Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Resolve conflicts from last import.

Browse Source
This commit is contained in:
tron 2013-01-02 19:18:29 +00:00
parent a30b880ed6
commit cf33639979
31 changed files with 4914 additions and 4030 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
external/ibm-public/postfix/dist/README_FILES/ADDRESS_VERIFICATION_README vendored
View File

@ -123,6 +123,13 @@ LLiimmiittaattiioonnss ooff aaddddrreessss vveerriiffi
fail with mis-configured sites that reject MAIL FROM: <>, while probes from
"double-bounce@$myorigin" would succeed.
* The downside of using a non-empty sender address is that the address may
end op on spammer mailing lists. Although Postfix always discards mail to
the double-bounce address, this still results in wasted network bandwidth
and server capacity. To defeat address harvesting, Postfix 2.9 and later
support time-dependent sender addresses when you specify a non-zero
address_verify_sender_ttl value.
RReecciippiieenntt aaddddrreessss vveerriiffiiccaattiioonn
As mentioned earlier, recipient address verification is useful to block mail
@ -287,6 +294,16 @@ results are lost after "postfix reload" or "postfix stop".
# Note: avoid hash files here. Use btree instead.
address_verify_map = btree:$data_directory/verify_cache
# Shared persistent cache (requires Postfix 2.9 or later).
address_verify_map = proxy:btree:$data_directory/verify_cache
# Disable automatic cache cleanup in all Postfix instances except
# for one instance that will be responsible for cache cleanup.
# address_verify_cache_cleanup_interval = 0
# Shared memory cache (requires Postfix 2.9 or later).
# See memcache_table(5) for details.
address_verify_map = memcache:/etc/postfix/verify-memcache.cf
# Default setting for Postfix 2.6 and earlier.
# This uses non-persistent storage only.
address_verify_map =

83
external/ibm-public/postfix/dist/README_FILES/INSTALL vendored
View File

@ -223,7 +223,86 @@ Parameters whose defaults can be specified in this way are:
Note: the data_directory parameter (for caches and pseudo-random numbers) was
introduced with Postfix version 2.5.
44..55 -- SSuuppppoorrtt ffoorr tthhoouussaannddss ooff pprroocceesssseess
44..55 -- OOvveerrrriiddiinngg ootthheerr ccoommppiillee--ttiimmee ffeeaattuurreess
The general method to override Postfix compile-time features is as follows:
% make makefiles name=value name=value...
% make
The following is an extensive list of names and values.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|NNaammee//VVaalluuee |DDeessccrriippttiioonn |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|AUXLIBS="object_library..." |Specifies one or more non-default object |
| |libraries. |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|CC=compiler_command |Specifies a non-default compiler. On many |
| |systems, the default is gcc. |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
| |Specifies non-default compiler arguments, for |
|CCARGS="compiler_arguments..."|example, a non-default include directory. The |
| |following directives turn off Postfix features|
| |at compile time: |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|| |Do not build with Berkeley DB support. By |
||-DNO_DB |default, Berkeley DB support is compiled in on|
|| |platforms that are known to support this |
|| |feature. |
|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|| |Do not build with Solaris /dev/poll support. |
||-DNO_DEVPOLL |By default, /dev/poll support is compiled in |
|| |on Solaris versions that are known to support |
|| |this feature. |
|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|| |Do not build with Linux EPOLL support. By |
||-DNO_EPOLL |default, EPOLL support is compiled in on |
|| |platforms that are known to support this |
|| |feature. |
|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|| |Do not build with IPv6 support. By default, |
|| |IPv6 support is compiled in on platforms that |
||-DNO_IPV6 |are known to have IPv6 support. Note: this |
|| |directive is for debugging and testing only. |
|| |It is not guaranteed to work on all platforms.|
|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|| |Do not build with FreeBSD / NetBSD / OpenBSD /|
||-DNO_KQUEUE |MacOSX KQUEUE support. By default, KQUEUE |
|| |support is compiled in on platforms that are |
|| |known to support it. |
|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|| |Do not build with NIS or NISPLUS support. NIS |
||-DNO_NIS |is not available on some recent Linux or |
|| |Solaris distributions. |
|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|| |Do not build with PCRE support. By default, |
||-DNO_PCRE |PCRE support is compiled in when the pcre- |
|| |config utility is installed. |
|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|| |Disable support for POSIX getpwnam_r/ |
||-DNO_POSIX_GETPW_R |getpwuid_r. By default Postfix uses these |
|| |where they are known to be available. |
|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|| |Use setjmp()/longjmp() instead of sigsetjmp()/|
||-DNO_SIGSETJMP |siglongjmp(). By default, Postfix uses |
|| |sigsetjmp()/siglongjmp() when they are known |
|| |to be available. |
|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
| |Specifies a non-default compiler debugging |
|DEBUG=debug_level |level. The default is -g. Specify DEBUG= to |
| |turn off debugging. |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
| |Specifies a non-default optimization level. |
|OPT=optimization_level |The default is -O. Specify OPT= to turn off |
| |optimization. |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
| |Specifies non-default gcc compiler warning |
|WARN="warning_flags..." |options for use when "make" is invoked in a |
| |source subdirectory only. |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
44..66 -- SSuuppppoorrtt ffoorr tthhoouussaannddss ooff pprroocceesssseess
The number of connections that Postfix can manage simultaneously is limited by
the number of processes that it can run. This number in turn is limited by the
@ -255,7 +334,7 @@ But wait, there is more: none of this will work unless the operating system is
configured to handle thousands of connections. See the TUNING_README guide for
examples of how to increase the number of open sockets or files.
44..66 -- CCoommppiilliinngg PPoossttffiixx,, aatt llaasstt
44..77 -- CCoommppiilliinngg PPoossttffiixx,, aatt llaasstt
If the command

1293
external/ibm-public/postfix/dist/README_FILES/TLS_README vendored
View File

File diff suppressed because it is too large Load Diff

10
external/ibm-public/postfix/dist/conf/main.cf vendored
View File

@ -1,4 +1,4 @@
# $NetBSD: main.cf,v 1.2 2009/06/23 11:41:06 tron Exp $
# $NetBSD: main.cf,v 1.3 2013/01/02 19:18:30 tron Exp $
#
# Global Postfix configuration file. This file lists only a subset
# of all parameters. For the syntax, and for a complete parameter
@ -468,7 +468,12 @@ unknown_local_recipient_reject_code = 550
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#mailbox_transport = lmtp:unix:/file/name
# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd"
# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
#
# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
# subsequent line in master.cf.
#mailbox_transport = cyrus
# The fallback_transport specifies the optional transport in master.cf
@ -659,3 +664,4 @@ sample_directory = /usr/share/examples/postfix
# readme_directory: The location of the Postfix README files.
#
readme_directory = /usr/share/examples/postfix
inet_protocols = ipv4

6
external/ibm-public/postfix/dist/conf/master.cf vendored
View File

@ -1,4 +1,4 @@
# $NetBSD: master.cf,v 1.4 2011/03/02 19:56:37 tron Exp $
# $NetBSD: master.cf,v 1.5 2013/01/02 19:18:30 tron Exp $
#
#
# Postfix master process configuration file. For details on the format
@ -16,11 +16,13 @@
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
#submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
@ -40,9 +42,7 @@ flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
-o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error

9
external/ibm-public/postfix/dist/conf/postfix-files vendored
View File

@ -1,4 +1,4 @@
# $NetBSD: postfix-files,v 1.3 2011/03/02 19:56:37 tron Exp $
# $NetBSD: postfix-files,v 1.4 2013/01/02 19:18:30 tron Exp $
#
# Commented out entries mean files not installed under NetBSD.
#
@ -169,8 +169,9 @@ $manpage_directory/man5/generic.5:f:root:-:644
$manpage_directory/man5/header_checks.5:f:root:-:644
#$manpage_directory/man5/ldap_table.5:f:root:-:644
$manpage_directory/man5/master.5:f:root:-:644
$manpage_directory/man5/memcache_table.5:f:root:-:644
#$manpage_directory/man5/mysql_table.5:f:root:-:644
#$manpage_directory/man5/sqlite_table.5:f:root:-:644
$manpage_directory/man5/sqlite_table.5:f:root:-:644
$manpage_directory/man5/nisplus_table.5:f:root:-:644
$manpage_directory/man5/pcre_table.5:f:root:-:644
#$manpage_directory/man5/pgsql_table.5:f:root:-:644
@ -267,6 +268,7 @@ $readme_directory/LDAP_README:f:root:-:644
$readme_directory/LOCAL_RECIPIENT_README:f:root:-:644
$readme_directory/MACOSX_README:f:root:-:644:o
$readme_directory/MAILDROP_README:f:root:-:644
$readme_directory/MEMCACHE_README:f:root:-:644
$readme_directory/MILTER_README:f:root:-:644
$readme_directory/MULTI_INSTANCE_README:f:root:-:644
$readme_directory/MYSQL_README:f:root:-:644
@ -372,8 +374,9 @@ $html_directory/local.8.html:f:root:-:644
$html_directory/mailq.1.html:f:root:-:644
$html_directory/master.5.html:f:root:-:644
$html_directory/master.8.html:f:root:-:644
$html_directory/memcache_table.5.html:f:root:-:644
#$html_directory/mysql_table.5.html:f:root:-:644
#$html_directory/sqlite_table.5.html:f:root:-:644
$html_directory/sqlite_table.5.html:f:root:-:644
$html_directory/nisplus_table.5.html:f:root:-:644
$html_directory/newaliases.1.html:h:$html_directory/mailq.1.html:-:644
$html_directory/oqmgr.8.html:f:root:-:644

18
external/ibm-public/postfix/dist/html/ADDRESS_VERIFICATION_README.html vendored
View File

@ -245,6 +245,14 @@ server does not reject mail for this address. </p>
mis-configured sites that reject MAIL FROM: &lt;&gt;, while
probes from "double-bounce@$<a href="postconf.5.html#myorigin">myorigin</a>" would succeed. </p>
<li> <p> The downside of using a non-empty sender address is that
the address may end op on spammer mailing lists. Although Postfix
always discards mail to the double-bounce address, this still results
in wasted network bandwidth and server capacity. To defeat
address harvesting, Postfix 2.9 and later support time-dependent
sender addresses when you specify a non-zero <a href="postconf.5.html#address_verify_sender_ttl">address_verify_sender_ttl</a>
value. </p>
</ul>
<h2><a name="recipient">Recipient address verification</a></h2>
@ -448,6 +456,16 @@ results are lost after "postfix reload" or "postfix stop". </p>
# Note: avoid hash files here. Use btree instead.
<a href="postconf.5.html#address_verify_map">address_verify_map</a> = btree:$<a href="postconf.5.html#data_directory">data_directory</a>/verify_cache
# Shared persistent cache (requires Postfix 2.9 or later).
<a href="postconf.5.html#address_verify_map">address_verify_map</a> = <a href="proxymap.8.html">proxy</a>:btree:$<a href="postconf.5.html#data_directory">data_directory</a>/verify_cache
# Disable automatic cache cleanup in all Postfix instances except
# for one instance that will be responsible for cache cleanup.
# <a href="postconf.5.html#address_verify_cache_cleanup_interval">address_verify_cache_cleanup_interval</a> = 0
# Shared memory cache (requires Postfix 2.9 or later).
# See <a href="memcache_table.5.html">memcache_table(5)</a> for details.
<a href="postconf.5.html#address_verify_map">address_verify_map</a> = <a href="memcache_table.5.html">memcache</a>:/etc/postfix/verify-memcache.cf
# Default setting for Postfix 2.6 and earlier.
# This uses non-persistent storage only.
<a href="postconf.5.html#address_verify_map">address_verify_map</a> =

90
external/ibm-public/postfix/dist/html/INSTALL.html vendored
View File

@ -342,7 +342,93 @@ default</th> </tr>
<p> Note: the <a href="postconf.5.html#data_directory">data_directory</a> parameter (for caches and pseudo-random
numbers) was introduced with Postfix version 2.5. </p>
<h3>4.5 - Support for thousands of processes</h3>
<h3>4.5 - Overriding other compile-time features</h3>
<p> The general method to override Postfix compile-time features
is as follows: </p>
<blockquote>
<pre>
% make makefiles name=value name=value...
% make
</pre>
</blockquote>
<p> The following is an extensive list of names and values. </p>
<table border="1">
<tr> <th colspan="2"> Name/Value </th> <th> Description </th> </tr>
<tr> <td colspan="2"> AUXLIBS="object_library..."</td> <td> Specifies
one or more non-default object libraries. </td> </tr>
<tr> <td colspan="2"> CC=compiler_command</td> <td> Specifies a
non-default compiler. On many systems, the default is <tt>gcc</tt>.
</td> </tr>
<tr> <td colspan="2"> CCARGS="compiler_arguments..."</td> <td>
Specifies non-default compiler arguments, for example, a non-default
<tt>include</tt> directory. The following directives turn
off Postfix features at compile time:</td> </tr>
<tr> <td> </td> <td> -DNO_DB </td> <td> Do not build with Berkeley
DB support. By default, Berkeley DB support is compiled in on
platforms that are known to support this feature. </td> </tr>
<tr> <td> </td> <td> -DNO_DEVPOLL </td> <td> Do not build with
Solaris <tt>/dev/poll</tt> support. By default, <tt>/dev/poll</tt>
support is compiled in on Solaris versions that are known to support
this feature. </td> </tr>
<tr> <td> </td> <td> -DNO_EPOLL </td> <td> Do not build with Linux
EPOLL support. By default, EPOLL support is compiled in on platforms
that are known to support this feature. </td> </tr>
<tr> <td> </td> <td> -DNO_IPV6 </td> <td> Do not build with IPv6
support. By default, IPv6 support is compiled in on platforms that
are known to have IPv6 support. Note: this directive is for debugging
and testing only. It is not guaranteed to work on all platforms.
</td> </tr>
<tr> <td> </td> <td> -DNO_KQUEUE </td> <td> Do not build with FreeBSD
/ NetBSD / OpenBSD / MacOSX KQUEUE support. By default, KQUEUE
support is compiled in on platforms that are known to support it.
</td> </tr>
<tr> <td> </td> <td> -DNO_NIS </td> <td> Do not build with NIS or
NISPLUS support. NIS is not available on some recent Linux or Solaris
distributions. </td> </tr>
<tr> <td> </td> <td> -DNO_PCRE </td> <td> Do not build with PCRE
support. By default, PCRE support is compiled in when the
<tt>pcre-config</tt> utility is installed. </td> </tr>
<tr> <td> </td> <td> -DNO_POSIX_GETPW_R </td> <td> Disable support
for POSIX <tt>getpwnam_r/getpwuid_r</tt>. By default Postfix uses
these where they are known to be available. </td> </tr>
<tr> <td> </td> <td> -DNO_SIGSETJMP </td> <td> Use
<tt>setjmp()/longjmp()</tt> instead of <tt>sigsetjmp()/siglongjmp()</tt>.
By default, Postfix uses <tt>sigsetjmp()/siglongjmp()</tt> when
they are known to be available. </td> </tr>
<tr> <td colspan="2"> DEBUG=debug_level </td> <td> Specifies a
non-default compiler debugging level. The default is <tt>-g</tt>.
Specify DEBUG= to turn off debugging. </td> </tr>
<tr> <td colspan="2"> OPT=optimization_level </td> <td> Specifies
a non-default optimization level. The default is -O. Specify OPT=
to turn off optimization. </td> </tr>
<tr> <td colspan="2"> WARN="warning_flags..." </td> <td> Specifies
non-default <tt>gcc</tt> compiler warning options for use when
"<tt>make</tt>" is invoked in a source subdirectory only. </td>
</tr>
</table>
<h3>4.6 - Support for thousands of processes</h3>
<p> The number of connections that Postfix can manage simultaneously
is limited by the number of processes that it can run. This number
@ -390,7 +476,7 @@ operating system is configured to handle thousands of connections.
See the <a href="TUNING_README.html">TUNING_README</a> guide for examples of how to increase the
number of open sockets or files. </p>
<h3>4.6 - Compiling Postfix, at last</h3>
<h3>4.7 - Compiling Postfix, at last</h3>
<p> If the command </p>

1606
external/ibm-public/postfix/dist/html/TLS_README.html vendored
View File

File diff suppressed because it is too large Load Diff

953
external/ibm-public/postfix/dist/html/postconf.5.html vendored
View File

File diff suppressed because it is too large Load Diff

15
external/ibm-public/postfix/dist/makedefs vendored
View File

@ -25,6 +25,8 @@
# \fIinclude\fR directory.
# The following directives are special:
# .RS
# .IP \fB-DNO_DB\fR
# Do not build with Berkeley DB support.
# .IP \fB-DNO_DEVPOLL\fR
# Do not build with Solaris /dev/poll support.
# By default, /dev/poll support is compiled in on platforms that
@ -44,10 +46,15 @@
# Do not build with FreeBSD/NetBSD/OpenBSD/MacOSX KQUEUE support.
# By default, KQUEUE support is compiled in on platforms that
# are known to support it.
# .IP \fB-DNO_NIS\fR
# Do not build with NIS or NISPLUS support. Support for NIS
# is unavailable on some recent Linux and Solaris distributions.
# .IP \fB-DNO_PCRE\fR
# Do not build with PCRE support.
# By default, PCRE support is compiled in when the \fBpcre-config\fR
# utility is installed.
# .IP \fB-DNO_POSIX_GETPW_R\fR
# Disable support for POSIX getpwnam_r/getpwuid_r.
# .IP \fB-DNO_SIGSETJMP\fR
# Use setjmp()/longjmp() instead of sigsetjmp()/siglongjmp().
# By default, Postfix uses sigsetjmp()/siglongjmp() when they
@ -190,9 +197,9 @@ case "$SYSTEM.$RELEASE" in
SYSLIBS="-lresolv -lsocket -lnsl"
# Stock awk breaks with >10 files.
test -x /usr/xpg4/bin/awk && AWK=/usr/xpg4/bin/awk
# Solaris 2.5 added usleep() and POSIX regular expressions
# Solaris 2.5 added usleep(), POSIX regexp, POSIX getpwnam/uid_r
case $RELEASE in
5.[0-4]) CCARGS="$CCARGS -DMISSING_USLEEP -DNO_POSIX_REGEXP";;
5.[0-4]) CCARGS="$CCARGS -DMISSING_USLEEP -DNO_POSIX_REGEXP -DNO_POSIX_GETPW_R";;
esac
# Solaris 8 added IPv6 and /dev/poll
case $RELEASE in
@ -460,6 +467,10 @@ ReliantUNIX-?.5.43) SYSTYPE=ReliantUnix543
[1-6].*) CCARGS="$CCARGS -DNO_IPV6";;
*) CCARGS="$CCARGS -DBIND_8_COMPAT -DNO_NETINFO";;
esac
# Darwin 9.0 (MacOS X 10.5) adds POSIX getpwnam_r/getpwuid_r
case $RELEASE in
[1-8].*) CCARGS="$CCARGS -DNO_POSIX_GETPW_R";;
esac
# Darwin 10.3.0 no longer has <nameser8_compat.h>.
case $RELEASE in
?.*) CCARGS="$CCARGS -DRESOLVE_H_NEEDS_NAMESER8_COMPAT_H";;

846
external/ibm-public/postfix/dist/man/man5/postconf.5 vendored
View File

File diff suppressed because it is too large Load Diff

14
external/ibm-public/postfix/dist/pflogsumm-conn-delays-dsn-patch vendored
View File

@ -1,14 +0,0 @@
This patch adds support for logfiles with conn_use, delays, and dsn
attributes.
--- pflogsumm.pl.orig 2005-04-09 12:54:44.000000000 +0200
+++ pflogsumm.pl 2005-11-07 21:50:05.483199193 +0100
@@ -696,7 +696,7 @@
}
}
elsif((($addr, $relay, $delay, $status, $toRmdr) = $logRmdr =~
- /to=<([^>]*)>, (?:orig_to=<[^>]*>, )?relay=([^,]+), delay=([^,]+), status=(\S+)(.*)$/o) >= 4)
+ /to=<([^>]*)>, (?:orig_to=<[^>]*>, )?relay=([^,]+), (?:conn_use=[^,]+, )?delay=([^,]+), (?:delays=[^,]+, )?(?:dsn=[^,]+, )?status=(\S+)(.*)$/o) >= 4)
{
if($opts{'m'} && $addr =~ /^(.*!)*([^!]+)!([^!@]+)@([^\.]+)$/o) {

4
external/ibm-public/postfix/dist/postfix-install vendored
View File

@ -363,7 +363,7 @@ HTML files. Specify \"no\" if you do not want to install these files."
: ${install_root=/}
: ${tempdir=`pwd`}
: ${config_directory=`bin/postconf -h -d config_directory`}
: ${config_directory=`bin/postconf -c conf -h -d config_directory`}
# Find out the location of installed configuration files.
@ -446,7 +446,7 @@ do
case "$junk" in
"") eval unset $name;;
esac
eval : \${$name=\`bin/postconf -d -h $name\`} || exit 1
eval : \${$name=\`bin/postconf -c conf -d -h $name\`} || exit 1
done
# Override settings manually.

18
external/ibm-public/postfix/dist/proto/ADDRESS_VERIFICATION_README.html vendored
View File

@ -245,6 +245,14 @@ server does not reject mail for this address. </p>
mis-configured sites that reject MAIL FROM: &lt;&gt;, while
probes from "double-bounce@$myorigin" would succeed. </p>
<li> <p> The downside of using a non-empty sender address is that
the address may end op on spammer mailing lists. Although Postfix
always discards mail to the double-bounce address, this still results
in wasted network bandwidth and server capacity. To defeat
address harvesting, Postfix 2.9 and later support time-dependent
sender addresses when you specify a non-zero address_verify_sender_ttl
value. </p>
</ul>
<h2><a name="recipient">Recipient address verification</a></h2>
@ -448,6 +456,16 @@ results are lost after "postfix reload" or "postfix stop". </p>
# Note: avoid hash files here. Use btree instead.
address_verify_map = btree:$data_directory/verify_cache
# Shared persistent cache (requires Postfix 2.9 or later).
address_verify_map = proxy:btree:$data_directory/verify_cache
# Disable automatic cache cleanup in all Postfix instances except
# for one instance that will be responsible for cache cleanup.
# address_verify_cache_cleanup_interval = 0
# Shared memory cache (requires Postfix 2.9 or later).
# See memcache_table(5) for details.
address_verify_map = memcache:/etc/postfix/verify-memcache.cf
# Default setting for Postfix 2.6 and earlier.
# This uses non-persistent storage only.
address_verify_map =

90
external/ibm-public/postfix/dist/proto/INSTALL.html vendored
View File

@ -342,7 +342,93 @@ default</th> </tr>
<p> Note: the data_directory parameter (for caches and pseudo-random
numbers) was introduced with Postfix version 2.5. </p>
<h3>4.5 - Support for thousands of processes</h3>
<h3>4.5 - Overriding other compile-time features</h3>
<p> The general method to override Postfix compile-time features
is as follows: </p>
<blockquote>
<pre>
% make makefiles name=value name=value...
% make
</pre>
</blockquote>
<p> The following is an extensive list of names and values. </p>
<table border="1">
<tr> <th colspan="2"> Name/Value </th> <th> Description </th> </tr>
<tr> <td colspan="2"> AUXLIBS="object_library..."</td> <td> Specifies
one or more non-default object libraries. </td> </tr>
<tr> <td colspan="2"> CC=compiler_command</td> <td> Specifies a
non-default compiler. On many systems, the default is <tt>gcc</tt>.
</td> </tr>
<tr> <td colspan="2"> CCARGS="compiler_arguments..."</td> <td>
Specifies non-default compiler arguments, for example, a non-default
<tt>include</tt> directory. The following directives turn
off Postfix features at compile time:</td> </tr>
<tr> <td> </td> <td> -DNO_DB </td> <td> Do not build with Berkeley
DB support. By default, Berkeley DB support is compiled in on
platforms that are known to support this feature. </td> </tr>
<tr> <td> </td> <td> -DNO_DEVPOLL </td> <td> Do not build with
Solaris <tt>/dev/poll</tt> support. By default, <tt>/dev/poll</tt>
support is compiled in on Solaris versions that are known to support
this feature. </td> </tr>
<tr> <td> </td> <td> -DNO_EPOLL </td> <td> Do not build with Linux
EPOLL support. By default, EPOLL support is compiled in on platforms
that are known to support this feature. </td> </tr>
<tr> <td> </td> <td> -DNO_IPV6 </td> <td> Do not build with IPv6
support. By default, IPv6 support is compiled in on platforms that
are known to have IPv6 support. Note: this directive is for debugging
and testing only. It is not guaranteed to work on all platforms.
</td> </tr>
<tr> <td> </td> <td> -DNO_KQUEUE </td> <td> Do not build with FreeBSD
/ NetBSD / OpenBSD / MacOSX KQUEUE support. By default, KQUEUE
support is compiled in on platforms that are known to support it.
</td> </tr>
<tr> <td> </td> <td> -DNO_NIS </td> <td> Do not build with NIS or
NISPLUS support. NIS is not available on some recent Linux or Solaris
distributions. </td> </tr>
<tr> <td> </td> <td> -DNO_PCRE </td> <td> Do not build with PCRE
support. By default, PCRE support is compiled in when the
<tt>pcre-config</tt> utility is installed. </td> </tr>
<tr> <td> </td> <td> -DNO_POSIX_GETPW_R </td> <td> Disable support
for POSIX <tt>getpwnam_r/getpwuid_r</tt>. By default Postfix uses
these where they are known to be available. </td> </tr>
<tr> <td> </td> <td> -DNO_SIGSETJMP </td> <td> Use
<tt>setjmp()/longjmp()</tt> instead of <tt>sigsetjmp()/siglongjmp()</tt>.
By default, Postfix uses <tt>sigsetjmp()/siglongjmp()</tt> when
they are known to be available. </td> </tr>
<tr> <td colspan="2"> DEBUG=debug_level </td> <td> Specifies a
non-default compiler debugging level. The default is <tt>-g</tt>.
Specify DEBUG= to turn off debugging. </td> </tr>
<tr> <td colspan="2"> OPT=optimization_level </td> <td> Specifies
a non-default optimization level. The default is -O. Specify OPT=
to turn off optimization. </td> </tr>
<tr> <td colspan="2"> WARN="warning_flags..." </td> <td> Specifies
non-default <tt>gcc</tt> compiler warning options for use when
"<tt>make</tt>" is invoked in a source subdirectory only. </td>
</tr>
</table>
<h3>4.6 - Support for thousands of processes</h3>
<p> The number of connections that Postfix can manage simultaneously
is limited by the number of processes that it can run. This number
@ -390,7 +476,7 @@ operating system is configured to handle thousands of connections.
See the TUNING_README guide for examples of how to increase the
number of open sockets or files. </p>
<h3>4.6 - Compiling Postfix, at last</h3>
<h3>4.7 - Compiling Postfix, at last</h3>
<p> If the command </p>

1606
external/ibm-public/postfix/dist/proto/TLS_README.html vendored
View File

File diff suppressed because it is too large Load Diff

887
external/ibm-public/postfix/dist/proto/postconf.proto vendored
View File

File diff suppressed because it is too large Load Diff

19
external/ibm-public/postfix/dist/src/cleanup/cleanup.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: cleanup.c,v 1.3 2010/06/17 18:18:15 tron Exp $ */
/* $NetBSD: cleanup.c,v 1.4 2013/01/02 19:18:33 tron Exp $ */
/*++
/* NAME
@ -70,7 +70,7 @@
/* COMPATIBILITY CONTROLS
/* .ad
/* .fi
/* .IP "\fBundisclosed_recipients_header (To: undisclosed-recipients:;)\fR"
/* .IP "\fBundisclosed_recipients_header (see 'postconf -d' output)\fR"
/* Message header that the Postfix \fBcleanup\fR(8) server inserts when a
/* message contains no To: or Cc: message header.
/* .PP
@ -86,6 +86,10 @@
/* .IP "\fBalways_add_missing_headers (no)\fR"
/* Always add (Resent-) From:, To:, Date: or Message-ID: headers
/* when not present.
/* .PP
/* Available in Postfix version 2.9 and later:
/* .IP "\fBenable_long_queue_ids (no)\fR"
/* Enable long, non-repeating, queue IDs (queue file names).
/* BUILT-IN CONTENT FILTERING CONTROLS
/* .ad
/* .fi
@ -488,8 +492,15 @@ static void cleanup_service(VSTREAM *src, char *unused_service, char **argv)
*/
if (CLEANUP_OUT_OK(state) == 0 && type > 0) {
while (type != REC_TYPE_END
&& (type = rec_get(src, buf, 0)) > 0)
/* void */ ;
&& (type = rec_get(src, buf, 0)) > 0) {
if (type == REC_TYPE_MILT_COUNT) {
int milter_count = atoi(vstring_str(buf));
/* Avoid deadlock. */
if (milter_count >= 0)
cleanup_milter_receive(state, milter_count);
}
}
}
/*

8
external/ibm-public/postfix/dist/src/cleanup/cleanup.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: cleanup.h,v 1.4 2011/03/02 19:56:38 tron Exp $ */
/* $NetBSD: cleanup.h,v 1.5 2013/01/02 19:18:33 tron Exp $ */
/*++
/* NAME
@ -273,9 +273,9 @@ ARGV *cleanup_map1n_internal(CLEANUP_STATE *, const char *, MAPS *, int);
/*
* cleanup_masquerade.c
*/
extern int cleanup_masquerade_external(VSTRING *, ARGV *);
extern int cleanup_masquerade_internal(VSTRING *, ARGV *);
extern int cleanup_masquerade_tree(TOK822 *, ARGV *);
extern int cleanup_masquerade_external(CLEANUP_STATE *, VSTRING *, ARGV *);
extern int cleanup_masquerade_internal(CLEANUP_STATE *, VSTRING *, ARGV *);
extern int cleanup_masquerade_tree(CLEANUP_STATE *, TOK822 *, ARGV *);
/*
* cleanup_recipient.c

4
external/ibm-public/postfix/dist/src/cleanup/cleanup_init.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: cleanup_init.c,v 1.3 2010/06/17 18:18:15 tron Exp $ */
/* $NetBSD: cleanup_init.c,v 1.4 2013/01/02 19:18:34 tron Exp $ */
/*++
/* NAME
@ -380,7 +380,7 @@ void cleanup_pre_jail(char *unused_name, char **unused_argv)
maps_create(VAR_BODY_CHECKS, var_body_checks, DICT_FLAG_LOCK);
if (*var_masq_exceptions)
cleanup_masq_exceptions =
string_list_init(MATCH_FLAG_NONE, var_masq_exceptions);
string_list_init(MATCH_FLAG_RETURN, var_masq_exceptions);
if (*var_masq_classes)
cleanup_masq_flags = name_mask(VAR_MASQ_CLASSES, masq_class_table,
var_masq_classes);

106
external/ibm-public/postfix/dist/src/global/mail_params.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: mail_params.h,v 1.8 2012/06/09 11:32:20 tron Exp $ */
/* $NetBSD: mail_params.h,v 1.9 2013/01/02 19:18:34 tron Exp $ */
#ifndef _MAIL_PARAMS_H_INCLUDED_
#define _MAIL_PARAMS_H_INCLUDED_
@ -579,7 +579,7 @@ extern char *var_mailbox_lock;
*/
#define VAR_MAILBOX_LIMIT "mailbox_size_limit"
#define DEF_MAILBOX_LIMIT (DEF_MESSAGE_LIMIT * 5)
extern int var_mailbox_limit;
extern long var_mailbox_limit;
/*
* Miscellaneous.
@ -912,6 +912,14 @@ extern char *var_hash_queue_names;
#define DEF_HASH_QUEUE_DEPTH 1
extern int var_hash_queue_depth;
/*
* Short queue IDs contain the time in microseconds and file inode number.
* Long queue IDs also contain the time in seconds.
*/
#define VAR_LONG_QUEUE_IDS "enable_long_queue_ids"
#define DEF_LONG_QUEUE_IDS 0
extern bool var_long_queue_ids;
/*
* Multi-protocol support.
*/
@ -1074,9 +1082,9 @@ extern char *var_smtp_helo_name;
extern bool var_smtp_rand_addr;
#define VAR_SMTP_LINE_LIMIT "smtp_line_length_limit"
#define DEF_SMTP_LINE_LIMIT 990
#define DEF_SMTP_LINE_LIMIT 998
#define VAR_LMTP_LINE_LIMIT "lmtp_line_length_limit"
#define DEF_LMTP_LINE_LIMIT 990
#define DEF_LMTP_LINE_LIMIT 998
extern int var_smtp_line_limit;
#define VAR_SMTP_PIX_THRESH "smtp_pix_workaround_threshold_time"
@ -1287,8 +1295,8 @@ extern char *var_smtpd_tls_dh1024_param_file;
extern char *var_smtpd_tls_eecdh;
#define VAR_SMTPD_TLS_LOGLEVEL "smtpd_tls_loglevel"
#define DEF_SMTPD_TLS_LOGLEVEL 0
extern int var_smtpd_tls_loglevel;
#define DEF_SMTPD_TLS_LOGLEVEL "0"
extern char *var_smtpd_tls_loglevel;
#define VAR_SMTPD_TLS_RECHEAD "smtpd_tls_received_header"
#define DEF_SMTPD_TLS_RECHEAD 0
@ -1425,11 +1433,11 @@ extern char *var_smtp_tls_mand_excl;
extern char *var_smtp_tls_fpt_dgst;
#define VAR_SMTP_TLS_LOGLEVEL "smtp_tls_loglevel"
#define DEF_SMTP_TLS_LOGLEVEL 0
#define DEF_SMTP_TLS_LOGLEVEL "0"
#define VAR_LMTP_TLS_LOGLEVEL "lmtp_tls_loglevel"
#define DEF_LMTP_TLS_LOGLEVEL 0
extern int var_smtp_tls_loglevel; /* In smtp(8) and tlsmgr(8) */
extern int var_lmtp_tls_loglevel; /* In tlsmgr(8) */
#define DEF_LMTP_TLS_LOGLEVEL "0"
extern char *var_smtp_tls_loglevel; /* In smtp(8) and tlsmgr(8) */
extern char *var_lmtp_tls_loglevel; /* In tlsmgr(8) */
#define VAR_SMTP_TLS_NOTEOFFER "smtp_tls_note_starttls_offer"
#define DEF_SMTP_TLS_NOTEOFFER 0
@ -1597,6 +1605,10 @@ extern char *var_smtp_sasl_tls_opts;
#define DEF_LMTP_SASL_TLSV_OPTS "$" VAR_LMTP_SASL_TLS_OPTS
extern char *var_smtp_sasl_tlsv_opts;
#define VAR_SMTP_DUMMY_MAIL_AUTH "smtp_send_dummy_mail_auth"
#define DEF_SMTP_DUMMY_MAIL_AUTH 0
extern bool var_smtp_dummy_mail_auth;
/*
* LMTP server. The soft error limit determines how many errors an LMTP
* client may make before we start to slow down; the hard error limit
@ -1664,6 +1676,10 @@ extern char *var_lmtp_sasl_opts;
#define DEF_LMTP_SASL_PATH ""
extern char *var_lmtp_sasl_path;
#define VAR_LMTP_DUMMY_MAIL_AUTH "lmtp_send_dummy_mail_auth"
#define DEF_LMTP_DUMMY_MAIL_AUTH 0
extern bool var_lmtp_dummy_mail_auth;
/*
* SASL-based relay etc. control.
*/
@ -1789,7 +1805,7 @@ extern int var_virt_expan_limit;
*/
#define VAR_MESSAGE_LIMIT "message_size_limit"
#define DEF_MESSAGE_LIMIT 10240000
extern int var_message_limit;
extern long var_message_limit;
#define VAR_QUEUE_MINFREE "queue_minfree"
#define DEF_QUEUE_MINFREE 0
@ -2221,14 +2237,25 @@ extern int var_local_rcpt_code;
" $" VAR_SEND_BCC_MAPS \
" $" VAR_RCPT_BCC_MAPS \
" $" VAR_SMTP_GENERIC_MAPS \
" $" VAR_LMTP_GENERIC_MAPS
" $" VAR_LMTP_GENERIC_MAPS \
" $" VAR_ALIAS_MAPS
extern char *var_proxy_read_maps;
#define VAR_PROXY_WRITE_MAPS "proxy_write_maps"
#define DEF_PROXY_WRITE_MAPS "$" VAR_SMTP_SASL_AUTH_CACHE_NAME \
" $" VAR_LMTP_SASL_AUTH_CACHE_NAME
" $" VAR_LMTP_SASL_AUTH_CACHE_NAME \
" $" VAR_VERIFY_MAP \
" $" VAR_PSC_CACHE_MAP
extern char *var_proxy_write_maps;
#define VAR_PROXY_READ_ACL "proxy_read_access_list"
#define DEF_PROXY_READ_ACL "reject"
extern char *var_proxy_read_acl;
#define VAR_PROXY_WRITE_ACL "proxy_write_access_list"
#define DEF_PROXY_WRITE_ACL "reject"
extern char *var_proxy_write_acl;
/*
* Other.
*/
@ -2345,7 +2372,7 @@ extern char *var_virt_mailbox_base;
#define VAR_VIRT_MAILBOX_LIMIT "virtual_mailbox_limit"
#define DEF_VIRT_MAILBOX_LIMIT (5 * DEF_MESSAGE_LIMIT)
extern int var_virt_mailbox_limit;
extern long var_virt_mailbox_limit;
#define VAR_VIRT_MAILBOX_LOCK "virtual_mailbox_lock"
#define DEF_VIRT_MAILBOX_LOCK "fcntl, dotlock"
@ -2611,6 +2638,10 @@ extern int var_verify_scan_cache;
#define DEF_VERIFY_SENDER "$" VAR_DOUBLE_BOUNCE
extern char *var_verify_sender;
#define VAR_VERIFY_SENDER_TTL "address_verify_sender_ttl"
#define DEF_VERIFY_SENDER_TTL "0s"
extern int var_verify_sender_ttl;
#define VAR_VERIFY_POLL_COUNT "address_verify_poll_count"
#define DEF_VERIFY_POLL_COUNT "${stress?1}${stress:3}"
extern int var_verify_poll_count;
@ -3142,7 +3173,7 @@ extern char *var_smtp_body_chks;
#define VAR_SMTP_ADDR_PREF "smtp_address_preference"
#ifdef HAS_IPV6
#define DEF_SMTP_ADDR_PREF INET_PROTO_NAME_IPV6
#define DEF_SMTP_ADDR_PREF INET_PROTO_NAME_ANY
#else
#define DEF_SMTP_ADDR_PREF INET_PROTO_NAME_IPV4
#endif
@ -3420,16 +3451,14 @@ extern char *var_psc_exp_filter;
#define DEF_PSC_CMD_FILTER ""
extern char *var_psc_cmd_filter;
#define PSC_ACL_NAME_WL_MYNETWORKS "permit_mynetworks"
#define PSC_ACL_NAME_WHITELIST "permit"
#define PSC_ACL_NAME_BLACKLIST "reject"
#define PSC_ACL_NAME_DUNNO "dunno"
#define PSC_ACL_NAME_ERROR "error"
#define VAR_PSC_ACL "postscreen_access_list"
#define DEF_PSC_ACL PSC_ACL_NAME_WL_MYNETWORKS
#define DEF_PSC_ACL SERVER_ACL_NAME_WL_MYNETWORKS
extern char *var_psc_acl;
#define VAR_PSC_WLIST_IF "postscreen_whitelist_interfaces"
#define DEF_PSC_WLIST_IF "static:all"
extern char *var_psc_wlist_if;
#define VAR_DNSBLOG_SERVICE "dnsblog_service_name"
#define DEF_DNSBLOG_SERVICE MAIL_SERVICE_DNSBLOG
extern char *var_dnsblog_service;
@ -3547,7 +3576,7 @@ extern char *var_tlsp_tls_eecdh;
#define VAR_TLSP_TLS_LOGLEVEL "tlsproxy_tls_loglevel"
#define DEF_TLSP_TLS_LOGLEVEL "$" VAR_SMTPD_TLS_LOGLEVEL
extern int var_tlsp_tls_loglevel;
extern char *var_tlsp_tls_loglevel;
#define VAR_TLSP_TLS_RECHEAD "tlsproxy_tls_received_header"
#define DEF_TLSP_TLS_RECHEAD "$" VAR_SMTPD_TLS_RECHEAD
@ -3572,6 +3601,37 @@ extern bool var_tlsp_tls_set_sessid;
#define DEF_SMTPD_REJ_FOOTER ""
extern char *var_smtpd_rej_footer;
/*
* Per-record time limit support.
*/
#define VAR_SMTPD_REC_DEADLINE "smtpd_per_record_deadline"
#define DEF_SMTPD_REC_DEADLINE "${stress?yes}${stress:no}"
extern bool var_smtpd_rec_deadline;
#define VAR_SMTP_REC_DEADLINE "smtp_per_record_deadline"
#define DEF_SMTP_REC_DEADLINE 0
#define VAR_LMTP_REC_DEADLINE "lmtp_per_record_deadline"
#define DEF_LMTP_REC_DEADLINE 0
extern bool var_smtp_rec_deadline;
/*
* Postfix sendmail command compatibility features.
*/
#define SM_FIX_EOL_STRICT "strict"
#define SM_FIX_EOL_NEVER "never"
#define SM_FIX_EOL_ALWAYS "always"
#define VAR_SM_FIX_EOL "sendmail_fix_line_endings"
#define DEF_SM_FIX_EOL SM_FIX_EOL_ALWAYS
extern char *var_sm_fix_eol;
/*
* Gradual degradation, or fatal exit after table open error?
*/
#define VAR_DAEMON_OPEN_FATAL "daemon_table_open_error_is_fatal"
#define DEF_DAEMON_OPEN_FATAL 0
extern bool var_daemon_open_fatal;
/* LICENSE
/* .ad
/* .fi

7
external/ibm-public/postfix/dist/src/local/unknown.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: unknown.c,v 1.3 2012/06/09 11:32:20 tron Exp $ */
/* $NetBSD: unknown.c,v 1.4 2013/01/02 19:18:34 tron Exp $ */
/*++
/* NAME
@ -113,14 +113,13 @@ int deliver_unknown(LOCAL_STATE state, USER_ATTR usr_attr)
transp_maps = maps_create(VAR_FBCK_TRANSP_MAPS, var_fbck_transp_maps,
DICT_FLAG_LOCK | DICT_FLAG_NO_REGSUB);
/* The -1 is a hint for the down-stream deliver_completed() function. */
dict_errno = 0;
if (*var_fbck_transp_maps
if (transp_maps
&& (map_transport = maps_find(transp_maps, state.msg_attr.user,
DICT_FLAG_NONE)) != 0) {
state.msg_attr.rcpt.offset = -1L;
return (deliver_pass(MAIL_CLASS_PRIVATE, map_transport,
state.request, &state.msg_attr.rcpt));
} else if (dict_errno != 0) {
} else if (transp_maps && transp_maps->error != 0) {
/* Details in the logfile. */
dsb_simple(state.msg_attr.why, "4.3.0", "table lookup failure");
return (defer_append(BOUNCE_FLAGS(state.request),

33
external/ibm-public/postfix/dist/src/postconf/auto.awk vendored
View File

@ -1,33 +0,0 @@
BEGIN {
split("local lmtp relay smtp virtual", transports)
vars["destination_concurrency_failed_cohort_limit"] = "default_destination_concurrency_failed_cohort_limit"
vars["destination_concurrency_limit"] = "default_destination_concurrency_limit"
vars["destination_concurrency_negative_feedback"] = "default_destination_concurrency_negative_feedback"
vars["destination_concurrency_positive_feedback"] = "default_destination_concurrency_positive_feedback"
vars["destination_recipient_limit"] = "default_destination_recipient_limit"
vars["initial_destination_concurrency"] = "initial_destination_concurrency"
vars["destination_rate_delay"] = "default_destination_rate_delay"
# auto_table.h
for (var in vars) {
for (transport in transports) {
if (transports[transport] != "local" || (var != "destination_recipient_limit" && var != "destination_concurrency_limit"))
print "\"" transports[transport] "_" var "\", \"$" vars[var] "\", &var_" transports[transport] "_" var ", 0, 0," > "auto_table.h"
}
print "" > "auto_table.h"
}
# auto_vars.h
for (var in vars) {
for (transport in transports) {
if (transports[transport] != "local" || (var != "destination_recipient_limit" && var != "destination_concurrency_limit"))
print "char *var_" transports[transport] "_" var ";" > "auto_vars.h"
}
print "" > "auto_vars.h"
}
exit(0)
}

256
external/ibm-public/postfix/dist/src/postscreen/postscreen_access.c vendored
View File

@ -1,256 +0,0 @@
/* $NetBSD: postscreen_access.c,v 1.1.1.2 2012/12/18 09:02:14 tron Exp $ */
/*++
/* NAME
/* postscreen_access 3
/* SUMMARY
/* postscreen access list support
/* SYNOPSIS
/* #include <postscreen.h>
/*
/* void psc_acl_pre_jail_init()
/*
/* ARGV *psc_acl_parse(raw_acl, origin)
/* const char *raw_acl;
/* const char *origin;
/*
/* int psc_acl_eval(state, cooked_acl, origin)
/* PSC_STATE *state;
/* ARGV *cooked_acl;
/* const char *origin;
/* DESCRIPTION
/* This module implements the permanent black/whitelist that
/* is evaluated immediately after a client connects to postscreen.
/*
/* psc_acl_pre_jail_init() does before-chroot initialization.
/*
/* psc_acl_parse() converts an access list from raw string
/* form to binary form.
/*
/* psc_acl_eval() evaluates an access list for the specified
/* SMTP session.
/*
/* Arguments:
/* .IP raw_acl
/* String with space/comma separated commands.
/* .IP cooked_acl
/* The parsed access list.
/* .IP origin
/* This should be "postscreen_access_list" for an access list
/* from main.cf, and the type:name of a lookup table otherwise.
/* The information is used for error reporting (nested table,
/* unknown keyword).
/* .IP state
/* Connection state.
/* LICENSE
/* .ad
/* .fi
/* The Secure Mailer license must be distributed with this software.
/* AUTHOR(S)
/* Wietse Venema
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
/*--*/
/* System library. */
#include <sys_defs.h>
#include <string.h>
#ifdef STRCASECMP_IN_STRINGS_H
#include <strings.h>
#endif
/* Utility library. */
#include <msg.h>
#include <mymalloc.h>
#include <stringops.h>
/* Global library. */
#include <mail_params.h>
#include <addr_match_list.h>
#include <match_parent_style.h>
/* Application-specific. */
#include <postscreen.h>
#define PSC_ACL_SEPARATORS ", \t\r"
static ADDR_MATCH_LIST *psc_mynetworks;
/* psc_acl_pre_jail_init - initialize */
void psc_acl_pre_jail_init(void)
{
if (psc_mynetworks)
addr_match_list_free(psc_mynetworks);
psc_mynetworks = addr_match_list_init(match_parent_style(VAR_MYNETWORKS),
var_mynetworks);
}
/* psc_acl_parse - parse access list */
ARGV *psc_acl_parse(const char *acl, const char *origin)
{
char *saved_checks = mystrdup(acl);
ARGV *argv = argv_alloc(1);
char *bp = saved_checks;
char *name;
#define STREQ(x,y) (strcasecmp((x), (y)) == 0)
#define STRNE(x,y) (strcasecmp((x), (y)) != 0)
/*
* Nested tables are not allowed. Tables are opened before entering the
* chroot jail, while access lists are evaluated after entering the
* chroot jail.
*/
while ((name = mystrtok(&bp, PSC_ACL_SEPARATORS)) != 0) {
if (strchr(name, ':') != 0) {
if (STRNE(origin, VAR_PSC_ACL)) {
msg_warn("table %s: lookup result \"%s\" is not allowed"
" -- ignoring remainder of access list",
origin, name);
argv_add(argv, PSC_ACL_NAME_DUNNO, (char *) 0);
break;
} else {
if (dict_handle(name) == 0)
dict_register(name, dict_open(name, O_RDONLY, DICT_FLAG_LOCK
| DICT_FLAG_FOLD_FIX));
}
}
argv_add(argv, name, (char *) 0);
}
argv_terminate(argv);
/*
* Cleanup.
*/
myfree(saved_checks);
return (argv);
}
/* psc_acl_eval - evaluate access list */
int psc_acl_eval(PSC_STATE *state, ARGV *acl, const char *origin)
{
const char *myname = "psc_acl_eval";
char **cpp;
DICT *dict;
ARGV *argv;
const char *name;
const char *dict_val;
int ret;
for (cpp = acl->argv; (name = *cpp) != 0; cpp++) {
if (msg_verbose)
msg_info("source=%s address=%s acl=%s",
origin, state->smtp_client_addr, name);
if (STREQ(name, PSC_ACL_NAME_BLACKLIST)) {
return (PSC_ACL_ACT_BLACKLIST);
} else if (STREQ(name, PSC_ACL_NAME_WHITELIST)) {
return (PSC_ACL_ACT_WHITELIST);
} else if (STREQ(name, PSC_ACL_NAME_WL_MYNETWORKS)) {
if (addr_match_list_match(psc_mynetworks, state->smtp_client_addr))
return (PSC_ACL_ACT_WHITELIST);
} else if (strchr(name, ':') != 0) {
if ((dict = dict_handle(name)) == 0)
msg_panic("%s: unexpected dictionary: %s", myname, name);
if ((dict_val = dict_get(dict, state->smtp_client_addr)) != 0) {
argv = psc_acl_parse(dict_val, name);
ret = psc_acl_eval(state, argv, name);
argv_free(argv);
if (ret != PSC_ACL_ACT_DUNNO)
return (ret);
} else if (dict_errno != 0) {
msg_warn("%s: table lookup error -- ignoring the remainder "
"of this access list", name);
return (PSC_ACL_ACT_ERROR);
}
} else if (STREQ(name, PSC_ACL_NAME_DUNNO)) {
return (PSC_ACL_ACT_DUNNO);
} else {
msg_warn("%s: unknown command: %s -- ignoring the remainder "
"of this access list", origin, name);
return (PSC_ACL_ACT_ERROR);
}
}
if (msg_verbose)
msg_info("source=%s address=%s - no match",
origin, state->smtp_client_addr);
return (PSC_ACL_ACT_DUNNO);
}
/*
* Access lists need testing. Not only with good inputs; error cases must
* also be handled appropriately.
*/
#ifdef TEST
#include <unistd.h>
#include <stdlib.h>
#include <vstring_vstream.h>
#include <name_code.h>
#include <split_at.h>
char *var_par_dom_match = DEF_PAR_DOM_MATCH;
char *var_mynetworks = "";
char *var_psc_acl = "";
#define UPDATE_VAR(s,v) do { if (*(s)) myfree(s); (s) = mystrdup(v); } while (0)
int main(void)
{
VSTRING *buf = vstring_alloc(100);
PSC_STATE state;
ARGV *argv;
int ret;
int have_tty = isatty(0);
char *bufp;
char *cmd;
char *value;
const NAME_CODE acl_map[] = {
PSC_ACL_NAME_ERROR, PSC_ACL_ACT_ERROR,
PSC_ACL_NAME_WHITELIST, PSC_ACL_ACT_WHITELIST,
PSC_ACL_NAME_BLACKLIST, PSC_ACL_ACT_BLACKLIST,
PSC_ACL_NAME_DUNNO, PSC_ACL_ACT_DUNNO,
0,
};
while (vstring_get_nonl(buf, VSTREAM_IN) != VSTREAM_EOF) {
bufp = STR(buf);
if (have_tty == 0) {
vstream_printf("> %s\n", bufp);
vstream_fflush(VSTREAM_OUT);
}
if (*bufp == '#')
continue;
if ((cmd = mystrtok(&bufp, " =")) == 0 || STREQ(cmd, "?")) {
vstream_printf("usage: %s=value|%s=value|address=value\n",
VAR_MYNETWORKS, VAR_PSC_ACL);
} else if ((value = mystrtok(&bufp, " =")) == 0) {
vstream_printf("missing value\n");
} else if (STREQ(cmd, VAR_MYNETWORKS)) {
UPDATE_VAR(var_mynetworks, value);
} else if (STREQ(cmd, VAR_PSC_ACL)) {
UPDATE_VAR(var_psc_acl, value);
} else if (STREQ(cmd, "address")) {
psc_acl_pre_jail_init();
argv = psc_acl_parse(var_psc_acl, VAR_PSC_ACL);
state.smtp_client_addr = value;
ret = psc_acl_eval(&state, argv, VAR_PSC_ACL);
argv_free(argv);
vstream_printf("%s: %s\n", value, str_name_code(acl_map, ret));
} else {
vstream_printf("unknown command: \"%s\"\n", cmd);
}
vstream_fflush(VSTREAM_OUT);
}
vstring_free(buf);
exit(0);
}
#endif

119
external/ibm-public/postfix/dist/src/smtp/smtp.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: smtp.c,v 1.5 2012/06/09 11:32:20 tron Exp $ */
/* $NetBSD: smtp.c,v 1.6 2013/01/02 19:18:35 tron Exp $ */
/*++
/* NAME
@ -144,7 +144,7 @@
/* Never send EHLO at the start of an SMTP session.
/* .IP "\fBsmtp_defer_if_no_mx_address_found (no)\fR"
/* Defer mail delivery when no MX record resolves to an IP address.
/* .IP "\fBsmtp_line_length_limit (990)\fR"
/* .IP "\fBsmtp_line_length_limit (998)\fR"
/* The maximal length of message header and body lines that Postfix
/* will send via SMTP.
/* .IP "\fBsmtp_pix_workaround_delay_time (10s)\fR"
@ -163,13 +163,15 @@
/* Lookup tables, indexed by the remote SMTP server address, with
/* per-destination workarounds for CISCO PIX firewall bugs.
/* .IP "\fBsmtp_quote_rfc821_envelope (yes)\fR"
/* Quote addresses in SMTP MAIL FROM and RCPT TO commands as required
/* Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands
/* as required
/* by RFC 2821.
/* .IP "\fBsmtp_reply_filter (empty)\fR"
/* A mechanism to transform replies from remote SMTP servers one
/* line at a time.
/* .IP "\fBsmtp_skip_5xx_greeting (yes)\fR"
/* Skip SMTP servers that greet with a 5XX status code (go away, do
/* Skip remote SMTP servers that greet with a 5XX status code (go away,
/* do
/* not try again later).
/* .IP "\fBsmtp_skip_quit_response (yes)\fR"
/* Do not wait for the response to the SMTP QUIT command.
@ -191,7 +193,7 @@
/* response from a remote SMTP server.
/* .IP "\fBsmtp_generic_maps (empty)\fR"
/* Optional lookup tables that perform address rewriting in the
/* SMTP client, typically to transform a locally valid address into
/* Postfix SMTP client, typically to transform a locally valid address into
/* a globally valid address when sending mail across the Internet.
/* .PP
/* Available in Postfix version 2.2.9 and later:
@ -204,11 +206,13 @@
/* .IP "\fBlmtp_discard_lhlo_keyword_address_maps (empty)\fR"
/* Lookup tables, indexed by the remote LMTP server address, with
/* case insensitive lists of LHLO keywords (pipelining, starttls,
/* auth, etc.) that the LMTP client will ignore in the LHLO response
/* auth, etc.) that the Postfix LMTP client will ignore in the LHLO
/* response
/* from a remote LMTP server.
/* .IP "\fBlmtp_discard_lhlo_keywords (empty)\fR"
/* A case insensitive list of LHLO keywords (pipelining, starttls,
/* auth, etc.) that the LMTP client will ignore in the LHLO response
/* auth, etc.) that the Postfix LMTP client will ignore in the LHLO
/* response
/* from a remote LMTP server.
/* .PP
/* Available in Postfix version 2.4.4 and later:
@ -236,6 +240,16 @@
/* Available in Postfix version 2.8 and later:
/* .IP "\fBsmtp_dns_resolver_options (empty)\fR"
/* DNS Resolver options for the Postfix SMTP client.
/* .PP
/* Available in Postfix version 2.9 and later:
/* .IP "\fBsmtp_per_record_deadline (no)\fR"
/* Change the behavior of the smtp_*_timeout time limits, from a
/* time limit per read or write system call, to a time limit to send
/* or receive a complete record (an SMTP command line, SMTP response
/* line, SMTP message content line, or TLS protocol message).
/* .IP "\fBsmtp_send_dummy_mail_auth (no)\fR"
/* Whether or not to append the "AUTH=<>" option to the MAIL
/* FROM command in SASL-authenticated SMTP sessions.
/* MIME PROCESSING CONTROLS
/* .ad
/* .fi
@ -259,7 +273,8 @@
/* .IP "\fBsmtp_sasl_auth_enable (no)\fR"
/* Enable SASL authentication in the Postfix SMTP client.
/* .IP "\fBsmtp_sasl_password_maps (empty)\fR"
/* Optional SMTP client lookup tables with one username:password entry
/* Optional Postfix SMTP client lookup tables with one username:password
/* entry
/* per remote hostname or domain, or sender address when sender-dependent
/* authentication is enabled.
/* .IP "\fBsmtp_sasl_security_options (noplaintext, noanonymous)\fR"
@ -300,6 +315,11 @@
/* When a remote SMTP server rejects a SASL authentication request
/* with a 535 reply code, defer mail delivery instead of returning
/* mail as undeliverable.
/* .PP
/* Available in Postfix version 2.9 and later:
/* .IP "\fBsmtp_send_dummy_mail_auth (no)\fR"
/* Whether or not to append the "AUTH=<>" option to the MAIL
/* FROM command in SASL-authenticated SMTP sessions.
/* STARTTLS SUPPORT CONTROLS
/* .ad
/* .fi
@ -334,7 +354,7 @@
/* list at all TLS security levels.
/* .IP "\fBsmtp_tls_mandatory_exclude_ciphers (empty)\fR"
/* Additional list of ciphers or cipher types to exclude from the
/* SMTP client cipher list at mandatory TLS security levels.
/* Postfix SMTP client cipher list at mandatory TLS security levels.
/* .IP "\fBsmtp_tls_dcert_file (empty)\fR"
/* File with the Postfix SMTP client DSA certificate in PEM format.
/* .IP "\fBsmtp_tls_dkey_file ($smtp_tls_dcert_file)\fR"
@ -356,7 +376,8 @@
/* .IP "\fBsmtp_tls_scert_verifydepth (9)\fR"
/* The verification depth for remote SMTP server certificates.
/* .IP "\fBsmtp_tls_secure_cert_match (nexthop, dot-nexthop)\fR"
/* The server certificate peername verification method for the
/* How the Postfix SMTP client verifies the server certificate
/* peername for the
/* "secure" TLS security level.
/* .IP "\fBsmtp_tls_session_cache_database (empty)\fR"
/* Name of the file containing the optional Postfix SMTP client
@ -365,7 +386,8 @@
/* The expiration time of Postfix SMTP client TLS session cache
/* information.
/* .IP "\fBsmtp_tls_verify_cert_match (hostname)\fR"
/* The server certificate peername verification method for the
/* How the Postfix SMTP client verifies the server certificate
/* peername for the
/* "verify" TLS security level.
/* .IP "\fBtls_daemon_random_bytes (32)\fR"
/* The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
@ -391,8 +413,8 @@
/* .PP
/* Available in Postfix version 2.5 and later:
/* .IP "\fBsmtp_tls_fingerprint_cert_match (empty)\fR"
/* List of acceptable remote SMTP server certificate fingerprints
/* for the "fingerprint" TLS security level (\fBsmtp_tls_security_level\fR =
/* List of acceptable remote SMTP server certificate fingerprints for
/* the "fingerprint" TLS security level (\fBsmtp_tls_security_level\fR =
/* fingerprint).
/* .IP "\fBsmtp_tls_fingerprint_digest (md5)\fR"
/* The message digest algorithm used to construct remote SMTP server
@ -451,46 +473,48 @@
/* The maximal number of recipients per message for the smtp
/* message delivery transport.
/* .IP "\fBsmtp_connect_timeout (30s)\fR"
/* The SMTP client time limit for completing a TCP connection, or
/* The Postfix SMTP client time limit for completing a TCP connection, or
/* zero (use the operating system built-in time limit).
/* .IP "\fBsmtp_helo_timeout (300s)\fR"
/* The SMTP client time limit for sending the HELO or EHLO command,
/* and for receiving the initial server response.
/* The Postfix SMTP client time limit for sending the HELO or EHLO command,
/* and for receiving the initial remote SMTP server response.
/* .IP "\fBlmtp_lhlo_timeout (300s)\fR"
/* The LMTP client time limit for sending the LHLO command, and
/* for receiving the initial server response.
/* The Postfix LMTP client time limit for sending the LHLO command,
/* and for receiving the initial remote LMTP server response.
/* .IP "\fBsmtp_xforward_timeout (300s)\fR"
/* The SMTP client time limit for sending the XFORWARD command, and
/* for receiving the server response.
/* The Postfix SMTP client time limit for sending the XFORWARD command,
/* and for receiving the remote SMTP server response.
/* .IP "\fBsmtp_mail_timeout (300s)\fR"
/* The SMTP client time limit for sending the MAIL FROM command, and
/* for receiving the server response.
/* The Postfix SMTP client time limit for sending the MAIL FROM command,
/* and for receiving the remote SMTP server response.
/* .IP "\fBsmtp_rcpt_timeout (300s)\fR"
/* The SMTP client time limit for sending the SMTP RCPT TO command, and
/* for receiving the server response.
/* The Postfix SMTP client time limit for sending the SMTP RCPT TO
/* command, and for receiving the remote SMTP server response.
/* .IP "\fBsmtp_data_init_timeout (120s)\fR"
/* The SMTP client time limit for sending the SMTP DATA command, and for
/* receiving the server response.
/* The Postfix SMTP client time limit for sending the SMTP DATA command,
/* and for receiving the remote SMTP server response.
/* .IP "\fBsmtp_data_xfer_timeout (180s)\fR"
/* The SMTP client time limit for sending the SMTP message content.
/* The Postfix SMTP client time limit for sending the SMTP message content.
/* .IP "\fBsmtp_data_done_timeout (600s)\fR"
/* The SMTP client time limit for sending the SMTP ".", and for receiving
/* the server response.
/* The Postfix SMTP client time limit for sending the SMTP ".", and
/* for receiving the remote SMTP server response.
/* .IP "\fBsmtp_quit_timeout (300s)\fR"
/* The SMTP client time limit for sending the QUIT command, and for
/* receiving the server response.
/* The Postfix SMTP client time limit for sending the QUIT command,
/* and for receiving the remote SMTP server response.
/* .PP
/* Available in Postfix version 2.1 and later:
/* .IP "\fBsmtp_mx_address_limit (5)\fR"
/* The maximal number of MX (mail exchanger) IP addresses that can
/* result from mail exchanger lookups, or zero (no limit).
/* result from Postfix SMTP client mail exchanger lookups, or zero (no
/* limit).
/* .IP "\fBsmtp_mx_session_limit (2)\fR"
/* The maximal number of SMTP sessions per delivery request before
/* giving up or delivering to a fall-back relay host, or zero (no
/* the Postfix SMTP client
/* gives up or delivers to a fall-back relay host, or zero (no
/* limit).
/* .IP "\fBsmtp_rset_timeout (20s)\fR"
/* The SMTP client time limit for sending the RSET command, and
/* for receiving the server response.
/* The Postfix SMTP client time limit for sending the RSET command,
/* and for receiving the remote SMTP server response.
/* .PP
/* Available in Postfix version 2.2 and earlier:
/* .IP "\fBlmtp_cache_connection (yes)\fR"
@ -515,6 +539,13 @@
/* .IP "\fBconnection_cache_protocol_timeout (5s)\fR"
/* Time limit for connection cache connect, send or receive
/* operations.
/* .PP
/* Available in Postfix version 2.9 and later:
/* .IP "\fBsmtp_per_record_deadline (no)\fR"
/* Change the behavior of the smtp_*_timeout time limits, from a
/* time limit per read or write system call, to a time limit to send
/* or receive a complete record (an SMTP command line, SMTP response
/* line, SMTP message content line, or TLS protocol message).
/* TROUBLE SHOOTING CONTROLS
/* .ad
/* .fi
@ -555,14 +586,15 @@
/* .IP "\fBinet_interfaces (all)\fR"
/* The network interface addresses that this mail system receives
/* mail on.
/* .IP "\fBinet_protocols (ipv4)\fR"
/* .IP "\fBinet_protocols (all)\fR"
/* The Internet protocols Postfix will attempt to use when making
/* or accepting connections.
/* .IP "\fBipc_timeout (3600s)\fR"
/* The time limit for sending or receiving information over an internal
/* communication channel.
/* .IP "\fBlmtp_assume_final (no)\fR"
/* When an LMTP server announces no DSN support, assume that the
/* When a remote LMTP server announces no DSN support, assume that
/* the
/* server performs final delivery, and send "delivered" delivery status
/* notifications instead of "relayed".
/* .IP "\fBlmtp_tcp_port (24)\fR"
@ -580,7 +612,7 @@
/* .IP "\fBproxy_interfaces (empty)\fR"
/* The network interface addresses that this mail system receives mail
/* on by way of a proxy or network address translation unit.
/* .IP "\fBsmtp_address_preference (ipv6)\fR"
/* .IP "\fBsmtp_address_preference (any)\fR"
/* The address type ("ipv6", "ipv4" or "any") that the Postfix
/* SMTP client will try first, when a destination has IPv6 and IPv4
/* addresses with equal MX preference.
@ -785,7 +817,7 @@ char *var_smtp_tls_dcert_file;
char *var_smtp_tls_dkey_file;
bool var_smtp_tls_enforce_peername;
char *var_smtp_tls_key_file;
int var_smtp_tls_loglevel;
char *var_smtp_tls_loglevel;
bool var_smtp_tls_note_starttls_offer;
char *var_smtp_tls_mand_proto;
char *var_smtp_tls_sec_cmatch;
@ -817,6 +849,8 @@ char *var_smtp_body_chks;
char *var_smtp_resp_filter;
bool var_lmtp_assume_final;
char *var_smtp_dns_res_opt;
bool var_smtp_rec_deadline;
bool var_smtp_dummy_mail_auth;
/* Special handling of 535 AUTH errors. */
char *var_smtp_sasl_auth_cache_name;
@ -1032,6 +1066,7 @@ static void pre_init(char *unused_name, char **unused_argv)
if (use_tls || var_smtp_tls_per_site[0] || var_smtp_tls_policy[0]) {
#ifdef USE_TLS
TLS_CLIENT_INIT_PROPS props;
int using_smtp = (strcmp(var_procname, "smtp") == 0);
/*
* We get stronger type safety and a cleaner interface by combining
@ -1042,9 +1077,11 @@ static void pre_init(char *unused_name, char **unused_argv)
*/
smtp_tls_ctx =
TLS_CLIENT_INIT(&props,
log_param = using_smtp ?
VAR_SMTP_TLS_LOGLEVEL : VAR_LMTP_TLS_LOGLEVEL,
log_level = var_smtp_tls_loglevel,
verifydepth = var_smtp_tls_scert_vd,
cache_type = strcmp(var_procname, "smtp") == 0 ?
cache_type = using_smtp ?
TLS_MGR_SCACHE_SMTP : TLS_MGR_SCACHE_LMTP,
cert_file = var_smtp_tls_cert_file,
key_file = var_smtp_tls_key_file,
@ -1070,7 +1107,7 @@ static void pre_init(char *unused_name, char **unused_argv)
* Session cache domain list.
*/
if (*var_smtp_cache_dest)
smtp_cache_dest = string_list_init(MATCH_FLAG_NONE, var_smtp_cache_dest);
smtp_cache_dest = string_list_init(MATCH_FLAG_RETURN, var_smtp_cache_dest);
/*
* EHLO keyword filter.

460
external/ibm-public/postfix/dist/src/smtpd/smtpd.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: smtpd.c,v 1.8 2012/06/09 11:32:20 tron Exp $ */
/* $NetBSD: smtpd.c,v 1.9 2013/01/02 19:18:36 tron Exp $ */
/*++
/* NAME
@ -42,16 +42,17 @@
/* RFC 1123 (Host requirements)
/* RFC 1652 (8bit-MIME transport)
/* RFC 1869 (SMTP service extensions)
/* RFC 1870 (Message Size Declaration)
/* RFC 1870 (Message size declaration)
/* RFC 1985 (ETRN command)
/* RFC 2034 (SMTP Enhanced Status Codes)
/* RFC 2034 (SMTP enhanced status codes)
/* RFC 2554 (AUTH command)
/* RFC 2821 (SMTP protocol)
/* RFC 2920 (SMTP Pipelining)
/* RFC 2920 (SMTP pipelining)
/* RFC 3207 (STARTTLS command)
/* RFC 3461 (SMTP DSN Extension)
/* RFC 3463 (Enhanced Status Codes)
/* RFC 3848 (ESMTP Transmission Types)
/* RFC 3461 (SMTP DSN extension)
/* RFC 3463 (Enhanced status codes)
/* RFC 3848 (ESMTP transmission types)
/* RFC 4409 (Message submission)
/* RFC 4954 (AUTH command)
/* DIAGNOSTICS
/* Problems and transactions are logged to \fBsyslogd\fR(8).
@ -77,7 +78,7 @@
/* .ad
/* .fi
/* .IP "\fBbroken_sasl_auth_clients (no)\fR"
/* Enable inter-operability with SMTP clients that implement an obsolete
/* Enable inter-operability with remote SMTP clients that implement an obsolete
/* version of the AUTH command (RFC 4954).
/* .IP "\fBdisable_vrfy_command (no)\fR"
/* Disable the SMTP VRFY command.
@ -106,11 +107,13 @@
/* .IP "\fBsmtpd_discard_ehlo_keyword_address_maps (empty)\fR"
/* Lookup tables, indexed by the remote SMTP client address, with
/* case insensitive lists of EHLO keywords (pipelining, starttls, auth,
/* etc.) that the SMTP server will not send in the EHLO response to a
/* etc.) that the Postfix SMTP server will not send in the EHLO response
/* to a
/* remote SMTP client.
/* .IP "\fBsmtpd_discard_ehlo_keywords (empty)\fR"
/* A case insensitive list of EHLO keywords (pipelining, starttls,
/* auth, etc.) that the SMTP server will not send in the EHLO response
/* auth, etc.) that the Postfix SMTP server will not send in the EHLO
/* response
/* to a remote SMTP client.
/* .IP "\fBsmtpd_delay_open_until_valid_rcpt (yes)\fR"
/* Postpone the start of an SMTP mail transaction until a valid
@ -129,6 +132,13 @@
/* Available in Postfix version 2.7 and later:
/* .IP "\fBsmtpd_command_filter (empty)\fR"
/* A mechanism to transform commands from remote SMTP clients.
/* .PP
/* Available in Postfix version 2.9 and later:
/* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
/* Change the behavior of the smtpd_timeout time limit, from a
/* time limit per read or write system call, to a time limit to send
/* or receive a complete record (an SMTP command line, SMTP response
/* line, SMTP message content line, or TLS protocol message).
/* ADDRESS REWRITING CONTROLS
/* .ad
/* .fi
@ -247,7 +257,7 @@
/* .PP
/* Available in Postfix version 2.1 and later:
/* .IP "\fBsmtpd_authorized_xforward_hosts (empty)\fR"
/* What SMTP clients are allowed to use the XFORWARD feature.
/* What remote SMTP clients are allowed to use the XFORWARD feature.
/* SASL AUTHENTICATION CONTROLS
/* .ad
/* .fi
@ -256,7 +266,7 @@
/* Postfix SMTP client to a remote SMTP server.
/* See the SASL_README document for details.
/* .IP "\fBbroken_sasl_auth_clients (no)\fR"
/* Enable inter-operability with SMTP clients that implement an obsolete
/* Enable inter-operability with remote SMTP clients that implement an obsolete
/* version of the AUTH command (RFC 4954).
/* .IP "\fBsmtpd_sasl_auth_enable (no)\fR"
/* Enable SASL authentication in the Postfix SMTP server.
@ -358,14 +368,14 @@
/* use with mandatory TLS encryption.
/* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
/* Additional list of ciphers or cipher types to exclude from the
/* SMTP server cipher list at mandatory TLS security levels.
/* Postfix SMTP server cipher list at mandatory TLS security levels.
/* .IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2)\fR"
/* The SSL/TLS protocols accepted by the Postfix SMTP server with
/* mandatory TLS encryption.
/* .IP "\fBsmtpd_tls_received_header (no)\fR"
/* Request that the Postfix SMTP server produces Received: message
/* headers that include information about the protocol and cipher used,
/* as well as the client CommonName and client certificate issuer
/* as well as the remote SMTP client CommonName and client certificate issuer
/* CommonName.
/* .IP "\fBsmtpd_tls_req_ccert (no)\fR"
/* With mandatory TLS encryption, require a trusted remote SMTP client
@ -397,9 +407,10 @@
/* .PP
/* Available in Postfix version 2.5 and later:
/* .IP "\fBsmtpd_tls_fingerprint_digest (md5)\fR"
/* The message digest algorithm used to construct client-certificate
/* fingerprints for \fBcheck_ccert_access\fR and
/* \fBpermit_tls_clientcerts\fR.
/* The message digest algorithm to construct remote SMTP
/* client-certificate
/* fingerprints or public key fingerprints (Postfix 2.9 and later)
/* for \fBcheck_ccert_access\fR and \fBpermit_tls_clientcerts\fR.
/* .PP
/* Available in Postfix version 2.6 and later:
/* .IP "\fBsmtpd_tls_protocols (empty)\fR"
@ -416,16 +427,19 @@
/* The Postfix SMTP server security grade for ephemeral elliptic-curve
/* Diffie-Hellman (EECDH) key exchange.
/* .IP "\fBtls_eecdh_strong_curve (prime256v1)\fR"
/* The elliptic curve used by the SMTP server for sensibly strong
/* The elliptic curve used by the Postfix SMTP server for sensibly
/* strong
/* ephemeral ECDH key exchange.
/* .IP "\fBtls_eecdh_ultra_curve (secp384r1)\fR"
/* The elliptic curve used by the SMTP server for maximally strong
/* The elliptic curve used by the Postfix SMTP server for maximally
/* strong
/* ephemeral ECDH key exchange.
/* .PP
/* Available in Postfix version 2.8 and later:
/* .IP "\fBtls_preempt_cipherlist (no)\fR"
/* With SSLv3 and later, use the server's cipher preference order
/* instead of the client's cipher preference order.
/* With SSLv3 and later, use the Postfix SMTP server's cipher
/* preference order instead of the remote client's cipher preference
/* order.
/* .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR"
/* List or bit-mask of OpenSSL bug work-arounds to disable.
/* OBSOLETE STARTTLS CONTROLS
@ -435,10 +449,10 @@
/* with Postfix versions before 2.3. Support for these will
/* be removed in a future release.
/* .IP "\fBsmtpd_use_tls (no)\fR"
/* Opportunistic TLS: announce STARTTLS support to SMTP clients,
/* Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
/* but do not require that clients use TLS encryption.
/* .IP "\fBsmtpd_enforce_tls (no)\fR"
/* Mandatory TLS: announce STARTTLS support to SMTP clients,
/* Mandatory TLS: announce STARTTLS support to remote SMTP clients,
/* and require that clients use TLS encryption.
/* .IP "\fBsmtpd_tls_cipherlist (empty)\fR"
/* Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS
@ -462,11 +476,11 @@
/* .PP
/* Available in Postfix version 1.1 and 2.0:
/* .IP "\fBauthorized_verp_clients ($mynetworks)\fR"
/* What SMTP clients are allowed to specify the XVERP command.
/* What remote SMTP clients are allowed to specify the XVERP command.
/* .PP
/* Available in Postfix version 2.1 and later:
/* .IP "\fBsmtpd_authorized_verp_clients ($authorized_verp_clients)\fR"
/* What SMTP clients are allowed to specify the XVERP command.
/* What remote SMTP clients are allowed to specify the XVERP command.
/* TROUBLE SHOOTING CONTROLS
/* .ad
/* .fi
@ -492,7 +506,8 @@
/* .IP "\fBnotify_classes (resource, software)\fR"
/* The list of error classes that are reported to the postmaster.
/* .IP "\fBsmtpd_reject_footer (empty)\fR"
/* Optional information that is appended after each SMTP server
/* Optional information that is appended after each Postfix SMTP
/* server
/* 4XX or 5XX response.
/* .IP "\fBsoft_bounce (no)\fR"
/* Safety net to keep mail queued that would otherwise be returned to
@ -500,7 +515,7 @@
/* .PP
/* Available in Postfix version 2.1 and later:
/* .IP "\fBsmtpd_authorized_xclient_hosts (empty)\fR"
/* What SMTP clients are allowed to use the XCLIENT feature.
/* What remote SMTP clients are allowed to use the XCLIENT feature.
/* KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS
/* .ad
/* .fi
@ -529,7 +544,7 @@
/* .IP "\fBproxy_interfaces (empty)\fR"
/* The network interface addresses that this mail system receives mail
/* on by way of a proxy or network address translation unit.
/* .IP "\fBinet_protocols (ipv4)\fR"
/* .IP "\fBinet_protocols (all)\fR"
/* The Internet protocols Postfix will attempt to use when making
/* or accepting connections.
/* .IP "\fBlocal_recipient_maps (proxy:unix:passwd.byname $alias_maps)\fR"
@ -563,7 +578,7 @@
/* Optional lookup tables that alias specific mail addresses or domains
/* to other local or remote address.
/* .IP "\fBunknown_virtual_alias_reject_code (550)\fR"
/* The SMTP server reply code when a recipient address matches
/* The Postfix SMTP server reply code when a recipient address matches
/* $virtual_alias_domains, and $virtual_alias_maps specifies a list
/* of lookup tables that does not match the recipient address.
/* .PP
@ -576,7 +591,7 @@
/* Optional lookup tables with all valid addresses in the domains that
/* match $virtual_mailbox_domains.
/* .IP "\fBunknown_virtual_mailbox_reject_code (550)\fR"
/* The SMTP server reply code when a recipient address matches
/* The Postfix SMTP server reply code when a recipient address matches
/* $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list
/* of lookup tables that does not match the recipient address.
/* RESOURCE AND RATE CONTROLS
@ -633,6 +648,13 @@
/* The maximal number of new (i.e., uncached) TLS sessions that a
/* remote SMTP client is allowed to negotiate with this service per
/* time unit.
/* .PP
/* Available in Postfix version 2.9 and later:
/* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
/* Change the behavior of the smtpd_timeout time limit, from a
/* time limit per read or write system call, to a time limit to send
/* or receive a complete record (an SMTP command line, SMTP response
/* line, SMTP message content line, or TLS protocol message).
/* TARPIT CONTROLS
/* .ad
/* .fi
@ -692,8 +714,8 @@
/* What Postfix features match subdomains of "domain.tld" automatically,
/* instead of requiring an explicit ".domain.tld" pattern.
/* .IP "\fBsmtpd_client_restrictions (empty)\fR"
/* Optional SMTP server access restrictions in the context of a client
/* SMTP connection request.
/* Optional Postfix SMTP server access restrictions in the context of
/* a remote SMTP client connection request.
/* .IP "\fBsmtpd_helo_required (no)\fR"
/* Require that a remote SMTP client introduces itself with the HELO
/* or EHLO command before sending the MAIL command or other commands
@ -791,6 +813,11 @@
/* .IP "\fBunverified_recipient_tempfail_action ($reject_tempfail_action)\fR"
/* The Postfix SMTP server's action when reject_unverified_recipient
/* fails due to a temporary error condition.
/* .PP
/* Available with Postfix 2.9 and later:
/* .IP "\fBaddress_verify_sender_ttl (0s)\fR"
/* The time between changes in the time-dependent portion of address
/* verification probe sender addresses.
/* ACCESS CONTROL RESPONSES
/* .ad
/* .fi
@ -840,7 +867,7 @@
/* .PP
/* Available in Postfix version 2.0 and later:
/* .IP "\fBdefault_rbl_reply (see 'postconf -d' output)\fR"
/* The default SMTP server response template for a request that is
/* The default Postfix SMTP server response template for a request that is
/* rejected by an RBL-based restriction.
/* .IP "\fBmulti_recipient_bounce_reject_code (550)\fR"
/* The numerical Postfix SMTP server response code when a remote SMTP
@ -896,7 +923,7 @@
/* .IP "\fBmyhostname (see 'postconf -d' output)\fR"
/* The internet hostname of this mail system.
/* .IP "\fBmynetworks (see 'postconf -d' output)\fR"
/* The list of "trusted" SMTP clients that have more privileges than
/* The list of "trusted" remote SMTP clients that have more privileges than
/* "strangers".
/* .IP "\fBmyorigin ($myhostname)\fR"
/* The domain name that locally-posted mail appears to come
@ -1021,6 +1048,7 @@
#include <iostuff.h>
#include <split_at.h>
#include <name_code.h>
#include <inet_proto.h>
/* Global library. */
@ -1054,6 +1082,7 @@
#include <dsn_mask.h>
#include <xtext.h>
#include <tls_proxy.h>
#include <verify_sender_addr.h>
/* Single-threaded server skeleton. */
@ -1151,7 +1180,6 @@ char *var_unv_from_why;
char *var_unv_rcpt_why;
int var_mul_rcpt_code;
char *var_relay_rcpt_maps;
char *var_verify_sender;
int var_local_rcpt_code;
int var_virt_alias_code;
int var_virt_mailbox_code;
@ -1208,7 +1236,7 @@ char *var_smtpd_tls_dh1024_param_file;
char *var_smtpd_tls_dh512_param_file;
char *var_smtpd_tls_dkey_file;
char *var_smtpd_tls_key_file;
int var_smtpd_tls_loglevel;
char *var_smtpd_tls_loglevel;
char *var_smtpd_tls_mand_proto;
bool var_smtpd_tls_received_header;
bool var_smtpd_tls_req_ccert;
@ -1250,6 +1278,7 @@ char *var_unk_name_tf_act;
char *var_unk_addr_tf_act;
char *var_unv_rcpt_tf_act;
char *var_unv_from_tf_act;
bool var_smtpd_rec_deadline;
int smtpd_proxy_opts;
@ -1363,8 +1392,9 @@ static int sasl_client_exception(SMTPD_STATE *state)
if (sasl_exceptions_networks == 0)
return (0);
match = namadr_list_match(sasl_exceptions_networks,
state->name, state->addr);
if ((match = namadr_list_match(sasl_exceptions_networks,
state->name, state->addr)) == 0)
match = sasl_exceptions_networks->error;
if (msg_verbose)
msg_info("sasl_exceptions: %s, match=%d",
@ -1527,13 +1557,31 @@ static int helo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
return (0);
}
/* cant_announce_feature - explain and terminate this session */
static NORETURN cant_announce_feature(SMTPD_STATE *state, const char *feature)
{
msg_warn("don't know if EHLO feature %s should be announced to %s",
feature, state->namaddr);
vstream_longjmp(state->client, SMTP_ERR_DATA);
}
/* cant_permit_command - explain and terminate this session */
static NORETURN cant_permit_command(SMTPD_STATE *state, const char *command)
{
msg_warn("don't know if command %s should be allowed from %s",
command, state->namaddr);
vstream_longjmp(state->client, SMTP_ERR_DATA);
}
/* ehlo_cmd - process EHLO command */
static int ehlo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
const char *err;
int discard_mask;
VSTRING *reply_buf;
char **cpp;
/*
* XXX 2821 new feature: Section 4.1.4 specifies that a server must clear
@ -1600,23 +1648,21 @@ static int ehlo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
}
/*
* Build the EHLO response, suppressing features as requested. We store
* each output line in a one-element output queue, where it sits until we
* know if we need to prepend "250-" or "250 " to it. Each time we
* enqueue a reply line we flush the one that sits in the queue. We use a
* couple ugly macros to avoid making mistakes in code that repeats a
* lot.
* Build the EHLO response, producing no output until we know what to
* send - this simplifies exception handling. The CRLF record boundaries
* don't exist at this level in the code, so we represent multi-line
* output as an array of single-line responses.
*/
#define ENQUEUE_FIX_REPLY(state, reply_buf, cmd) \
#define EHLO_APPEND(state, cmd) \
do { \
smtpd_chat_reply((state), "250-%s", STR(reply_buf)); \
vstring_strcpy((reply_buf), (cmd)); \
vstring_sprintf((state)->ehlo_buf, (cmd)); \
argv_add((state)->ehlo_argv, STR((state)->ehlo_buf), (char *) 0); \
} while (0)
#define ENQUEUE_FMT_REPLY(state, reply_buf, fmt, arg) \
#define EHLO_APPEND1(state, cmd, arg) \
do { \
smtpd_chat_reply((state), "250-%s", STR(reply_buf)); \
vstring_sprintf((reply_buf), (fmt), (arg)); \
vstring_sprintf((state)->ehlo_buf, (cmd), (arg)); \
argv_add((state)->ehlo_argv, STR((state)->ehlo_buf), (char *) 0); \
} while (0)
/*
@ -1632,68 +1678,104 @@ static int ehlo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
if ((discard_mask & EHLO_MASK_ENHANCEDSTATUSCODES) == 0)
if (discard_mask && !(discard_mask & EHLO_MASK_SILENT))
msg_info("discarding EHLO keywords: %s", str_ehlo_mask(discard_mask));
if (ehlo_discard_maps && ehlo_discard_maps->error) {
msg_warn("don't know what EHLO features to announce to %s",
state->namaddr);
vstream_longjmp(state->client, SMTP_ERR_DATA);
}
reply_buf = vstring_alloc(10);
vstring_strcpy(reply_buf, var_myhostname);
/*
* These may still exist after a prior exception.
*/
if (state->ehlo_argv == 0) {
state->ehlo_argv = argv_alloc(10);
state->ehlo_buf = vstring_alloc(10);
} else
argv_truncate(state->ehlo_argv, 0);
EHLO_APPEND1(state, "%s", var_myhostname);
if ((discard_mask & EHLO_MASK_PIPELINING) == 0)
ENQUEUE_FIX_REPLY(state, reply_buf, "PIPELINING");
EHLO_APPEND(state, "PIPELINING");
if ((discard_mask & EHLO_MASK_SIZE) == 0) {
if (var_message_limit)
ENQUEUE_FMT_REPLY(state, reply_buf, "SIZE %lu",
(unsigned long) var_message_limit); /* XXX */
EHLO_APPEND1(state, "SIZE %lu",
(unsigned long) var_message_limit); /* XXX */
else
ENQUEUE_FIX_REPLY(state, reply_buf, "SIZE");
EHLO_APPEND(state, "SIZE");
}
if ((discard_mask & EHLO_MASK_VRFY) == 0)
if (var_disable_vrfy_cmd == 0)
ENQUEUE_FIX_REPLY(state, reply_buf, SMTPD_CMD_VRFY);
EHLO_APPEND(state, SMTPD_CMD_VRFY);
if ((discard_mask & EHLO_MASK_ETRN) == 0)
ENQUEUE_FIX_REPLY(state, reply_buf, SMTPD_CMD_ETRN);
EHLO_APPEND(state, SMTPD_CMD_ETRN);
#ifdef USE_TLS
if ((discard_mask & EHLO_MASK_STARTTLS) == 0)
if (var_smtpd_use_tls && (!state->tls_context))
ENQUEUE_FIX_REPLY(state, reply_buf, SMTPD_CMD_STARTTLS);
EHLO_APPEND(state, SMTPD_CMD_STARTTLS);
#endif
#ifdef USE_SASL_AUTH
#ifndef AUTH_CMD
#define AUTH_CMD "AUTH"
#endif
if ((discard_mask & EHLO_MASK_AUTH) == 0) {
if (smtpd_sasl_is_active(state) && !sasl_client_exception(state)) {
ENQUEUE_FMT_REPLY(state, reply_buf, "AUTH %s",
state->sasl_mechanism_list);
EHLO_APPEND1(state, "AUTH %s", state->sasl_mechanism_list);
if (var_broken_auth_clients)
ENQUEUE_FMT_REPLY(state, reply_buf, "AUTH=%s",
state->sasl_mechanism_list);
}
EHLO_APPEND1(state, "AUTH=%s", state->sasl_mechanism_list);
} else if (sasl_exceptions_networks && sasl_exceptions_networks->error)
cant_announce_feature(state, AUTH_CMD);
}
#define XCLIENT_LOGIN_KLUDGE " " XCLIENT_LOGIN
#else
#define XCLIENT_LOGIN_KLUDGE ""
#endif
if ((discard_mask & EHLO_MASK_VERP) == 0)
if ((discard_mask & EHLO_MASK_VERP) == 0) {
if (namadr_list_match(verp_clients, state->name, state->addr))
ENQUEUE_FIX_REPLY(state, reply_buf, VERP_CMD);
EHLO_APPEND(state, VERP_CMD);
else if (verp_clients && verp_clients->error)
cant_announce_feature(state, VERP_CMD);
}
/* XCLIENT must not override its own access control. */
if ((discard_mask & EHLO_MASK_XCLIENT) == 0)
if ((discard_mask & EHLO_MASK_XCLIENT) == 0) {
if (xclient_allowed)
ENQUEUE_FIX_REPLY(state, reply_buf, XCLIENT_CMD
" " XCLIENT_NAME " " XCLIENT_ADDR
" " XCLIENT_PROTO " " XCLIENT_HELO
" " XCLIENT_REVERSE_NAME " " XCLIENT_PORT);
if ((discard_mask & EHLO_MASK_XFORWARD) == 0)
EHLO_APPEND(state, XCLIENT_CMD
" " XCLIENT_NAME " " XCLIENT_ADDR
" " XCLIENT_PROTO " " XCLIENT_HELO
" " XCLIENT_REVERSE_NAME " " XCLIENT_PORT
XCLIENT_LOGIN_KLUDGE);
else if (xclient_hosts && xclient_hosts->error)
cant_announce_feature(state, XCLIENT_CMD);
}
if ((discard_mask & EHLO_MASK_XFORWARD) == 0) {
if (xforward_allowed)
ENQUEUE_FIX_REPLY(state, reply_buf, XFORWARD_CMD
" " XFORWARD_NAME " " XFORWARD_ADDR
" " XFORWARD_PROTO " " XFORWARD_HELO
" " XFORWARD_DOMAIN " " XFORWARD_PORT
" " XFORWARD_IDENT);
EHLO_APPEND(state, XFORWARD_CMD
" " XFORWARD_NAME " " XFORWARD_ADDR
" " XFORWARD_PROTO " " XFORWARD_HELO
" " XFORWARD_DOMAIN " " XFORWARD_PORT
" " XFORWARD_IDENT);
else if (xforward_hosts && xforward_hosts->error)
cant_announce_feature(state, XFORWARD_CMD);
}
if ((discard_mask & EHLO_MASK_ENHANCEDSTATUSCODES) == 0)
ENQUEUE_FIX_REPLY(state, reply_buf, "ENHANCEDSTATUSCODES");
EHLO_APPEND(state, "ENHANCEDSTATUSCODES");
if ((discard_mask & EHLO_MASK_8BITMIME) == 0)
ENQUEUE_FIX_REPLY(state, reply_buf, "8BITMIME");
EHLO_APPEND(state, "8BITMIME");
if ((discard_mask & EHLO_MASK_DSN) == 0)
ENQUEUE_FIX_REPLY(state, reply_buf, "DSN");
smtpd_chat_reply(state, "250 %s", STR(reply_buf));
EHLO_APPEND(state, "DSN");
/*
* Send the reply.
*/
for (cpp = state->ehlo_argv->argv; *cpp; cpp++)
smtpd_chat_reply(state, "250%c%s", cpp[1] ? '-' : ' ', *cpp);
/*
* Clean up.
*/
vstring_free(reply_buf);
argv_free(state->ehlo_argv);
state->ehlo_argv = 0;
vstring_free(state->ehlo_buf);
state->ehlo_buf = 0;
return (0);
}
@ -1708,6 +1790,14 @@ static void helo_reset(SMTPD_STATE *state)
if (SMTPD_STAND_ALONE(state) == 0 && smtpd_milters != 0)
milter_abort(smtpd_milters);
}
if (state->ehlo_argv) {
argv_free(state->ehlo_argv);
state->ehlo_argv = 0;
}
if (state->ehlo_buf) {
vstring_free(state->ehlo_buf);
state->ehlo_buf = 0;
}
}
/* mail_open_stream - open mail queue file or IPC stream */
@ -1727,7 +1817,6 @@ static int mail_open_stream(SMTPD_STATE *state)
* feature.
*/
if (state->proxy_mail) {
smtpd_check_rewrite(state);
if (smtpd_proxy_create(state, smtpd_proxy_opts, var_smtpd_proxy_filt,
var_smtpd_proxy_tmout, var_smtpd_proxy_ehlo,
state->proxy_mail) != 0) {
@ -1750,7 +1839,6 @@ static int mail_open_stream(SMTPD_STATE *state)
else if (SMTPD_STAND_ALONE(state) == 0) {
int cleanup_flags;
smtpd_check_rewrite(state);
cleanup_flags = input_transp_cleanup(CLEANUP_FLAG_MASK_EXTERNAL,
smtpd_input_transp_mask)
| CLEANUP_FLAG_SMTP_REPLY;
@ -1811,17 +1899,16 @@ static int mail_open_stream(SMTPD_STATE *state)
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
MAIL_ATTR_RWR_CONTEXT, FORWARD_DOMAIN(state));
#ifdef USE_SASL_AUTH
if (smtpd_sasl_is_active(state)) {
if (state->sasl_method)
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
MAIL_ATTR_SASL_METHOD, state->sasl_method);
if (state->sasl_username)
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
MAIL_ATTR_SASL_USERNAME, state->sasl_username);
if (state->sasl_sender)
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
MAIL_ATTR_SASL_SENDER, state->sasl_sender);
}
/* Make external authentication painless (e.g., XCLIENT). */
if (state->sasl_method)
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
MAIL_ATTR_SASL_METHOD, state->sasl_method);
if (state->sasl_username)
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
MAIL_ATTR_SASL_USERNAME, state->sasl_username);
if (state->sasl_sender)
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
MAIL_ATTR_SASL_SENDER, state->sasl_sender);
#endif
/*
@ -1921,7 +2008,7 @@ static int mail_open_stream(SMTPD_STATE *state)
* Log the queue ID with the message origin.
*/
#ifdef USE_SASL_AUTH
if (smtpd_sasl_is_active(state))
if (state->sasl_username)
smtpd_sasl_mail_log(state);
else
#endif
@ -2177,8 +2264,7 @@ static int mail_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
return (-1);
}
#ifdef USE_SASL_AUTH
} else if (smtpd_sasl_is_active(state)
&& strncasecmp(arg, "AUTH=", 5) == 0) {
} else if (strncasecmp(arg, "AUTH=", 5) == 0) {
if ((err = smtpd_sasl_mail_opt(state, arg + 5)) != 0) {
smtpd_chat_reply(state, "%s", err);
return (-1);
@ -2269,6 +2355,15 @@ static int mail_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
return (-1);
}
}
if (SMTPD_STAND_ALONE(state) == 0) {
err = smtpd_check_rewrite(state);
if (err != 0) {
/* XXX Reset access map side effects. */
mail_reset(state);
smtpd_chat_reply(state, "%s", err);
return (-1);
}
}
/*
* Check the queue file space, if applicable. The optional before-filter
@ -2364,7 +2459,7 @@ static void mail_reset(SMTPD_STATE *state)
state->saved_delay = 0;
#endif
#ifdef USE_SASL_AUTH
if (smtpd_sasl_is_active(state))
if (state->sasl_sender)
smtpd_sasl_mail_reset(state);
#endif
state->discard = 0;
@ -2503,7 +2598,23 @@ static int rcpt_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
return (-1);
}
if (SMTPD_STAND_ALONE(state) == 0) {
err = smtpd_check_rcpt(state, STR(state->addr_buf));
const char *verify_sender;
/*
* XXX Don't reject the address when we're probed with our own
* address verification sender address. Otherwise, some timeout or
* some UCE block may result in mutual negative caching, making it
* painful to get the mail through. Unfortunately we still have to
* send the address to the Milters otherwise they may bail out with a
* "missing recipient" protocol error.
*/
verify_sender = valid_verify_sender_addr(STR(state->addr_buf));
if (verify_sender != 0) {
vstring_strcpy(state->addr_buf, verify_sender);
err = 0;
} else {
err = smtpd_check_rcpt(state, STR(state->addr_buf));
}
if (smtpd_milters != 0
&& (state->saved_flags & MILTER_SKIP_FLAGS) == 0) {
PUSH_STRING(saved_rcpt, state->recipient, STR(state->addr_buf));
@ -2886,8 +2997,7 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
#endif
rfc3848_sess = "";
#ifdef USE_SASL_AUTH
if (smtpd_sasl_is_active(state) && var_smtpd_sasl_auth_hdr
&& state->sasl_username) {
if (var_smtpd_sasl_auth_hdr && state->sasl_username) {
username = VSTRING_STRDUP(state->sasl_username);
comment_sanitize(username);
out_fprintf(out_stream, REC_TYPE_NORM,
@ -2895,7 +3005,7 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
vstring_free(username);
}
/* RFC 3848 is defined for ESMTP only. */
if (smtpd_sasl_is_active(state) && state->sasl_username
if (state->sasl_username
&& strcmp(state->protocol, MAIL_PROTO_ESMTP) == 0)
rfc3848_auth = "A";
else
@ -2944,7 +3054,8 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
* because sendmail permits it.
*/
for (prev_rec_type = 0; /* void */ ; prev_rec_type = curr_rec_type) {
if (smtp_get(state->buffer, state->client, var_line_limit) == '\n')
if (smtp_get(state->buffer, state->client, var_line_limit,
SMTP_GET_FLAG_NONE) == '\n')
curr_rec_type = REC_TYPE_NORM;
else
curr_rec_type = REC_TYPE_CONT;
@ -3417,6 +3528,7 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
};
int got_helo = 0;
int got_proto = 0;
int got_login = 0;
/*
* Sanity checks.
@ -3435,6 +3547,8 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
XCLIENT_CMD);
return (-1);
}
if (xclient_hosts && xclient_hosts->error)
cant_permit_command(state, XCLIENT_CMD);
if (!xclient_allowed) {
state->error_mask |= MAIL_ERROR_POLICY;
smtpd_chat_reply(state, "550 5.7.0 Error: insufficient authorization");
@ -3609,6 +3723,20 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
got_proto = 1;
}
/*
* LOGIN=sasl_username. Sets the authentication method as XCLIENT.
* This can be used even if SASL authentication is turned off in
* main.cf. We can't make it easier than that.
*/
#ifdef USE_SASL_AUTH
else if (STREQ(attr_name, XCLIENT_LOGIN)) {
if (STREQ(attr_value, XCLIENT_UNAVAILABLE) == 0) {
smtpd_sasl_auth_extern(state, attr_value, XCLIENT_CMD);
got_login = 1;
}
}
#endif
/*
* Unknown attribute name. Complain.
*/
@ -3657,7 +3785,7 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
state->protocol = mystrdup(MAIL_PROTO_SMTP);
}
#ifdef USE_SASL_AUTH
if (smtpd_sasl_is_active(state))
if (got_login == 0)
smtpd_sasl_auth_reset(state);
#endif
chat_reset(state, 0);
@ -3715,6 +3843,8 @@ static int xforward_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
XFORWARD_CMD);
return (-1);
}
if (xforward_hosts && xforward_hosts->error)
cant_permit_command(state, XFORWARD_CMD);
if (!xforward_allowed) {
state->error_mask |= MAIL_ERROR_POLICY;
smtpd_chat_reply(state, "550 5.7.0 Error: insufficient authorization");
@ -4032,7 +4162,6 @@ static void smtpd_start_tls(SMTPD_STATE *state)
ctx = smtpd_tls_ctx,
stream = state->client,
fd = -1,
log_level = var_smtpd_tls_loglevel,
timeout = var_smtpd_starttls_tmout,
requirecert = requirecert,
serverid = state->service,
@ -4340,7 +4469,7 @@ static void smtpd_proto(SMTPD_STATE *state)
* cleans up, but no attempt is made to inform the client of the nature
* of the problem.
*/
smtp_timeout_setup(state->client, var_smtpd_tmout);
smtp_stream_setup(state->client, var_smtpd_tmout, var_smtpd_rec_deadline);
while ((status = vstream_setjmp(state->client)) == SMTP_ERR_NONE)
/* void */ ;
@ -4365,6 +4494,17 @@ static void smtpd_proto(SMTPD_STATE *state)
case SMTP_ERR_QUIET:
break;
case SMTP_ERR_DATA:
msg_info("%s: reject: %s from %s: "
"421 4.3.0 %s Server local data error",
(state->queue_id ? state->queue_id : "NOQUEUE"),
state->where, state->namaddr, var_myhostname);
state->error_mask |= MAIL_ERROR_DATA;
if (vstream_setjmp(state->client) == 0)
smtpd_chat_reply(state, "421 4.3.0 %s Server local data error",
var_myhostname);
break;
case 0:
/*
@ -4455,6 +4595,17 @@ static void smtpd_proto(SMTPD_STATE *state)
break;
}
}
/*
* Determine what server ESMTP features to suppress, typically to
* avoid inter-operability problems. Moved up so we don't send 421
* immediately after sending the initial server response.
*/
if (ehlo_discard_maps == 0
|| (ehlo_words = maps_find(ehlo_discard_maps, state->addr, 0)) == 0)
ehlo_words = var_smtpd_ehlo_dis_words;
state->ehlo_discard_mask = ehlo_mask(ehlo_words);
/* XXX We use the real client for connect access control. */
if (SMTPD_STAND_ALONE(state) == 0
&& var_smtpd_delay_reject == 0
@ -4501,49 +4652,11 @@ static void smtpd_proto(SMTPD_STATE *state)
smtpd_chat_reply(state, "421 %s Service unavailable - try again later",
var_myhostname);
/* Not: state->error_count++; */
#ifdef notdef
} else if (strcmp(state->name, "unknown") == 0) {
static char *greet_chunks[] = {
"220 ", 0, " ESMTP ", 0, 0,
};
char **cpp;
char *cp;
greet_chunks[1] = var_myhostname;
greet_chunks[3] = var_mail_name;
for (cpp = greet_chunks; *cpp; cpp++) {
for (cp = *cpp; *cp; cp++)
smtp_fputc(*(unsigned char *) cp, state->client);
smtp_flush(state->client);
if (read_wait(vstream_fileno(state->client), 2) == 0) {
smtpd_chat_query(state);
msg_info("PREGREET from %s: %s",
state->namaddr, vstring_str(state->buffer));
state->error_mask |= MAIL_ERROR_POLICY;
smtpd_chat_reply(state,
"521 %s ESMTP not accepting connections",
var_myhostname);
/* Not: state->error_count++; */
break;
}
}
smtp_fputs("", 0, state->client);
smtp_flush(state->client);
#endif
} else {
smtpd_chat_reply(state, "220 %s", var_smtpd_banner);
}
}
/*
* Determine what server ESMTP features to suppress, typically to
* avoid inter-operability problems.
*/
if (ehlo_discard_maps == 0
|| (ehlo_words = maps_find(ehlo_discard_maps, state->addr, 0)) == 0)
ehlo_words = var_smtpd_ehlo_dis_words;
state->ehlo_discard_mask = ehlo_mask(ehlo_words);
/*
* SASL initialization for plaintext mode.
*
@ -4585,6 +4698,11 @@ static void smtpd_proto(SMTPD_STATE *state)
msg_info("%s: replacing command \"%.100s\" with \"%.100s\"",
state->namaddr, STR(state->buffer), cp);
vstring_strcpy(state->buffer, cp);
} else if (smtpd_cmd_filter->error != 0) {
msg_warn("%s:%s lookup error for \"%.100s\"",
smtpd_cmd_filter->type, smtpd_cmd_filter->name,
printable(STR(state->buffer), '?'));
vstream_longjmp(state->client, SMTP_ERR_DATA);
}
}
if ((argc = smtpd_token(vstring_str(state->buffer), &argv)) == 0) {
@ -4593,6 +4711,7 @@ static void smtpd_proto(SMTPD_STATE *state)
state->error_count++;
continue;
}
/* Ignore smtpd_noop_cmds lookup errors. Non-critical feature. */
if (*var_smtpd_noop_cmds
&& string_list_match(smtpd_noop_cmds, argv[0].strval)) {
smtpd_chat_reply(state, "250 2.0.0 Ok");
@ -4603,6 +4722,7 @@ static void smtpd_proto(SMTPD_STATE *state)
for (cmdp = smtpd_cmd_table; cmdp->name != 0; cmdp++)
if (strcasecmp(argv[0].strval, cmdp->name) == 0)
break;
/* Ignore smtpd_forbid_cmds lookup errors. Non-critical feature. */
if (cmdp->name == 0) {
state->where = SMTPD_CMD_UNKNOWN;
if (is_header(argv[0].strval)
@ -4657,8 +4777,13 @@ static void smtpd_proto(SMTPD_STATE *state)
&& (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0
&& (vstream_peek(state->client) > 0
|| peekfd(vstream_fileno(state->client)) > 0)) {
msg_info("improper command pipelining after %s from %s",
cmdp->name, state->namaddr);
if (state->expand_buf == 0)
state->expand_buf = vstring_alloc(100);
escape(state->expand_buf, vstream_peek_data(state->client),
vstream_peek(state->client) < 100 ?
vstream_peek(state->client) : 100);
msg_info("improper command pipelining after %s from %s: %s",
cmdp->name, state->namaddr, STR(state->expand_buf));
state->flags |= SMTPD_FLAG_ILL_PIPELINING;
}
if (cmdp->action(state, argc, argv) != 0)
@ -4720,8 +4845,8 @@ static void smtpd_proto(SMTPD_STATE *state)
#endif
helo_reset(state);
#ifdef USE_SASL_AUTH
smtpd_sasl_auth_reset(state);
if (smtpd_sasl_is_active(state)) {
smtpd_sasl_auth_reset(state);
smtpd_sasl_deactivate(state);
}
#endif
@ -4744,6 +4869,16 @@ static void smtpd_service(VSTREAM *stream, char *service, char **argv)
if (argv[0])
msg_fatal("unexpected command-line argument: %s", argv[0]);
/*
* For sanity, require that at least one of INET or INET6 is enabled.
* Otherwise, we can't look up interface information, and we can't
* convert names or addresses.
*/
if (SMTPD_STAND_ALONE_STREAM(stream) == 0
&& inet_proto_info()->ai_family_list[0] == 0)
msg_fatal("all network protocols are disabled (%s = %s)",
VAR_INET_PROTOCOLS, var_inet_protocols);
/*
* This routine runs when a client has connected to our network port, or
* when the smtp server is run in stand-alone mode (input from pipe).
@ -4768,13 +4903,13 @@ static void smtpd_service(VSTREAM *stream, char *service, char **argv)
/*
* XCLIENT must not override its own access control.
*/
xclient_allowed =
xclient_allowed = SMTPD_STAND_ALONE((&state)) == 0 &&
namadr_list_match(xclient_hosts, state.name, state.addr);
/*
* Overriding XFORWARD access control makes no sense, either.
*/
xforward_allowed =
xforward_allowed = SMTPD_STAND_ALONE((&state)) == 0 &&
namadr_list_match(xforward_hosts, state.name, state.addr);
/*
@ -4817,12 +4952,12 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
* Initialize blacklist/etc. patterns before entering the chroot jail, in
* case they specify a filename pattern.
*/
smtpd_noop_cmds = string_list_init(MATCH_FLAG_NONE, var_smtpd_noop_cmds);
smtpd_forbid_cmds = string_list_init(MATCH_FLAG_NONE, var_smtpd_forbid_cmds);
verp_clients = namadr_list_init(MATCH_FLAG_NONE, var_verp_clients);
xclient_hosts = namadr_list_init(MATCH_FLAG_NONE, var_xclient_hosts);
xforward_hosts = namadr_list_init(MATCH_FLAG_NONE, var_xforward_hosts);
hogger_list = namadr_list_init(MATCH_FLAG_NONE, var_smtpd_hoggers);
smtpd_noop_cmds = string_list_init(MATCH_FLAG_RETURN, var_smtpd_noop_cmds);
smtpd_forbid_cmds = string_list_init(MATCH_FLAG_RETURN, var_smtpd_forbid_cmds);
verp_clients = namadr_list_init(MATCH_FLAG_RETURN, var_verp_clients);
xclient_hosts = namadr_list_init(MATCH_FLAG_RETURN, var_xclient_hosts);
xforward_hosts = namadr_list_init(MATCH_FLAG_RETURN, var_xforward_hosts);
hogger_list = namadr_list_init(MATCH_FLAG_RETURN, var_smtpd_hoggers);
/*
* Open maps before dropping privileges so we can read passwords etc.
@ -4845,7 +4980,7 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
if (*var_smtpd_sasl_exceptions_networks)
sasl_exceptions_networks =
namadr_list_init(MATCH_FLAG_NONE,
namadr_list_init(MATCH_FLAG_RETURN,
var_smtpd_sasl_exceptions_networks);
#else
msg_warn("%s is true, but SASL support is not compiled in",
@ -4950,6 +5085,7 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
*/
smtpd_tls_ctx =
TLS_SERVER_INIT(&props,
log_param = VAR_SMTPD_TLS_LOGLEVEL,
log_level = var_smtpd_tls_loglevel,
verifydepth = var_smtpd_tls_ccert_vd,
cache_type = TLS_MGR_SCACHE_SMTPD,
@ -5114,7 +5250,6 @@ int main(int argc, char **argv)
VAR_SMTPD_CNTLS_LIMIT, DEF_SMTPD_CNTLS_LIMIT, &var_smtpd_cntls_limit, 0, 0,
#ifdef USE_TLS
VAR_SMTPD_TLS_CCERT_VD, DEF_SMTPD_TLS_CCERT_VD, &var_smtpd_tls_ccert_vd, 0, 0,
VAR_SMTPD_TLS_LOGLEVEL, DEF_SMTPD_TLS_LOGLEVEL, &var_smtpd_tls_loglevel, 0, 0,
#endif
0,
};
@ -5133,6 +5268,7 @@ int main(int argc, char **argv)
VAR_MILT_CONN_TIME, DEF_MILT_CONN_TIME, &var_milt_conn_time, 1, 0,
VAR_MILT_CMD_TIME, DEF_MILT_CMD_TIME, &var_milt_cmd_time, 1, 0,
VAR_MILT_MSG_TIME, DEF_MILT_MSG_TIME, &var_milt_msg_time, 1, 0,
VAR_VERIFY_SENDER_TTL, DEF_VERIFY_SENDER_TTL, &var_verify_sender_ttl, 0, 0,
0,
};
static const CONFIG_BOOL_TABLE bool_table[] = {
@ -5162,6 +5298,10 @@ int main(int argc, char **argv)
VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log,
0,
};
static const CONFIG_NBOOL_TABLE nbool_table[] = {
VAR_SMTPD_REC_DEADLINE, DEF_SMTPD_REC_DEADLINE, &var_smtpd_rec_deadline,
0,
};
static const CONFIG_STR_TABLE str_table[] = {
VAR_SMTPD_BANNER, DEF_SMTPD_BANNER, &var_smtpd_banner, 1, 0,
VAR_NOTIFY_CLASSES, DEF_NOTIFY_CLASSES, &var_notify_classes, 0, 0,
@ -5227,6 +5367,7 @@ int main(int argc, char **argv)
VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0,
VAR_SMTPD_TLS_EECDH, DEF_SMTPD_TLS_EECDH, &var_smtpd_tls_eecdh, 1, 0,
VAR_SMTPD_TLS_FPT_DGST, DEF_SMTPD_TLS_FPT_DGST, &var_smtpd_tls_fpt_dgst, 1, 0,
VAR_SMTPD_TLS_LOGLEVEL, DEF_SMTPD_TLS_LOGLEVEL, &var_smtpd_tls_loglevel, 0, 0,
#endif
VAR_SMTPD_TLS_LEVEL, DEF_SMTPD_TLS_LEVEL, &var_smtpd_tls_level, 0, 0,
VAR_SMTPD_SASL_TYPE, DEF_SMTPD_SASL_TYPE, &var_smtpd_sasl_type, 1, 0,
@ -5278,6 +5419,7 @@ int main(int argc, char **argv)
MAIL_SERVER_STR_TABLE, str_table,
MAIL_SERVER_RAW_TABLE, raw_table,
MAIL_SERVER_BOOL_TABLE, bool_table,
MAIL_SERVER_NBOOL_TABLE, nbool_table,
MAIL_SERVER_TIME_TABLE, time_table,
MAIL_SERVER_PRE_INIT, pre_jail_init,
MAIL_SERVER_PRE_ACCEPT, pre_accept,

159
external/ibm-public/postfix/dist/src/tls/tls_client.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: tls_client.c,v 1.5 2012/06/09 11:32:20 tron Exp $ */
/* $NetBSD: tls_client.c,v 1.6 2013/01/02 19:18:36 tron Exp $ */
/*++
/* NAME
@ -169,7 +169,8 @@ static SSL_SESSION *load_clnt_session(TLS_SESS_STATE *TLScontext)
/*
* Prepare the query.
*/
if (TLScontext->log_level >= 2)
if (TLScontext->log_mask & TLS_LOG_CACHE)
/* serverid already contains namaddrport information */
msg_info("looking for session %s in %s cache",
TLScontext->serverid, TLScontext->cache_type);
@ -190,7 +191,8 @@ static SSL_SESSION *load_clnt_session(TLS_SESS_STATE *TLScontext)
session_data) == TLS_MGR_STAT_OK) {
session = tls_session_activate(STR(session_data), LEN(session_data));
if (session) {
if (TLScontext->log_level >= 2)
if (TLScontext->log_mask & TLS_LOG_CACHE)
/* serverid already contains namaddrport information */
msg_info("reloaded session %s from %s cache",
TLScontext->serverid, TLScontext->cache_type);
}
@ -229,7 +231,8 @@ static int new_client_session_cb(SSL *ssl, SSL_SESSION *session)
msg_panic("%s: null session cache type in new session callback",
myname);
if (TLScontext->log_level >= 2)
if (TLScontext->log_mask & TLS_LOG_CACHE)
/* serverid already contains namaddrport information */
msg_info("save session %s to %s cache",
TLScontext->serverid, TLScontext->cache_type);
@ -276,7 +279,8 @@ static void uncache_session(SSL_CTX *ctx, TLS_SESS_STATE *TLScontext)
if (TLScontext->cache_type == 0 || TLScontext->serverid == 0)
return;
if (TLScontext->log_level >= 2)
if (TLScontext->log_mask & TLS_LOG_CACHE)
/* serverid already contains namaddrport information */
msg_info("remove session %s from client cache", TLScontext->serverid);
tls_mgr_delete(TLScontext->cache_type, TLScontext->serverid);
@ -292,8 +296,14 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
TLS_APPL_STATE *app_ctx;
const EVP_MD *md_alg;
unsigned int md_len;
int log_mask;
if (props->log_level >= 2)
/*
* Convert user loglevel to internal logmask.
*/
log_mask = tls_log_mask(props->log_param, props->log_level);
if (log_mask & TLS_LOG_VERBOSE)
msg_info("initializing the client-side TLS engine");
/*
@ -387,7 +397,7 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
/*
* Set the call-back routine for verbose logging.
*/
if (props->log_level >= 2)
if (log_mask & TLS_LOG_DEBUG)
SSL_CTX_set_info_callback(client_ctx, tls_info_callback);
/*
@ -471,7 +481,7 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
* Allocate an application context, and populate with mandatory protocol
* and cipher data.
*/
app_ctx = tls_alloc_app_context(client_ctx);
app_ctx = tls_alloc_app_context(client_ctx, log_mask);
/*
* The external session cache is implemented by the tlsmgr(8) process.
@ -512,7 +522,7 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
static int match_hostname(const char *peerid,
const TLS_CLIENT_START_PROPS *props)
{
const ARGV *cmatch_argv = props->matchargv;
const ARGV *cmatch_argv;
const char *nexthop = props->nexthop;
const char *hname = props->host;
const char *pattern;
@ -522,6 +532,9 @@ static int match_hostname(const char *peerid,
int idlen;
int patlen;
if ((cmatch_argv = props->matchargv) == 0)
return 0;
/*
* Match the peerid against each pattern until we find a match.
*/
@ -576,6 +589,10 @@ static void verify_extract_name(TLS_SESS_STATE *TLScontext, X509 *peercert,
int i;
int r;
int matched = 0;
int dnsname_match;
int verify_peername = 0;
int log_certmatch;
int verbose;
const char *dnsname;
const GENERAL_NAME *gn;
@ -592,7 +609,16 @@ static void verify_extract_name(TLS_SESS_STATE *TLScontext, X509 *peercert,
if (SSL_get_verify_result(TLScontext->con) == X509_V_OK)
TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED;
if (TLS_CERT_IS_TRUSTED(TLScontext) && props->tls_level >= TLS_LEV_VERIFY) {
if (TLS_CERT_IS_TRUSTED(TLScontext) && props->tls_level >= TLS_LEV_VERIFY)
verify_peername = 1;
/* Force cert processing so we can log the data? */
log_certmatch = TLScontext->log_mask & TLS_LOG_CERTMATCH;
/* Log cert details when processing? */
verbose = log_certmatch || (TLScontext->log_mask & TLS_LOG_VERBOSE);
if (verify_peername || log_certmatch) {
/*
* Verify the dNSName(s) in the peer certificate against the nexthop
@ -616,7 +642,7 @@ static void verify_extract_name(TLS_SESS_STATE *TLScontext, X509 *peercert,
gens = X509_get_ext_d2i(peercert, NID_subject_alt_name, 0, 0);
if (gens) {
r = sk_GENERAL_NAME_num(gens);
for (i = 0; i < r && !matched; ++i) {
for (i = 0; i < r; ++i) {
gn = sk_GENERAL_NAME_value(gens, i);
if (gn->type != GEN_DNS)
continue;
@ -634,16 +660,26 @@ static void verify_extract_name(TLS_SESS_STATE *TLScontext, X509 *peercert,
TLScontext->peer_status |= TLS_CERT_FLAG_ALTNAME;
dnsname = tls_dns_name(gn, TLScontext);
if (dnsname && *dnsname) {
matched = match_hostname(dnsname, props);
if ((dnsname_match = match_hostname(dnsname, props)) != 0)
matched++;
/* Keep the first matched name. */
if (TLScontext->peer_CN
&& (matched || *TLScontext->peer_CN == 0)) {
&& ((dnsname_match && matched == 1)
|| *TLScontext->peer_CN == 0)) {
myfree(TLScontext->peer_CN);
TLScontext->peer_CN = 0;
}
if (verbose)
msg_info("%s: %ssubjectAltName: %s", props->namaddr,
dnsname_match ? "Matched " : "", dnsname);
}
if (TLScontext->peer_CN == 0)
TLScontext->peer_CN = mystrdup(dnsname ? dnsname : "");
if (matched && !log_certmatch)
break;
}
if (verify_peername && matched)
TLScontext->peer_status |= TLS_CERT_FLAG_MATCHED;
/*
* (Sam Rushing, Ironport) Free stack *and* member GENERAL_NAME
@ -659,20 +695,21 @@ static void verify_extract_name(TLS_SESS_STATE *TLScontext, X509 *peercert,
TLScontext->peer_CN = tls_peer_CN(peercert, TLScontext);
if (*TLScontext->peer_CN)
matched = match_hostname(TLScontext->peer_CN, props);
}
if (matched)
TLScontext->peer_status |= TLS_CERT_FLAG_MATCHED;
if (verify_peername && matched)
TLScontext->peer_status |= TLS_CERT_FLAG_MATCHED;
if (verbose)
msg_info("%s %sCommonName %s", props->namaddr,
matched ? "Matched " : "", TLScontext->peer_CN);
} else if (verbose) {
char *tmpcn = tls_peer_CN(peercert, TLScontext);
/*
* - Matched: Trusted and peername matches - Trusted: Signed by
* trusted CA(s), but peername not matched - Untrusted: Can't verify
* the trust chain, reason already logged.
*/
if (TLScontext->log_level >= 2)
msg_info("%s: %s subject_CN=%s, issuer_CN=%s", props->namaddr,
TLS_CERT_IS_MATCHED(TLScontext) ? "Matched" :
TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
TLScontext->peer_CN, TLScontext->issuer_CN);
/*
* Though the CommonName was superceded by a subjectAltName, log
* it when certificate match debugging was requested.
*/
msg_info("%s CommonName %s", TLScontext->namaddr, tmpcn);
myfree(tmpcn);
}
} else
TLScontext->peer_CN = tls_peer_CN(peercert, TLScontext);
@ -684,7 +721,7 @@ static void verify_extract_name(TLS_SESS_STATE *TLScontext, X509 *peercert,
*/
if (TLScontext->session_reused
&& !TLS_CERT_IS_TRUSTED(TLScontext)
&& TLScontext->log_level >= 1)
&& (TLScontext->log_mask & TLS_LOG_UNTRUSTED))
msg_info("%s: re-using session with untrusted certificate, "
"look for details earlier in the log", props->namaddr);
}
@ -698,23 +735,21 @@ static void verify_extract_print(TLS_SESS_STATE *TLScontext, X509 *peercert,
/* Non-null by contract */
TLScontext->peer_fingerprint = tls_fingerprint(peercert, props->fpt_dgst);
if (props->tls_level != TLS_LEV_FPRINT)
return;
TLScontext->peer_pkey_fprint = tls_pkey_fprint(peercert, props->fpt_dgst);
/*
* Compare the fingerprint against each acceptable value, ignoring
* upper/lower case differences.
*/
for (cpp = props->matchargv->argv; *cpp; ++cpp)
if (strcasecmp(TLScontext->peer_fingerprint, *cpp) == 0) {
TLScontext->peer_status |= TLS_CERT_FLAG_MATCHED;
break;
if (props->tls_level == TLS_LEV_FPRINT) {
for (cpp = props->matchargv->argv; *cpp; ++cpp) {
if (strcasecmp(TLScontext->peer_fingerprint, *cpp) == 0
|| strcasecmp(TLScontext->peer_pkey_fprint, *cpp) == 0) {
TLScontext->peer_status |= TLS_CERT_FLAG_MATCHED;
break;
}
}
if (props->log_level >= 2)
msg_info("%s %s%s fingerprint %s", props->namaddr,
TLS_CERT_IS_MATCHED(TLScontext) ? "Matched " : "",
props->fpt_dgst, TLScontext->peer_fingerprint);
}
}
/*
@ -733,8 +768,16 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
TLS_SESS_STATE *TLScontext;
TLS_APPL_STATE *app_ctx = props->ctx;
VSTRING *myserverid;
int log_mask = app_ctx->log_mask;
if (props->log_level >= 1)
/*
* When certificate verification is required, log trust chain validation
* errors even when disabled by default for opportunistic sessions.
*/
if (props->tls_level >= TLS_LEV_VERIFY)
log_mask |= TLS_LOG_UNTRUSTED;
if (log_mask & TLS_LOG_VERBOSE)
msg_info("setting up TLS connection to %s", props->namaddr);
/*
@ -781,7 +824,7 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
vstring_free(myserverid);
return (0);
}
if (props->log_level >= 2)
if (log_mask & TLS_LOG_VERBOSE)
msg_info("%s: TLS cipher list \"%s\"", props->namaddr, cipher_list);
vstring_sprintf_append(myserverid, "&c=%s", cipher_list);
@ -799,10 +842,11 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
* If session caching was enabled when TLS was initialized, the cache type
* is stored in the client SSL context.
*/
TLScontext = tls_alloc_sess_context(props->log_level, props->namaddr);
TLScontext = tls_alloc_sess_context(log_mask, props->namaddr);
TLScontext->cache_type = app_ctx->cache_type;
TLScontext->serverid = vstring_export(myserverid);
TLScontext->stream = props->stream;
if ((TLScontext->con = SSL_new(app_ctx->ssl_ctx)) == NULL) {
msg_warn("Could not allocate 'TLScontext->con' with SSL_new()");
@ -890,13 +934,14 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
/*
* If the debug level selected is high enough, all of the data is dumped:
* 3 will dump the SSL negotiation, 4 will dump everything.
* TLS_LOG_TLSPKTS will dump the SSL negotiation, TLS_LOG_ALLPKTS will
* dump everything.
*
* We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
* Well there is a BIO below the SSL routines that is automatically
* created for us, so we can use it for debugging purposes.
*/
if (props->log_level >= 3)
if (log_mask & TLS_LOG_TLSPKTS)
BIO_set_callback(SSL_get_rbio(TLScontext->con), tls_bio_dump_cb);
/*
@ -909,14 +954,21 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
sts = tls_bio_connect(vstream_fileno(props->stream), props->timeout,
TLScontext);
if (sts <= 0) {
msg_info("SSL_connect error to %s: %d", props->namaddr, sts);
tls_print_errors();
if (ERR_peek_error() != 0) {
msg_info("SSL_connect error to %s: %d", props->namaddr, sts);
tls_print_errors();
} else if (errno != 0) {
msg_info("SSL_connect error to %s: %m", props->namaddr);
} else {
msg_info("SSL_connect error to %s: lost connection",
props->namaddr);
}
uncache_session(app_ctx->ssl_ctx, TLScontext);
tls_free_context(TLScontext);
return (0);
}
/* Only log_level==4 dumps everything */
if (props->log_level < 4)
/* Turn off packet dump if only dumping the handshake */
if ((log_mask & TLS_LOG_ALLPKTS) == 0)
BIO_set_callback(SSL_get_rbio(TLScontext->con), 0);
/*
@ -924,7 +976,7 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
* session was negotiated.
*/
TLScontext->session_reused = SSL_session_reused(TLScontext->con);
if (props->log_level >= 2 && TLScontext->session_reused)
if ((log_mask & TLS_LOG_CACHE) && TLScontext->session_reused)
msg_info("%s: Reusing old session", TLScontext->namaddr);
/*
@ -940,11 +992,20 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
*/
verify_extract_name(TLScontext, peercert, props);
verify_extract_print(TLScontext, peercert, props);
if (TLScontext->log_mask &
(TLS_LOG_CERTMATCH | TLS_LOG_VERBOSE | TLS_LOG_PEERCERT))
msg_info("%s: subject_CN=%s, issuer_CN=%s, "
"fingerprint %s, pkey_fingerprint=%s", props->namaddr,
TLScontext->peer_CN, TLScontext->issuer_CN,
TLScontext->peer_fingerprint,
TLScontext->peer_pkey_fprint);
X509_free(peercert);
} else {
TLScontext->issuer_CN = mystrdup("");
TLScontext->peer_CN = mystrdup("");
TLScontext->peer_fingerprint = mystrdup("");
TLScontext->peer_pkey_fprint = mystrdup("");
}
/*
@ -965,7 +1026,7 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
/*
* All the key facts in a single log entry.
*/
if (props->log_level >= 1)
if (log_mask & TLS_LOG_SUMMARY)
msg_info("%s TLS connection established to %s: %s with cipher %s "
"(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",

83
external/ibm-public/postfix/dist/src/tls/tls_server.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: tls_server.c,v 1.5 2012/06/09 11:32:20 tron Exp $ */
/* $NetBSD: tls_server.c,v 1.6 2013/01/02 19:18:36 tron Exp $ */
/*++
/* NAME
@ -36,7 +36,7 @@
/*
/* tls_server_start() activates the TLS feature for the VSTREAM
/* passed as argument. We assume that network buffers are flushed
/* and the TLS handshake can begin immediately.
/* and the TLS handshake can begin immediately.
/*
/* tls_server_stop() sends the "close notify" alert via
/* SSL_shutdown() to the peer and resets all connection specific
@ -84,7 +84,7 @@
/* programs cannot use the synchronous VSTREAM-over-TLS
/* implementation that the current TLS library provides,
/* including tls_server_stop() and the underlying tls_stream(3)
/* and tls_bio_ops(3) routines.
/* and tls_bio_ops(3) routines.
/*
/* With the current TLS library implementation, this means
/* that the application is responsible for calling and retrying
@ -192,7 +192,7 @@ static SSL_SESSION *get_server_session_cb(SSL *ssl, unsigned char *session_id,
GEN_CACHE_ID(cache_id, session_id, session_id_length, TLScontext->serverid);
if (TLScontext->log_level >= 2)
if (TLScontext->log_mask & TLS_LOG_CACHE)
msg_info("%s: looking up session %s in %s cache", TLScontext->namaddr,
STR(cache_id), TLScontext->cache_type);
@ -202,7 +202,7 @@ static SSL_SESSION *get_server_session_cb(SSL *ssl, unsigned char *session_id,
if (tls_mgr_lookup(TLScontext->cache_type, STR(cache_id),
session_data) == TLS_MGR_STAT_OK) {
session = tls_session_activate(STR(session_data), LEN(session_data));
if (session && (TLScontext->log_level >= 2))
if (session && (TLScontext->log_mask & TLS_LOG_CACHE))
msg_info("%s: reloaded session %s from %s cache",
TLScontext->namaddr, STR(cache_id),
TLScontext->cache_type);
@ -232,7 +232,7 @@ static void uncache_session(SSL_CTX *ctx, TLS_SESS_STATE *TLScontext)
GEN_CACHE_ID(cache_id, session->session_id, session->session_id_length,
TLScontext->serverid);
if (TLScontext->log_level >= 2)
if (TLScontext->log_mask & TLS_LOG_CACHE)
msg_info("%s: remove session %s from %s cache", TLScontext->namaddr,
STR(cache_id), TLScontext->cache_type);
@ -255,7 +255,7 @@ static int new_server_session_cb(SSL *ssl, SSL_SESSION *session)
GEN_CACHE_ID(cache_id, session->session_id, session->session_id_length,
TLScontext->serverid);
if (TLScontext->log_level >= 2)
if (TLScontext->log_mask & TLS_LOG_CACHE)
msg_info("%s: save session %s to %s cache", TLScontext->namaddr,
STR(cache_id), TLScontext->cache_type);
@ -290,8 +290,14 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
TLS_APPL_STATE *app_ctx;
const EVP_MD *md_alg;
unsigned int md_len;
int log_mask;
if (props->log_level >= 2)
/*
* Convert user loglevel to internal logmask.
*/
log_mask = tls_log_mask(props->log_param, props->log_level);
if (log_mask & TLS_LOG_VERBOSE)
msg_info("initializing the server-side TLS engine");
/*
@ -423,7 +429,7 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
/*
* Set the call-back routine to debug handshake progress.
*/
if (props->log_level >= 2)
if (log_mask & TLS_LOG_DEBUG)
SSL_CTX_set_info_callback(server_ctx, tls_info_callback);
/*
@ -469,9 +475,9 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
}
/*
* According to the OpenSSL documentation, temporary RSA key is needed
* export ciphers are in use. We have to provide one, so well, we just do
* it.
* According to OpenSSL documentation, a temporary RSA key is needed when
* export ciphers are in use, because the certified key cannot be
* directly used.
*/
SSL_CTX_set_tmp_rsa_callback(server_ctx, tls_tmp_rsa_cb);
@ -527,7 +533,7 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
* Initialize our own TLS server handle, before diving into the details
* of TLS session cache management.
*/
app_ctx = tls_alloc_app_context(server_ctx);
app_ctx = tls_alloc_app_context(server_ctx, log_mask);
/*
* The session cache is implemented by the tlsmgr(8) server.
@ -607,8 +613,16 @@ TLS_SESS_STATE *tls_server_start(const TLS_SERVER_START_PROPS *props)
TLS_SESS_STATE *TLScontext;
const char *cipher_list;
TLS_APPL_STATE *app_ctx = props->ctx;
int log_mask = app_ctx->log_mask;
if (props->log_level >= 1)
/*
* Implicitly enable logging of trust chain errors when verified certs
* are required.
*/
if (props->requirecert)
log_mask |= TLS_LOG_UNTRUSTED;
if (log_mask & TLS_LOG_VERBOSE)
msg_info("setting up TLS connection from %s", props->namaddr);
cipher_list = tls_set_ciphers(app_ctx, "TLS", props->cipher_grade,
@ -618,7 +632,7 @@ TLS_SESS_STATE *tls_server_start(const TLS_SERVER_START_PROPS *props)
vstring_str(app_ctx->why));
return (0);
}
if (props->log_level >= 2)
if (log_mask & TLS_LOG_VERBOSE)
msg_info("%s: TLS cipher list \"%s\"", props->namaddr, cipher_list);
/*
@ -626,7 +640,7 @@ TLS_SESS_STATE *tls_server_start(const TLS_SERVER_START_PROPS *props)
* structure. Add the location of TLScontext to the SSL to later retrieve
* the information inside the tls_verify_certificate_callback().
*/
TLScontext = tls_alloc_sess_context(props->log_level, props->namaddr);
TLScontext = tls_alloc_sess_context(log_mask, props->namaddr);
TLScontext->cache_type = app_ctx->cache_type;
TLScontext->serverid = mystrdup(props->serverid);
@ -677,13 +691,14 @@ TLS_SESS_STATE *tls_server_start(const TLS_SERVER_START_PROPS *props)
/*
* If the debug level selected is high enough, all of the data is dumped:
* 3 will dump the SSL negotiation, 4 will dump everything.
* TLS_LOG_TLSPKTS will dump the SSL negotiation, TLS_LOG_ALLPKTS will
* dump everything.
*
* We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
* Well there is a BIO below the SSL routines that is automatically
* created for us, so we can use it for debugging purposes.
*/
if (props->log_level >= 3)
if (log_mask & TLS_LOG_TLSPKTS)
BIO_set_callback(SSL_get_rbio(TLScontext->con), tls_bio_dump_cb);
/*
@ -709,8 +724,15 @@ TLS_SESS_STATE *tls_server_start(const TLS_SERVER_START_PROPS *props)
sts = tls_bio_accept(vstream_fileno(props->stream), props->timeout,
TLScontext);
if (sts <= 0) {
msg_info("SSL_accept error from %s: %d", props->namaddr, sts);
tls_print_errors();
if (ERR_peek_error() != 0) {
msg_info("SSL_accept error from %s: %d", props->namaddr, sts);
tls_print_errors();
} else if (errno != 0) {
msg_info("SSL_accept error from %s: %m", props->namaddr);
} else {
msg_info("SSL_accept error from %s: lost connection",
props->namaddr);
}
tls_free_context(TLScontext);
return (0);
}
@ -725,8 +747,8 @@ TLS_SESS_STATE *tls_server_post_accept(TLS_SESS_STATE *TLScontext)
X509 *peer;
char buf[CCERT_BUFSIZ];
/* Only loglevel==4 dumps everything */
if (TLScontext->log_level < 4)
/* Turn off packet dump if only dumping the handshake */
if ((TLScontext->log_mask & TLS_LOG_ALLPKTS) == 0)
BIO_set_callback(SSL_get_rbio(TLScontext->con), 0);
/*
@ -734,7 +756,7 @@ TLS_SESS_STATE *tls_server_post_accept(TLS_SESS_STATE *TLScontext)
* session was negotiated.
*/
TLScontext->session_reused = SSL_session_reused(TLScontext->con);
if (TLScontext->log_level >= 2 && TLScontext->session_reused)
if ((TLScontext->log_mask & TLS_LOG_CACHE) && TLScontext->session_reused)
msg_info("%s: Reusing old session", TLScontext->namaddr);
/*
@ -747,7 +769,7 @@ TLS_SESS_STATE *tls_server_post_accept(TLS_SESS_STATE *TLScontext)
if (SSL_get_verify_result(TLScontext->con) == X509_V_OK)
TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED;
if (TLScontext->log_level >= 2) {
if (TLScontext->log_mask & TLS_LOG_VERBOSE) {
X509_NAME_oneline(X509_get_subject_name(peer),
buf, sizeof(buf));
msg_info("subject=%s", buf);
@ -759,13 +781,16 @@ TLS_SESS_STATE *tls_server_post_accept(TLS_SESS_STATE *TLScontext)
TLScontext->issuer_CN = tls_issuer_CN(peer, TLScontext);
TLScontext->peer_fingerprint =
tls_fingerprint(peer, TLScontext->fpt_dgst);
TLScontext->peer_pkey_fprint =
tls_pkey_fprint(peer, TLScontext->fpt_dgst);
if (TLScontext->log_level >= 1) {
msg_info("%s: %s: subject_CN=%s, issuer=%s, fingerprint=%s",
if (TLScontext->log_mask & (TLS_LOG_VERBOSE | TLS_LOG_PEERCERT)) {
msg_info("%s: subject_CN=%s, issuer=%s, fingerprint=%s"
", pkey_fingerprint=%s",
TLScontext->namaddr,
TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
TLScontext->peer_CN, TLScontext->issuer_CN,
TLScontext->peer_fingerprint);
TLScontext->peer_fingerprint,
TLScontext->peer_pkey_fprint);
}
X509_free(peer);
} else {
@ -795,7 +820,7 @@ TLS_SESS_STATE *tls_server_post_accept(TLS_SESS_STATE *TLScontext)
/*
* All the key facts in a single log entry.
*/
if (TLScontext->log_level >= 1)
if (TLScontext->log_mask & TLS_LOG_SUMMARY)
msg_info("%s TLS connection established from %s: %s with cipher %s "
"(%d/%d bits)", !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous"
: TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",

37
external/ibm-public/postfix/dist/src/util/match_ops.h vendored
View File

@ -1,37 +0,0 @@
/* $NetBSD: match_ops.h,v 1.1.1.1 2009/06/23 10:09:00 tron Exp $ */
#ifndef _MATCH_OPS_H_INCLUDED_
#define _MATCH_OPS_H_INCLUDED_
/*++
/* NAME
/* match_ops 3h
/* SUMMARY
/* simple string or host pattern matching
/* SYNOPSIS
/* #include <match_ops.h>
/* DESCRIPTION
/* .nf
/* External interface. */
#define MATCH_FLAG_NONE 0
#define MATCH_FLAG_PARENT (1<<0)
#define MATCH_FLAG_ALL (MATCH_FLAG_PARENT)
extern int match_string(int, const char *, const char *);
extern int match_hostname(int, const char *, const char *);
extern int match_hostaddr(int, const char *, const char *);
/* LICENSE
/* .ad
/* .fi
/* The Secure Mailer license must be distributed with this software.
/* AUTHOR(S)
/* Wietse Venema
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
/*--*/
#endif

88
external/ibm-public/postfix/dist/src/util/sys_defs.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: sys_defs.h,v 1.4 2012/12/18 09:10:32 tron Exp $ */
/* $NetBSD: sys_defs.h,v 1.5 2013/01/02 19:18:37 tron Exp $ */
#ifndef _SYS_DEFS_H_INCLUDED_
#define _SYS_DEFS_H_INCLUDED_
@ -190,6 +190,14 @@
# endif
#endif
#ifndef NO_POSIX_GETPW_R
# if (defined(__FreeBSD_version) && __FreeBSD_version >= 510000) \
|| (defined(__NetBSD_Version__) && __NetBSD_Version__ >= 300000000) \
|| (defined(OpenBSD) && OpenBSD >= 200811) /* OpenBSD 4.4 */
# define HAVE_POSIX_GETPW_R
# endif
#endif
#endif
/*
@ -238,6 +246,9 @@
# define EVENTS_STYLE EVENTS_STYLE_KQUEUE
# define USE_SYSV_POLL
#endif
#ifndef NO_POSIX_GETPW_R
# define HAVE_POSIX_GETPW_R
#endif
#endif
@ -278,7 +289,9 @@ extern int opterr;
extern int h_errno;
#define MISSING_STRFTIME_E
#ifndef NO_NIS
#define HAS_NIS
#endif
#define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
#define ROOT_PATH "/bin:/usr/bin:/etc:/usr/etc:/usr/ucb"
#define USE_STATFS
@ -318,7 +331,9 @@ extern int optind; /* XXX use <getopt.h> */
extern char *optarg; /* XXX use <getopt.h> */
extern int opterr; /* XXX use <getopt.h> */
#ifndef NO_NIS
#define HAS_NIS
#endif
#define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
#define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin:/usr/ucb"
#define USE_STATFS
@ -363,7 +378,9 @@ extern int optind;
extern char *optarg;
extern int opterr;
#ifndef NO_NIS
#define HAS_NIS
#endif
#define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
#define ROOT_PATH "/bin:/usr/bin:/etc:/usr/etc:/usr/ucb"
#define USE_STATFS
@ -403,8 +420,10 @@ extern int opterr;
#define HAS_DBM
#define DEF_DB_TYPE "dbm"
#define ALIAS_DB_MAP "dbm:/etc/mail/aliases"
#ifndef NO_NIS
#define HAS_NIS
#define HAS_NISPLUS
#endif
#define USE_SYS_SOCKIO_H /* Solaris 2.5, changed sys/ioctl.h */
#define GETTIMEOFDAY(t) gettimeofday(t)
#define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin:/usr/ucb"
@ -446,6 +465,10 @@ extern int opterr;
#ifndef NO_DEVPOLL
# define EVENTS_STYLE EVENTS_STYLE_DEVPOLL
#endif
#ifndef NO_POSIX_GETPW_R
# define HAVE_POSIX_GETPW_R
# define GETPW_R_NEEDS_POSIX_PTHREAD_SEMANTICS
#endif
/*
* Allow build environment to override paths.
@ -477,7 +500,9 @@ extern int opterr;
#define HAS_DBM
#define DEF_DB_TYPE "dbm"
#define ALIAS_DB_MAP "dbm:/etc/mail/aliases"
#ifndef NO_NIS
#define HAS_NIS
#endif
#define USE_SYS_SOCKIO_H
#define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
#define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin:/usr/ucb"
@ -506,8 +531,9 @@ extern int opterr;
#define HAS_DBM
#define DEF_DB_TYPE "dbm"
#define ALIAS_DB_MAP "dbm:/etc/mail/aliases"
/* Uncomment the following line if you have NIS package installed
#ifndef NO_NIS
#define HAS_NIS */
#endif
#define USE_SYS_SOCKIO_H
#define GETTIMEOFDAY(t) gettimeofday(t,NULL)
#define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin:/usr/ucb"
@ -548,7 +574,9 @@ extern int opterr;
#define HAS_DBM
#define DEF_DB_TYPE "dbm"
#define ALIAS_DB_MAP "dbm:/etc/aliases"
#ifndef NO_NIS
#define HAS_NIS
#endif
#define HAS_SA_LEN
#define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
#define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin:/usr/ucb"
@ -600,7 +628,9 @@ extern int opterr;
#define HAS_DBM
#define DEF_DB_TYPE "dbm"
#define ALIAS_DB_MAP "dbm:/etc/aliases"
#ifndef NO_NIS
#define HAS_NIS
#endif
#define HAS_SA_LEN
#define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
#define RESOLVE_H_NEEDS_STDIO_H
@ -644,7 +674,9 @@ extern int initgroups(const char *, int);
#define HAS_DBM
#define DEF_DB_TYPE "dbm"
#define ALIAS_DB_MAP "dbm:/etc/aliases"
#ifndef NO_NIS
#define HAS_NIS
#endif
#define HAS_SA_LEN
#define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
#define RESOLVE_H_NEEDS_STDIO_H
@ -684,7 +716,9 @@ extern int initgroups(const char *, int);
#define HAS_DBM
#define DEF_DB_TYPE "dbm"
#define ALIAS_DB_MAP "dbm:/etc/aliases"
#ifndef NO_NIS
#define HAS_NIS
#endif
#define USE_SYS_SOCKIO_H /* XXX check */
#define GETTIMEOFDAY(t) gettimeofday(t)
#define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin:/usr/bsd"
@ -726,7 +760,9 @@ extern int initgroups(const char *, int);
#define HAS_DB
#define DEF_DB_TYPE "hash"
#define ALIAS_DB_MAP "hash:/etc/aliases"
#ifndef NO_NIS
#define HAS_NIS
#endif
#define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
#define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin"
#define FIONREAD_IN_TERMIOS_H
@ -775,6 +811,16 @@ extern int initgroups(const char *, int);
# define EVENTS_STYLE EVENTS_STYLE_EPOLL /* introduced in 2.5 */
#endif
#define USE_SYSV_POLL
#ifndef NO_POSIX_GETPW_R
# if (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 1) \
|| (defined(_XOPEN_SOURCE) && _XOPEN_SOURCE >= 1) \
|| (defined(_BSD_SOURCE) && _BSD_SOURCE >= 1) \
|| (defined(_SVID_SOURCE) && _SVID_SOURCE >= 1) \
|| (defined(_POSIX_SOURCE) && _POSIX_SOURCE >= 1)
# define HAVE_POSIX_GETPW_R
# endif
#endif
#endif
#ifdef LINUX1
@ -791,7 +837,9 @@ extern int initgroups(const char *, int);
#define HAS_DB
#define DEF_DB_TYPE "hash"
#define ALIAS_DB_MAP "hash:/etc/aliases"
#ifndef NO_NIS
#define HAS_NIS
#endif
#define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
#define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin"
#define FIONREAD_IN_TERMIOS_H /* maybe unnecessary */
@ -823,7 +871,9 @@ extern int initgroups(const char *, int);
#define HAS_DB
#define DEF_DB_TYPE "hash"
#define ALIAS_DB_MAP "hash:/etc/aliases"
#ifndef NO_NIS
#define HAS_NIS
#endif
#define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
#define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin"
#define FIONREAD_IN_TERMIOS_H
@ -889,7 +939,9 @@ extern int initgroups(const char *, int);
#define ALIAS_DB_MAP "dbm:/etc/mail/aliases"
#define ROOT_PATH "/usr/bin:/sbin:/usr/sbin"
#define MISSING_SETENV
#ifndef NO_NIS
#define HAS_NIS
#endif
#define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
#define _PATH_BSHELL "/bin/sh"
#define _PATH_MAILDIR "/var/mail"
@ -926,7 +978,9 @@ extern int h_errno; /* <netdb.h> imports too much stuff */
#define ALIAS_DB_MAP "dbm:/etc/mail/aliases"
#define ROOT_PATH "/usr/bin:/sbin:/usr/sbin"
#define MISSING_SETENV
#ifndef NO_NIS
#define HAS_NIS
#endif
#define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
#define _PATH_BSHELL "/bin/sh"
#define _PATH_MAILDIR "/var/mail"
@ -959,7 +1013,9 @@ extern int h_errno; /* <netdb.h> imports too much stuff */
#define INTERNAL_LOCK MYFLOCK_STYLE_FCNTL
#define DEF_MAILBOX_LOCK "fcntl, dotlock"
#define HAS_FSYNC
#ifndef NO_NIS
#define HAS_NIS
#endif
#define MISSING_SETENV
#define MISSING_RLIMIT_FSIZE
#define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
@ -1002,7 +1058,9 @@ extern int h_errno;
#define HAVE_SYS_DIR_H
#define STATFS_IN_SYS_VFS_H
#define HAS_FSYNC
#ifndef NO_NIS
#define HAS_NIS
#endif
#define HAS_NETINFO
#define MISSING_SETENV_PUTENV
#define MISSING_MKFIFO
@ -1055,7 +1113,9 @@ typedef unsigned short mode_t;
#define HAVE_SYS_DIR_H
#define STATFS_IN_SYS_VFS_H
#define HAS_FSYNC
#ifndef NO_NIS
#define HAS_NIS
#endif
#define HAS_NETINFO
#define MISSING_SETENV_PUTENV
#define MISSING_MKFIFO
@ -1117,7 +1177,9 @@ extern int optind; /* XXX use <getopt.h> */
extern char *optarg; /* XXX use <getopt.h> */
extern int opterr; /* XXX use <getopt.h> */
#ifndef NO_NIS
#define HAS_NIS
#endif
#define GETTIMEOFDAY(t) gettimeofday(t)
#define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin:/usr/ucb"
#define USE_STATVFS
@ -1175,7 +1237,9 @@ extern int h_errno;
#define DEF_DB_TYPE "dbm"
#define ALIAS_DB_MAP "dbm:/etc/mail/aliases"
#define DBM_NO_TRAILING_NULL
#ifndef NO_NIS
#define HAS_NIS
#endif
#define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
#define ROOT_PATH "/bin:/etc:/usr/bin:/tcb/bin"
#define USE_STATVFS
@ -1316,10 +1380,15 @@ extern int inet_pton(int, const char *, void *);
#endif
/*
* Defaults for all systems.
* The Postfix 2.9 post-install workaround assumes that the inet_protocols
* default value is "ipv4" when Postfix is compiled without IPv6 support.
*/
#ifndef DEF_INET_PROTOCOLS
#define DEF_INET_PROTOCOLS "ipv4"
#ifdef HAS_IPV6
#define DEF_INET_PROTOCOLS INET_PROTO_NAME_ALL
#else
#define DEF_INET_PROTOCOLS INET_PROTO_NAME_IPV4
#endif
#endif
/*
@ -1363,6 +1432,14 @@ typedef int WAIT_STATUS_T;
#define NORMAL_EXIT_STATUS(status) ((status) == 0)
#endif
#ifdef NO_POSIX_GETPW_R
#undef HAVE_POSIX_GETPW_R
#endif
#ifdef NO_DB
#undef HAS_DB
#endif
#ifndef OCTAL_TO_UNSIGNED
#define OCTAL_TO_UNSIGNED(res, str) ((res) = strtoul((str), (char **) 0, 8))
#endif
@ -1552,6 +1629,9 @@ typedef int pid_t;
* Bit banging!! There is no official constant that defines the INT_MAX
* equivalent of the off_t type. Wietse came up with the following macro
* that works as long as off_t is some two's complement number.
*
* Note, however, that C99 permits signed integer representations other than
* two's complement.
*/
#include <limits.h>
#define __MAXINT__(T) ((T) (((((T) 1) << ((sizeof(T) * CHAR_BIT) - 1)) ^ ((T) -1))))