Source-Changes-HG archive


[src/trunk]: src/external/ibm-public/postfix/dist Resolve conflicts from last...



details:   https://anonhg.NetBSD.org/src/rev/eeec9f97ac33
branches:  trunk
changeset: 755722:eeec9f97ac33
user:      tron <tron%NetBSD.org@localhost>
date:      Thu Jun 17 18:18:14 2010 +0000

description:
Resolve conflicts from last import.

diffstat:

 external/ibm-public/postfix/dist/README_FILES/ADDRESS_VERIFICATION_README |  159 +-
 external/ibm-public/postfix/dist/README_FILES/TLS_README                  |    2 +-
 external/ibm-public/postfix/dist/conf/master.cf                           |   21 +-
 external/ibm-public/postfix/dist/html/ADDRESS_VERIFICATION_README.html    |  225 +-
 external/ibm-public/postfix/dist/html/TLS_README.html                     |    2 +-
 external/ibm-public/postfix/dist/html/postconf.5.html                     |  732 +++++++--
 external/ibm-public/postfix/dist/man/man5/postconf.5                      |  622 ++++++--
 external/ibm-public/postfix/dist/proto/ADDRESS_VERIFICATION_README.html   |  225 +-
 external/ibm-public/postfix/dist/proto/TLS_README.html                    |    2 +-
 external/ibm-public/postfix/dist/proto/postconf.proto                     |  671 ++++++--
 external/ibm-public/postfix/dist/src/cleanup/cleanup.c                    |   14 +-
 external/ibm-public/postfix/dist/src/cleanup/cleanup.h                    |    9 +-
 external/ibm-public/postfix/dist/src/cleanup/cleanup_envelope.c           |    7 +-
 external/ibm-public/postfix/dist/src/cleanup/cleanup_init.c               |    6 +-
 external/ibm-public/postfix/dist/src/global/mail_params.h                 |  138 +-
 external/ibm-public/postfix/dist/src/smtp/smtp.c                          |   23 +-
 external/ibm-public/postfix/dist/src/smtpd/smtpd.c                        |  198 +-
 external/ibm-public/postfix/dist/src/tls/tls_client.c                     |    2 +-
 external/ibm-public/postfix/dist/src/tls/tls_server.c                     |    2 +-
 external/ibm-public/postfix/dist/src/util/inet_addr_local.c               |   13 +-
 external/ibm-public/postfix/dist/src/util/unix_recv_fd.c                  |   18 +-
 external/ibm-public/postfix/dist/src/util/unix_send_fd.c                  |   52 +-
 22 files changed, 2290 insertions(+), 853 deletions(-)

diffs (truncated from 5565 to 300 lines):

diff -r a7d6fc14cb1d -r eeec9f97ac33 external/ibm-public/postfix/dist/README_FILES/ADDRESS_VERIFICATION_README
--- a/external/ibm-public/postfix/dist/README_FILES/ADDRESS_VERIFICATION_README Thu Jun 17 18:05:47 2010 +0000
+++ b/external/ibm-public/postfix/dist/README_FILES/ADDRESS_VERIFICATION_README Thu Jun 17 18:18:14 2010 +0000
@@ -4,10 +4,10 @@
 
 WWAARRNNIINNGG
 
-The sender/recipient address verification feature described in this document is
-suitable only for low-traffic sites. It performs poorly under high load;
-excessive sender address verification activity may even cause your site to be
-blacklisted by some providers. See the "Limitations" section below for details.
+Recipient address verification may cause an increased load on down-stream
+servers in the case of a dictionary attack or a flood of backscatter bounces.
+Sender address verification may cause your site to be blacklisted by some
+providers. See also the "Limitations" section below for more.
 
 WWhhaatt PPoossttffiixx aaddddrreessss vveerriiffiiccaattiioonn ccaann ddoo ffoorr yyoouu
 
@@ -18,8 +18,8 @@
 The technique has obvious uses to reject junk mail with an unreplyable sender
 address.
 
-The technique may also be useful to block mail for undeliverable recipients,
-for example on a mail relay host that does not have a list of all the valid
+The technique is also useful to block mail for undeliverable recipients, for
+example on a mail relay host that does not have a list of all the valid
 recipient addresses. This prevents undeliverable junk mail from entering the
 queue, so that Postfix doesn't have to waste resources trying to send MAILER-
 DAEMON messages back.
@@ -47,18 +47,26 @@
 messages are like normal mail, except that they are never delivered, deferred
 or bounced; probe messages are always discarded.
 
-                Postfix         Postfix             Address
-    Internet ->  SMTP   <->     verify      <->   verification
-                server          server              database
+                               
+                                             probe     Postfix
+                                            message ->   mail
+                                                        queue
+                Postfix        Postfix   ->
+    Internet ->  SMTP   <->     verify
+                server          server                      |
+                                                            v
 
-                                   |    ^
-                               probe    delivery
-                            messages    status
-                                   v    |
+                                         <-            Postfix
+                                             probe  <- delivery -> Local
+                                            status      agents  -> Remote
+                                    ^
+                                    |
+                                    v
+                                          
 
-                            Postfix     Postfix
-                             queue   -> delivery
-                                         agents
+                              Address
+                            verification
+                              database
 
 With Postfix address verification turned on, normal mail will suffer only a
 short delay of up to 6 seconds while an address is being verified for the first
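Review bot: The redrawn diagram adds two lines that contain only spaces (the first "+" line and the one just before "Address verification database"), and several arrows now have nothing at one end, for example `Postfix        Postfix   ->` and the bare `<-            Postfix`. That looks like table cells lost when the text README was generated from the HTML; the removed three-box version was readable as plain text, so either regenerate the text form or hand-align the boxes so each arrow connects two labels.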
@@ -77,7 +85,8 @@
     address, without actually delivering mail to it. If the nearest MTA accepts
     the address, then Postfix assumes that the address is deliverable. In
     reality, mail for a remote address can bounce AFTER the nearest MTA accepts
-    the recipient address.
+    the recipient address, or AFTER the nearest MTA accepts the message
+    content.
 
   * Some sites may blacklist you when you are probing them too often (a probe
     is an SMTP session that does not deliver mail), or when you are probing
@@ -95,30 +104,31 @@
   * Postfix assumes that an address is undeliverable when the nearest MTA for
     the address rejects the probe, regardless of the reason for rejection
     (client rejected, HELO rejected, MAIL FROM rejected, etc.). Thus, Postfix
-    rejects mail when the sender's MTA rejects mail from your machine. This is
-    a good thing.
+    rejects an address when the nearest MTA for that address rejects mail from
+    your machine for any reason. This is not a limitation, but it is mentioned
+    here just in case people believe that it is a limitation.
 
-  * Unfortunately, some major sites such as YAHOO do not reject unknown
-    addresses in reply to the RCPT TO command, but report a delivery failure in
-    response to end of DATA after a message is transferred. Postfix address
-    verification does not work with such sites.
+  * Unfortunately, some sites do not reject unknown addresses in reply to the
+    RCPT TO command, but report a delivery failure in response to end of DATA
+    after a message is transferred. Postfix address verification does not work
+    with such sites.
 
-  * By default, Postfix probe messages have "double-bounce@$myorigin" as the
-    sender address (with Postfix versions before 2.5, the default is
+  * By default, Postfix probe messages have a sender address "double-
+    bounce@$myorigin" (with Postfix versions before 2.5, the default is
     "postmaster@$myorigin"). This is SAFE because the Postfix SMTP server does
     not reject mail for this address.
 
-    You can change this into the null address ("address_verify_sender ="). This
-    is UNSAFE because address probes will fail with mis-configured sites that
-    reject MAIL FROM: <>, while probes from "postmaster@$myorigin" would
-    succeed.
+    You can change the probe sender address into the null address
+    ("address_verify_sender ="). This is UNSAFE because address probes will
+    fail with mis-configured sites that reject MAIL FROM: <>, while probes from
+    "postmaster@$myorigin" would succeed.
 
 RReecciippiieenntt aaddddrreessss vveerriiffiiccaattiioonn
 
-As mentioned earlier, recipient address verification may be useful to block
-mail for undeliverable recipients on a mail relay host that does not have a
-list of all valid recipient addresses. This can help to prevent the mail queue
-from filling up with MAILER-DAEMON messages.
+As mentioned earlier, recipient address verification is useful to block mail
+for undeliverable recipients on a mail relay host that does not have a list of
+all valid recipient addresses. This can help to prevent the mail queue from
+filling up with MAILER-DAEMON messages.
 
 Recipient address verification is relatively straightforward and there are no
 surprises. If a recipient probe fails, then Postfix rejects mail for the
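Review bot: In the probe sender bullet, the default is now given as "double-bounce@$myorigin", but the UNSAFE paragraph still ends with `"postmaster@$myorigin" would succeed`, which is the pre-2.5 default according to the same bullet. Compare against the current default, or say "the default sender address", so the two paragraphs agree. The new wrapping also splits the address across lines as `"double-` / `bounce@$myorigin"`, which reads as if the address contained a space; keep the quoted address on one line.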
@@ -127,9 +137,10 @@
 increase the load on down-stream MTAs when you're being flooded by backscatter
 bounces, or when some spammer is mounting a dictionary attack.
 
-By default, address verification results are not saved. To avoid probing the
-same address repeatedly, you can store the result in a persistent database as
-described later.
+By default, address verification results are saved in a persistent database
+(Postfix version 2.7 and later; with earlier versions, specify the database in
+main.cf as described later). The persistent database helps to avoid probing the
+same address repeatedly.
 
     /etc/postfix/main.cf:
         smtpd_recipient_restrictions =
@@ -177,11 +188,13 @@
         # Postfix 2.6 and later.
         # unverified_sender_defer_code = 250
 
+        # Default setting for Postfix 2.7 and later.
         # Note 1: Be sure to read the "Caching" section below!
         # Note 2: Avoid hash files here. Use btree instead.
         address_verify_map = btree:/var/db/postfix/verify
 
     /etc/postfix/sender_access:
+        # Don't do this when you handle lots of email.
         aol.com     reject_unverified_sender
         hotmail.com reject_unverified_sender
         bigfoot.com reject_unverified_sender
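Review bot: The added comment "Default setting for Postfix 2.7 and later." sits directly above `address_verify_map = btree:/var/db/postfix/verify`, but the database section later in this patch gives the 2.7 default as `btree:$data_directory/verify_cache`. Either update the path in this example or reword the comment (for instance "Persistent storage is the default with Postfix 2.7 and later"), and make the same change where the comment is added again in the next hunk. Separately, "Don't do this when you handle lots of email." does not say what "this" is; name the per-domain reject_unverified_sender entries explicitly.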
@@ -216,6 +229,7 @@
         # Postfix 2.6 and later.
         # unverified_sender_reject_reason = Address verification failed
 
+        # Default setting for Postfix 2.7 and later.
         # Note 1: Be sure to read the "Caching" section below!
         # Note 2: Avoid hash files here. Use btree instead.
         address_verify_map = btree:/var/db/postfix/verify
@@ -261,54 +275,61 @@
 
 AAddddrreessss vveerriiffiiccaattiioonn ddaattaabbaassee
 
-NOTE: By default, address verification information is not stored in a
-persistent file. You have to specify one in main.cf (see below). Persistent
-storage is off by default because it may need more disk space than is available
-in your file system.
-
-Address verification information is cached by the Postfix verify daemon.
-Postfix has a bunch of parameters that control the caching of positive and
-negative results. Refer to the verify(8) manual page for details.
-
-The address_verify_map (NOTE: singular) configuration parameter specifies an
-optional database for sender or recipient address verification results. If you
-don't specify a file, all address verification information is lost after
-"postfix reload" or "postfix stop".
-
-If your /var file system has sufficient space, try:
+To improve performance, the Postfix verify(8) daemon can save address
+verification results to a persistent database. This is enabled by default with
+Postfix 2.7 and later. The address_verify_map (NOTE: singular) configuration
+parameter specifies persistent storage for sender or recipient address
+verification results. If you specify an empty value, all address verification
+results are lost after "postfix reload" or "postfix stop".
 
     /etc/postfix/main.cf:
+        # Default setting for Postfix 2.7 and later.
         # Note: avoid hash files here. Use btree instead.
-        address_verify_map = btree:/var/db/postfix/verify
+        address_verify_map = btree:$data_directory/verify_cache
+
+        # Default setting for Postfix 2.6 and earlier.
+        # This uses non-persistent storage only.
+        address_verify_map =
 
-NOTE 1: As of version 2.5, Postfix no longer uses root privileges when opening
-this file. The file should now be stored under the Postfix-owned
-data_directory. As a migration aid, an attempt to open the file under a non-
-Postfix directory is redirected to the Postfix-owned data_directory, and a
-warning is logged. If you wish to continue using a pre-existing database file,
-move it to the data_directory, and change ownership to the account specified
-with the mail_owner parameter.
+NOTE 1: The database file should be stored under a Postfix-owned directory,
+such as $data_directory.
+
+    As of version 2.5, Postfix no longer uses root privileges when opening this
+    file. To maintain backwards compatibility, an attempt to open the file
+    under a non-Postfix directory is redirected to the Postfix-owned
+    data_directory, and a warning is logged. If you wish to continue using a
+    pre-existing database file, change its file ownership to the account
+    specified with the mail_owner parameter, and either move the file to the
+    data_directory, or move it to some other Postfix-owned directory.
 
 NOTE 2: Do not put this file in a file system that may run out of space. When
 the address verification table gets corrupted the world comes to an end and YOU
 will have to MANUALLY fix things as described in the next section. Meanwhile,
 you will not receive mail via SMTP.
 
-NOTE 3: The verify(8) daemon process will create a new database when none
-exists, and will open/create the file before it enters the chroot jail.
+NOTE 3: The verify(8) daemon will create a new database when none exists. It
+will open or create the file before entering the chroot jail.
 
 MMaannaaggiinngg tthhee aaddddrreessss vveerriiffiiccaattiioonn ddaattaabbaassee
 
-The verify(8) manual page describes parameters that control how long
-information remains cached before it needs to be refreshed, and how long
-information can remain "unrefreshed" before it expires. Postfix uses different
+The verify(8) manual page describes parameters that control how long address
+verification results are cached before they need to be refreshed, and how long
+results can remain "unrefreshed" before they expire. Postfix uses different
 controls for positive results (address was accepted) and for negative results
-(address was rejected).
+(address was rejected, or address verification failed for some other reason).
 
-Right now, no tools are provided to manage the address verification database.
-If the file gets too big, or if it gets corrupted, you can manually rename or
-delete the file and run "postfix reload". The new verify daemon process will
-then create a new database.
+The verify(8) daemon will periodically remove expired entries from the address
+verification database, and log the number of entries retained and dropped
+(Postfix versions 2.7 and later). A cleanup run is logged as "partial" when the
+daemon terminates early because of "postfix reload, "postfix stop", or because
+the daemon received no requests for $max_idle seconds. Postfix versions 2.6 and
+earlier do not implement automatic address verification database cleanup.
+There, the database is managed manually as described next.
+
+When the address verification database file becomes too big, or when it becomes
+corrupted, the solution is to manually rename or delete (NOT: truncate) the
+file and run "postfix reload". The verify(8) daemon will then create a new
+database file.
 
 CCoonnttrroolllliinngg tthhee rroouuttiinngg ooff aaddddrreessss vveerriiffiiccaattiioonn pprroobbeess
 
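Review bot: The new main.cf example shows two uncommented assignments, `address_verify_map = btree:$data_directory/verify_cache` followed by `address_verify_map =`, so anyone pasting the block as written ends up with the empty value and no persistent cache; comment out the second assignment or split the example into two blocks. In the cleanup paragraph the quoting is unbalanced at `"postfix reload, "postfix stop"` (missing closing quote after reload). The "(NOT: truncate)" instruction is given without a reason; one clause saying why truncating is unsafe would help operators who script this step. NOTE 1 now tells the reader to change ownership before moving the file, which is the right order, but it could state that the target directory must not be writable by other accounts.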
diff -r a7d6fc14cb1d -r eeec9f97ac33 external/ibm-public/postfix/dist/README_FILES/TLS_README
--- a/external/ibm-public/postfix/dist/README_FILES/TLS_README  Thu Jun 17 18:05:47 2010 +0000
+++ b/external/ibm-public/postfix/dist/README_FILES/TLS_README  Thu Jun 17 18:18:14 2010 +0000
@@ -1659,7 +1659,7 @@
 controls the minimum acceptable SMTP client TLS cipher grade for use with
 mandatory TLS encryption. The default value "medium" is suitable for most
 destinations with which you may want to enforce TLS, and is beyond the reach of
-today's crypt-analytic methods. See smtp_tls_policy_maps for information on how
+today's cryptanalytic methods. See smtp_tls_policy_maps for information on how
 to configure ciphers on a per-destination basis.
 
 By default anonymous ciphers are allowed, and automatically disabled when
diff -r a7d6fc14cb1d -r eeec9f97ac33 external/ibm-public/postfix/dist/conf/master.cf
--- a/external/ibm-public/postfix/dist/conf/master.cf   Thu Jun 17 18:05:47 2010 +0000
+++ b/external/ibm-public/postfix/dist/conf/master.cf   Thu Jun 17 18:18:14 2010 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: master.cf,v 1.2 2009/06/23 11:41:06 tron Exp $
+#      $NetBSD: master.cf,v 1.3 2010/06/17 18:18:14 tron Exp $
 #
 #
 # Postfix master process configuration file.  For details on the format
@@ -21,7 +21,7 @@
 #  -o smtpd_sasl_auth_enable=yes
 #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING
-#628      inet  n       -       n       -       -       qmqpd
+#628       inet  n       -       n       -       -       qmqpd
 pickup    fifo  n       -       n       60      1       pickup
 cleanup   unix  n       -       n       -       0       cleanup
 qmgr      unix  n       -       n       300     1       qmgr
@@ -67,10 +67,14 @@
 #
 # ====================================================================
 #
-# The Cyrus deliver program has changed incompatibly, multiple times.
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
 #
-#old-cyrus unix  -       n       n       -       -       pipe
-#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
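Review bot: The suggested cyrus.conf line `lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4` is given without explaining `-a`, which makes lmtpd treat connections on that socket as pre-authorized. The comment should say so and state that the listener must stay bound to localhost, because any local process that can reach the port can then inject mail into mailboxes without authenticating. The removed pipe entry ran the delivery under `user=cyrus`; it would be worth noting that the lmtp route replaces that privilege boundary with network reachability of the port.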


