DevHeads.net

HI,

postfix 2.5.6 fails compiling on OpenSolaris build 130 and later, I think because
the NIS include files got cleaned up.

This looks related to NIS+ removal from OpenSolaris (not Solaris), see link:
http://mail.opensolaris.org/pipermail/opensolaris-arc/2009-October/01845...)

I couldn't find where he presence of NIS on a system is detected.
My Question: There an easy way to completely leave out the NIS code from compiling?

Thanks much,
Thomas

/opt/SUNWspro/bin/cc -Dstrcasecmp=fix_strcasecmp -Dstrncasecmp=fix_strncasecmp -DHAS_PCRE -I/usr/include/pcre -i -xO4

Hi.

I might have found some possible bugs/inconsistencies in the documentation:

1) http://www.postfix.org/postconf.5.html#smtpd_tls_CApath
Refers to smtp_tls_CAfile, but I think smtps_tls_CAfile is meant.

2) To include the root-CA or not?!
http://www.postfix.org/TLS_README.html#server_cert_key seems to say
that the root CA of the server certificate needs not to be included in
the smtpd_tls_cert_file (or it's brothers for DSA, etc) (but only
intermediate CAs):

and

But:
http://www.postfix.org/postconf.5.html#smtpd_tls_cert_file tells
something different, for example in the foll

Mailman 3.x will introduce a LMTP server and it will generate a Postfix style
transport map.

A postmaster will only have to add that maps path to $transport_maps and
create a dedicated lmtp service in master.cf.

I would like to simplify that step and provide a dedicated lmtp service in
master.cf that remains commented out until a postmaster decides to use that.

Would that be feasible? What would I have to do? I guess I should provide the
entry and some documentation that describes what to do - a MAILMAN readme or
something alike.

p at rick

I have to say I'm not familiar with postfix' memory management.

Reading local/recipient.c, I'm wondering where state.msg_attr.{local,user} are myree()d in the return (bounce_append(...)) case.

I'm not sure whether such novice's questions are considered appropriate for this list, but could someone hint me (off-list, if appropriate) to how that works?

Thanks.

I noticed that 2.7 now defines HAS_CLOSEFROM for FreeBSD 8.0. However,
because the closefrom() system call was "merged" into RELENG_7, Postfix
fails to compile for anyone running FreeBSD 7-STABLE. I appreciate that
Postfix cannot be made to compile on every iteration of all platforms,
but in case you are amenable to a small patch (one we use in the ports
tree), it is below. You can ignore the initial reference to FREEBSD9,
which correlates with a modification of makedefs to support the latest
development branch.

HI ALL:
I try to understand how the initial_destination_concurrency and
default_destination_concurrency_limit work? How can it support to improve
the output of delivery. I do a small test.
I config the postfix like this:
qmgr_message_active_limit = 50
qmgr_message_recipient_limit = 50
initial_destination_concurrency = 10
default_destination_concurrency_limit = 10
default_destination_rate_delay = 10s

and then, I send 5 mail to one server, such as <...> at A dot com, 5 mail for the
other server, such as <...> at B dot com.
From the server side, I can see postfix send mail one by one.

Please find included, a pacth to let postfix 2.7 runs
on FreeBSD 8.

Patch is also on :
http://www.calyopea.com/postfix-2.7-20090828.freebsd8.patch
(it will be removed in 1 month)

Best regards. P.Moulin

I recently discovered a case where having a check_client_ns_access
restriction would've spared me a round of whack-a-spammer, so the attached
patch implements check_client_{mx,ns}_access and the companion
check_reverse_client_hostname_{mx,ns}_access restrictions. It applies to
both postfix-2.7-20090828 and the corresponding -nonprod releases.
Feedback would be appreciated; I've tested these a bit, but am not
entirely sure I've got the SMTPD_STATE semantics correct.

-Rob

P.S. I posted a small patch to add a warning for smtpd_helo_required on
July 17th...

Hi. I have noticed that postfix does not support dovecot's
`valid-client-cert' parameter for SASL authentication. I have
implemented this feature and attached my changes as a diff.

The code base I used is located here:
ftp://ftp.porcupine.org/mirrors/postfix-release/experimental/postfix-2.7...

Feedback is welcome.

Here are the postscreen results for the week of July 20-26 inclusive. The
DNSBL numbers are for zen and barracuda only; others that appear in the
rejection list are applied more selectively. Pregreeters are allowed to
reach the real smtpd, all were rejected for other reasons.

Client certificates can be used to authenticate a user that connects to
LDAP. The postfix dict_ldap already supports using client certificates
when connecting.

The attached patch adds the missing bit, and allows authentication using
a client certificate by using sasl 'EXTERNAL' when binding.

Adds a new config option:

bind_mech
Mechanism to use for binding. \simple\ means use the
\bind_dn\ and \bind_pw\ to do a simple bind. \external\
means use a client certificate specified in \tls_cert\
as credentials.

I finally got around to building a new snapshot and enabling postscreen
last night, mostly as I'm interested in the correlation between
pregreeters and some existing heavy-hitting restrictions, and thus am not
using it to drop connections just yet.

I noticed that "postscreen_greet_action = continue" doesn't quite work as
advertised when smtpd_helo_required is enabled, specifically that each
PREGREET connection is dropped after the handoff to the real SMTP server
due to a missing HELO/EHLO.

Hi All:

I am viewing the source code of postfix-2.6.2 these days, and I find a
place not so comprehensible.

In line 204 of file qmgr_active.c, we move the queue file to the active queue.
But in line 229 of the same file, we call function qmgr_message_alloc,
and in this function,
we call function mail_queue_remove again in line 1464 of file
qmgr_message.c to move
the queue file from deferred directory.

I wonder why we delete the letter again to do the definitely useless job.

Thank you!

I'd like to propose a Postfix-specific ESMTP feature that would
enable the caching of TLS connections by disabling crypto on
the session before putting it into the cache, and re-enabling
crypto right after.

S: 220 server.example.com ESMTP
C: EHLO client.example.com
S: 250-server.example.com
S: 250-PIPELINING
S: 250 STARTTLS
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
C:
S:
C: EHLO client.example.com
S: 250-server.example.com
S: 250-PIPELINING
S: 250 XSTOPTLS <--- new ESMTP feature!
C: MAIL FROM:<<...> at example dot com>
C: RCPT TO:<<...> at example dot com>

Hi,

current 2.6.1 tries to detect if epoll is available under linux by compiling a
short code snippet and executing it. Epoll is disabled if the code does not
exit successfully. But if the headers needed for epoll aren't available,
compiling fails and makedefs exits. I don't think this is a good solution as I
see no other way for the user to fix this than to patch the makedefs-script.

I prefer if epoll would be disabled if the needed headers aren't available.
The attached patch implements this behavior.

Kind regards,

Gerd

Hi,
Some days ago, I intalled a mailserver using postfix 2.5.6 source package. In the beginning, ererything works fine.
Then, I decieded to add a SASL module, so i download cyrus-sasl-2.1.22 , and compiled them.
unfortunately, the sasl module didn't work. The log only displayed that smtpd daemon exit unnormally. I googled the internet to solve this proble, but nothing help.

Hello.

There is a race condition in handling hash type lookup table. Problem results
from that smtpd (and probably other daemons) keeps database files open for all
time it is running. During that, if database file will be changed (e.g.
postmap will be invoked to rebuild database file), smtpd will not find
existing keys because binary arrangement of database file will be different.
Problem appears when number of entries in database is greater than some value
(on my systems it was 4174, but I don't know what it results from, so it may
be different on other systems).

(hopefully the address is correct);
when using balsa and postfix I keep hitting this:

postfix/sendmail[3059]: fatal: Recipient addresses must
be specified on the command line or via the -t option

Is this something that need to be changed with balsa,
or can I change this somewhere else?

regards;

Hi,

i often use "postmap -q -" interactive from a shell or as a background
process for lookups in perl scripts.

Is it possible to make postmap -q flush its output after each line?

--- postmap.c 2007-12-04 17:25:13.000000000 +0100
+++ postmap.c.modified 2009-03-06 08:30:52.000000000 +0100
@@ -410,13 +410,12 @@
dicts[n]->type, dicts[n]->name);
}
vstream_printf("%s %s\n", STR(keybuf), value);
+ vstream_fflush(VSTREAM_OUT);
found = 1;
break;
}
}
}
- if (

Hello,

I assume this would be the right forum to ask this question, but correct
me if I'm wrong.

I know that Postfix is under IBM license. Is it permitted to copy
Postfix source code into GPL-based project (with proper citations of
course)?

There are a few functions that I am interested in, nothing more. I could
rewrite them in my own words if I must, but I would obviously prefer the
convenience of simply citing their original authors...

- Tom Rapier

I've read the thread from 2007 regarding the security implications of tcp
for virtual mailbox and user lookup. I feel that restricting the
connectivity to localhost would be just as secure as non-hash text files
like pcre/regex. I'm trying to integrate domain/mailbox lookups and an LMTP
service inside a DB environment.

Is there any possibility that the implicit defer_if_permit patch (what I'd
been calling smtpd_delay_soft_reject) will be included in 2.6?

I'm not sure if postfix handles the mbox encoding itself, or if it
uses one of the plethora of external unix commands for that.
If it does, I would like to report a bug:

--Priority: Medium

--Description:
Postfix doesn't escape mbox >From lines properly, resulting in data corruption.

--Steps to reproduce:
To an account tied to a postfix mbox, send a message with something
like this in the body:

I got a new email...
From the president!

Here's the message:

--Suggested solution:
Simply prepend a > to already-prepended From_ lines as well as bare From_ lines.
Otherwise, when it's decoded

Indeed, and with Wietse's modular design, you can plug in an instance
manager that does that. Is this a sound enough idea to include as
a standard feature in the (under construction) postmulti(1) manager?

I would assume "instance.sh ...", when found, runs instead of "postfix
-c $confid_directory ...", rather than before it. It becomes the
responsibility of instance.sh to actually start/stop/... the instance.

I am somewhat concerned that this is too much rope.

In about 10 minutes there will be a postfix-2.6-20090121-nonprod
snapshot with the multi-instance API presented in the past couple
days, and with a simple proof-of-concept multi-instance manager.
It's ready for Victor to make the few changes necessary to fit in
his postmulti command. That will be all for Postfix 2.6.

ftp://ftp.porcupine.org/mirrors/postfix-release/index.html

Wietse

Off-topic footnote: have look at http://www.xsharp.org/samples/
for a look into the future of programming.

Hi all!

I'm working on a PKI Integration for MTAs. For that to work I'd like to know what the best
way of notificating our components out of postfix is. Any ideas?

a bit more concrete:

Upon connecting to a server or receiving a connection by another server we've to decide if that other server has a SSL
certificate, receive that certificate, decide what our policy is and update the postfix tables concerning that data.
We're working on the whole certificate part and there'll be a generic *NIX-client for that.

These are examples of two small patches for aliases(5) and local(8). I'm
not sure if this type of info should be included (currently it's not
after all), but it could be useful for certain configurations (and for
sake of more detailed info).

I asked a while ago about it, and I recall few rare similar questions in
the past, after searching the archives (mainly regarding local(8) and
$myorigin).

Either way - for your consideration. If it was ok to add these details,
I'd expand overview and address rewrite as well. Patches were made
against postfix 2.5.5 .

Both TLS_README and postconf(5) state that smtpd_tls_req_ccert implies
smtpd_tls_ask_ccert; however, I noticed today that enforced TLS stopped
working after removing the supposedly redundant smtpd_tls_ask_ccert=yes
from a light-volume submission port.

Hello,
I am planning to modify the source code of cleanup(8) to suit my
needs - will be the resulting patch wanted by developers here and
possibly included in next releases?

The functionality I want to do is to disable the application of
virtual aliases to new emails, because I want amavis to know and report
the original recipient address. Then, when the mail is reinserted to the
postfix again, aliasing can be done.

By using current configuration options it is impossible to achieve
such a configuration (to my knowledge)...

Thanks. I'm reasonably confident at this point that the semantic
complexity exceeds that of the implementation, and I've been aiming for
correct semantics without excessive bloat in already complex code.

Here's a revised version which reimplements the 'active' bit as a set of
flags. This is still missing complementary behavior for defer_if_reject
and full documentation, and a lot of the logic in the code paths involved
could probably stand to be wrapped in macros for increased clarity.

The small patch attached fixes a couple of small issues with glibc version
detection in sys_defs.h. This fixes the build on ancient versions (don't
ask) and is slightly more future-proof.

-Rob

http://www.postfix.org/DATABASE_README.html

Postfix lookup table types
add 'command' lookup table type.

command:/path/to/command

It will query/search and return necessary info