90
90
/* not contain RFC 822 style comments or phrases.
92
92
/* Available in Postfix version 2.1 and later:
93
/* .IP "\fBresolve_null_domain (no)\fR"
94
/* Resolve an address that ends in the "@" null domain as if the
95
/* local hostname were specified, instead of rejecting the address as
97
93
/* .IP "\fBsmtpd_reject_unlisted_sender (no)\fR"
98
94
/* Request that the Postfix SMTP server rejects mail from unknown
99
95
/* sender addresses, even when no explicit reject_unlisted_sender
135
131
/* Available in Postfix version 2.9 and later:
136
132
/* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
137
/* Change the behavior of the smtpd_timeout time limit, from a
133
/* Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
134
/* time limits, from a
138
135
/* time limit per read or write system call, to a time limit to send
139
136
/* or receive a complete record (an SMTP command line, SMTP response
140
137
/* line, SMTP message content line, or TLS protocol message).
318
315
/* .IP "\fBcyrus_sasl_config_path (empty)\fR"
319
316
/* Search path for Cyrus SASL application configuration files,
320
317
/* currently used only to locate the $smtpd_sasl_path.conf file.
319
/* Available in Postfix version 2.11 and later:
320
/* .IP "\fBsmtpd_sasl_service (smtp)\fR"
321
/* The service name that is passed to the SASL plug-in that is
322
/* selected with \fBsmtpd_sasl_type\fR and \fBsmtpd_sasl_path\fR.
321
323
/* STARTTLS SUPPORT CONTROLS
362
364
/* File with the Postfix SMTP server DSA certificate in PEM format.
363
365
/* .IP "\fBsmtpd_tls_dh1024_param_file (empty)\fR"
364
366
/* File with DH parameters that the Postfix SMTP server should
365
/* use with EDH ciphers.
367
/* use with non-export EDH ciphers.
366
368
/* .IP "\fBsmtpd_tls_dh512_param_file (empty)\fR"
367
369
/* File with DH parameters that the Postfix SMTP server should
368
/* use with EDH ciphers.
370
/* use with export-grade EDH ciphers.
369
371
/* .IP "\fBsmtpd_tls_dkey_file ($smtpd_tls_dcert_file)\fR"
370
372
/* File with the Postfix SMTP server DSA private key in PEM format.
371
373
/* .IP "\fBsmtpd_tls_key_file ($smtpd_tls_cert_file)\fR"
389
391
/* .IP "\fBsmtpd_tls_req_ccert (no)\fR"
390
392
/* With mandatory TLS encryption, require a trusted remote SMTP client
391
393
/* certificate in order to allow TLS connections to proceed.
392
/* .IP "\fBsmtpd_tls_session_cache_database (empty)\fR"
393
/* Name of the file containing the optional Postfix SMTP server
394
/* TLS session cache.
395
/* .IP "\fBsmtpd_tls_session_cache_timeout (3600s)\fR"
396
/* The expiration time of Postfix SMTP server TLS session cache
398
394
/* .IP "\fBsmtpd_tls_wrappermode (no)\fR"
399
395
/* Run the Postfix SMTP server in the non-standard "wrapper" mode,
400
396
/* instead of using the STARTTLS command.
452
448
/* .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR"
453
449
/* List or bit-mask of OpenSSL bug work-arounds to disable.
451
/* Available in Postfix version 2.11 and later:
452
/* .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
453
/* The name of the \fBtlsmgr\fR(8) service entry in master.cf.
454
454
/* OBSOLETE STARTTLS CONTROLS
529
529
/* Available in Postfix version 2.10 and later:
530
530
/* .IP "\fBsmtpd_log_access_permit_actions (empty)\fR"
531
531
/* Enable logging of the named "permit" actions in SMTP server
532
/* access lists (by default, the SMTP server logs "reject" actions but
533
/* not "permit" actions).
533
534
/* KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS
666
667
/* Available in Postfix version 2.9 and later:
667
668
/* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
668
/* Change the behavior of the smtpd_timeout time limit, from a
669
/* Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
670
/* time limits, from a
669
671
/* time limit per read or write system call, to a time limit to send
670
672
/* or receive a complete record (an SMTP command line, SMTP response
671
673
/* line, SMTP message content line, or TLS protocol message).
782
784
/* applies in the context of the SMTP END-OF-DATA command.
784
786
/* Available in Postfix version 2.10 and later:
785
/* .IP "\fBsmtpd_relay_restrictions (permit_mynetworks, reject_unauth_destination)\fR"
787
/* .IP "\fBsmtpd_relay_restrictions (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)\fR"
786
788
/* Access restrictions for mail relay control that the Postfix
787
789
/* SMTP server applies in the context of the RCPT TO command, before
788
790
/* smtpd_recipient_restrictions.
955
957
/* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
956
958
/* The location of the Postfix top-level queue directory.
957
959
/* .IP "\fBrecipient_delimiter (empty)\fR"
958
/* The separator between user names and address extensions (user+foo).
960
/* The set of characters that can separate a user name from its
961
/* extension (example: user+foo), or a .forward file name from its
962
/* extension (example: .forward+foo).
959
963
/* .IP "\fBsmtpd_banner ($myhostname ESMTP $mail_name)\fR"
960
964
/* The text that follows the 220 status code in the SMTP greeting
1180
1184
bool var_smtpd_sasl_auth_hdr;
1181
1185
char *var_smtpd_sasl_opts;
1182
1186
char *var_smtpd_sasl_path;
1187
char *var_smtpd_sasl_service;
1183
1188
char *var_cyrus_conf_path;
1184
1189
char *var_smtpd_sasl_realm;
1185
1190
char *var_smtpd_sasl_exceptions_networks;
1262
1267
char *var_smtpd_tls_mand_proto;
1263
1268
bool var_smtpd_tls_received_header;
1264
1269
bool var_smtpd_tls_req_ccert;
1265
int var_smtpd_tls_scache_timeout;
1266
1270
bool var_smtpd_tls_set_sessid;
1267
1271
char *var_smtpd_tls_fpt_dgst;
1268
1272
char *var_smtpd_tls_ciph;
1845
1849
if (smtpd_proxy_create(state, smtpd_proxy_opts, var_smtpd_proxy_filt,
1846
1850
var_smtpd_proxy_tmout, var_smtpd_proxy_ehlo,
1847
1851
state->proxy_mail) != 0) {
1848
smtpd_chat_reply(state, "%s", STR(state->proxy->buffer));
1852
smtpd_chat_reply(state, "%s", STR(state->proxy->reply));
1849
1853
smtpd_proxy_free(state);
2688
2692
proxy = state->proxy;
2689
2693
if (proxy != 0 && proxy->cmd(state, SMTPD_PROX_WANT_OK,
2690
2694
"%s", STR(state->buffer)) != 0) {
2691
smtpd_chat_reply(state, "%s", STR(proxy->buffer));
2695
smtpd_chat_reply(state, "%s", STR(proxy->reply));
2937
2941
proxy = state->proxy;
2938
2942
if (proxy != 0 && proxy->cmd(state, SMTPD_PROX_WANT_MORE,
2939
2943
"%s", STR(state->buffer)) != 0) {
2940
smtpd_chat_reply(state, "%s", STR(proxy->buffer));
2944
smtpd_chat_reply(state, "%s", STR(proxy->reply));
3147
3151
if (state->err == CLEANUP_STAT_OK) {
3148
3152
(void) proxy->cmd(state, SMTPD_PROX_WANT_ANY, ".");
3149
3153
if (state->err == CLEANUP_STAT_OK &&
3150
*STR(proxy->buffer) != '2')
3154
*STR(proxy->reply) != '2')
3151
3155
state->err = CLEANUP_STAT_CONT;
3236
3240
state->error_mask = 0;
3237
3241
state->junk_cmds = 0;
3239
smtpd_chat_reply(state, "%s", STR(proxy->buffer));
3243
smtpd_chat_reply(state, "%s", STR(proxy->reply));
3241
3245
smtpd_chat_reply(state,
3242
3246
"250 2.0.0 Ok: queued as %s", state->queue_id);
3272
3276
state->error_mask |= MAIL_ERROR_POLICY;
3273
3277
detail = cleanup_stat_detail(CLEANUP_STAT_CONT);
3275
smtpd_chat_reply(state, "%s", STR(proxy->buffer));
3279
smtpd_chat_reply(state, "%s", STR(proxy->reply));
3276
3280
} else if (why && LEN(why) > 0) {
3277
3281
/* Allow address-specific DSN status in header/body_checks. */
3278
3282
smtpd_chat_reply(state, "%d %s", detail->smtp, STR(why));
3287
3291
detail->smtp, detail->dsn, detail->text);
3288
3292
} else if ((state->err & CLEANUP_STAT_PROXY) != 0) {
3289
3293
state->error_mask |= MAIL_ERROR_SOFTWARE;
3290
smtpd_chat_reply(state, "%s", STR(proxy->buffer));
3294
smtpd_chat_reply(state, "%s", STR(proxy->reply));
3292
3296
state->error_mask |= MAIL_ERROR_SOFTWARE;
3293
3297
detail = cleanup_stat_detail(CLEANUP_STAT_BAD);
3302
3306
msg_info("proxy-%s: %s: %s;%s",
3303
3307
(state->err == CLEANUP_STAT_OK) ? "accept" : "reject",
3304
state->where, STR(proxy->buffer), smtpd_whatsup(state));
3308
state->where, STR(proxy->reply), smtpd_whatsup(state));
3307
3311
* Cleanup. The client may send another MAIL command.
3401
3406
smtpd_chat_reply(state, "502 5.5.1 VRFY command is disabled");
3404
if (smtpd_milters != 0 && (err = milter_other_event(smtpd_milters)) != 0
3405
&& (err[0] == '5' || err[0] == '4')) {
3406
state->error_mask |= MAIL_ERROR_POLICY;
3407
smtpd_chat_reply(state, "%s", err);
3410
3409
if (argc < 2) {
3411
3410
state->error_mask |= MAIL_ERROR_PROTOCOL;
3412
3411
smtpd_chat_reply(state, "501 5.5.4 Syntax: VRFY address");
3416
* XXX The client event count/rate control must be consistent in its use
3417
* of client address information in connect and disconnect events. For
3418
* now we exclude xclient authorized hosts from event count/rate control.
3420
if (SMTPD_STAND_ALONE(state) == 0
3423
&& var_smtpd_crcpt_limit > 0
3424
&& !namadr_list_match(hogger_list, state->name, state->addr)
3425
&& anvil_clnt_rcpt(anvil_clnt, state->service, state->addr,
3426
&rate) == ANVIL_STAT_OK
3427
&& rate > var_smtpd_crcpt_limit) {
3428
state->error_mask |= MAIL_ERROR_POLICY;
3429
msg_warn("Recipient address rate limit exceeded: %d from %s for service %s",
3430
rate, state->namaddr, state->service);
3431
smtpd_chat_reply(state, "450 4.7.1 Error: too many recipients from %s",
3435
if (smtpd_milters != 0 && (err = milter_other_event(smtpd_milters)) != 0
3436
&& (err[0] == '5' || err[0] == '4')) {
3437
state->error_mask |= MAIL_ERROR_POLICY;
3438
smtpd_chat_reply(state, "%s", err);
3416
3442
collapse_args(argc - 1, argv + 1);
3417
3443
if (extract_addr(state, argv + 1, REJECT_EMPTY_ADDR, SLOPPY) != 0) {
4206
4232
namaddr = state->namaddr,
4207
4233
cipher_grade = cipher_grade,
4208
4234
cipher_exclusions = STR(cipher_exclusions),
4209
fpt_dgst = var_smtpd_tls_fpt_dgst);
4235
mdalg = var_smtpd_tls_fpt_dgst);
4211
4237
#endif /* USE_TLSPROXY */
4346
4372
state->port, var_smtpd_tmout);
4347
4373
if (state->tlsproxy == 0) {
4348
4374
state->error_mask |= MAIL_ERROR_SOFTWARE;
4349
/* RFC 4954 Section 6. */
4375
/* RFC 3207 Section 4. */
4350
4376
smtpd_chat_reply(state, "454 4.7.0 TLS not available due to local problem");
4353
4379
#else /* USE_TLSPROXY */
4354
4380
if (smtpd_tls_ctx == 0) {
4355
4381
state->error_mask |= MAIL_ERROR_SOFTWARE;
4356
/* RFC 4954 Section 6. */
4382
/* RFC 3207 Section 4. */
4357
4383
smtpd_chat_reply(state, "454 4.7.0 TLS not available due to local problem");
5128
5154
log_level = var_smtpd_tls_loglevel,
5129
5155
verifydepth = var_smtpd_tls_ccert_vd,
5130
5156
cache_type = TLS_MGR_SCACHE_SMTPD,
5132
= var_smtpd_tls_scache_timeout,
5133
5157
set_sessid = var_smtpd_tls_set_sessid,
5134
5158
cert_file = cert_file,
5135
5159
key_file = var_smtpd_tls_key_file,
5148
5172
var_smtpd_tls_mand_proto :
5149
5173
var_smtpd_tls_proto,
5150
5174
ask_ccert = ask_client_cert,
5151
fpt_dgst = var_smtpd_tls_fpt_dgst);
5175
mdalg = var_smtpd_tls_fpt_dgst);
5153
5177
msg_warn("No server certs available. TLS won't be enabled");
5154
5178
#endif /* USE_TLSPROXY */
5302
5326
VAR_SMTPD_POLICY_TTL, DEF_SMTPD_POLICY_TTL, &var_smtpd_policy_ttl, 1, 0,
5304
5328
VAR_SMTPD_STARTTLS_TMOUT, DEF_SMTPD_STARTTLS_TMOUT, &var_smtpd_starttls_tmout, 1, 0,
5305
VAR_SMTPD_TLS_SCACHTIME, DEF_SMTPD_TLS_SCACHTIME, &var_smtpd_tls_scache_timeout, 0, 0,
5307
5330
VAR_MILT_CONN_TIME, DEF_MILT_CONN_TIME, &var_milt_conn_time, 1, 0,
5308
5331
VAR_MILT_CMD_TIME, DEF_MILT_CMD_TIME, &var_milt_cmd_time, 1, 0,
5365
5388
VAR_LOCAL_RCPT_MAPS, DEF_LOCAL_RCPT_MAPS, &var_local_rcpt_maps, 0, 0,
5366
5389
VAR_SMTPD_SASL_OPTS, DEF_SMTPD_SASL_OPTS, &var_smtpd_sasl_opts, 0, 0,
5367
5390
VAR_SMTPD_SASL_PATH, DEF_SMTPD_SASL_PATH, &var_smtpd_sasl_path, 1, 0,
5391
VAR_SMTPD_SASL_SERVICE, DEF_SMTPD_SASL_SERVICE, &var_smtpd_sasl_service, 1, 0,
5368
5392
VAR_CYRUS_CONF_PATH, DEF_CYRUS_CONF_PATH, &var_cyrus_conf_path, 0, 0,
5369
5393
VAR_SMTPD_SASL_REALM, DEF_SMTPD_SASL_REALM, &var_smtpd_sasl_realm, 0, 0,
5370
5394
VAR_SMTPD_SASL_EXCEPTIONS_NETWORKS, DEF_SMTPD_SASL_EXCEPTIONS_NETWORKS, &var_smtpd_sasl_exceptions_networks, 0, 0,