
postfix-3.5.23

This commit is contained in:
Wietse Venema 2023-12-22 00:00:00 -05:00 committed by Viktor Dukhovni
parent 86b885a4e6
commit f75140fe85
13 changed files with 471 additions and 180 deletions


@ -25399,3 +25399,17 @@ Apologies for any names omitted.
delimiter. Fixed by restoring Postfix 2.10 behavior to use
a configured recipient delimiter value. Reported by Tod
A. Sandman. Files: proto/postconf.proto, local/local_expand.c.
20231221
Security: with "smtpd_forbid_bare_newline = yes" (default
"no" for Postfix < 3.9), reply with "Error: bare <LF>
received" and disconnect when an SMTP client sends a line
ending in <LF>, violating the RFC 5321 requirement that
lines must end in <CR><LF>. This prevents SMTP smuggling
attacks that target a recipient at a Postfix server. For
backwards compatibility, local clients are excluded by
default with "smtpd_forbid_bare_newline_exclusions =
$mynetworks". Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
smtpd/smtpd.c.


@ -25,6 +25,31 @@ more recent Eclipse Public License 2.0. Recipients can choose to take
the software under the license of their choice. Those who are more
comfortable with the IPL can continue with that license.
Major changes with Postfix 3.5.23
=================================
Security: the Postfix SMTP server optionally disconnects a remote
SMTP client that sends a 'bare newline' line ending in SMTP. This
prevents an SMTP smuggling attack on recipients at a Postfix server.
For background, see https://www.postfix.org/smtp-smuggling.html
Sites concerned about SMTP smuggling attacks should enable this
feature in Internet-facing Postfix servers. For compatibility with
non-standard clients, Postfix by default excludes clients in
mynetworks from this countermeasure.
The recommended settings are:
# Optionally disconnect remote SMTP clients that send bare newlines,
# but allow local clients with non-standard SMTP implementations
# such as netcat, fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = no
smtpd_forbid_bare_newline_exclusions = $mynetworks
This feature is back-ported from Postfix 3.9, with the difference
that "smtpd_forbid_bare_newline = no" by default.
Major changes with Postfix 3.5.20
=================================


@ -15047,6 +15047,65 @@ This feature is available in Postfix 2.0 and later.
</p>
</DD>
<DT><b><a name="smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a>
(default: Postfix &lt; 3.9: no)</b></DT><DD>
<p> Reply with "Error: bare &lt;LF&gt; received" and disconnect
when a remote SMTP client sends a line ending in &lt;LF&gt;, violating
the <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a> requirement that lines must end in &lt;CR&gt;&lt;LF&gt;.
This feature is disbled by default with Postfix &lt; 3.9. Use
<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> to exclude non-standard clients
such as netcat. Specify "<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = no" to disable
(not recommended for an Internet-connected MTA). </p>
<p> See <a href="https://www.postfix.org/smtp-smuggling.html">
https://www.postfix.org/smtp-smuggling.html</a> for details.
<p> Example: </p>
<blockquote>
<pre>
# Disconnect remote SMTP clients that send bare newlines, but allow
# local clients with non-standard SMTP implementations such as netcat,
# fax machines, or load balancer health checks.
#
<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = yes
<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> = $<a href="postconf.5.html#mynetworks">mynetworks</a>
</pre>
</blockquote>
<p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23. </p>
</DD>
<DT><b><a name="smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>
(default: $<a href="postconf.5.html#mynetworks">mynetworks</a>)</b></DT><DD>
<p> Exclude the specified clients from <a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a>
enforcement. It uses the same syntax and parent-domain matching
behavior as <a href="postconf.5.html#mynetworks">mynetworks</a>. </p>
<p> Example: </p>
<blockquote>
<pre>
# Disconnect remote SMTP clients that send bare newlines, but allow
# local clients with non-standard SMTP implementations such as netcat,
# fax machines, or load balancer health checks.
#
<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = yes
<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> = $<a href="postconf.5.html#mynetworks">mynetworks</a>
</pre>
</blockquote>
<p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23. </p>
</DD>
<DT><b><a name="smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a>


@ -914,9 +914,20 @@ SMTPD(8) SMTPD(8)
Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
<b><a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> (Postfix</b> &gt;<b>= 3.9: yes)</b>
Disconnect remote SMTP clients that violate <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (or 5321)
Disconnect remote SMTP clients that violate <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (or 5321)
command pipelining constraints.
Available in Postfix 3.9, 3.8.4, 3.7.9, 3.6.13, 3.5.23 and later:
<b><a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> (Postfix</b> &lt; <b>3.9: no)</b>
Reply with "Error: bare &lt;LF&gt; received" and disconnect when a
remote SMTP client sends a line ending in &lt;LF&gt;, violating the
<a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a> requirement that lines must end in &lt;CR&gt;&lt;LF&gt;.
<b><a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
Exclude the specified clients from <a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a>
enforcement.
<b>TARPIT CONTROLS</b>
When a remote SMTP client makes errors, the Postfix SMTP server can
insert delays before responding. This can help to slow down run-away


@ -10206,6 +10206,61 @@ The smtpd_expansion_filter value is not subject to Postfix configuration
parameter $name expansion.
.PP
This feature is available in Postfix 2.0 and later.
.SH smtpd_forbid_bare_newline (default: Postfix < 3.9: no)
Reply with "Error: bare <LF> received" and disconnect
when a remote SMTP client sends a line ending in <LF>, violating
the RFC 5321 requirement that lines must end in <CR><LF>.
This feature is disbled by default with Postfix < 3.9. Use
smtpd_forbid_bare_newline_exclusions to exclude non\-standard clients
such as netcat. Specify "smtpd_forbid_bare_newline = no" to disable
(not recommended for an Internet\-connected MTA).
.PP
See
https://www.postfix.org/smtp\-smuggling.html for details.
.PP
Example:
.sp
.in +4
.nf
.na
.ft C
# Disconnect remote SMTP clients that send bare newlines, but allow
# local clients with non\-standard SMTP implementations such as netcat,
# fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
.fi
.ad
.ft R
.in -4
.PP
This feature is available in Postfix >= 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23.
.SH smtpd_forbid_bare_newline_exclusions (default: $mynetworks)
Exclude the specified clients from smtpd_forbid_bare_newline
enforcement. It uses the same syntax and parent\-domain matching
behavior as mynetworks.
.PP
Example:
.sp
.in +4
.nf
.na
.ft C
# Disconnect remote SMTP clients that send bare newlines, but allow
# local clients with non\-standard SMTP implementations such as netcat,
# fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
.fi
.ad
.ft R
.in -4
.PP
This feature is available in Postfix >= 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23.
.SH smtpd_forbid_unauth_pipelining (default: Postfix >= 3.9: yes)
Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
command pipelining constraints. The server replies with "554 5.5.0


@ -809,6 +809,15 @@ Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
.IP "\fBsmtpd_forbid_unauth_pipelining (Postfix >= 3.9: yes)\fR"
Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
command pipelining constraints.
.PP
Available in Postfix 3.9, 3.8.4, 3.7.9, 3.6.13, 3.5.23 and later:
.IP "\fBsmtpd_forbid_bare_newline (Postfix < 3.9: no)\fR"
Reply with "Error: bare <LF> received" and disconnect
when a remote SMTP client sends a line ending in <LF>, violating
the RFC 5321 requirement that lines must end in <CR><LF>.
.IP "\fBsmtpd_forbid_bare_newline_exclusions ($mynetworks)\fR"
Exclude the specified clients from smtpd_forbid_bare_newline
enforcement.
.SH "TARPIT CONTROLS"
.na
.nf


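--- a/mantools/postlink
+++ b/mantools/postlink
@@ -548,6 +548,8 @@ while (<>) {
 s;\bsmtpd_etrn_restrictions\b;<a href="postconf.5.html#smtpd_etrn_restrictions">$&</a>;g;
 s;\bsmtpd_expansion_filter\b;<a href="postconf.5.html#smtpd_expansion_filter">$&</a>;g;
 s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bidden_commands\b;<a href="postconf.5.html#smtpd_forbidden_commands">$&</a>;g;
+s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_bare_newline\b;<a href="postconf.5.html#smtpd_forbid_bare_newline">$&</a>;g;
+s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_bare_newline_exclusions\b;<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">$&</a>;g;
 s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_unauth_pipelining\b;<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">$&</a>;g;
 s;\bsmtpd_hard_error_limit\b;<a href="postconf.5.html#smtpd_hard_error_limit">$&</a>;g;
 s;\bsmtpd_helo_required\b;<a href="postconf.5.html#smtpd_helo_required">$&</a>;g;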


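--- a/proto/postconf.proto
+++ b/proto/postconf.proto
@@ -17863,6 +17863,57 @@ MinProtocol = TLSv1
 <p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
 3.6.10, and 3.5.20. </p>
+%PARAM smtpd_forbid_bare_newline Postfix &lt; 3.9: no
+<p> Reply with "Error: bare &lt;LF&gt; received" and disconnect
+when a remote SMTP client sends a line ending in &lt;LF&gt;, violating
+the RFC 5321 requirement that lines must end in &lt;CR&gt;&lt;LF&gt;.
+This feature is disbled by default with Postfix &lt; 3.9. Use
+smtpd_forbid_bare_newline_exclusions to exclude non-standard clients
+such as netcat. Specify "smtpd_forbid_bare_newline = no" to disable
+(not recommended for an Internet-connected MTA). </p>
+<p> See <a href="https://www.postfix.org/smtp-smuggling.html">
+https://www.postfix.org/smtp-smuggling.html</a> for details.
+<p> Example: </p>
+<blockquote>
+<pre>
+# Disconnect remote SMTP clients that send bare newlines, but allow
+# local clients with non-standard SMTP implementations such as netcat,
+# fax machines, or load balancer health checks.
+#
+smtpd_forbid_bare_newline = yes
+smtpd_forbid_bare_newline_exclusions = $mynetworks
+</pre>
+</blockquote>
+<p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9,
+3.6.13, and 3.5.23. </p>
+%PARAM smtpd_forbid_bare_newline_exclusions $mynetworks
+<p> Exclude the specified clients from smtpd_forbid_bare_newline
+enforcement. It uses the same syntax and parent-domain matching
+behavior as mynetworks. </p>
+<p> Example: </p>
+<blockquote>
+<pre>
+# Disconnect remote SMTP clients that send bare newlines, but allow
+# local clients with non-standard SMTP implementations such as netcat,
+# fax machines, or load balancer health checks.
+#
+smtpd_forbid_bare_newline = yes
+smtpd_forbid_bare_newline_exclusions = $mynetworks
+</pre>
+</blockquote>
+<p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9,
+3.6.13, and 3.5.23. </p>
 %PARAM smtpd_forbid_unauth_pipelining Postfix &ge; 3.9: yes
 <p> Disconnect remote SMTP clients that violate RFC 2920 (or 5321)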


@ -4142,7 +4142,16 @@ extern char *var_smtp_dns_re_filter;
extern char *var_smtpd_dns_re_filter;
/*
* Share TLS sessions through tlproxy(8).
* Backwards compatibility.
*/
#define VAR_SMTPD_FORBID_BARE_LF "smtpd_forbid_bare_newline"
#define DEF_SMTPD_FORBID_BARE_LF 0
#define VAR_SMTPD_FORBID_BARE_LF_EXCL "smtpd_forbid_bare_newline_exclusions"
#define DEF_SMTPD_FORBID_BARE_LF_EXCL "$" VAR_MYNETWORKS
/*
* Share TLS sessions through tlsproxy(8).
*/
#define VAR_SMTP_TLS_CONN_REUSE "smtp_tls_connection_reuse"
#define DEF_SMTP_TLS_CONN_REUSE 0
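Review bot: The comment heading directly above the new VAR_SMTPD_FORBID_BARE_LF group reads `* Backwards compatibility.`, which says nothing about what the four defines are for; the page does not mark which side of the `tlproxy`/`tlsproxy` pair is old, so I read `Backwards compatibility.` as the heading introduced for the new group — please confirm. A purpose-naming heading such as `* Bare <LF> (SMTP smuggling) countermeasure, see smtpd(8).` would let a reader find the feature without opening smtpd.c. If the heading is instead meant to flag that the `0` default is a compatibility choice for Postfix < 3.9, say so explicitly, e.g. `* Off by default in Postfix < 3.9 for backwards compatibility.`.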


@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20231101"
#define MAIL_VERSION_NUMBER "3.5.22"
#define MAIL_RELEASE_DATE "20231222"
#define MAIL_VERSION_NUMBER "3.5.23"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE


@ -50,6 +50,8 @@
/* VSTREAM *stream;
/* char *format;
/* va_list ap;
/*
/* int smtp_forbid_bare_lf;
/* AUXILIARY API
/* int smtp_get_noexcept(vp, stream, maxlen, flags)
/* VSTRING *vp;
@ -124,11 +126,16 @@
/* smtp_vprintf() is the machine underneath smtp_printf().
/*
/* smtp_get_noexcept() implements the subset of smtp_get()
/* without timeouts and without making long jumps. Instead,
/* without long jumps for timeout or EOF errors. Instead,
/* query the stream status with vstream_feof() etc.
/* This function will make a VSTREAM long jump (error code
/* SMTP_ERR_LF) when rejecting input with a bare newline byte.
/*
/* smtp_timeout_setup() is a backwards-compatibility interface
/* for programs that don't require per-record deadline support.
/*
/* smtp_forbid_bare_lf controls whether smtp_get_noexcept()
/* will reject input with a bare newline byte.
/* DIAGNOSTICS
/* .fi
/* .ad
@ -201,6 +208,8 @@
#include "smtp_stream.h"
int smtp_forbid_bare_lf;
/* smtp_timeout_reset - reset per-stream error flags, restart deadline timer */
static void smtp_timeout_reset(VSTREAM *stream)
@ -404,6 +413,9 @@ int smtp_get_noexcept(VSTRING *vp, VSTREAM *stream, ssize_t bound, int flags
*/
case '\n':
vstring_truncate(vp, VSTRING_LEN(vp) - 1);
if (smtp_forbid_bare_lf
&& (VSTRING_LEN(vp) == 0 || vstring_end(vp)[-1] != '\r'))
vstream_longjmp(stream, SMTP_ERR_LF);
while (VSTRING_LEN(vp) > 0 && vstring_end(vp)[-1] == '\r')
vstring_truncate(vp, VSTRING_LEN(vp) - 1);
VSTRING_TERMINATE(vp);
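Review bot: The new test in the `case '\n':` branch treats an empty buffer after dropping the newline (`VSTRING_LEN(vp) == 0`) as a bare newline, so if a bounded read returned the <CR> in a previous call and this call delivers only the <LF>, a well-formed <CR><LF> line split exactly at `bound` would be rejected with SMTP_ERR_LF; whether that split can occur depends on the read loop above the hunk, which is outside the view, so please confirm against it. If it can, the check needs to remember that the previous partial read ended in <CR> (a flag carried across calls) rather than rely on the buffer length alone. The check also deserves a one-line comment, since the longjmp contradicts the "no long jumps" contract stated for this function: `/* Reject <LF> not preceded by <CR>; caller (smtpd) replies and disconnects. */`. Note that the longjmp fires before VSTRING_TERMINATE(), so the buffer is not NUL-terminated when the error handler runs, which is fine only as long as no handler reads it.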


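--- a/global/smtp_stream.h
+++ b/global/smtp_stream.h
@@ -32,6 +32,7 @@
 #define SMTP_ERR_QUIET 3 /* silent cleanup (application) */
 #define SMTP_ERR_NONE 4 /* non-error case */
 #define SMTP_ERR_DATA 5 /* application data error */
+#define SMTP_ERR_LF 6 /* bare <LF> protocol error */
 extern void smtp_stream_setup(VSTREAM *, int, int);
 extern void PRINTFLIKE(2, 3) smtp_printf(VSTREAM *, const char *,...);
@@ -43,6 +44,7 @@ extern void smtp_fputs(const char *, ssize_t len, VSTREAM *);
 extern void smtp_fwrite(const char *, ssize_t len, VSTREAM *);
 extern void smtp_fread_buf(VSTRING *, ssize_t len, VSTREAM *);
 extern void smtp_fputc(int, VSTREAM *);
+extern int smtp_forbid_bare_lf;
 extern void smtp_vprintf(VSTREAM *, const char *, va_list);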
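Review bot: The new `extern int smtp_forbid_bare_lf;` is the one declaration in this header that says nothing about who sets it or what it changes, and a global that flips the error behavior of smtp_get_noexcept() for every caller of this library deserves that. On this page smtpd.c assigns it per client from the exclusion list (smtpd_service() and again after XCLIENT), and smtp_stream.c long-jumps with SMTP_ERR_LF when it is non-zero. A trailing comment such as `extern int smtp_forbid_bare_lf;	/* set per client by the caller; non-zero rejects bare <LF> with SMTP_ERR_LF */` keeps that contract next to the error code it belongs to.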


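--- a/smtpd/smtpd.c
+++ b/smtpd/smtpd.c
@@ -763,6 +763,15 @@
 /* .IP "\fBsmtpd_forbid_unauth_pipelining (Postfix >= 3.9: yes)\fR"
 /* Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
 /* command pipelining constraints.
+/* .PP
+/* Available in Postfix 3.9, 3.8.4, 3.7.9, 3.6.13, 3.5.23 and later:
+/* .IP "\fBsmtpd_forbid_bare_newline (Postfix < 3.9: no)\fR"
+/* Reply with "Error: bare <LF> received" and disconnect
+/* when a remote SMTP client sends a line ending in <LF>, violating
+/* the RFC 5321 requirement that lines must end in <CR><LF>.
+/* .IP "\fBsmtpd_forbid_bare_newline_exclusions ($mynetworks)\fR"
+/* Exclude the specified clients from smtpd_forbid_bare_newline
+/* enforcement.
 /* TARPIT CONTROLS
 /* .ad
 /* .fi
@@ -1468,6 +1477,10 @@ char *var_tlsproxy_service;
 char *var_smtpd_uproxy_proto;
 int var_smtpd_uproxy_tmout;
+bool var_smtpd_forbid_bare_lf;
+char *var_smtpd_forbid_bare_lf_excl;
+static NAMADR_LIST *bare_lf_excl;
 /*
 * Silly little macros.
 */
@@ -1542,6 +1555,7 @@ static void tls_reset(SMTPD_STATE *);
 #define REASON_TIMEOUT "timeout"
 #define REASON_LOST_CONNECTION "lost connection"
 #define REASON_ERROR_LIMIT "too many errors"
+#define REASON_BARE_LF "bare <LF> received"
 #ifdef USE_TLS
@@ -3968,6 +3982,7 @@ static int bdat_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
 */
 done = 0;
 do {
+int payload_err;
 /*
 * Do not skip the smtp_fread_buf() call if read_len == 0. We still
@@ -3981,6 +3996,10 @@ static int bdat_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
 smtp_fread_buf(state->buffer, read_len, state->client);
 state->bdat_get_stream = vstream_memreopen(
 state->bdat_get_stream, state->buffer, O_RDONLY);
+vstream_control(state->bdat_get_stream, CA_VSTREAM_CTL_EXCEPT,
+CA_VSTREAM_CTL_END);
+if ((payload_err = vstream_setjmp(state->bdat_get_stream)) != 0)
+vstream_longjmp(state->client, payload_err);
 /*
 * Read lines from the fragment. The last line may continue in the
@@ -4656,6 +4675,9 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
 */
 xclient_allowed =
 namadr_list_match(xclient_hosts, state->name, state->addr);
+smtp_forbid_bare_lf = SMTPD_STAND_ALONE((state)) == 0
+&& var_smtpd_forbid_bare_lf
+&& !namadr_list_match(bare_lf_excl, state->name, state->addr);
 /* NOT: tls_reset() */
 if (got_helo == 0)
 helo_reset(state);
@@ -5474,6 +5496,13 @@ static void smtpd_proto(SMTPD_STATE *state)
 var_myhostname);
 break;
+case SMTP_ERR_LF:
+state->reason = REASON_BARE_LF;
+if (vstream_setjmp(state->client) == 0)
+smtpd_chat_reply(state, "521 5.5.2 %s Error: bare <LF> received",
+var_myhostname);
+break;
 case 0:
 /*
@@ -6032,6 +6061,13 @@ static void smtpd_service(VSTREAM *stream, char *service, char **argv)
 xforward_allowed = SMTPD_STAND_ALONE((&state)) == 0 &&
 namadr_list_match(xforward_hosts, state.name, state.addr);
+/*
+* Enforce strict SMTP line endings, with compatibility exclusions.
+*/
+smtp_forbid_bare_lf = SMTPD_STAND_ALONE((&state)) == 0
+&& var_smtpd_forbid_bare_lf
+&& !namadr_list_match(bare_lf_excl, state.name, state.addr);
 /*
 * See if we need to turn on verbose logging for this client.
 */
@@ -6093,6 +6129,10 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
 hogger_list = namadr_list_init(VAR_SMTPD_HOGGERS, MATCH_FLAG_RETURN
 | match_parent_style(VAR_SMTPD_HOGGERS),
 var_smtpd_hoggers);
+bare_lf_excl = namadr_list_init(VAR_SMTPD_FORBID_BARE_LF_EXCL,
+MATCH_FLAG_RETURN
+| match_parent_style(VAR_MYNETWORKS),
+var_smtpd_forbid_bare_lf_excl);
 /*
 * Open maps before dropping privileges so we can read passwords etc.
@@ -6451,6 +6491,7 @@ int main(int argc, char **argv)
 VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open,
 VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log,
 VAR_SMTPD_FORBID_UNAUTH_PIPE, DEF_SMTPD_FORBID_UNAUTH_PIPE, &var_smtpd_forbid_unauth_pipe,
+VAR_SMTPD_FORBID_BARE_LF, DEF_SMTPD_FORBID_BARE_LF, &var_smtpd_forbid_bare_lf,
 0,
 };
 static const CONFIG_NBOOL_TABLE nbool_table[] = {
@@ -6564,6 +6605,7 @@ int main(int argc, char **argv)
 VAR_SMTPD_POLICY_CONTEXT, DEF_SMTPD_POLICY_CONTEXT, &var_smtpd_policy_context, 0, 0,
 VAR_SMTPD_DNS_RE_FILTER, DEF_SMTPD_DNS_RE_FILTER, &var_smtpd_dns_re_filter, 0, 0,
 VAR_SMTPD_REJ_FTR_MAPS, DEF_SMTPD_REJ_FTR_MAPS, &var_smtpd_rej_ftr_maps, 0, 0,
+VAR_SMTPD_FORBID_BARE_LF_EXCL, DEF_SMTPD_FORBID_BARE_LF_EXCL, &var_smtpd_forbid_bare_lf_excl, 0, 0,
 0,
 };
 static const CONFIG_RAW_TABLE raw_table[] = {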
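Review bot: The enforcement decision is spelled out twice — once in xclient_cmd() (`smtp_forbid_bare_lf = SMTPD_STAND_ALONE((state)) == 0 && var_smtpd_forbid_bare_lf && !namadr_list_match(bare_lf_excl, state->name, state->addr);`) and again in smtpd_service() — and only the second copy carries a comment; a small static helper keeps the two sites from drifting and gives the XCLIENT re-evaluation (which is needed, because the exclusion list is matched against the client name and address that XCLIENT may replace) a place to be documented. Both enclosing functions start and end outside their hunks. Separately, the SMTP_ERR_LF reply in smtpd_proto() repeats the literal `bare <LF> received` that REASON_BARE_LF already holds; `smtpd_chat_reply(state, "521 5.5.2 %s Error: %s", var_myhostname, state->reason)` would keep the reply and the logged reason from diverging, though the neighbouring cases use literals too, so this is optional.

```c
/* smtpd_update_forbid_bare_lf - (re)evaluate bare <LF> enforcement for this client */

static void smtpd_update_forbid_bare_lf(SMTPD_STATE *state)
{
    /* Stand-alone mode and excluded clients (default: $mynetworks) keep the lenient behavior. */
    smtp_forbid_bare_lf = SMTPD_STAND_ALONE((state)) == 0
	&& var_smtpd_forbid_bare_lf
	&& !namadr_list_match(bare_lf_excl, state->name, state->addr);
}

/* … unchanged: xclient_cmd() up to the xclient_allowed assignment … */
    /* XCLIENT may have replaced name/addr, so re-check the exclusion list. */
    smtpd_update_forbid_bare_lf(state);

/* … unchanged: smtpd_service() up to the xforward_allowed assignment … */
    smtpd_update_forbid_bare_lf(&state);
```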