipel_stamp client_info->expire_time[PSC_TINDX_PIPEL]
#define nsmtp_stamp client_info->expire_time[PSC_TINDX_NSMTP]
#define barlf_stamp client_info->expire_time[PSC_TINDX_BARLF]
/* Minize the patch size for stable releases. */
#define client_concurrency client_info->concurrency
/*
* Special expiration time values.
*/


@ -104,6 +104,7 @@ static void psc_early_event(int event, void *context)
{
const char *myname = "psc_early_event";
PSC_STATE *state = (PSC_STATE *) context;
time_t *expire_time = state->client_info->expire_time;
char read_buf[PSC_READ_BUF_SIZE];
int read_count;
DELTA_TIME elapsed;
@ -142,7 +143,7 @@ static void psc_early_event(int event, void *context)
*/
if ((state->flags & PSC_STATE_FLAG_PREGR_TODO) != 0
&& (state->flags & PSC_STATE_MASK_PREGR_FAIL_DONE) == 0) {
state->pregr_stamp = event_time() + var_psc_pregr_ttl;
expire_time[PSC_TINDX_PREGR] = event_time() + var_psc_pregr_ttl;
PSC_PASS_SESSION_STATE(state, "pregreet test",
PSC_STATE_FLAG_PREGR_PASS);
}
@ -175,7 +176,7 @@ static void psc_early_event(int event, void *context)
psc_whitelist_non_dnsbl(state);
}
if (state->dnsbl_score < var_psc_dnsbl_thresh) {
state->dnsbl_stamp = event_time() + state->dnsbl_ttl;
expire_time[PSC_TINDX_DNSBL] = event_time() + state->dnsbl_ttl;
PSC_PASS_SESSION_STATE(state, "dnsbl test",
PSC_STATE_FLAG_DNSBL_PASS);
} else {


@ -112,10 +112,13 @@ void psc_conclude(PSC_STATE *state)
/*
* Update the postscreen cache. This still supports a scenario where a
* client gets whitelisted in the course of multiple sessions, as long as
* that client does not "fail" any test.
* that client does not "fail" any test. Don't try to optimize away cache
* updates; we want cached information to be up-to-date even if a test
* result is renewed during overlapping SMTP sessions, and even if
* 'postfix reload' happens in the middle of that.
*/
if ((state->flags & PSC_STATE_MASK_ANY_UPDATE) != 0
&& psc_cache_map != 0 && state->client_info->pass_new_count <= 1) {
&& psc_cache_map != 0) {
psc_print_tests(psc_temp, state);
psc_cache_update(psc_cache_map, state->smtp_client_addr, STR(psc_temp));
}
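Review bot: Dropping `pass_new_count <= 1` makes `psc_cache_update()` fire for every concluded session that set a bit in PSC_STATE_MASK_ANY_UPDATE, so a single client address holding several overlapping sessions now issues one cache write per session, each serializing what appears to be the same shared client_info state; the new comment explains why the writes are wanted but not what bounds their rate. From the connect-time check in postscreen.c (`state->client_info->concurrency > var_psc_cconn_limit`) it looks like the per-address write volume is capped by postscreen_client_connection_count_limit, but that check is skipped when the limit is 0, leaving only the pre/post queue limits. A sentence next to the new comment would record the trade-off, e.g. `* The write rate per client is bounded by the per-client connection limit (when set).`. The enclosing psc_conclude() begins and ends outside this hunk.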


@ -722,6 +722,7 @@ static void psc_smtpd_read_event(int event, void *context)
{
const char *myname = "psc_smtpd_read_event";
PSC_STATE *state = (PSC_STATE *) context;
time_t *expire_time = state->client_info->expire_time;
int ch;
struct cmd_trans {
int state;
@ -835,7 +836,7 @@ static void psc_smtpd_read_event(int event, void *context)
PSC_CLIENT_ADDR_PORT(state), STR(psc_temp));
PSC_FAIL_SESSION_STATE(state, PSC_STATE_FLAG_BARLF_FAIL);
PSC_UNPASS_SESSION_STATE(state, PSC_STATE_FLAG_BARLF_PASS);
state->barlf_stamp = PSC_TIME_STAMP_DISABLED; /* XXX */
expire_time[PSC_TINDX_BARLF] = PSC_TIME_STAMP_DISABLED; /* XXX */
/* Skip this test for the remainder of this session. */
PSC_SKIP_SESSION_STATE(state, "bare newline test",
PSC_STATE_FLAG_BARLF_SKIP);
@ -855,7 +856,7 @@ static void psc_smtpd_read_event(int event, void *context)
/* Temporarily whitelist until something expires. */
PSC_PASS_SESSION_STATE(state, "bare newline test",
PSC_STATE_FLAG_BARLF_PASS);
state->barlf_stamp = event_time() + psc_min_ttl;
expire_time[PSC_TINDX_BARLF] = event_time() + psc_min_ttl;
break;
default:
msg_panic("%s: unknown bare_newline action value %d",
@ -960,7 +961,7 @@ static void psc_smtpd_read_event(int event, void *context)
command, STR(psc_temp));
PSC_FAIL_SESSION_STATE(state, PSC_STATE_FLAG_NSMTP_FAIL);
PSC_UNPASS_SESSION_STATE(state, PSC_STATE_FLAG_NSMTP_PASS);
state->nsmtp_stamp = PSC_TIME_STAMP_DISABLED; /* XXX */
expire_time[PSC_TINDX_NSMTP] = PSC_TIME_STAMP_DISABLED; /* XXX */
/* Skip this test for the remainder of this SMTP session. */
PSC_SKIP_SESSION_STATE(state, "non-smtp test",
PSC_STATE_FLAG_NSMTP_SKIP);
@ -980,7 +981,7 @@ static void psc_smtpd_read_event(int event, void *context)
/* Temporarily whitelist until something else expires. */
PSC_PASS_SESSION_STATE(state, "non-smtp test",
PSC_STATE_FLAG_NSMTP_PASS);
state->nsmtp_stamp = event_time() + psc_min_ttl;
expire_time[PSC_TINDX_NSMTP] = event_time() + psc_min_ttl;
break;
default:
msg_panic("%s: unknown non_smtp_command action value %d",
@ -997,7 +998,7 @@ static void psc_smtpd_read_event(int event, void *context)
PSC_CLIENT_ADDR_PORT(state), command, STR(psc_temp));
PSC_FAIL_SESSION_STATE(state, PSC_STATE_FLAG_PIPEL_FAIL);
PSC_UNPASS_SESSION_STATE(state, PSC_STATE_FLAG_PIPEL_PASS);
state->pipel_stamp = PSC_TIME_STAMP_DISABLED; /* XXX */
expire_time[PSC_TINDX_PIPEL] = PSC_TIME_STAMP_DISABLED; /* XXX */
/* Skip this test for the remainder of this SMTP session. */
PSC_SKIP_SESSION_STATE(state, "pipelining test",
PSC_STATE_FLAG_PIPEL_SKIP);
@ -1017,7 +1018,7 @@ static void psc_smtpd_read_event(int event, void *context)
/* Temporarily whitelist until something else expires. */
PSC_PASS_SESSION_STATE(state, "pipelining test",
PSC_STATE_FLAG_PIPEL_PASS);
state->pipel_stamp = event_time() + psc_min_ttl;
expire_time[PSC_TINDX_PIPEL] = event_time() + psc_min_ttl;
break;
default:
msg_panic("%s: unknown pipelining action value %d",
@ -1036,21 +1037,21 @@ static void psc_smtpd_read_event(int event, void *context)
PSC_PASS_SESSION_STATE(state, "bare newline test",
PSC_STATE_FLAG_BARLF_PASS);
/* XXX Reset to PSC_TIME_STAMP_DISABLED on failure. */
state->barlf_stamp = event_time() + var_psc_barlf_ttl;
expire_time[PSC_TINDX_BARLF] = event_time() + var_psc_barlf_ttl;
}
if ((state->flags & PSC_STATE_MASK_NSMTP_TODO_PASS_FAIL)
== PSC_STATE_FLAG_NSMTP_TODO) {
PSC_PASS_SESSION_STATE(state, "non-smtp test",
PSC_STATE_FLAG_NSMTP_PASS);
/* XXX Reset to PSC_TIME_STAMP_DISABLED on failure. */
state->nsmtp_stamp = event_time() + var_psc_nsmtp_ttl;
expire_time[PSC_TINDX_NSMTP] = event_time() + var_psc_nsmtp_ttl;
}
if ((state->flags & PSC_STATE_MASK_PIPEL_TODO_PASS_FAIL)
== PSC_STATE_FLAG_PIPEL_TODO) {
PSC_PASS_SESSION_STATE(state, "pipelining test",
PSC_STATE_FLAG_PIPEL_PASS);
/* XXX Reset to PSC_TIME_STAMP_DISABLED on failure. */
state->pipel_stamp = event_time() + var_psc_pipel_ttl;
expire_time[PSC_TINDX_PIPEL] = event_time() + var_psc_pipel_ttl;
}
}
/* Command COUNT limit test. */

View File

@ -133,6 +133,7 @@
void psc_new_tests(PSC_STATE *state)
{
time_t *expire_time = state->client_info->expire_time;
/*
* Give all tests a PSC_TIME_STAMP_NEW time stamp, so that we can later
@ -140,11 +141,11 @@ void psc_new_tests(PSC_STATE *state)
* write a cache entry to the database, any new-but-disabled tests will
* get a PSC_TIME_STAMP_DISABLED time stamp.
*/
state->pregr_stamp = PSC_TIME_STAMP_NEW;
state->dnsbl_stamp = PSC_TIME_STAMP_NEW;
state->pipel_stamp = PSC_TIME_STAMP_NEW;
state->nsmtp_stamp = PSC_TIME_STAMP_NEW;
state->barlf_stamp = PSC_TIME_STAMP_NEW;
expire_time[PSC_TINDX_PREGR] = PSC_TIME_STAMP_NEW;
expire_time[PSC_TINDX_DNSBL] = PSC_TIME_STAMP_NEW;
expire_time[PSC_TINDX_PIPEL] = PSC_TIME_STAMP_NEW;
expire_time[PSC_TINDX_NSMTP] = PSC_TIME_STAMP_NEW;
expire_time[PSC_TINDX_BARLF] = PSC_TIME_STAMP_NEW;
/*
* Determine what tests need to be completed.
@ -190,7 +191,7 @@ void psc_parse_tests(PSC_STATE *state,
void psc_todo_tests(PSC_STATE *state, time_t time_value)
{
time_t *time_stamps = state->client_info->expire_time;
time_t *expire_time = state->client_info->expire_time;
time_t *sp;
/*
@ -203,7 +204,7 @@ void psc_todo_tests(PSC_STATE *state, time_t time_value)
* enabled tests, but the remote SMTP client has not yet passed all those
* tests.
*/
for (sp = time_stamps; sp < time_stamps + PSC_TINDX_COUNT; sp++) {
for (sp = expire_time; sp < expire_time + PSC_TINDX_COUNT; sp++) {
if (*sp == PSC_TIME_STAMP_NEW)
state->flags |= PSC_STATE_FLAG_NEW;
}
@ -212,15 +213,15 @@ void psc_todo_tests(PSC_STATE *state, time_t time_value)
* Don't flag disabled tests as "todo", because there would be no way to
* make those bits go away.
*/
if (PSC_PREGR_TEST_ENABLE() && time_value > state->pregr_stamp)
if (PSC_PREGR_TEST_ENABLE() && time_value > expire_time[PSC_TINDX_PREGR])
state->flags |= PSC_STATE_FLAG_PREGR_TODO;
if (PSC_DNSBL_TEST_ENABLE() && time_value > state->dnsbl_stamp)
if (PSC_DNSBL_TEST_ENABLE() && time_value > expire_time[PSC_TINDX_DNSBL])
state->flags |= PSC_STATE_FLAG_DNSBL_TODO;
if (var_psc_pipel_enable && time_value > state->pipel_stamp)
if (var_psc_pipel_enable && time_value > expire_time[PSC_TINDX_PIPEL])
state->flags |= PSC_STATE_FLAG_PIPEL_TODO;
if (var_psc_nsmtp_enable && time_value > state->nsmtp_stamp)
if (var_psc_nsmtp_enable && time_value > expire_time[PSC_TINDX_NSMTP])
state->flags |= PSC_STATE_FLAG_NSMTP_TODO;
if (var_psc_barlf_enable && time_value > state->barlf_stamp)
if (var_psc_barlf_enable && time_value > expire_time[PSC_TINDX_BARLF])
state->flags |= PSC_STATE_FLAG_BARLF_TODO;
/*
@ -235,15 +236,15 @@ void psc_todo_tests(PSC_STATE *state, time_t time_value)
&& var_psc_refresh_time > 0) {
time_t refresh_time = time_value + var_psc_refresh_time;
if (PSC_PREGR_TEST_ENABLE() && refresh_time > state->pregr_stamp)
if (PSC_PREGR_TEST_ENABLE() && refresh_time > expire_time[PSC_TINDX_PREGR])
state->flags |= PSC_STATE_FLAG_PREGR_TODO;
if (PSC_DNSBL_TEST_ENABLE() && refresh_time > state->dnsbl_stamp)
if (PSC_DNSBL_TEST_ENABLE() && refresh_time > expire_time[PSC_TINDX_DNSBL])
state->flags |= PSC_STATE_FLAG_DNSBL_TODO;
if (var_psc_pipel_enable && refresh_time > state->pipel_stamp)
if (var_psc_pipel_enable && refresh_time > expire_time[PSC_TINDX_PIPEL])
state->flags |= PSC_STATE_FLAG_PIPEL_TODO;
if (var_psc_nsmtp_enable && refresh_time > state->nsmtp_stamp)
if (var_psc_nsmtp_enable && refresh_time > expire_time[PSC_TINDX_NSMTP])
state->flags |= PSC_STATE_FLAG_NSMTP_TODO;
if (var_psc_barlf_enable && refresh_time > state->barlf_stamp)
if (var_psc_barlf_enable && refresh_time > expire_time[PSC_TINDX_BARLF])
state->flags |= PSC_STATE_FLAG_BARLF_TODO;
}
#endif
@ -271,6 +272,7 @@ void psc_todo_tests(PSC_STATE *state, time_t time_value)
char *psc_print_tests(VSTRING *buf, PSC_STATE *state)
{
const char *myname = "psc_print_tests";
time_t *expire_time = state->client_info->expire_time;
/*
* Sanity check.
@ -283,23 +285,23 @@ char *psc_print_tests(VSTRING *buf, PSC_STATE *state)
* with "pass new" when some disabled test becomes enabled at some later
* time.
*/
if (PSC_PREGR_TEST_ENABLE() == 0 && state->pregr_stamp == PSC_TIME_STAMP_NEW)
state->pregr_stamp = PSC_TIME_STAMP_DISABLED;
if (PSC_DNSBL_TEST_ENABLE() == 0 && state->dnsbl_stamp == PSC_TIME_STAMP_NEW)
state->dnsbl_stamp = PSC_TIME_STAMP_DISABLED;
if (var_psc_pipel_enable == 0 && state->pipel_stamp == PSC_TIME_STAMP_NEW)
state->pipel_stamp = PSC_TIME_STAMP_DISABLED;
if (var_psc_nsmtp_enable == 0 && state->nsmtp_stamp == PSC_TIME_STAMP_NEW)
state->nsmtp_stamp = PSC_TIME_STAMP_DISABLED;
if (var_psc_barlf_enable == 0 && state->barlf_stamp == PSC_TIME_STAMP_NEW)
state->barlf_stamp = PSC_TIME_STAMP_DISABLED;
if (PSC_PREGR_TEST_ENABLE() == 0 && expire_time[PSC_TINDX_PREGR] == PSC_TIME_STAMP_NEW)
expire_time[PSC_TINDX_PREGR] = PSC_TIME_STAMP_DISABLED;
if (PSC_DNSBL_TEST_ENABLE() == 0 && expire_time[PSC_TINDX_DNSBL] == PSC_TIME_STAMP_NEW)
expire_time[PSC_TINDX_DNSBL] = PSC_TIME_STAMP_DISABLED;
if (var_psc_pipel_enable == 0 && expire_time[PSC_TINDX_PIPEL] == PSC_TIME_STAMP_NEW)
expire_time[PSC_TINDX_PIPEL] = PSC_TIME_STAMP_DISABLED;
if (var_psc_nsmtp_enable == 0 && expire_time[PSC_TINDX_NSMTP] == PSC_TIME_STAMP_NEW)
expire_time[PSC_TINDX_NSMTP] = PSC_TIME_STAMP_DISABLED;
if (var_psc_barlf_enable == 0 && expire_time[PSC_TINDX_BARLF] == PSC_TIME_STAMP_NEW)
expire_time[PSC_TINDX_BARLF] = PSC_TIME_STAMP_DISABLED;
vstring_sprintf(buf, "%lu;%lu;%lu;%lu;%lu",
(unsigned long) state->pregr_stamp,
(unsigned long) state->dnsbl_stamp,
(unsigned long) state->pipel_stamp,
(unsigned long) state->nsmtp_stamp,
(unsigned long) state->barlf_stamp);
(unsigned long) expire_time[PSC_TINDX_PREGR],
(unsigned long) expire_time[PSC_TINDX_DNSBL],
(unsigned long) expire_time[PSC_TINDX_PIPEL],
(unsigned long) expire_time[PSC_TINDX_NSMTP],
(unsigned long) expire_time[PSC_TINDX_BARLF]);
return (STR(buf));
}
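Review bot: psc_new_tests at the top of this section still initializes the five expire_time slots one index at a time (the PSC_TINDX_PREGR through PSC_TINDX_BARLF assignments), while psc_todo_tests in the same file already walks the array with `for (sp = expire_time; sp < expire_time + PSC_TINDX_COUNT; sp++)`. With the per-test fields removed and the array now the only representation, the initialization could use the same idiom, `for (sp = expire_time; sp < expire_time + PSC_TINDX_COUNT; sp++) *sp = PSC_TIME_STAMP_NEW;`, so a future PSC_TINDX_* slot is not silently missed; the rest of psc_new_tests lies outside the shown hunks. The remaining per-index code in psc_todo_tests and psc_print_tests is tied to per-test enable flags and the five-field cache format, so leaving it explicit there is reasonable. In psc_print_tests the new `expire_time` alias makes the disabled-test assignments read like writes to a local, although they update the cached client info through state->client_info; a one-line comment next to the declaration, `/* Alias: assignments below update the cached client info. */`, would make that write-through explicit.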