[pkg-kolab] r124 - in trunk/kolab-postfix: . debian debian/patches
debian/po
Steffen Joeris
white-guest at costa.debian.org
Mon Jan 9 16:44:30 UTC 2006
Author: white-guest
Date: 2006-01-09 16:43:55 +0000 (Mon, 09 Jan 2006)
New Revision: 124
Added:
trunk/kolab-postfix/debian/
trunk/kolab-postfix/debian/README.Debian
trunk/kolab-postfix/debian/arch-version
trunk/kolab-postfix/debian/changelog
trunk/kolab-postfix/debian/conffiles
trunk/kolab-postfix/debian/config
trunk/kolab-postfix/debian/control
trunk/kolab-postfix/debian/copyright
trunk/kolab-postfix/debian/dirs
trunk/kolab-postfix/debian/functions
trunk/kolab-postfix/debian/init.d
trunk/kolab-postfix/debian/ip-down.d
trunk/kolab-postfix/debian/ip-up.d
trunk/kolab-postfix/debian/kolab-postfix-dev.copyright
trunk/kolab-postfix/debian/kolab-postfix-dev.dirs
trunk/kolab-postfix/debian/kolab-postfix-dev.postinst
trunk/kolab-postfix/debian/kolab-postfix-dev.prerm
trunk/kolab-postfix/debian/kolab-postfix-doc.copyright
trunk/kolab-postfix/debian/kolab-postfix-doc.dirs
trunk/kolab-postfix/debian/kolab-postfix-doc.doc-base
trunk/kolab-postfix/debian/kolab-postfix-doc.postinst
trunk/kolab-postfix/debian/kolab-postfix-doc.prerm
trunk/kolab-postfix/debian/kolab-postfix-ldap.README.Debian
trunk/kolab-postfix/debian/kolab-postfix-ldap.copyright
trunk/kolab-postfix/debian/kolab-postfix-ldap.dirs
trunk/kolab-postfix/debian/kolab-postfix-ldap.files
trunk/kolab-postfix/debian/kolab-postfix-ldap.postinst
trunk/kolab-postfix/debian/kolab-postfix-ldap.prerm
trunk/kolab-postfix/debian/kolab-postfix-mysql.README.Debian
trunk/kolab-postfix/debian/kolab-postfix-mysql.copyright
trunk/kolab-postfix/debian/kolab-postfix-mysql.dirs
trunk/kolab-postfix/debian/kolab-postfix-mysql.files
trunk/kolab-postfix/debian/kolab-postfix-mysql.postinst
trunk/kolab-postfix/debian/kolab-postfix-mysql.prerm
trunk/kolab-postfix/debian/kolab-postfix-pcre.README.Debian
trunk/kolab-postfix/debian/kolab-postfix-pcre.copyright
trunk/kolab-postfix/debian/kolab-postfix-pcre.dirs
trunk/kolab-postfix/debian/kolab-postfix-pcre.files
trunk/kolab-postfix/debian/kolab-postfix-pcre.postinst
trunk/kolab-postfix/debian/kolab-postfix-pcre.prerm
trunk/kolab-postfix/debian/kolab-postfix-pgsql.README.Debian
trunk/kolab-postfix/debian/kolab-postfix-pgsql.copyright
trunk/kolab-postfix/debian/kolab-postfix-pgsql.dirs
trunk/kolab-postfix/debian/kolab-postfix-pgsql.files
trunk/kolab-postfix/debian/kolab-postfix-pgsql.postinst
trunk/kolab-postfix/debian/kolab-postfix-pgsql.prerm
trunk/kolab-postfix/debian/kolab-postfix-tls.copyright
trunk/kolab-postfix/debian/kolab-postfix-tls.dirs
trunk/kolab-postfix/debian/kolab-postfix-tls.postinst
trunk/kolab-postfix/debian/kolab-postfix-tls.postrm
trunk/kolab-postfix/debian/kolab-postfix-tls.preinst
trunk/kolab-postfix/debian/kolab-postfix-tls.prerm
trunk/kolab-postfix/debian/lintian-override
trunk/kolab-postfix/debian/patches/
trunk/kolab-postfix/debian/patches/00list
trunk/kolab-postfix/debian/patches/10cyrus.dpatch
trunk/kolab-postfix/debian/patches/10greylist.dpatch
trunk/kolab-postfix/debian/patches/10hostname.dpatch
trunk/kolab-postfix/debian/patches/10main.cf.dpatch
trunk/kolab-postfix/debian/patches/10man.dpatch
trunk/kolab-postfix/debian/patches/10master.cf.dpatch
trunk/kolab-postfix/debian/patches/10rmail.dpatch
trunk/kolab-postfix/debian/patches/10smtplinelength.dpatch
trunk/kolab-postfix/debian/patches/20maps.dpatch
trunk/kolab-postfix/debian/patches/30-kolab.dpatch
trunk/kolab-postfix/debian/patches/50tls.dpatch
trunk/kolab-postfix/debian/patches/60hpux.dpatch
trunk/kolab-postfix/debian/patches/master.cf.local
trunk/kolab-postfix/debian/po/
trunk/kolab-postfix/debian/po/POTFILES.in
trunk/kolab-postfix/debian/po/cs.po
trunk/kolab-postfix/debian/po/de.po
trunk/kolab-postfix/debian/po/es.po
trunk/kolab-postfix/debian/po/fr.po
trunk/kolab-postfix/debian/po/it.po
trunk/kolab-postfix/debian/po/ja.po
trunk/kolab-postfix/debian/po/nl.po
trunk/kolab-postfix/debian/po/pt_BR.po
trunk/kolab-postfix/debian/po/ru.po
trunk/kolab-postfix/debian/po/templates.pot
trunk/kolab-postfix/debian/postinst
trunk/kolab-postfix/debian/postrm
trunk/kolab-postfix/debian/preinst
trunk/kolab-postfix/debian/prerm
trunk/kolab-postfix/debian/rules
trunk/kolab-postfix/debian/shlibs
trunk/kolab-postfix/debian/templates
trunk/kolab-postfix/debian/tls-patch
trunk/kolab-postfix/debian/update-libc.d
trunk/kolab-postfix/debian/vars.in
Log:
* Initial version of postfix packaging
* I think it needs some corrections :(
Added: trunk/kolab-postfix/debian/README.Debian
===================================================================
--- trunk/kolab-postfix/debian/README.Debian 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/README.Debian 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,19 @@
+There are some significant differences between the Debian Postfix packages,
+and the source from upstream:
+
+1. The Debian install is chrooted by default.
+2. IPV6 support is present and enabled.
+3. TLS/SASL support is found in the postfix-tls package.
+4. Dynamically loadable map support.
+5. For policy reasons:
+ a. SASL configuration is found in /etc/postfix/sasl
+ b. myhostname=/path/to/file is supported (and used) in main.cf
+
+Known caveats:
+1. The dynamically loadable modules are not found in the chroot.
+ Therefore, proxy maps may require you to copy the appropriate shared
+ object into the chroot if you chroot the proxy service in master.cf.
+2. Some map types (and SASL support) require some extra configuration
+ (beyond what upstream indicates) to run inside the chroot. The simplest
+ solution for the maps is to use the proxy service, which is not chrooted.
+ SASL is a bit more complex, and is on the TODO list...
Added: trunk/kolab-postfix/debian/arch-version
===================================================================
--- trunk/kolab-postfix/debian/arch-version 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/arch-version 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1 @@
+lamont at debian.org--2004/postfix--debian--2.1--patch-6
Added: trunk/kolab-postfix/debian/changelog
===================================================================
--- trunk/kolab-postfix/debian/changelog 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/changelog 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,1395 @@
+kolab-postfix (2.1.5-1) unstable; urgency=low
+
+ * Add patch for Kolab (30-kolab.dpatch)
+ * Use postfix from sarge
+ * Postfix upstream will include kolab patch in next upstream
+ so it is only a temporary solution to use an own postfix
+ and for that we try to use the sarge postfix
+
+ -- <steffen.joeris at skolelinux.de> Mon, 9 Jan 2006 13:44:54 +0000
+
+postfix (2.1.5-9) unstable; urgency=low
+
+ * more cleanup in if-up.d script. Closes: #297127
+
+ -- LaMont Jones <lamont at debian.org> Sun, 27 Feb 2005 09:33:07 -0700
+
+postfix (2.1.5-8) unstable; urgency=low
+
+ * Only force queue run in if-up.d script if postfix is running.
+ Closes: #296817
+
+ -- LaMont Jones <lamont at debian.org> Sat, 26 Feb 2005 22:03:17 -0700
+
+postfix (2.1.5-7) unstable; urgency=low
+
+ * Fix stupid typo: /etc/network/ip-* -> /etc/network/if-*.
+ Thanks to Andrew Bennetts. Closes: #296525
+
+ -- LaMont Jones <lamont at debian.org> Tue, 22 Feb 2005 20:10:19 -0700
+
+postfix (2.1.5-6) unstable; urgency=low
+
+ * inet_interfaces=loopback-only from 2.2 snapshot. Closes: #293250, #292086
+ * Add relay entry to master.cf if missing. Closes: #260593
+
+ -- LaMont Jones <lamont at mmjgroup.com> Thu, 3 Feb 2005 11:57:06 -0700
+
+postfix (2.1.5-5) unstable; urgency=low
+
+ * Actually stop postfix in preinst. Closes: #290855
+
+ -- LaMont Jones <lamont at debian.org> Mon, 17 Jan 2005 20:24:49 -0700
+
+postfix (2.1.5-4) unstable; urgency=low
+
+ * cleanup 50tls. Closes: #288557
+
+ -- LaMont Jones <lamont at debian.org> Tue, 4 Jan 2005 12:03:29 -0700
+
+postfix (2.1.5-3) unstable; urgency=low
+
+ * postmap and postalias would segv on map types that do not support
+ creation.
+ * restart when postfix-not-running needs to start
+ * clone ppp ifup/down scripts into etc/network as well.
+ * Switch to using dpatch to manage patches.
+
+ -- LaMont Jones <lamont at debian.org> Tue, 28 Dec 2004 08:37:23 -0700
+
+postfix (2.1.5-2) unstable; urgency=low
+
+ * Update pt_BR debconf template. Closes: #281986
+ * Update es debconf template. Closes: #283165
+ * Update ja debconf template. Closes: #280114
+ * Update fr debconf template. Closes: #281214
+ * Fix broken upgrade case in postfix-tls.
+ * Drop duplicate debconf Depends. Closes: #284003
+
+ -- LaMont Jones <lamont at debian.org> Sat, 11 Dec 2004 03:39:58 -0700
+
+postfix (2.1.5-1) unstable; urgency=low
+
+ * New upstream version
+ * Drop 'HP' config option from the templates.
+ * Build-Depend: groff-base
+ * Deliver man pages for master.cf services in 8postfix section.
+ Remove smtpd.8.gz diversion. Closes: #274777
+ * Add a README.Debian. Closes: #274323, #272087
+ * Fix typo in postmap man page. Closes: #271369
+ * Add Czech translations. Closes: #275338
+
+ -- LaMont Jones <lamont at debian.org> Sat, 30 Oct 2004 21:59:51 -0600
+
+postfix (2.1.4-5) unstable; urgency=low
+
+ * Only listen on loopback for local-only client.
+ * updated Brazilian Portugese translations. Closes: #263857
+ * ipv6 patch version of own_inet_addr behaved incorrectly.
+ * Deal with null domain names better.
+ * Properly cleanup on purge. Closes: #166913, #251668
+ * Only listen on loopback for local-only and satellite config.
+ * tls_random_exchange_name needs to default to /var/spool/postfix/prng_exch
+ Closes: #270122
+
+ -- LaMont Jones <lamont at mmjgroup.com> Sun, 5 Sep 2004 19:33:39 -0600
+
+postfix (2.1.4-4) unstable; urgency=low
+
+ * New italian translations. Closes: #262705
+ * Use invoke-rc.d if present. Closes: #262621
+
+ -- LaMont Jones <lamont at debian.org> Sun, 1 Aug 2004 10:47:00 -0600
+
+postfix (2.1.4-3) unstable; urgency=low
+
+ * Cleanup typos in postinst. Closes: #262194,#262127
+ * Fix typo in smtp/TLS. Closes: #258775
+
+ -- LaMont Jones <lamont at debian.org> Fri, 30 Jul 2004 01:39:49 -0600
+
+postfix (2.1.4-2) unstable; urgency=low
+
+ * use start-stop-daemon to launch postfix.
+ * Update japanese translations. Closes: #260822
+ * Update French translations. Closes: #261124
+ * Update Dutch translations. Closes: #261336
+ * Need to handle sdbm map creation. Closes: #261842
+
+ -- LaMont Jones <lamont at debian.org> Wed, 28 Jul 2004 09:29:53 -0600
+
+postfix (2.1.4-1) unstable; urgency=low
+
+ * New upstream
+ * Deal with being configured _really_ early. Closes: #255884
+ * Fix typo in spf.pl. Closes: #256912
+ * Clean up log message in smtp_connect. Closes: #257052
+ * Correct debconf template. Closes: #258876
+ * Better dynamicmaps.cf conversion. Closes: #257326
+ * Always ask about root email address, not just after preinst
+ decides that we need to. Closes: #256055
+
+ -- LaMont Jones <lamont at debian.org> Sun, 11 Jul 2004 18:25:31 -0600
+
+postfix (2.1.3-1) unstable; urgency=medium
+
+ * New upstream
+ * New translations. Closes: #254405, #255675
+ * Deliver qshape. Closes: #254414
+ * remove (default) setgid_group decl from main.cf.
+ * Add trace and verify to master.cf in postinst. Closes: #255260
+
+ -- LaMont Jones <lamont at debian.org> Tue, 22 Jun 2004 13:39:08 -0600
+
+postfix (2.1.1-8) unstable; urgency=low
+
+ * dpkg-divert revisited. Closes: #254211, #252162
+
+ -- LaMont Jones <lamont at debian.org> Sun, 13 Jun 2004 12:23:32 -0600
+
+postfix (2.1.1-7) unstable; urgency=low
+
+ * Missing html pages. Closes: #254164
+ * Really add back in gdbm support. Sigh.
+
+ -- LaMont Jones <lamont at debian.org> Sun, 13 Jun 2004 11:49:52 -0600
+
+postfix (2.1.1-6) unstable; urgency=low
+
+ * Force rename of nqmgr->qmgr in master.cf if needed. Closes: #254043
+
+ -- LaMont Jones <lamont at debian.org> Sat, 12 Jun 2004 19:41:21 -0600
+
+postfix (2.1.1-5) unstable; urgency=low
+
+ * Prototypes missing from pfixtls stuff cause broken sdbm maps on
+ 64-bit architectures. Closes: #254025
+
+ -- LaMont Jones <lamont at debian.org> Sat, 12 Jun 2004 09:23:55 -0600
+
+postfix (2.1.1-4) unstable; urgency=low
+
+ * Can't drop gdbm completely until sarge actually ships. :-(
+ * Deliver more examples. (greylisting, etc.) Closes: #252838
+ * Fix typo in postinst. Closes: #250105
+ * Don't ask procmail question if procmail is not installed. Closes: #229280
+ * Italian templates. Closes: #253501
+ * Make postconf diversion from ancient postfix-tls go away.
+ Closes: #253277, #252398, #250404
+ * Don't complain when trying to bind ipv6 addresses on a machine without
+ ipv6. Closes: #253371
+ * Remove all references to cyrus from master.cf, at the request of the
+ Cyrus maintainer (hmh at debian.org). See README.postfix in the cyrus
+ packages. Closes: #253952, #228721
+ * Better master.cf handling. Closes: #232715
+ * Apply patch from Victor to fix va_arg usage (ppc broke.) Closes: #253228
+
+ -- LaMont Jones <lamont at debian.org> Sat, 12 Jun 2004 07:46:39 -0600
+
+postfix (2.1.1-3) unstable; urgency=low
+
+ * add back postfix-files. Closes: #252316
+ * Remove unused variable from init.d script. Closes: #252371
+
+ -- LaMont Jones <lamont at debian.org> Wed, 2 Jun 2004 21:35:29 -0600
+
+postfix (2.1.1-2) unstable; urgency=low
+
+ * Add IPv6 support. This may change when upstream incorporates IPv6,
+ but is based on the most likely configuration interface.
+ Closes: #144840.
+ * clean up config files that aren't needed under /etc/postfix
+
+ -- LaMont Jones <lamont at debian.org> Wed, 2 Jun 2004 06:44:15 -0600
+
+postfix (2.1.1-1) unstable; urgency=low
+
+ * New upstream. Closes: #250507, #144128, #220674, #170691
+ GDBM support is now turned off, results in a fatal error.
+ * Add Russian debconf template. Closes: #135847
+ * Patch from upstream fixing get_hostname failures.
+
+ -- LaMont Jones <lamont at debian.org> Sun, 30 May 2004 17:07:10 -0600
+
+postfix (2.0.19-1) unstable; urgency=low
+
+ * New upstream version
+ * Minor tweaks to main.cf.debian. (Shorten it some more.)
+ * Have update-libc.d/postfix check to make sure postfix is installed.
+ Closes: #230330
+ * Cleanup resolvconf output. Closes: #225797
+ * Add abort option to /etc/init.d/postfix. Closes: #230573
+ * Recommend: resolvconf. Closes: #154669
+ * Update Japanese translation. Closes: #237787
+ * Change the default smtp_line_length_limit to unlimited.
+ * Add spanish debconf template. Closes: #239096
+
+ -- LaMont Jones <lamont at debian.org> Sat, 20 Mar 2004 18:02:39 -0700
+
+postfix (2.0.18-1) unstable; urgency=low
+
+ * New upstream release. Closes: #229045
+
+ -- LaMont Jones <lamont at debian.org> Thu, 22 Jan 2004 08:13:50 -0700
+
+postfix (2.0.17-1) unstable; urgency=low
+
+ * New upstream release
+ * update Japanese debconf template. Closes: #224139
+ * Add some directory decls to default main.cf (match config.) Closes: #226238
+ * it's regex(7), not re_format(7). Closes: #228773
+
+ -- LaMont Jones <lamont at debian.org> Tue, 20 Jan 2004 16:41:40 -0700
+
+postfix (2.0.16-4) unstable; urgency=low
+
+ * /etc/resolvconf/update-libc.d/postfix is a conffile. Closes: #212552
+
+ -- LaMont Jones <lamont at debian.org> Mon, 8 Dec 2003 14:46:22 -0700
+
+postfix (2.0.16-3) unstable; urgency=low
+
+ * Fix NEED_CHROOT in init.d to handle 'y' as well as '-'. Closes: #218512
+ * Change cyrus invocation. Closes: #222893, #174206
+ * Stop delivering HISTORY in postfix-doc (it's in
+ /usr/share/doc/postfix/changelog). Closes: #146959
+ * Make wildcard dynamicmaps.cf entry be a warning, not fatal.
+ Closes: #159988
+ * Add resolfconf support. Closes: #212552
+
+ -- LaMont Jones <lamont at debian.org> Mon, 8 Dec 2003 10:02:34 -0700
+
+postfix (2.0.16-2) unstable; urgency=low
+
+ * Make some centarian happy with the debconf descriptions. Closes: #215019
+ * postfix-tls needs to conflict: postfix-snap-tls. Closes: #215958
+ * Clean up debconf template wrt root mail. Closes: #215104
+
+ -- LaMont Jones <lamont at debian.org> Sun, 26 Oct 2003 18:48:55 -0700
+
+postfix (2.0.16-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- LaMont Jones <lamont at debian.org> Sat, 20 Sep 2003 13:14:50 -0600
+
+postfix (2.0.14-3) unstable; urgency=low
+
+ * Cleanup dependency screwup.
+
+ -- LaMont Jones <lamont at debian.org> Sun, 14 Sep 2003 09:08:34 -0600
+
+postfix (2.0.14-2) unstable; urgency=low
+
+ * New Brazilian Portuguese, Japanese, Dutch, and French translations.
+ Closes: #207818, #206705, #208048, #210717
+ * Don't set /etc/mailname if hostname has only one label.
+ * Clean up descriptions. Closes: #209874
+ * Quit suggesting cyrus-common, Remove recommends for sasl2 modules,
+ since "that is the sasl2 packages' responsibility." Closes: #209266
+ * Cleanup SASL_README. Closes: #202815
+ * Change the default location for prng_exch to /var/spool/postfix.
+ Closes: #190285
+ * No need for a separate postconf for tls now, get rid of it.
+
+ -- LaMont Jones <lamont at debian.org> Sat, 13 Sep 2003 17:47:38 -0600
+
+postfix (2.0.14-1) unstable; urgency=low
+
+ * New upstream version
+
+ -- LaMont Jones <lamont at debian.org> Tue, 12 Aug 2003 23:44:09 -0600
+
+postfix (2.0.13-4) unstable; urgency=high
+
+ * Ignore errors from chattr, patch based on Gerry Patterson's. Closes: #203279
+ * High urgency because testing (1.1.11) is broken now that openldap 2.1
+ is there.
+
+ -- LaMont Jones <lamont at debian.org> Mon, 28 Jul 2003 20:49:26 -0600
+
+postfix (2.0.13-3) unstable; urgency=low
+
+ * Default to non-synchronous mail queue metadata updates, new debconf
+ question. Closes: #202720
+
+ -- LaMont Jones <lamont at debian.org> Sun, 27 Jul 2003 20:05:21 -0600
+
+postfix (2.0.13-2) unstable; urgency=low
+
+ * Incorporate tls-0.8.15. Closes: #200642
+
+ -- LaMont Jones <lamont at debian.org> Wed, 23 Jul 2003 09:36:34 -0600
+
+postfix (2.0.13-1) unstable; urgency=low
+
+ * New upstream version
+ * Add --system to addgroup's in postinst. Closes: #176905
+
+ -- LaMont Jones <lamont at debian.org> Mon, 30 Jun 2003 12:23:48 -0600
+
+postfix (2.0.12-1) unstable; urgency=low
+
+ * New upstream version. 2.0.11 broke sendmail -bs. Closes: #197660
+
+ -- LaMont Jones <lamont at debian.org> Wed, 18 Jun 2003 20:33:01 -0600
+
+postfix (2.0.11-2) unstable; urgency=low
+
+ * Roll to new gdbm libs.
+ * Fix postfix-tls recommends. Closes: #195032, #191905, #145861, #144636
+ * Deal with missing /etc/postfix/sasl better. Closes: #155246
+ * Don't use -a in [ or test calls. Closes: #196549
+
+ -- LaMont Jones <lamont at debian.org> Wed, 11 Jun 2003 23:18:05 -0600
+
+postfix (2.0.11-1) unstable; urgency=low
+
+ * New upstream version
+
+ -- LaMont Jones <lamont at debian.org> Wed, 11 Jun 2003 10:02:22 -0600
+
+postfix (2.0.10-2) unstable; urgency=low
+
+ * Dynamicmap.cf cleanup needs to happen before db conversion.
+ * Remove ldap cache support (no longer present in ldap 2.1
+ * Add ldap limits.
+
+ -- LaMont Jones <lamont at debian.org> Sun, 25 May 2003 18:12:51 -0600
+
+postfix (2.0.10-1) unstable; urgency=low
+
+ * New upstream version
+ * Include translations: Closes: #190707
+ * restore copyright file for postfix-tls. oops.
+ * Clean up chroot handling. Closes: #193721
+
+ -- LaMont Jones <lamont at debian.org> Thu, 22 May 2003 17:07:11 -0600
+
+postfix (2.0.9-3) unstable; urgency=low
+
+ * Somehow dropped the upstream change in the version number. Closes: #190112
+
+ -- LaMont Jones <lamont at debian.org> Tue, 22 Apr 2003 00:22:40 -0600
+
+postfix (2.0.9-2) unstable; urgency=low
+
+ * Rebuild against ldap 2.1 and sasl2. Closes: #146627, #177153
+ * Use --system in addgroup. Closes: #189833
+
+ -- LaMont Jones <lamont at debian.org> Sun, 20 Apr 2003 20:08:19 -0600
+
+postfix (2.0.9-1) unstable; urgency=low
+
+ * New upstream release.
+ - Refuses to run if netblocks have non-zero host parts, since too many
+ people can't seem to get them right... (2.0.8)
+ - The SMTP client did not deliver a partial last line when someone
+ submitted 8BITMIME mail not ending in newline via /usr/sbin/sendmail
+ while MIME input processing was turned off (not the default), and
+ MIME 8bit->7bit conversion was requested upon delivery. (2.0.9)
+ * Fix debconf dependency. Closes: #188401
+ * Switch to db4.1 - auto convert all databases: This is a low priority
+ debconf question...
+ * Incorporate upstream feedback in dict_pgsql.[ch] (Now part of the
+ upstream snapshot releases.)
+ * Fix hp-ux build again..
+
+ -- LaMont Jones <lamont at debian.org> Fri, 18 Apr 2003 23:58:30 -0600
+
+postfix (2.0.7-3) unstable; urgency=low
+
+ * Real upstream 2.0.7 release...
+ - The SMTP server access map actions HOLD, DISCARD, FILTER (and
+ REDIRECT in snapshots) dumped core with smtpd_delay_reject=no,
+ and with ETRN.
+ - The DISCARD action now works as expected and causes Postfix to
+ skip other restrictions such as REJECT.
+ - The postsuper manual page documented support for the -c command
+ line option, but the feature was not implemented.
+ - The VRFY command was broken as of Postfix 2.0, and would always
+ reply with 252 (neutral) unless the service was disabled.
+ * rename the french templates file. Closes: #184314
+ * Add german template translations. Closes: #185626
+ * Add a commented out delay_warning_time = 4h. Closes: #171704
+ * Allow empty mynetworks --> no mynetworks in the file. Closes: #160493
+
+ -- LaMont Jones <lamont at debian.org> Thu, 20 Mar 2003 12:33:27 -0700
+
+postfix (2.0.7-2) unstable; urgency=low
+
+ * The "there is no 2.0.7 yet" relase. Sigh. This is 2.0.7-1 minus the
+ upstream patch-that-isn't. sigh.
+
+ -- LaMont Jones <lamont at debian.org> Mon, 17 Mar 2003 18:40:55 -0700
+
+postfix (2.0.7-1) unstable; urgency=low
+
+ * New upstream release, cosmetic fixes.
+ * Add French templates. Closes: #184314
+ * have postfix-tls Recommend libsasl-modules-plain, libsasl-digestmd5-plain.
+ Closes: #176048
+ * Fix code for dealing with dynamicmaps.cf. Closes: #184759
+ * Make sure we ask about dynamicmaps upgrade when we should. Closes: #184106
+
+ -- LaMont Jones <lamont at debian.org> Sun, 16 Mar 2003 22:19:04 -0700
+
+postfix (2.0.6-1) unstable; urgency=low
+
+ * New upstream release:
+ Postfix truncates non-address information in message address headers
+ (comments, etc.) to 250 characters per address, in order to protect
+ vulnerable Sendmail systems against exploitation of a remote buffer
+ overflow problem (CERT advisory CA-2003-07).
+
+ -- LaMont Jones <lamont at debian.org> Thu, 6 Mar 2003 22:25:25 -0700
+
+postfix (2.0.5-1) unstable; urgency=low
+
+ * New upstream release.
+ The smtpd_hard_error_limit and smtpd_soft_error_limit values now
+ behave as documented, that is, smtpd_hard_error_limit=1 causes
+ Postfix to disconnect upon the first client error. Previously,
+ there was an off-by-one error causing Postfix to change behavior
+ after smtpd_hard/soft_error_limit+1 errors.
+ * Switch to gettext based template translations. Closes: #183455, #140699
+ * Fix typo in postinst. Closes: #156654
+
+ -- LaMont Jones <lamont at debian.org> Tue, 4 Mar 2003 22:06:34 -0700
+
+postfix (2.0.4-1) unstable; urgency=low
+
+ * New upstream release. Closes: #181831
+ * more template cleanup. Closes: #178523
+
+ -- LaMont Jones <lamont at debian.org> Sun, 23 Feb 2003 09:12:04 -0700
+
+postfix (2.0.3-5) unstable; urgency=low
+
+ * Add pgsql support (by Lenart Janos <ocsi at debian.org>), based on
+ http://downloads.rhyme.com.au/postfix/postfix-1.1.11-20020613pg_020626.patch.gz
+ * Explicitly link libraries. Closes: #180678
+ * Fix debconf prompts. Closes: #179365
+
+ -- LaMont Jones <lamont at debian.org> Mon, 17 Feb 2003 20:27:54 -0700
+
+postfix (2.0.3-4) unstable; urgency=low
+
+ * Switch to -O1 for all archs, since it's not just sparc that has
+ optimization issues with gcc 3.2. Closes: #179246
+
+ -- LaMont Jones <lamont at debian.org> Sat, 1 Feb 2003 13:21:14 -0700
+
+postfix (2.0.3-3) unstable; urgency=low
+
+ * Use -O1 on sparc. Closes: #179087
+
+ -- LaMont Jones <lamont at debian.org> Thu, 30 Jan 2003 14:17:27 -0700
+
+postfix (2.0.3-2) unstable; urgency=low
+
+ * Fix bashism in init.d script. Closes: #178368, #178424
+ * Cleanup the error message for missing maps. Closes: #177774
+
+ -- LaMont Jones <lamont at debian.org> Sun, 26 Jan 2003 10:35:01 -0700
+
+postfix (2.0.3-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- LaMont Jones <lamont at debian.org> Fri, 24 Jan 2003 20:45:03 -0700
+
+postfix (2.0.2-3) unstable; urgency=low
+
+ * Handle dynamicmaps upgrade for 'No configuration' users. Closes: #178037
+ * Force proxymap service into master.cf. Closes: #177914
+ * Make chroot-syncing configurable. Closes: #165326
+
+ -- LaMont Jones <lamont at debian.org> Thu, 23 Jan 2003 15:37:33 -0700
+
+postfix (2.0.2-2) unstable; urgency=low
+
+ * make sasl paths autoswitch for sasl1 vs sasl2.
+ * deal with maps transition for sdbm and tcp maps. Closes:#177592
+
+ -- LaMont Jones <lamont at debian.org> Mon, 20 Jan 2003 09:40:51 -0700
+
+postfix (2.0.2-1) unstable; urgency=low
+
+ * New upstream release
+ * Fix postconf -m. Closes: #150072
+
+ -- LaMont Jones <lamont at debian.org> Sat, 18 Jan 2003 22:10:01 -0700
+
+postfix (2.0.1-3) unstable; urgency=low
+
+ * Fix typo in preinst. Closes: #176897
+
+ -- LaMont Jones <lamont at debian.org> Wed, 15 Jan 2003 12:51:31 -0700
+
+postfix (2.0.1-2) unstable; urgency=low
+
+ * Patch from upstream for sendmail -bs. Closes: #176783
+ * Clean up postfix-dev Depends. Closes: #176851
+
+ -- LaMont Jones <lamont at debian.org> Wed, 15 Jan 2003 07:12:39 -0700
+
+postfix (2.0.1-1) unstable; urgency=low
+
+ * New upstream version. Adds proxymap service. Closes: #96157
+ * Deal with multiple alias maps in preinst. Closes: #175384, #156661
+
+ -- LaMont Jones <lamont at debian.org> Mon, 13 Jan 2003 22:43:22 -0700
+
+postfix (2.0.0.1-1) unstable; urgency=low
+
+ * New upstream version. See /usr/share/doc/postfix/changelog.
+ * Fix SASL v1 paths. This closes Bug#174191 (the opposite of
+ Bug#159724). Thanks to Jonas Smedegard (dr at jones.dk) for the patch.
+ * Correct s/certficate/certificate/. Closes Bug#156345. Ditto.
+
+ -- LaMont Jones <lamont at debian.org> Fri, 27 Dec 2002 01:02:55 -0700
+
+postfix (1.1.12-1) unstable; urgency=low
+
+ * New upstream relase.
+ * Fix postfix-tls description. Closes: #160697
+ * New upstream TLS (0.8.11a).
+ * Fix wildcard transport initialization. Closes: #167093
+ * Use libsasl-dev: libldap2-dev conflicts with it. Closes: #160670
+
+ -- LaMont Jones <lamont at debian.org> Mon, 23 Dec 2002 10:34:17 -0700
+
+postfix (1.1.11.0-3) unstable; urgency=low
+
+ * setting wrong flags in config. Closes: #159882
+ * Enhancements to rbl support.
+ * Make nqmgr the default.
+ * One more tls screwup, it would appear. Closes: #144968
+
+ -- LaMont Jones <lamont at debian.org> Thu, 12 Sep 2002 10:37:36 -0600
+
+postfix (1.1.11.0-2) unstable; urgency=low
+
+ * Fix sasl2 roll screwup. Closes: #159724
+ * Fix template typo. Closes: #159734
+
+ -- LaMont Jones <lamont at debian.org> Thu, 5 Sep 2002 09:44:40 -0600
+
+postfix (1.1.11.0-1) unstable; urgency=low
+
+ * Merge in tls stuff from snapshots, using tls-0.8.7. Requires a bump
+ of the upstream version number because of the old postfix-tls version
+ numbering.
+ * Need to deliver /etc/postfix/sasl.
+ * If we couldn't set the LDAP protocol version, we didn't remember that.
+ Closes: #158730, #158288
+ * Read system values for mynetworks and mydestination if main.cf exists.
+ (Once mydestination is set, we'll always read it from main.cf if it
+ exists...) Closes: #145072, #142726
+ * Add flush to the list of directories that get created/chowned.
+ Closes: #156791
+ * Quit depending on postfix-pcre and postfix-ldap, just suggests.
+ Closes: #144201
+ * Handle == VERP as well as -= VERP. Makes murphy happy.
+ * Make /usr/lib/postfix the default daemon directory. Closes: #155250.
+
+ -- LaMont Jones <lamont at debian.org> Tue, 3 Sep 2002 23:48:01 -0600
+
+postfix (1.1.11-2) unstable; urgency=low
+
+ * reincorporate lost fixes from upstream merge.
+
+ -- LaMont Jones <lamont at debian.org> Sun, 14 Jul 2002 10:11:31 -0600
+
+postfix (1.1.11-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- LaMont Jones <lamont at debian.org> Fri, 12 Jul 2002 21:32:06 -0600
+
+postfix (1.1.11-0.woody1) testing; urgency=medium
+
+ * New upstream version. Closes: #150298, #146626
+
+ -- LaMont Jones <lamont at debian.org> Thu, 11 Jul 2002 12:03:14 -0600
+
+postfix (1.1.7-7) unstable; urgency=low
+
+ * Actually fix wildcard transports. Was dying if transport map didn't
+ hit, and there wasn't a wildcard. Closes: #145884
+
+ -- LaMont Jones <lamont at debian.org> Sun, 5 May 2002 22:18:57 -0600
+
+postfix (1.1.7-6) unstable; urgency=low
+
+ * HP config, and root address setting in postinst were broken.
+ * Fix wildcard transport change. Closes: #145745, #145792
+ * Turn off optimization on hppa for now.
+
+ -- LaMont Jones <lamont at debian.org> Sat, 4 May 2002 11:19:13 -0600
+
+postfix (1.1.7-5) unstable; urgency=low
+
+ * Changes to transport maps: add wildcard, and have ':' to tell
+ postfix to pretend that there is no match for this entry, which
+ allows a relayhost-for-all-but-these type config.
+ * Patch from Victor.Duchovni at morganstanley.com to implement timeouts
+ in LDAP bind.
+ * Add 'HP' option to mailer type, does HP-esque config (transport map
+ entries).
+ * Only copy everything to the chroot if something is being run chrooted.
+ Closes: #139782
+
+ -- LaMont Jones <lamont at debian.org> Thu, 2 May 2002 23:27:22 -0600
+
+postfix (1.1.7-4) unstable; urgency=low
+
+ * Can't touch files in directories that don't exist.
+
+ -- LaMont Jones <lamont at debian.org> Mon, 22 Apr 2002 23:30:28 -0600
+
+postfix (1.1.7-3) unstable; urgency=medium
+
+ * The keep-the-maintainer sane release, to keep postfix and postfix-tls
+ source sane in the CVS tree.
+ * Mention package names in the README files.
+ * Make things happier for postfix-tls.
+
+ -- LaMont Jones <lamont at debian.org> Mon, 22 Apr 2002 21:57:58 -0600
+
+postfix (1.1.7-2) unstable; urgency=medium
+
+ * If $myorigin bears no resemblance to $myhostname, then include it in
+ $mydestination by default. Closes: #142296
+ * Prompt for a root alias (and add it _iff_ creating /etc/aliases).
+
+ -- LaMont Jones <lamont at debian.org> Fri, 19 Apr 2002 12:50:08 -0600
+
+postfix (1.1.7-1) unstable; urgency=low
+
+ * New upstream patch-release. Various minor bug fixes.
+ * Cause a 'no' answer to append_dot_mydomain to re-prompt for destinations,
+ since localhost needs to be added. Closes: #141129, #123745.
+ * Do a restart instead of start for dpkg-reconfigure. Closes: #140163
+ * Add support for ldap_version and ldap_chase_referrals, patch from
+ Sami Haahtinen <ressu at debian.org>. Closes: #139756
+ * Deliver upstream changelog in postfix package (as well as postfix-doc)
+
+ -- LaMont Jones <lamont at debian.org> Sun, 7 Apr 2002 15:47:54 -0600
+
+postfix (1.1.6-1) unstable; urgency=low
+
+ * New upstream patch-release.
+ * Add ldap_result_filter (from postfix-snap ldap map) into released bits.
+ * Add a pointer to SASL being in postfix-tls.
+ * Add debconf question about append_dot_mydomain. Closes: #131167
+ * Fix ldap map screwup in 1.1.4-3. Closes: #139872
+
+ -- LaMont Jones <lamont at debian.org> Thu, 28 Mar 2002 12:26:40 -0700
+
+postfix (1.1.4-3) unstable; urgency=low
+
+ * Call ber_free in dict_ldap.c, get rid of memory leak.
+ * Break %u %d (in dict_ldap) on rightmost @, not leftmost.
+ * Unset TZ when launching postfix. Closes: #125658.
+ * Upstream dropped creation of flush service. Closes: #136793
+
+ -- LaMont Jones <lamont at debian.org> Fri, 22 Mar 2002 22:53:00 -0700
+
+postfix (1.1.4-2) unstable; urgency=low
+
+ * Let the user say to not fix master.cf. Closes: #136113.
+ * Fix queue related perms. Closes: #136118, #136296.
+ * /usr/share/doc/postfix/changelog is (still) delivered by postfix-doc,
+ not postfix. Closes: #136133.
+ * Templates now indicate just when relayhost's MX RR's are used.
+ Closes: #103738
+
+ -- LaMont Jones <lamont at debian.org> Sat, 2 Mar 2002 01:54:49 -0700
+
+postfix (1.1.4-1) unstable; urgency=low
+
+ * New upstream version. See /usr/share/doc/postfix/changelog.
+ Corner case problem in qmgr with certain length addrs, resulting
+ in SEGV.
+
+ -- LaMont Jones <lamont at debian.org> Tue, 26 Feb 2002 02:34:34 -0700
+
+postfix (1.1.3-2) unstable; urgency=low
+
+ * postfix-script link needs removed on install too. Closes: #135051
+ * Comment on ciriticality of directory settings in main.cf.debian.
+
+ -- LaMont Jones <lamont at debian.org> Thu, 21 Feb 2002 12:43:35 -0700
+
+postfix (1.1.3-1) unstable; urgency=low
+
+ * New upstream version. See /usr/share/doc/postfix/changelog.
+
+ -- LaMont Jones <lamont at debian.org> Sun, 3 Feb 2002 21:40:49 -0700
+
+postfix (1.1.1-3) unstable; urgency=low
+
+ * If postfix-script is a link, then nuke it in preinst. Closes: #130635
+
+ -- LaMont Jones <lamont at debian.org> Mon, 28 Jan 2002 08:59:38 -0700
+
+postfix (1.1.1-2) unstable; urgency=low
+
+ * Fix postfix-dev depends, so that postfix-tls and friends build from
+ source. Closes: #130743
+ * Use LD_LIBRARY_PATH when building shlibdeps.
+ * remove statoverrides on remoev, and postdrop group on purge.
+ Closes: #130786
+
+ -- LaMont Jones <lamont at debian.org> Fri, 25 Jan 2002 11:52:09 -0700
+
+postfix (1.1.1-1) unstable; urgency=high
+
+ * New upstream version.
+ When the postmap command creates a non-existent result file, the
+ new file inherits the group/other read permissions of the source
+ file. Closes: #130315
+ * Move dict_ldap.so build point to global, instead of util, to correct
+ build order. (hp-ux build now actually works.)
+
+ -- LaMont Jones <lamont at debian.org> Tue, 22 Jan 2002 12:38:45 -0700
+
+postfix (1.1.0-1) unstable; urgency=low
+
+ * New upstream version. Closes: #129735
+ pickup now unpriv, cleanup and flush public.
+ * Add postfix-dev package to allow loadable modules to be built.
+ * use $DAEMON in init.d script to facilitate passing it arguments.
+ Closes: #126288
+ * make default (on new install only) biff = no. Closes: #105914
+ * Allow (but warn about) permit_sasl_authenticated in main.cf, even with
+ no SASL support. (Helps out postfix-tls.)
+ * Fix shlibs file.
+ * Fix segv in postqueue -s.
+ * Cleanup hpux diff
+
+ -- LaMont Jones <lamont at debian.org> Tue, 22 Jan 2002 10:44:20 -0700
+
+postfix (0.0.20011217.SNAPSHOT-1) unstable; urgency=high
+
+ * New upstream version. Closes: #123734, #124149
+ Postfix configuration file comments no longer continue on the next
+ line when that next line starts with whitespace. This change avoids
+ surprises, but it may cause unexpected behavior with existing,
+ poorly formatted, configuration files. Caveat user.
+ * Handle iPlanet 5.0 (and probably other SDK's) in dict_ldap.c, by defining
+ LDAP_CONST and LDAP_OPT_SUCCESS if <ldap.h> doesn't.
+ * Only enable lber logging when debuglevel>0. Closes: #125919.
+
+ -- LaMont Jones <lamont at debian.org> Sat, 22 Dec 2001 21:54:33 -0700
+
+postfix (0.0.20011210.SNAPSHOT-2) unstable; urgency=high
+ * Various fixes in (hp-ux) build rules
+
+ -- LaMont Jones <lamont at debian.org> Wed, 12 Dec 2001 15:56:04 -0700
+
+postfix (0.0.20011210.SNAPSHOT-1) unstable; urgency=high
+
+ * New upstream version.
+ * High urgency to get sendmail -bs fix into testing (0.0.20011125.SNAPSHOT-1
+ should have been.)
+ * Make lack of /etc/postfix/dynamicmaps.cf be a warning, instead of
+ an obscure failure (SIGBUS).
+ * Include LDAP patch from Will Day willday at rom.oit.gatech.edu (deal with
+ timeouts from LDAP server by reconnecting, instead of saying '451',
+ other cleanup.)
+ * Upstream version of ia64 alignment fix added.
+ * main.cf.dist is not gziped. Closes: #122709.
+ * add diversion of smtpd package's smtpd.8 (to smtpd.real.8).
+
+ -- LaMont Jones <lamont at debian.org> Tue, 11 Dec 2001 09:18:57 -0700
+
+postfix (0.0.20011125.SNAPSHOT-1) unstable; urgency=low
+
+ * New upstream version. See /usr/share/doc/postfix/changelog.
+ * Fix smtpd session-rest bug. (patch from upstream.)
+ * Move default config file to /usr/share/postfix, per policy.
+ * Fix procmail invocation. (quotes around $EXTENSION).
+ * Fix sendmail -bs, broken as of 20011115.SNAPSHOT-1. Closes: #120375
+
+ -- LaMont Jones <lamont at debian.org> Sun, 25 Nov 2001 20:11:43 -0700
+
+postfix (0.0.20011115.SNAPSHOT-1) unstable; urgency=low
+
+ * New upstream version. See /usr/share/doc/postfix/changelog.
+
+ -- LaMont Jones <lamont at debian.org> Fri, 16 Nov 2001 05:39:39 -0700
+
+postfix (0.0.20011008.SNAPSHOT-2) unstable; urgency=low
+
+ * Make the default mailbox_size_limit (in debconf) be unlimited.
+ Closes: #117101.
+
+ -- LaMont Jones <lamont at debian.org> Thu, 25 Oct 2001 17:12:53 -0600
+
+postfix (0.0.20011008.SNAPSHOT-1) unstable; urgency=low
+
+ * New upstream version. See /usr/share/doc/postfix/changelog.
+ * Treat bogus DN's in _special_result_attributes the same as DN's that
+ have no _result_attribute (that is, ignore them.)
+ * Change default SMTP banner to include Debian/GNU.
+ * Add a bit more descriptive text to postfix-* packages. Closes: #110227
+ * Fix how mailbox_command gets set (support extensions.) Closes: #109867
+
+ -- LaMont Jones <lamont at debian.org> Tue, 16 Oct 2001 07:04:33 -0600
+
+postfix (0.0.20010808.SNAPSHOT-1) unstable; urgency=low
+
+ * New upstream version.
+ * Include brazilian templates translation. Closes: #105281.
+
+ -- LaMont Jones <lamont at debian.org> Mon, 13 Aug 2001 13:18:14 -0600
+
+postfix (0.0.20010714.SNAPSHOT-3) unstable; urgency=low
+
+ * Remove needless use File::Copy from config. Closes: #107795
+ * Don't run newaliases if there's no main.cf.
+ * Restore nuked man pages. Closes: #107632
+
+ -- LaMont Jones <lamont at debian.org> Wed, 8 Aug 2001 12:18:19 -0600
+
+postfix (0.0.20010714.SNAPSHOT-2) unstable; urgency=low
+
+ * Fix typo in debconf usage. Closes: #107531.
+
+ -- LaMont Jones <lamont at debian.org> Thu, 2 Aug 2001 17:22:32 -0600
+
+postfix (0.0.20010714.SNAPSHOT-1) unstable; urgency=low
+
+ * New upstream version.
+ * Dynamically load various maps at runtime. This splits the package
+ into the base postfix package, and various map-support packages.
+ * Add mysql support (suggests libmysqlclient10) Closes: #64923
+ * Move shared libs to /usr/lib. Closes: #101688.
+ * use Debian::Debconf::Client::ConfModule, which works with all revs of
+ debconf. Closes: #103947.
+
+ -- LaMont Jones <lamont at debian.org> Wed, 1 Aug 2001 12:56:39 -0600
+
+postfix (0.0.20010610.SNAPSHOT-1) unstable; urgency=high
+ * New upstream version. Includes RFC282[12] support, and other changes.
+ See /usr/share/doc/postfix/changelog.
+
+ -- LaMont Jones <lamont at debian.org> Mon, 11 Jun 2001 08:54:52 -0600
+
+postfix (0.0.20010502.SNAPSHOT-5) unstable; urgency=high
+ * Fix corner case where newaliases did not get run. Closes: #99165.
+ * Don't purge /etc/postfix and /var/spool/postfix at purge. Closes: #98987.
+
+ -- LaMont Jones <lamont at debian.org> Tue, 29 May 2001 23:30:15 -0600
+
+postfix (0.0.20010502.SNAPSHOT-4) unstable; urgency=high
+ * Reduce the disk/memory footprint of Postfix by using shlibs for util,
+ global, dns, and master libraries.
+ * Support 'debug' and 'nostrip' options in DEB_BUILD_OPTIONS
+ * dpkg-statoverride exits (correctly) with non-zero status in places
+ where it didn't before.
+
+ -- LaMont Jones <lamont at debian.org> Wed, 23 May 2001 22:13:25 -0600
+
+postfix (0.0.20010502.SNAPSHOT-3) unstable; urgency=high
+ * No-maps case wasn't handled well for upgrades.
+ Closes: #98008, #97763, #98116.
+ * Make no-config case more prominant in selections, partially addresses
+ #97670.
+ * Correct sample-ldap.cf to correctly specify timeout parm. Closes: #93978.
+
+ -- LaMont Jones <lamont at debian.org> Sun, 20 May 2001 08:17:33 -0600
+
+postfix (0.0.20010502.SNAPSHOT-2) unstable; urgency=low
+ * Cleanup warning for db2->db3 upgrade, try to restart
+ even if they say no to auto-conversion. Closes: #97587.
+
+ -- LaMont Jones <lamont at debian.org> Tue, 15 May 2001 10:41:16 -0600
+
+postfix (0.0.20010502.SNAPSHOT-1) unstable; urgency=low
+ * New upstream version. Includes all fixes through 20010228-pl02.
+ See /usr/share/doc/postfix/changelog.
+ * Add 'Conflicts: libnss-db (<<2.2-3)' to force db3 version of
+ libnss-db, if libnss-db is on the machine.
+ * Auto-convert postfix maps when upgrading to db3. Closes: #94954, #95587.
+ * Add || true on removing overrides. Closes: #96820.
+ * Add scalemail support into the default master.cf.
+
+ -- LaMont Jones <lamont at debian.org> Sun, 6 May 2001 08:53:21 -0600
+
+postfix (0.0.20010329.SNAPSHOT-5) unstable; urgency=low
+ * compromise with upstream on how to do the db3 changeover...
+ * With libdb3 change, libdb2/3 interactions go away. Closes: #94379.
+
+ -- LaMont Jones <lamont at debian.org> Fri, 20 Apr 2001 23:43:37 -0600
+
+postfix (0.0.20010329.SNAPSHOT-4) unstable; urgency=low
+ * Change to use libdb3 to avoid any libdb2/3 interactions in libc.
+
+ -- LaMont Jones <lamont at debian.org> Wed, 18 Apr 2001 07:56:37 -0600
+
+postfix (0.0.20010329.SNAPSHOT-3) unstable; urgency=low
+ * Eliminate useless notes from LDAP dictionaries.
+ * If relayhost was manually set on an internet site, upgrades would
+ clear the relayhost. Closes: #93161.
+
+ -- LaMont Jones <lamont at debian.org> Sat, 7 Apr 2001 22:14:47 -0600
+
+postfix (0.0.20010329.SNAPSHOT-2) unstable; urgency=low
+ * Somehow lost dbm support.
+
+ -- LaMont Jones <lamont at debian.org> Wed, 4 Apr 2001 11:47:12 -0600
+
+postfix (0.0.20010329.SNAPSHOT-1) unstable; urgency=low
+ * New upstream version.
+ * Add ia64 workaround in mymalloc.c (was causing SIGBUS).
+ * Lintian (debconf config) fixes.
+
+ -- LaMont Jones <lamont at debian.org> Fri, 30 Mar 2001 22:39:24 -0700
+
+postfix (0.0.20010228-2) unstable; urgency=low
+ * No configuration on install failed. Closes: #88085
+
+ -- LaMont Jones <lamont at debian.org> Thu, 1 Mar 2001 11:47:45 -0700
+
+postfix (0.0.20010228-1) unstable; urgency=low
+ * FIRST NON-BETA RELEASE!!! Otherwise, no change from
+ 0.0.20010225.SNAPSHOT-1. Differences from upstream are:
+ - nqmgr and virtual delivery agents are included (these are
+ still pretty fluid, and therefore not in the upstream
+ release, although they remain in the upstream snapshots.)
+ - rmail client from Sendmail is included.
+ - minor bug fixes in LDAP maps (to be incorporated upstream
+ very soon - they just didn't make the cut for first release.)
+
+ -- LaMont Jones <lamont at debian.org> Wed, 28 Feb 2001 16:03:40 -0700
+
+postfix (0.0.20010225.SNAPSHOT-1) unstable; urgency=low
+ * New upstream revision.
+ * Introduces mynetworks_style config parameter, which affects how
+ mynetworks is built by default.
+
+ -- LaMont Jones <lamont at debian.org> Mon, 26 Feb 2001 09:41:28 -0700
+
+postfix (0.0.20010222.SNAPSHOT-1) unstable; urgency=low
+ * New upstream revision, release candidtate. See
+ /usr/share/doc/postfix/changelog and .../RELEASE_NOTES for details.
+ - Postfix no longer automatically delivers recipients one at a time
+ when their domain is listed in $mydestination. This change solves
+ delivery performance problems with delivery via LMTP, and with
+ firewall relays that forward all mail for $mydestination to an
+ inside host. See xxx_destination_recipient_limit.
+ - Virtual mailbox delivery agent (actually introduced in 0.0.20010128)
+ - Closes: #87255.
+ * Fix core dump in closing ldap maps without _domain specified.
+ * Always ask whether to use a world-writable maildrop (even for "No
+ configuration" case.) Closes: #86408.
+ * Teach init.d script about force-reload. Closes: #86399.
+
+ -- LaMont Jones <lamont at debian.org> Fri, 23 Feb 2001 08:03:53 -0700
+
+postfix (0.0.20010204.SNAPSHOT-1) unstable; urgency=low
+ * New upstream release.
+ * Make 'No configuration' the default if main.cf exists. Closes: #84335.
+ * Make sure to handle maildrop perms even in 'No configuration' case.
+ Reported by Branden Robinson on IRC.
+
+ -- LaMont Jones <lamont at debian.org> Sun, 4 Feb 2001 18:16:02 -0700
+
+postfix (0.0.20010128.SNAPSHOT-1) unstable; urgency=low
+ * New upstream release, near-to-release.
+ * it's mydestination, not destinations. Closes: #83606.
+
+ -- LaMont Jones <lamont at debian.org> Sun, 28 Jan 2001 21:15:18 -0700
+
+postfix (0.0.20001217.SNAPSHOT-7) unstable; urgency=high
+ * Fix stupid mistake with move of main.cf.dist to examples. (install fails)
+
+ -- LaMont Jones <lamont at debian.org> Tue, 23 Jan 2001 15:24:58 -0700
+
+postfix (0.0.20001217.SNAPSHOT-6) unstable; urgency=low
+ * When copying /etc/passwd into chroot (because of local_maps), strip
+ passwords...
+ * Leave the source-default for myorigin set to the upstream default.
+ Move main.cf.{default,dist} to /usr/share/doc/postfix/examples.
+ Reported by Marco d'Itri. Closes: #82905.
+ * Remove pointless README's from the binary.
+ * /etc/postfix/{pcre_table,regexp_table} were not listed as config
+ files.
+
+ -- LaMont Jones <lamont at debian.org> Sat, 20 Jan 2001 10:51:30 -0700
+
+postfix (0.0.20001217.SNAPSHOT-5) unstable; urgency=low
+ * If using local_recipient_maps = ... unix:passwd.byname, then copy
+ /etc/passwd into the chroot jail so that local users get mail.
+ Closes: #65473.
+ * remove dpkg-statoverride workaround.
+ * If 'No configuration' is specified, leave main.cf ALONE.
+
+ -- LaMont Jones <lamont at debian.org> Sat, 13 Jan 2001 21:02:25 -0700
+
+postfix (0.0.20001217.SNAPSHOT-4) unstable; urgency=low
+ * Fix ldap_domain. Closes: #81558.
+ * Fix version comparison in preinst. Closes: #81044.
+ * Give procmail question a default answer (on iff procmail exists).
+ * Use dpkg-statoverride to deal with postdrop. Closes: #65083, #65089
+ * Remove contents of /var/spool/postfix/{lib,etc} in prerm.
+
+ -- LaMont Jones <lamont at debian.org> Thu, 11 Jan 2001 18:43:37 -0700
+
+postfix (0.0.20001217.SNAPSHOT-2) unstable; urgency=low
+ * maildrop was created in /etc/postfix. Closes: #80117.
+
+ -- LaMont Jones <lamont at debian.org> Wed, 20 Dec 2000 07:50:35 -0700
+
+postfix (0.0.20001217.SNAPSHOT-1) unstable; urgency=low
+ * New upstream version. See /usr/share/doc/postfix/RELEASE_NOTES.
+ - All time-related config parameters (except for LDAP and MYSQL)
+ now take a 1 letter suffix to indicate units: (s)econd, (m)inute,
+ (h)our, (d)ay, (w)eek.
+ - Partial rewrite of MYSQL client around memory problems - needs
+ more work and a production test. Please report any problems.
+ - local_transport and default_transport now accept transport:destination
+ notation. The :destination is optional.
+ - Fix for postconf -m defect.
+ - Starting with snapshot-20000531, mail submitted via the sendmail
+ interface (SMTP was OK) had unterminated text records, and parts of
+ lines longer than 2048 bytes deleted from message content.
+ - Failure to connect to an LDAP server could result in coredumps
+ due to a dangling pointer.
+ * Don't set myhostname in postinst if main.cf exists. Closes: #79390.
+ * Allow myorigin=/etc/mailname, which will help eliminate stomping on
+ main.cf. Setting the mailname with debconf will result in /etc/mailname
+ having the new mailname, and myorigin=/etc/mailname.
+
+ -- LaMont Jones <lamont at debian.org> Sun, 17 Dec 2000 21:31:04 -0700
+
+postfix (0.0.20001210.SNAPSHOT-1) unstable; urgency=low
+ * New upstream version. See /usr/share/doc/postfix/RELEASE_NOTES.
+ - local delivery agent now logs warning when unable to create
+ /file/name.lock (on /file/name deliveries). Delivery continues
+ as before.
+ - The queue manager could deadlock for 10 seconds when bouncing
+ mail under extreme load from one-to-one mass mailings.
+ - Local delivery performance was substandard, because the per-user
+ concurrency limit accidentally applied to the entire local
+ domain.
+ - smtp client skips "CODE TEXT" (instead of treating it as "CODE
+ SPACE TEXT".
+ - Changes in libutil and libglobal routines, may affect third party
+ code.
+ - mailbox locking now fully run-time configurable.
+ - "import_environment" and "export_environment" parameters now
+ provide explicit control over the environment of postfix daemons.
+ - "mailbox_transport" and "fallback_transport" parameters now
+ understand the form "transport:nexthop", with suitable defaults.
+
+ -- LaMont Jones <lamont at debian.org> Sun, 10 Dec 2000 22:56:06 -0700
+
+postfix (0.0.20001121.SNAPSHOT-1) unstable; urgency=low
+ * New upstream version, support for sendmail style virtual domains.
+ Upstream fix for #76760. (sendmail now supports -G option.)
+ * Defaults were handled poorly in config code. Closes: #77444.
+ * More debconf cleanup. Closes: #77094.
+ * Only set myorigin in /etc/init.d/postfix if /etc/mailname is newer
+ than /etc/postfix/main.cf (was unconditional). Closes: #77789.
+ * Prior rev had problems if upgrading a non-world-writable mailspool
+ from -3. Closes: #78222.
+
+ -- LaMont Jones <lamont at debian.org> Mon, 27 Nov 2000 20:34:27 -0700
+
+postfix (0.0.20001030.SNAPSHOT-4) unstable; urgency=low
+ * Remove -G option from rmail's invocation of sendmail. Closes: #76760.
+ * Cleanup debconf config file. Closes: #76759, #76770.
+
+ -- LaMont Jones <lamont at debian.org> Wed, 11 Nov 2000 19:16:40 -0600
+
+postfix (0.0.20001030.SNAPSHOT-3) unstable; urgency=low
+ * If /etc/mailname doesn't exist, don't set myorigin at startup.
+ Closes: #76546, #76584.
+ * LDAP queries were broken if _domain was not specified.
+ * Integrated debconf support, based on patches by Colin Walters
+ <walters at cis.ohio-state.edu> and John Goerzen <jgoerzen at progenylinux.com>,
+ and some Perl help from Tommi Virtanen on IRC.
+ * Change default 'mynetworks' to just 127.0.0.0/8. If the machine
+ is supposed to relay mail for other hosts, main.cf needs to be
+ edited. Closes: #72744, #56287, #74288.
+ * Upgrade rmail to the copy from sendmail 8.11.1.
+
+ -- LaMont Jones <lamont at debian.org> Wed, 10 Nov 2000 08:11:46 -0600
+
+postfix (0.0.20001030.SNAPSHOT-2) unstable; urgency=low
+ * Remove bash-ism in /etc/init.d/postfix. Closes: #76292.
+
+ -- LaMont Jones <lamont at debian.org> Sun, 5 Nov 2000 12:35:04 -0600
+
+postfix (0.0.20001030.SNAPSHOT-1) unstable; urgency=low
+
+ * New upstream version: DSN-style bounce messages, better LDAP support
+ Closes: #72659, #75017, #75962.
+ * Fix bsmtp line. Closes: #72504
+ * Fix build-depends line. Closes: #73678
+ * Copy resolv.conf at ppp startup. Closes: #74497
+ * Remove SASL support (introduced in prior NMU). Waiting for
+ the upstream author to support SASL.
+ * Add quotes in postinst. Closes: #68351
+
+ -- LaMont Jones <lamont at debian.org> Tue, 31 Oct 2000 16:09:40 -0600
+
+postfix (0.0.20000531.SNAPSHOT-1.1) unstable; urgency=low
+
+ * NMU for libdb2/glibc upgrade
+ * Move build-deps to general control section
+ * Add version to libdb2 build-dep, also changed libopenldap-dev to
+ libldap2-dev and libpcre2-dev to libpcre3-dev.
+ * Fixed some minor compilation problems with dict_ldap.c for libldap2
+ * debian/rules: modify AUXLIBS to include libgdbm, libsasl and libdb2,
+ and add -ldl to LIBS.
+
+ -- Ben Collins <bcollins at debian.org> Wed, 27 Sep 2000 16:22:15 -0400
+
+postfix (0.0.20000531.SNAPSHOT-1) unstable; urgency=low
+ * New upstream SNAPSHOT. FEATURES IN SNAPSHOTS ARE SUBJECT TO CHANGE
+ WITHOUT WARNING. Future uploads to unstable may or may not roll
+ such changes into your configuration. You have been warned...
+ See /usr/share/doc/postfix/RELEASE_NOTES.
+
+ Note that queue files from this version and later will not be accepted
+ by earlier versions of Postfix, so downgrading would be a challenge...
+ (Old queue files work just fine with this version.)
+
+ * Content filtering support. See /usr/share/doc/postfix/FILTER_README.
+ * LMTP support. See /usr/share/doc/postfix/LMTP_README.
+ * nroff commands are gone from the config files. Closes: #49674.
+
+ -- LaMont Jones <lamont at debian.org> Wed, 31 May 2000 22:39:40 -0600
+
+postfix (0.0.19991231pl08-1) unstable; urgency=low
+ * New upstream version: adds body_checks for content filter looking
+ at non-header lines one at a time (including MIME headers in the
+ message body.)
+
+ -- LaMont Jones <lamont at debian.org> Sun, 28 May 2000 21:29:16 -0600
+
+postfix (0.0.19991231pl07-1) unstable; urgency=low
+ * New upstream version, see RELEASE_NOTES for changes.
+ * Makefile cleanup, switch to using doc-base. Closes: #64086.
+ Also gets rid of /usr/share/doc/postfix/index.html.
+
+ -- LaMont Jones <lamont at debian.org> Wed, 24 May 2000 10:24:17 -0600
+
+postfix (0.0.19991231pl05-2) frozen unstable; urgency=low
+ * Provide /usr/share/doc/postfix/index.html. Closes: #60801.
+ * Change cyrus delivery agent in master.cf. Closes: #62512.
+ * Handle case where admin created postfix user, but not group before
+ installing. Closes: #61049.
+ * Add -e to startup script, avoiding nuking libnss_*so*. Closes: #62330.
+ * Quit creating /usr/man/man[158]. Closes: #61430.
+ * lintian fixes.
+ * Suggest procmail, rather than recommend.
+
+ -- LaMont Jones <lamont at debian.org> Wed, 24 May 2000 07:21:27 -0600
+
+postfix (0.0.19991231pl05-1) frozen unstable; urgency=low
+ * New upstream patch rev.
+ * Postdrop should be owned by root. Closes: #59058
+ * Better detection of when postfix user already exists. Closes: #59417
+ * If hostname is not set, figure it out at runtime. Closes: #58199
+ # Upload to unstable and frozen. Closes: #60343
+
+ -- LaMont Jones <lamont at debian.org> Wed, 15 Mar 2000 09:41:54 -0600
+
+postfix (0.0.19991231pl04-1) frozen; urgency=low
+ * New upstream version.
+ * Make postfix run chrooted, like it's supposed to.
+ * Eliminate complaints about different libnss* versions in chroot. Closes
+ #58364, #58181.
+
+ -- LaMont Jones <lamont at debian.org> Sun, 20 Feb 2000 10:57:28 -0600
+
+postfix (0.0.19991231pl02-1) unstable; urgency=low
+ * New upstream version, with incompatible changes in transport map
+ processing. Many other enhancements, see the upstream changelog
+ for more detail.
+ * RELEASE_NOTES didn't make it into the package before, because it
+ was overwritten by HISTORY (as changelog).
+
+ -- LaMont Jones <lamont at debian.org> Mon, 10 Jan 1999 22:22:53 -0600
+
+postfix (0.0.19990906pl07-1) unstable; urgency=low
+ * New upstream patch.
+ * Make console messages match standard. Closes #44677,45209
+ * Rename HISTORY to changelog, per policy. Closes #46034
+ * Move docs to /usr/share/doc/postfix, per current policy. Closes #47279
+ * Only automatically start Postfix on an upgrade. Close #48855
+
+ -- LaMont Jones <lamont at debian.org> Sun, 14 Nov 1999 11:06:56 -0600
+
+postfix (0.0.19990906pl02-1) unstable; urgency=low
+ * New upstream patch.
+ * Add in the rest of the README files, and BEWARE file.
+
+ -- LaMont Jones <lamont at debian.org> Tue, 7 Sep 1999 12:49:06 -0600
+
+postfix (0.0.19990906pl01-1) unstable; urgency=low
+ * New upstream version.
+ * process check_sender_access (without a warning) when no sender has
+ been specified.
+
+ -- LaMont Jones <lamont at debian.org> Tue, 7 Sep 1999 09:39:02 -0600
+
+postfix (0.0.19990627-6) unstable; urgency=low
+ * Missing several files from /usr/doc/postfix/html. Closes Bug#43407
+ * Upstream patch: possible core dump from VRFY with check_relay_domains
+ * Copy files into the chroot at startup time, add comment to the same
+ effect in ip-up.d/postfix.
+ * Rebuild with gcc 2.95-1.1, Closes Bug#43676
+ * New dict_ldap.c from upstream (and sideways). I understand that this
+ should be in the next beta. Add LDAP support (static built with
+ libopenldap1 1.2.6-1) Closes Bug#43609
+ * Upstream patch: lock around DB open to avoid race with DB rebuilds.
+
+ -- LaMont Jones <lamont at debian.org> Tue, 31 Aug 1999 20:13:23 -0600
+
+postfix (0.0.19990627-5) unstable; urgency=low
+ * Bad port number in error message from smtp_connect (Bug#43178)
+ * Better fix for always_bcc problem (Bug#43235)
+
+ -- LaMont Jones <lamont at debian.org> Thu, 19 Aug 1999 20:52:11 -0600
+
+postfix (0.0.19990627-4) unstable; urgency=low
+ * Fix postinstall script's check for NIS. (Bug #43036)
+
+ -- LaMont Jones <lamont at debian.org> Mon, 16 Aug 1999 07:05:23 -0600
+
+postfix (0.0.19990627-3) unstable; urgency=low
+ * Various upstream fixes:
+ * Fix to build with libpcre2 2.07 (don't try to build with < 2.06) Bug #43004
+ * Fix sendmail exit status.
+ * Add $SENDER to supported mailbox_command arguments.
+ * always_bcc and sendmail -t didn't mix well (sendmail only sent to the
+ always_bcc recipient.)
+
+ -- LaMont Jones <lamont at debian.org> Sat, 14 Aug 1999 19:00:14 -0600
+
+postfix (0.0.19990627-2) unstable; urgency=low
+ * Postinst failed copying stuff into the chroot if the file did not exist
+ on the system. (Bug #41013)
+
+ -- LaMont Jones <lamont at debian.org> Thu, 8 Jul 1999 17:29:34 -0600
+
+postfix (0.0.19990627-0) unstable; urgency=low
+ * New upstream SNAPSHOT (pre-beta).
+ * DFSG compatible license!!!!
+ * Cleanup init.d to just let postfix-script say it's piece. (Bug #39822)
+ * Don't deliver /etc/postfix files that aren't conffiles... (Bug #40313)
+
+ -- LaMont Jones <lamont at debian.org> Sun, 27 Jun 1999 23:15:57 -0600
+
+postfix (0.0.19990601-3) unstable; urgency=low
+ * /usr/include/paths.h has a bad value for _PATH_MAILDIR. Fixed by getting
+ a good copy of libc6-dev (2.1.1-10, not -5...)
+
+ -- LaMont Jones <lamont at debian.org> Sun, 6 Jun 1999 23:23:21 -0600
+
+postfix (0.0.19990601-2) unstable; urgency=low
+ * Have postinst take care of installing postfix-script,
+ instead of defaulting it in the package. (Bug #39009)
+
+ -- LaMont Jones <lamont at debian.org> Sat, 5 Jun 1999 22:13:41 -0600
+
+postfix (0.0.19990601-1) unstable; urgency=low
+ * New upstream version
+ * Fix handling of mailname (Bug #37593)
+ * Remove prompt in preinst (Bug #35413)
+ * Only prompt when absolutely necessary during install/upgrade.
+ * Add PCRE support, using libpcre.a (Bug #36780)
+ * See /usr/doc/postfix/changelog for incompatible changes from
+ prior version.
+ * The supported map types in this build are: environ, unix, hash,
+ btree, nis, pcre, and regexp.
+
+ -- LaMont Jones <lamont at debian.org> Tue, 1 Jun 1999 22:27:21 -0600
+
+postfix (0.0.19990317pl01-2) unstable; urgency=low
+ * add dhelp support
+
+ -- LaMont Jones <lamont at debian.org> Wed, 12 May 1999 17:25:00 -0600
+
+postfix (0.0.19990317pl01-1) unstable; urgency=low
+ * New upstream release
+ * If suidmanager is being used, unregister /usr/sbin/sendmail (Bug #33995).
+ This works around a sendmail defect (#33656), fixed in sendmail 8.9.3-2.
+ * Don't override CC setting in debian/rules (Bug #34720).
+ * Add rmail: actually, copy the source over from sendmail 8.9.3-2, and
+ wrap a Postfix-style makefile around it. (Bug #31814)
+ * Actually list the dependency on adduser. (Bug #34979)
+
+ -- LaMont Jones <lamont at debian.org> Wed, 24 Mar 1999 01:00:15 -0700
+
+postfix (0.0.19990122pl01-1) unstable; urgency=low
+ * Upstream patch release, see /usr/doc/postfix/changelog.
+ * Fix upload to include orig and .diff. Sigh.
+ * Add /usr/lib/sendmail symlink (bug 30940)
+
+ -- LaMont Jones <lamont at debian.org> Mon, 1 Feb 1999 20:10:59 -0600
+
+postfix (0.0.19990122-1) unstable; urgency=low
+ * New upstream version. See /usr/doc/postfix/changelog.
+ * Use dot locks, in conformance with Debian standards. (bug 32683)
+
+ -- LaMont Jones <lamont at debian.org> Wed, 22 Jan 1999 23:30:14 -0600
+
+postfix (0.0.19981230pl01-1) unstable; urgency=low
+ * Upstream patch for > 50 recipients per delivery. Refused recipients
+ (with transient errors) would not be retried.
+
+ -- LaMont Jones <lamont at debian.org> Wed, 13 Jan 1999 20:31:10 -0600
+
+postfix (0.0.19981230-3) unstable; urgency=low
+ * Make sure that postdrop and maildrop have the right permissions
+ in all of the permutations of writable/non world-writable
+ maildrop.
+
+ -- LaMont Jones <lamont at debian.org> Sat, 9 Jan 1999 18:31:10 -0600
+
+postfix (0.0.19981230-2) unstable; urgency=low
+ * Fix erroneous symlink /usr/lib/zoneinfo - should be in
+ /var/spool/postfix/usr/lib, not the system root...
+ * Fix sed screwup in post-inst alias_maps expansion.
+
+ -- LaMont Jones <lamont at debian.org> Fri, 8 Jan 1999 23:10:20 -0600
+
+postfix (0.0.19981230-1) unstable; urgency=low
+ * New upstream version. See /usr/doc/postfix/HISTORY for changes.
+ Still suffers from the same not-quite-DFSG license.
+ * This version allows you to have a non-world-writable maildrop,
+ if you desire. The (additional) group used for this purpose is
+ 'postdrop', as is the setgid program in /usr/sbin.
+ * Split daemon and user commands. post* now live in /usr/sbin,
+ and the daemon programs live in /usr/lib/postfix.
+ * Check if NIS is installed, and do (or do not) include nis:mail.aliases
+ accordingly.
+ * Make /etc/aliases not be a conffile, and don't delete it during
+ dpkg --purge. The correct answer here is probably to have all of
+ the MTA's that use /etc/aliases depend on a package that provides
+ just that, and that way switching MTA's won't nuke the alias
+ file...
+
+ -- LaMont Jones <lamont at debian.org> Sun, 3 Jan 1999 19:40:30 -0600
+
+postfix (0.0.19981211-1) unstable; urgency=low
+
+ * Fix lintian errors, other minor cleanup.
+
+ -- LaMont Jones <lamont at debian.org> Mon, 14 Dec 1998 11:22:32 -0600
+
+postfix (0.0.19981211-0) unstable; urgency=low
+
+ * Initial beta release, contains IBM code and contrib diretcory.
+ Claims to be Beta-19981211 internally...
+
+ -- LaMont Jones <lamont at debian.org> Fri, 11 Dec 1998 22:31:37 -0600
Added: trunk/kolab-postfix/debian/conffiles
===================================================================
--- trunk/kolab-postfix/debian/conffiles 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/conffiles 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,9 @@
+/etc/init.d/kolab-postfix
+/etc/ppp/ip-up.d/kolab-postfix
+/etc/ppp/ip-down.d/kolab-postfix
+/etc/network/if-up.d/kolab-postfix
+/etc/network/if-down.d/kolab-postfix
+/etc/kolab-postfix/kolab-postfix-script
+/etc/kolab-postfix/kolab-post-install
+/etc/kolab-postfix/kolab-postfix-files
+/etc/resolvconf/update-libc.d/kolab-postfix
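Review bot: A hand-maintained debian/conffiles duplicates what dh_installdeb generates for every file under /etc at debhelper compat level 3 or later, so if this package uses such a level the nine entries here are redundant and will silently drift from the installed file set as hook scripts are added or renamed; the compat level is not visible in this hunk, so please confirm before keeping the file. If the list is intentional (for example to restrict which /etc paths are conffiles), a one-line comment at the top stating that intent would prevent a later maintainer from deleting it, e.g. `# Explicit conffile list: keep in sync with the files installed under /etc` — note that dpkg treats every line of this file as a path, so such a comment would have to live in README.Debian or debian/rules rather than here. Several of the listed paths (the ppp, ifupdown and resolvconf hooks) are scripts that other packages run as root on network events, so keeping them as conffiles is the right choice: it preserves local edits and makes dpkg prompt when the packaged version changes.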
Added: trunk/kolab-postfix/debian/config
===================================================================
--- trunk/kolab-postfix/debian/config 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/config 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,355 @@
+#!/usr/bin/perl -w
+# -*-CPerl-*-
+# Script to configure Postfix.
+# Based on code by Colin Walters <walters at cis.ohio-state.edu>,
+# and John Goerzen <jgoerzen at progenylinux.com>.
+
+use Debconf::Client::ConfModule qw(:all);
+use Fcntl;
+
+my $version = version(2.0);
+capb("backup");
+title("Postfix Configuration");
+
+# begin configuration script
+
+my $topstate;
+my $back;
+my $noninteractive;
+
+# Regexps for checking domain names, blatantly stolen from exim config
+my $rfc1035_label_re= '[0-9A-Za-z]([-0-9A-Za-z]*[0-9A-Za-z])?';
+my $rfc1035_domain_re= "$rfc1035_label_re(\\.$rfc1035_label_re)*";
+my $network_re= '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}';
+
+$topstate = "start";
+
+while ($topstate ne "done") {
+ TOPSTATE: {
+ if ($topstate eq "start") {
+ if (fget("postfix/main_mailer_type", "isdefault") eq "true") {
+ if (-f "/etc/kolab-postfix/main.cf") {
+ set("postfix/main_mailer_type", "No configuration");
+ }
+ }
+ $noninteractive = (((input("high", "postfix/main_mailer_type"))[0]) == 30);
+ if ($noninteractive) {
+ my $mailertype = get("postfix/main_mailer_type");
+ if ($mailertype eq "No configuration") {
+ # We can't display a note here, because it could send mail,
+ # which isn't configured...
+ #$noninteractive = ((input("critical", "postfix/not_configured"))[0] == 30);
+ #go();
+ $topstate="ending-setup";
+ } else {
+ $topstate="root";
+ }
+ } else {
+ go();
+ $back = (((go())[0]) == 30);
+ $mailertype = get("postfix/main_mailer_type");
+ if ($mailertype eq "No configuration") {
+ $topstate="ending-setup";
+ } else {
+ fset("postfix/main_mailer_type", "changed", "true");
+ if ($back) {
+ fset("postfix/main_mailer_type", "isdefault", "true");
+ fset("postfix/db2_db3_upgrade", "isdefault", "true");
+ } else {
+ fset("postfix/main_mailer_type", "changed", "true");
+ $topstate = "root";
+ if (!(($mailertype eq "Internet with smarthost") ||
+ ($mailertype eq "Satellite system") ||
+ ($mailertype eq "HP"))) {
+ set("postfix/relayhost", "");
+ fset("postfix/relayhost", "changed", "true");
+ }
+ }
+ }
+ }
+ }
+
+ if ($topstate eq "root") {
+ if (fget("postfix/root_address", "isdefault") eq "true") {
+ open(F,"getent passwd 1000|");
+ @l=<F>;
+ close(F);
+ if ($#l > 0) {
+ $l[0] =~ s/:.*$//;
+ set("postfix/root_address",$l[0]);
+ fset("postfix/root_address", "changed", "true");
+ }
+ }
+ $noninteractive = (((input("medium", "postfix/root_address"))[0]) == 30);
+ if (!$noninteractive) {
+ go();
+ fset("postfix/root_address", "changed", "true");
+ }
+ $topstate="mailname";
+ }
+
+ if ($topstate eq "mailname") {
+ my $mailertype = get("postfix/main_mailer_type");
+ if (fget("postfix/mailname", "isdefault") eq "true") {
+ my $mailname;
+ if (-f "/etc/mailname") {
+ $mailname =`cat /etc/mailname`;
+ chomp $mailname;
+ } else {
+ $mailname = `hostname --fqdn 2>/dev/null` || "localdomain";
+ chomp $mailname;
+ }
+ set("postfix/mailname", $mailname);
+ }
+ $noninteractive = (((input("high", "postfix/mailname"))[0]) == 30);
+ if ($noninteractive) {
+ $topstate = "relayhost";
+ } else {
+ $back = (((go())[0]) == 30);
+ if ($back) {
+ fset("postfix/main_mailer_type", "isdefault", "true");
+ fset("postfix/mailname", "isdefault", "true");
+ $topstate = "type";
+ } else {
+ # error checking
+ my $mailname = get("postfix/mailname");
+ fset("postfix/mailname", "changed", "true");
+ if (not ($mailname =~ /$rfc1035_domain_re/)) {
+ set("postfix/rfc1035_violation", "false");
+ fset("postfix/rfc1035_violation", "isdefault", "true");
+ subst("postfix/rfc1035_violation", "enteredstring", $mailname);
+ $noninteractive = (((input("high", "postfix/rfc1035_violation"))[0]) == 30);
+ $back = (((go())[0]) == 30);
+ if ($back) {
+ fset("postfix/mailname", "isdefault", "true");
+ # and back around to ask mailname again.
+ }
+ if (get("postfix/rfc1035_violation") eq "true") {
+ # they wanted to continue despite the error
+ $topstate = "relayhost";
+ } else {
+ fset("postfix/mailname", "isdefault", "true");
+ # and back around to ask mailname again.
+ }
+ } else {
+ # their mailname passed error checking, go on
+ $topstate = "relayhost";
+ }
+ }
+ }
+ }
+
+ if ($topstate eq "relayhost") {
+ my $mailertype = get("postfix/main_mailer_type");
+ if (($mailertype eq "Internet with smarthost") || ($mailertype eq "Satellite system")) {
+ if (fget("postfix/relayhost", "isdefault") eq "true") {
+ my $hostname = `hostname --domain` || "localdomain";
+ chomp $hostname;
+ my $relayname = "smtp." . $hostname;
+ set("postfix/relayhost", $relayname);
+ }
+ $noninteractive = (((input("high", "postfix/relayhost"))[0]) == 30);
+ } else {
+ # skip relayhost if we're an "Internet site" or a "Local only"
+ $topstate = "destinations";
+ $noninteractive=1;
+ }
+ if ($noninteractive) {
+ $topstate = "destinations";
+ } else {
+ $back = (((go())[0]) == 30);
+ if ($back) {
+ fset("postfix/mailname", "isdefault", "true");
+ fset("postfix/relayhost", "isdefault", "true");
+ $topstate = "mailname"; # we skip back to the last question of
+ # equal or higher priority
+ } else {
+ fset("postfix/relayhost", "changed", "true");
+ $topstate = "destinations";
+ }
+ }
+ }
+
+ if ($topstate eq "destinations") {
+ my $mailertype = get("postfix/main_mailer_type");
+ my $hostname = `hostname --fqdn` || "localhost";
+ chomp $hostname;
+ my $domain = `hostname --domain` || "localdomain";
+ chomp $domain;
+ my $mailname = get("postfix/mailname") || "localhost";
+ my $destinations;
+ my $priority="medium";
+ if (fget("postfix/destinations", "set") eq "true") {
+ if ((-x "/usr/sbin/postconf") && (-f "/etc/postfix/main.cf")) {
+ if (open(POSTCONF, "postconf -h mydestination |")) {
+ $destinations=<POSTCONF>;
+ close(POSTCONF);
+ chomp $destinations;
+ set("postfix/destinations", $destinations);
+ }
+ }
+ } else {
+ if ($mailertype eq "Internet Site") {
+ if ($mailname eq $hostname) {
+ $destinations = join ", ",($mailname, "localhost." . $domain, ", localhost");
+ } else {
+ $destinations = join ", ",($mailname, $hostname, "localhost." . $domain . ", localhost");
+ }
+ } else {
+ # don't accept mail for $mailname by default if we have a relayhost or local only mail,
+ # unless the mailname bears no resemblance to $myorigin.
+ $destinations = join ", ",($hostname, "localhost." . $domain . ", localhost" );
+ unless ( $hostname =~ m/(^|[\.])$mailname$/ ) {
+ $destinations = $mailname . ", " . $destinations;
+ }
+ }
+ set("postfix/destinations", $destinations);
+ fset("postfix/destinations","set","true");
+ }
+ if ($mailertype eq "Local only") {
+ $priority="low";
+ }
+ $noninteractive = (((input($priority, "postfix/destinations"))[0]) == 30);
+ if ($noninteractive) {
+ $topstate = "chattr";
+ } else {
+ $back = (((go())[0]) == 30);
+ if ($back) {
+ fset("postfix/relayhost", "isdefault", "true");
+ fset("postfix/destinations", "isdefault", "true");
+ $topstate = "relayhost";
+ } else {
+ fset("postfix/destinations", "changed", "true");
+ $topstate = "chattr";
+ }
+ }
+ }
+
+ if ($topstate eq "chattr") {
+ $noninteractive = (((input("medium", "postfix/chattr"))[0]) == 30);
+ if ($noninteractive) {
+ $topstate = "mynetworks";
+ } else {
+ $back = (((go())[0]) == 30);
+ if ($back) {
+ fset("postfix/destinations", "isdefault", "true");
+ fset("postfix/chattr", "isdefault", "true");
+ $topstate = "destinations";
+ } else {
+ fset("postfix/chattr", "changed", "true");
+ $topstate = "mynetworks";
+ }
+ }
+ }
+
+ if ($topstate eq "mynetworks") {
+ if ((-x "/usr/sbin/postconf") && (-f "/etc/postfix/main.cf")) {
+ my $mynetworks;
+ if (open(POSTCONF, "postconf -h mynetworks |")) {
+ $mynetworks=<POSTCONF>;
+ close(POSTCONF);
+ chomp $mynetworks;
+ set("postfix/mynetworks", $mynetworks);
+ }
+ }
+ $noninteractive = (((input("low", "postfix/mynetworks"))[0]) == 30);
+ if ($noninteractive) {
+ $topstate = "procmail";
+ } else {
+ $back = (((go())[0]) == 30);
+ if ($back) {
+ fset("postfix/chattr", "isdefault", "true");
+ fset("postfix/mynetworks", "isdefault", "true");
+ $topstate = "chattr";
+ } else {
+ fset("postfix/mynetworks", "changed", "true");
+ $topstate = "procmail";
+ }
+ }
+ }
+
+ if ($topstate eq "procmail") {
+ if (fget("postfix/procmail", "isdefault") eq "true") {
+ my $pmdefault="false";
+ if (-x "/usr/bin/procmail") {
+ $pmdefault="true";
+ }
+ set("postfix/procmail", $pmdefault);
+ }
+ if (-x "/usr/bin/procmail") {
+ $noninteractive = (((input("low", "postfix/procmail"))[0]) == 30);
+ } else {
+ $noninteractive = 1;
+ }
+ if ($noninteractive) {
+ $topstate = "mailbox_limit";
+ } else {
+ $back = (((go())[0]) == 30);
+ if ($back) {
+ fset("postfix/mynetworks", "isdefault", "true");
+ fset("postfix/procmail", "isdefault", "true");
+ $topstate = "mynetworks";
+ } else {
+ fset("postfix/procmail", "changed", "true");
+ $topstate = "mailbox_limit";
+ }
+ }
+ }
+
+ if ($topstate eq "mailbox_limit") {
+ $noninteractive = (((input("low", "postfix/mailbox_limit"))[0]) == 30);
+ if ($noninteractive) {
+ $topstate = "recipient_delim";
+ } else {
+ $back = (((go())[0]) == 30);
+ if ($back) {
+ fset("postfix/procmail", "isdefault", "true");
+ fset("postfix/mailbox_limit", "isdefault", "true");
+ $topstate = "procmail";
+ } else {
+ fset("postfix/mailbox_limit", "changed", "true");
+ $topstate = "recipient_delim";
+ }
+ }
+ }
+
+ if ($topstate eq "recipient_delim") {
+ $noninteractive = (((input("low", "postfix/recipient_delim"))[0]) == 30);
+ if ($noninteractive) {
+ $topstate = "ending-setup";
+ } else {
+ $back = (((go())[0]) == 30);
+ if ($back) {
+ fset("postfix/mailbox_limit", "isdefault", "true");
+ fset("postfix/recipient_delim", "isdefault", "true");
+ $topstate = "mailbox_limit";
+ } else {
+ my $delim = get("postfix/recipient_delim");
+ if (length($delim) > 1) {
+ fset("postfix/bad_recipient_delimiter","isdefault","true");
+ subst("postfix/bad_recipient_delimiter", "enteredstring", $delim);
+ $noninteractive = (((input("low", "postfix/bad_recipient_delimiter"))[0]) == 30);
+ fset("postfix/recipient_delim","isdefault","true");
+ # and do it again...
+ } else {
+ fset("postfix/recipient_delim", "changed", "true");
+ $topstate = "ending-setup";
+ }
+ }
+ }
+ }
+
+ if ($topstate eq "ending-setup") {
+ if ($ARGV[1] eq "reconfigure") {
+ # touch /var/lib/postfix/reload
+ sysopen RESTARTFILE, "/var/spool/postfix/reload", O_CREAT;
+ close RESTARTFILE;
+ } else {
+ # touch /var/lib/postfix/restart
+ sysopen RESTARTFILE, "/var/spool/postfix/restart", O_CREAT;
+ close RESTARTFILE;
+ }
+ $topstate = "done";
+ }
+ } # end TOPSTATE
+} # end while ($topstate ne q(done))
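Review bot: The mailname check in the "mailname" state is unanchored, so `/$rfc1035_domain_re/` accepts any string that merely contains one valid label (spaces, quotes or shell metacharacters included) and that value then flows on as postfix/mailname; it should read `if (not ($mailname =~ /^$rfc1035_domain_re$/)) {`. In the "destinations" state `$mailname` is interpolated unescaped into the regex, so a mailname containing `+`, `(` or `[` either mismatches or aborts the config script with a regex compile error; use `unless ( $hostname =~ m/(^|\.)\Q$mailname\E$/ ) {`. Less critical, `if ($#l > 0)` in the "root" state is only true when `getent passwd 1000` returns two or more lines, so the uid-1000 default is never applied in the normal single-line case; `if (@l)` is presumably what was intended. The script also runs without `use strict`, so `$mailertype` and `@l` are silently globals — worth a comment if that is deliberate.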
Added: trunk/kolab-postfix/debian/control
===================================================================
--- trunk/kolab-postfix/debian/control 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/control 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,94 @@
+Source: kolab-postfix
+Section: mail
+Priority: extra
+Maintainer: LaMont Jones <lamont at debian.org>
+Standards-Version: 3.5.2.0
+Build-Depends: debhelper (>= 4.1.16), libdb4.2-dev, libgdbm-dev, libldap2-dev (>=2.1), libpcre3-dev, libmysqlclient10-dev, patch, libssl-dev (>=0.9.7-1), libsasl2-dev, postgresql-dev, po-debconf (>= 0.5.0), groff-base, dpatch
+
+Package: kolab-postfix
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, adduser (>=3.48), dpkg (>= 1.8.3)
+Recommends: mail-reader, resolvconf
+Replaces: postfix-doc (<<1.1.7-0), postfix-tls
+Suggests: procmail, postfix-mysql, postfix-pgsql, postfix-ldap, postfix-pcre
+Conflicts: mail-transport-agent, smail, libnss-db (<< 2.2-3), postfix-tls (<< 2.0-0), postfix
+Provides: mail-transport-agent
+Description: A high-performance mail transport agent
+ ${Description}
+ .
+ This package does not have SASL or TLS support. For SASL and TLS support,
+ install postfix-tls.
+
+Package: kolab-postfix-ldap
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${Source-Version})
+Conflicts: postfix-ldap
+Description: LDAP map support for Postfix
+ ${Description}
+ .
+ This provides support for LDAP maps in Postfix. If you plan to use LDAP maps
+ with Postfix, you need this.
+
+Package: kolab-postfix-pcre
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${Source-Version})
+Conflicts: postfix-pcre
+Description: PCRE map support for Postfix
+ ${Description}
+ .
+ This provides support for PCRE (perl compatible regular expression) maps in
+ Postfix. If you plan to use PCRE maps with Postfix, you need this.
+
+Package: kolab-postfix-mysql
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${Source-Version})
+Conflicts: postfix-mysql
+Description: MYSQL map support for Postfix
+ ${Description}
+ .
+ This provides support for MYSQL maps in Postfix. If you plan to use MYSQL
+ maps with Postfix, you need this.
+
+Package: kolab-postfix-pgsql
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${Source-Version})
+Conflicts: postfix-pgsql
+Description: PGSQL map support for Postfix
+ ${Description}
+ .
+ This provides support for PGSQL maps in Postfix. If you plan to use PGSQL
+ maps with Postfix, you need this.
+
+Package: kolab-postfix-dev
+Architecture: all
+Section: devel
+Depends: postfix (>= ${Upstream}-0), postfix (<< ${Upstream}.0-0)
+Conflicts: postfix-dev
+Description: Postfix loadable modules development environment
+ ${Description}
+ .
+ This provides the headers and library links to build additional map
+ types for Postfix. If you're not developing postfix modules, then you
+ do not need this.
+
+Package: kolab-postfix-doc
+Architecture: all
+Section: doc
+Conflicts: postfix-doc
+Suggests: postfix
+Replaces: postfix (<<0.0.20020113), postfix-tls
+Description: Postfix documentation
+ ${Description}
+ .
+ This package provides documentation for Postfix.
+
+Package: kolab-postfix-tls
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${Source-Version})
+Conflicts: postfix-snap-tls, postfix-tls
+Recommends: mail-reader
+Description: TLS and SASL support for Postfix
+ ${Description}
+ .
+ This package adds support for TLS (see RFC 2487) and SASL (see RFC 2554) to
+ Postfix.
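Review bot: Every sub-package (kolab-postfix-ldap, -pcre, -mysql, -pgsql, -tls) declares `Depends: ... postfix (= ${Source-Version})` while the base package kolab-postfix lists `postfix` in its Conflicts, so each map package depends on exactly the package the base package refuses to coexist with and can never be installed next to it; the dependency should be `kolab-postfix (= ${Source-Version})`, and kolab-postfix-dev's `postfix (>= ${Upstream}-0), postfix (<< ${Upstream}.0-0)` needs the same rename. The Suggests/Replaces lines that still name postfix-* packages only affect hints, not installability, but presumably want the same treatment. Separately, the kolab-postfix description states the package has no SASL or TLS support while Build-Depends lists libssl-dev and libsasl2-dev; that may only serve kolab-postfix-tls, but confirm which is true, since administrators decide whether authenticated relay is on from this text.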
Added: trunk/kolab-postfix/debian/copyright
===================================================================
--- trunk/kolab-postfix/debian/copyright 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/copyright 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,326 @@
+This is the Debian GNU/Linux prepackaged version of Postfix, a mail transport
+agent.
+
+Postfix was created by Wietse Venema <wietse at porcupine.org>; the Debian
+package has been assembled by LaMont Jones <lamont at debian.org> from sources
+available from http://www.postfix.org.
+
+
+ Copyright (c) 1999, International Business Machines Corporation
+ and others. All Rights Reserved.
+
+The following copyright and license applies to this software:
+
+ IBM PUBLIC LICENSE VERSION 1.0 - SECURE MAILER
+
+ THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS IBM PUBLIC
+ LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE
+ PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+ 1. DEFINITIONS
+
+ "Contribution" means:
+ a) in the case of International Business Machines Corporation ("IBM"),
+ the Original Program, and
+ b) in the case of each Contributor,
+ i) changes to the Program, and
+ ii) additions to the Program;
+ where such changes and/or additions to the Program originate
+ from and are distributed by that particular Contributor.
+ A Contribution 'originates' from a Contributor if it was added
+ to the Program by such Contributor itself or anyone acting on
+ such Contributor's behalf.
+ Contributions do not include additions to the Program which:
+ (i) are separate modules of software distributed in conjunction
+ with the Program under their own license agreement, and
+ (ii) are not derivative works of the Program.
+
+ "Contributor" means IBM and any other entity that distributes the Program.
+
+ "Licensed Patents " mean patent claims licensable by a Contributor which
+ are necessarily infringed by the use or sale of its Contribution alone
+ or when combined with the Program.
+
+ "Original Program" means the original version of the software accompanying
+ this Agreement as released by IBM, including source code, object code
+ and documentation, if any.
+
+ "Program" means the Original Program and Contributions.
+
+ "Recipient" means anyone who receives the Program under this Agreement,
+ including all Contributors.
+
+ 2. GRANT OF RIGHTS
+
+ a) Subject to the terms of this Agreement, each Contributor hereby
+ grants Recipient a non-exclusive, worldwide, royalty-free copyright
+ license to reproduce, prepare derivative works of, publicly display,
+ publicly perform, distribute and sublicense the Contribution of such
+ Contributor, if any, and such derivative works, in source code and
+ object code form.
+
+ b) Subject to the terms of this Agreement, each Contributor hereby
+ grants Recipient a non-exclusive, worldwide, royalty-free patent
+ license under Licensed Patents to make, use, sell, offer to sell,
+ import and otherwise transfer the Contribution of such Contributor,
+ if any, in source code and object code form. This patent license
+ shall apply to the combination of the Contribution and the Program
+ if, at the time the Contribution is added by the Contributor, such
+ addition of the Contribution causes such combination to be covered
+ by the Licensed Patents. The patent license shall not apply to any
+ other combinations which include the Contribution. No hardware per
+ se is licensed hereunder.
+
+ c) Recipient understands that although each Contributor grants the
+ licenses to its Contributions set forth herein, no assurances are
+ provided by any Contributor that the Program does not infringe the
+ patent or other intellectual property rights of any other entity.
+ Each Contributor disclaims any liability to Recipient for claims
+ brought by any other entity based on infringement of intellectual
+ property rights or otherwise. As a condition to exercising the rights
+ and licenses granted hereunder, each Recipient hereby assumes sole
+ responsibility to secure any other intellectual property rights
+ needed, if any. For example, if a third party patent license
+ is required to allow Recipient to distribute the Program, it is
+ Recipient's responsibility to acquire that license before distributing
+ the Program.
+
+ d) Each Contributor represents that to its knowledge it has sufficient
+ copyright rights in its Contribution, if any, to grant the copyright
+ license set forth in this Agreement.
+
+ 3. REQUIREMENTS
+
+ A Contributor may choose to distribute the Program in object code form
+ under its own license agreement, provided that:
+ a) it complies with the terms and conditions of this Agreement; and
+ b) its license agreement:
+ i) effectively disclaims on behalf of all Contributors all
+ warranties and conditions, express and implied, including
+ warranties or conditions of title and non-infringement, and
+ implied warranties or conditions of merchantability and fitness
+ for a particular purpose;
+ ii) effectively excludes on behalf of all Contributors all
+ liability for damages, including direct, indirect, special,
+ incidental and consequential damages, such as lost profits;
+ iii) states that any provisions which differ from this Agreement
+ are offered by that Contributor alone and not by any other
+ party; and
+ iv) states that source code for the Program is available from
+ such Contributor, and informs licensees how to obtain it in a
+ reasonable manner on or through a medium customarily used for
+ software exchange.
+
+ When the Program is made available in source code form:
+ a) it must be made available under this Agreement; and
+ b) a copy of this Agreement must be included with each copy of the
+ Program.
+
+ Each Contributor must include the following in a conspicuous location
+ in the Program:
+
+ Copyright (c) 1997,1998,1999, International Business Machines
+ Corporation and others. All Rights Reserved.
+
+ In addition, each Contributor must identify itself as the originator of
+ its Contribution, if any, in a manner that reasonably allows subsequent
+ Recipients to identify the originator of the Contribution.
+
+ 4. COMMERCIAL DISTRIBUTION
+
+ Commercial distributors of software may accept certain responsibilities
+ with respect to end users, business partners and the like. While this
+ license is intended to facilitate the commercial use of the Program, the
+ Contributor who includes the Program in a commercial product offering
+ should do so in a manner which does not create potential liability for
+ other Contributors. Therefore, if a Contributor includes the Program in
+ a commercial product offering, such Contributor ("Commercial Contributor")
+ hereby agrees to defend and indemnify every other Contributor
+ ("Indemnified Contributor") against any losses, damages and costs
+ (collectively "Losses") arising from claims, lawsuits and other legal
+ actions brought by a third party against the Indemnified Contributor to
+ the extent caused by the acts or omissions of such Commercial Contributor
+ in connection with its distribution of the Program in a commercial
+ product offering. The obligations in this section do not apply to any
+ claims or Losses relating to any actual or alleged intellectual property
+ infringement. In order to qualify, an Indemnified Contributor must:
+ a) promptly notify the Commercial Contributor in writing of such claim,
+ and
+ b) allow the Commercial Contributor to control, and cooperate with
+ the Commercial Contributor in, the defense and any related
+ settlement negotiations. The Indemnified Contributor may
+ participate in any such claim at its own expense.
+
+ For example, a Contributor might include the Program in a commercial
+ product offering, Product X. That Contributor is then a Commercial
+ Contributor. If that Commercial Contributor then makes performance
+ claims, or offers warranties related to Product X, those performance
+ claims and warranties are such Commercial Contributor's responsibility
+ alone. Under this section, the Commercial Contributor would have to
+ defend claims against the other Contributors related to those performance
+ claims and warranties, and if a court requires any other Contributor to
+ pay any damages as a result, the Commercial Contributor must pay those
+ damages.
+
+ 5. NO WARRANTY
+
+ EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED
+ ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
+ EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
+ CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
+ PARTICULAR PURPOSE. Each Recipient is solely responsible for determining
+ the appropriateness of using and distributing the Program and assumes
+ all risks associated with its exercise of rights under this Agreement,
+ including but not limited to the risks and costs of program errors,
+ compliance with applicable laws, damage to or loss of data, programs or
+ equipment, and unavailability or interruption of operations.
+
+ 6. DISCLAIMER OF LIABILITY
+
+ EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
+ ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
+ WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION
+ OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF
+ ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ 7. GENERAL
+
+ If any provision of this Agreement is invalid or unenforceable under
+ applicable law, it shall not affect the validity or enforceability of
+ the remainder of the terms of this Agreement, and without further action
+ by the parties hereto, such provision shall be reformed to the minimum
+ extent necessary to make such provision valid and enforceable.
+
+ If Recipient institutes patent litigation against a Contributor with
+ respect to a patent applicable to software (including a cross-claim or
+ counterclaim in a lawsuit), then any patent licenses granted by that
+ Contributor to such Recipient under this Agreement shall terminate
+ as of the date such litigation is filed. In addition, If Recipient
+ institutes patent litigation against any entity (including a cross-claim
+ or counterclaim in a lawsuit) alleging that the Program itself (excluding
+ combinations of the Program with other software or hardware) infringes
+ such Recipient's patent(s), then such Recipient's rights granted under
+ Section 2(b) shall terminate as of the date such litigation is filed.
+
+ All Recipient's rights under this Agreement shall terminate if it fails
+ to comply with any of the material terms or conditions of this Agreement
+ and does not cure such failure in a reasonable period of time after
+ becoming aware of such noncompliance. If all Recipient's rights under
+ this Agreement terminate, Recipient agrees to cease use and distribution
+ of the Program as soon as reasonably practicable. However, Recipient's
+ obligations under this Agreement and any licenses granted by Recipient
+ relating to the Program shall continue and survive.
+
+ IBM may publish new versions (including revisions) of this Agreement
+ from time to time. Each new version of the Agreement will be given a
+ distinguishing version number. The Program (including Contributions)
+ may always be distributed subject to the version of the Agreement under
+ which it was received. In addition, after a new version of the Agreement
+ is published, Contributor may elect to distribute the Program (including
+ its Contributions) under the new version. No one other than IBM has the
+ right to modify this Agreement. Except as expressly stated in Sections
+ 2(a) and 2(b) above, Recipient receives no rights or licenses to the
+ intellectual property of any Contributor under this Agreement, whether
+ expressly, by implication, estoppel or otherwise. All rights in the
+ Program not expressly granted under this Agreement are reserved.
+
+ This Agreement is governed by the laws of the State of New York and the
+ intellectual property laws of the United States of America. No party to
+ this Agreement will bring a legal action under this Agreement more than
+ one year after the cause of action arose. Each party waives its rights
+ to a jury trial in any resulting litigation.
+
+The following license applies to rmail, distributed with Postfix:
+
+ SENDMAIL LICENSE
+
+ The following license terms and conditions apply, unless a different
+ license is obtained from Sendmail, Inc., 6425 Christie Ave, Fourth Floor,
+ Emeryville, CA 94608, or by electronic mail at license at sendmail.com.
+
+ License Terms:
+
+ Use, Modification and Redistribution (including distribution of any
+ modified or derived work) in source and binary forms is permitted only if
+ each of the following conditions is met:
+
+ 1. Redistributions qualify as "freeware" or "Open Source Software" under
+ one of the following terms:
+
+ (a) Redistributions are made at no charge beyond the reasonable cost of
+ materials and delivery.
+
+ (b) Redistributions are accompanied by a copy of the Source Code or by an
+ irrevocable offer to provide a copy of the Source Code for up to three
+ years at the cost of materials and delivery. Such redistributions
+ must allow further use, modification, and redistribution of the Source
+ Code under substantially the same terms as this license. For the
+ purposes of redistribution "Source Code" means the complete compilable
+ and linkable source code of sendmail including all modifications.
+
+ 2. Redistributions of source code must retain the copyright notices as they
+ appear in each source code file, these license terms, and the
+ disclaimer/limitation of liability set forth as paragraph 6 below.
+
+ 3. Redistributions in binary form must reproduce the Copyright Notice,
+ these license terms, and the disclaimer/limitation of liability set
+ forth as paragraph 6 below, in the documentation and/or other materials
+ provided with the distribution. For the purposes of binary distribution
+ the "Copyright Notice" refers to the following language:
+ "Copyright (c) 1998-2000 Sendmail, Inc. All rights reserved."
+
+ 4. Neither the name of Sendmail, Inc. nor the University of California nor
+ the names of their contributors may be used to endorse or promote
+ products derived from this software without specific prior written
+ permission. The name "sendmail" is a trademark of Sendmail, Inc.
+
+ 5. All redistributions must comply with the conditions imposed by the
+ University of California on certain embedded code, whose copyright
+ notice and conditions for redistribution are as follows:
+
+ (a) Copyright (c) 1988, 1993 The Regents of the University of
+ California. All rights reserved.
+
+ (b) Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ (i) Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ (ii) Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+ (iii) Neither the name of the University nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+ 6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
+ SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
+ NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
+ CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ $Revision: 1.1.4.3 $, Last updated $Date: 2003/07/23 16:13:15 $
+
+The TLS patch was written by Lutz Jänicke <Lutz.Jaenicke at aet.TU-Cottbus.DE>.
+Downlaoded from ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls, it has the
+following license:
+
+ This software is free. You can do with it whatever you want. I would
+ however kindly ask you to acknowledge the use of this package, if you
+ are going use it in your software, which you might be going to
+ distribute. I would also like to receive a note if you are a satisfied
+ user :-)
Added: trunk/kolab-postfix/debian/dirs
===================================================================
--- trunk/kolab-postfix/debian/dirs 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/dirs 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,24 @@
+DEBIAN
+etc/init.d
+etc/ppp/ip-up.d
+etc/ppp/ip-down.d
+etc/network/if-up.d
+etc/network/if-down.d
+usr/bin
+usr/sbin
+usr/lib/kolab-postfix
+usr/share/doc/kolab-postfix
+usr/share/man/man1
+usr/share/man/man5
+usr/share/man/man8
+usr/share/lintian/overrides
+usr/share/kolab-postfix
+etc/kolab-postfix
+etc/resolvconf/update-libc.d
+var/spool/kolab-postfix
+var/spool/kolab-postfix/etc
+var/spool/kolab-postfix/lib
+var/spool/kolab-postfix/usr
+var/spool/kolab-postfix/usr/lib
+var/spool/kolab-postfix/usr/lib/zoneinfo
+var/log
Added: trunk/kolab-postfix/debian/functions
===================================================================
--- trunk/kolab-postfix/debian/functions 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/functions 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,25 @@
+addmap()
+{
+ name=$1
+ if [ "x$2" != "x" ]; then
+ mkmap=${2:=}
+ fi
+ FILE=/etc/kolab-postfix/dynamicmaps.cf
+ if ! grep -q "^${name}[[:space:]]" ${FILE}; then
+ echo "Adding ${name} map entry to ${FILE}"
+ echo "${name} /usr/lib/postfix/dict_${name}.so dict_${name}_open ${mkmap}" >> ${FILE}
+ fi
+ return 0
+}
+delmap()
+{
+ name=$1
+ FILE=/etc/kolab-postfix/dynamicmaps.cf
+ if grep -q "^${name}[[:space:]]" ${FILE}; then
+ echo "Removing ${name} map entry from ${FILE}"
+ sed "/^${name}[[:space:]]/d" ${FILE} > ${FILE}.$$ && \
+ cp ${FILE}.$$ ${FILE} && \
+ rm ${FILE}.$$
+ fi
+ return 0
+}
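Review bot: `addmap` registers the map in /etc/kolab-postfix/dynamicmaps.cf but points it at `/usr/lib/postfix/dict_${name}.so`, while the `dirs` hunk in this same commit creates `usr/lib/kolab-postfix`; if the renamed package ships its dictionary modules under its own lib directory, every entry written here will fail to load, so the path should be confirmed against the install rules. The `mkmap=${2:=}` line is misleading: the surrounding guard already ensures `$2` is non-empty, so `:=` never assigns and `mkmap=$2` expresses the same thing. In `delmap`, `sed … > ${FILE}.$$ && cp … && rm` rewrites the config through a non-atomic copy, so an interruption during the `cp` leaves a truncated dynamicmaps.cf; `mv -f "${FILE}.$$" "${FILE}"` is atomic, and if `cp` was chosen to preserve the file's mode and owner, a comment should say so. Neither function quotes `${FILE}` or `${name}`, and `${name}` is interpolated into the grep and sed patterns unescaped, so a comment noting that callers must pass plain map names would help the next maintainer.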
Added: trunk/kolab-postfix/debian/init.d
===================================================================
--- trunk/kolab-postfix/debian/init.d 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/init.d 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,91 @@
+#!/bin/sh -e
+
+# Start or stop Postfix
+#
+# LaMont Jones <lamont at debian.org>
+# based on sendmail's init.d script
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+DAEMON=/usr/sbin/postfix
+NAME=Postfix
+TZ=
+unset TZ
+
+# Defaults - don't touch, edit /etc/default/postfix
+SYNC_CHROOT="y"
+
+test -f /etc/default/postfix && . /etc/default/postfix
+
+test -x $DAEMON && test -f /etc/postfix/main.cf || exit 0
+
+case "$1" in
+ start)
+ echo -n "Starting mail transport agent: Postfix"
+
+ # see if anything is running chrooted.
+ NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/master.cf)
+
+ if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
+ # Make sure that the chroot environment is set up correctly.
+ oldumask=$(umask)
+ umask 022
+ cd $(postconf -h queue_directory)
+
+ # if we're using unix:passwd.byname, then we need to add etc/passwd.
+ local_maps=$(postconf -h local_recipient_maps)
+ if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
+ if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
+ sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
+ chmod a+r etc/passwd
+ fi
+ fi
+
+ FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
+ etc/nsswitch.conf"
+ for file in $FILES; do
+ [ -d ${file%/*} ] || mkdir -p ${file%/*}
+ if [ -f /${file} ]; then rm -f ${file} && cp /${file} ${file}; fi
+ if [ -f ${file} ]; then chmod a+rX ${file}; fi
+ done
+ rm -f usr/lib/zoneinfo/localtime
+ ln -sf /etc/localtime usr/lib/zoneinfo/localtime
+ rm -f lib/libnss_*so*
+ tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -
+ umask $oldumask
+ fi
+
+ start-stop-daemon --start --exec ${DAEMON} -- start 2>&1 |
+ (grep -v 'starting the Postfix' 1>&2 || /bin/true)
+ echo "."
+ ;;
+
+ stop)
+ echo -n "Stopping mail transport agent: Postfix"
+ ${DAEMON} stop 2>&1 |
+ (grep -v 'stopping the Postfix' 1>&2 || /bin/true)
+ echo "."
+ ;;
+
+ restart)
+ $0 stop || true
+ $0 start
+ ;;
+
+ force-reload|reload)
+ echo -n "Reloading Postfix configuration..."
+ ${DAEMON} reload 2>&1 |
+ (grep -v 'refreshing the Postfix' 1>&2 || /bin/true)
+ echo "done."
+ ;;
+
+ flush|check|abort)
+ ${DAEMON} $1
+ ;;
+
+ *)
+ echo "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|abort|force-reload}"
+ exit 1
+ ;;
+esac
+
+exit 0
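Review bot: `cd $(postconf -h queue_directory)` in the start branch is unguarded: if `postconf` prints nothing, `cd` with no argument succeeds and changes to `$HOME`, and the `sed > etc/passwd`, `rm -f lib/libnss_*so*` and `rm -f usr/lib/zoneinfo/localtime` lines that follow then run in root's home directory instead of the queue chroot; `-e` does not catch this because the command substitution's status is discarded. Replace it with `qdir=$(postconf -h queue_directory)` / `[ -n "$qdir" ] || exit 1` / `cd "$qdir"`. The script also tests `/usr/sbin/postfix`, `/etc/postfix/main.cf` and `/etc/default/postfix`, and prints `/etc/init.d/postfix` in its usage text, while the `dirs` hunk creates `etc/kolab-postfix` and `var/spool/kolab-postfix`; this looks like an unrenamed copy of the postfix init script and is worth reconciling before upload. `echo -n` is not portable under `#!/bin/sh`, so a `printf` would be safer for the status lines.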
Added: trunk/kolab-postfix/debian/ip-down.d
===================================================================
--- trunk/kolab-postfix/debian/ip-down.d 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/ip-down.d 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,12 @@
+#!/bin/sh -e
+
+# Called when ppp disconnects
+# Written by LaMont Jones <lamont at debian.org>
+
+# start or reload Postfix as needed
+if [ ! -x /sbin/resolvconf ]; then
+ cp /etc/resolv.conf $(postconf -h queue_directory)/etc/resolv.conf
+ /etc/init.d/postfix reload >/dev/null 2>&1
+fi
+
+exit 0
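Review bot: `cp /etc/resolv.conf $(postconf -h queue_directory)/etc/resolv.conf` collapses to `cp /etc/resolv.conf /etc/resolv.conf` when `postconf` returns nothing, and under `-e` that failed copy aborts the hook before the reload; the same construct appears in the first block of ip-up.d. A guarded form such as `qdir=$(postconf -h queue_directory) && [ -n "$qdir" ] && cp /etc/resolv.conf "$qdir/etc/resolv.conf"` avoids both the bad destination and the unquoted path. The hook also calls `/etc/init.d/postfix reload`, whereas this package's `dirs` hunk uses the `kolab-postfix` name throughout, so confirm which init script is actually installed.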
Added: trunk/kolab-postfix/debian/ip-up.d
===================================================================
--- trunk/kolab-postfix/debian/ip-up.d 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/ip-up.d 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+# Called when a new interface comes up
+# Written by LaMont Jones <lamont at debian.org>
+
+# start or reload Postfix as needed
+if [ ! -x /sbin/resolvconf ]; then
+ cp /etc/resolv.conf $(postconf -h queue_directory)/etc/resolv.conf
+ /etc/init.d/postfix reload >/dev/null 2>&1
+fi
+
+# If master is running, force a queue run to unload any mail that is
+# hanging around. Yes, sendmail is a symlink...
+if [ -f /var/spool/postfix/pid/master.pid ]; then
+ pid=$(sed 's/ //g' /var/spool/postfix/pid/master.pid)
+ exe=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* //')
+ if [ "X$exe" = "X/usr/lib/postfix/master" ]; then
+ if [ -x /usr/sbin/sendmail ]; then
+ /usr/sbin/sendmail -q
+ fi
+ fi
+fi
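Review bot: The executable check derives the link target by parsing `ls -l` output with `sed 's/.* //'`, which takes the last whitespace-separated word and breaks as soon as the target contains a space (for instance the `(deleted)` suffix the kernel appends after an upgrade replaces the binary); `exe=$(readlink /proc/"$pid"/exe 2>/dev/null)` reads the link directly. `$pid` is taken from the pid file with only spaces stripped and is never validated as numeric, so a `case "$pid" in ''|*[!0-9]*) exit 0 ;; esac` before the `/proc` lookup would keep a malformed pid file from producing an odd path. As with the other hooks in this commit, the pid file and master path are `/var/spool/postfix` and `/usr/lib/postfix` rather than the `kolab-postfix` locations the `dirs` hunk creates, which should be confirmed.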
Added: trunk/kolab-postfix/debian/kolab-postfix-dev.copyright
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-dev.copyright 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-dev.copyright 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,324 @@
+This is the Debian GNU/Linux prepackaged version of Postfix, a mail transport
+agent.
+
+Postfix was created by Wietse Venema <wietse at porcupine.org>; the Debian
+package has been assembled by LaMont Jones <lamont at debian.org> from sources
+available from http://www.postfix.org.
+
+ Copyright (c) 1999, International Business Machines Corporation
+ and others. All Rights Reserved.
+
+The following copyright and license applies to this software:
+
+ IBM PUBLIC LICENSE VERSION 1.0 6/14/1999 - SECURE MAILER
+
+ THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS IBM PUBLIC
+ LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE
+ PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+ 1. DEFINITIONS
+
+ "Contribution" means:
+ a) in the case of International Business Machines Corporation ("IBM"),
+ the Original Program, and
+ b) in the case of each Contributor,
+ i) changes to the Program, and
+ ii) additions to the Program;
+ where such changes and/or additions to the Program originate
+ from and are distributed by that particular Contributor.
+ A Contribution 'originates' from a Contributor if it was added
+ to the Program by such Contributor itself or anyone acting on
+ such Contributor's behalf.
+ Contributions do not include additions to the Program which:
+ (i) are separate modules of software distributed in conjunction
+ with the Program under their own license agreement, and
+ (ii) are not derivative works of the Program.
+
+ "Contributor" means IBM and any other entity that distributes the Program.
+
+ "Licensed Patents " mean patent claims licensable by a Contributor which
+ are necessarily infringed by the use or sale of its Contribution alone
+ or when combined with the Program.
+
+ "Original Program" means the original version of the software accompanying
+ this Agreement as released by IBM, including source code, object code
+ and documentation, if any.
+
+ "Program" means the Original Program and Contributions.
+
+ "Recipient" means anyone who receives the Program under this Agreement,
+ including all Contributors.
+
+ 2. GRANT OF RIGHTS
+
+ a) Subject to the terms of this Agreement, each Contributor hereby
+ grants Recipient a non-exclusive, worldwide, royalty-free copyright
+ license to reproduce, prepare derivative works of, publicly display,
+ publicly perform, distribute and sublicense the Contribution of such
+ Contributor, if any, and such derivative works, in source code and
+ object code form.
+
+ b) Subject to the terms of this Agreement, each Contributor hereby
+ grants Recipient a non-exclusive, worldwide, royalty-free patent
+ license under Licensed Patents to make, use, sell, offer to sell,
+ import and otherwise transfer the Contribution of such Contributor,
+ if any, in source code and object code form. This patent license
+ shall apply to the combination of the Contribution and the Program
+ if, at the time the Contribution is added by the Contributor, such
+ addition of the Contribution causes such combination to be covered
+ by the Licensed Patents. The patent license shall not apply to any
+ other combinations which include the Contribution. No hardware per
+ se is licensed hereunder.
+
+ c) Recipient understands that although each Contributor grants the
+ licenses to its Contributions set forth herein, no assurances are
+ provided by any Contributor that the Program does not infringe the
+ patent or other intellectual property rights of any other entity.
+ Each Contributor disclaims any liability to Recipient for claims
+ brought by any other entity based on infringement of intellectual
+ property rights or otherwise. As a condition to exercising the rights
+ and licenses granted hereunder, each Recipient hereby assumes sole
+ responsibility to secure any other intellectual property rights
+ needed, if any. For example, if a third party patent license
+ is required to allow Recipient to distribute the Program, it is
+ Recipient's responsibility to acquire that license before distributing
+ the Program.
+
+ d) Each Contributor represents that to its knowledge it has sufficient
+ copyright rights in its Contribution, if any, to grant the copyright
+ license set forth in this Agreement.
+
+ 3. REQUIREMENTS
+
+ A Contributor may choose to distribute the Program in object code form
+ under its own license agreement, provided that:
+ a) it complies with the terms and conditions of this Agreement; and
+ b) its license agreement:
+ i) effectively disclaims on behalf of all Contributors all
+ warranties and conditions, express and implied, including
+ warranties or conditions of title and non-infringement, and
+ implied warranties or conditions of merchantability and fitness
+ for a particular purpose;
+ ii) effectively excludes on behalf of all Contributors all
+ liability for damages, including direct, indirect, special,
+ incidental and consequential damages, such as lost profits;
+ iii) states that any provisions which differ from this Agreement
+ are offered by that Contributor alone and not by any other
+ party; and
+ iv) states that source code for the Program is available from
+ such Contributor, and informs licensees how to obtain it in a
+ reasonable manner on or through a medium customarily used for
+ software exchange.
+
+ When the Program is made available in source code form:
+ a) it must be made available under this Agreement; and
+ b) a copy of this Agreement must be included with each copy of the
+ Program.
+
+ Each Contributor must include the following in a conspicuous location
+ in the Program:
+
+ Copyright (c) {date here}, International Business Machines Corporation
+ and others. All Rights Reserved.
+
+ In addition, each Contributor must identify itself as the originator of
+ its Contribution, if any, in a manner that reasonably allows subsequent
+ Recipients to identify the originator of the Contribution.
+
+ 4. COMMERCIAL DISTRIBUTION
+
+ Commercial distributors of software may accept certain responsibilities
+ with respect to end users, business partners and the like. While this
+ license is intended to facilitate the commercial use of the Program, the
+ Contributor who includes the Program in a commercial product offering
+ should do so in a manner which does not create potential liability for
+ other Contributors. Therefore, if a Contributor includes the Program in
+ a commercial product offering, such Contributor ("Commercial Contributor")
+ hereby agrees to defend and indemnify every other Contributor
+ ("Indemnified Contributor") against any losses, damages and costs
+ (collectively "Losses") arising from claims, lawsuits and other legal
+ actions brought by a third party against the Indemnified Contributor to
+ the extent caused by the acts or omissions of such Commercial Contributor
+ in connection with its distribution of the Program in a commercial
+ product offering. The obligations in this section do not apply to any
+ claims or Losses relating to any actual or alleged intellectual property
+ infringement. In order to qualify, an Indemnified Contributor must:
+ a) promptly notify the Commercial Contributor in writing of such claim,
+ and
+ b) allow the Commercial Contributor to control, and cooperate with
+ the Commercial Contributor in, the defense and any related
+ settlement negotiations. The Indemnified Contributor may
+ participate in any such claim at its own expense.
+
+ For example, a Contributor might include the Program in a commercial
+ product offering, Product X. That Contributor is then a Commercial
+ Contributor. If that Commercial Contributor then makes performance
+ claims, or offers warranties related to Product X, those performance
+ claims and warranties are such Commercial Contributor's responsibility
+ alone. Under this section, the Commercial Contributor would have to
+ defend claims against the other Contributors related to those performance
+ claims and warranties, and if a court requires any other Contributor to
+ pay any damages as a result, the Commercial Contributor must pay those
+ damages.
+
+ 5. NO WARRANTY
+
+ EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED
+ ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
+ EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
+ CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
+ PARTICULAR PURPOSE. Each Recipient is solely responsible for determining
+ the appropriateness of using and distributing the Program and assumes
+ all risks associated with its exercise of rights under this Agreement,
+ including but not limited to the risks and costs of program errors,
+ compliance with applicable laws, damage to or loss of data, programs or
+ equipment, and unavailability or interruption of operations.
+
+ 6. DISCLAIMER OF LIABILITY
+
+ EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
+ ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
+ WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION
+ OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF
+ ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ 7. GENERAL
+
+ If any provision of this Agreement is invalid or unenforceable under
+ applicable law, it shall not affect the validity or enforceability of
+ the remainder of the terms of this Agreement, and without further action
+ by the parties hereto, such provision shall be reformed to the minimum
+ extent necessary to make such provision valid and enforceable.
+
+ If Recipient institutes patent litigation against a Contributor with
+ respect to a patent applicable to software (including a cross-claim or
+ counterclaim in a lawsuit), then any patent licenses granted by that
+ Contributor to such Recipient under this Agreement shall terminate
+ as of the date such litigation is filed. In addition, If Recipient
+ institutes patent litigation against any entity (including a cross-claim
+ or counterclaim in a lawsuit) alleging that the Program itself (excluding
+ combinations of the Program with other software or hardware) infringes
+ such Recipient's patent(s), then such Recipient's rights granted under
+ Section 2(b) shall terminate as of the date such litigation is filed.
+
+ All Recipient's rights under this Agreement shall terminate if it fails
+ to comply with any of the material terms or conditions of this Agreement
+ and does not cure such failure in a reasonable period of time after
+ becoming aware of such noncompliance. If all Recipient's rights under
+ this Agreement terminate, Recipient agrees to cease use and distribution
+ of the Program as soon as reasonably practicable. However, Recipient's
+ obligations under this Agreement and any licenses granted by Recipient
+ relating to the Program shall continue and survive.
+
+ IBM may publish new versions (including revisions) of this Agreement
+ from time to time. Each new version of the Agreement will be given a
+ distinguishing version number. The Program (including Contributions)
+ may always be distributed subject to the version of the Agreement under
+ which it was received. In addition, after a new version of the Agreement
+ is published, Contributor may elect to distribute the Program (including
+ its Contributions) under the new version. No one other than IBM has the
+ right to modify this Agreement. Except as expressly stated in Sections
+ 2(a) and 2(b) above, Recipient receives no rights or licenses to the
+ intellectual property of any Contributor under this Agreement, whether
+ expressly, by implication, estoppel or otherwise. All rights in the
+ Program not expressly granted under this Agreement are reserved.
+
+ This Agreement is governed by the laws of the State of New York and the
+ intellectual property laws of the United States of America. No party to
+ this Agreement will bring a legal action under this Agreement more than
+ one year after the cause of action arose. Each party waives its rights
+ to a jury trial in any resulting litigation.
+
+The following license applies to rmail, distributed with Postfix:
+ SENDMAIL LICENSE
+
+ The following license terms and conditions apply, unless a different
+ license is obtained from Sendmail, Inc., 1401 Park Avenue, Emeryville, CA
+ 94608, or by electronic mail at license at sendmail.com.
+
+ License Terms:
+
+ Use, Modification and Redistribution (including distribution of any
+ modified or derived work) in source and binary forms is permitted only if
+ each of the following conditions is met:
+
+ 1. Redistributions qualify as "freeware" or "Open Source Software" under
+ one of the following terms:
+
+ (a) Redistributions are made at no charge beyond the reasonable cost of
+ materials and delivery.
+
+ (b) Redistributions are accompanied by a copy of the Source Code or by an
+ irrevocable offer to provide a copy of the Source Code for up to three
+ years at the cost of materials and delivery. Such redistributions
+ must allow further use, modification, and redistribution of the Source
+ Code under substantially the same terms as this license. For the
+ purposes of redistribution "Source Code" means the complete source
+ code of sendmail including all modifications.
+
+ Other forms of redistribution are allowed only under a separate royalty-
+ free agreement permitting such redistribution subject to standard
+ commercial terms and conditions. A copy of such agreement may be
+ obtained from Sendmail, Inc. at the above address.
+
+ 2. Redistributions of source code must retain the copyright notices as they
+ appear in each source code file, these license terms, and the
+ disclaimer/limitation of liability set forth as paragraph 6 below.
+
+ 3. Redistributions in binary form must reproduce the Copyright Notice,
+ these license terms, and the disclaimer/limitation of liability set
+ forth as paragraph 6 below, in the documentation and/or other materials
+ provided with the distribution. For the purposes of binary distribution
+ the "Copyright Notice" refers to the following language:
+ "Copyright (c) 1998 Sendmail, Inc. All rights reserved."
+
+ 4. Neither the name of Sendmail, Inc. nor the University of California nor
+ the names of their contributors may be used to endorse or promote
+ products derived from this software without specific prior written
+ permission. The name "sendmail" is a trademark of Sendmail, Inc.
+
+ 5. All redistributions must comply with the conditions imposed by the
+ University of California on certain embedded code, whose copyright
+ notice and conditions for redistribution are as follows:
+
+ (a) Copyright (c) 1988, 1993 The Regents of the University of
+ California. All rights reserved.
+
+ (b) Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ (i) Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ (ii) Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+ (iii) All advertising materials mentioning features or use of this
+ software must display the following acknowledgement: "This
+ product includes software developed by the University of
+ California, Berkeley and its contributors."
+
+ (iv) Neither the name of the University nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+ 6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
+ SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
+ NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
+ CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ (Version 8.6, last updated 6/24/1998)
Added: trunk/kolab-postfix/debian/kolab-postfix-dev.dirs
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-dev.dirs 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-dev.dirs 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,2 @@
+usr/include/kolab-postfix
+usr/lib
Added: trunk/kolab-postfix/debian/kolab-postfix-dev.postinst
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-dev.postinst 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-dev.postinst 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,47 @@
+#! /bin/sh
+# postinst script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+#
+# quoting from the policy:
+# Any necessary prompting should almost always be confined to the
+# post-installation script, and should be protected with a conditional
+# so that unnecessary prompting doesn't happen if a package's
+# installation fails and the `postinst' is called with `abort-upgrade',
+# `abort-remove' or `abort-deconfigure'.
+
+case "$1" in
+ configure)
+
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
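Review bot: The header comment still reads `# postinst script for #PACKAGE#`; `#PACKAGE#` is a dh_make placeholder that dh_installdeb does not substitute (it only replaces `#DEBHELPER#`), so it will be shipped literally and should be replaced with the package name, here and in kolab-postfix-dev.prerm. The `configure` and `abort-*` branches are empty, so the script currently does nothing beyond what debhelper generates; either the intended configure steps are missing or a short comment should record that the file exists only for the `#DEBHELPER#` snippet. The `*)` branch exits 0 after reporting an unknown argument, which makes a mis-invocation look like success to dpkg; dh_make's template uses `exit 1` there, which is the safer choice unless there is a reason to tolerate unknown arguments.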
Added: trunk/kolab-postfix/debian/kolab-postfix-dev.prerm
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-dev.prerm 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-dev.prerm 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,37 @@
+#! /bin/sh
+# prerm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <prerm> `remove'
+# * <old-prerm> `upgrade' <new-version>
+# * <new-prerm> `failed-upgrade' <old-version>
+# * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+# * <deconfigured's-prerm> `deconfigure' `in-favour'
+# <package-being-installed> <version> `removing'
+# <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+
+case "$1" in
+ remove|upgrade|deconfigure)
+# install-info --quiet --remove /usr/info/#PACKAGE#.info.gz
+ ;;
+ failed-upgrade)
+ ;;
+ *)
+ echo "prerm called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
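Review bot: The commented-out `install-info --quiet --remove /usr/info/#PACKAGE#.info.gz` line in the `remove|upgrade|deconfigure` branch is dead template code and should be deleted, since nothing in this package's `dirs` lists an info directory and a stale recipe next to an otherwise empty case misleads the next maintainer. With that line gone every branch is empty, so a one-line comment such as `# nothing to do; kept for the debhelper snippet below` would document why the file exists at all.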
Added: trunk/kolab-postfix/debian/kolab-postfix-doc.copyright
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-doc.copyright 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-doc.copyright 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,324 @@
+This is the Debian GNU/Linux prepackaged version of Postfix, a mail transport
+agent.
+
+Postfix was created by Wietse Venema <wietse at porcupine.org>; the Debian
+package has been assembled by LaMont Jones <lamont at debian.org> from sources
+available from http://www.postfix.org.
+
+ Copyright (c) 1999, International Business Machines Corporation
+ and others. All Rights Reserved.
+
+The following copyright and license applies to this software:
+
+ IBM PUBLIC LICENSE VERSION 1.0 6/14/1999 - SECURE MAILER
+
+ THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS IBM PUBLIC
+ LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE
+ PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+ 1. DEFINITIONS
+
+ "Contribution" means:
+ a) in the case of International Business Machines Corporation ("IBM"),
+ the Original Program, and
+ b) in the case of each Contributor,
+ i) changes to the Program, and
+ ii) additions to the Program;
+ where such changes and/or additions to the Program originate
+ from and are distributed by that particular Contributor.
+ A Contribution 'originates' from a Contributor if it was added
+ to the Program by such Contributor itself or anyone acting on
+ such Contributor's behalf.
+ Contributions do not include additions to the Program which:
+ (i) are separate modules of software distributed in conjunction
+ with the Program under their own license agreement, and
+ (ii) are not derivative works of the Program.
+
+ "Contributor" means IBM and any other entity that distributes the Program.
+
+ "Licensed Patents " mean patent claims licensable by a Contributor which
+ are necessarily infringed by the use or sale of its Contribution alone
+ or when combined with the Program.
+
+ "Original Program" means the original version of the software accompanying
+ this Agreement as released by IBM, including source code, object code
+ and documentation, if any.
+
+ "Program" means the Original Program and Contributions.
+
+ "Recipient" means anyone who receives the Program under this Agreement,
+ including all Contributors.
+
+ 2. GRANT OF RIGHTS
+
+ a) Subject to the terms of this Agreement, each Contributor hereby
+ grants Recipient a non-exclusive, worldwide, royalty-free copyright
+ license to reproduce, prepare derivative works of, publicly display,
+ publicly perform, distribute and sublicense the Contribution of such
+ Contributor, if any, and such derivative works, in source code and
+ object code form.
+
+ b) Subject to the terms of this Agreement, each Contributor hereby
+ grants Recipient a non-exclusive, worldwide, royalty-free patent
+ license under Licensed Patents to make, use, sell, offer to sell,
+ import and otherwise transfer the Contribution of such Contributor,
+ if any, in source code and object code form. This patent license
+ shall apply to the combination of the Contribution and the Program
+ if, at the time the Contribution is added by the Contributor, such
+ addition of the Contribution causes such combination to be covered
+ by the Licensed Patents. The patent license shall not apply to any
+ other combinations which include the Contribution. No hardware per
+ se is licensed hereunder.
+
+ c) Recipient understands that although each Contributor grants the
+ licenses to its Contributions set forth herein, no assurances are
+ provided by any Contributor that the Program does not infringe the
+ patent or other intellectual property rights of any other entity.
+ Each Contributor disclaims any liability to Recipient for claims
+ brought by any other entity based on infringement of intellectual
+ property rights or otherwise. As a condition to exercising the rights
+ and licenses granted hereunder, each Recipient hereby assumes sole
+ responsibility to secure any other intellectual property rights
+ needed, if any. For example, if a third party patent license
+ is required to allow Recipient to distribute the Program, it is
+ Recipient's responsibility to acquire that license before distributing
+ the Program.
+
+ d) Each Contributor represents that to its knowledge it has sufficient
+ copyright rights in its Contribution, if any, to grant the copyright
+ license set forth in this Agreement.
+
+ 3. REQUIREMENTS
+
+ A Contributor may choose to distribute the Program in object code form
+ under its own license agreement, provided that:
+ a) it complies with the terms and conditions of this Agreement; and
+ b) its license agreement:
+ i) effectively disclaims on behalf of all Contributors all
+ warranties and conditions, express and implied, including
+ warranties or conditions of title and non-infringement, and
+ implied warranties or conditions of merchantability and fitness
+ for a particular purpose;
+ ii) effectively excludes on behalf of all Contributors all
+ liability for damages, including direct, indirect, special,
+ incidental and consequential damages, such as lost profits;
+ iii) states that any provisions which differ from this Agreement
+ are offered by that Contributor alone and not by any other
+ party; and
+ iv) states that source code for the Program is available from
+ such Contributor, and informs licensees how to obtain it in a
+ reasonable manner on or through a medium customarily used for
+ software exchange.
+
+ When the Program is made available in source code form:
+ a) it must be made available under this Agreement; and
+ b) a copy of this Agreement must be included with each copy of the
+ Program.
+
+ Each Contributor must include the following in a conspicuous location
+ in the Program:
+
+ Copyright (c) {date here}, International Business Machines Corporation
+ and others. All Rights Reserved.
+
+ In addition, each Contributor must identify itself as the originator of
+ its Contribution, if any, in a manner that reasonably allows subsequent
+ Recipients to identify the originator of the Contribution.
+
+ 4. COMMERCIAL DISTRIBUTION
+
+ Commercial distributors of software may accept certain responsibilities
+ with respect to end users, business partners and the like. While this
+ license is intended to facilitate the commercial use of the Program, the
+ Contributor who includes the Program in a commercial product offering
+ should do so in a manner which does not create potential liability for
+ other Contributors. Therefore, if a Contributor includes the Program in
+ a commercial product offering, such Contributor ("Commercial Contributor")
+ hereby agrees to defend and indemnify every other Contributor
+ ("Indemnified Contributor") against any losses, damages and costs
+ (collectively "Losses") arising from claims, lawsuits and other legal
+ actions brought by a third party against the Indemnified Contributor to
+ the extent caused by the acts or omissions of such Commercial Contributor
+ in connection with its distribution of the Program in a commercial
+ product offering. The obligations in this section do not apply to any
+ claims or Losses relating to any actual or alleged intellectual property
+ infringement. In order to qualify, an Indemnified Contributor must:
+ a) promptly notify the Commercial Contributor in writing of such claim,
+ and
+ b) allow the Commercial Contributor to control, and cooperate with
+ the Commercial Contributor in, the defense and any related
+ settlement negotiations. The Indemnified Contributor may
+ participate in any such claim at its own expense.
+
+ For example, a Contributor might include the Program in a commercial
+ product offering, Product X. That Contributor is then a Commercial
+ Contributor. If that Commercial Contributor then makes performance
+ claims, or offers warranties related to Product X, those performance
+ claims and warranties are such Commercial Contributor's responsibility
+ alone. Under this section, the Commercial Contributor would have to
+ defend claims against the other Contributors related to those performance
+ claims and warranties, and if a court requires any other Contributor to
+ pay any damages as a result, the Commercial Contributor must pay those
+ damages.
+
+ 5. NO WARRANTY
+
+ EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED
+ ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
+ EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
+ CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
+ PARTICULAR PURPOSE. Each Recipient is solely responsible for determining
+ the appropriateness of using and distributing the Program and assumes
+ all risks associated with its exercise of rights under this Agreement,
+ including but not limited to the risks and costs of program errors,
+ compliance with applicable laws, damage to or loss of data, programs or
+ equipment, and unavailability or interruption of operations.
+
+ 6. DISCLAIMER OF LIABILITY
+
+ EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
+ ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
+ WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION
+ OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF
+ ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ 7. GENERAL
+
+ If any provision of this Agreement is invalid or unenforceable under
+ applicable law, it shall not affect the validity or enforceability of
+ the remainder of the terms of this Agreement, and without further action
+ by the parties hereto, such provision shall be reformed to the minimum
+ extent necessary to make such provision valid and enforceable.
+
+ If Recipient institutes patent litigation against a Contributor with
+ respect to a patent applicable to software (including a cross-claim or
+ counterclaim in a lawsuit), then any patent licenses granted by that
+ Contributor to such Recipient under this Agreement shall terminate
+ as of the date such litigation is filed. In addition, If Recipient
+ institutes patent litigation against any entity (including a cross-claim
+ or counterclaim in a lawsuit) alleging that the Program itself (excluding
+ combinations of the Program with other software or hardware) infringes
+ such Recipient's patent(s), then such Recipient's rights granted under
+ Section 2(b) shall terminate as of the date such litigation is filed.
+
+ All Recipient's rights under this Agreement shall terminate if it fails
+ to comply with any of the material terms or conditions of this Agreement
+ and does not cure such failure in a reasonable period of time after
+ becoming aware of such noncompliance. If all Recipient's rights under
+ this Agreement terminate, Recipient agrees to cease use and distribution
+ of the Program as soon as reasonably practicable. However, Recipient's
+ obligations under this Agreement and any licenses granted by Recipient
+ relating to the Program shall continue and survive.
+
+ IBM may publish new versions (including revisions) of this Agreement
+ from time to time. Each new version of the Agreement will be given a
+ distinguishing version number. The Program (including Contributions)
+ may always be distributed subject to the version of the Agreement under
+ which it was received. In addition, after a new version of the Agreement
+ is published, Contributor may elect to distribute the Program (including
+ its Contributions) under the new version. No one other than IBM has the
+ right to modify this Agreement. Except as expressly stated in Sections
+ 2(a) and 2(b) above, Recipient receives no rights or licenses to the
+ intellectual property of any Contributor under this Agreement, whether
+ expressly, by implication, estoppel or otherwise. All rights in the
+ Program not expressly granted under this Agreement are reserved.
+
+ This Agreement is governed by the laws of the State of New York and the
+ intellectual property laws of the United States of America. No party to
+ this Agreement will bring a legal action under this Agreement more than
+ one year after the cause of action arose. Each party waives its rights
+ to a jury trial in any resulting litigation.
+
+The following license applies to rmail, distributed with Postfix:
+ SENDMAIL LICENSE
+
+ The following license terms and conditions apply, unless a different
+ license is obtained from Sendmail, Inc., 1401 Park Avenue, Emeryville, CA
+ 94608, or by electronic mail at license at sendmail.com.
+
+ License Terms:
+
+ Use, Modification and Redistribution (including distribution of any
+ modified or derived work) in source and binary forms is permitted only if
+ each of the following conditions is met:
+
+ 1. Redistributions qualify as "freeware" or "Open Source Software" under
+ one of the following terms:
+
+ (a) Redistributions are made at no charge beyond the reasonable cost of
+ materials and delivery.
+
+ (b) Redistributions are accompanied by a copy of the Source Code or by an
+ irrevocable offer to provide a copy of the Source Code for up to three
+ years at the cost of materials and delivery. Such redistributions
+ must allow further use, modification, and redistribution of the Source
+ Code under substantially the same terms as this license. For the
+ purposes of redistribution "Source Code" means the complete source
+ code of sendmail including all modifications.
+
+ Other forms of redistribution are allowed only under a separate royalty-
+ free agreement permitting such redistribution subject to standard
+ commercial terms and conditions. A copy of such agreement may be
+ obtained from Sendmail, Inc. at the above address.
+
+ 2. Redistributions of source code must retain the copyright notices as they
+ appear in each source code file, these license terms, and the
+ disclaimer/limitation of liability set forth as paragraph 6 below.
+
+ 3. Redistributions in binary form must reproduce the Copyright Notice,
+ these license terms, and the disclaimer/limitation of liability set
+ forth as paragraph 6 below, in the documentation and/or other materials
+ provided with the distribution. For the purposes of binary distribution
+ the "Copyright Notice" refers to the following language:
+ "Copyright (c) 1998 Sendmail, Inc. All rights reserved."
+
+ 4. Neither the name of Sendmail, Inc. nor the University of California nor
+ the names of their contributors may be used to endorse or promote
+ products derived from this software without specific prior written
+ permission. The name "sendmail" is a trademark of Sendmail, Inc.
+
+ 5. All redistributions must comply with the conditions imposed by the
+ University of California on certain embedded code, whose copyright
+ notice and conditions for redistribution are as follows:
+
+ (a) Copyright (c) 1988, 1993 The Regents of the University of
+ California. All rights reserved.
+
+ (b) Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ (i) Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ (ii) Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+ (iii) All advertising materials mentioning features or use of this
+ software must display the following acknowledgement: "This
+ product includes software developed by the University of
+ California, Berkeley and its contributors."
+
+ (iv) Neither the name of the University nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+ 6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
+ SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
+ NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
+ CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ (Version 8.6, last updated 6/24/1998)
Added: trunk/kolab-postfix/debian/kolab-postfix-doc.dirs
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-doc.dirs 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-doc.dirs 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,6 @@
+usr/share/doc/kolab-postfix
+usr/share/doc/kolab-postfix/html
+usr/share/doc/kolab-postfix/examples
+usr/share/doc/kolab-postfix-doc
+usr/share/doc/kolab-postfix-tls
+usr/share/doc/kolab-postfix-tls/html
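Review bot: The dirs list for the -doc package also creates `usr/share/doc/kolab-postfix`, `usr/share/doc/kolab-postfix/examples`, `usr/share/doc/kolab-postfix-tls` and `usr/share/doc/kolab-postfix-tls/html`, which by their names presumably belong to other binary packages built from this source; a doc directory co-owned by several packages makes purge/remove ordering fragile and looks like a leftover from the postfix packaging this was copied from. Keep only `usr/share/doc/kolab-postfix-doc` here (plus the html subdirectory if that is where the HTML is installed) and let each package own its own doc tree.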
Added: trunk/kolab-postfix/debian/kolab-postfix-doc.doc-base
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-doc.doc-base 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-doc.doc-base 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,9 @@
+Document: postfix
+Title: Postfix documentation
+Author: Wietse Venema <wietse at porcupine.org>
+Abstract: This document describes Postfix: how to configure and use it.
+Section: Apps/Mail
+
+Format: HTML
+Index: /usr/share/doc/postfix/html/index.html
+Files: /usr/share/doc/postfix/html/*.html
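Review bot: The `Index:` and `Files:` paths point at `/usr/share/doc/postfix/html/`, but the `kolab-postfix-doc.dirs` file in this same commit creates `usr/share/doc/kolab-postfix/html` and the package is named kolab-postfix-doc, so unless the HTML is also installed under the plain postfix path this registers documents that will not exist. Change them to `Index: /usr/share/doc/kolab-postfix/html/index.html` and `Files: /usr/share/doc/kolab-postfix/html/*.html` (matching whatever debian/rules actually installs). `Document: postfix` is presumably the same id the stock postfix-doc package registers; renaming it to `Document: kolab-postfix` avoids the two packages fighting over one doc-base entry.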
Added: trunk/kolab-postfix/debian/kolab-postfix-doc.postinst
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-doc.postinst 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-doc.postinst 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,47 @@
+#! /bin/sh
+# postinst script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+#
+# quoting from the policy:
+# Any necessary prompting should almost always be confined to the
+# post-installation script, and should be protected with a conditional
+# so that unnecessary prompting doesn't happen if a package's
+# installation fails and the `postinst' is called with `abort-upgrade',
+# `abort-remove' or `abort-deconfigure'.
+
+case "$1" in
+ configure)
+
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
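Review bot: Both the `configure` and the `abort-upgrade|abort-remove|abort-deconfigure` arms are empty, so this postinst does nothing except host the `#DEBHELPER#` substitution, yet its `*)` arm still returns `exit 0` on an unknown argument; if the file is kept it should fail closed there, `exit 1`. I believe dh_installdeb generates an equivalent script on its own when none is present, in which case this file can simply be dropped. If it stays, replace the `#PACKAGE#` placeholder in `# postinst script for #PACKAGE#` with `kolab-postfix-doc`, since the comment states only `#DEBHELPER#` is substituted.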
Added: trunk/kolab-postfix/debian/kolab-postfix-doc.prerm
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-doc.prerm 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-doc.prerm 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,37 @@
+#! /bin/sh
+# prerm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <prerm> `remove'
+# * <old-prerm> `upgrade' <new-version>
+# * <new-prerm> `failed-upgrade' <old-version>
+# * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+# * <deconfigured's-prerm> `deconfigure' `in-favour'
+# <package-being-installed> <version> `removing'
+# <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+
+case "$1" in
+ remove|upgrade|deconfigure)
+# install-info --quiet --remove /usr/info/#PACKAGE#.info.gz
+ ;;
+ failed-upgrade)
+ ;;
+ *)
+ echo "prerm called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
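Review bot: The `*)` arm returns `exit 0` after reporting an unknown argument, so dpkg proceeds as if the prerm succeeded; it should be `exit 1` so an unexpected invocation aborts the operation. The script is otherwise an unfilled template: the `install-info` line is commented out and `# prerm script for #PACKAGE#` still carries the placeholder, so either fill in `kolab-postfix-doc` and remove the dead line, or drop the file and let dh_installdeb generate the minimal script.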
Added: trunk/kolab-postfix/debian/kolab-postfix-ldap.README.Debian
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-ldap.README.Debian 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-ldap.README.Debian 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,2 @@
+The postfix-doc package contains documentation on how to configure this
+map type. See /usr/share/doc/postfix/html/LDAP_README.html
Added: trunk/kolab-postfix/debian/kolab-postfix-ldap.copyright
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-ldap.copyright 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-ldap.copyright 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,324 @@
+This is the Debian GNU/Linux prepackaged version of Postfix, a mail transport
+agent.
+
+Postfix was created by Wietse Venema <wietse at porcupine.org>; the Debian
+package has been assembled by LaMont Jones <lamont at debian.org> from sources
+available from http://www.postfix.org.
+
+ Copyright (c) 1999, International Business Machines Corporation
+ and others. All Rights Reserved.
+
+The following copyright and license applies to this software:
+
+ IBM PUBLIC LICENSE VERSION 1.0 6/14/1999 - SECURE MAILER
+
+ THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS IBM PUBLIC
+ LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE
+ PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+ 1. DEFINITIONS
+
+ "Contribution" means:
+ a) in the case of International Business Machines Corporation ("IBM"),
+ the Original Program, and
+ b) in the case of each Contributor,
+ i) changes to the Program, and
+ ii) additions to the Program;
+ where such changes and/or additions to the Program originate
+ from and are distributed by that particular Contributor.
+ A Contribution 'originates' from a Contributor if it was added
+ to the Program by such Contributor itself or anyone acting on
+ such Contributor's behalf.
+ Contributions do not include additions to the Program which:
+ (i) are separate modules of software distributed in conjunction
+ with the Program under their own license agreement, and
+ (ii) are not derivative works of the Program.
+
+ "Contributor" means IBM and any other entity that distributes the Program.
+
+ "Licensed Patents " mean patent claims licensable by a Contributor which
+ are necessarily infringed by the use or sale of its Contribution alone
+ or when combined with the Program.
+
+ "Original Program" means the original version of the software accompanying
+ this Agreement as released by IBM, including source code, object code
+ and documentation, if any.
+
+ "Program" means the Original Program and Contributions.
+
+ "Recipient" means anyone who receives the Program under this Agreement,
+ including all Contributors.
+
+ 2. GRANT OF RIGHTS
+
+ a) Subject to the terms of this Agreement, each Contributor hereby
+ grants Recipient a non-exclusive, worldwide, royalty-free copyright
+ license to reproduce, prepare derivative works of, publicly display,
+ publicly perform, distribute and sublicense the Contribution of such
+ Contributor, if any, and such derivative works, in source code and
+ object code form.
+
+ b) Subject to the terms of this Agreement, each Contributor hereby
+ grants Recipient a non-exclusive, worldwide, royalty-free patent
+ license under Licensed Patents to make, use, sell, offer to sell,
+ import and otherwise transfer the Contribution of such Contributor,
+ if any, in source code and object code form. This patent license
+ shall apply to the combination of the Contribution and the Program
+ if, at the time the Contribution is added by the Contributor, such
+ addition of the Contribution causes such combination to be covered
+ by the Licensed Patents. The patent license shall not apply to any
+ other combinations which include the Contribution. No hardware per
+ se is licensed hereunder.
+
+ c) Recipient understands that although each Contributor grants the
+ licenses to its Contributions set forth herein, no assurances are
+ provided by any Contributor that the Program does not infringe the
+ patent or other intellectual property rights of any other entity.
+ Each Contributor disclaims any liability to Recipient for claims
+ brought by any other entity based on infringement of intellectual
+ property rights or otherwise. As a condition to exercising the rights
+ and licenses granted hereunder, each Recipient hereby assumes sole
+ responsibility to secure any other intellectual property rights
+ needed, if any. For example, if a third party patent license
+ is required to allow Recipient to distribute the Program, it is
+ Recipient's responsibility to acquire that license before distributing
+ the Program.
+
+ d) Each Contributor represents that to its knowledge it has sufficient
+ copyright rights in its Contribution, if any, to grant the copyright
+ license set forth in this Agreement.
+
+ 3. REQUIREMENTS
+
+ A Contributor may choose to distribute the Program in object code form
+ under its own license agreement, provided that:
+ a) it complies with the terms and conditions of this Agreement; and
+ b) its license agreement:
+ i) effectively disclaims on behalf of all Contributors all
+ warranties and conditions, express and implied, including
+ warranties or conditions of title and non-infringement, and
+ implied warranties or conditions of merchantability and fitness
+ for a particular purpose;
+ ii) effectively excludes on behalf of all Contributors all
+ liability for damages, including direct, indirect, special,
+ incidental and consequential damages, such as lost profits;
+ iii) states that any provisions which differ from this Agreement
+ are offered by that Contributor alone and not by any other
+ party; and
+ iv) states that source code for the Program is available from
+ such Contributor, and informs licensees how to obtain it in a
+ reasonable manner on or through a medium customarily used for
+ software exchange.
+
+ When the Program is made available in source code form:
+ a) it must be made available under this Agreement; and
+ b) a copy of this Agreement must be included with each copy of the
+ Program.
+
+ Each Contributor must include the following in a conspicuous location
+ in the Program:
+
+ Copyright (c) {date here}, International Business Machines Corporation
+ and others. All Rights Reserved.
+
+ In addition, each Contributor must identify itself as the originator of
+ its Contribution, if any, in a manner that reasonably allows subsequent
+ Recipients to identify the originator of the Contribution.
+
+ 4. COMMERCIAL DISTRIBUTION
+
+ Commercial distributors of software may accept certain responsibilities
+ with respect to end users, business partners and the like. While this
+ license is intended to facilitate the commercial use of the Program, the
+ Contributor who includes the Program in a commercial product offering
+ should do so in a manner which does not create potential liability for
+ other Contributors. Therefore, if a Contributor includes the Program in
+ a commercial product offering, such Contributor ("Commercial Contributor")
+ hereby agrees to defend and indemnify every other Contributor
+ ("Indemnified Contributor") against any losses, damages and costs
+ (collectively "Losses") arising from claims, lawsuits and other legal
+ actions brought by a third party against the Indemnified Contributor to
+ the extent caused by the acts or omissions of such Commercial Contributor
+ in connection with its distribution of the Program in a commercial
+ product offering. The obligations in this section do not apply to any
+ claims or Losses relating to any actual or alleged intellectual property
+ infringement. In order to qualify, an Indemnified Contributor must:
+ a) promptly notify the Commercial Contributor in writing of such claim,
+ and
+ b) allow the Commercial Contributor to control, and cooperate with
+ the Commercial Contributor in, the defense and any related
+ settlement negotiations. The Indemnified Contributor may
+ participate in any such claim at its own expense.
+
+ For example, a Contributor might include the Program in a commercial
+ product offering, Product X. That Contributor is then a Commercial
+ Contributor. If that Commercial Contributor then makes performance
+ claims, or offers warranties related to Product X, those performance
+ claims and warranties are such Commercial Contributor's responsibility
+ alone. Under this section, the Commercial Contributor would have to
+ defend claims against the other Contributors related to those performance
+ claims and warranties, and if a court requires any other Contributor to
+ pay any damages as a result, the Commercial Contributor must pay those
+ damages.
+
+ 5. NO WARRANTY
+
+ EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED
+ ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
+ EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
+ CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
+ PARTICULAR PURPOSE. Each Recipient is solely responsible for determining
+ the appropriateness of using and distributing the Program and assumes
+ all risks associated with its exercise of rights under this Agreement,
+ including but not limited to the risks and costs of program errors,
+ compliance with applicable laws, damage to or loss of data, programs or
+ equipment, and unavailability or interruption of operations.
+
+ 6. DISCLAIMER OF LIABILITY
+
+ EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
+ ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
+ WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION
+ OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF
+ ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ 7. GENERAL
+
+ If any provision of this Agreement is invalid or unenforceable under
+ applicable law, it shall not affect the validity or enforceability of
+ the remainder of the terms of this Agreement, and without further action
+ by the parties hereto, such provision shall be reformed to the minimum
+ extent necessary to make such provision valid and enforceable.
+
+ If Recipient institutes patent litigation against a Contributor with
+ respect to a patent applicable to software (including a cross-claim or
+ counterclaim in a lawsuit), then any patent licenses granted by that
+ Contributor to such Recipient under this Agreement shall terminate
+ as of the date such litigation is filed. In addition, If Recipient
+ institutes patent litigation against any entity (including a cross-claim
+ or counterclaim in a lawsuit) alleging that the Program itself (excluding
+ combinations of the Program with other software or hardware) infringes
+ such Recipient's patent(s), then such Recipient's rights granted under
+ Section 2(b) shall terminate as of the date such litigation is filed.
+
+ All Recipient's rights under this Agreement shall terminate if it fails
+ to comply with any of the material terms or conditions of this Agreement
+ and does not cure such failure in a reasonable period of time after
+ becoming aware of such noncompliance. If all Recipient's rights under
+ this Agreement terminate, Recipient agrees to cease use and distribution
+ of the Program as soon as reasonably practicable. However, Recipient's
+ obligations under this Agreement and any licenses granted by Recipient
+ relating to the Program shall continue and survive.
+
+ IBM may publish new versions (including revisions) of this Agreement
+ from time to time. Each new version of the Agreement will be given a
+ distinguishing version number. The Program (including Contributions)
+ may always be distributed subject to the version of the Agreement under
+ which it was received. In addition, after a new version of the Agreement
+ is published, Contributor may elect to distribute the Program (including
+ its Contributions) under the new version. No one other than IBM has the
+ right to modify this Agreement. Except as expressly stated in Sections
+ 2(a) and 2(b) above, Recipient receives no rights or licenses to the
+ intellectual property of any Contributor under this Agreement, whether
+ expressly, by implication, estoppel or otherwise. All rights in the
+ Program not expressly granted under this Agreement are reserved.
+
+ This Agreement is governed by the laws of the State of New York and the
+ intellectual property laws of the United States of America. No party to
+ this Agreement will bring a legal action under this Agreement more than
+ one year after the cause of action arose. Each party waives its rights
+ to a jury trial in any resulting litigation.
+
+The following license applies to rmail, distributed with Postfix:
+ SENDMAIL LICENSE
+
+ The following license terms and conditions apply, unless a different
+ license is obtained from Sendmail, Inc., 1401 Park Avenue, Emeryville, CA
+ 94608, or by electronic mail at license at sendmail.com.
+
+ License Terms:
+
+ Use, Modification and Redistribution (including distribution of any
+ modified or derived work) in source and binary forms is permitted only if
+ each of the following conditions is met:
+
+ 1. Redistributions qualify as "freeware" or "Open Source Software" under
+ one of the following terms:
+
+ (a) Redistributions are made at no charge beyond the reasonable cost of
+ materials and delivery.
+
+ (b) Redistributions are accompanied by a copy of the Source Code or by an
+ irrevocable offer to provide a copy of the Source Code for up to three
+ years at the cost of materials and delivery. Such redistributions
+ must allow further use, modification, and redistribution of the Source
+ Code under substantially the same terms as this license. For the
+ purposes of redistribution "Source Code" means the complete source
+ code of sendmail including all modifications.
+
+ Other forms of redistribution are allowed only under a separate royalty-
+ free agreement permitting such redistribution subject to standard
+ commercial terms and conditions. A copy of such agreement may be
+ obtained from Sendmail, Inc. at the above address.
+
+ 2. Redistributions of source code must retain the copyright notices as they
+ appear in each source code file, these license terms, and the
+ disclaimer/limitation of liability set forth as paragraph 6 below.
+
+ 3. Redistributions in binary form must reproduce the Copyright Notice,
+ these license terms, and the disclaimer/limitation of liability set
+ forth as paragraph 6 below, in the documentation and/or other materials
+ provided with the distribution. For the purposes of binary distribution
+ the "Copyright Notice" refers to the following language:
+ "Copyright (c) 1998 Sendmail, Inc. All rights reserved."
+
+ 4. Neither the name of Sendmail, Inc. nor the University of California nor
+ the names of their contributors may be used to endorse or promote
+ products derived from this software without specific prior written
+ permission. The name "sendmail" is a trademark of Sendmail, Inc.
+
+ 5. All redistributions must comply with the conditions imposed by the
+ University of California on certain embedded code, whose copyright
+ notice and conditions for redistribution are as follows:
+
+ (a) Copyright (c) 1988, 1993 The Regents of the University of
+ California. All rights reserved.
+
+ (b) Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ (i) Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ (ii) Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+ (iii) All advertising materials mentioning features or use of this
+ software must display the following acknowledgement: "This
+ product includes software developed by the University of
+ California, Berkeley and its contributors."
+
+ (iv) Neither the name of the University nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+ 6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
+ SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
+ NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
+ CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ (Version 8.6, last updated 6/24/1998)
Added: trunk/kolab-postfix/debian/kolab-postfix-ldap.dirs
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-ldap.dirs 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-ldap.dirs 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1 @@
+usr/lib/kolab-postfix
Added: trunk/kolab-postfix/debian/kolab-postfix-ldap.files
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-ldap.files 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-ldap.files 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1 @@
+usr/lib/postfix/dict_ldap.so
Added: trunk/kolab-postfix/debian/kolab-postfix-ldap.postinst
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-ldap.postinst 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-ldap.postinst 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,49 @@
+#! /bin/sh
+# postinst script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+#
+# quoting from the policy:
+# Any necessary prompting should almost always be confined to the
+# post-installation script, and should be protected with a conditional
+# so that unnecessary prompting doesn't happen if a package's
+# installation fails and the `postinst' is called with `abort-upgrade',
+# `abort-remove' or `abort-deconfigure'.
+
+. /usr/share/postfix/postinst.functions
+
+case "$1" in
+ configure)
+ addmap ldap
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
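Review bot: The `configure` branch sources `/usr/share/postfix/postinst.functions` and calls `addmap ldap` unconditionally under `set -e`, so a missing helper file or function aborts configuration with only the shell's terse error and no hint of what was expected. Since this package's `.dirs` creates `usr/lib/kolab-postfix` while its `.files` installs `usr/lib/postfix/dict_ldap.so`, it looks like the script is relying on the stock postfix package's helpers rather than anything kolab-postfix ships, which is worth confirming and stating in a comment. A readable check before sourcing makes the dependency explicit: `[ -r /usr/share/postfix/postinst.functions ] || { echo "postinst: /usr/share/postfix/postinst.functions missing" >&2; exit 1; }`. The same applies to kolab-postfix-mysql.postinst further down.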
Added: trunk/kolab-postfix/debian/kolab-postfix-ldap.prerm
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-ldap.prerm 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-ldap.prerm 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,37 @@
+#! /bin/sh
+# prerm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <prerm> `remove'
+# * <old-prerm> `upgrade' <new-version>
+# * <new-prerm> `failed-upgrade' <old-version>
+# * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+# * <deconfigured's-prerm> `deconfigure' `in-favour'
+# <package-being-installed> <version> `removing'
+# <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+
+case "$1" in
+ remove|upgrade|deconfigure)
+# install-info --quiet --remove /usr/info/#PACKAGE#.info.gz
+ ;;
+ failed-upgrade)
+ ;;
+ *)
+ echo "prerm called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
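Review bot: The `remove|upgrade|deconfigure` branch does nothing, while the matching postinst registers the map type with `addmap ldap`; after removal the ldap map stays registered with postfix even though `usr/lib/postfix/dict_ldap.so` is gone, so postfix keeps referencing a module that no longer exists. If the sourced postfix helpers provide the counterpart (Debian's postinst.functions has paired `addmap` with `delmap` — confirm for the targeted postfix version), a `remove)` case should `. /usr/share/postfix/postinst.functions` and call `delmap ldap`, leaving `upgrade|deconfigure` as a no-op so the map survives upgrades. The commented-out `install-info` line is template residue and can be dropped. The same applies to kolab-postfix-mysql.prerm further down.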
Added: trunk/kolab-postfix/debian/kolab-postfix-mysql.README.Debian
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-mysql.README.Debian 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-mysql.README.Debian 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,2 @@
+The postfix-doc package contains documentation on how to configure this
+map type. See /usr/share/doc/postfix/html/MYSQL_README.html
Added: trunk/kolab-postfix/debian/kolab-postfix-mysql.copyright
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-mysql.copyright 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-mysql.copyright 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,324 @@
+This is the Debian GNU/Linux prepackaged version of Postfix, a mail transport
+agent.
+
+Postfix was created by Wietse Venema <wietse at porcupine.org>; the Debian
+package has been assembled by LaMont Jones <lamont at debian.org> from sources
+available from http://www.postfix.org.
+
+ Copyright (c) 1999, International Business Machines Corporation
+ and others. All Rights Reserved.
+
+The following copyright and license applies to this software:
+
+ IBM PUBLIC LICENSE VERSION 1.0 6/14/1999 - SECURE MAILER
+
+ THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS IBM PUBLIC
+ LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE
+ PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+ 1. DEFINITIONS
+
+ "Contribution" means:
+ a) in the case of International Business Machines Corporation ("IBM"),
+ the Original Program, and
+ b) in the case of each Contributor,
+ i) changes to the Program, and
+ ii) additions to the Program;
+ where such changes and/or additions to the Program originate
+ from and are distributed by that particular Contributor.
+ A Contribution 'originates' from a Contributor if it was added
+ to the Program by such Contributor itself or anyone acting on
+ such Contributor's behalf.
+ Contributions do not include additions to the Program which:
+ (i) are separate modules of software distributed in conjunction
+ with the Program under their own license agreement, and
+ (ii) are not derivative works of the Program.
+
+ "Contributor" means IBM and any other entity that distributes the Program.
+
+ "Licensed Patents " mean patent claims licensable by a Contributor which
+ are necessarily infringed by the use or sale of its Contribution alone
+ or when combined with the Program.
+
+ "Original Program" means the original version of the software accompanying
+ this Agreement as released by IBM, including source code, object code
+ and documentation, if any.
+
+ "Program" means the Original Program and Contributions.
+
+ "Recipient" means anyone who receives the Program under this Agreement,
+ including all Contributors.
+
+ 2. GRANT OF RIGHTS
+
+ a) Subject to the terms of this Agreement, each Contributor hereby
+ grants Recipient a non-exclusive, worldwide, royalty-free copyright
+ license to reproduce, prepare derivative works of, publicly display,
+ publicly perform, distribute and sublicense the Contribution of such
+ Contributor, if any, and such derivative works, in source code and
+ object code form.
+
+ b) Subject to the terms of this Agreement, each Contributor hereby
+ grants Recipient a non-exclusive, worldwide, royalty-free patent
+ license under Licensed Patents to make, use, sell, offer to sell,
+ import and otherwise transfer the Contribution of such Contributor,
+ if any, in source code and object code form. This patent license
+ shall apply to the combination of the Contribution and the Program
+ if, at the time the Contribution is added by the Contributor, such
+ addition of the Contribution causes such combination to be covered
+ by the Licensed Patents. The patent license shall not apply to any
+ other combinations which include the Contribution. No hardware per
+ se is licensed hereunder.
+
+ c) Recipient understands that although each Contributor grants the
+ licenses to its Contributions set forth herein, no assurances are
+ provided by any Contributor that the Program does not infringe the
+ patent or other intellectual property rights of any other entity.
+ Each Contributor disclaims any liability to Recipient for claims
+ brought by any other entity based on infringement of intellectual
+ property rights or otherwise. As a condition to exercising the rights
+ and licenses granted hereunder, each Recipient hereby assumes sole
+ responsibility to secure any other intellectual property rights
+ needed, if any. For example, if a third party patent license
+ is required to allow Recipient to distribute the Program, it is
+ Recipient's responsibility to acquire that license before distributing
+ the Program.
+
+ d) Each Contributor represents that to its knowledge it has sufficient
+ copyright rights in its Contribution, if any, to grant the copyright
+ license set forth in this Agreement.
+
+ 3. REQUIREMENTS
+
+ A Contributor may choose to distribute the Program in object code form
+ under its own license agreement, provided that:
+ a) it complies with the terms and conditions of this Agreement; and
+ b) its license agreement:
+ i) effectively disclaims on behalf of all Contributors all
+ warranties and conditions, express and implied, including
+ warranties or conditions of title and non-infringement, and
+ implied warranties or conditions of merchantability and fitness
+ for a particular purpose;
+ ii) effectively excludes on behalf of all Contributors all
+ liability for damages, including direct, indirect, special,
+ incidental and consequential damages, such as lost profits;
+ iii) states that any provisions which differ from this Agreement
+ are offered by that Contributor alone and not by any other
+ party; and
+ iv) states that source code for the Program is available from
+ such Contributor, and informs licensees how to obtain it in a
+ reasonable manner on or through a medium customarily used for
+ software exchange.
+
+ When the Program is made available in source code form:
+ a) it must be made available under this Agreement; and
+ b) a copy of this Agreement must be included with each copy of the
+ Program.
+
+ Each Contributor must include the following in a conspicuous location
+ in the Program:
+
+ Copyright (c) {date here}, International Business Machines Corporation
+ and others. All Rights Reserved.
+
+ In addition, each Contributor must identify itself as the originator of
+ its Contribution, if any, in a manner that reasonably allows subsequent
+ Recipients to identify the originator of the Contribution.
+
+ 4. COMMERCIAL DISTRIBUTION
+
+ Commercial distributors of software may accept certain responsibilities
+ with respect to end users, business partners and the like. While this
+ license is intended to facilitate the commercial use of the Program, the
+ Contributor who includes the Program in a commercial product offering
+ should do so in a manner which does not create potential liability for
+ other Contributors. Therefore, if a Contributor includes the Program in
+ a commercial product offering, such Contributor ("Commercial Contributor")
+ hereby agrees to defend and indemnify every other Contributor
+ ("Indemnified Contributor") against any losses, damages and costs
+ (collectively "Losses") arising from claims, lawsuits and other legal
+ actions brought by a third party against the Indemnified Contributor to
+ the extent caused by the acts or omissions of such Commercial Contributor
+ in connection with its distribution of the Program in a commercial
+ product offering. The obligations in this section do not apply to any
+ claims or Losses relating to any actual or alleged intellectual property
+ infringement. In order to qualify, an Indemnified Contributor must:
+ a) promptly notify the Commercial Contributor in writing of such claim,
+ and
+ b) allow the Commercial Contributor to control, and cooperate with
+ the Commercial Contributor in, the defense and any related
+ settlement negotiations. The Indemnified Contributor may
+ participate in any such claim at its own expense.
+
+ For example, a Contributor might include the Program in a commercial
+ product offering, Product X. That Contributor is then a Commercial
+ Contributor. If that Commercial Contributor then makes performance
+ claims, or offers warranties related to Product X, those performance
+ claims and warranties are such Commercial Contributor's responsibility
+ alone. Under this section, the Commercial Contributor would have to
+ defend claims against the other Contributors related to those performance
+ claims and warranties, and if a court requires any other Contributor to
+ pay any damages as a result, the Commercial Contributor must pay those
+ damages.
+
+ 5. NO WARRANTY
+
+ EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED
+ ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
+ EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
+ CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
+ PARTICULAR PURPOSE. Each Recipient is solely responsible for determining
+ the appropriateness of using and distributing the Program and assumes
+ all risks associated with its exercise of rights under this Agreement,
+ including but not limited to the risks and costs of program errors,
+ compliance with applicable laws, damage to or loss of data, programs or
+ equipment, and unavailability or interruption of operations.
+
+ 6. DISCLAIMER OF LIABILITY
+
+ EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
+ ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
+ WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION
+ OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF
+ ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ 7. GENERAL
+
+ If any provision of this Agreement is invalid or unenforceable under
+ applicable law, it shall not affect the validity or enforceability of
+ the remainder of the terms of this Agreement, and without further action
+ by the parties hereto, such provision shall be reformed to the minimum
+ extent necessary to make such provision valid and enforceable.
+
+ If Recipient institutes patent litigation against a Contributor with
+ respect to a patent applicable to software (including a cross-claim or
+ counterclaim in a lawsuit), then any patent licenses granted by that
+ Contributor to such Recipient under this Agreement shall terminate
+ as of the date such litigation is filed. In addition, If Recipient
+ institutes patent litigation against any entity (including a cross-claim
+ or counterclaim in a lawsuit) alleging that the Program itself (excluding
+ combinations of the Program with other software or hardware) infringes
+ such Recipient's patent(s), then such Recipient's rights granted under
+ Section 2(b) shall terminate as of the date such litigation is filed.
+
+ All Recipient's rights under this Agreement shall terminate if it fails
+ to comply with any of the material terms or conditions of this Agreement
+ and does not cure such failure in a reasonable period of time after
+ becoming aware of such noncompliance. If all Recipient's rights under
+ this Agreement terminate, Recipient agrees to cease use and distribution
+ of the Program as soon as reasonably practicable. However, Recipient's
+ obligations under this Agreement and any licenses granted by Recipient
+ relating to the Program shall continue and survive.
+
+ IBM may publish new versions (including revisions) of this Agreement
+ from time to time. Each new version of the Agreement will be given a
+ distinguishing version number. The Program (including Contributions)
+ may always be distributed subject to the version of the Agreement under
+ which it was received. In addition, after a new version of the Agreement
+ is published, Contributor may elect to distribute the Program (including
+ its Contributions) under the new version. No one other than IBM has the
+ right to modify this Agreement. Except as expressly stated in Sections
+ 2(a) and 2(b) above, Recipient receives no rights or licenses to the
+ intellectual property of any Contributor under this Agreement, whether
+ expressly, by implication, estoppel or otherwise. All rights in the
+ Program not expressly granted under this Agreement are reserved.
+
+ This Agreement is governed by the laws of the State of New York and the
+ intellectual property laws of the United States of America. No party to
+ this Agreement will bring a legal action under this Agreement more than
+ one year after the cause of action arose. Each party waives its rights
+ to a jury trial in any resulting litigation.
+
+The following license applies to rmail, distributed with Postfix:
+ SENDMAIL LICENSE
+
+ The following license terms and conditions apply, unless a different
+ license is obtained from Sendmail, Inc., 1401 Park Avenue, Emeryville, CA
+ 94608, or by electronic mail at license at sendmail.com.
+
+ License Terms:
+
+ Use, Modification and Redistribution (including distribution of any
+ modified or derived work) in source and binary forms is permitted only if
+ each of the following conditions is met:
+
+ 1. Redistributions qualify as "freeware" or "Open Source Software" under
+ one of the following terms:
+
+ (a) Redistributions are made at no charge beyond the reasonable cost of
+ materials and delivery.
+
+ (b) Redistributions are accompanied by a copy of the Source Code or by an
+ irrevocable offer to provide a copy of the Source Code for up to three
+ years at the cost of materials and delivery. Such redistributions
+ must allow further use, modification, and redistribution of the Source
+ Code under substantially the same terms as this license. For the
+ purposes of redistribution "Source Code" means the complete source
+ code of sendmail including all modifications.
+
+ Other forms of redistribution are allowed only under a separate royalty-
+ free agreement permitting such redistribution subject to standard
+ commercial terms and conditions. A copy of such agreement may be
+ obtained from Sendmail, Inc. at the above address.
+
+ 2. Redistributions of source code must retain the copyright notices as they
+ appear in each source code file, these license terms, and the
+ disclaimer/limitation of liability set forth as paragraph 6 below.
+
+ 3. Redistributions in binary form must reproduce the Copyright Notice,
+ these license terms, and the disclaimer/limitation of liability set
+ forth as paragraph 6 below, in the documentation and/or other materials
+ provided with the distribution. For the purposes of binary distribution
+ the "Copyright Notice" refers to the following language:
+ "Copyright (c) 1998 Sendmail, Inc. All rights reserved."
+
+ 4. Neither the name of Sendmail, Inc. nor the University of California nor
+ the names of their contributors may be used to endorse or promote
+ products derived from this software without specific prior written
+ permission. The name "sendmail" is a trademark of Sendmail, Inc.
+
+ 5. All redistributions must comply with the conditions imposed by the
+ University of California on certain embedded code, whose copyright
+ notice and conditions for redistribution are as follows:
+
+ (a) Copyright (c) 1988, 1993 The Regents of the University of
+ California. All rights reserved.
+
+ (b) Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ (i) Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ (ii) Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+ (iii) All advertising materials mentioning features or use of this
+ software must display the following acknowledgement: "This
+ product includes software developed by the University of
+ California, Berkeley and its contributors."
+
+ (iv) Neither the name of the University nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+ 6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
+ SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
+ NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
+ CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ (Version 8.6, last updated 6/24/1998)
Added: trunk/kolab-postfix/debian/kolab-postfix-mysql.dirs
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-mysql.dirs 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-mysql.dirs 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1 @@
+usr/lib/kolab-postfix
Added: trunk/kolab-postfix/debian/kolab-postfix-mysql.files
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-mysql.files 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-mysql.files 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1 @@
+usr/lib/postfix/dict_mysql.so
Added: trunk/kolab-postfix/debian/kolab-postfix-mysql.postinst
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-mysql.postinst 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-mysql.postinst 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,49 @@
+#! /bin/sh
+# postinst script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+#
+# quoting from the policy:
+# Any necessary prompting should almost always be confined to the
+# post-installation script, and should be protected with a conditional
+# so that unnecessary prompting doesn't happen if a package's
+# installation fails and the `postinst' is called with `abort-upgrade',
+# `abort-remove' or `abort-deconfigure'.
+
+. /usr/share/postfix/postinst.functions
+
+case "$1" in
+ configure)
+ addmap mysql
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
Added: trunk/kolab-postfix/debian/kolab-postfix-mysql.prerm
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-mysql.prerm 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-mysql.prerm 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,37 @@
+#! /bin/sh
+# prerm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <prerm> `remove'
+# * <old-prerm> `upgrade' <new-version>
+# * <new-prerm> `failed-upgrade' <old-version>
+# * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+# * <deconfigured's-prerm> `deconfigure' `in-favour'
+# <package-being-installed> <version> `removing'
+# <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+
+case "$1" in
+ remove|upgrade|deconfigure)
+# install-info --quiet --remove /usr/info/#PACKAGE#.info.gz
+ ;;
+ failed-upgrade)
+ ;;
+ *)
+ echo "prerm called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
Added: trunk/kolab-postfix/debian/kolab-postfix-pcre.README.Debian
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-pcre.README.Debian 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-pcre.README.Debian 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,2 @@
+The postfix-doc package contains documentation on how to configure this
+map type. See /usr/share/doc/postfix/html/PCRE_README.html
Added: trunk/kolab-postfix/debian/kolab-postfix-pcre.copyright
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-pcre.copyright 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-pcre.copyright 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,324 @@
+This is the Debian GNU/Linux prepackaged version of Postfix, a mail transport
+agent.
+
+Postfix was created by Wietse Venema <wietse at porcupine.org>; the Debian
+package has been assembled by LaMont Jones <lamont at debian.org> from sources
+available from http://www.postfix.org.
+
+ Copyright (c) 1999, International Business Machines Corporation
+ and others. All Rights Reserved.
+
+The following copyright and license applies to this software:
+
+ IBM PUBLIC LICENSE VERSION 1.0 6/14/1999 - SECURE MAILER
+
+ THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS IBM PUBLIC
+ LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE
+ PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+ 1. DEFINITIONS
+
+ "Contribution" means:
+ a) in the case of International Business Machines Corporation ("IBM"),
+ the Original Program, and
+ b) in the case of each Contributor,
+ i) changes to the Program, and
+ ii) additions to the Program;
+ where such changes and/or additions to the Program originate
+ from and are distributed by that particular Contributor.
+ A Contribution 'originates' from a Contributor if it was added
+ to the Program by such Contributor itself or anyone acting on
+ such Contributor's behalf.
+ Contributions do not include additions to the Program which:
+ (i) are separate modules of software distributed in conjunction
+ with the Program under their own license agreement, and
+ (ii) are not derivative works of the Program.
+
+ "Contributor" means IBM and any other entity that distributes the Program.
+
+ "Licensed Patents " mean patent claims licensable by a Contributor which
+ are necessarily infringed by the use or sale of its Contribution alone
+ or when combined with the Program.
+
+ "Original Program" means the original version of the software accompanying
+ this Agreement as released by IBM, including source code, object code
+ and documentation, if any.
+
+ "Program" means the Original Program and Contributions.
+
+ "Recipient" means anyone who receives the Program under this Agreement,
+ including all Contributors.
+
+ 2. GRANT OF RIGHTS
+
+ a) Subject to the terms of this Agreement, each Contributor hereby
+ grants Recipient a non-exclusive, worldwide, royalty-free copyright
+ license to reproduce, prepare derivative works of, publicly display,
+ publicly perform, distribute and sublicense the Contribution of such
+ Contributor, if any, and such derivative works, in source code and
+ object code form.
+
+ b) Subject to the terms of this Agreement, each Contributor hereby
+ grants Recipient a non-exclusive, worldwide, royalty-free patent
+ license under Licensed Patents to make, use, sell, offer to sell,
+ import and otherwise transfer the Contribution of such Contributor,
+ if any, in source code and object code form. This patent license
+ shall apply to the combination of the Contribution and the Program
+ if, at the time the Contribution is added by the Contributor, such
+ addition of the Contribution causes such combination to be covered
+ by the Licensed Patents. The patent license shall not apply to any
+ other combinations which include the Contribution. No hardware per
+ se is licensed hereunder.
+
+ c) Recipient understands that although each Contributor grants the
+ licenses to its Contributions set forth herein, no assurances are
+ provided by any Contributor that the Program does not infringe the
+ patent or other intellectual property rights of any other entity.
+ Each Contributor disclaims any liability to Recipient for claims
+ brought by any other entity based on infringement of intellectual
+ property rights or otherwise. As a condition to exercising the rights
+ and licenses granted hereunder, each Recipient hereby assumes sole
+ responsibility to secure any other intellectual property rights
+ needed, if any. For example, if a third party patent license
+ is required to allow Recipient to distribute the Program, it is
+ Recipient's responsibility to acquire that license before distributing
+ the Program.
+
+ d) Each Contributor represents that to its knowledge it has sufficient
+ copyright rights in its Contribution, if any, to grant the copyright
+ license set forth in this Agreement.
+
+ 3. REQUIREMENTS
+
+ A Contributor may choose to distribute the Program in object code form
+ under its own license agreement, provided that:
+ a) it complies with the terms and conditions of this Agreement; and
+ b) its license agreement:
+ i) effectively disclaims on behalf of all Contributors all
+ warranties and conditions, express and implied, including
+ warranties or conditions of title and non-infringement, and
+ implied warranties or conditions of merchantability and fitness
+ for a particular purpose;
+ ii) effectively excludes on behalf of all Contributors all
+ liability for damages, including direct, indirect, special,
+ incidental and consequential damages, such as lost profits;
+ iii) states that any provisions which differ from this Agreement
+ are offered by that Contributor alone and not by any other
+ party; and
+ iv) states that source code for the Program is available from
+ such Contributor, and informs licensees how to obtain it in a
+ reasonable manner on or through a medium customarily used for
+ software exchange.
+
+ When the Program is made available in source code form:
+ a) it must be made available under this Agreement; and
+ b) a copy of this Agreement must be included with each copy of the
+ Program.
+
+ Each Contributor must include the following in a conspicuous location
+ in the Program:
+
+ Copyright (c) {date here}, International Business Machines Corporation
+ and others. All Rights Reserved.
+
+ In addition, each Contributor must identify itself as the originator of
+ its Contribution, if any, in a manner that reasonably allows subsequent
+ Recipients to identify the originator of the Contribution.
+
+ 4. COMMERCIAL DISTRIBUTION
+
+ Commercial distributors of software may accept certain responsibilities
+ with respect to end users, business partners and the like. While this
+ license is intended to facilitate the commercial use of the Program, the
+ Contributor who includes the Program in a commercial product offering
+ should do so in a manner which does not create potential liability for
+ other Contributors. Therefore, if a Contributor includes the Program in
+ a commercial product offering, such Contributor ("Commercial Contributor")
+ hereby agrees to defend and indemnify every other Contributor
+ ("Indemnified Contributor") against any losses, damages and costs
+ (collectively "Losses") arising from claims, lawsuits and other legal
+ actions brought by a third party against the Indemnified Contributor to
+ the extent caused by the acts or omissions of such Commercial Contributor
+ in connection with its distribution of the Program in a commercial
+ product offering. The obligations in this section do not apply to any
+ claims or Losses relating to any actual or alleged intellectual property
+ infringement. In order to qualify, an Indemnified Contributor must:
+ a) promptly notify the Commercial Contributor in writing of such claim,
+ and
+ b) allow the Commercial Contributor to control, and cooperate with
+ the Commercial Contributor in, the defense and any related
+ settlement negotiations. The Indemnified Contributor may
+ participate in any such claim at its own expense.
+
+ For example, a Contributor might include the Program in a commercial
+ product offering, Product X. That Contributor is then a Commercial
+ Contributor. If that Commercial Contributor then makes performance
+ claims, or offers warranties related to Product X, those performance
+ claims and warranties are such Commercial Contributor's responsibility
+ alone. Under this section, the Commercial Contributor would have to
+ defend claims against the other Contributors related to those performance
+ claims and warranties, and if a court requires any other Contributor to
+ pay any damages as a result, the Commercial Contributor must pay those
+ damages.
+
+ 5. NO WARRANTY
+
+ EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED
+ ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
+ EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
+ CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
+ PARTICULAR PURPOSE. Each Recipient is solely responsible for determining
+ the appropriateness of using and distributing the Program and assumes
+ all risks associated with its exercise of rights under this Agreement,
+ including but not limited to the risks and costs of program errors,
+ compliance with applicable laws, damage to or loss of data, programs or
+ equipment, and unavailability or interruption of operations.
+
+ 6. DISCLAIMER OF LIABILITY
+
+ EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
+ ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
+ WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION
+ OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF
+ ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ 7. GENERAL
+
+ If any provision of this Agreement is invalid or unenforceable under
+ applicable law, it shall not affect the validity or enforceability of
+ the remainder of the terms of this Agreement, and without further action
+ by the parties hereto, such provision shall be reformed to the minimum
+ extent necessary to make such provision valid and enforceable.
+
+ If Recipient institutes patent litigation against a Contributor with
+ respect to a patent applicable to software (including a cross-claim or
+ counterclaim in a lawsuit), then any patent licenses granted by that
+ Contributor to such Recipient under this Agreement shall terminate
+ as of the date such litigation is filed. In addition, If Recipient
+ institutes patent litigation against any entity (including a cross-claim
+ or counterclaim in a lawsuit) alleging that the Program itself (excluding
+ combinations of the Program with other software or hardware) infringes
+ such Recipient's patent(s), then such Recipient's rights granted under
+ Section 2(b) shall terminate as of the date such litigation is filed.
+
+ All Recipient's rights under this Agreement shall terminate if it fails
+ to comply with any of the material terms or conditions of this Agreement
+ and does not cure such failure in a reasonable period of time after
+ becoming aware of such noncompliance. If all Recipient's rights under
+ this Agreement terminate, Recipient agrees to cease use and distribution
+ of the Program as soon as reasonably practicable. However, Recipient's
+ obligations under this Agreement and any licenses granted by Recipient
+ relating to the Program shall continue and survive.
+
+ IBM may publish new versions (including revisions) of this Agreement
+ from time to time. Each new version of the Agreement will be given a
+ distinguishing version number. The Program (including Contributions)
+ may always be distributed subject to the version of the Agreement under
+ which it was received. In addition, after a new version of the Agreement
+ is published, Contributor may elect to distribute the Program (including
+ its Contributions) under the new version. No one other than IBM has the
+ right to modify this Agreement. Except as expressly stated in Sections
+ 2(a) and 2(b) above, Recipient receives no rights or licenses to the
+ intellectual property of any Contributor under this Agreement, whether
+ expressly, by implication, estoppel or otherwise. All rights in the
+ Program not expressly granted under this Agreement are reserved.
+
+ This Agreement is governed by the laws of the State of New York and the
+ intellectual property laws of the United States of America. No party to
+ this Agreement will bring a legal action under this Agreement more than
+ one year after the cause of action arose. Each party waives its rights
+ to a jury trial in any resulting litigation.
+
+The following license applies to rmail, distributed with Postfix:
+ SENDMAIL LICENSE
+
+ The following license terms and conditions apply, unless a different
+ license is obtained from Sendmail, Inc., 1401 Park Avenue, Emeryville, CA
+ 94608, or by electronic mail at license at sendmail.com.
+
+ License Terms:
+
+ Use, Modification and Redistribution (including distribution of any
+ modified or derived work) in source and binary forms is permitted only if
+ each of the following conditions is met:
+
+ 1. Redistributions qualify as "freeware" or "Open Source Software" under
+ one of the following terms:
+
+ (a) Redistributions are made at no charge beyond the reasonable cost of
+ materials and delivery.
+
+ (b) Redistributions are accompanied by a copy of the Source Code or by an
+ irrevocable offer to provide a copy of the Source Code for up to three
+ years at the cost of materials and delivery. Such redistributions
+ must allow further use, modification, and redistribution of the Source
+ Code under substantially the same terms as this license. For the
+ purposes of redistribution "Source Code" means the complete source
+ code of sendmail including all modifications.
+
+ Other forms of redistribution are allowed only under a separate royalty-
+ free agreement permitting such redistribution subject to standard
+ commercial terms and conditions. A copy of such agreement may be
+ obtained from Sendmail, Inc. at the above address.
+
+ 2. Redistributions of source code must retain the copyright notices as they
+ appear in each source code file, these license terms, and the
+ disclaimer/limitation of liability set forth as paragraph 6 below.
+
+ 3. Redistributions in binary form must reproduce the Copyright Notice,
+ these license terms, and the disclaimer/limitation of liability set
+ forth as paragraph 6 below, in the documentation and/or other materials
+ provided with the distribution. For the purposes of binary distribution
+ the "Copyright Notice" refers to the following language:
+ "Copyright (c) 1998 Sendmail, Inc. All rights reserved."
+
+ 4. Neither the name of Sendmail, Inc. nor the University of California nor
+ the names of their contributors may be used to endorse or promote
+ products derived from this software without specific prior written
+ permission. The name "sendmail" is a trademark of Sendmail, Inc.
+
+ 5. All redistributions must comply with the conditions imposed by the
+ University of California on certain embedded code, whose copyright
+ notice and conditions for redistribution are as follows:
+
+ (a) Copyright (c) 1988, 1993 The Regents of the University of
+ California. All rights reserved.
+
+ (b) Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ (i) Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ (ii) Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+ (iii) All advertising materials mentioning features or use of this
+ software must display the following acknowledgement: "This
+ product includes software developed by the University of
+ California, Berkeley and its contributors."
+
+ (iv) Neither the name of the University nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+ 6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
+ SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
+ NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
+ CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ (Version 8.6, last updated 6/24/1998)
Added: trunk/kolab-postfix/debian/kolab-postfix-pcre.dirs
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-pcre.dirs 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-pcre.dirs 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1 @@
+usr/lib/kolab-postfix
Added: trunk/kolab-postfix/debian/kolab-postfix-pcre.files
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-pcre.files 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-pcre.files 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1 @@
+usr/lib/postfix/dict_pcre.so
Added: trunk/kolab-postfix/debian/kolab-postfix-pcre.postinst
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-pcre.postinst 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-pcre.postinst 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,49 @@
+#! /bin/sh
+# postinst script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+#
+# quoting from the policy:
+# Any necessary prompting should almost always be confined to the
+# post-installation script, and should be protected with a conditional
+# so that unnecessary prompting doesn't happen if a package's
+# installation fails and the `postinst' is called with `abort-upgrade',
+# `abort-remove' or `abort-deconfigure'.
+
+. /usr/share/postfix/postinst.functions
+
+case "$1" in
+ configure)
+ addmap pcre
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
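Review bot: `. /usr/share/postfix/postinst.functions` sources a helper from the postfix package's path, while this package ships its own tree under usr/lib/kolab-postfix; if kolab-postfix is meant to replace rather than depend on postfix, that file may be absent at configure time and `set -e` will abort the postinst with a bare dot-command error instead of a useful message. Either ship and source a kolab-postfix-owned copy of the functions file, or guard the include: `[ -r /usr/share/postfix/postinst.functions ] || { echo "postinst: postfix helper functions not found" >&2; exit 1; }`. The `*)` branch should also end with `exit 1` rather than `exit 0`, for the same reason as in the prerm scripts. Note as well that kolab-postfix-pcre.dirs creates usr/lib/kolab-postfix while kolab-postfix-pcre.files installs usr/lib/postfix/dict_pcre.so, so one of the two paths looks wrong and `addmap pcre` will register whichever location the sourced helper assumes.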
Added: trunk/kolab-postfix/debian/kolab-postfix-pcre.prerm
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-pcre.prerm 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-pcre.prerm 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,37 @@
+#! /bin/sh
+# prerm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <prerm> `remove'
+# * <old-prerm> `upgrade' <new-version>
+# * <new-prerm> `failed-upgrade' <old-version>
+# * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+# * <deconfigured's-prerm> `deconfigure' `in-favour'
+# <package-being-installed> <version> `removing'
+# <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+
+case "$1" in
+ remove|upgrade|deconfigure)
+# install-info --quiet --remove /usr/info/#PACKAGE#.info.gz
+ ;;
+ failed-upgrade)
+ ;;
+ *)
+ echo "prerm called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
Added: trunk/kolab-postfix/debian/kolab-postfix-pgsql.README.Debian
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-pgsql.README.Debian 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-pgsql.README.Debian 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,2 @@
+The postfix-doc package contains documentation on how to configure this
+map type. See /usr/share/doc/postfix/html/PGSQL_README.html
Added: trunk/kolab-postfix/debian/kolab-postfix-pgsql.copyright
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-pgsql.copyright 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-pgsql.copyright 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,324 @@
+This is the Debian GNU/Linux prepackaged version of Postfix, a mail transport
+agent.
+
+Postfix was created by Wietse Venema <wietse at porcupine.org>; the Debian
+package has been assembled by LaMont Jones <lamont at debian.org> from sources
+available from http://www.postfix.org.
+
+ Copyright (c) 1999, International Business Machines Corporation
+ and others. All Rights Reserved.
+
+The following copyright and license applies to this software:
+
+ IBM PUBLIC LICENSE VERSION 1.0 6/14/1999 - SECURE MAILER
+
+ THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS IBM PUBLIC
+ LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE
+ PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+ 1. DEFINITIONS
+
+ "Contribution" means:
+ a) in the case of International Business Machines Corporation ("IBM"),
+ the Original Program, and
+ b) in the case of each Contributor,
+ i) changes to the Program, and
+ ii) additions to the Program;
+ where such changes and/or additions to the Program originate
+ from and are distributed by that particular Contributor.
+ A Contribution 'originates' from a Contributor if it was added
+ to the Program by such Contributor itself or anyone acting on
+ such Contributor's behalf.
+ Contributions do not include additions to the Program which:
+ (i) are separate modules of software distributed in conjunction
+ with the Program under their own license agreement, and
+ (ii) are not derivative works of the Program.
+
+ "Contributor" means IBM and any other entity that distributes the Program.
+
+ "Licensed Patents " mean patent claims licensable by a Contributor which
+ are necessarily infringed by the use or sale of its Contribution alone
+ or when combined with the Program.
+
+ "Original Program" means the original version of the software accompanying
+ this Agreement as released by IBM, including source code, object code
+ and documentation, if any.
+
+ "Program" means the Original Program and Contributions.
+
+ "Recipient" means anyone who receives the Program under this Agreement,
+ including all Contributors.
+
+ 2. GRANT OF RIGHTS
+
+ a) Subject to the terms of this Agreement, each Contributor hereby
+ grants Recipient a non-exclusive, worldwide, royalty-free copyright
+ license to reproduce, prepare derivative works of, publicly display,
+ publicly perform, distribute and sublicense the Contribution of such
+ Contributor, if any, and such derivative works, in source code and
+ object code form.
+
+ b) Subject to the terms of this Agreement, each Contributor hereby
+ grants Recipient a non-exclusive, worldwide, royalty-free patent
+ license under Licensed Patents to make, use, sell, offer to sell,
+ import and otherwise transfer the Contribution of such Contributor,
+ if any, in source code and object code form. This patent license
+ shall apply to the combination of the Contribution and the Program
+ if, at the time the Contribution is added by the Contributor, such
+ addition of the Contribution causes such combination to be covered
+ by the Licensed Patents. The patent license shall not apply to any
+ other combinations which include the Contribution. No hardware per
+ se is licensed hereunder.
+
+ c) Recipient understands that although each Contributor grants the
+ licenses to its Contributions set forth herein, no assurances are
+ provided by any Contributor that the Program does not infringe the
+ patent or other intellectual property rights of any other entity.
+ Each Contributor disclaims any liability to Recipient for claims
+ brought by any other entity based on infringement of intellectual
+ property rights or otherwise. As a condition to exercising the rights
+ and licenses granted hereunder, each Recipient hereby assumes sole
+ responsibility to secure any other intellectual property rights
+ needed, if any. For example, if a third party patent license
+ is required to allow Recipient to distribute the Program, it is
+ Recipient's responsibility to acquire that license before distributing
+ the Program.
+
+ d) Each Contributor represents that to its knowledge it has sufficient
+ copyright rights in its Contribution, if any, to grant the copyright
+ license set forth in this Agreement.
+
+ 3. REQUIREMENTS
+
+ A Contributor may choose to distribute the Program in object code form
+ under its own license agreement, provided that:
+ a) it complies with the terms and conditions of this Agreement; and
+ b) its license agreement:
+ i) effectively disclaims on behalf of all Contributors all
+ warranties and conditions, express and implied, including
+ warranties or conditions of title and non-infringement, and
+ implied warranties or conditions of merchantability and fitness
+ for a particular purpose;
+ ii) effectively excludes on behalf of all Contributors all
+ liability for damages, including direct, indirect, special,
+ incidental and consequential damages, such as lost profits;
+ iii) states that any provisions which differ from this Agreement
+ are offered by that Contributor alone and not by any other
+ party; and
+ iv) states that source code for the Program is available from
+ such Contributor, and informs licensees how to obtain it in a
+ reasonable manner on or through a medium customarily used for
+ software exchange.
+
+ When the Program is made available in source code form:
+ a) it must be made available under this Agreement; and
+ b) a copy of this Agreement must be included with each copy of the
+ Program.
+
+ Each Contributor must include the following in a conspicuous location
+ in the Program:
+
+ Copyright (c) {date here}, International Business Machines Corporation
+ and others. All Rights Reserved.
+
+ In addition, each Contributor must identify itself as the originator of
+ its Contribution, if any, in a manner that reasonably allows subsequent
+ Recipients to identify the originator of the Contribution.
+
+ 4. COMMERCIAL DISTRIBUTION
+
+ Commercial distributors of software may accept certain responsibilities
+ with respect to end users, business partners and the like. While this
+ license is intended to facilitate the commercial use of the Program, the
+ Contributor who includes the Program in a commercial product offering
+ should do so in a manner which does not create potential liability for
+ other Contributors. Therefore, if a Contributor includes the Program in
+ a commercial product offering, such Contributor ("Commercial Contributor")
+ hereby agrees to defend and indemnify every other Contributor
+ ("Indemnified Contributor") against any losses, damages and costs
+ (collectively "Losses") arising from claims, lawsuits and other legal
+ actions brought by a third party against the Indemnified Contributor to
+ the extent caused by the acts or omissions of such Commercial Contributor
+ in connection with its distribution of the Program in a commercial
+ product offering. The obligations in this section do not apply to any
+ claims or Losses relating to any actual or alleged intellectual property
+ infringement. In order to qualify, an Indemnified Contributor must:
+ a) promptly notify the Commercial Contributor in writing of such claim,
+ and
+ b) allow the Commercial Contributor to control, and cooperate with
+ the Commercial Contributor in, the defense and any related
+ settlement negotiations. The Indemnified Contributor may
+ participate in any such claim at its own expense.
+
+ For example, a Contributor might include the Program in a commercial
+ product offering, Product X. That Contributor is then a Commercial
+ Contributor. If that Commercial Contributor then makes performance
+ claims, or offers warranties related to Product X, those performance
+ claims and warranties are such Commercial Contributor's responsibility
+ alone. Under this section, the Commercial Contributor would have to
+ defend claims against the other Contributors related to those performance
+ claims and warranties, and if a court requires any other Contributor to
+ pay any damages as a result, the Commercial Contributor must pay those
+ damages.
+
+ 5. NO WARRANTY
+
+ EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED
+ ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
+ EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
+ CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
+ PARTICULAR PURPOSE. Each Recipient is solely responsible for determining
+ the appropriateness of using and distributing the Program and assumes
+ all risks associated with its exercise of rights under this Agreement,
+ including but not limited to the risks and costs of program errors,
+ compliance with applicable laws, damage to or loss of data, programs or
+ equipment, and unavailability or interruption of operations.
+
+ 6. DISCLAIMER OF LIABILITY
+
+ EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
+ ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
+ WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION
+ OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF
+ ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ 7. GENERAL
+
+ If any provision of this Agreement is invalid or unenforceable under
+ applicable law, it shall not affect the validity or enforceability of
+ the remainder of the terms of this Agreement, and without further action
+ by the parties hereto, such provision shall be reformed to the minimum
+ extent necessary to make such provision valid and enforceable.
+
+ If Recipient institutes patent litigation against a Contributor with
+ respect to a patent applicable to software (including a cross-claim or
+ counterclaim in a lawsuit), then any patent licenses granted by that
+ Contributor to such Recipient under this Agreement shall terminate
+ as of the date such litigation is filed. In addition, If Recipient
+ institutes patent litigation against any entity (including a cross-claim
+ or counterclaim in a lawsuit) alleging that the Program itself (excluding
+ combinations of the Program with other software or hardware) infringes
+ such Recipient's patent(s), then such Recipient's rights granted under
+ Section 2(b) shall terminate as of the date such litigation is filed.
+
+ All Recipient's rights under this Agreement shall terminate if it fails
+ to comply with any of the material terms or conditions of this Agreement
+ and does not cure such failure in a reasonable period of time after
+ becoming aware of such noncompliance. If all Recipient's rights under
+ this Agreement terminate, Recipient agrees to cease use and distribution
+ of the Program as soon as reasonably practicable. However, Recipient's
+ obligations under this Agreement and any licenses granted by Recipient
+ relating to the Program shall continue and survive.
+
+ IBM may publish new versions (including revisions) of this Agreement
+ from time to time. Each new version of the Agreement will be given a
+ distinguishing version number. The Program (including Contributions)
+ may always be distributed subject to the version of the Agreement under
+ which it was received. In addition, after a new version of the Agreement
+ is published, Contributor may elect to distribute the Program (including
+ its Contributions) under the new version. No one other than IBM has the
+ right to modify this Agreement. Except as expressly stated in Sections
+ 2(a) and 2(b) above, Recipient receives no rights or licenses to the
+ intellectual property of any Contributor under this Agreement, whether
+ expressly, by implication, estoppel or otherwise. All rights in the
+ Program not expressly granted under this Agreement are reserved.
+
+ This Agreement is governed by the laws of the State of New York and the
+ intellectual property laws of the United States of America. No party to
+ this Agreement will bring a legal action under this Agreement more than
+ one year after the cause of action arose. Each party waives its rights
+ to a jury trial in any resulting litigation.
+
+The following license applies to rmail, distributed with Postfix:
+ SENDMAIL LICENSE
+
+ The following license terms and conditions apply, unless a different
+ license is obtained from Sendmail, Inc., 1401 Park Avenue, Emeryville, CA
+ 94608, or by electronic mail at license at sendmail.com.
+
+ License Terms:
+
+ Use, Modification and Redistribution (including distribution of any
+ modified or derived work) in source and binary forms is permitted only if
+ each of the following conditions is met:
+
+ 1. Redistributions qualify as "freeware" or "Open Source Software" under
+ one of the following terms:
+
+ (a) Redistributions are made at no charge beyond the reasonable cost of
+ materials and delivery.
+
+ (b) Redistributions are accompanied by a copy of the Source Code or by an
+ irrevocable offer to provide a copy of the Source Code for up to three
+ years at the cost of materials and delivery. Such redistributions
+ must allow further use, modification, and redistribution of the Source
+ Code under substantially the same terms as this license. For the
+ purposes of redistribution "Source Code" means the complete source
+ code of sendmail including all modifications.
+
+ Other forms of redistribution are allowed only under a separate royalty-
+ free agreement permitting such redistribution subject to standard
+ commercial terms and conditions. A copy of such agreement may be
+ obtained from Sendmail, Inc. at the above address.
+
+ 2. Redistributions of source code must retain the copyright notices as they
+ appear in each source code file, these license terms, and the
+ disclaimer/limitation of liability set forth as paragraph 6 below.
+
+ 3. Redistributions in binary form must reproduce the Copyright Notice,
+ these license terms, and the disclaimer/limitation of liability set
+ forth as paragraph 6 below, in the documentation and/or other materials
+ provided with the distribution. For the purposes of binary distribution
+ the "Copyright Notice" refers to the following language:
+ "Copyright (c) 1998 Sendmail, Inc. All rights reserved."
+
+ 4. Neither the name of Sendmail, Inc. nor the University of California nor
+ the names of their contributors may be used to endorse or promote
+ products derived from this software without specific prior written
+ permission. The name "sendmail" is a trademark of Sendmail, Inc.
+
+ 5. All redistributions must comply with the conditions imposed by the
+ University of California on certain embedded code, whose copyright
+ notice and conditions for redistribution are as follows:
+
+ (a) Copyright (c) 1988, 1993 The Regents of the University of
+ California. All rights reserved.
+
+ (b) Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ (i) Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ (ii) Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+ (iii) All advertising materials mentioning features or use of this
+ software must display the following acknowledgement: "This
+ product includes software developed by the University of
+ California, Berkeley and its contributors."
+
+ (iv) Neither the name of the University nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+ 6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
+ SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
+ NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
+ CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ (Version 8.6, last updated 6/24/1998)
Added: trunk/kolab-postfix/debian/kolab-postfix-pgsql.dirs
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-pgsql.dirs 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-pgsql.dirs 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1 @@
+usr/lib/kolab-postfix
Added: trunk/kolab-postfix/debian/kolab-postfix-pgsql.files
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-pgsql.files 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-pgsql.files 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1 @@
+usr/lib/postfix/dict_pgsql.so
Added: trunk/kolab-postfix/debian/kolab-postfix-pgsql.postinst
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-pgsql.postinst 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-pgsql.postinst 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,49 @@
+#! /bin/sh
+# postinst script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+#
+# quoting from the policy:
+# Any necessary prompting should almost always be confined to the
+# post-installation script, and should be protected with a conditional
+# so that unnecessary prompting doesn't happen if a package's
+# installation fails and the `postinst' is called with `abort-upgrade',
+# `abort-remove' or `abort-deconfigure'.
+
+. /usr/share/postfix/postinst.functions
+
+case "$1" in
+ configure)
+ addmap pgsql
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
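Review bot: The `*)` branch at L5133-5136 reports an unknown maintainer-script argument but then exits 0, so a mis-invocation is treated as success; the tls scripts added in this same commit exit 1 there, and so does the dh template this is derived from, so L5135 should read `exit 1` (the pgsql prerm at its `*)` branch has the same `exit 0`). Separately, `. /usr/share/postfix/postinst.functions` is sourced unconditionally under `set -e`, which ties this package's configure step to the stock postfix package's helper file being present; if kolab-postfix ships its own copy (the .dirs file creates usr/lib/kolab-postfix), the path should follow it, otherwise the dependency should be declared in control — I cannot tell from this hunk which is intended.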
Added: trunk/kolab-postfix/debian/kolab-postfix-pgsql.prerm
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-pgsql.prerm 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-pgsql.prerm 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,37 @@
+#! /bin/sh
+# prerm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <prerm> `remove'
+# * <old-prerm> `upgrade' <new-version>
+# * <new-prerm> `failed-upgrade' <old-version>
+# * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+# * <deconfigured's-prerm> `deconfigure' `in-favour'
+# <package-being-installed> <version> `removing'
+# <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+
+case "$1" in
+ remove|upgrade|deconfigure)
+# install-info --quiet --remove /usr/info/#PACKAGE#.info.gz
+ ;;
+ failed-upgrade)
+ ;;
+ *)
+ echo "prerm called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
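Review bot: The `remove|upgrade|deconfigure)` branch at L5170-5172 contains only a commented-out install-info line, so the `addmap pgsql` registration made by the matching postinst is never undone: after removal, dynamicmaps.cf still lists pgsql while `usr/lib/postfix/dict_pgsql.so` is gone. Give `remove)` its own branch that sources the same helper file and runs `delmap pgsql`, mirroring the postinst (upgrade and deconfigure should keep the map), and drop the dead `# install-info` line while here. As with the postinst, the `*)` branch should `exit 1` rather than `exit 0`.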
Added: trunk/kolab-postfix/debian/kolab-postfix-tls.copyright
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-tls.copyright 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-tls.copyright 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,326 @@
+This is the Debian GNU/Linux prepackaged version of Postfix, a mail transport
+agent, with TLS and SASL support.
+
+Postfix was created by Wietse Venema <wietse at porcupine.org>; the Debian
+package has been assembled by LaMont Jones <lamont at debian.org> from sources
+available from http://www.postfix.org.
+
+ Copyright (c) 1999, International Business Machines Corporation
+ and others. All Rights Reserved.
+
+The following copyright and license applies to this software:
+
+ IBM PUBLIC LICENSE VERSION 1.0 - SECURE MAILER
+
+ THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS IBM PUBLIC
+ LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE
+ PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+ 1. DEFINITIONS
+
+ "Contribution" means:
+ a) in the case of International Business Machines Corporation ("IBM"),
+ the Original Program, and
+ b) in the case of each Contributor,
+ i) changes to the Program, and
+ ii) additions to the Program;
+ where such changes and/or additions to the Program originate
+ from and are distributed by that particular Contributor.
+ A Contribution 'originates' from a Contributor if it was added
+ to the Program by such Contributor itself or anyone acting on
+ such Contributor's behalf.
+ Contributions do not include additions to the Program which:
+ (i) are separate modules of software distributed in conjunction
+ with the Program under their own license agreement, and
+ (ii) are not derivative works of the Program.
+
+ "Contributor" means IBM and any other entity that distributes the Program.
+
+ "Licensed Patents " mean patent claims licensable by a Contributor which
+ are necessarily infringed by the use or sale of its Contribution alone
+ or when combined with the Program.
+
+ "Original Program" means the original version of the software accompanying
+ this Agreement as released by IBM, including source code, object code
+ and documentation, if any.
+
+ "Program" means the Original Program and Contributions.
+
+ "Recipient" means anyone who receives the Program under this Agreement,
+ including all Contributors.
+
+ 2. GRANT OF RIGHTS
+
+ a) Subject to the terms of this Agreement, each Contributor hereby
+ grants Recipient a non-exclusive, worldwide, royalty-free copyright
+ license to reproduce, prepare derivative works of, publicly display,
+ publicly perform, distribute and sublicense the Contribution of such
+ Contributor, if any, and such derivative works, in source code and
+ object code form.
+
+ b) Subject to the terms of this Agreement, each Contributor hereby
+ grants Recipient a non-exclusive, worldwide, royalty-free patent
+ license under Licensed Patents to make, use, sell, offer to sell,
+ import and otherwise transfer the Contribution of such Contributor,
+ if any, in source code and object code form. This patent license
+ shall apply to the combination of the Contribution and the Program
+ if, at the time the Contribution is added by the Contributor, such
+ addition of the Contribution causes such combination to be covered
+ by the Licensed Patents. The patent license shall not apply to any
+ other combinations which include the Contribution. No hardware per
+ se is licensed hereunder.
+
+ c) Recipient understands that although each Contributor grants the
+ licenses to its Contributions set forth herein, no assurances are
+ provided by any Contributor that the Program does not infringe the
+ patent or other intellectual property rights of any other entity.
+ Each Contributor disclaims any liability to Recipient for claims
+ brought by any other entity based on infringement of intellectual
+ property rights or otherwise. As a condition to exercising the rights
+ and licenses granted hereunder, each Recipient hereby assumes sole
+ responsibility to secure any other intellectual property rights
+ needed, if any. For example, if a third party patent license
+ is required to allow Recipient to distribute the Program, it is
+ Recipient's responsibility to acquire that license before distributing
+ the Program.
+
+ d) Each Contributor represents that to its knowledge it has sufficient
+ copyright rights in its Contribution, if any, to grant the copyright
+ license set forth in this Agreement.
+
+ 3. REQUIREMENTS
+
+ A Contributor may choose to distribute the Program in object code form
+ under its own license agreement, provided that:
+ a) it complies with the terms and conditions of this Agreement; and
+ b) its license agreement:
+ i) effectively disclaims on behalf of all Contributors all
+ warranties and conditions, express and implied, including
+ warranties or conditions of title and non-infringement, and
+ implied warranties or conditions of merchantability and fitness
+ for a particular purpose;
+ ii) effectively excludes on behalf of all Contributors all
+ liability for damages, including direct, indirect, special,
+ incidental and consequential damages, such as lost profits;
+ iii) states that any provisions which differ from this Agreement
+ are offered by that Contributor alone and not by any other
+ party; and
+ iv) states that source code for the Program is available from
+ such Contributor, and informs licensees how to obtain it in a
+ reasonable manner on or through a medium customarily used for
+ software exchange.
+
+ When the Program is made available in source code form:
+ a) it must be made available under this Agreement; and
+ b) a copy of this Agreement must be included with each copy of the
+ Program.
+
+ Each Contributor must include the following in a conspicuous location
+ in the Program:
+
+ Copyright (c) 1997,1998,1999, International Business Machines
+ Corporation and others. All Rights Reserved.
+
+ In addition, each Contributor must identify itself as the originator of
+ its Contribution, if any, in a manner that reasonably allows subsequent
+ Recipients to identify the originator of the Contribution.
+
+ 4. COMMERCIAL DISTRIBUTION
+
+ Commercial distributors of software may accept certain responsibilities
+ with respect to end users, business partners and the like. While this
+ license is intended to facilitate the commercial use of the Program, the
+ Contributor who includes the Program in a commercial product offering
+ should do so in a manner which does not create potential liability for
+ other Contributors. Therefore, if a Contributor includes the Program in
+ a commercial product offering, such Contributor ("Commercial Contributor")
+ hereby agrees to defend and indemnify every other Contributor
+ ("Indemnified Contributor") against any losses, damages and costs
+ (collectively "Losses") arising from claims, lawsuits and other legal
+ actions brought by a third party against the Indemnified Contributor to
+ the extent caused by the acts or omissions of such Commercial Contributor
+ in connection with its distribution of the Program in a commercial
+ product offering. The obligations in this section do not apply to any
+ claims or Losses relating to any actual or alleged intellectual property
+ infringement. In order to qualify, an Indemnified Contributor must:
+ a) promptly notify the Commercial Contributor in writing of such claim,
+ and
+ b) allow the Commercial Contributor to control, and cooperate with
+ the Commercial Contributor in, the defense and any related
+ settlement negotiations. The Indemnified Contributor may
+ participate in any such claim at its own expense.
+
+ For example, a Contributor might include the Program in a commercial
+ product offering, Product X. That Contributor is then a Commercial
+ Contributor. If that Commercial Contributor then makes performance
+ claims, or offers warranties related to Product X, those performance
+ claims and warranties are such Commercial Contributor's responsibility
+ alone. Under this section, the Commercial Contributor would have to
+ defend claims against the other Contributors related to those performance
+ claims and warranties, and if a court requires any other Contributor to
+ pay any damages as a result, the Commercial Contributor must pay those
+ damages.
+
+ 5. NO WARRANTY
+
+ EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED
+ ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
+ EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
+ CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
+ PARTICULAR PURPOSE. Each Recipient is solely responsible for determining
+ the appropriateness of using and distributing the Program and assumes
+ all risks associated with its exercise of rights under this Agreement,
+ including but not limited to the risks and costs of program errors,
+ compliance with applicable laws, damage to or loss of data, programs or
+ equipment, and unavailability or interruption of operations.
+
+ 6. DISCLAIMER OF LIABILITY
+
+ EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
+ ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
+ WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION
+ OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF
+ ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ 7. GENERAL
+
+ If any provision of this Agreement is invalid or unenforceable under
+ applicable law, it shall not affect the validity or enforceability of
+ the remainder of the terms of this Agreement, and without further action
+ by the parties hereto, such provision shall be reformed to the minimum
+ extent necessary to make such provision valid and enforceable.
+
+ If Recipient institutes patent litigation against a Contributor with
+ respect to a patent applicable to software (including a cross-claim or
+ counterclaim in a lawsuit), then any patent licenses granted by that
+ Contributor to such Recipient under this Agreement shall terminate
+ as of the date such litigation is filed. In addition, If Recipient
+ institutes patent litigation against any entity (including a cross-claim
+ or counterclaim in a lawsuit) alleging that the Program itself (excluding
+ combinations of the Program with other software or hardware) infringes
+ such Recipient's patent(s), then such Recipient's rights granted under
+ Section 2(b) shall terminate as of the date such litigation is filed.
+
+ All Recipient's rights under this Agreement shall terminate if it fails
+ to comply with any of the material terms or conditions of this Agreement
+ and does not cure such failure in a reasonable period of time after
+ becoming aware of such noncompliance. If all Recipient's rights under
+ this Agreement terminate, Recipient agrees to cease use and distribution
+ of the Program as soon as reasonably practicable. However, Recipient's
+ obligations under this Agreement and any licenses granted by Recipient
+ relating to the Program shall continue and survive.
+
+ IBM may publish new versions (including revisions) of this Agreement
+ from time to time. Each new version of the Agreement will be given a
+ distinguishing version number. The Program (including Contributions)
+ may always be distributed subject to the version of the Agreement under
+ which it was received. In addition, after a new version of the Agreement
+ is published, Contributor may elect to distribute the Program (including
+ its Contributions) under the new version. No one other than IBM has the
+ right to modify this Agreement. Except as expressly stated in Sections
+ 2(a) and 2(b) above, Recipient receives no rights or licenses to the
+ intellectual property of any Contributor under this Agreement, whether
+ expressly, by implication, estoppel or otherwise. All rights in the
+ Program not expressly granted under this Agreement are reserved.
+
+ This Agreement is governed by the laws of the State of New York and the
+ intellectual property laws of the United States of America. No party to
+ this Agreement will bring a legal action under this Agreement more than
+ one year after the cause of action arose. Each party waives its rights
+ to a jury trial in any resulting litigation.
+
+The following license applies to rmail, distributed with Postfix:
+
+ SENDMAIL LICENSE
+
+ The following license terms and conditions apply, unless a different
+ license is obtained from Sendmail, Inc., 6425 Christie Ave, Fourth Floor,
+ Emeryville, CA 94608, or by electronic mail at license at sendmail.com.
+
+ License Terms:
+
+ Use, Modification and Redistribution (including distribution of any
+ modified or derived work) in source and binary forms is permitted only if
+ each of the following conditions is met:
+
+ 1. Redistributions qualify as "freeware" or "Open Source Software" under
+ one of the following terms:
+
+ (a) Redistributions are made at no charge beyond the reasonable cost of
+ materials and delivery.
+
+ (b) Redistributions are accompanied by a copy of the Source Code or by an
+ irrevocable offer to provide a copy of the Source Code for up to three
+ years at the cost of materials and delivery. Such redistributions
+ must allow further use, modification, and redistribution of the Source
+ Code under substantially the same terms as this license. For the
+ purposes of redistribution "Source Code" means the complete compilable
+ and linkable source code of sendmail including all modifications.
+
+ 2. Redistributions of source code must retain the copyright notices as they
+ appear in each source code file, these license terms, and the
+ disclaimer/limitation of liability set forth as paragraph 6 below.
+
+ 3. Redistributions in binary form must reproduce the Copyright Notice,
+ these license terms, and the disclaimer/limitation of liability set
+ forth as paragraph 6 below, in the documentation and/or other materials
+ provided with the distribution. For the purposes of binary distribution
+ the "Copyright Notice" refers to the following language:
+ "Copyright (c) 1998-2000 Sendmail, Inc. All rights reserved."
+
+ 4. Neither the name of Sendmail, Inc. nor the University of California nor
+ the names of their contributors may be used to endorse or promote
+ products derived from this software without specific prior written
+ permission. The name "sendmail" is a trademark of Sendmail, Inc.
+
+ 5. All redistributions must comply with the conditions imposed by the
+ University of California on certain embedded code, whose copyright
+ notice and conditions for redistribution are as follows:
+
+ (a) Copyright (c) 1988, 1993 The Regents of the University of
+ California. All rights reserved.
+
+ (b) Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ (i) Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ (ii) Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+ (iii) Neither the name of the University nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+ 6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
+ SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
+ NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
+ CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ $Revision: 1.1.2.1 $, Last updated $Date: 2003/05/22 06:34:17 $
+
+The following license applies to the TLS patch, which is available from:
+http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/.
+
+ License:
+ ========
+ - This software is free. You can do with it whatever you want.
+ I would however kindly ask you to acknowledge the use of this
+ package, if you are going use it in your software, which you might
+ be going to distribute. I would also like to receive a note if you
+ are a satisfied user :-)
Added: trunk/kolab-postfix/debian/kolab-postfix-tls.dirs
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-tls.dirs 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-tls.dirs 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,5 @@
+DEBIAN
+usr/lib/kolab-postfix
+usr/sbin
+usr/share/man/man8
+etc/kolab-postfix/sasl
Added: trunk/kolab-postfix/debian/kolab-postfix-tls.postinst
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-tls.postinst 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-tls.postinst 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,71 @@
+#!/bin/sh -e
+
+# Debian Postfix postinst
+# LaMont Jones <lamont at debian.org>
+# Based on debconf code by Colin Walters <walters at cis.ohio-state.edu>,
+# and John Goerzen <jgoerzen at progenylinux.com>.
+
+# Use debconf.
+. /usr/share/debconf/confmodule
+CHROOT=/var/spool/postfix
+
+umask 022
+
+# postinst processing
+
+. /usr/share/postfix/postinst.functions
+
+#DEBHELPER#
+
+case "$1" in
+ configure)
+ # see below
+ ;;
+
+ abort-upgrade)
+ exit 0
+ ;;
+
+ abort-remove|abort-deconfigure)
+ exit 0
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+CHANGES=""
+
+cd /etc/postfix
+
+# all done with debconf here.
+db_stop
+
+# make sure that sdbm is in the maplist correctly.
+F=/etc/postfix/dynamicmaps.cf
+if ! grep -q '^sdbm[[:space:]].*mkmap_sdbm_open$' $F; then
+ echo "Fixing sdbm entry in ${F}"
+ delmap sdbm >/dev/null
+ addmap sdbm mkmap_sdbm_open >/dev/null
+fi
+
+# handle sasl-smtp[d] -> smtp[d] change. oops..
+if [ -d /etc/postfix/sasl ]; then
+ cd /etc/postfix/sasl
+ for file in smtp smtpd; do
+ if [ -r sasl-${file}.conf ] && [ ! -r ${file}.conf ]; then
+ ln -s sasl-${file}.conf ${file}.conf
+ fi
+ done
+fi
+
+[ -x /usr/sbin/invoke-rc.d ] && \
+ INIT="invoke-rc.d postfix" || \
+ INIT="/etc/init.d/postfix"
+# start postfix
+if [ -f /var/spool/postfix/restart ]; then
+ rm -f /var/spool/postfix/restart
+ ${INIT} start
+fi
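Review bot: The sasl compatibility block at L5589 tests `/etc/postfix/sasl`, but the package's .dirs file in this commit creates `etc/kolab-postfix/sasl`; if the package really installs under /etc/kolab-postfix that block never runs, and the `cd /etc/postfix` at L5575 and `F=/etc/postfix/dynamicmaps.cf` at L5581 would be editing the stock postfix package's configuration rather than this package's — worth confirming which tree kolab-postfix-tls owns and making all three paths agree. `CHROOT` (L5544) and `CHANGES` (L5573) are assigned and never read; remove them. `#DEBHELPER#` at L5552 sits before the argument check, so debhelper-generated code runs even when the script is invoked with an unrecognised argument; the dh convention is to place it after the `esac`.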
Added: trunk/kolab-postfix/debian/kolab-postfix-tls.postrm
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-tls.postrm 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-tls.postrm 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,34 @@
+#!/bin/sh -e
+
+# Debian Postfix postrm
+
+# LaMont Jones <lamont at debian.org>
+
+case "$1" in
+ remove)
+ dpkg-divert --package postfix-tls --remove --rename \
+ --divert /usr/lib/postfix/lmtp.postfix \
+ /usr/lib/postfix/lmtp
+ dpkg-divert --package postfix-tls --remove --rename \
+ --divert /usr/lib/postfix/smtp.postfix \
+ /usr/lib/postfix/smtp
+ dpkg-divert --package postfix-tls --remove --rename \
+ --divert /usr/lib/postfix/smtpd.postfix \
+ /usr/lib/postfix/smtpd
+ ;;
+
+ upgrade)
+ ;;
+
+ purge)
+ ;;
+
+ failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+#DEBHELPER#
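Review bot: The three `dpkg-divert --remove` calls at L5619-5627 name the diverting package as `--package postfix-tls`, yet this script is kolab-postfix-tls.postrm, and the preinst in this commit adds the diversions under the same foreign name. dpkg records the owner of a diversion by exactly that string, so the diversions will be attributed to the upstream postfix-tls package and will collide with it should it ever be installed alongside; presumably this is copy-paste residue from the postfix-tls packaging and both scripts should use `--package kolab-postfix-tls`. The `purge)` branch is empty, which is fine as long as `remove)` is the only place that created state, but it is worth a one-line comment saying so.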
Added: trunk/kolab-postfix/debian/kolab-postfix-tls.preinst
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-tls.preinst 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-tls.preinst 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,66 @@
+#!/bin/sh -e
+
+# Debian Postfix preinst
+# LaMont Jones <lamont at debian.org>
+# Modified to use debconf by Colin Walters <levanti at verbum.org>
+
+# do we have debconf?
+if [ -f /usr/share/debconf/confmodule ]; then
+ . /usr/share/debconf/confmodule
+ DEBCONF=true
+else
+ DEBCONF=
+fi
+
+dpkg_vers=$(dpkg --status dpkg | sed -n '/Version: /s/^Version: //p')
+CONFIG=/etc/postfix/main.cf
+POSTDROP=/usr/sbin/postdrop
+
+case "$1" in
+ install)
+ if [ -d /var/spool/postfix ] && [ -f /etc/postfix/main.cf ] && \
+ [ -x /etc/init.d/postfix ]; then
+ touch /var/spool/postfix/restart
+ if [ ! start-stop-daemon -K -q -o \
+ --pidfile /var/spool/postfix/pid/master.pid \
+ --exec /usr/lib/postfix/master 2>/dev/null ]; then :; fi
+ fi
+ ;;
+
+ upgrade)
+ if [ -d /var/spool/postfix ] && [ -f /etc/postfix/main.cf ] && \
+ [ -x /etc/init.d/postfix ]; then
+ touch /var/spool/postfix/restart
+ if [ ! start-stop-daemon -K -q -o \
+ --pidfile /var/spool/postfix/pid/master.pid \
+ --exec /usr/lib/postfix/master 2>/dev/null ]; then :; fi
+ fi
+ ;;
+
+ abort-upgrade)
+ ;;
+
+ *)
+ echo "preinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# deal with smtpd delivering a man page on top of us.
+if [ install = "$1" -o upgrade = "$1" ]; then
+ dpkg-divert --package postfix-tls --add --rename \
+ --divert /usr/lib/postfix/lmtp.postfix \
+ /usr/lib/postfix/lmtp
+ dpkg-divert --package postfix-tls --add --rename \
+ --divert /usr/lib/postfix/smtp.postfix \
+ /usr/lib/postfix/smtp
+ dpkg-divert --package postfix-tls --add --rename \
+ --divert /usr/lib/postfix/smtpd.postfix \
+ /usr/lib/postfix/smtpd
+ rm -f /usr/sbin/postconf.postfix
+ dpkg-divert --package postfix-tls --remove \
+ --divert /usr/sbin/postconf.postfix \
+ /usr/sbin/postconf 2>/dev/null
+fi
+
+#DEBHELPER#
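Review bot: The `if [ ! start-stop-daemon -K -q -o --pidfile … --exec … ]` construct at L5673-5675 and L5683-5685 never runs start-stop-daemon: `[` is the test builtin, so the command name and its options become test operands, the test fails with a syntax error that the `2>/dev/null` hides, and the `if` simply falls through — the running master is not stopped before the smtp/smtpd/lmtp binaries are diverted and replaced, and the postinst's `${INIT} start` afterwards will not restart an already-running daemon. Replace each block with `start-stop-daemon -K -q -o --pidfile /var/spool/postfix/pid/master.pid --exec /usr/lib/postfix/master 2>/dev/null || true`, which keeps the original ignore-failure intent under `-e`. Since the `install)` and `upgrade)` branches are byte-identical they can be merged into `install|upgrade)`. `DEBCONF`, `dpkg_vers`, `CONFIG` and `POSTDROP` (L5659-5666) are assigned but never read; remove them or use them.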
Added: trunk/kolab-postfix/debian/kolab-postfix-tls.prerm
===================================================================
--- trunk/kolab-postfix/debian/kolab-postfix-tls.prerm 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/kolab-postfix-tls.prerm 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,25 @@
+#!/bin/sh -e
+
+# Debian Postfix prerm
+# LaMont Jones <lamont at debian.org>
+
+case "$1" in
+ upgrade)
+ ;;
+
+ deconfigure)
+ ;;
+
+ remove)
+ ;;
+
+ failed-upgrade)
+ ;;
+
+ *)
+ echo "prerm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+#DEBHELPER#
+exit 0
Added: trunk/kolab-postfix/debian/lintian-override
===================================================================
--- trunk/kolab-postfix/debian/lintian-override 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/lintian-override 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,3 @@
+# Lintian doesn't know how to parse the damn files.
+postfix: postinst-unsafe-ldconfig
+postfix: postrm-unsafe-ldconfig
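Review bot: Both override lines name the package `postfix`, but this source builds kolab-postfix-* binary packages, so lintian will never match these overrides against a package it actually produces and the two ldconfig tags will still be reported. Each line should name the binary package whose maintainer scripts trigger the tag, e.g. `<binary-package>: postinst-unsafe-ldconfig` (placeholder; use the real kolab-postfix package name). The leading comment could also state why the tags are false positives instead of blaming the parser, since that is what a reviewer of the override will want to know.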
Added: trunk/kolab-postfix/debian/patches/00list
===================================================================
--- trunk/kolab-postfix/debian/patches/00list 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/patches/00list 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,12 @@
+10cyrus
+10greylist
+10hostname
+10main.cf
+10man
+10master.cf
+10rmail
+10smtplinelength
+20maps
+50tls
+60hpux
+30-kolab
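Review bot: `30-kolab` is listed after `60hpux`, and dpatch applies patches in 00list order rather than by numeric prefix, so the kolab patch is applied last even though its number suggests it sits between 20maps and 50tls. If applying it on top of the whole Debian set is intended, renaming it to a prefix of 60 or higher would make the file name match the real application order; if not, the entry should move up to its numeric position, since the order decides which patch must resolve conflicts in shared files such as main.cf and master.cf.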
Added: trunk/kolab-postfix/debian/patches/10cyrus.dpatch
===================================================================
--- trunk/kolab-postfix/debian/patches/10cyrus.dpatch 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/patches/10cyrus.dpatch 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,15 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10cyrus.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-2.1.5/README_FILES/CYRUS_README /tmp/dpep.PCT31n/postfix-2.1.5/README_FILES/CYRUS_README
+--- postfix-2.1.5/README_FILES/CYRUS_README 2004-04-11 15:05:32.000000000 -0600
++++ /tmp/dpep.PCT31n/postfix-2.1.5/README_FILES/CYRUS_README 2004-12-27 22:18:15.721024714 -0700
+@@ -3,3 +3,4 @@
+ -------------------------------------------------------------------------------
+ This document will be made available via http://www.postfix.org/.
+
++See also /usr/share/doc/cyrus21-doc/README.postfix.gz.
Added: trunk/kolab-postfix/debian/patches/10greylist.dpatch
===================================================================
--- trunk/kolab-postfix/debian/patches/10greylist.dpatch 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/patches/10greylist.dpatch 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10greylist.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-2.1.5/examples/smtpd-policy/greylist.pl /tmp/dpep.TDysRy/postfix-2.1.5/examples/smtpd-policy/greylist.pl
+--- postfix-2.1.5/examples/smtpd-policy/greylist.pl 2004-02-10 18:37:27.000000000 -0700
++++ /tmp/dpep.TDysRy/postfix-2.1.5/examples/smtpd-policy/greylist.pl 2004-12-27 22:18:25.645891286 -0700
+@@ -73,7 +73,7 @@
+ # In case of database corruption, this script saves the database as
+ # $database_name.time(), so that the mail system does not get stuck.
+ #
+-$database_name="/var/mta/greylist.db";
++$database_name="/var/lib/kolab-postfix/greylist.db";
+ $greylist_delay=60;
+
+ #
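Review bot: The database path moves to /var/lib/kolab-postfix/greylist.db, but nothing in this patch ensures that directory exists or is writable by the unprivileged user the policy service runs as; if it is missing, the script's corruption-recovery save described in the comment above also fails. Confirm that debian/dirs creates /var/lib/kolab-postfix and that its ownership matches the service user configured in master.cf. A comment on the line, `# Debian: directory is created and owned by the kolab-postfix package`, would record that dependency for the next maintainer.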
Added: trunk/kolab-postfix/debian/patches/10hostname.dpatch
===================================================================
--- trunk/kolab-postfix/debian/patches/10hostname.dpatch 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/patches/10hostname.dpatch 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,40 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10hostname.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-2.1.5/src/util/get_hostname.c /tmp/dpep.AXM3Gz/postfix-2.1.5/src/util/get_hostname.c
+--- postfix-2.1.5/src/util/get_hostname.c 2001-01-28 07:00:12.000000000 -0700
++++ /tmp/dpep.AXM3Gz/postfix-2.1.5/src/util/get_hostname.c 2004-12-27 22:18:38.981024795 -0700
+@@ -33,6 +33,7 @@
+ #include <sys/param.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <netdb.h>
+
+ #if (MAXHOSTNAMELEN < 256)
+ #undef MAXHOSTNAMELEN
+@@ -55,6 +56,7 @@
+ const char *get_hostname(void)
+ {
+ char namebuf[MAXHOSTNAMELEN + 1];
++ struct hostent *hp;
+
+ /*
+ * The gethostname() call is not (or not yet) in ANSI or POSIX, but it is
+@@ -66,9 +68,11 @@
+ if (gethostname(namebuf, sizeof(namebuf)) < 0)
+ msg_fatal("gethostname: %m");
+ namebuf[MAXHOSTNAMELEN] = 0;
+- if (valid_hostname(namebuf, DO_GRIPE) == 0)
++ if (!(hp = gethostbyname(namebuf)))
++ msg_fatal("gethostbyname: %m");
++ if (valid_hostname(hp->h_name, DO_GRIPE) == 0)
+ msg_fatal("unable to use my own hostname");
+- my_host_name = mystrdup(namebuf);
++ my_host_name = mystrdup(hp->h_name);
+ }
+ return (my_host_name);
+ }
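Review bot: `msg_fatal("gethostbyname: %m")` reports errno, but gethostbyname() signals failure through h_errno, so the logged reason will be stale or unrelated to the lookup failure; the line should be `msg_fatal("gethostbyname: %s", hstrerror(h_errno));`. The change also makes myhostname depend on the resolver's canonical name instead of the kernel hostname, so a misconfigured or unreachable resolver now makes every Postfix daemon fail at startup where the original only validated the local name; the retained valid_hostname() check on hp->h_name is the right guard for a resolver-supplied value and should stay. gethostbyname() is non-reentrant and IPv4-only; getaddrinfo() with AI_CANONNAME would be the portable replacement, though that is a larger change than this patch attempts.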
Added: trunk/kolab-postfix/debian/patches/10main.cf.dpatch
===================================================================
--- trunk/kolab-postfix/debian/patches/10main.cf.dpatch 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/patches/10main.cf.dpatch 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,101 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10main.cf.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-2.1.5/conf/main.cf /tmp/dpep.wXGn65/postfix-2.1.5/conf/main.cf
+--- postfix-2.1.5/conf/main.cf 2004-12-27 22:02:52.879396736 -0700
++++ /tmp/dpep.wXGn65/postfix-2.1.5/conf/main.cf 2004-12-27 22:18:47.208256287 -0700
+@@ -27,7 +27,7 @@
+ # See the files in examples/chroot-setup for setting up Postfix chroot
+ # environments on different UNIX systems.
+ #
+-queue_directory = /var/spool/postfix
++#queue_directory = /var/spool/kolab-postfix
+
+ # The command_directory parameter specifies the location of all
+ # postXXX commands.
+@@ -38,7 +38,7 @@
+ # daemon programs (i.e. programs listed in the master.cf file). This
+ # directory must be owned by root.
+ #
+-daemon_directory = /usr/libexec/postfix
++daemon_directory = /usr/lib/kolab-postfix
+
+ # QUEUE AND PROCESS OWNERSHIP
+ #
+@@ -49,7 +49,7 @@
+ # particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
+ # USER.
+ #
+-mail_owner = postfix
++#mail_owner = postfix
+
+ # The default_privs parameter specifies the default rights used by
+ # the local delivery agent for delivery to external file or command.
+@@ -88,6 +88,11 @@
+ # myorigin also specifies the default domain name that is appended
+ # to recipient addresses that have no @domain part.
+ #
++# Debian GNU/Linux specific: Specifying a file name will cause the
++# first line of that file to be used as the name. The Debian default
++# is /etc/mailname.
++#
++#myorigin = /etc/mailname
+ #myorigin = $myhostname
+ #myorigin = $mydomain
+
+@@ -253,6 +258,7 @@
+ #mynetworks = 168.100.189.0/28, 127.0.0.0/8
+ #mynetworks = $config_directory/mynetworks
+ #mynetworks = hash:/etc/postfix/network_table
++mynetworks = 127.0.0.0/8
+
+ # The relay_domains parameter restricts what destinations this system will
+ # relay mail to. See the smtpd_recipient_restrictions description in
+@@ -433,8 +439,8 @@
+ # IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
+ # ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
+ #
+-#mailbox_command = /some/where/procmail
+-#mailbox_command = /some/where/procmail -a "$EXTENSION"
++#mailbox_command = /usr/bin/procmail
++#mailbox_command = /usr/bin/procmail -a "$EXTENSION"
+
+ # The mailbox_transport specifies the optional transport in master.cf
+ # to use after processing aliases and .forward files. This parameter
+@@ -536,6 +542,8 @@
+ #
+ #smtpd_banner = $myhostname ESMTP $mail_name
+ #smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
++smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
++
+
+ # PARALLEL DELIVERY TO THE SAME DESTINATION
+ #
+@@ -560,7 +568,7 @@
+ # logging level when an SMTP client or server host name or address
+ # matches a pattern in the debug_peer_list parameter.
+ #
+-debug_peer_level = 2
++#debug_peer_level = 2
+
+ # The debug_peer_list parameter specifies an optional list of domain
+ # or network patterns, /file/name patterns or type:name tables. When
+diff -urNad postfix-2.1.5/conf/main.cf.debian /tmp/dpep.wXGn65/postfix-2.1.5/conf/main.cf.debian
+--- postfix-2.1.5/conf/main.cf.debian 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.wXGn65/postfix-2.1.5/conf/main.cf.debian 2004-12-27 22:18:47.208256287 -0700
+@@ -0,0 +1,11 @@
++# See /usr/share/postfix/main.cf.dist for a commented, more complete version
++
++smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
++biff = no
++
++# appending .domain is the MUA's job.
++append_dot_mydomain = no
++
++# Uncomment the next line to generate "delayed mail" warnings
++#delay_warning_time = 4h
++
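Review bot: `#queue_directory = /var/spool/kolab-postfix` is left commented out while `daemon_directory = /usr/lib/kolab-postfix` is set, so the queue location silently falls back to the compiled-in default rather than following the kolab-postfix relocation; if the spool is meant to move too, the line should read `queue_directory = /var/spool/kolab-postfix`, otherwise the dead setting should be dropped so readers do not assume it is in effect. The header comment in main.cf.debian points at /usr/share/postfix/main.cf.dist, which may not be the path this package installs; confirm it against the install rules. The added `mynetworks = 127.0.0.0/8` is a suitably restrictive default for relay control and worth keeping.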
Added: trunk/kolab-postfix/debian/patches/10man.dpatch
===================================================================
--- trunk/kolab-postfix/debian/patches/10man.dpatch 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/patches/10man.dpatch 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,947 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10man.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-release/man/Makefile.in /tmp/dpep.ZyQ85Z/postfix-release/man/Makefile.in
+--- postfix-release/man/Makefile.in 2004-12-27 22:31:17.051071712 -0700
++++ /tmp/dpep.ZyQ85Z/postfix-release/man/Makefile.in 2004-12-27 22:39:32.648539161 -0700
+@@ -3,6 +3,8 @@
+ # For now, just hard-coded rules for daemons, commands, config files.
+
+ DAEMONS = man8/bounce.8 man8/defer.8 man8/cleanup.8 man8/error.8 man8/local.8 \
++ man8/qmqp-sink.8 man8/qmqp-source.8 \
++ man8/smtp-sink.8 man8/smtp-source.8 \
+ man8/lmtp.8 man8/master.8 man8/pickup.8 man8/pipe.8 man8/qmgr.8 \
+ man8/showq.8 man8/smtp.8 man8/smtpd.8 man8/trivial-rewrite.8 \
+ man8/oqmgr.8 man8/spawn.8 man8/flush.8 man8/virtual.8 man8/qmqpd.8 \
+@@ -103,6 +105,12 @@
+ (cmp -s junk $? || mv junk $?)
+ ../mantools/srctoman $? >$@
+
++man8/qmqp-sink.8: ../src/smtpstone/qmqp-sink.c
++ ../mantools/srctoman $? >$@
++
++man8/qmqp-source.8: ../src/smtpstone/qmqp-source.c
++ ../mantools/srctoman $? >$@
++
+ man8/qmqpd.8: ../src/qmqpd/qmqpd.c
+ ../mantools/fixman ../proto/postconf.proto $? >junk && \
+ (cmp -s junk $? || mv junk $?)
+@@ -123,6 +131,12 @@
+ (cmp -s junk $? || mv junk $?)
+ ../mantools/srctoman $? >$@
+
++man8/smtp-sink.8: ../src/smtpstone/smtp-sink.c
++ ../mantools/srctoman $? >$@
++
++man8/smtp-source.8: ../src/smtpstone/smtp-source.c
++ ../mantools/srctoman $? >$@
++
+ man8/smtpd.8: ../src/smtpd/smtpd.c
+ ../mantools/fixman ../proto/postconf.proto $? >junk && \
+ (cmp -s junk $? || mv junk $?)
+diff -urNad postfix-release/mantools/postlink /tmp/dpep.ZyQ85Z/postfix-release/mantools/postlink
+--- postfix-release/mantools/postlink 2004-12-27 22:31:17.054071067 -0700
++++ /tmp/dpep.ZyQ85Z/postfix-release/mantools/postlink 2004-12-27 22:39:32.651538517 -0700
+@@ -47,360 +47,360 @@
+ p
+ d
+ }
+- s;[[:<:]]autho[-</bB>]*\n*[ <bB>]*rized_verp_clients[[:>:]];<a href="postconf.5.html#authorized_verp_clients">&</a>;g
+- s;[[:<:]]debugger_command[[:>:]];<a href="postconf.5.html#debugger_command">&</a>;g
+- s;[[:<:]]2bounce_notice_recipi[-</bB>]*\n*[ <bB>]*ent[[:>:]];<a href="postconf.5.html#2bounce_notice_recipient">&</a>;g
+- s;[[:<:]]access_map_reject_code[[:>:]];<a href="postconf.5.html#access_map_reject_code">&</a>;g
+- s;[[:<:]]address_verify_default_transport[[:>:]];<a href="postconf.5.html#address_verify_default_transport">&</a>;g
+- s;[[:<:]]address_verify_local_transport[[:>:]];<a href="postconf.5.html#address_verify_local_transport">&</a>;g
+- s;[[:<:]]address_verify_map[[:>:]];<a href="postconf.5.html#address_verify_map">&</a>;g
+- s;[[:<:]]address_verify_negative_cache[[:>:]];<a href="postconf.5.html#address_verify_negative_cache">&</a>;g
+- s;[[:<:]]address_verify_negative_expire_time[[:>:]];<a href="postconf.5.html#address_verify_negative_expire_time">&</a>;g
+- s;[[:<:]]address_verify_negative_refresh_time[[:>:]];<a href="postconf.5.html#address_verify_negative_refresh_time">&</a>;g
+- s;[[:<:]]address_verify_poll_count[[:>:]];<a href="postconf.5.html#address_verify_poll_count">&</a>;g
+- s;[[:<:]]address_verify_poll_delay[[:>:]];<a href="postconf.5.html#address_verify_poll_delay">&</a>;g
+- s;[[:<:]]address_verify_positive_expire_time[[:>:]];<a href="postconf.5.html#address_verify_positive_expire_time">&</a>;g
+- s;[[:<:]]address_verify_positive_refresh_time[[:>:]];<a href="postconf.5.html#address_verify_positive_refresh_time">&</a>;g
+- s;[[:<:]]address_verify_relay_transport[[:>:]];<a href="postconf.5.html#address_verify_relay_transport">&</a>;g
+- s;[[:<:]]address_verify_relayhost[[:>:]];<a href="postconf.5.html#address_verify_relayhost">&</a>;g
+- s;[[:<:]]address_verify_sender[[:>:]];<a href="postconf.5.html#address_verify_sender">&</a>;g
+- s;[[:<:]]address_verify_service_name[[:>:]];<a href="postconf.5.html#address_verify_service_name">&</a>;g
+- s;[[:<:]]address_verify_transport_maps[[:>:]];<a href="postconf.5.html#address_verify_transport_maps">&</a>;g
+- s;[[:<:]]address_verify_virtual_transport[[:>:]];<a href="postconf.5.html#address_verify_virtual_transport">&</a>;g
+- s;[[:<:]]alias_database[[:>:]];<a href="postconf.5.html#alias_database">&</a>;g
+- s;[[:<:]]alias_maps[[:>:]];<a href="postconf.5.html#alias_maps">&</a>;g
+- s;[[:<:]]allow_mail_to_commands[[:>:]];<a href="postconf.5.html#allow_mail_to_commands">&</a>;g
+- s;[[:<:]]allow_mail_to_files[[:>:]];<a href="postconf.5.html#allow_mail_to_files">&</a>;g
+- s;[[:<:]]allow_min_user[[:>:]];<a href="postconf.5.html#allow_min_user">&</a>;g
+- s;[[:<:]]allow_percent_hack[[:>:]];<a href="postconf.5.html#allow_percent_hack">&</a>;g
+- s;[[:<:]]allow_untrusted_routing[[:>:]];<a href="postconf.5.html#allow_untrusted_routing">&</a>;g
+- s;[[:<:]]alternate_config_directories[[:>:]];<a href="postconf.5.html#alternate_config_directories">&</a>;g
+- s;[[:<:]]always_bcc[[:>:]];<a href="postconf.5.html#always_bcc">&</a>;g
+- s;[[:<:]]anvil_rate_time_unit[[:>:]];<a href="postconf.5.html#anvil_rate_time_unit">&</a>;g
+- s;[[:<:]]append_at_myorigin[[:>:]];<a href="postconf.5.html#append_at_myorigin">&</a>;g
+- s;[[:<:]]append_dot_mydomain[[:>:]];<a href="postconf.5.html#append_dot_mydomain">&</a>;g
+- s;[[:<:]]application_event_drain_time[[:>:]];<a href="postconf.5.html#application_event_drain_time">&</a>;g
+- s;[[:<:]]backwards_bounce_logfile_compatibility[[:>:]];<a href="postconf.5.html#backwards_bounce_logfile_compatibility">&</a>;g
+- s;[[:<:]]berkeley_db_create_buffer_size[[:>:]];<a href="postconf.5.html#berkeley_db_create_buffer_size">&</a>;g
+- s;[[:<:]]berkeley_db_read_buffer_size[[:>:]];<a href="postconf.5.html#berkeley_db_read_buffer_size">&</a>;g
+- s;[[:<:]]best_mx_transport[[:>:]];<a href="postconf.5.html#best_mx_transport">&</a>;g
+- s;[[:<:]]biff[[:>:]];<a href="postconf.5.html#biff">&</a>;g
+- s;[[:<:]]body_checks[[:>:]];<a href="postconf.5.html#body_checks">&</a>;g
+- s;[[:<:]]body_checks_size_limit[[:>:]];<a href="postconf.5.html#body_checks_size_limit">&</a>;g
+- s;[[:<:]]bounce_notice_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#bounce_notice_recipient">&</a>;g
+- s;[[:<:]]bounce_queue_lifetime[[:>:]];<a href="postconf.5.html#bounce_queue_lifetime">&</a>;g
+- s;[[:<:]]bounce_service_name[[:>:]];<a href="postconf.5.html#bounce_service_name">&</a>;g
+- s;[[:<:]]bounce_size_limit[[:>:]];<a href="postconf.5.html#bounce_size_limit">&</a>;g
+- s;[[:<:]]broken_sasl_auth_clients[[:>:]];<a href="postconf.5.html#broken_sasl_auth_clients">&</a>;g
+- s;[[:<:]]canonical_maps[[:>:]];<a href="postconf.5.html#canonical_maps">&</a>;g
+- s;[[:<:]]cleanup_service_name[[:>:]];<a href="postconf.5.html#cleanup_service_name">&</a>;g
+- s;[[:<:]]anvil_status_update_time[[:>:]];<a href="postconf.5.html#anvil_status_update_time">&</a>;g
+- s;[[:<:]]command_directory[[:>:]];<a href="postconf.5.html#command_directory">&</a>;g
+- s;[[:<:]]command_expan[-</bB>]*\n* *[<bB>]*sion_filter[[:>:]];<a href="postconf.5.html#command_expansion_filter">&</a>;g
+- s;[[:<:]]command_time_limit[[:>:]];<a href="postconf.5.html#command_time_limit">&</a>;g
+- s;[[:<:]]config_direc[-</bB>]*\n*[ <bB>]*tory[[:>:]];<a href="postconf.5.html#config_directory">&</a>;g
+- s;[[:<:]]con[-</bB>]*\n*[ <bB>]*tent_filter[[:>:]];<a href="postconf.5.html#content_filter">&</a>;g
+- s;[[:<:]]daemon_directory[[:>:]];<a href="postconf.5.html#daemon_directory">&</a>;g
+- s;[[:<:]]daemon_timeout[[:>:]];<a href="postconf.5.html#daemon_timeout">&</a>;g
+- s;[[:<:]]debug_peer_level[[:>:]];<a href="postconf.5.html#debug_peer_level">&</a>;g
+- s;[[:<:]]debug_peer_list[[:>:]];<a href="postconf.5.html#debug_peer_list">&</a>;g
+- s;[[:<:]]default_database_type[[:>:]];<a href="postconf.5.html#default_database_type">&</a>;g
+- s;[[:<:]]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_cost[[:>:]];<a href="postconf.5.html#default_delivery_slot_cost">&</a>;g
+- s;[[:<:]]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_discount[[:>:]];<a href="postconf.5.html#default_delivery_slot_discount">&</a>;g
+- s;[[:<:]]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_loan[[:>:]];<a href="postconf.5.html#default_delivery_slot_loan">&</a>;g
+- s;[[:<:]]default_destina[-</Bb>]*\n* *[<Bb>]*tion_concurrency_limit[[:>:]];<a href="postconf.5.html#default_destination_concurrency_limit">&</a>;g
+- s;[[:<:]]default_destina[-</Bb>]*\n* *[<Bb>]*tion_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#default_destination_recipient_limit">&</a>;g
+- s;[[:<:]]default_extra_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#default_extra_recipient_limit">&</a>;g
+- s;[[:<:]]default_minimum_deliv[-</Bb>]*\n* *[<Bb>]*ery_slots[[:>:]];<a href="postconf.5.html#default_minimum_delivery_slots">&</a>;g
+- s;[[:<:]]default_privs[[:>:]];<a href="postconf.5.html#default_privs">&</a>;g
+- s;[[:<:]]default_process_limit[[:>:]];<a href="postconf.5.html#default_process_limit">&</a>;g
+- s;[[:<:]]default_rbl_reply[[:>:]];<a href="postconf.5.html#default_rbl_reply">&</a>;g
+- s;[[:<:]]default_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#default_recipient_limit">&</a>;g
+- s;[[:<:]]default_transport[[:>:]];<a href="postconf.5.html#default_transport">&</a>;g
+- s;[[:<:]]default_verp_delimiters[[:>:]];<a href="postconf.5.html#default_verp_delimiters">&</a>;g
+- s;[[:<:]]defer_code[[:>:]];<a href="postconf.5.html#defer_code">&</a>;g
+- s;[[:<:]]defer_service_name[[:>:]];<a href="postconf.5.html#defer_service_name">&</a>;g
+- s;[[:<:]]defer_transports[[:>:]];<a href="postconf.5.html#defer_transports">&</a>;g
+- s;[[:<:]]delay_notice_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#delay_notice_recipient">&</a>;g
+- s;[[:<:]]delay_warning_time[[:>:]];<a href="postconf.5.html#delay_warning_time">&</a>;g
+- s;[[:<:]]deliver_lock_attempts[[:>:]];<a href="postconf.5.html#deliver_lock_attempts">&</a>;g
+- s;[[:<:]]deliver_lock_delay[[:>:]];<a href="postconf.5.html#deliver_lock_delay">&</a>;g
+- s;[[:<:]]disable_dns_lookups[[:>:]];<a href="postconf.5.html#disable_dns_lookups">&</a>;g
+- s;[[:<:]]disable_mime_input_processing[[:>:]];<a href="postconf.5.html#disable_mime_input_processing">&</a>;g
+- s;[[:<:]]disable_mime_output_conversion[[:>:]];<a href="postconf.5.html#disable_mime_output_conversion">&</a>;g
+- s;[[:<:]]disable_verp_bounces[[:>:]];<a href="postconf.5.html#disable_verp_bounces">&</a>;g
+- s;[[:<:]]disable_vrfy_command[[:>:]];<a href="postconf.5.html#disable_vrfy_command">&</a>;g
+- s;[[:<:]]dont_remove[[:>:]];<a href="postconf.5.html#dont_remove">&</a>;g
+- s;[[:<:]]double_bounce_sender[[:>:]];<a href="postconf.5.html#double_bounce_sender">&</a>;g
+- s;[[:<:]]dupli[-</bB>]*\n* *[<bB>]*cate_filter_limit[[:>:]];<a href="postconf.5.html#duplicate_filter_limit">&</a>;g
+- s;[[:<:]]empty_address_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#empty_address_recipient">&</a>;g
+- s;[[:<:]]enable_original_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#enable_original_recipient">&</a>;g
+- s;[[:<:]]error_notice_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#error_notice_recipient">&</a>;g
+- s;[[:<:]]error_service_name[[:>:]];<a href="postconf.5.html#error_service_name">&</a>;g
+- s;[[:<:]]expand_owner_alias[[:>:]];<a href="postconf.5.html#expand_owner_alias">&</a>;g
+- s;[[:<:]]export_environment[[:>:]];<a href="postconf.5.html#export_environment">&</a>;g
+- s;[[:<:]]fallback_relay[[:>:]];<a href="postconf.5.html#fallback_relay">&</a>;g
+- s;[[:<:]]fallback_transport[[:>:]];<a href="postconf.5.html#fallback_transport">&</a>;g
+- s;[[:<:]]fast_flush_domains[[:>:]];<a href="postconf.5.html#fast_flush_domains">&</a>;g
+- s;[[:<:]]fast_flush_purge_time[[:>:]];<a href="postconf.5.html#fast_flush_purge_time">&</a>;g
+- s;[[:<:]]fast_flush_refresh_time[[:>:]];<a href="postconf.5.html#fast_flush_refresh_time">&</a>;g
+- s;[[:<:]]fault_injection_code[[:>:]];<a href="postconf.5.html#fault_injection_code">&</a>;g
+- s;[[:<:]]flush_service_name[[:>:]];<a href="postconf.5.html#flush_service_name">&</a>;g
+- s;[[:<:]]fork_attempts[[:>:]];<a href="postconf.5.html#fork_attempts">&</a>;g
+- s;[[:<:]]fork_delay[[:>:]];<a href="postconf.5.html#fork_delay">&</a>;g
+- s;[[:<:]]forward_expan[-</bB>]*\n* *[<bB>]*sion_filter[[:>:]];<a href="postconf.5.html#forward_expansion_filter">&</a>;g
+- s;[[:<:]]for[-</bB>]*\n* *[<bB>]*ward_path[[:>:]];<a href="postconf.5.html#forward_path">&</a>;g
+- s;[[:<:]]hash_queue_depth[[:>:]];<a href="postconf.5.html#hash_queue_depth">&</a>;g
+- s;[[:<:]]hash_queue_names[[:>:]];<a href="postconf.5.html#hash_queue_names">&</a>;g
+- s;[[:<:]]header_address_token_limit[[:>:]];<a href="postconf.5.html#header_address_token_limit">&</a>;g
+- s;[[:<:]]header_checks[[:>:]];<a href="postconf.5.html#header_checks">&</a>;g
+- s;[[:<:]]header_size_limit[[:>:]];<a href="postconf.5.html#header_size_limit">&</a>;g
+- s;[[:<:]]helpful_warnings[[:>:]];<a href="postconf.5.html#helpful_warnings">&</a>;g
+- s;[[:<:]]home_mailbox[[:>:]];<a href="postconf.5.html#home_mailbox">&</a>;g
+- s;[[:<:]]hopcount_limit[[:>:]];<a href="postconf.5.html#hopcount_limit">&</a>;g
+- s;[[:<:]]html_direc[-</bB>]*\n*[ <bB>]*tory[[:>:]];<a href="postconf.5.html#html_directory">&</a>;g
+- s;[[:<:]]ignore_mx_lookup_error[[:>:]];<a href="postconf.5.html#ignore_mx_lookup_error">&</a>;g
+- s;[[:<:]]import_environment[[:>:]];<a href="postconf.5.html#import_environment">&</a>;g
+- s;[[:<:]]in_flow_delay[[:>:]];<a href="postconf.5.html#in_flow_delay">&</a>;g
+- s;[[:<:]]inet_interfaces[[:>:]];<a href="postconf.5.html#inet_interfaces">&</a>;g
+- s;[[:<:]]initial_destination_concurrency[[:>:]];<a href="postconf.5.html#initial_destination_concurrency">&</a>;g
+- s;[[:<:]]invalid_hostname_reject_code[[:>:]];<a href="postconf.5.html#invalid_hostname_reject_code">&</a>;g
+- s;[[:<:]]ipc_idle[[:>:]];<a href="postconf.5.html#ipc_idle">&</a>;g
+- s;[[:<:]]ipc_timeout[[:>:]];<a href="postconf.5.html#ipc_timeout">&</a>;g
+- s;[[:<:]]ipc_ttl[[:>:]];<a href="postconf.5.html#ipc_ttl">&</a>;g
+- s;[[:<:]]line_length_limit[[:>:]];<a href="postconf.5.html#line_length_limit">&</a>;g
+- s;[[:<:]]lmtp_cache_connection[[:>:]];<a href="postconf.5.html#lmtp_cache_connection">&</a>;g
+- s;[[:<:]]lmtp_connect_timeout[[:>:]];<a href="postconf.5.html#lmtp_connect_timeout">&</a>;g
+- s;[[:<:]]lmtp_data_done_timeout[[:>:]];<a href="postconf.5.html#lmtp_data_done_timeout">&</a>;g
+- s;[[:<:]]lmtp_data_init_timeout[[:>:]];<a href="postconf.5.html#lmtp_data_init_timeout">&</a>;g
+- s;[[:<:]]lmtp_data_xfer_timeout[[:>:]];<a href="postconf.5.html#lmtp_data_xfer_timeout">&</a>;g
+- s;[[:<:]]lmtp_lhlo_timeout[[:>:]];<a href="postconf.5.html#lmtp_lhlo_timeout">&</a>;g
+- s;[[:<:]]lmtp_mail_timeout[[:>:]];<a href="postconf.5.html#lmtp_mail_timeout">&</a>;g
+- s;[[:<:]]lmtp_quit_timeout[[:>:]];<a href="postconf.5.html#lmtp_quit_timeout">&</a>;g
+- s;[[:<:]]lmtp_rcpt_timeout[[:>:]];<a href="postconf.5.html#lmtp_rcpt_timeout">&</a>;g
+- s;[[:<:]]lmtp_rset_timeout[[:>:]];<a href="postconf.5.html#lmtp_rset_timeout">&</a>;g
+- s;[[:<:]]lmtp_sasl_auth_enable[[:>:]];<a href="postconf.5.html#lmtp_sasl_auth_enable">&</a>;g
+- s;[[:<:]]lmtp_sasl_password_maps[[:>:]];<a href="postconf.5.html#lmtp_sasl_password_maps">&</a>;g
+- s;[[:<:]]lmtp_sasl_security_options[[:>:]];<a href="postconf.5.html#lmtp_sasl_security_options">&</a>;g
+- s;[[:<:]]lmtp_send_xforward_command[[:>:]];<a href="postconf.5.html#lmtp_send_xforward_command">&</a>;g
+- s;[[:<:]]lmtp_skip_quit_response[[:>:]];<a href="postconf.5.html#lmtp_skip_quit_response">&</a>;g
+- s;[[:<:]]lmtp_tcp_port[[:>:]];<a href="postconf.5.html#lmtp_tcp_port">&</a>;g
+- s;[[:<:]]lmtp_xforward_timeout[[:>:]];<a href="postconf.5.html#lmtp_xforward_timeout">&</a>;g
+- s;[[:<:]]local_command_shell[[:>:]];<a href="postconf.5.html#local_command_shell">&</a>;g
+- s;[[:<:]]local_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#local_destination_concurrency_limit">&</a>;g
+- s;[[:<:]]local_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#local_destination_recipient_limit">&</a>;g
+- s;[[:<:]]local_recip[-</bB>]*\n* *[<bB>]*ient_maps[[:>:]];<a href="postconf.5.html#local_recipient_maps">&</a>;g
+- s;[[:<:]]local_transport[[:>:]];<a href="postconf.5.html#local_transport">&</a>;g
+- s;[[:<:]]luser_relay[[:>:]];<a href="postconf.5.html#luser_relay">&</a>;g
+- s;[[:<:]]mail_name[[:>:]];<a href="postconf.5.html#mail_name">&</a>;g
+- s;[[:<:]]mail_owner[[:>:]];<a href="postconf.5.html#mail_owner">&</a>;g
+- s;[[:<:]]mail_release_date[[:>:]];<a href="postconf.5.html#mail_release_date">&</a>;g
+- s;[[:<:]]mail_spool_direc[-</bB>]*\n* *[<bB>]*tory[[:>:]];<a href="postconf.5.html#mail_spool_directory">&</a>;g
+- s;[[:<:]]mail_version[[:>:]];<a href="postconf.5.html#mail_version">&</a>;g
+- s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_command[[:>:]];<a href="postconf.5.html#mailbox_command">&</a>;g
+- s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_command_maps[[:>:]];<a href="postconf.5.html#mailbox_command_maps">&</a>;g
+- s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_deliv[-</Bb>]*\n* *[<Bb>]*ery_lock[[:>:]];<a href="postconf.5.html#mailbox_delivery_lock">&</a>;g
+- s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_size_limit[[:>:]];<a href="postconf.5.html#mailbox_size_limit">&</a>;g
+- s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_transport[[:>:]];<a href="postconf.5.html#mailbox_transport">&</a>;g
+- s;[[:<:]]mailq_path[[:>:]];<a href="postconf.5.html#mailq_path">&</a>;g
+- s;[[:<:]]manpage_directory[[:>:]];<a href="postconf.5.html#manpage_directory">&</a>;g
+- s;[[:<:]]maps_rbl_domains[[:>:]];<a href="postconf.5.html#maps_rbl_domains">&</a>;g
+- s;[[:<:]]maps_rbl_reject_code[[:>:]];<a href="postconf.5.html#maps_rbl_reject_code">&</a>;g
+- s;[[:<:]]masquerade_classes[[:>:]];<a href="postconf.5.html#masquerade_classes">&</a>;g
+- s;[[:<:]]masquerade_domains[[:>:]];<a href="postconf.5.html#masquerade_domains">&</a>;g
+- s;[[:<:]]masquerade_exceptions[[:>:]];<a href="postconf.5.html#masquerade_exceptions">&</a>;g
+- s;[[:<:]]max_idle[[:>:]];<a href="postconf.5.html#max_idle">&</a>;g
+- s;[[:<:]]max_use[[:>:]];<a href="postconf.5.html#max_use">&</a>;g
+- s;[[:<:]]maxi[-</bB>]*\n*[ <bB>]*mal_backoff_time[[:>:]];<a href="postconf.5.html#maximal_backoff_time">&</a>;g
+- s;[[:<:]]maxi[-</bB>]*\n*[ <bB>]*mal_queue_lifetime[[:>:]];<a href="postconf.5.html#maximal_queue_lifetime">&</a>;g
+- s;[[:<:]]message_size_limit[[:>:]];<a href="postconf.5.html#message_size_limit">&</a>;g
+- s;[[:<:]]mime_boundary_length_limit[[:>:]];<a href="postconf.5.html#mime_boundary_length_limit">&</a>;g
+- s;[[:<:]]mime_header_checks[[:>:]];<a href="postconf.5.html#mime_header_checks">&</a>;g
+- s;[[:<:]]mime_nesting_limit[[:>:]];<a href="postconf.5.html#mime_nesting_limit">&</a>;g
+- s;[[:<:]]minimal_backoff_time[[:>:]];<a href="postconf.5.html#minimal_backoff_time">&</a>;g
+- s;[[:<:]]multi_recip[-</bB>]*\n* *[<bB>]*ient_bounce_reject_code[[:>:]];<a href="postconf.5.html#multi_recipient_bounce_reject_code">&</a>;g
+- s;[[:<:]]mydes[-</bB>]*\n*[ <bB>]*tina[-</bB>]*\n*[ <bB>]*tion[[:>:]];<a href="postconf.5.html#mydestination">&</a>;g
+- s;[[:<:]]mydomain[[:>:]];<a href="postconf.5.html#mydomain">&</a>;g
+- s;[[:<:]]myhostname[[:>:]];<a href="postconf.5.html#myhostname">&</a>;g
+- s;[[:<:]]mynetworks[[:>:]];<a href="postconf.5.html#mynetworks">&</a>;g
+- s;[[:<:]]mynetworks_style[[:>:]];<a href="postconf.5.html#mynetworks_style">&</a>;g
+- s;[[:<:]]myorigin[[:>:]];<a href="postconf.5.html#myorigin">&</a>;g
+- s;[[:<:]]nested_header_checks[[:>:]];<a href="postconf.5.html#nested_header_checks">&</a>;g
+- s;[[:<:]]newaliases_path[[:>:]];<a href="postconf.5.html#newaliases_path">&</a>;g
+- s;[[:<:]]non_fqdn_reject_code[[:>:]];<a href="postconf.5.html#non_fqdn_reject_code">&</a>;g
+- s;[[:<:]]notify_classes[[:>:]];<a href="postconf.5.html#notify_classes">&</a>;g
+- s;[[:<:]]owner_request_special[[:>:]];<a href="postconf.5.html#owner_request_special">&</a>;g
+- s;[[:<:]]parent_domain_matches_subdomains[[:>:]];<a href="postconf.5.html#parent_domain_matches_subdomains">&</a>;g
+- s;[[:<:]]permit_mx_backup_networks[[:>:]];<a href="postconf.5.html#permit_mx_backup_networks">&</a>;g
+- s;[[:<:]]pickup_service_name[[:>:]];<a href="postconf.5.html#pickup_service_name">&</a>;g
+- s;[[:<:]]prepend_delivered_header[[:>:]];<a href="postconf.5.html#prepend_delivered_header">&</a>;g
+- s;[[:<:]]process_id[[:>:]];<a href="postconf.5.html#process_id">&</a>;g
+- s;[[:<:]]process_id_directory[[:>:]];<a href="postconf.5.html#process_id_directory">&</a>;g
+- s;[[:<:]]process_name[[:>:]];<a href="postconf.5.html#process_name">&</a>;g
+- s;[[:<:]]propagate_unmatched_extensions[[:>:]];<a href="postconf.5.html#propagate_unmatched_extensions">&</a>;g
+- s;[[:<:]]proxy_interfaces[[:>:]];<a href="postconf.5.html#proxy_interfaces">&</a>;g
+- s;[[:<:]]proxy_read_maps[[:>:]];<a href="postconf.5.html#proxy_read_maps">&</a>;g
+- s;[[:<:]]qmgr_clog_warn_time[[:>:]];<a href="postconf.5.html#qmgr_clog_warn_time">&</a>;g
+- s;[[:<:]]qmgr_fudge_factor[[:>:]];<a href="postconf.5.html#qmgr_fudge_factor">&</a>;g
+- s;[[:<:]]qmgr_message_active_limit[[:>:]];<a href="postconf.5.html#qmgr_message_active_limit">&</a>;g
+- s;[[:<:]]qmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#qmgr_message_recipient_limit">&</a>;g
+- s;[[:<:]]qmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_minimum[[:>:]];<a href="postconf.5.html#qmgr_message_recipient_minimum">&</a>;g
+- s;[[:<:]]qmqpd_authorized_clients[[:>:]];<a href="postconf.5.html#qmqpd_authorized_clients">&</a>;g
+- s;[[:<:]]qmqpd_error_delay[[:>:]];<a href="postconf.5.html#qmqpd_error_delay">&</a>;g
+- s;[[:<:]]qmqpd_timeout[[:>:]];<a href="postconf.5.html#qmqpd_timeout">&</a>;g
+- s;[[:<:]]queue_directory[[:>:]];<a href="postconf.5.html#queue_directory">&</a>;g
+- s;[[:<:]]queue_file_attribute_count_limit[[:>:]];<a href="postconf.5.html#queue_file_attribute_count_limit">&</a>;g
+- s;[[:<:]]queue_minfree[[:>:]];<a href="postconf.5.html#queue_minfree">&</a>;g
+- s;[[:<:]]queue_run_delay[[:>:]];<a href="postconf.5.html#queue_run_delay">&</a>;g
+- s;[[:<:]]queue_service_name[[:>:]];<a href="postconf.5.html#queue_service_name">&</a>;g
+- s;[[:<:]]rbl_reply_maps[[:>:]];<a href="postconf.5.html#rbl_reply_maps">&</a>;g
+- s;[[:<:]]readme_directory[[:>:]];<a href="postconf.5.html#readme_directory">&</a>;g
+- s;[[:<:]]receive_override_options[[:>:]];<a href="postconf.5.html#receive_override_options">&</a>;g
+- s;[[:<:]]no_unknown_recip[-</bB>]*\n* *[<bB>]*ient_checks[[:>:]];<a href="postconf.5.html#no_unknown_recipient_checks">&</a>;g
+- s;[[:<:]]no_address_mappings[[:>:]];<a href="postconf.5.html#no_address_mappings">&</a>;g
+- s;[[:<:]]no_header_body_checks[[:>:]];<a href="postconf.5.html#no_header_body_checks">&</a>;g
+- s;[[:<:]]recip[-</bB>]*\n* *[<bB>]*ient_bcc_maps[[:>:]];<a href="postconf.5.html#recipient_bcc_maps">&</a>;g
+- s;[[:<:]]recip[-</bB>]*\n* *[<bB>]*ient_canonical_maps[[:>:]];<a href="postconf.5.html#recipient_canonical_maps">&</a>;g
+- s;[[:<:]]recip[-</bB>]*\n* *[<bB>]*ient_delim[-</bB>]*\n* *[<bB>]*iter[[:>:]];<a href="postconf.5.html#recipient_delimiter">&<\/a>;g
+- s;[[:<:]]reject_code[[:>:]];<a href="postconf.5.html#reject_code">&</a>;g
+- s;[[:<:]]relay_domains[[:>:]];<a href="postconf.5.html#relay_domains">&</a>;g
+- s;[[:<:]]relay_domains_reject_code[[:>:]];<a href="postconf.5.html#relay_domains_reject_code">&</a>;g
+- s;[[:<:]]relay_recipi[-</bB>]*\n*[ <bB>]*ent_maps[[:>:]];<a href="postconf.5.html#relay_recipient_maps">&</a>;g
+- s;[[:<:]]relay_transport[[:>:]];<a href="postconf.5.html#relay_transport">&</a>;g
+- s;[[:<:]]relayhost[[:>:]];<a href="postconf.5.html#relayhost">&</a>;g
+- s;[[:<:]]relocated_maps[[:>:]];<a href="postconf.5.html#relocated_maps">&</a>;g
+- s;[[:<:]]require_home_directory[[:>:]];<a href="postconf.5.html#require_home_directory">&</a>;g
+- s;[[:<:]]resolve_dequoted_address[[:>:]];<a href="postconf.5.html#resolve_dequoted_address">&</a>;g
+- s;[[:<:]]rewrite_service_name[[:>:]];<a href="postconf.5.html#rewrite_service_name">&</a>;g
+- s;[[:<:]]sample_directory[[:>:]];<a href="postconf.5.html#sample_directory">&</a>;g
+- s;[[:<:]]sender_based_routing[[:>:]];<a href="postconf.5.html#sender_based_routing">&</a>;g
+- s;[[:<:]]sender_bcc_maps[[:>:]];<a href="postconf.5.html#sender_bcc_maps">&</a>;g
+- s;[[:<:]]sender_canonical_maps[[:>:]];<a href="postconf.5.html#sender_canonical_maps">&</a>;g
+- s;[[:<:]]sendmail_path[[:>:]];<a href="postconf.5.html#sendmail_path">&</a>;g
+- s;[[:<:]]service_throttle_time[[:>:]];<a href="postconf.5.html#service_throttle_time">&</a>;g
+- s;[[:<:]]setgid_group[[:>:]];<a href="postconf.5.html#setgid_group">&</a>;g
+- s;[[:<:]]show_user_unknown_table_name[[:>:]];<a href="postconf.5.html#show_user_unknown_table_name">&</a>;g
+- s;[[:<:]]showq_service_name[[:>:]];<a href="postconf.5.html#showq_service_name">&</a>;g
+- s;[[:<:]]smtp_always_send_ehlo[[:>:]];<a href="postconf.5.html#smtp_always_send_ehlo">&</a>;g
+- s;[[:<:]]smtp_bind_address[[:>:]];<a href="postconf.5.html#smtp_bind_address">&</a>;g
+- s;[[:<:]]smtp_connect_timeout[[:>:]];<a href="postconf.5.html#smtp_connect_timeout">&</a>;g
+- s;[[:<:]]smtp_data_done_timeout[[:>:]];<a href="postconf.5.html#smtp_data_done_timeout">&</a>;g
+- s;[[:<:]]smtp_data_init_timeout[[:>:]];<a href="postconf.5.html#smtp_data_init_timeout">&</a>;g
+- s;[[:<:]]smtp_data_xfer_timeout[[:>:]];<a href="postconf.5.html#smtp_data_xfer_timeout">&</a>;g
+- s;[[:<:]]smtp_defer_if_no_mx_address_found[[:>:]];<a href="postconf.5.html#smtp_defer_if_no_mx_address_found">&</a>;g
+- s;[[:<:]]lmtp_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#lmtp_destination_concurrency_limit">&</a>;g
+- s;[[:<:]]lmtp_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#lmtp_destination_recipient_limit">&</a>;g
+- s;[[:<:]]relay_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#relay_destination_concurrency_limit">&</a>;g
+- s;[[:<:]]relay_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#relay_destination_recipient_limit">&</a>;g
+- s;[[:<:]]resolve_null_domain[[:>:]];<a href="postconf.5.html#resolve_null_domain">&</a>;g
+- s;[[:<:]]smtp_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#smtp_destination_concurrency_limit">&</a>;g
+- s;[[:<:]]smtp_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#smtp_destination_recipient_limit">&</a>;g
+- s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#virtual_destination_concurrency_limit">&</a>;g
+- s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#virtual_destination_recipient_limit">&</a>;g
+- s;[[:<:]]smtp_helo_name[[:>:]];<a href="postconf.5.html#smtp_helo_name">&</a>;g
+- s;[[:<:]]smtp_helo_timeout[[:>:]];<a href="postconf.5.html#smtp_helo_timeout">&</a>;g
+- s;[[:<:]]smtp_host_lookup[[:>:]];<a href="postconf.5.html#smtp_host_lookup">&</a>;g
+- s;[[:<:]]smtp_line_length_limit[[:>:]];<a href="postconf.5.html#smtp_line_length_limit">&</a>;g
+- s;[[:<:]]smtp_mail_timeout[[:>:]];<a href="postconf.5.html#smtp_mail_timeout">&</a>;g
+- s;[[:<:]]smtp_mx_address_limit[[:>:]];<a href="postconf.5.html#smtp_mx_address_limit">&</a>;g
+- s;[[:<:]]smtp_mx_session_limit[[:>:]];<a href="postconf.5.html#smtp_mx_session_limit">&</a>;g
+- s;[[:<:]]smtp_never_send_ehlo[[:>:]];<a href="postconf.5.html#smtp_never_send_ehlo">&</a>;g
+- s;[[:<:]]smtp_pix_workaround_delay_time[[:>:]];<a href="postconf.5.html#smtp_pix_workaround_delay_time">&</a>;g
+- s;[[:<:]]smtp_pix_workaround_threshold_time[[:>:]];<a href="postconf.5.html#smtp_pix_workaround_threshold_time">&</a>;g
+- s;[[:<:]]smtp_quit_timeout[[:>:]];<a href="postconf.5.html#smtp_quit_timeout">&</a>;g
+- s;[[:<:]]smtp_quote_rfc821_envelope[[:>:]];<a href="postconf.5.html#smtp_quote_rfc821_envelope">&</a>;g
+- s;[[:<:]]smtp_randomize_addresses[[:>:]];<a href="postconf.5.html#smtp_randomize_addresses">&</a>;g
+- s;[[:<:]]smtp_rcpt_timeout[[:>:]];<a href="postconf.5.html#smtp_rcpt_timeout">&</a>;g
+- s;[[:<:]]smtp_rset_timeout[[:>:]];<a href="postconf.5.html#smtp_rset_timeout">&</a>;g
+- s;[[:<:]]smtp_sasl_auth_enable[[:>:]];<a href="postconf.5.html#smtp_sasl_auth_enable">&</a>;g
+- s;[[:<:]]smtp_sasl_password_maps[[:>:]];<a href="postconf.5.html#smtp_sasl_password_maps">&</a>;g
+- s;[[:<:]]smtp_sasl_security_options[[:>:]];<a href="postconf.5.html#smtp_sasl_security_options">&</a>;g
+- s;[[:<:]]smtp_send_xforward_command[[:>:]];<a href="postconf.5.html#smtp_send_xforward_command">&</a>;g
+- s;[[:<:]]smtp_skip_4xx_greeting[[:>:]];<a href="postconf.5.html#smtp_skip_4xx_greeting">&</a>;g
+- s;[[:<:]]smtp_skip_5xx_greeting[[:>:]];<a href="postconf.5.html#smtp_skip_5xx_greeting">&</a>;g
+- s;[[:<:]]smtp_skip_quit_response[[:>:]];<a href="postconf.5.html#smtp_skip_quit_response">&</a>;g
+- s;[[:<:]]smtp_xforward_timeout[[:>:]];<a href="postconf.5.html#smtp_xforward_timeout">&</a>;g
+- s;[[:<:]]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_verp_clients[[:>:]];<a href="postconf.5.html#smtpd_authorized_verp_clients">&</a>;g
+- s;[[:<:]]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_xclient_hosts[[:>:]];<a href="postconf.5.html#smtpd_authorized_xclient_hosts">&</a>;g
+- s;[[:<:]]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_xforward_hosts[[:>:]];<a href="postconf.5.html#smtpd_authorized_xforward_hosts">&</a>;g
+- s;[[:<:]]smtpd_banner[[:>:]];<a href="postconf.5.html#smtpd_banner">&</a>;g
+- s;[[:<:]]smtpd_client_connection_count_limit[[:>:]];<a href="postconf.5.html#smtpd_client_connection_count_limit">&</a>;g
+- s;[[:<:]]smtpd_client_connection_limit_exceptions[[:>:]];<a href="postconf.5.html#smtpd_client_connection_limit_exceptions">&</a>;g
+- s;[[:<:]]smtpd_client_connection_rate_limit[[:>:]];<a href="postconf.5.html#smtpd_client_connection_rate_limit">&</a>;g
+- s;[[:<:]]smtpd_client_restrictions[[:>:]];<a href="postconf.5.html#smtpd_client_restrictions">&</a>;g
+- s;[[:<:]]smtpd_data_restrictions[[:>:]];<a href="postconf.5.html#smtpd_data_restrictions">&</a>;g
+- s;[[:<:]]smtpd_delay_reject[[:>:]];<a href="postconf.5.html#smtpd_delay_reject">&</a>;g
+- s;[[:<:]]smtpd_error_sleep_time[[:>:]];<a href="postconf.5.html#smtpd_error_sleep_time">&</a>;g
+- s;[[:<:]]smtpd_etrn_restrictions[[:>:]];<a href="postconf.5.html#smtpd_etrn_restrictions">&</a>;g
+- s;[[:<:]]smtpd_expansion_filter[[:>:]];<a href="postconf.5.html#smtpd_expansion_filter">&</a>;g
+- s;[[:<:]]smtpd_hard_error_limit[[:>:]];<a href="postconf.5.html#smtpd_hard_error_limit">&</a>;g
+- s;[[:<:]]smtpd_helo_required[[:>:]];<a href="postconf.5.html#smtpd_helo_required">&</a>;g
+- s;[[:<:]]smtpd_helo_restrictions[[:>:]];<a href="postconf.5.html#smtpd_helo_restrictions">&</a>;g
+- s;[[:<:]]smtpd_history_flush_threshold[[:>:]];<a href="postconf.5.html#smtpd_history_flush_threshold">&</a>;g
+- s;[[:<:]]smtpd_junk_command_limit[[:>:]];<a href="postconf.5.html#smtpd_junk_command_limit">&</a>;g
+- s;[[:<:]]smtpd_noop_commands[[:>:]];<a href="postconf.5.html#smtpd_noop_commands">&</a>;g
+- s;[[:<:]]smtpd_null_access_lookup_key[[:>:]];<a href="postconf.5.html#smtpd_null_access_lookup_key">&</a>;g
+- s;[[:<:]]smtpd_recipient_overshoot_limit[[:>:]];<a href="postconf.5.html#smtpd_recipient_overshoot_limit">&</a>;g
+- s;[[:<:]]smtpd_policy_service_max_idle[[:>:]];<a href="postconf.5.html#smtpd_policy_service_max_idle">&</a>;g
+- s;[[:<:]]smtpd_policy_service_max_ttl[[:>:]];<a href="postconf.5.html#smtpd_policy_service_max_ttl">&</a>;g
+- s;[[:<:]]smtpd_policy_service_timeout[[:>:]];<a href="postconf.5.html#smtpd_policy_service_timeout">&</a>;g
+- s;[[:<:]]smtpd_proxy_ehlo[[:>:]];<a href="postconf.5.html#smtpd_proxy_ehlo">&</a>;g
+- s;[[:<:]]smtpd_proxy_filter[[:>:]];<a href="postconf.5.html#smtpd_proxy_filter">&</a>;g
+- s;[[:<:]]smtpd_proxy_timeout[[:>:]];<a href="postconf.5.html#smtpd_proxy_timeout">&</a>;g
+- s;[[:<:]]smtpd_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#smtpd_recipient_limit">&</a>;g
+- s;[[:<:]]smtpd_recip[-</bB>]*\n* *[<bB>]*ient_restrictions[[:>:]];<a href="postconf.5.html#smtpd_recipient_restrictions">&</a>;g
+- s;[[:<:]]smtpd_reject_unlisted_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#smtpd_reject_unlisted_recipient">&</a>;g
+- s;[[:<:]]smtpd_reject_unlisted_sender[[:>:]];<a href="postconf.5.html#smtpd_reject_unlisted_sender">&</a>;g
+- s;[[:<:]]smtpd_restriction_classes[[:>:]];<a href="postconf.5.html#smtpd_restriction_classes">&</a>;g
+- s;[[:<:]]smtpd_sasl_application_name[[:>:]];<a href="postconf.5.html#smtpd_sasl_application_name">&</a>;g
+- s;[[:<:]]smtpd_sasl_auth_enable[[:>:]];<a href="postconf.5.html#smtpd_sasl_auth_enable">&</a>;g
+- s;[[:<:]]smtpd_sasl_exceptions_networks[[:>:]];<a href="postconf.5.html#smtpd_sasl_exceptions_networks">&</a>;g
+- s;[[:<:]]smtpd_sasl_local_domain[[:>:]];<a href="postconf.5.html#smtpd_sasl_local_domain">&</a>;g
+- s;[[:<:]]smtpd_sasl_security_options[[:>:]];<a href="postconf.5.html#smtpd_sasl_security_options">&</a>;g
+- s;[[:<:]]smtpd_sender_login_maps[[:>:]];<a href="postconf.5.html#smtpd_sender_login_maps">&</a>;g
+- s;[[:<:]]smtpd_sender_restrictions[[:>:]];<a href="postconf.5.html#smtpd_sender_restrictions">&</a>;g
+- s;[[:<:]]smtpd_soft_error_limit[[:>:]];<a href="postconf.5.html#smtpd_soft_error_limit">&</a>;g
+- s;[[:<:]]smtpd_timeout[[:>:]];<a href="postconf.5.html#smtpd_timeout">&</a>;g
+- s;[[:<:]]soft_bounce[[:>:]];<a href="postconf.5.html#soft_bounce">&</a>;g
+- s;[[:<:]]stale_lock_time[[:>:]];<a href="postconf.5.html#stale_lock_time">&</a>;g
+- s;[[:<:]]strict_7bit_headers[[:>:]];<a href="postconf.5.html#strict_7bit_headers">&</a>;g
+- s;[[:<:]]strict_8bitmime[[:>:]];<a href="postconf.5.html#strict_8bitmime">&</a>;g
+- s;[[:<:]]strict_8bitmime_body[[:>:]];<a href="postconf.5.html#strict_8bitmime_body">&</a>;g
+- s;[[:<:]]strict_mime_encoding_domain[[:>:]];<a href="postconf.5.html#strict_mime_encoding_domain">&</a>;g
+- s;[[:<:]]strict_rfc821_envelopes[[:>:]];<a href="postconf.5.html#strict_rfc821_envelopes">&</a>;g
+- s;[[:<:]]sun_mailtool_compatibility[[:>:]];<a href="postconf.5.html#sun_mailtool_compatibility">&</a>;g
+- s;[[:<:]]swap_bangpath[[:>:]];<a href="postconf.5.html#swap_bangpath">&</a>;g
+- s;[[:<:]]syslog_facility[[:>:]];<a href="postconf.5.html#syslog_facility">&</a>;g
+- s;[[:<:]]syslog_name[[:>:]];<a href="postconf.5.html#syslog_name">&</a>;g
+- s;[[:<:]]trace_service_name[[:>:]];<a href="postconf.5.html#trace_service_name">&</a>;g
+- s;[[:<:]]transport_maps[[:>:]];<a href="postconf.5.html#transport_maps">&</a>;g
+- s;[[:<:]]transport_retry_time[[:>:]];<a href="postconf.5.html#transport_retry_time">&</a>;g
+- s;[[:<:]]trigger_timeout[[:>:]];<a href="postconf.5.html#trigger_timeout">&</a>;g
+- s;[[:<:]]undisclosed_recip[-</bB>]*\n* *[<bB>]*ients_header[[:>:]];<a href="postconf.5.html#undisclosed_recipients_header">&</a>;g
+- s;[[:<:]]unknown_address_reject_code[[:>:]];<a href="postconf.5.html#unknown_address_reject_code">&</a>;g
+- s;[[:<:]]unknown_client_reject_code[[:>:]];<a href="postconf.5.html#unknown_client_reject_code">&</a>;g
+- s;[[:<:]]unknown_hostname_reject_code[[:>:]];<a href="postconf.5.html#unknown_hostname_reject_code">&</a>;g
+- s;[[:<:]]unknown_local_recip[-</bB>]*\n* *[<bB>]*ient_reject_code[[:>:]];<a href="postconf.5.html#unknown_local_recipient_reject_code">&</a>;g
+- s;[[:<:]]unknown_relay_recipi[-</bB>]*\n*[ <bB>]*ent_reject_code[[:>:]];<a href="postconf.5.html#unknown_relay_recipient_reject_code">&</a>;g
+- s;[[:<:]]unknown_virtual_alias_reject_code[[:>:]];<a href="postconf.5.html#unknown_virtual_alias_reject_code">&</a>;g
+- s;[[:<:]]unknown_virtual_mail[-</bB>]*\n* *[<bB>]*box_reject_code[[:>:]];<a href="postconf.5.html#unknown_virtual_mailbox_reject_code">&</a>;g
+- s;[[:<:]]unverified_recip[-</bB>]*\n* *[<bB>]*ient_reject_code[[:>:]];<a href="postconf.5.html#unverified_recipient_reject_code">&</a>;g
+- s;[[:<:]]unverified_sender_reject_code[[:>:]];<a href="postconf.5.html#unverified_sender_reject_code">&</a>;g
+- s;[[:<:]]verp_delimiter_filter[[:>:]];<a href="postconf.5.html#verp_delimiter_filter">&</a>;g
+- s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_alias_domains[[:>:]];<a href="postconf.5.html#virtual_alias_domains">&</a>;g
+- s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_alias_expansion_limit[[:>:]];<a href="postconf.5.html#virtual_alias_expansion_limit">&</a>;g
+- s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_alias_maps[[:>:]];<a href="postconf.5.html#virtual_alias_maps">&</a>;g
+- s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_maps[[:>:]];<a href="postconf.5.html#virtual_maps">&</a>;g
+- s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_alias_recursion_limit[[:>:]];<a href="postconf.5.html#virtual_alias_recursion_limit">&</a>;g
+- s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_gid_maps[[:>:]];<a href="postconf.5.html#virtual_gid_maps">&</a>;g
+- s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_base[[:>:]];<a href="postconf.5.html#virtual_mailbox_base">&</a>;g
+- s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_domains[[:>:]];<a href="postconf.5.html#virtual_mailbox_domains">&</a>;g
+- s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_limit[[:>:]];<a href="postconf.5.html#virtual_mailbox_limit">&</a>;g
+- s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_lock[[:>:]];<a href="postconf.5.html#virtual_mailbox_lock">&</a>;g
+- s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_maps[[:>:]];<a href="postconf.5.html#virtual_mailbox_maps">&</a>;g
+- s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_minimum_uid[[:>:]];<a href="postconf.5.html#virtual_minimum_uid">&</a>;g
+- s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_transport[[:>:]];<a href="postconf.5.html#virtual_transport">&</a>;g
+- s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_uid_maps[[:>:]];<a href="postconf.5.html#virtual_uid_maps">&</a>;g
++ s;[\[{(<]autho[-</bB>]*\n*[ <bB>]*rized_verp_clients[\]})>];<a href="postconf.5.html#authorized_verp_clients">&</a>;g
++ s;[\[{(<]debugger_command[\]})>];<a href="postconf.5.html#debugger_command">&</a>;g
++ s;[\[{(<]2bounce_notice_recipi[-</bB>]*\n*[ <bB>]*ent[\]})>];<a href="postconf.5.html#2bounce_notice_recipient">&</a>;g
++ s;[\[{(<]access_map_reject_code[\]})>];<a href="postconf.5.html#access_map_reject_code">&</a>;g
++ s;[\[{(<]address_verify_default_transport[\]})>];<a href="postconf.5.html#address_verify_default_transport">&</a>;g
++ s;[\[{(<]address_verify_local_transport[\]})>];<a href="postconf.5.html#address_verify_local_transport">&</a>;g
++ s;[\[{(<]address_verify_map[\]})>];<a href="postconf.5.html#address_verify_map">&</a>;g
++ s;[\[{(<]address_verify_negative_cache[\]})>];<a href="postconf.5.html#address_verify_negative_cache">&</a>;g
++ s;[\[{(<]address_verify_negative_expire_time[\]})>];<a href="postconf.5.html#address_verify_negative_expire_time">&</a>;g
++ s;[\[{(<]address_verify_negative_refresh_time[\]})>];<a href="postconf.5.html#address_verify_negative_refresh_time">&</a>;g
++ s;[\[{(<]address_verify_poll_count[\]})>];<a href="postconf.5.html#address_verify_poll_count">&</a>;g
++ s;[\[{(<]address_verify_poll_delay[\]})>];<a href="postconf.5.html#address_verify_poll_delay">&</a>;g
++ s;[\[{(<]address_verify_positive_expire_time[\]})>];<a href="postconf.5.html#address_verify_positive_expire_time">&</a>;g
++ s;[\[{(<]address_verify_positive_refresh_time[\]})>];<a href="postconf.5.html#address_verify_positive_refresh_time">&</a>;g
++ s;[\[{(<]address_verify_relay_transport[\]})>];<a href="postconf.5.html#address_verify_relay_transport">&</a>;g
++ s;[\[{(<]address_verify_relayhost[\]})>];<a href="postconf.5.html#address_verify_relayhost">&</a>;g
++ s;[\[{(<]address_verify_sender[\]})>];<a href="postconf.5.html#address_verify_sender">&</a>;g
++ s;[\[{(<]address_verify_service_name[\]})>];<a href="postconf.5.html#address_verify_service_name">&</a>;g
++ s;[\[{(<]address_verify_transport_maps[\]})>];<a href="postconf.5.html#address_verify_transport_maps">&</a>;g
++ s;[\[{(<]address_verify_virtual_transport[\]})>];<a href="postconf.5.html#address_verify_virtual_transport">&</a>;g
++ s;[\[{(<]alias_database[\]})>];<a href="postconf.5.html#alias_database">&</a>;g
++ s;[\[{(<]alias_maps[\]})>];<a href="postconf.5.html#alias_maps">&</a>;g
++ s;[\[{(<]allow_mail_to_commands[\]})>];<a href="postconf.5.html#allow_mail_to_commands">&</a>;g
++ s;[\[{(<]allow_mail_to_files[\]})>];<a href="postconf.5.html#allow_mail_to_files">&</a>;g
++ s;[\[{(<]allow_min_user[\]})>];<a href="postconf.5.html#allow_min_user">&</a>;g
++ s;[\[{(<]allow_percent_hack[\]})>];<a href="postconf.5.html#allow_percent_hack">&</a>;g
++ s;[\[{(<]allow_untrusted_routing[\]})>];<a href="postconf.5.html#allow_untrusted_routing">&</a>;g
++ s;[\[{(<]alternate_config_directories[\]})>];<a href="postconf.5.html#alternate_config_directories">&</a>;g
++ s;[\[{(<]always_bcc[\]})>];<a href="postconf.5.html#always_bcc">&</a>;g
++ s;[\[{(<]anvil_rate_time_unit[\]})>];<a href="postconf.5.html#anvil_rate_time_unit">&</a>;g
++ s;[\[{(<]append_at_myorigin[\]})>];<a href="postconf.5.html#append_at_myorigin">&</a>;g
++ s;[\[{(<]append_dot_mydomain[\]})>];<a href="postconf.5.html#append_dot_mydomain">&</a>;g
++ s;[\[{(<]application_event_drain_time[\]})>];<a href="postconf.5.html#application_event_drain_time">&</a>;g
++ s;[\[{(<]backwards_bounce_logfile_compatibility[\]})>];<a href="postconf.5.html#backwards_bounce_logfile_compatibility">&</a>;g
++ s;[\[{(<]berkeley_db_create_buffer_size[\]})>];<a href="postconf.5.html#berkeley_db_create_buffer_size">&</a>;g
++ s;[\[{(<]berkeley_db_read_buffer_size[\]})>];<a href="postconf.5.html#berkeley_db_read_buffer_size">&</a>;g
++ s;[\[{(<]best_mx_transport[\]})>];<a href="postconf.5.html#best_mx_transport">&</a>;g
++ s;[\[{(<]biff[\]})>];<a href="postconf.5.html#biff">&</a>;g
++ s;[\[{(<]body_checks[\]})>];<a href="postconf.5.html#body_checks">&</a>;g
++ s;[\[{(<]body_checks_size_limit[\]})>];<a href="postconf.5.html#body_checks_size_limit">&</a>;g
++ s;[\[{(<]bounce_notice_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#bounce_notice_recipient">&</a>;g
++ s;[\[{(<]bounce_queue_lifetime[\]})>];<a href="postconf.5.html#bounce_queue_lifetime">&</a>;g
++ s;[\[{(<]bounce_service_name[\]})>];<a href="postconf.5.html#bounce_service_name">&</a>;g
++ s;[\[{(<]bounce_size_limit[\]})>];<a href="postconf.5.html#bounce_size_limit">&</a>;g
++ s;[\[{(<]broken_sasl_auth_clients[\]})>];<a href="postconf.5.html#broken_sasl_auth_clients">&</a>;g
++ s;[\[{(<]canonical_maps[\]})>];<a href="postconf.5.html#canonical_maps">&</a>;g
++ s;[\[{(<]cleanup_service_name[\]})>];<a href="postconf.5.html#cleanup_service_name">&</a>;g
++ s;[\[{(<]anvil_status_update_time[\]})>];<a href="postconf.5.html#anvil_status_update_time">&</a>;g
++ s;[\[{(<]command_directory[\]})>];<a href="postconf.5.html#command_directory">&</a>;g
++ s;[\[{(<]command_expan[-</bB>]*\n* *[<bB>]*sion_filter[\]})>];<a href="postconf.5.html#command_expansion_filter">&</a>;g
++ s;[\[{(<]command_time_limit[\]})>];<a href="postconf.5.html#command_time_limit">&</a>;g
++ s;[\[{(<]config_direc[-</bB>]*\n*[ <bB>]*tory[\]})>];<a href="postconf.5.html#config_directory">&</a>;g
++ s;[\[{(<]con[-</bB>]*\n*[ <bB>]*tent_filter[\]})>];<a href="postconf.5.html#content_filter">&</a>;g
++ s;[\[{(<]daemon_directory[\]})>];<a href="postconf.5.html#daemon_directory">&</a>;g
++ s;[\[{(<]daemon_timeout[\]})>];<a href="postconf.5.html#daemon_timeout">&</a>;g
++ s;[\[{(<]debug_peer_level[\]})>];<a href="postconf.5.html#debug_peer_level">&</a>;g
++ s;[\[{(<]debug_peer_list[\]})>];<a href="postconf.5.html#debug_peer_list">&</a>;g
++ s;[\[{(<]default_database_type[\]})>];<a href="postconf.5.html#default_database_type">&</a>;g
++ s;[\[{(<]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_cost[\]})>];<a href="postconf.5.html#default_delivery_slot_cost">&</a>;g
++ s;[\[{(<]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_discount[\]})>];<a href="postconf.5.html#default_delivery_slot_discount">&</a>;g
++ s;[\[{(<]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_loan[\]})>];<a href="postconf.5.html#default_delivery_slot_loan">&</a>;g
++ s;[\[{(<]default_destina[-</Bb>]*\n* *[<Bb>]*tion_concurrency_limit[\]})>];<a href="postconf.5.html#default_destination_concurrency_limit">&</a>;g
++ s;[\[{(<]default_destina[-</Bb>]*\n* *[<Bb>]*tion_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#default_destination_recipient_limit">&</a>;g
++ s;[\[{(<]default_extra_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#default_extra_recipient_limit">&</a>;g
++ s;[\[{(<]default_minimum_deliv[-</Bb>]*\n* *[<Bb>]*ery_slots[\]})>];<a href="postconf.5.html#default_minimum_delivery_slots">&</a>;g
++ s;[\[{(<]default_privs[\]})>];<a href="postconf.5.html#default_privs">&</a>;g
++ s;[\[{(<]default_process_limit[\]})>];<a href="postconf.5.html#default_process_limit">&</a>;g
++ s;[\[{(<]default_rbl_reply[\]})>];<a href="postconf.5.html#default_rbl_reply">&</a>;g
++ s;[\[{(<]default_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#default_recipient_limit">&</a>;g
++ s;[\[{(<]default_transport[\]})>];<a href="postconf.5.html#default_transport">&</a>;g
++ s;[\[{(<]default_verp_delimiters[\]})>];<a href="postconf.5.html#default_verp_delimiters">&</a>;g
++ s;[\[{(<]defer_code[\]})>];<a href="postconf.5.html#defer_code">&</a>;g
++ s;[\[{(<]defer_service_name[\]})>];<a href="postconf.5.html#defer_service_name">&</a>;g
++ s;[\[{(<]defer_transports[\]})>];<a href="postconf.5.html#defer_transports">&</a>;g
++ s;[\[{(<]delay_notice_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#delay_notice_recipient">&</a>;g
++ s;[\[{(<]delay_warning_time[\]})>];<a href="postconf.5.html#delay_warning_time">&</a>;g
++ s;[\[{(<]deliver_lock_attempts[\]})>];<a href="postconf.5.html#deliver_lock_attempts">&</a>;g
++ s;[\[{(<]deliver_lock_delay[\]})>];<a href="postconf.5.html#deliver_lock_delay">&</a>;g
++ s;[\[{(<]disable_dns_lookups[\]})>];<a href="postconf.5.html#disable_dns_lookups">&</a>;g
++ s;[\[{(<]disable_mime_input_processing[\]})>];<a href="postconf.5.html#disable_mime_input_processing">&</a>;g
++ s;[\[{(<]disable_mime_output_conversion[\]})>];<a href="postconf.5.html#disable_mime_output_conversion">&</a>;g
++ s;[\[{(<]disable_verp_bounces[\]})>];<a href="postconf.5.html#disable_verp_bounces">&</a>;g
++ s;[\[{(<]disable_vrfy_command[\]})>];<a href="postconf.5.html#disable_vrfy_command">&</a>;g
++ s;[\[{(<]dont_remove[\]})>];<a href="postconf.5.html#dont_remove">&</a>;g
++ s;[\[{(<]double_bounce_sender[\]})>];<a href="postconf.5.html#double_bounce_sender">&</a>;g
++ s;[\[{(<]dupli[-</bB>]*\n* *[<bB>]*cate_filter_limit[\]})>];<a href="postconf.5.html#duplicate_filter_limit">&</a>;g
++ s;[\[{(<]empty_address_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#empty_address_recipient">&</a>;g
++ s;[\[{(<]enable_original_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#enable_original_recipient">&</a>;g
++ s;[\[{(<]error_notice_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#error_notice_recipient">&</a>;g
++ s;[\[{(<]error_service_name[\]})>];<a href="postconf.5.html#error_service_name">&</a>;g
++ s;[\[{(<]expand_owner_alias[\]})>];<a href="postconf.5.html#expand_owner_alias">&</a>;g
++ s;[\[{(<]export_environment[\]})>];<a href="postconf.5.html#export_environment">&</a>;g
++ s;[\[{(<]fallback_relay[\]})>];<a href="postconf.5.html#fallback_relay">&</a>;g
++ s;[\[{(<]fallback_transport[\]})>];<a href="postconf.5.html#fallback_transport">&</a>;g
++ s;[\[{(<]fast_flush_domains[\]})>];<a href="postconf.5.html#fast_flush_domains">&</a>;g
++ s;[\[{(<]fast_flush_purge_time[\]})>];<a href="postconf.5.html#fast_flush_purge_time">&</a>;g
++ s;[\[{(<]fast_flush_refresh_time[\]})>];<a href="postconf.5.html#fast_flush_refresh_time">&</a>;g
++ s;[\[{(<]fault_injection_code[\]})>];<a href="postconf.5.html#fault_injection_code">&</a>;g
++ s;[\[{(<]flush_service_name[\]})>];<a href="postconf.5.html#flush_service_name">&</a>;g
++ s;[\[{(<]fork_attempts[\]})>];<a href="postconf.5.html#fork_attempts">&</a>;g
++ s;[\[{(<]fork_delay[\]})>];<a href="postconf.5.html#fork_delay">&</a>;g
++ s;[\[{(<]forward_expan[-</bB>]*\n* *[<bB>]*sion_filter[\]})>];<a href="postconf.5.html#forward_expansion_filter">&</a>;g
++ s;[\[{(<]for[-</bB>]*\n* *[<bB>]*ward_path[\]})>];<a href="postconf.5.html#forward_path">&</a>;g
++ s;[\[{(<]hash_queue_depth[\]})>];<a href="postconf.5.html#hash_queue_depth">&</a>;g
++ s;[\[{(<]hash_queue_names[\]})>];<a href="postconf.5.html#hash_queue_names">&</a>;g
++ s;[\[{(<]header_address_token_limit[\]})>];<a href="postconf.5.html#header_address_token_limit">&</a>;g
++ s;[\[{(<]header_checks[\]})>];<a href="postconf.5.html#header_checks">&</a>;g
++ s;[\[{(<]header_size_limit[\]})>];<a href="postconf.5.html#header_size_limit">&</a>;g
++ s;[\[{(<]helpful_warnings[\]})>];<a href="postconf.5.html#helpful_warnings">&</a>;g
++ s;[\[{(<]home_mailbox[\]})>];<a href="postconf.5.html#home_mailbox">&</a>;g
++ s;[\[{(<]hopcount_limit[\]})>];<a href="postconf.5.html#hopcount_limit">&</a>;g
++ s;[\[{(<]html_direc[-</bB>]*\n*[ <bB>]*tory[\]})>];<a href="postconf.5.html#html_directory">&</a>;g
++ s;[\[{(<]ignore_mx_lookup_error[\]})>];<a href="postconf.5.html#ignore_mx_lookup_error">&</a>;g
++ s;[\[{(<]import_environment[\]})>];<a href="postconf.5.html#import_environment">&</a>;g
++ s;[\[{(<]in_flow_delay[\]})>];<a href="postconf.5.html#in_flow_delay">&</a>;g
++ s;[\[{(<]inet_interfaces[\]})>];<a href="postconf.5.html#inet_interfaces">&</a>;g
++ s;[\[{(<]initial_destination_concurrency[\]})>];<a href="postconf.5.html#initial_destination_concurrency">&</a>;g
++ s;[\[{(<]invalid_hostname_reject_code[\]})>];<a href="postconf.5.html#invalid_hostname_reject_code">&</a>;g
++ s;[\[{(<]ipc_idle[\]})>];<a href="postconf.5.html#ipc_idle">&</a>;g
++ s;[\[{(<]ipc_timeout[\]})>];<a href="postconf.5.html#ipc_timeout">&</a>;g
++ s;[\[{(<]ipc_ttl[\]})>];<a href="postconf.5.html#ipc_ttl">&</a>;g
++ s;[\[{(<]line_length_limit[\]})>];<a href="postconf.5.html#line_length_limit">&</a>;g
++ s;[\[{(<]lmtp_cache_connection[\]})>];<a href="postconf.5.html#lmtp_cache_connection">&</a>;g
++ s;[\[{(<]lmtp_connect_timeout[\]})>];<a href="postconf.5.html#lmtp_connect_timeout">&</a>;g
++ s;[\[{(<]lmtp_data_done_timeout[\]})>];<a href="postconf.5.html#lmtp_data_done_timeout">&</a>;g
++ s;[\[{(<]lmtp_data_init_timeout[\]})>];<a href="postconf.5.html#lmtp_data_init_timeout">&</a>;g
++ s;[\[{(<]lmtp_data_xfer_timeout[\]})>];<a href="postconf.5.html#lmtp_data_xfer_timeout">&</a>;g
++ s;[\[{(<]lmtp_lhlo_timeout[\]})>];<a href="postconf.5.html#lmtp_lhlo_timeout">&</a>;g
++ s;[\[{(<]lmtp_mail_timeout[\]})>];<a href="postconf.5.html#lmtp_mail_timeout">&</a>;g
++ s;[\[{(<]lmtp_quit_timeout[\]})>];<a href="postconf.5.html#lmtp_quit_timeout">&</a>;g
++ s;[\[{(<]lmtp_rcpt_timeout[\]})>];<a href="postconf.5.html#lmtp_rcpt_timeout">&</a>;g
++ s;[\[{(<]lmtp_rset_timeout[\]})>];<a href="postconf.5.html#lmtp_rset_timeout">&</a>;g
++ s;[\[{(<]lmtp_sasl_auth_enable[\]})>];<a href="postconf.5.html#lmtp_sasl_auth_enable">&</a>;g
++ s;[\[{(<]lmtp_sasl_password_maps[\]})>];<a href="postconf.5.html#lmtp_sasl_password_maps">&</a>;g
++ s;[\[{(<]lmtp_sasl_security_options[\]})>];<a href="postconf.5.html#lmtp_sasl_security_options">&</a>;g
++ s;[\[{(<]lmtp_send_xforward_command[\]})>];<a href="postconf.5.html#lmtp_send_xforward_command">&</a>;g
++ s;[\[{(<]lmtp_skip_quit_response[\]})>];<a href="postconf.5.html#lmtp_skip_quit_response">&</a>;g
++ s;[\[{(<]lmtp_tcp_port[\]})>];<a href="postconf.5.html#lmtp_tcp_port">&</a>;g
++ s;[\[{(<]lmtp_xforward_timeout[\]})>];<a href="postconf.5.html#lmtp_xforward_timeout">&</a>;g
++ s;[\[{(<]local_command_shell[\]})>];<a href="postconf.5.html#local_command_shell">&</a>;g
++ s;[\[{(<]local_destination_concurrency_limit[\]})>];<a href="postconf.5.html#local_destination_concurrency_limit">&</a>;g
++ s;[\[{(<]local_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#local_destination_recipient_limit">&</a>;g
++ s;[\[{(<]local_recip[-</bB>]*\n* *[<bB>]*ient_maps[\]})>];<a href="postconf.5.html#local_recipient_maps">&</a>;g
++ s;[\[{(<]local_transport[\]})>];<a href="postconf.5.html#local_transport">&</a>;g
++ s;[\[{(<]luser_relay[\]})>];<a href="postconf.5.html#luser_relay">&</a>;g
++ s;[\[{(<]mail_name[\]})>];<a href="postconf.5.html#mail_name">&</a>;g
++ s;[\[{(<]mail_owner[\]})>];<a href="postconf.5.html#mail_owner">&</a>;g
++ s;[\[{(<]mail_release_date[\]})>];<a href="postconf.5.html#mail_release_date">&</a>;g
++ s;[\[{(<]mail_spool_direc[-</bB>]*\n* *[<bB>]*tory[\]})>];<a href="postconf.5.html#mail_spool_directory">&</a>;g
++ s;[\[{(<]mail_version[\]})>];<a href="postconf.5.html#mail_version">&</a>;g
++ s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_command[\]})>];<a href="postconf.5.html#mailbox_command">&</a>;g
++ s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_command_maps[\]})>];<a href="postconf.5.html#mailbox_command_maps">&</a>;g
++ s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_deliv[-</Bb>]*\n* *[<Bb>]*ery_lock[\]})>];<a href="postconf.5.html#mailbox_delivery_lock">&</a>;g
++ s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_size_limit[\]})>];<a href="postconf.5.html#mailbox_size_limit">&</a>;g
++ s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_transport[\]})>];<a href="postconf.5.html#mailbox_transport">&</a>;g
++ s;[\[{(<]mailq_path[\]})>];<a href="postconf.5.html#mailq_path">&</a>;g
++ s;[\[{(<]manpage_directory[\]})>];<a href="postconf.5.html#manpage_directory">&</a>;g
++ s;[\[{(<]maps_rbl_domains[\]})>];<a href="postconf.5.html#maps_rbl_domains">&</a>;g
++ s;[\[{(<]maps_rbl_reject_code[\]})>];<a href="postconf.5.html#maps_rbl_reject_code">&</a>;g
++ s;[\[{(<]masquerade_classes[\]})>];<a href="postconf.5.html#masquerade_classes">&</a>;g
++ s;[\[{(<]masquerade_domains[\]})>];<a href="postconf.5.html#masquerade_domains">&</a>;g
++ s;[\[{(<]masquerade_exceptions[\]})>];<a href="postconf.5.html#masquerade_exceptions">&</a>;g
++ s;[\[{(<]max_idle[\]})>];<a href="postconf.5.html#max_idle">&</a>;g
++ s;[\[{(<]max_use[\]})>];<a href="postconf.5.html#max_use">&</a>;g
++ s;[\[{(<]maxi[-</bB>]*\n*[ <bB>]*mal_backoff_time[\]})>];<a href="postconf.5.html#maximal_backoff_time">&</a>;g
++ s;[\[{(<]maxi[-</bB>]*\n*[ <bB>]*mal_queue_lifetime[\]})>];<a href="postconf.5.html#maximal_queue_lifetime">&</a>;g
++ s;[\[{(<]message_size_limit[\]})>];<a href="postconf.5.html#message_size_limit">&</a>;g
++ s;[\[{(<]mime_boundary_length_limit[\]})>];<a href="postconf.5.html#mime_boundary_length_limit">&</a>;g
++ s;[\[{(<]mime_header_checks[\]})>];<a href="postconf.5.html#mime_header_checks">&</a>;g
++ s;[\[{(<]mime_nesting_limit[\]})>];<a href="postconf.5.html#mime_nesting_limit">&</a>;g
++ s;[\[{(<]minimal_backoff_time[\]})>];<a href="postconf.5.html#minimal_backoff_time">&</a>;g
++ s;[\[{(<]multi_recip[-</bB>]*\n* *[<bB>]*ient_bounce_reject_code[\]})>];<a href="postconf.5.html#multi_recipient_bounce_reject_code">&</a>;g
++ s;[\[{(<]mydes[-</bB>]*\n*[ <bB>]*tina[-</bB>]*\n*[ <bB>]*tion[\]})>];<a href="postconf.5.html#mydestination">&</a>;g
++ s;[\[{(<]mydomain[\]})>];<a href="postconf.5.html#mydomain">&</a>;g
++ s;[\[{(<]myhostname[\]})>];<a href="postconf.5.html#myhostname">&</a>;g
++ s;[\[{(<]mynetworks[\]})>];<a href="postconf.5.html#mynetworks">&</a>;g
++ s;[\[{(<]mynetworks_style[\]})>];<a href="postconf.5.html#mynetworks_style">&</a>;g
++ s;[\[{(<]myorigin[\]})>];<a href="postconf.5.html#myorigin">&</a>;g
++ s;[\[{(<]nested_header_checks[\]})>];<a href="postconf.5.html#nested_header_checks">&</a>;g
++ s;[\[{(<]newaliases_path[\]})>];<a href="postconf.5.html#newaliases_path">&</a>;g
++ s;[\[{(<]non_fqdn_reject_code[\]})>];<a href="postconf.5.html#non_fqdn_reject_code">&</a>;g
++ s;[\[{(<]notify_classes[\]})>];<a href="postconf.5.html#notify_classes">&</a>;g
++ s;[\[{(<]owner_request_special[\]})>];<a href="postconf.5.html#owner_request_special">&</a>;g
++ s;[\[{(<]parent_domain_matches_subdomains[\]})>];<a href="postconf.5.html#parent_domain_matches_subdomains">&</a>;g
++ s;[\[{(<]permit_mx_backup_networks[\]})>];<a href="postconf.5.html#permit_mx_backup_networks">&</a>;g
++ s;[\[{(<]pickup_service_name[\]})>];<a href="postconf.5.html#pickup_service_name">&</a>;g
++ s;[\[{(<]prepend_delivered_header[\]})>];<a href="postconf.5.html#prepend_delivered_header">&</a>;g
++ s;[\[{(<]process_id[\]})>];<a href="postconf.5.html#process_id">&</a>;g
++ s;[\[{(<]process_id_directory[\]})>];<a href="postconf.5.html#process_id_directory">&</a>;g
++ s;[\[{(<]process_name[\]})>];<a href="postconf.5.html#process_name">&</a>;g
++ s;[\[{(<]propagate_unmatched_extensions[\]})>];<a href="postconf.5.html#propagate_unmatched_extensions">&</a>;g
++ s;[\[{(<]proxy_interfaces[\]})>];<a href="postconf.5.html#proxy_interfaces">&</a>;g
++ s;[\[{(<]proxy_read_maps[\]})>];<a href="postconf.5.html#proxy_read_maps">&</a>;g
++ s;[\[{(<]qmgr_clog_warn_time[\]})>];<a href="postconf.5.html#qmgr_clog_warn_time">&</a>;g
++ s;[\[{(<]qmgr_fudge_factor[\]})>];<a href="postconf.5.html#qmgr_fudge_factor">&</a>;g
++ s;[\[{(<]qmgr_message_active_limit[\]})>];<a href="postconf.5.html#qmgr_message_active_limit">&</a>;g
++ s;[\[{(<]qmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#qmgr_message_recipient_limit">&</a>;g
++ s;[\[{(<]qmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_minimum[\]})>];<a href="postconf.5.html#qmgr_message_recipient_minimum">&</a>;g
++ s;[\[{(<]qmqpd_authorized_clients[\]})>];<a href="postconf.5.html#qmqpd_authorized_clients">&</a>;g
++ s;[\[{(<]qmqpd_error_delay[\]})>];<a href="postconf.5.html#qmqpd_error_delay">&</a>;g
++ s;[\[{(<]qmqpd_timeout[\]})>];<a href="postconf.5.html#qmqpd_timeout">&</a>;g
++ s;[\[{(<]queue_directory[\]})>];<a href="postconf.5.html#queue_directory">&</a>;g
++ s;[\[{(<]queue_file_attribute_count_limit[\]})>];<a href="postconf.5.html#queue_file_attribute_count_limit">&</a>;g
++ s;[\[{(<]queue_minfree[\]})>];<a href="postconf.5.html#queue_minfree">&</a>;g
++ s;[\[{(<]queue_run_delay[\]})>];<a href="postconf.5.html#queue_run_delay">&</a>;g
++ s;[\[{(<]queue_service_name[\]})>];<a href="postconf.5.html#queue_service_name">&</a>;g
++ s;[\[{(<]rbl_reply_maps[\]})>];<a href="postconf.5.html#rbl_reply_maps">&</a>;g
++ s;[\[{(<]readme_directory[\]})>];<a href="postconf.5.html#readme_directory">&</a>;g
++ s;[\[{(<]receive_override_options[\]})>];<a href="postconf.5.html#receive_override_options">&</a>;g
++ s;[\[{(<]no_unknown_recip[-</bB>]*\n* *[<bB>]*ient_checks[\]})>];<a href="postconf.5.html#no_unknown_recipient_checks">&</a>;g
++ s;[\[{(<]no_address_mappings[\]})>];<a href="postconf.5.html#no_address_mappings">&</a>;g
++ s;[\[{(<]no_header_body_checks[\]})>];<a href="postconf.5.html#no_header_body_checks">&</a>;g
++ s;[\[{(<]recip[-</bB>]*\n* *[<bB>]*ient_bcc_maps[\]})>];<a href="postconf.5.html#recipient_bcc_maps">&</a>;g
++ s;[\[{(<]recip[-</bB>]*\n* *[<bB>]*ient_canonical_maps[\]})>];<a href="postconf.5.html#recipient_canonical_maps">&</a>;g
++ s;[\[{(<]recip[-</bB>]*\n* *[<bB>]*ient_delim[-</bB>]*\n* *[<bB>]*iter[\]})>];<a href="postconf.5.html#recipient_delimiter">&<\/a>;g
++ s;[\[{(<]reject_code[\]})>];<a href="postconf.5.html#reject_code">&</a>;g
++ s;[\[{(<]relay_domains[\]})>];<a href="postconf.5.html#relay_domains">&</a>;g
++ s;[\[{(<]relay_domains_reject_code[\]})>];<a href="postconf.5.html#relay_domains_reject_code">&</a>;g
++ s;[\[{(<]relay_recipi[-</bB>]*\n*[ <bB>]*ent_maps[\]})>];<a href="postconf.5.html#relay_recipient_maps">&</a>;g
++ s;[\[{(<]relay_transport[\]})>];<a href="postconf.5.html#relay_transport">&</a>;g
++ s;[\[{(<]relayhost[\]})>];<a href="postconf.5.html#relayhost">&</a>;g
++ s;[\[{(<]relocated_maps[\]})>];<a href="postconf.5.html#relocated_maps">&</a>;g
++ s;[\[{(<]require_home_directory[\]})>];<a href="postconf.5.html#require_home_directory">&</a>;g
++ s;[\[{(<]resolve_dequoted_address[\]})>];<a href="postconf.5.html#resolve_dequoted_address">&</a>;g
++ s;[\[{(<]rewrite_service_name[\]})>];<a href="postconf.5.html#rewrite_service_name">&</a>;g
++ s;[\[{(<]sample_directory[\]})>];<a href="postconf.5.html#sample_directory">&</a>;g
++ s;[\[{(<]sender_based_routing[\]})>];<a href="postconf.5.html#sender_based_routing">&</a>;g
++ s;[\[{(<]sender_bcc_maps[\]})>];<a href="postconf.5.html#sender_bcc_maps">&</a>;g
++ s;[\[{(<]sender_canonical_maps[\]})>];<a href="postconf.5.html#sender_canonical_maps">&</a>;g
++ s;[\[{(<]sendmail_path[\]})>];<a href="postconf.5.html#sendmail_path">&</a>;g
++ s;[\[{(<]service_throttle_time[\]})>];<a href="postconf.5.html#service_throttle_time">&</a>;g
++ s;[\[{(<]setgid_group[\]})>];<a href="postconf.5.html#setgid_group">&</a>;g
++ s;[\[{(<]show_user_unknown_table_name[\]})>];<a href="postconf.5.html#show_user_unknown_table_name">&</a>;g
++ s;[\[{(<]showq_service_name[\]})>];<a href="postconf.5.html#showq_service_name">&</a>;g
++ s;[\[{(<]smtp_always_send_ehlo[\]})>];<a href="postconf.5.html#smtp_always_send_ehlo">&</a>;g
++ s;[\[{(<]smtp_bind_address[\]})>];<a href="postconf.5.html#smtp_bind_address">&</a>;g
++ s;[\[{(<]smtp_connect_timeout[\]})>];<a href="postconf.5.html#smtp_connect_timeout">&</a>;g
++ s;[\[{(<]smtp_data_done_timeout[\]})>];<a href="postconf.5.html#smtp_data_done_timeout">&</a>;g
++ s;[\[{(<]smtp_data_init_timeout[\]})>];<a href="postconf.5.html#smtp_data_init_timeout">&</a>;g
++ s;[\[{(<]smtp_data_xfer_timeout[\]})>];<a href="postconf.5.html#smtp_data_xfer_timeout">&</a>;g
++ s;[\[{(<]smtp_defer_if_no_mx_address_found[\]})>];<a href="postconf.5.html#smtp_defer_if_no_mx_address_found">&</a>;g
++ s;[\[{(<]lmtp_destination_concurrency_limit[\]})>];<a href="postconf.5.html#lmtp_destination_concurrency_limit">&</a>;g
++ s;[\[{(<]lmtp_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#lmtp_destination_recipient_limit">&</a>;g
++ s;[\[{(<]relay_destination_concurrency_limit[\]})>];<a href="postconf.5.html#relay_destination_concurrency_limit">&</a>;g
++ s;[\[{(<]relay_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#relay_destination_recipient_limit">&</a>;g
++ s;[\[{(<]resolve_null_domain[\]})>];<a href="postconf.5.html#resolve_null_domain">&</a>;g
++ s;[\[{(<]smtp_destination_concurrency_limit[\]})>];<a href="postconf.5.html#smtp_destination_concurrency_limit">&</a>;g
++ s;[\[{(<]smtp_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#smtp_destination_recipient_limit">&</a>;g
++ s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_destination_concurrency_limit[\]})>];<a href="postconf.5.html#virtual_destination_concurrency_limit">&</a>;g
++ s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#virtual_destination_recipient_limit">&</a>;g
++ s;[\[{(<]smtp_helo_name[\]})>];<a href="postconf.5.html#smtp_helo_name">&</a>;g
++ s;[\[{(<]smtp_helo_timeout[\]})>];<a href="postconf.5.html#smtp_helo_timeout">&</a>;g
++ s;[\[{(<]smtp_host_lookup[\]})>];<a href="postconf.5.html#smtp_host_lookup">&</a>;g
++ s;[\[{(<]smtp_line_length_limit[\]})>];<a href="postconf.5.html#smtp_line_length_limit">&</a>;g
++ s;[\[{(<]smtp_mail_timeout[\]})>];<a href="postconf.5.html#smtp_mail_timeout">&</a>;g
++ s;[\[{(<]smtp_mx_address_limit[\]})>];<a href="postconf.5.html#smtp_mx_address_limit">&</a>;g
++ s;[\[{(<]smtp_mx_session_limit[\]})>];<a href="postconf.5.html#smtp_mx_session_limit">&</a>;g
++ s;[\[{(<]smtp_never_send_ehlo[\]})>];<a href="postconf.5.html#smtp_never_send_ehlo">&</a>;g
++ s;[\[{(<]smtp_pix_workaround_delay_time[\]})>];<a href="postconf.5.html#smtp_pix_workaround_delay_time">&</a>;g
++ s;[\[{(<]smtp_pix_workaround_threshold_time[\]})>];<a href="postconf.5.html#smtp_pix_workaround_threshold_time">&</a>;g
++ s;[\[{(<]smtp_quit_timeout[\]})>];<a href="postconf.5.html#smtp_quit_timeout">&</a>;g
++ s;[\[{(<]smtp_quote_rfc821_envelope[\]})>];<a href="postconf.5.html#smtp_quote_rfc821_envelope">&</a>;g
++ s;[\[{(<]smtp_randomize_addresses[\]})>];<a href="postconf.5.html#smtp_randomize_addresses">&</a>;g
++ s;[\[{(<]smtp_rcpt_timeout[\]})>];<a href="postconf.5.html#smtp_rcpt_timeout">&</a>;g
++ s;[\[{(<]smtp_rset_timeout[\]})>];<a href="postconf.5.html#smtp_rset_timeout">&</a>;g
++ s;[\[{(<]smtp_sasl_auth_enable[\]})>];<a href="postconf.5.html#smtp_sasl_auth_enable">&</a>;g
++ s;[\[{(<]smtp_sasl_password_maps[\]})>];<a href="postconf.5.html#smtp_sasl_password_maps">&</a>;g
++ s;[\[{(<]smtp_sasl_security_options[\]})>];<a href="postconf.5.html#smtp_sasl_security_options">&</a>;g
++ s;[\[{(<]smtp_send_xforward_command[\]})>];<a href="postconf.5.html#smtp_send_xforward_command">&</a>;g
++ s;[\[{(<]smtp_skip_4xx_greeting[\]})>];<a href="postconf.5.html#smtp_skip_4xx_greeting">&</a>;g
++ s;[\[{(<]smtp_skip_5xx_greeting[\]})>];<a href="postconf.5.html#smtp_skip_5xx_greeting">&</a>;g
++ s;[\[{(<]smtp_skip_quit_response[\]})>];<a href="postconf.5.html#smtp_skip_quit_response">&</a>;g
++ s;[\[{(<]smtp_xforward_timeout[\]})>];<a href="postconf.5.html#smtp_xforward_timeout">&</a>;g
++ s;[\[{(<]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_verp_clients[\]})>];<a href="postconf.5.html#smtpd_authorized_verp_clients">&</a>;g
++ s;[\[{(<]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_xclient_hosts[\]})>];<a href="postconf.5.html#smtpd_authorized_xclient_hosts">&</a>;g
++ s;[\[{(<]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_xforward_hosts[\]})>];<a href="postconf.5.html#smtpd_authorized_xforward_hosts">&</a>;g
++ s;[\[{(<]smtpd_banner[\]})>];<a href="postconf.5.html#smtpd_banner">&</a>;g
++ s;[\[{(<]smtpd_client_connection_count_limit[\]})>];<a href="postconf.5.html#smtpd_client_connection_count_limit">&</a>;g
++ s;[\[{(<]smtpd_client_connection_limit_exceptions[\]})>];<a href="postconf.5.html#smtpd_client_connection_limit_exceptions">&</a>;g
++ s;[\[{(<]smtpd_client_connection_rate_limit[\]})>];<a href="postconf.5.html#smtpd_client_connection_rate_limit">&</a>;g
++ s;[\[{(<]smtpd_client_restrictions[\]})>];<a href="postconf.5.html#smtpd_client_restrictions">&</a>;g
++ s;[\[{(<]smtpd_data_restrictions[\]})>];<a href="postconf.5.html#smtpd_data_restrictions">&</a>;g
++ s;[\[{(<]smtpd_delay_reject[\]})>];<a href="postconf.5.html#smtpd_delay_reject">&</a>;g
++ s;[\[{(<]smtpd_error_sleep_time[\]})>];<a href="postconf.5.html#smtpd_error_sleep_time">&</a>;g
++ s;[\[{(<]smtpd_etrn_restrictions[\]})>];<a href="postconf.5.html#smtpd_etrn_restrictions">&</a>;g
++ s;[\[{(<]smtpd_expansion_filter[\]})>];<a href="postconf.5.html#smtpd_expansion_filter">&</a>;g
++ s;[\[{(<]smtpd_hard_error_limit[\]})>];<a href="postconf.5.html#smtpd_hard_error_limit">&</a>;g
++ s;[\[{(<]smtpd_helo_required[\]})>];<a href="postconf.5.html#smtpd_helo_required">&</a>;g
++ s;[\[{(<]smtpd_helo_restrictions[\]})>];<a href="postconf.5.html#smtpd_helo_restrictions">&</a>;g
++ s;[\[{(<]smtpd_history_flush_threshold[\]})>];<a href="postconf.5.html#smtpd_history_flush_threshold">&</a>;g
++ s;[\[{(<]smtpd_junk_command_limit[\]})>];<a href="postconf.5.html#smtpd_junk_command_limit">&</a>;g
++ s;[\[{(<]smtpd_noop_commands[\]})>];<a href="postconf.5.html#smtpd_noop_commands">&</a>;g
++ s;[\[{(<]smtpd_null_access_lookup_key[\]})>];<a href="postconf.5.html#smtpd_null_access_lookup_key">&</a>;g
++ s;[\[{(<]smtpd_recipient_overshoot_limit[\]})>];<a href="postconf.5.html#smtpd_recipient_overshoot_limit">&</a>;g
++ s;[\[{(<]smtpd_policy_service_max_idle[\]})>];<a href="postconf.5.html#smtpd_policy_service_max_idle">&</a>;g
++ s;[\[{(<]smtpd_policy_service_max_ttl[\]})>];<a href="postconf.5.html#smtpd_policy_service_max_ttl">&</a>;g
++ s;[\[{(<]smtpd_policy_service_timeout[\]})>];<a href="postconf.5.html#smtpd_policy_service_timeout">&</a>;g
++ s;[\[{(<]smtpd_proxy_ehlo[\]})>];<a href="postconf.5.html#smtpd_proxy_ehlo">&</a>;g
++ s;[\[{(<]smtpd_proxy_filter[\]})>];<a href="postconf.5.html#smtpd_proxy_filter">&</a>;g
++ s;[\[{(<]smtpd_proxy_timeout[\]})>];<a href="postconf.5.html#smtpd_proxy_timeout">&</a>;g
++ s;[\[{(<]smtpd_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#smtpd_recipient_limit">&</a>;g
++ s;[\[{(<]smtpd_recip[-</bB>]*\n* *[<bB>]*ient_restrictions[\]})>];<a href="postconf.5.html#smtpd_recipient_restrictions">&</a>;g
++ s;[\[{(<]smtpd_reject_unlisted_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#smtpd_reject_unlisted_recipient">&</a>;g
++ s;[\[{(<]smtpd_reject_unlisted_sender[\]})>];<a href="postconf.5.html#smtpd_reject_unlisted_sender">&</a>;g
++ s;[\[{(<]smtpd_restriction_classes[\]})>];<a href="postconf.5.html#smtpd_restriction_classes">&</a>;g
++ s;[\[{(<]smtpd_sasl_application_name[\]})>];<a href="postconf.5.html#smtpd_sasl_application_name">&</a>;g
++ s;[\[{(<]smtpd_sasl_auth_enable[\]})>];<a href="postconf.5.html#smtpd_sasl_auth_enable">&</a>;g
++ s;[\[{(<]smtpd_sasl_exceptions_networks[\]})>];<a href="postconf.5.html#smtpd_sasl_exceptions_networks">&</a>;g
++ s;[\[{(<]smtpd_sasl_local_domain[\]})>];<a href="postconf.5.html#smtpd_sasl_local_domain">&</a>;g
++ s;[\[{(<]smtpd_sasl_security_options[\]})>];<a href="postconf.5.html#smtpd_sasl_security_options">&</a>;g
++ s;[\[{(<]smtpd_sender_login_maps[\]})>];<a href="postconf.5.html#smtpd_sender_login_maps">&</a>;g
++ s;[\[{(<]smtpd_sender_restrictions[\]})>];<a href="postconf.5.html#smtpd_sender_restrictions">&</a>;g
++ s;[\[{(<]smtpd_soft_error_limit[\]})>];<a href="postconf.5.html#smtpd_soft_error_limit">&</a>;g
++ s;[\[{(<]smtpd_timeout[\]})>];<a href="postconf.5.html#smtpd_timeout">&</a>;g
++ s;[\[{(<]soft_bounce[\]})>];<a href="postconf.5.html#soft_bounce">&</a>;g
++ s;[\[{(<]stale_lock_time[\]})>];<a href="postconf.5.html#stale_lock_time">&</a>;g
++ s;[\[{(<]strict_7bit_headers[\]})>];<a href="postconf.5.html#strict_7bit_headers">&</a>;g
++ s;[\[{(<]strict_8bitmime[\]})>];<a href="postconf.5.html#strict_8bitmime">&</a>;g
++ s;[\[{(<]strict_8bitmime_body[\]})>];<a href="postconf.5.html#strict_8bitmime_body">&</a>;g
++ s;[\[{(<]strict_mime_encoding_domain[\]})>];<a href="postconf.5.html#strict_mime_encoding_domain">&</a>;g
++ s;[\[{(<]strict_rfc821_envelopes[\]})>];<a href="postconf.5.html#strict_rfc821_envelopes">&</a>;g
++ s;[\[{(<]sun_mailtool_compatibility[\]})>];<a href="postconf.5.html#sun_mailtool_compatibility">&</a>;g
++ s;[\[{(<]swap_bangpath[\]})>];<a href="postconf.5.html#swap_bangpath">&</a>;g
++ s;[\[{(<]syslog_facility[\]})>];<a href="postconf.5.html#syslog_facility">&</a>;g
++ s;[\[{(<]syslog_name[\]})>];<a href="postconf.5.html#syslog_name">&</a>;g
++ s;[\[{(<]trace_service_name[\]})>];<a href="postconf.5.html#trace_service_name">&</a>;g
++ s;[\[{(<]transport_maps[\]})>];<a href="postconf.5.html#transport_maps">&</a>;g
++ s;[\[{(<]transport_retry_time[\]})>];<a href="postconf.5.html#transport_retry_time">&</a>;g
++ s;[\[{(<]trigger_timeout[\]})>];<a href="postconf.5.html#trigger_timeout">&</a>;g
++ s;[\[{(<]undisclosed_recip[-</bB>]*\n* *[<bB>]*ients_header[\]})>];<a href="postconf.5.html#undisclosed_recipients_header">&</a>;g
++ s;[\[{(<]unknown_address_reject_code[\]})>];<a href="postconf.5.html#unknown_address_reject_code">&</a>;g
++ s;[\[{(<]unknown_client_reject_code[\]})>];<a href="postconf.5.html#unknown_client_reject_code">&</a>;g
++ s;[\[{(<]unknown_hostname_reject_code[\]})>];<a href="postconf.5.html#unknown_hostname_reject_code">&</a>;g
++ s;[\[{(<]unknown_local_recip[-</bB>]*\n* *[<bB>]*ient_reject_code[\]})>];<a href="postconf.5.html#unknown_local_recipient_reject_code">&</a>;g
++ s;[\[{(<]unknown_relay_recipi[-</bB>]*\n*[ <bB>]*ent_reject_code[\]})>];<a href="postconf.5.html#unknown_relay_recipient_reject_code">&</a>;g
++ s;[\[{(<]unknown_virtual_alias_reject_code[\]})>];<a href="postconf.5.html#unknown_virtual_alias_reject_code">&</a>;g
++ s;[\[{(<]unknown_virtual_mail[-</bB>]*\n* *[<bB>]*box_reject_code[\]})>];<a href="postconf.5.html#unknown_virtual_mailbox_reject_code">&</a>;g
++ s;[\[{(<]unverified_recip[-</bB>]*\n* *[<bB>]*ient_reject_code[\]})>];<a href="postconf.5.html#unverified_recipient_reject_code">&</a>;g
++ s;[\[{(<]unverified_sender_reject_code[\]})>];<a href="postconf.5.html#unverified_sender_reject_code">&</a>;g
++ s;[\[{(<]verp_delimiter_filter[\]})>];<a href="postconf.5.html#verp_delimiter_filter">&</a>;g
++ s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_alias_domains[\]})>];<a href="postconf.5.html#virtual_alias_domains">&</a>;g
++ s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_alias_expansion_limit[\]})>];<a href="postconf.5.html#virtual_alias_expansion_limit">&</a>;g
++ s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_alias_maps[\]})>];<a href="postconf.5.html#virtual_alias_maps">&</a>;g
++ s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_maps[\]})>];<a href="postconf.5.html#virtual_maps">&</a>;g
++ s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_alias_recursion_limit[\]})>];<a href="postconf.5.html#virtual_alias_recursion_limit">&</a>;g
++ s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_gid_maps[\]})>];<a href="postconf.5.html#virtual_gid_maps">&</a>;g
++ s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_base[\]})>];<a href="postconf.5.html#virtual_mailbox_base">&</a>;g
++ s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_domains[\]})>];<a href="postconf.5.html#virtual_mailbox_domains">&</a>;g
++ s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_limit[\]})>];<a href="postconf.5.html#virtual_mailbox_limit">&</a>;g
++ s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_lock[\]})>];<a href="postconf.5.html#virtual_mailbox_lock">&</a>;g
++ s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_maps[\]})>];<a href="postconf.5.html#virtual_mailbox_maps">&</a>;g
++ s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_minimum_uid[\]})>];<a href="postconf.5.html#virtual_minimum_uid">&</a>;g
++ s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_transport[\]})>];<a href="postconf.5.html#virtual_transport">&</a>;g
++ s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_uid_maps[\]})>];<a href="postconf.5.html#virtual_uid_maps">&</a>;g
+
+ # Undo hyperlinks of manual pages with the same name as parameters.
+
+@@ -424,7 +424,7 @@
+ s/[<bB>]*pickup[</bB>]*(8)/<a href="pickup.8.html">&<\/a>/g
+ s/[<bB>]*pipe[</bB>]*(8)/<a href="pipe.8.html">&<\/a>/g
+ s/[<bB>]*oqmgr[</bB>]*(8)/<a href="qmgr.8.html">&<\/a>/g
+- s/[<bB>]*[[:<:]]qmgr[</bB>]*(8)/<a href="qmgr.8.html">&<\/a>/g
++ s/[<bB>]*[\[{(<]qmgr[</bB>]*(8)/<a href="qmgr.8.html">&<\/a>/g
+ s/[<bB>]*qmqpd[</bB>]*(8)/<a href="qmqpd.8.html">&<\/a>/g
+ s/[<bB>]*showq[</bB>]*(8)/<a href="showq.8.html">&<\/a>/g
+ s/[<bB>]*smtp[</bB>]*(8)/<a href="smtp.8.html">&<\/a>/g
+@@ -475,9 +475,9 @@
+
+ # Hyperlink README document names
+
+- s/[[:<:]][A-Z_]*_README[[:>:]]/<a href="&.html">&<\/a>/g
+- s/[[:<:]]INSTALL[[:>:]]/<a href="&.html">&<\/a>/g
+- s/[[:<:]]OVERVIEW[[:>:]]/<a href="&.html">&<\/a>/g
++ s/[\[{(<][A-Z_]*_README[\]})>]/<a href="&.html">&<\/a>/g
++ s/[\[{(<]INSTALL[\]})>]/<a href="&.html">&<\/a>/g
++ s/[\[{(<]OVERVIEW[\]})>]/<a href="&.html">&<\/a>/g
+ s/"type:table"/"<a href="DATABASE_README.html">type:table<\/a>"/g
+
+ # Split manual page hyperlinks across newlines
+@@ -486,61 +486,61 @@
+
+ # Access restrictions - generic
+
+- s;[[:<:]]check_policy_service[[:>:]];<a href="postconf.5.html#check_policy_service">&</a>;g
+- s;[[:<:]]defer_if_permit[[:>:]];<a href="postconf.5.html#defer_if_permit">&</a>;g
+- s;[[:<:]]defer_if_reject[[:>:]];<a href="postconf.5.html#defer_if_reject">&</a>;g
+- s;[[:<:]]reject_multi_recip[-</bB>]*\n* *[<bB>]*ient_bounce[[:>:]];<a href="postconf.5.html#reject_multi_recipient_bounce">&</a>;g
+- s;[[:<:]]reject_unauth_pipelining[[:>:]];<a href="postconf.5.html#reject_unauth_pipelining">&</a>;g
+- s;[[:<:]]warn_if_reject[[:>:]];<a href="postconf.5.html#warn_if_reject">&</a>;g
++ s;[\[{(<]check_policy_service[\]})>];<a href="postconf.5.html#check_policy_service">&</a>;g
++ s;[\[{(<]defer_if_permit[\]})>];<a href="postconf.5.html#defer_if_permit">&</a>;g
++ s;[\[{(<]defer_if_reject[\]})>];<a href="postconf.5.html#defer_if_reject">&</a>;g
++ s;[\[{(<]reject_multi_recip[-</bB>]*\n* *[<bB>]*ient_bounce[\]})>];<a href="postconf.5.html#reject_multi_recipient_bounce">&</a>;g
++ s;[\[{(<]reject_unauth_pipelining[\]})>];<a href="postconf.5.html#reject_unauth_pipelining">&</a>;g
++ s;[\[{(<]warn_if_reject[\]})>];<a href="postconf.5.html#warn_if_reject">&</a>;g
+
+ # Access restrictions - client
+
+- s;[[:<:]]check_client_access[[:>:]];<a href="postconf.5.html#check_client_access">&</a>;g
+- s;[[:<:]]permit_mynetworks[[:>:]];<a href="postconf.5.html#permit_mynetworks">&</a>;g
+- s;[[:<:]]reject_unknown_client[[:>:]];<a href="postconf.5.html#reject_unknown_client">&</a>;g
+- s;[[:<:]]reject_rbl_client[[:>:]];<a href="postconf.5.html#reject_rbl_client">&</a>;g
+- s;[[:<:]]reject_rhsbl_client[[:>:]];<a href="postconf.5.html#reject_rhsbl_client">&</a>;g
++ s;[\[{(<]check_client_access[\]})>];<a href="postconf.5.html#check_client_access">&</a>;g
++ s;[\[{(<]permit_mynetworks[\]})>];<a href="postconf.5.html#permit_mynetworks">&</a>;g
++ s;[\[{(<]reject_unknown_client[\]})>];<a href="postconf.5.html#reject_unknown_client">&</a>;g
++ s;[\[{(<]reject_rbl_client[\]})>];<a href="postconf.5.html#reject_rbl_client">&</a>;g
++ s;[\[{(<]reject_rhsbl_client[\]})>];<a href="postconf.5.html#reject_rhsbl_client">&</a>;g
+
+ # Access restrictions - helo
+
+- s;[[:<:]]check_helo_access[[:>:]];<a href="postconf.5.html#check_helo_access">&</a>;g
+- s;[[:<:]]reject_invalid_hostname[[:>:]];<a href="postconf.5.html#reject_invalid_hostname">&</a>;g
+- s;[[:<:]]reject_non_fqdn_hostname[[:>:]];<a href="postconf.5.html#reject_non_fqdn_hostname">&</a>;g
+- s;[[:<:]]reject_unknown_hostname[[:>:]];<a href="postconf.5.html#reject_unknown_hostname">&</a>;g
++ s;[\[{(<]check_helo_access[\]})>];<a href="postconf.5.html#check_helo_access">&</a>;g
++ s;[\[{(<]reject_invalid_hostname[\]})>];<a href="postconf.5.html#reject_invalid_hostname">&</a>;g
++ s;[\[{(<]reject_non_fqdn_hostname[\]})>];<a href="postconf.5.html#reject_non_fqdn_hostname">&</a>;g
++ s;[\[{(<]reject_unknown_hostname[\]})>];<a href="postconf.5.html#reject_unknown_hostname">&</a>;g
+
+ # Access restrictions - sender
+
+- s;[[:<:]]check_sender_access[[:>:]];<a href="postconf.5.html#check_sender_access">&</a>;g
+- s;[[:<:]]\(reject_authenti\)\([-</bB>]*\n*[ <bB>]*\)\(cated_sender_login_mismatch\)[[:>:]];<a href="postconf.5.html#reject_authenticated_sender_login_mismatch">\1<\/a>\2<a href="postconf.5.html#reject_authenticated_sender_login_mismatch">\3</a>;g
+- s;[[:<:]]reject_non_fqdn_sender[[:>:]];<a href="postconf.5.html#reject_non_fqdn_sender">&</a>;g
+- s;[[:<:]]reject_rhsbl_sender[[:>:]];<a href="postconf.5.html#reject_rhsbl_sender">&</a>;g
+- s;[[:<:]]reject_sender_login_mis[-</bB>]*\n*[ <bB>]*match[[:>:]];<a href="postconf.5.html#reject_sender_login_mismatch">&</a>;g
+- s;[[:<:]]reject_unauthenticated_sender_login_mismatch[[:>:]];<a href="postconf.5.html#reject_unauthenticated_sender_login_mismatch">&</a>;g
+- s;[[:<:]]reject_unknown_sender_domain[[:>:]];<a href="postconf.5.html#reject_unknown_sender_domain">&</a>;g
+- s;[[:<:]]reject_unlisted_sender[[:>:]];<a href="postconf.5.html#reject_unlisted_sender">&</a>;g
+- s;[[:<:]]reject_unveri[-</bB>]*\n*[ <bB>]*fied_sender[[:>:]];<a href="postconf.5.html#reject_unverified_sender">&</a>;g
++ s;[\[{(<]check_sender_access[\]})>];<a href="postconf.5.html#check_sender_access">&</a>;g
++ s;[\[{(<]\(reject_authenti\)\([-</bB>]*\n*[ <bB>]*\)\(cated_sender_login_mismatch\)[\]})>];<a href="postconf.5.html#reject_authenticated_sender_login_mismatch">\1<\/a>\2<a href="postconf.5.html#reject_authenticated_sender_login_mismatch">\3</a>;g
++ s;[\[{(<]reject_non_fqdn_sender[\]})>];<a href="postconf.5.html#reject_non_fqdn_sender">&</a>;g
++ s;[\[{(<]reject_rhsbl_sender[\]})>];<a href="postconf.5.html#reject_rhsbl_sender">&</a>;g
++ s;[\[{(<]reject_sender_login_mis[-</bB>]*\n*[ <bB>]*match[\]})>];<a href="postconf.5.html#reject_sender_login_mismatch">&</a>;g
++ s;[\[{(<]reject_unauthenticated_sender_login_mismatch[\]})>];<a href="postconf.5.html#reject_unauthenticated_sender_login_mismatch">&</a>;g
++ s;[\[{(<]reject_unknown_sender_domain[\]})>];<a href="postconf.5.html#reject_unknown_sender_domain">&</a>;g
++ s;[\[{(<]reject_unlisted_sender[\]})>];<a href="postconf.5.html#reject_unlisted_sender">&</a>;g
++ s;[\[{(<]reject_unveri[-</bB>]*\n*[ <bB>]*fied_sender[\]})>];<a href="postconf.5.html#reject_unverified_sender">&</a>;g
+
+ # Access restrictions - recip[-</bB>]*\n* *[<bB>]*ient
+
+- s;[[:<:]]check_recip[-</bB>]*\n* *[<bB>]*ient_access[[:>:]];<a href="postconf.5.html#check_recipient_access">&</a>;g
+- s;[[:<:]]check_recip[-</bB>]*\n* *[<bB>]*ient_mx_access[[:>:]];<a href="postconf.5.html#check_recipient_mx_access">&</a>;g
+- s;[[:<:]]check_recip[-</bB>]*\n* *[<bB>]*ient_ns_access[[:>:]];<a href="postconf.5.html#check_recipient_ns_access">&</a>;g
+- s;[[:<:]]permit_auth_destination[[:>:]];<a href="postconf.5.html#permit_auth_destination">&</a>;g
+- s;[[:<:]]permit_mx_backup[[:>:]];<a href="postconf.5.html#permit_mx_backup">&</a>;g
+- s;[[:<:]]reject_non_fqdn_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#reject_non_fqdn_recipient">&</a>;g
+- s;[[:<:]]reject_rhsbl_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#reject_rhsbl_recipient">&</a>;g
+- s;[[:<:]]reject_unauth_destination[[:>:]];<a href="postconf.5.html#reject_unauth_destination">&</a>;g
+- s;[[:<:]]reject_unknown_recipi[-</bB>]*\n*[ <bB>]*ent_domain[[:>:]];<a href="postconf.5.html#reject_unknown_recipient_domain">&</a>;g
+- s;[[:<:]]reject_unlisted_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#reject_unlisted_recipient">&</a>;g
+- s;[[:<:]]reject_unveri[-</bB>]*\n*[ <bB>]*fied_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#reject_unverified_recipient">&</a>;g
++ s;[\[{(<]check_recip[-</bB>]*\n* *[<bB>]*ient_access[\]})>];<a href="postconf.5.html#check_recipient_access">&</a>;g
++ s;[\[{(<]check_recip[-</bB>]*\n* *[<bB>]*ient_mx_access[\]})>];<a href="postconf.5.html#check_recipient_mx_access">&</a>;g
++ s;[\[{(<]check_recip[-</bB>]*\n* *[<bB>]*ient_ns_access[\]})>];<a href="postconf.5.html#check_recipient_ns_access">&</a>;g
++ s;[\[{(<]permit_auth_destination[\]})>];<a href="postconf.5.html#permit_auth_destination">&</a>;g
++ s;[\[{(<]permit_mx_backup[\]})>];<a href="postconf.5.html#permit_mx_backup">&</a>;g
++ s;[\[{(<]reject_non_fqdn_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#reject_non_fqdn_recipient">&</a>;g
++ s;[\[{(<]reject_rhsbl_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#reject_rhsbl_recipient">&</a>;g
++ s;[\[{(<]reject_unauth_destination[\]})>];<a href="postconf.5.html#reject_unauth_destination">&</a>;g
++ s;[\[{(<]reject_unknown_recipi[-</bB>]*\n*[ <bB>]*ent_domain[\]})>];<a href="postconf.5.html#reject_unknown_recipient_domain">&</a>;g
++ s;[\[{(<]reject_unlisted_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#reject_unlisted_recipient">&</a>;g
++ s;[\[{(<]reject_unveri[-</bB>]*\n*[ <bB>]*fied_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#reject_unverified_recipient">&</a>;g
+
+ # Access restrictions - etrn
+
+- s;[[:<:]]check_etrn_access[[:>:]];<a href="postconf.5.html#check_etrn_access">&</a>;g
++ s;[\[{(<]check_etrn_access[\]})>];<a href="postconf.5.html#check_etrn_access">&</a>;g
+
+ # Split parameter or restriction hyperlinks across line breaks
+
+- s/\(<a href="[^"]*">\)\([-a-z0-9_]*\)[[:>:]]\([-</bB>]*\n *[<bB>]*\)[[:<:]]\([-a-z0-9_]*\)\(<\/a>\)/\1\2\5\3\1\4\5/
++ s/\(<a href="[^"]*">\)\([-a-z0-9_]*\)[\]})>]\([-</bB>]*\n *[<bB>]*\)[\[{(<]\([-a-z0-9_]*\)\(<\/a>\)/\1\2\5\3\1\4\5/
+
+ # Glue manual/parameter/restriction hyperlinks without line breaks.
+
+@@ -551,7 +551,7 @@
+
+ s/\(http:\/\/[^ ,"()]*[^ ,"():;!?.]\)/<a href="\1">\1<\/a>/
+ s/\(ftp:\/\/[^ ,"()]*[^ ,"():;!?.]\)/<a href="\1">\1<\/a>/
+- s/[[:<:]]RFC *\([1-9][0-9]*\)/<a href="http:\/\/www.faqs.org\/rfcs\/rfc\1.html">&<\/a>/
++ s/[\[{(<]RFC *\([1-9][0-9]*\)/<a href="http:\/\/www.faqs.org\/rfcs\/rfc\1.html">&<\/a>/
+
+ # Hyperlink phrases not in headers.
+
+@@ -572,32 +572,32 @@
+ s/relay domains*/<a href="ADDRESS_CLASS_README.html#relay_domain_class">&<\/a>/
+ s/default domains*/<a href="ADDRESS_CLASS_README.html#default_domain_class">&<\/a>/
+ s/mydestination domains*/<a href="ADDRESS_CLASS_README.html#local_domain_class">&<\/a>/
+- s/[[:<:]]"*maildrop"* *queues*[[:>:]]/<a href="QSHAPE_README.html#maildrop_queue">&<\/a>/
+- s/[[:<:]]\("*maildrop"*\),/<a href="QSHAPE_README.html#maildrop_queue">\1<\/a>,/
+- s/[[:<:]]\("*incoming"*\) and[[:>:]]/<a href="QSHAPE_README.html#incoming_queue">\1<\/a> and/
+- s/[[:<:]]\("*incoming"*\) or[[:>:]]/<a href="QSHAPE_README.html#incoming_queue">\1<\/a> or/
+- s/[[:<:]]"*incoming"* *queues*[[:>:]]/<a href="QSHAPE_README.html#incoming_queue">&<\/a>/
+- s/<b> *incoming *<\/b> *queues*[[:>:]]/<a href="QSHAPE_README.html#incoming_queue">&<\/a>/
+- s/[[:<:]]"*active"* *queues*[[:>:]]/<a href="QSHAPE_README.html#active_queue">&<\/a>/
+- s/[[:<:]]"*deferred"* *queues*[[:>:]]/<a href="QSHAPE_README.html#deferred_queue">&<\/a>/
+- s/[[:<:]]"*hold"* *queues*[[:>:]]/<a href="QSHAPE_README.html#hold_queue">&<\/a>/
+- s/[[:<:]]\("*hold"*\),/<a href="QSHAPE_README.html#hold_queue">\1<\/a>,/
++ s/[\[{(<]"*maildrop"* *queues*[\]})>]/<a href="QSHAPE_README.html#maildrop_queue">&<\/a>/
++ s/[\[{(<]\("*maildrop"*\),/<a href="QSHAPE_README.html#maildrop_queue">\1<\/a>,/
++ s/[\[{(<]\("*incoming"*\) and[\]})>]/<a href="QSHAPE_README.html#incoming_queue">\1<\/a> and/
++ s/[\[{(<]\("*incoming"*\) or[\]})>]/<a href="QSHAPE_README.html#incoming_queue">\1<\/a> or/
++ s/[\[{(<]"*incoming"* *queues*[\]})>]/<a href="QSHAPE_README.html#incoming_queue">&<\/a>/
++ s/<b> *incoming *<\/b> *queues*[\]})>]/<a href="QSHAPE_README.html#incoming_queue">&<\/a>/
++ s/[\[{(<]"*active"* *queues*[\]})>]/<a href="QSHAPE_README.html#active_queue">&<\/a>/
++ s/[\[{(<]"*deferred"* *queues*[\]})>]/<a href="QSHAPE_README.html#deferred_queue">&<\/a>/
++ s/[\[{(<]"*hold"* *queues*[\]})>]/<a href="QSHAPE_README.html#hold_queue">&<\/a>/
++ s/[\[{(<]\("*hold"*\),/<a href="QSHAPE_README.html#hold_queue">\1<\/a>,/
+
+ # Hyperlink map types.
+
+- s/[[:<:]]\(cidr\):/<a href="cidr_table.5.html">\1<\/a>:/g
+- s/[[:<:]]\(pcre\):/<a href="pcre_table.5.html">\1<\/a>:/g
+- s/[[:<:]]\(proxy\):/<a href="proxymap.8.html">\1<\/a>:/g
+- s/[[:<:]]\(pgsql\):/<a href="pgsql_table.5.html">\1<\/a>:/g
+- s/[[:<:]]\(mysql\):/<a href="mysql_table.5.html">\1<\/a>:/g
+- s/[[:<:]]\(ldap\):/<a href="ldap_table.5.html">\1<\/a>:/g
+- s/[[:<:]]\(regexp\):/<a href="regexp_table.5.html">\1<\/a>:/g
+- #s/[[:<:]]\(tcp\):/<a href="tcp_table.5.html">\1<\/a>:/g
++ s/[\[{(<]\(cidr\):/<a href="cidr_table.5.html">\1<\/a>:/g
++ s/[\[{(<]\(pcre\):/<a href="pcre_table.5.html">\1<\/a>:/g
++ s/[\[{(<]\(proxy\):/<a href="proxymap.8.html">\1<\/a>:/g
++ s/[\[{(<]\(pgsql\):/<a href="pgsql_table.5.html">\1<\/a>:/g
++ s/[\[{(<]\(mysql\):/<a href="mysql_table.5.html">\1<\/a>:/g
++ s/[\[{(<]\(ldap\):/<a href="ldap_table.5.html">\1<\/a>:/g
++ s/[\[{(<]\(regexp\):/<a href="regexp_table.5.html">\1<\/a>:/g
++ #s/[\[{(<]\(tcp\):/<a href="tcp_table.5.html">\1<\/a>:/g
+
+ # Do nice links for smtp:host:port etc.
+
+- s/[[:<:]]\(error\):/<a href="error.8.html">\1<\/a>:/g
+- s/[[:<:]]\(smtp\):/<a href="smtp.8.html">\1<\/a>:/g
+- s/[[:<:]]\(lmtp\):/<a href="lmtp.8.html">\1<\/a>:/g
++ s/[\[{(<]\(error\):/<a href="error.8.html">\1<\/a>:/g
++ s/[\[{(<]\(smtp\):/<a href="smtp.8.html">\1<\/a>:/g
++ s/[\[{(<]\(lmtp\):/<a href="lmtp.8.html">\1<\/a>:/g
+
+ ' "$@"
Added: trunk/kolab-postfix/debian/patches/10master.cf.dpatch
===================================================================
--- trunk/kolab-postfix/debian/patches/10master.cf.dpatch 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/patches/10master.cf.dpatch 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,81 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10master.cf.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-2.1.5/conf/master.cf /tmp/dpep.YcxBnZ/postfix-2.1.5/conf/master.cf
+--- postfix-2.1.5/conf/master.cf 2004-12-27 22:02:52.864399960 -0700
++++ /tmp/dpep.YcxBnZ/postfix-2.1.5/conf/master.cf 2004-12-27 22:19:03.606731307 -0700
+@@ -77,26 +77,26 @@
+ # service type private unpriv chroot wakeup maxproc command + args
+ # (yes) (yes) (yes) (never) (100)
+ # ==========================================================================
+-smtp inet n - n - - smtpd
+-#submission inet n - n - - smtpd
++smtp inet n - - - - smtpd
++#submission inet n - - - - smtpd
+ # -o smtpd_etrn_restrictions=reject
+-#628 inet n - n - - qmqpd
+-pickup fifo n - n 60 1 pickup
+-cleanup unix n - n - 0 cleanup
+-qmgr fifo n - n 300 1 qmgr
+-#qmgr fifo n - n 300 1 oqmgr
+-rewrite unix - - n - - trivial-rewrite
+-bounce unix - - n - 0 bounce
+-defer unix - - n - 0 bounce
+-trace unix - - n - 0 bounce
+-verify unix - - n - 1 verify
+-flush unix n - n 1000? 0 flush
++#628 inet n - - - - qmqpd
++pickup fifo n - - 60 1 pickup
++cleanup unix n - - - 0 cleanup
++qmgr fifo n - - 300 1 qmgr
++#qmgr fifo n - - 300 1 oqmgr
++rewrite unix - - - - - trivial-rewrite
++bounce unix - - - - 0 bounce
++defer unix - - - - 0 bounce
++trace unix - - - - 0 bounce
++verify unix - - - - 1 verify
++flush unix n - - 1000? 0 flush
+ proxymap unix - - n - - proxymap
+-smtp unix - - n - - smtp
+-relay unix - - n - - smtp
++smtp unix - - - - - smtp
++relay unix - - - - - smtp
+ # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+-showq unix n - n - - showq
+-error unix - - n - - error
++showq unix n - - - - showq
++error unix - - - - - error
+ local unix - n n - - local
+ virtual unix - n n - - virtual
+ lmtp unix - - n - - lmtp
+@@ -109,18 +109,16 @@
+ #
+ maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
+-#
+-# The Cyrus deliver program has changed incompatibly, multiple times.
+-#
+-old-cyrus unix - n n - - pipe
+- flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+-# Cyrus 2.1.5 (Amos Gouaux)
+-# Also specify in main.cf: cyrus_destination_recipient_limit=1
+-cyrus unix - n n - - pipe
+- user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+ uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+ ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+ bsmtp unix - n n - - pipe
+- flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
++ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
++scalemail-backend unix - n n - 2 pipe
++ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
++
++# only used by postfix-tls
++#tlsmgr fifo - - n 300 1 tlsmgr
++#smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
++#587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
Added: trunk/kolab-postfix/debian/patches/10rmail.dpatch
===================================================================
--- trunk/kolab-postfix/debian/patches/10rmail.dpatch 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/patches/10rmail.dpatch 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,698 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10rmail.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-2.1.5/Makefile.in /tmp/dpep.5gIPzk/postfix-2.1.5/Makefile.in
+--- postfix-2.1.5/Makefile.in 2004-12-27 22:02:52.848403399 -0700
++++ /tmp/dpep.5gIPzk/postfix-2.1.5/Makefile.in 2004-12-27 22:19:13.392627752 -0700
+@@ -1,10 +1,11 @@
+ SHELL = /bin/sh
+ WARN = -Wmissing-prototypes -Wformat
+-OPTS = 'CC=$(CC)'
++OPTS = "CC=$(CC)"
+ DIRS = src/util src/global src/dns src/master src/postfix src/smtpstone \
+ src/sendmail src/error src/pickup src/cleanup src/smtpd src/local \
+ src/lmtp src/trivial-rewrite src/qmgr src/oqmgr src/smtp src/bounce \
+ src/pipe src/showq src/postalias src/postcat src/postconf src/postdrop \
++ rmail \
+ src/postkick src/postlock src/postlog src/postmap src/postqueue \
+ src/postsuper src/qmqpd src/spawn src/flush src/verify \
+ src/virtual src/proxymap
+diff -urNad postfix-2.1.5/rmail/LICENSE /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/LICENSE
+--- postfix-2.1.5/rmail/LICENSE 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/LICENSE 2004-12-27 22:19:13.392627752 -0700
+@@ -0,0 +1,79 @@
++ SENDMAIL LICENSE
++
++The following license terms and conditions apply, unless a different
++license is obtained from Sendmail, Inc., 6425 Christie Ave, Fourth Floor,
++Emeryville, CA 94608, or by electronic mail at license at sendmail.com.
++
++License Terms:
++
++Use, Modification and Redistribution (including distribution of any
++modified or derived work) in source and binary forms is permitted only if
++each of the following conditions is met:
++
++1. Redistributions qualify as "freeware" or "Open Source Software" under
++ one of the following terms:
++
++ (a) Redistributions are made at no charge beyond the reasonable cost of
++ materials and delivery.
++
++ (b) Redistributions are accompanied by a copy of the Source Code or by an
++ irrevocable offer to provide a copy of the Source Code for up to three
++ years at the cost of materials and delivery. Such redistributions
++ must allow further use, modification, and redistribution of the Source
++ Code under substantially the same terms as this license. For the
++ purposes of redistribution "Source Code" means the complete compilable
++ and linkable source code of sendmail including all modifications.
++
++2. Redistributions of source code must retain the copyright notices as they
++ appear in each source code file, these license terms, and the
++ disclaimer/limitation of liability set forth as paragraph 6 below.
++
++3. Redistributions in binary form must reproduce the Copyright Notice,
++ these license terms, and the disclaimer/limitation of liability set
++ forth as paragraph 6 below, in the documentation and/or other materials
++ provided with the distribution. For the purposes of binary distribution
++ the "Copyright Notice" refers to the following language:
++ "Copyright (c) 1998-2000 Sendmail, Inc. All rights reserved."
++
++4. Neither the name of Sendmail, Inc. nor the University of California nor
++ the names of their contributors may be used to endorse or promote
++ products derived from this software without specific prior written
++ permission. The name "sendmail" is a trademark of Sendmail, Inc.
++
++5. All redistributions must comply with the conditions imposed by the
++ University of California on certain embedded code, whose copyright
++ notice and conditions for redistribution are as follows:
++
++ (a) Copyright (c) 1988, 1993 The Regents of the University of
++ California. All rights reserved.
++
++ (b) Redistribution and use in source and binary forms, with or without
++ modification, are permitted provided that the following conditions
++ are met:
++
++ (i) Redistributions of source code must retain the above copyright
++ notice, this list of conditions and the following disclaimer.
++
++ (ii) Redistributions in binary form must reproduce the above
++ copyright notice, this list of conditions and the following
++ disclaimer in the documentation and/or other materials provided
++ with the distribution.
++
++ (iii) Neither the name of the University nor the names of its
++ contributors may be used to endorse or promote products derived
++ from this software without specific prior written permission.
++
++6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
++ SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
++ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
++ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
++ NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
++ CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
++ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
++ USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
++ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
++
++$Revision: 1.1.2.1 $, Last updated $Date: 2004/12/28 05:34:15 $
+diff -urNad postfix-2.1.5/rmail/Makefile.in /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/Makefile.in
+--- postfix-2.1.5/rmail/Makefile.in 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/Makefile.in 2004-12-27 22:19:13.392627752 -0700
+@@ -0,0 +1,56 @@
++SHELL = /bin/sh
++SRCS = rmail.c
++OBJS = rmail.o
++HDRS =
++TESTSRC =
++WARN = -W -Wformat -Wimplicit -Wmissing-prototypes \
++ -Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
++ -Wunused
++DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE) -DHASSNPRINTF -DHASSTRERROR
++CFLAGS = $(DEBUG) $(OPT) $(DEFS)
++TESTPROG=
++PROG = rmail
++INC_DIR =
++LIBS =
++
++.c.o:; $(CC) $(CFLAGS) -c $*.c
++
++$(PROG): $(OBJS) $(LIBS)
++ $(CC) $(CFLAGS) -o $@ $(OBJS) $(LIBS) $(SYSLIBS)
++
++Makefile: Makefile.in
++ (set -e; echo "# DO NOT EDIT"; $(OPTS) sh ../makedefs; cat $?) >$@
++
++test: $(TESTPROG)
++
++update: ../bin/$(PROG)
++
++../bin/$(PROG): $(PROG)
++ cp $(PROG) ../bin
++
++printfck: $(OBJS) $(PROG)
++ rm -rf printfck
++ mkdir printfck
++ sed '1,/^# do not edit/!d' Makefile >printfck/Makefile
++ set -e; for i in *.c; do printfck -f .printfck $$i >printfck/$$i; done
++ cd printfck; make "INC_DIR=../../include" `cd ..; ls *.o`
++
++lint:
++ lint $(DEFS) $(SRCS) $(LINTFIX)
++
++clean:
++ rm -f *.o *core $(PROG) $(TESTPROG) junk
++ rm -rf printfck
++
++tidy: clean
++
++depend: $(MAKES)
++ (sed '1,/^# do not edit/!d' Makefile.in; \
++ set -e; for i in [a-z][a-z0-9]*.c; do \
++ $(CC) -E $(DEFS) $(INCL) $$i | sed -n -e '/^# *1 *"\([^"]*\)".*/{' \
++ -e 's//'`echo $$i|sed 's/c$$/o/'`': \1/' -e 'p' -e '}'; \
++ done) | grep -v '[.][o][:][ ][/]' >$$$$ && mv $$$$ Makefile.in
++ @make -f Makefile.in Makefile
++
++# do not edit below this line - it is generated by 'make depend'
++rmail.o: rmail.c
+diff -urNad postfix-2.1.5/rmail/rmail.8 /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/rmail.8
+--- postfix-2.1.5/rmail/rmail.8 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/rmail.8 2004-12-27 22:19:13.393627537 -0700
+@@ -0,0 +1,49 @@
++.\" Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers.
++.\" All rights reserved.
++.\" Copyright (c) 1983, 1990
++.\" The Regents of the University of California. All rights reserved.
++.\"
++.\" By using this file, you agree to the terms and conditions set
++.\" forth in the LICENSE file which can be found at the top level of
++.\" the sendmail distribution.
++.\"
++.\"
++.\" $Id: 10rmail.dpatch,v 1.1.2.1 2004/12/28 05:34:15 lamont Exp $
++.\"
++.TH RMAIL 8 "$Date: 2004/12/28 05:34:15 $"
++.SH NAME
++.B rmail
++\- handle remote mail received via uucp
++.SH SYNOPSIS
++.B rmail
++.I
++user ...
++.SH DESCRIPTION
++.B Rmail
++interprets incoming mail received via
++uucp(1),
++collapsing ``From'' lines in the form generated
++by
++mail.local(8)
++into a single line of the form ``return-path!sender'',
++and passing the processed mail on to
++sendmail(8).
++.PP
++.B Rmail
++is explicitly designed for use with
++uucp
++and
++sendmail.
++.SH SEE ALSO
++uucp(1),
++mail.local(8),
++sendmail(8)
++.SH HISTORY
++The
++.B rmail
++program appeared in
++4.2BSD.
++.SH BUGS
++.B Rmail
++should not reside in
++/bin.
+diff -urNad postfix-2.1.5/rmail/rmail.c /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/rmail.c
+--- postfix-2.1.5/rmail/rmail.c 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/rmail.c 2004-12-27 22:19:13.393627537 -0700
+@@ -0,0 +1,475 @@
++/*
++ * Copyright (c) 1998-2000 Sendmail, Inc. and its suppliers.
++ * All rights reserved.
++ * Copyright (c) 1988, 1993
++ * The Regents of the University of California. All rights reserved.
++ *
++ * By using this file, you agree to the terms and conditions set
++ * forth in the LICENSE file which can be found at the top level of
++ * the sendmail distribution.
++ *
++ */
++
++#ifndef lint
++static char copyright[] =
++"@(#) Copyright (c) 1998-2000 Sendmail, Inc. and its suppliers.\n\
++ All rights reserved.\n\
++ Copyright (c) 1988, 1993\n\
++ The Regents of the University of California. All rights reserved.\n";
++#endif /* ! lint */
++
++#ifndef lint
++static char id[] = "@(#)$Id: 10rmail.dpatch,v 1.1.2.1 2004/12/28 05:34:15 lamont Exp $";
++#endif /* ! lint */
++
++/*
++ * RMAIL -- UUCP mail server.
++ *
++ * This program reads the >From ... remote from ... lines that UUCP is so
++ * fond of and turns them into something reasonable. It then execs sendmail
++ * with various options built from these lines.
++ *
++ * The expected syntax is:
++ *
++ * <user> := [-a-z0-9]+
++ * <date> := ctime format
++ * <site> := [-a-z0-9!]+
++ * <blank line> := "^\n$"
++ * <from> := "From" <space> <user> <space> <date>
++ * [<space> "remote from" <space> <site>]
++ * <forward> := ">" <from>
++ * msg := <from> <forward>* <blank-line> <body>
++ *
++ * The output of rmail(8) compresses the <forward> lines into a single
++ * from path.
++ *
++ * The err(3) routine is included here deliberately to make this code
++ * a bit more portable.
++ */
++
++#include <sys/types.h>
++#include <sys/param.h>
++#include <sys/stat.h>
++#include <sys/wait.h>
++
++#include <ctype.h>
++#include <fcntl.h>
++#ifdef BSD4_4
++# define FORK vfork
++# include <paths.h>
++#else /* BSD4_4 */
++# define FORK fork
++# ifndef _PATH_SENDMAIL
++# define _PATH_SENDMAIL "/usr/lib/sendmail"
++# endif /* ! _PATH_SENDMAIL */
++#endif /* BSD4_4 */
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++#ifdef EX_OK
++# undef EX_OK /* unistd.h may have another use for this */
++#endif /* EX_OK */
++#include <sysexits.h>
++
++#ifndef MAX
++# define MAX(a, b) ((a) < (b) ? (b) : (a))
++#endif /* ! MAX */
++
++#ifndef __P
++# ifdef __STDC__
++# define __P(protos) protos
++# else /* __STDC__ */
++# define __P(protos) ()
++# define const
++# endif /* __STDC__ */
++#endif /* ! __P */
++
++#ifndef STDIN_FILENO
++# define STDIN_FILENO 0
++#endif /* ! STDIN_FILENO */
++
++#if defined(BSD4_4) || defined(linux) || SOLARIS >= 20600 || (SOLARIS < 10000 && SOLARIS >= 206) || _AIX4 >= 40300 || defined(HPUX11)
++# define HASSNPRINTF 1
++#endif /* defined(BSD4_4) || defined(linux) || SOLARIS >= 20600 || (SOLARIS < 10000 && SOLARIS >= 206) || _AIX4 >= 40300 || defined(HPUX11) */
++
++#if defined(sun) && !defined(BSD) && !defined(SOLARIS) && !defined(__svr4__) && !defined(__SVR4)
++# define memmove(d, s, l) (bcopy((s), (d), (l)))
++#endif /* defined(sun) && !defined(BSD) && !defined(SOLARIS) && !defined(__svr4__) && !defined(__SVR4) */
++
++#if !HASSNPRINTF
++extern int snprintf __P((char *, size_t, const char *, ...));
++#endif /* !HASSNPRINTF */
++
++#if defined(BSD4_4) || defined(__osf__) || defined(__GNU_LIBRARY__) || defined(IRIX64) || defined(IRIX5) || defined(IRIX6)
++# ifndef HASSTRERROR
++# define HASSTRERROR 1
++# endif /* ! HASSTRERROR */
++#endif /* defined(BSD4_4) || defined(__osf__) || defined(__GNU_LIBRARY__) ||
++ defined(IRIX64) || defined(IRIX5) || defined(IRIX6) */
++
++#if defined(SUNOS403) || defined(NeXT) || (defined(MACH) && defined(i386) && !defined(__GNU__)) || defined(oldBSD43) || defined(MORE_BSD) || defined(umipsbsd) || defined(ALTOS_SYSTEM_V) || defined(RISCOS) || defined(_AUX_SOURCE) || defined(UMAXV) || defined(titan) || defined(UNIXWARE) || defined(sony_news) || defined(luna) || defined(nec_ews_svr4) || defined(_nec_ews_svr4) || defined(__MAXION__)
++# undef WIFEXITED
++# undef WEXITSTATUS
++# define WIFEXITED(st) (((st) & 0377) == 0)
++# define WEXITSTATUS(st) (((st) >> 8) & 0377)
++#endif /* defined(SUNOS403) || defined(NeXT) || (defined(MACH) && defined(i386) && !defined(__GNU__)) || defined(oldBSD43) || defined(MORE_BSD) || defined(umipsbsd) || defined(ALTOS_SYSTEM_V) || defined(RISCOS) || defined(_AUX_SOURCE) || defined(UMAXV) || defined(titan) || defined(UNIXWARE) || defined(sony_news) || defined(luna) || defined(nec_ews_svr4) || defined(_nec_ews_svr4) || defined(__MAXION__) */
++
++#include <errno.h>
++
++static void err __P((int, const char *, ...));
++static void usage __P((void));
++static char *xalloc __P((int));
++
++#define newstr(s) strcpy(xalloc(strlen(s) + 1), s)
++
++static char *
++xalloc(sz)
++ register int sz;
++{
++ register char *p;
++
++ /* some systems can't handle size zero mallocs */
++ if (sz <= 0)
++ sz = 1;
++
++ p = malloc((unsigned) sz);
++ if (p == NULL)
++ err(EX_TEMPFAIL, "out of memory");
++ return (p);
++}
++
++int
++main(argc, argv)
++ int argc;
++ char *argv[];
++{
++ int ch, debug, i, pdes[2], pid, status;
++ size_t fplen = 0, fptlen = 0, len;
++ off_t offset;
++ FILE *fp;
++ char *addrp = NULL, *domain, *p, *t;
++ char *from_path, *from_sys, *from_user;
++ char **args, buf[2048], lbuf[2048];
++ struct stat sb;
++ extern char *optarg;
++ extern int optind;
++
++ debug = 0;
++ domain = "UUCP"; /* Default "domain". */
++ while ((ch = getopt(argc, argv, "D:T")) != -1)
++ {
++ switch (ch)
++ {
++ case 'T':
++ debug = 1;
++ break;
++
++ case 'D':
++ domain = optarg;
++ break;
++
++ case '?':
++ default:
++ usage();
++ }
++ }
++
++ argc -= optind;
++ argv += optind;
++
++ if (argc < 1)
++ usage();
++
++ from_path = from_sys = from_user = NULL;
++ for (offset = 0; ; )
++ {
++ /* Get and nul-terminate the line. */
++ if (fgets(lbuf, sizeof(lbuf), stdin) == NULL)
++ exit(EX_DATAERR);
++ if ((p = strchr(lbuf, '\n')) == NULL)
++ err(EX_DATAERR, "line too long");
++ *p = '\0';
++
++ /* Parse lines until reach a non-"From" line. */
++ if (!strncmp(lbuf, "From ", 5))
++ addrp = lbuf + 5;
++ else if (!strncmp(lbuf, ">From ", 6))
++ addrp = lbuf + 6;
++ else if (offset == 0)
++ err(EX_DATAERR,
++ "missing or empty From line: %s", lbuf);
++ else
++ {
++ *p = '\n';
++ break;
++ }
++
++ if (addrp == NULL || *addrp == '\0')
++ err(EX_DATAERR, "corrupted From line: %s", lbuf);
++
++ /* Use the "remote from" if it exists. */
++ for (p = addrp; (p = strchr(p + 1, 'r')) != NULL; )
++ {
++ if (!strncmp(p, "remote from ", 12))
++ {
++ for (t = p += 12; *t != '\0'; ++t)
++ {
++ if (isascii(*t) && isspace(*t))
++ break;
++ }
++ *t = '\0';
++ if (debug)
++ fprintf(stderr, "remote from: %s\n", p);
++ break;
++ }
++ }
++
++ /* Else use the string up to the last bang. */
++ if (p == NULL)
++ {
++ if (*addrp == '!')
++ err(EX_DATAERR, "bang starts address: %s",
++ addrp);
++ else if ((t = strrchr(addrp, '!')) != NULL)
++ {
++ *t = '\0';
++ p = addrp;
++ addrp = t + 1;
++ if (*addrp == '\0')
++ err(EX_DATAERR,
++ "corrupted From line: %s", lbuf);
++ if (debug)
++ fprintf(stderr, "bang: %s\n", p);
++ }
++ }
++
++ /* 'p' now points to any system string from this line. */
++ if (p != NULL)
++ {
++ /* Nul terminate it as necessary. */
++ for (t = p; *t != '\0'; ++t)
++ {
++ if (isascii(*t) && isspace(*t))
++ break;
++ }
++ *t = '\0';
++
++ /* If the first system, copy to the from_sys string. */
++ if (from_sys == NULL)
++ {
++ from_sys = newstr(p);
++ if (debug)
++ fprintf(stderr, "from_sys: %s\n",
++ from_sys);
++ }
++
++ /* Concatenate to the path string. */
++ len = t - p;
++ if (from_path == NULL)
++ {
++ fplen = 0;
++ if ((from_path = malloc(fptlen = 256)) == NULL)
++ err(EX_TEMPFAIL, NULL);
++ }
++ if (fplen + len + 2 > fptlen)
++ {
++ fptlen += MAX(fplen + len + 2, 256);
++ if ((from_path = realloc(from_path,
++ fptlen)) == NULL)
++ err(EX_TEMPFAIL, NULL);
++ }
++ memmove(from_path + fplen, p, len);
++ fplen += len;
++ from_path[fplen++] = '!';
++ from_path[fplen] = '\0';
++ }
++
++ /* Save off from user's address; the last one wins. */
++ for (p = addrp; *p != '\0'; ++p)
++ {
++ if (isascii(*p) && isspace(*p))
++ break;
++ }
++ *p = '\0';
++ if (*addrp == '\0')
++ addrp = "<>";
++ if (from_user != NULL)
++ free(from_user);
++ from_user = newstr(addrp);
++
++ if (debug)
++ {
++ if (from_path != NULL)
++ fprintf(stderr, "from_path: %s\n", from_path);
++ fprintf(stderr, "from_user: %s\n", from_user);
++ }
++
++ if (offset != -1)
++ offset = (off_t)ftell(stdin);
++ }
++
++
++ /* Allocate args (with room for sendmail args as well as recipients */
++ args = (char **)xalloc(sizeof(*args) * (10 + argc));
++
++ i = 0;
++ args[i++] = _PATH_SENDMAIL; /* Build sendmail's argument list. */
++ args[i++] = "-G"; /* relay submission */
++ args[i++] = "-oee"; /* No errors, just status. */
++ args[i++] = "-odq"; /* Queue it, don't try to deliver. */
++ args[i++] = "-oi"; /* Ignore '.' on a line by itself. */
++
++ /* set from system and protocol used */
++ if (from_sys == NULL)
++ snprintf(buf, sizeof(buf), "-p%s", domain);
++ else if (strchr(from_sys, '.') == NULL)
++ snprintf(buf, sizeof(buf), "-p%s:%s.%s",
++ domain, from_sys, domain);
++ else
++ snprintf(buf, sizeof(buf), "-p%s:%s", domain, from_sys);
++ args[i++] = newstr(buf);
++
++ /* Set name of ``from'' person. */
++ snprintf(buf, sizeof(buf), "-f%s%s",
++ from_path ? from_path : "", from_user);
++ args[i++] = newstr(buf);
++
++ /*
++ ** Don't copy arguments beginning with - as they will be
++ ** passed to sendmail and could be interpreted as flags.
++ ** To prevent confusion of sendmail wrap < and > around
++ ** the address (helps to pass addrs like @gw1, at gw2:aa at bb)
++ */
++
++ while (*argv != NULL)
++ {
++ if (**argv == '-')
++ err(EX_USAGE, "dash precedes argument: %s", *argv);
++
++ if (strchr(*argv, ',') == NULL || strchr(*argv, '<') != NULL)
++ args[i++] = *argv;
++ else
++ {
++ len = strlen(*argv) + 3;
++ if ((args[i] = malloc(len)) == NULL)
++ err(EX_TEMPFAIL, "Cannot malloc");
++ snprintf(args[i++], len, "<%s>", *argv);
++ }
++ argv++;
++ argc--;
++
++ /* Paranoia check, argc used for args[] bound */
++ if (argc < 0)
++ err(EX_SOFTWARE, "Argument count mismatch");
++ }
++ args[i] = NULL;
++
++ if (debug)
++ {
++ fprintf(stderr, "Sendmail arguments:\n");
++ for (i = 0; args[i] != NULL; i++)
++ fprintf(stderr, "\t%s\n", args[i]);
++ }
++
++ /*
++ ** If called with a regular file as standard input, seek to the right
++ ** position in the file and just exec sendmail. Could probably skip
++ ** skip the stat, but it's not unreasonable to believe that a failed
++ ** seek will cause future reads to fail.
++ */
++
++ if (!fstat(STDIN_FILENO, &sb) && S_ISREG(sb.st_mode))
++ {
++ if (lseek(STDIN_FILENO, offset, SEEK_SET) != offset)
++ err(EX_TEMPFAIL, "stdin seek");
++ (void) execv(_PATH_SENDMAIL, args);
++ err(EX_OSERR, "%s", _PATH_SENDMAIL);
++ }
++
++ if (pipe(pdes) < 0)
++ err(EX_OSERR, NULL);
++
++ switch (pid = FORK())
++ {
++ case -1: /* Err. */
++ err(EX_OSERR, NULL);
++ /* NOTREACHED */
++
++ case 0: /* Child. */
++ if (pdes[0] != STDIN_FILENO)
++ {
++ (void) dup2(pdes[0], STDIN_FILENO);
++ (void) close(pdes[0]);
++ }
++ (void) close(pdes[1]);
++ (void) execv(_PATH_SENDMAIL, args);
++ _exit(127);
++ /* NOTREACHED */
++ }
++
++ if ((fp = fdopen(pdes[1], "w")) == NULL)
++ err(EX_OSERR, NULL);
++ (void) close(pdes[0]);
++
++ /* Copy the file down the pipe. */
++ do
++ {
++ (void) fprintf(fp, "%s", lbuf);
++ } while (fgets(lbuf, sizeof(lbuf), stdin) != NULL);
++
++ if (ferror(stdin))
++ err(EX_TEMPFAIL, "stdin: %s", strerror(errno));
++
++ if (fclose(fp))
++ err(EX_OSERR, NULL);
++
++ if ((waitpid(pid, &status, 0)) == -1)
++ err(EX_OSERR, "%s", _PATH_SENDMAIL);
++
++ if (!WIFEXITED(status))
++ err(EX_OSERR, "%s: did not terminate normally", _PATH_SENDMAIL);
++
++ if (WEXITSTATUS(status))
++ err(status, "%s: terminated with %d (non-zero) status",
++ _PATH_SENDMAIL, WEXITSTATUS(status));
++ exit(EX_OK);
++ /* NOTREACHED */
++ return EX_OK;
++}
++
++static void
++usage()
++{
++ (void) fprintf(stderr, "usage: rmail [-T] [-D domain] user ...\n");
++ exit(EX_USAGE);
++}
++
++#ifdef __STDC__
++# include <stdarg.h>
++#else /* __STDC__ */
++# include <varargs.h>
++#endif /* __STDC__ */
++
++static void
++#ifdef __STDC__
++err(int eval, const char *fmt, ...)
++#else /* __STDC__ */
++err(eval, fmt, va_alist)
++ int eval;
++ const char *fmt;
++ va_dcl
++#endif /* __STDC__ */
++{
++ va_list ap;
++#ifdef __STDC__
++ va_start(ap, fmt);
++#else /* __STDC__ */
++ va_start(ap);
++#endif /* __STDC__ */
++ (void) fprintf(stderr, "rmail: ");
++ (void) vfprintf(stderr, fmt, ap);
++ va_end(ap);
++ (void) fprintf(stderr, "\n");
++ exit(eval);
++}
Added: trunk/kolab-postfix/debian/patches/10smtplinelength.dpatch
===================================================================
--- trunk/kolab-postfix/debian/patches/10smtplinelength.dpatch 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/patches/10smtplinelength.dpatch 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10smtplinelength.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-2.1.5/src/global/mail_params.h /tmp/dpep.k6WNIS/postfix-2.1.5/src/global/mail_params.h
+--- postfix-2.1.5/src/global/mail_params.h 2004-12-27 22:21:10.756399492 -0700
++++ /tmp/dpep.k6WNIS/postfix-2.1.5/src/global/mail_params.h 2004-12-27 22:21:15.100465701 -0700
+@@ -837,7 +837,7 @@
+ extern bool var_smtp_rand_addr;
+
+ #define VAR_SMTP_LINE_LIMIT "smtp_line_length_limit"
+-#define DEF_SMTP_LINE_LIMIT 990
++#define DEF_SMTP_LINE_LIMIT 0
+ extern int var_smtp_line_limit;
+
+ #define VAR_SMTP_PIX_THRESH "smtp_pix_workaround_threshold_time"
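Review bot: Changing `DEF_SMTP_LINE_LIMIT` from 990 to 0 disables line wrapping in the Postfix SMTP client (postconf(5) documents 0 as "no limit" for smtp_line_length_limit), so message lines longer than RFC 2821's 1000-octet text line limit will be sent unmodified and may be rejected or truncated by strict receivers, and that trade-off is recorded nowhere because the header still says `## DP: No description.`. Since this alters a compiled-in default rather than a main.cf setting, a reader comparing `postconf -d` output with the upstream documentation will see a differing default with no explanation; shipping `smtp_line_length_limit = 0` in the packaged main.cf would make the same behaviour explicit and reversible without a rebuild. If the patch is kept, a description such as `## DP: Disable the SMTP client line length limit (compiled-in default 0 instead of 990).` would at least state the intent.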
Added: trunk/kolab-postfix/debian/patches/20maps.dpatch
===================================================================
--- trunk/kolab-postfix/debian/patches/20maps.dpatch 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/patches/20maps.dpatch 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,2762 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 20maps.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-release/conf/postfix-files /tmp/dpep.TxugCA/postfix-release/conf/postfix-files
+--- postfix-release/conf/postfix-files 2004-12-27 22:28:28.638273359 -0700
++++ /tmp/dpep.TxugCA/postfix-release/conf/postfix-files 2004-12-27 22:29:11.315099642 -0700
+@@ -62,6 +62,9 @@
+ $queue_directory/saved:d:$mail_owner:-:700:ucr
+ $queue_directory/trace:d:$mail_owner:-:700:ucr
+ $daemon_directory/bounce:f:root:-:755
++$daemon_directory/dict_ldap.so:f:root:-:755
++$daemon_directory/dict_pcre.so:f:root:-:755
++$daemon_directory/dict_mysql.so:f:root:-:755
+ $daemon_directory/cleanup:f:root:-:755
+ $daemon_directory/error:f:root:-:755
+ $daemon_directory/flush:f:root:-:755
+@@ -81,6 +84,10 @@
+ $daemon_directory/trivial-rewrite:f:root:-:755
+ $daemon_directory/verify:f:root:-:755
+ $daemon_directory/virtual:f:root:-:755
++/usr/lib/libpostfix-dns.so.1:f:root:-:755
++/usr/lib/libpostfix-global.so.1:f:root:-:755
++/usr/lib/libpostfix-master.so.1:f:root:-:755
++/usr/lib/libpostfix-util.so.1:f:root:-:755
+ $daemon_directory/nqmgr:h:$daemon_directory/qmgr
+ $command_directory/postalias:f:root:-:755
+ $command_directory/postcat:f:root:-:755
+@@ -100,6 +107,7 @@
+ $config_directory/access:f:root:-:644:p
+ $config_directory/aliases:f:root:-:644:p
+ $config_directory/canonical:f:root:-:644:p
++$config_directory/dynamicmaps.cf:f:root:-:644:p
+ $config_directory/cidr_table:f:root:-:644:o
+ $config_directory/header_checks:f:root:-:644:p
+ $config_directory/install.cf:f:root:-:644:o
+diff -urNad postfix-release/makedefs /tmp/dpep.TxugCA/postfix-release/makedefs
+--- postfix-release/makedefs 2004-12-27 22:28:28.639273144 -0700
++++ /tmp/dpep.TxugCA/postfix-release/makedefs 2004-12-27 22:29:11.315099642 -0700
+@@ -208,6 +208,20 @@
+ # CCARGS="$CCARGS -DHAS_DBM -DPATH_NDBM_H='<gdbm/ndbm.h>'"
+ # GDBM_LIBS=gdbm
+ # fi
++
++ # XXX: post-sarge
++ # But, we'll keep shipping it (with error generation) until
++ # sarge releases.
++ if [ -f /usr/include/gdbm-ndbm.h ]
++ then
++ CCARGS="$CCARGS -DHAS_DBM -DHAS_GDBM -DPATH_NDBM_H='<gdbm-ndbm.h>'"
++ GDBM_LIBS=gdbm_compat
++ elif [ -f /usr/include/gdbm/ndbm.h ]
++ then
++ CCARGS="$CCARGS -DHAS_DBM -DHAS_GDBM -DPATH_NDBM_H='<gdbm/ndbm.h>'"
++ GDBM_LIBS=gdbm
++ fi
++
+ SYSLIBS="-ldb"
+ for name in nsl resolv $GDBM_LIBS
+ do
+diff -urNad postfix-release/src/dns/Makefile.in /tmp/dpep.TxugCA/postfix-release/src/dns/Makefile.in
+--- postfix-release/src/dns/Makefile.in 2004-12-27 22:28:28.639273144 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/dns/Makefile.in 2004-12-27 22:29:11.315099642 -0700
+@@ -12,7 +12,7 @@
+ LIB_DIR = ../../lib
+ INC_DIR = ../../include
+
+-.c.o:; $(CC) $(CFLAGS) -c $*.c
++.c.o:; $(CC) -fPIC $(CFLAGS) -c $*.c
+
+ all: $(LIB)
+
+@@ -24,12 +24,10 @@
+ tests: test
+
+ $(LIB): $(OBJS)
+- $(AR) $(ARFL) $(LIB) $?
+- $(RANLIB) $(LIB)
++ gcc -shared -Wl,-soname,libpostfix-dns.so.1 -o $(LIB) $(OBJS) $(LIBS) $(SYSLIBS)
+
+ $(LIB_DIR)/$(LIB): $(LIB)
+ cp $(LIB) $(LIB_DIR)
+- $(RANLIB) $(LIB_DIR)/$(LIB)
+
+ update: $(LIB_DIR)/$(LIB) $(HDRS)
+ -for i in $(HDRS); \
+diff -urNad postfix-release/src/global/Makefile.in /tmp/dpep.TxugCA/postfix-release/src/global/Makefile.in
+--- postfix-release/src/global/Makefile.in 2004-12-27 22:28:28.640272930 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/global/Makefile.in 2004-12-27 22:29:11.316099427 -0700
+@@ -3,6 +3,7 @@
+ canon_addr.c cfg_parser.c cleanup_strerror.c cleanup_strflags.c \
+ clnt_stream.c debug_peer.c debug_process.c defer.c \
+ deliver_completed.c deliver_flock.c deliver_pass.c deliver_request.c \
++ dict_sdbm.c sdbm.c \
+ dict_ldap.c dict_mysql.c dict_pgsql.c dict_proxy.c domain_list.c \
+ dot_lockfile.c dot_lockfile_as.c ext_prop.c file_id.c flush_clnt.c \
+ header_opts.c header_token.c hold_message.c input_transp.c \
+@@ -27,7 +28,7 @@
+ canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \
+ clnt_stream.o debug_peer.o debug_process.o defer.o \
+ deliver_completed.o deliver_flock.o deliver_pass.o deliver_request.o \
+- dict_ldap.o dict_mysql.o dict_pgsql.o dict_proxy.o domain_list.o \
++ dict_proxy.o domain_list.o \
+ dot_lockfile.o dot_lockfile_as.o ext_prop.o file_id.o flush_clnt.o \
+ header_opts.o header_token.o hold_message.o input_transp.o \
+ is_header.o log_adhoc.o mail_addr.o mail_addr_crunch.o \
+@@ -51,6 +52,7 @@
+ canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \
+ debug_peer.h debug_process.h defer.h deliver_completed.h \
+ deliver_flock.h deliver_pass.h deliver_request.h dict_ldap.h \
++ dict_sdbm.h sdbm.h \
+ dict_mysql.h dict_pgsql.h dict_proxy.h domain_list.h dot_lockfile.h \
+ dot_lockfile_as.h ext_prop.h file_id.h flush_clnt.h header_opts.h \
+ header_token.h hold_message.h input_transp.h is_header.h \
+@@ -84,10 +86,14 @@
+ LIB_DIR = ../../lib
+ INC_DIR = ../../include
+ MAKES =
++SDBMSO = dict_sdbm.so
++LDAPSO = dict_ldap.so
++MYSQLSO = dict_mysql.so
++PGSQLSO = dict_pgsql.so
+
+-.c.o:; $(CC) $(CFLAGS) -c $*.c
++.c.o:; $(CC) -fPIC $(CFLAGS) -c $*.c
+
+-all: $(LIB)
++all: $(LIB) $(SDBMSO) $(LDAPSO) $(MYSQLSO) $(PGSQLSO)
+
+ Makefile: Makefile.in
+ (set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../../makedefs && cat $?) >$@
+@@ -95,14 +101,36 @@
+ test: $(TESTPROG)
+
+ $(LIB): $(OBJS)
+- $(AR) $(ARFL) $(LIB) $?
+- $(RANLIB) $(LIB)
++ gcc -shared -Wl,-soname,libpostfix-global.so.1 -o $(LIB) $(OBJS) $(LIBS) $(SYSLIBS)
++
++$(SDBMSO): dict_sdbm.o sdbm.o
++ gcc -shared -Wl,-soname,dict_sdbm.so -o $@ dict_sdbm.o sdbm.o -L. -lutil -lglobal
++
++$(LDAPSO): dict_ldap.o
++ gcc -shared -Wl,-soname,dict_ldap.so -o $@ $? -lldap -llber -L../../lib -lutil -L. -lglobal
++
++$(MYSQLSO): dict_mysql.o
++ gcc -shared -Wl,-soname,dict_mysql.so -o $@ $? -lmysqlclient -L. -lutil -lglobal
++
++$(PGSQLSO): dict_pgsql.o
++ gcc -shared -Wl,-soname,dict_pgsql.so -o $@ $? -lpq -L. -lutil -lglobal
+
+ $(LIB_DIR)/$(LIB): $(LIB)
+ cp $(LIB) $(LIB_DIR)
+- $(RANLIB) $(LIB_DIR)/$(LIB)
+
+-update: $(LIB_DIR)/$(LIB) $(HDRS)
++$(LIB_DIR)/$(SDBMSO): $(SDBMSO)
++ cp $(SDBMSO) $(LIB_DIR)
++
++$(LIB_DIR)/$(LDAPSO): $(LDAPSO)
++ cp $(LDAPSO) $(LIB_DIR)
++
++$(LIB_DIR)/$(MYSQLSO): $(MYSQLSO)
++ cp $(MYSQLSO) $(LIB_DIR)
++
++$(LIB_DIR)/$(PGSQLSO): $(PGSQLSO)
++ cp $(PGSQLSO) $(LIB_DIR)
++
++update: $(LIB_DIR)/$(LIB) $(LIB_DIR)/${LDAPSO} $(LIB_DIR)/${MYSQLSO} $(LIB_DIR)/${PGSQLSO} $(LIB_DIR)/$(SDBMSO) $(HDRS)
+ -for i in $(HDRS); \
+ do \
+ cmp -s $$i $(INC_DIR)/$$i 2>/dev/null || cp $$i $(INC_DIR); \
+@@ -354,7 +382,7 @@
+ lint $(DEFS) $(SRCS) $(LINTFIX)
+
+ clean:
+- rm -f *.o $(LIB) *core $(TESTPROG) junk
++ rm -f *.o $(LIB) $(SDBMSO) $(LDAPSO) $(MYSQLSO) $(PGSQLSO) *core $(TESTPROG) junk
+ rm -rf printfck
+
+ tidy: clean
+@@ -569,6 +597,10 @@
+ dict_proxy.o: mail_params.h
+ dict_proxy.o: clnt_stream.h
+ dict_proxy.o: dict_proxy.h
++dict_sdbm.o: ../../include/sys_defs.h
++dict_sdbm.o: sdbm.h
++dict_sdbm.o: dict_sdbm.c
++dict_sdbm.o: dict_sdbm.h
+ domain_list.o: domain_list.c
+ domain_list.o: ../../include/sys_defs.h
+ domain_list.o: ../../include/match_list.h
+@@ -643,6 +675,10 @@
+ hold_message.o: ../../include/vstream.h
+ hold_message.o: mail_params.h
+ hold_message.o: hold_message.h
++inet_interfaces_to_af.o: inet_interfaces_to_af.c
++inet_interfaces_to_af.o: ../../include/sys_defs.h
++inet_interfaces_to_af.o: mail_params.h
++inet_interfaces_to_af.o: inet_interfaces_to_af.h
+ input_transp.o: input_transp.c
+ input_transp.o: ../../include/sys_defs.h
+ input_transp.o: ../../include/name_mask.h
+@@ -1088,6 +1124,7 @@
+ own_inet_addr.o: ../../include/vbuf.h
+ own_inet_addr.o: mail_params.h
+ own_inet_addr.o: own_inet_addr.h
++own_inet_addr.o: inet_interfaces_to_af.h
+ pipe_command.o: pipe_command.c
+ pipe_command.o: ../../include/sys_defs.h
+ pipe_command.o: ../../include/msg.h
+@@ -1220,6 +1257,8 @@
+ rewrite_clnt.o: mail_params.h
+ rewrite_clnt.o: clnt_stream.h
+ rewrite_clnt.o: rewrite_clnt.h
++sdbm.o: sdbm.c
++sdbm.o: sdbm.h
+ sent.o: sent.c
+ sent.o: ../../include/sys_defs.h
+ sent.o: ../../include/msg.h
+diff -urNad postfix-release/src/global/dict_sdbm.c /tmp/dpep.TxugCA/postfix-release/src/global/dict_sdbm.c
+--- postfix-release/src/global/dict_sdbm.c 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/global/dict_sdbm.c 2004-12-27 22:29:11.317099212 -0700
+@@ -0,0 +1,469 @@
++/*++
++/* NAME
++/* dict_sdbm 3
++/* SUMMARY
++/* dictionary manager interface to SDBM files
++/* SYNOPSIS
++/* #include <dict_sdbm.h>
++/*
++/* DICT *dict_sdbm_open(path, open_flags, dict_flags)
++/* const char *name;
++/* const char *path;
++/* int open_flags;
++/* int dict_flags;
++/* DESCRIPTION
++/* dict_sdbm_open() opens the named SDBM database and makes it available
++/* via the generic interface described in dict_open(3).
++/* DIAGNOSTICS
++/* Fatal errors: cannot open file, file write error, out of memory.
++/* SEE ALSO
++/* dict(3) generic dictionary manager
++/* sdbm(3) data base subroutines
++/* LICENSE
++/* .ad
++/* .fi
++/* The Secure Mailer license must be distributed with this software.
++/* AUTHOR(S)
++/* Wietse Venema
++/* IBM T.J. Watson Research
++/* P.O. Box 704
++/* Yorktown Heights, NY 10598, USA
++/*--*/
++
++#include "sys_defs.h"
++
++/* System library. */
++
++#include <sys/stat.h>
++#include <string.h>
++#include <unistd.h>
++
++/* Utility library. */
++
++#include "msg.h"
++#include "mymalloc.h"
++#include "htable.h"
++#include "iostuff.h"
++#include "vstring.h"
++#include "myflock.h"
++#include "stringops.h"
++#include "dict.h"
++#include "dict_sdbm.h"
++#include "sdbm.h"
++
++/* Application-specific. */
++
++typedef struct {
++ DICT dict; /* generic members */
++ SDBM *dbm; /* open database */
++ char *path; /* pathname */
++} DICT_SDBM;
++
++/* dict_sdbm_lookup - find database entry */
++
++static const char *dict_sdbm_lookup(DICT *dict, const char *name)
++{
++ DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
++ datum dbm_key;
++ datum dbm_value;
++ static VSTRING *buf;
++ const char *result = 0;
++
++ dict_errno = 0;
++
++ /*
++ * Acquire an exclusive lock.
++ */
++ if ((dict->flags & DICT_FLAG_LOCK)
++ && myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_SHARED) < 0)
++ msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
++
++ /*
++ * See if this DBM file was written with one null byte appended to key
++ * and value.
++ */
++ if (dict->flags & DICT_FLAG_TRY1NULL) {
++ dbm_key.dptr = (void *) name;
++ dbm_key.dsize = strlen(name) + 1;
++ dbm_value = sdbm_fetch(dict_sdbm->dbm, dbm_key);
++ if (dbm_value.dptr != 0) {
++ dict->flags &= ~DICT_FLAG_TRY0NULL;
++ result = dbm_value.dptr;
++ }
++ }
++
++ /*
++ * See if this DBM file was written with no null byte appended to key and
++ * value.
++ */
++ if (result == 0 && (dict->flags & DICT_FLAG_TRY0NULL)) {
++ dbm_key.dptr = (void *) name;
++ dbm_key.dsize = strlen(name);
++ dbm_value = sdbm_fetch(dict_sdbm->dbm, dbm_key);
++ if (dbm_value.dptr != 0) {
++ if (buf == 0)
++ buf = vstring_alloc(10);
++ vstring_strncpy(buf, dbm_value.dptr, dbm_value.dsize);
++ dict->flags &= ~DICT_FLAG_TRY1NULL;
++ result = vstring_str(buf);
++ }
++ }
++
++ /*
++ * Release the exclusive lock.
++ */
++ if ((dict->flags & DICT_FLAG_LOCK)
++ && myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
++ msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
++
++ return (result);
++}
++
++/* dict_sdbm_update - add or update database entry */
++
++static void dict_sdbm_update(DICT *dict, const char *name, const char *value)
++{
++ DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
++ datum dbm_key;
++ datum dbm_value;
++ int status;
++
++ dbm_key.dptr = (void *) name;
++ dbm_value.dptr = (void *) value;
++ dbm_key.dsize = strlen(name);
++ dbm_value.dsize = strlen(value);
++
++ /*
++ * If undecided about appending a null byte to key and value, choose a
++ * default depending on the platform.
++ */
++ if ((dict->flags & DICT_FLAG_TRY1NULL)
++ && (dict->flags & DICT_FLAG_TRY0NULL)) {
++#ifdef DBM_NO_TRAILING_NULL
++ dict->flags &= ~DICT_FLAG_TRY1NULL;
++#else
++ dict->flags &= ~DICT_FLAG_TRY0NULL;
++#endif
++ }
++
++ /*
++ * Optionally append a null byte to key and value.
++ */
++ if (dict->flags & DICT_FLAG_TRY1NULL) {
++ dbm_key.dsize++;
++ dbm_value.dsize++;
++ }
++
++ /*
++ * Acquire an exclusive lock.
++ */
++ if ((dict->flags & DICT_FLAG_LOCK)
++ && myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
++ msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
++
++ /*
++ * Do the update.
++ */
++ if ((status = sdbm_store(dict_sdbm->dbm, dbm_key, dbm_value,
++ (dict->flags & DICT_FLAG_DUP_REPLACE) ? DBM_REPLACE : DBM_INSERT)) < 0)
++ msg_fatal("error writing SDBM database %s: %m", dict_sdbm->path);
++ if (status) {
++ if (dict->flags & DICT_FLAG_DUP_IGNORE)
++ /* void */ ;
++ else if (dict->flags & DICT_FLAG_DUP_WARN)
++ msg_warn("%s: duplicate entry: \"%s\"", dict_sdbm->path, name);
++ else
++ msg_fatal("%s: duplicate entry: \"%s\"", dict_sdbm->path, name);
++ }
++
++ /*
++ * Release the exclusive lock.
++ */
++ if ((dict->flags & DICT_FLAG_LOCK)
++ && myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
++ msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
++}
++
++
++/* dict_sdbm_delete - delete one entry from the dictionary */
++
++static int dict_sdbm_delete(DICT *dict, const char *name)
++{
++ DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
++ datum dbm_key;
++ int status = 1;
++ int flags = 0;
++
++ /*
++ * Acquire an exclusive lock.
++ */
++ if ((dict->flags & DICT_FLAG_LOCK)
++ && myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
++ msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
++
++ /*
++ * See if this DBM file was written with one null byte appended to key
++ * and value.
++ */
++ if (dict->flags & DICT_FLAG_TRY1NULL) {
++ dbm_key.dptr = (void *) name;
++ dbm_key.dsize = strlen(name) + 1;
++ sdbm_clearerr(dict_sdbm->dbm);
++ if ((status = sdbm_delete(dict_sdbm->dbm, dbm_key)) < 0) {
++ if (sdbm_error(dict_sdbm->dbm) != 0) /* fatal error */
++ msg_fatal("error deleting from %s: %m", dict_sdbm->path);
++ status = 1; /* not found */
++ } else {
++ dict->flags &= ~DICT_FLAG_TRY0NULL; /* found */
++ }
++ }
++
++ /*
++ * See if this DBM file was written with no null byte appended to key and
++ * value.
++ */
++ if (status > 0 && (dict->flags & DICT_FLAG_TRY0NULL)) {
++ dbm_key.dptr = (void *) name;
++ dbm_key.dsize = strlen(name);
++ sdbm_clearerr(dict_sdbm->dbm);
++ if ((status = sdbm_delete(dict_sdbm->dbm, dbm_key)) < 0) {
++ if (sdbm_error(dict_sdbm->dbm) != 0) /* fatal error */
++ msg_fatal("error deleting from %s: %m", dict_sdbm->path);
++ status = 1; /* not found */
++ } else {
++ dict->flags &= ~DICT_FLAG_TRY1NULL; /* found */
++ }
++ }
++
++ /*
++ * Release the exclusive lock.
++ */
++ if ((dict->flags & DICT_FLAG_LOCK)
++ && myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
++ msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
++
++ return (status);
++}
++
++/* traverse the dictionary */
++
++static int dict_sdbm_sequence(DICT *dict, const int function,
++ const char **key, const char **value)
++{
++ char *myname = "dict_sdbm_sequence";
++ DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
++ datum dbm_key;
++ datum dbm_value;
++ int status = 0;
++ static VSTRING *key_buf;
++ static VSTRING *value_buf;
++
++ /*
++ * Acquire an exclusive lock.
++ */
++ if ((dict->flags & DICT_FLAG_LOCK)
++ && myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
++ msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
++
++ /*
++ * Determine and execute the seek function. It returns the key.
++ */
++ switch (function) {
++ case DICT_SEQ_FUN_FIRST:
++ dbm_key = sdbm_firstkey(dict_sdbm->dbm);
++ break;
++ case DICT_SEQ_FUN_NEXT:
++ dbm_key = sdbm_nextkey(dict_sdbm->dbm);
++ break;
++ default:
++ msg_panic("%s: invalid function: %d", myname, function);
++ }
++
++ /*
++ * Release the exclusive lock.
++ */
++ if ((dict->flags & DICT_FLAG_LOCK)
++ && myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
++ msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
++
++ if (dbm_key.dptr != 0 && dbm_key.dsize > 0) {
++
++ /*
++ * See if this DB file was written with one null byte appended to key
++ * an d value or not. If necessary, copy the key.
++ */
++ if (((char *) dbm_key.dptr)[dbm_key.dsize - 1] == 0) {
++ *key = dbm_key.dptr;
++ } else {
++ if (key_buf == 0)
++ key_buf = vstring_alloc(10);
++ vstring_strncpy(key_buf, dbm_key.dptr, dbm_key.dsize);
++ *key = vstring_str(key_buf);
++ }
++
++ /*
++ * Fetch the corresponding value.
++ */
++ dbm_value = sdbm_fetch(dict_sdbm->dbm, dbm_key);
++
++ if (dbm_value.dptr != 0 && dbm_value.dsize > 0) {
++
++ /*
++ * See if this DB file was written with one null byte appended to
++ * key and value or not. If necessary, copy the key.
++ */
++ if (((char *) dbm_value.dptr)[dbm_value.dsize - 1] == 0) {
++ *value = dbm_value.dptr;
++ } else {
++ if (value_buf == 0)
++ value_buf = vstring_alloc(10);
++ vstring_strncpy(value_buf, dbm_value.dptr, dbm_value.dsize);
++ *value = vstring_str(value_buf);
++ }
++ } else {
++
++ /*
++ * Determine if we have hit the last record or an error
++ * condition.
++ */
++ if (sdbm_error(dict_sdbm->dbm))
++ msg_fatal("error seeking %s: %m", dict_sdbm->path);
++ return (1); /* no error: eof/not found
++ * (should not happen!) */
++ }
++ } else {
++
++ /*
++ * Determine if we have hit the last record or an error condition.
++ */
++ if (sdbm_error(dict_sdbm->dbm))
++ msg_fatal("error seeking %s: %m", dict_sdbm->path);
++ return (1); /* no error: eof/not found */
++ }
++ return (0);
++}
++
++/* dict_sdbm_close - disassociate from data base */
++
++static void dict_sdbm_close(DICT *dict)
++{
++ DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
++
++ sdbm_close(dict_sdbm->dbm);
++ myfree(dict_sdbm->path);
++ myfree((char *) dict_sdbm);
++}
++
++/* dict_sdbm_open - open SDBM data base */
++
++DICT *dict_sdbm_open(const char *path, int open_flags, int dict_flags)
++{
++ DICT_SDBM *dict_sdbm;
++ struct stat st;
++ SDBM *dbm;
++ char *dbm_path;
++ int lock_fd;
++
++ if (dict_flags & DICT_FLAG_LOCK) {
++ dbm_path = concatenate(path, ".pag", (char *) 0);
++ if ((lock_fd = open(dbm_path, open_flags, 0644)) < 0)
++ msg_fatal("open database %s: %m", dbm_path);
++ if (myflock(lock_fd, INTERNAL_LOCK, MYFLOCK_OP_SHARED) < 0)
++ msg_fatal("shared-lock database %s for open: %m", dbm_path);
++ }
++
++ /*
++ * XXX SunOS 5.x has no const in dbm_open() prototype.
++ */
++ if ((dbm = sdbm_open((char *) path, open_flags, 0644)) == 0)
++ msg_fatal("open database %s.{dir,pag}: %m", path);
++
++ if (dict_flags & DICT_FLAG_LOCK) {
++ if (myflock(lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
++ msg_fatal("unlock database %s for open: %m", dbm_path);
++ if (close(lock_fd) < 0)
++ msg_fatal("close database %s: %m", dbm_path);
++ myfree(dbm_path);
++ }
++ dict_sdbm = (DICT_SDBM *) mymalloc(sizeof(*dict_sdbm));
++ dict_sdbm->dict.lookup = dict_sdbm_lookup;
++ dict_sdbm->dict.update = dict_sdbm_update;
++ dict_sdbm->dict.delete = dict_sdbm_delete;
++ dict_sdbm->dict.sequence = dict_sdbm_sequence;
++ dict_sdbm->dict.close = dict_sdbm_close;
++ dict_sdbm->dict.lock_fd = sdbm_dirfno(dbm);
++ dict_sdbm->dict.stat_fd = sdbm_pagfno(dbm);
++ if (fstat(dict_sdbm->dict.stat_fd, &st) < 0)
++ msg_fatal("dict_sdbm_open: fstat: %m");
++ dict_sdbm->dict.mtime = st.st_mtime;
++ close_on_exec(sdbm_pagfno(dbm), CLOSE_ON_EXEC);
++ close_on_exec(sdbm_dirfno(dbm), CLOSE_ON_EXEC);
++ dict_sdbm->dict.flags = dict_flags | DICT_FLAG_FIXED;
++ if ((dict_flags & (DICT_FLAG_TRY0NULL | DICT_FLAG_TRY1NULL)) == 0)
++ dict_sdbm->dict.flags |= (DICT_FLAG_TRY0NULL | DICT_FLAG_TRY1NULL);
++ dict_sdbm->dbm = dbm;
++ dict_sdbm->path = mystrdup(path);
++
++ return (&dict_sdbm->dict);
++}
++
++#include "mkmap.h"
++
++typedef struct MKMAP_DBM {
++ MKMAP mkmap; /* parent class */
++ char *lock_file; /* path name */
++ int lock_fd; /* -1 or open locked file */
++} MKMAP_DBM;
++
++/* mkmap_dbm_after_close - clean up after closing database */
++
++static void mkmap_sdbm_after_close(MKMAP *mp)
++{
++ MKMAP_DBM *mkmap = (MKMAP_DBM *) mp;
++
++ if (mkmap->lock_fd >= 0 && close(mkmap->lock_fd) < 0)
++ msg_warn("close %s: %m", mkmap->lock_file);
++ myfree(mkmap->lock_file);
++}
++
++/* mkmap_sdbm_open - create or open database */
++
++MKMAP *mkmap_sdbm_open(const char *path)
++{
++ MKMAP_DBM *mkmap = (MKMAP_DBM *) mymalloc(sizeof(*mkmap));
++ char *pag_file;
++ int pag_fd;
++
++ /*
++ * Fill in the generic members.
++ */
++ mkmap->lock_file = concatenate(path, ".dir", (char *) 0);
++ mkmap->mkmap.open = dict_sdbm_open;
++ mkmap->mkmap.after_open = 0;
++ mkmap->mkmap.after_close = mkmap_sdbm_after_close;
++
++ /*
++ * Unfortunately, not all systems support locking on open(), so we open
++ * the .dir and .pag files before truncating them. Keep one file open for
++ * locking.
++ */
++ if ((mkmap->lock_fd = open(mkmap->lock_file, O_CREAT | O_RDWR, 0644)) < 0)
++ msg_fatal("open %s: %m", mkmap->lock_file);
++
++ pag_file = concatenate(path, ".pag", (char *) 0);
++ if ((pag_fd = open(pag_file, O_CREAT | O_RDWR, 0644)) < 0)
++ msg_fatal("open %s: %m", pag_file);
++ if (close(pag_fd))
++ msg_warn("close %s: %m", pag_file);
++ myfree(pag_file);
++
++ /*
++ * Get an exclusive lock - we're going to change the database so we can't
++ * have any spectators.
++ */
++ if (myflock(mkmap->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
++ msg_fatal("lock %s: %m", mkmap->lock_file);
++
++ return (&mkmap->mkmap);
++}
++
+diff -urNad postfix-release/src/global/dict_sdbm.h /tmp/dpep.TxugCA/postfix-release/src/global/dict_sdbm.h
+--- postfix-release/src/global/dict_sdbm.h 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/global/dict_sdbm.h 2004-12-27 22:29:11.317099212 -0700
+@@ -0,0 +1,36 @@
++#ifndef _DICT_SDBM_H_INCLUDED_
++#define _DICT_SDBM_H_INCLUDED_
++
++/*++
++/* NAME
++/* dict_dbm 3h
++/* SUMMARY
++/* dictionary manager interface to DBM files
++/* SYNOPSIS
++/* #include <dict_dbm.h>
++/* DESCRIPTION
++/* .nf
++
++ /*
++ * Utility library.
++ */
++#include <dict.h>
++
++ /*
++ * External interface.
++ */
++#define DICT_TYPE_SDBM "sdbm"
++extern DICT *dict_sdbm_open(const char *, int, int);
++
++/* LICENSE
++/* .ad
++/* .fi
++/* The Secure Mailer license must be distributed with this software.
++/* AUTHOR(S)
++/* Wietse Venema
++/* IBM T.J. Watson Research
++/* P.O. Box 704
++/* Yorktown Heights, NY 10598, USA
++/*--*/
++
++#endif
+diff -urNad postfix-release/src/global/mail_conf.c /tmp/dpep.TxugCA/postfix-release/src/global/mail_conf.c
+--- postfix-release/src/global/mail_conf.c 2004-12-27 22:28:28.642272500 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/global/mail_conf.c 2004-12-27 22:29:11.318098997 -0700
+@@ -175,6 +175,13 @@
+ path = concatenate(var_config_dir, "/", "main.cf", (char *) 0);
+ dict_load_file(CONFIG_DICT, path);
+ myfree(path);
++
++#ifndef NO_DYNAMIC_MAPS
++ path = concatenate(var_config_dir, "/", "dynamicmaps.cf", (char *) 0);
++ dict_open_dlinfo(path);
++ myfree(path);
++#endif
++
+ }
+
+ /* mail_conf_eval - expand macros in string */
+diff -urNad postfix-release/src/global/mail_dict.c /tmp/dpep.TxugCA/postfix-release/src/global/mail_dict.c
+--- postfix-release/src/global/mail_dict.c 2004-12-27 22:28:28.642272500 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/global/mail_dict.c 2004-12-27 22:29:11.318098997 -0700
+@@ -45,6 +45,7 @@
+
+ static DICT_OPEN_INFO dict_open_info[] = {
+ DICT_TYPE_PROXY, dict_proxy_open,
++#ifndef MAX_DYNAMIC_MAPS
+ #ifdef HAS_LDAP
+ DICT_TYPE_LDAP, dict_ldap_open,
+ #endif
+@@ -54,6 +55,7 @@
+ #ifdef HAS_PGSQL
+ DICT_TYPE_PGSQL, dict_pgsql_open,
+ #endif
++#endif /* MAX_DYNAMIC_MAPS */
+ 0,
+ };
+
+diff -urNad postfix-release/src/global/mail_params.c /tmp/dpep.TxugCA/postfix-release/src/global/mail_params.c
+--- postfix-release/src/global/mail_params.c 2004-12-27 22:28:28.643272285 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/global/mail_params.c 2004-12-27 22:29:11.318098997 -0700
+@@ -149,6 +149,8 @@
+ #include <valid_hostname.h>
+ #include <stringops.h>
+ #include <safe.h>
++#include <safe_open.h>
++#include <mymalloc.h>
+ #ifdef HAS_DB
+ #include <dict_db.h>
+ #endif
+@@ -422,6 +424,38 @@
+ (long) var_sgid_gid);
+ }
+
++static char *read_file(const char *name)
++{
++ char *ret;
++ VSTRING *why=vstring_alloc(1);
++ VSTRING *new_name=vstring_alloc(1);
++ VSTREAM *vp=safe_open(name, O_RDONLY, 0, NULL, -1, -1, why);
++
++ /*
++ * Ugly macros to make complex expressions less unreadable.
++ */
++#define SKIP(start, var, cond) \
++ for (var = start; *var && (cond); var++);
++
++#define TRIM(s) { \
++ char *p; \
++ for (p = (s) + strlen(s); p > (s) && ISSPACE(p[-1]); p--); \
++ *p = 0; \
++ }
++
++ if (!vp) {
++ msg_fatal("%s: unable to open: %s",name,vstring_str(why));
++ }
++ vstring_get_nonl(new_name,vp);
++ vstream_fclose(vp);
++ SKIP(vstring_str(new_name),ret,ISSPACE(*ret));
++ ret=mystrdup(ret);
++ TRIM(ret);
++ vstring_free(why);
++ vstring_free(new_name);
++ return ret;
++}
++
+ /* mail_params_init - configure built-in parameters */
+
+ void mail_params_init()
+@@ -563,6 +597,9 @@
+ * Variables that are needed by almost every program.
+ */
+ get_mail_conf_str_table(other_str_defaults);
++ if (*var_myorigin=='/') {
++ var_myorigin=read_file(var_myorigin);
++ }
+ get_mail_conf_int_table(other_int_defaults);
+ get_mail_conf_bool_table(bool_defaults);
+ get_mail_conf_time_table(time_defaults);
+diff -urNad postfix-release/src/global/mkmap_open.c /tmp/dpep.TxugCA/postfix-release/src/global/mkmap_open.c
+--- postfix-release/src/global/mkmap_open.c 2004-12-27 22:28:28.643272285 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/global/mkmap_open.c 2004-12-27 22:29:11.318098997 -0700
+@@ -144,7 +144,16 @@
+ */
+ for (mp = mkmap_types; /* void */ ; mp++) {
+ if (mp->type == 0)
++#ifndef NO_DYNAMIC_MAPS
++ {
++ static MKMAP_OPEN_INFO oi;
++ oi.before_open=dict_mkmap_func(type);
++ oi.type=type;
++ mp=&oi;
++ }
++#else
+ msg_fatal("unsupported map type: %s", type);
++#endif
+ if (strcmp(type, mp->type) == 0)
+ break;
+ }
+diff -urNad postfix-release/src/global/sdbm.c /tmp/dpep.TxugCA/postfix-release/src/global/sdbm.c
+--- postfix-release/src/global/sdbm.c 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/global/sdbm.c 2004-12-27 22:29:11.320098567 -0700
+@@ -0,0 +1,972 @@
++/*++
++/* NAME
++/* sdbm 3h
++/* SUMMARY
++/* SDBM Simple DBM: ndbm work-alike hashed database library
++/* SYNOPSIS
++/* include "sdbm.h"
++/* DESCRIPTION
++/* This file includes the public domain SDBM (ndbm work-alike hashed
++/* database library), based on Per-Aake Larson's Dynamic Hashing
++/* algorithms. BIT 18 (1978).
++/* author: oz at nexus.yorku.ca
++/* status: public domain
++/* The file has been patched following the advice of Uwe Ohse
++/* <uwe at ohse.de>:
++/* --------------------------------------------------------------
++/* this patch fixes a problem with sdbms .dir file, which arrises when
++/* a second .dir block is needed for the first time. read() returns 0
++/* in that case, and the library forgot to initialize that new block.
++/*
++/* A related problem is that the calculation of db->maxbno is wrong.
++/* It just appends 4096*BYTESIZ bits, which is not enough except for
++/* small databases (.dir basically doubles everytime it's too small).
++/* --------------------------------------------------------------
++/* According to Uwe Ohse, the patch has also been submitted to the
++/* author of SDBM. (The 4096*BYTESIZ bits comment may apply with a
++/* different size for Postfix/TLS, as the patch was sent against the
++/* original SDBM distributiona and for Postfix/TLS I have changed the
++/* default sizes.
++/* .nf
++/*--*/
++
++/*
++ * sdbm - ndbm work-alike hashed database library
++ * based on Per-Aake Larson's Dynamic Hashing algorithms. BIT 18 (1978).
++ * author: oz at nexus.yorku.ca
++ * status: public domain.
++ *
++ * core routines
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#ifdef WIN32
++#include <io.h>
++#include <errno.h>
++#else
++#include <unistd.h>
++#endif
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
++#include <errno.h>
++#include <string.h>
++#ifdef __STDC__
++#include <stddef.h>
++#endif
++#include <mymalloc.h>
++
++#include <sdbm.h>
++
++/*
++ * useful macros
++ */
++#define bad(x) ((x).dptr == NULL || (x).dsize <= 0)
++#define exhash(item) sdbm_hash((item).dptr, (item).dsize)
++#define ioerr(db) ((db)->flags |= DBM_IOERR)
++
++#define OFF_PAG(off) (long) (off) * PBLKSIZ
++#define OFF_DIR(off) (long) (off) * DBLKSIZ
++
++static long masks[] =
++{
++ 000000000000, 000000000001, 000000000003, 000000000007,
++ 000000000017, 000000000037, 000000000077, 000000000177,
++ 000000000377, 000000000777, 000000001777, 000000003777,
++ 000000007777, 000000017777, 000000037777, 000000077777,
++ 000000177777, 000000377777, 000000777777, 000001777777,
++ 000003777777, 000007777777, 000017777777, 000037777777,
++ 000077777777, 000177777777, 000377777777, 000777777777,
++ 001777777777, 003777777777, 007777777777, 017777777777
++};
++
++datum nullitem =
++{NULL, 0};
++
++typedef struct
++{
++ int dirf; /* directory file descriptor */
++ int pagf; /* page file descriptor */
++ int flags; /* status/error flags, see below */
++ long maxbno; /* size of dirfile in bits */
++ long curbit; /* current bit number */
++ long hmask; /* current hash mask */
++ long blkptr; /* current block for nextkey */
++ int keyptr; /* current key for nextkey */
++ long blkno; /* current page to read/write */
++ long pagbno; /* current page in pagbuf */
++ char *pagbuf; /* page file block buffer */
++ long dirbno; /* current block in dirbuf */
++ char *dirbuf; /* directory file block buffer */
++} DBM;
++
++
++/* ************************* */
++
++/*
++ * sdbm - ndbm work-alike hashed database library
++ * based on Per-Aake Larson's Dynamic Hashing algorithms. BIT 18 (1978).
++ * author: oz at nexus.yorku.ca
++ * status: public domain. keep it that way.
++ *
++ * hashing routine
++ */
++
++/*
++ * polynomial conversion ignoring overflows
++ * [this seems to work remarkably well, in fact better
++ * then the ndbm hash function. Replace at your own risk]
++ * use: 65599 nice.
++ * 65587 even better.
++ */
++static long sdbm_hash (char *str, int len)
++{
++ unsigned long n = 0;
++
++#ifdef DUFF
++#define HASHC n = *str++ + 65599 * n
++ if (len > 0)
++ {
++ int loop = (len + 8 - 1) >> 3;
++
++ switch (len & (8 - 1))
++ {
++ case 0:
++ do
++ {
++ HASHC;
++ case 7:
++ HASHC;
++ case 6:
++ HASHC;
++ case 5:
++ HASHC;
++ case 4:
++ HASHC;
++ case 3:
++ HASHC;
++ case 2:
++ HASHC;
++ case 1:
++ HASHC;
++ }
++ while (--loop);
++ }
++
++ }
++#else
++ while (len--)
++ n = *str++ + 65599 * n;
++#endif
++ return n;
++}
++
++/*
++ * check page sanity:
++ * number of entries should be something
++ * reasonable, and all offsets in the index should be in order.
++ * this could be made more rigorous.
++ */
++static int chkpage (char *pag)
++{
++ int n;
++ int off;
++ short *ino = (short *) pag;
++
++ if ((n = ino[0]) < 0 || n > PBLKSIZ / sizeof (short))
++ return 0;
++
++ if (n > 0)
++ {
++ off = PBLKSIZ;
++ for (ino++; n > 0; ino += 2)
++ {
++ if (ino[0] > off || ino[1] > off ||
++ ino[1] > ino[0])
++ return 0;
++ off = ino[1];
++ n -= 2;
++ }
++ }
++ return 1;
++}
++
++/*
++ * search for the key in the page.
++ * return offset index in the range 0 < i < n.
++ * return 0 if not found.
++ */
++static int seepair (char *pag, int n, char *key, int siz)
++{
++ int i;
++ int off = PBLKSIZ;
++ short *ino = (short *) pag;
++
++ for (i = 1; i < n; i += 2)
++ {
++ if (siz == off - ino[i] &&
++ memcmp (key, pag + ino[i], siz) == 0)
++ return i;
++ off = ino[i + 1];
++ }
++ return 0;
++}
++
++#ifdef SEEDUPS
++static int duppair (char *pag, datum key)
++{
++ short *ino = (short *) pag;
++
++ return ino[0] > 0 && seepair (pag, ino[0], key.dptr, key.dsize) > 0;
++}
++
++#endif
++
++/* ************************* */
++
++/*
++ * sdbm - ndbm work-alike hashed database library
++ * based on Per-Aake Larson's Dynamic Hashing algorithms. BIT 18 (1978).
++ * author: oz at nexus.yorku.ca
++ * status: public domain.
++ *
++ * page-level routines
++ */
++
++/*
++ * page format:
++ * +------------------------------+
++ * ino | n | keyoff | datoff | keyoff |
++ * +------------+--------+--------+
++ * | datoff | - - - ----> |
++ * +--------+---------------------+
++ * | F R E E A R E A |
++ * +--------------+---------------+
++ * | <---- - - - | data |
++ * +--------+-----+----+----------+
++ * | key | data | key |
++ * +--------+----------+----------+
++ *
++ * calculating the offsets for free area: if the number
++ * of entries (ino[0]) is zero, the offset to the END of
++ * the free area is the block size. Otherwise, it is the
++ * nth (ino[ino[0]]) entry's offset.
++ */
++
++static int fitpair (char *pag, int need)
++{
++ int n;
++ int off;
++ int avail;
++ short *ino = (short *) pag;
++
++ off = ((n = ino[0]) > 0) ? ino[n] : PBLKSIZ;
++ avail = off - (n + 1) * sizeof (short);
++ need += 2 * sizeof (short);
++
++ return need <= avail;
++}
++
++static void putpair (char *pag, datum key, datum val)
++{
++ int n;
++ int off;
++ short *ino = (short *) pag;
++
++ off = ((n = ino[0]) > 0) ? ino[n] : PBLKSIZ;
++/*
++ * enter the key first
++ */
++ off -= key.dsize;
++ (void) memcpy (pag + off, key.dptr, key.dsize);
++ ino[n + 1] = off;
++/*
++ * now the data
++ */
++ off -= val.dsize;
++ (void) memcpy (pag + off, val.dptr, val.dsize);
++ ino[n + 2] = off;
++/*
++ * adjust item count
++ */
++ ino[0] += 2;
++}
++
++static datum getpair (char *pag, datum key)
++{
++ int i;
++ int n;
++ datum val;
++ short *ino = (short *) pag;
++
++ if ((n = ino[0]) == 0)
++ return nullitem;
++
++ if ((i = seepair (pag, n, key.dptr, key.dsize)) == 0)
++ return nullitem;
++
++ val.dptr = pag + ino[i + 1];
++ val.dsize = ino[i] - ino[i + 1];
++ return val;
++}
++
++static datum getnkey (char *pag, int num)
++{
++ datum key;
++ int off;
++ short *ino = (short *) pag;
++
++ num = num * 2 - 1;
++ if (ino[0] == 0 || num > ino[0])
++ return nullitem;
++
++ off = (num > 1) ? ino[num - 1] : PBLKSIZ;
++
++ key.dptr = pag + ino[num];
++ key.dsize = off - ino[num];
++
++ return key;
++}
++
++static int delpair (char *pag, datum key)
++{
++ int n;
++ int i;
++ short *ino = (short *) pag;
++
++ if ((n = ino[0]) == 0)
++ return 0;
++
++ if ((i = seepair (pag, n, key.dptr, key.dsize)) == 0)
++ return 0;
++/*
++ * found the key. if it is the last entry
++ * [i.e. i == n - 1] we just adjust the entry count.
++ * hard case: move all data down onto the deleted pair,
++ * shift offsets onto deleted offsets, and adjust them.
++ * [note: 0 < i < n]
++ */
++ if (i < n - 1)
++ {
++ int m;
++ char *dst = pag + (i == 1 ? PBLKSIZ : ino[i - 1]);
++ char *src = pag + ino[i + 1];
++ int zoo = dst - src;
++
++/*
++ * shift data/keys down
++ */
++ m = ino[i + 1] - ino[n];
++#ifdef DUFF
++#define MOVB *--dst = *--src
++ if (m > 0)
++ {
++ int loop = (m + 8 - 1) >> 3;
++
++ switch (m & (8 - 1))
++ {
++ case 0:
++ do
++ {
++ MOVB;
++ case 7:
++ MOVB;
++ case 6:
++ MOVB;
++ case 5:
++ MOVB;
++ case 4:
++ MOVB;
++ case 3:
++ MOVB;
++ case 2:
++ MOVB;
++ case 1:
++ MOVB;
++ }
++ while (--loop);
++ }
++ }
++#else
++ dst -= m;
++ src -= m;
++ memmove (dst, src, m);
++#endif
++/*
++ * adjust offset index up
++ */
++ while (i < n - 1)
++ {
++ ino[i] = ino[i + 2] + zoo;
++ i++;
++ }
++ }
++ ino[0] -= 2;
++ return 1;
++}
++
++static void splpage (char *pag, char *new, long sbit)
++{
++ datum key;
++ datum val;
++
++ int n;
++ int off = PBLKSIZ;
++ char cur[PBLKSIZ];
++ short *ino = (short *) cur;
++
++ (void) memcpy (cur, pag, PBLKSIZ);
++ (void) memset (pag, 0, PBLKSIZ);
++ (void) memset (new, 0, PBLKSIZ);
++
++ n = ino[0];
++ for (ino++; n > 0; ino += 2)
++ {
++ key.dptr = cur + ino[0];
++ key.dsize = off - ino[0];
++ val.dptr = cur + ino[1];
++ val.dsize = ino[0] - ino[1];
++/*
++ * select the page pointer (by looking at sbit) and insert
++ */
++ (void) putpair ((exhash (key) & sbit) ? new : pag, key, val);
++
++ off = ino[1];
++ n -= 2;
++ }
++}
++
++static int getdbit (DBM * db, long dbit)
++{
++ long c;
++ long dirb;
++
++ c = dbit / BYTESIZ;
++ dirb = c / DBLKSIZ;
++
++ if (dirb != db->dirbno)
++ {
++ int got;
++ if (lseek (db->dirf, OFF_DIR (dirb), SEEK_SET) < 0
++ || (got = read(db->dirf, db->dirbuf, DBLKSIZ)) < 0)
++ return 0;
++ if (got==0)
++ memset(db->dirbuf,0,DBLKSIZ);
++ db->dirbno = dirb;
++ }
++
++ return db->dirbuf[c % DBLKSIZ] & (1 << dbit % BYTESIZ);
++}
++
++static int setdbit (DBM * db, long dbit)
++{
++ long c;
++ long dirb;
++
++ c = dbit / BYTESIZ;
++ dirb = c / DBLKSIZ;
++
++ if (dirb != db->dirbno)
++ {
++ int got;
++ if (lseek (db->dirf, OFF_DIR (dirb), SEEK_SET) < 0
++ || (got = read(db->dirf, db->dirbuf, DBLKSIZ)) < 0)
++ return 0;
++ if (got==0)
++ memset(db->dirbuf,0,DBLKSIZ);
++ db->dirbno = dirb;
++ }
++
++ db->dirbuf[c % DBLKSIZ] |= (1 << dbit % BYTESIZ);
++
++#if 0
++ if (dbit >= db->maxbno)
++ db->maxbno += DBLKSIZ * BYTESIZ;
++#else
++ if (OFF_DIR((dirb+1))*BYTESIZ > db->maxbno)
++ db->maxbno=OFF_DIR((dirb+1))*BYTESIZ;
++#endif
++
++ if (lseek (db->dirf, OFF_DIR (dirb), SEEK_SET) < 0
++ || write (db->dirf, db->dirbuf, DBLKSIZ) < 0)
++ return 0;
++
++ return 1;
++}
++
++/*
++ * getnext - get the next key in the page, and if done with
++ * the page, try the next page in sequence
++ */
++static datum getnext (DBM * db)
++{
++ datum key;
++
++ for (;;)
++ {
++ db->keyptr++;
++ key = getnkey (db->pagbuf, db->keyptr);
++ if (key.dptr != NULL)
++ return key;
++/*
++ * we either run out, or there is nothing on this page..
++ * try the next one... If we lost our position on the
++ * file, we will have to seek.
++ */
++ db->keyptr = 0;
++ if (db->pagbno != db->blkptr++)
++ if (lseek (db->pagf, OFF_PAG (db->blkptr), SEEK_SET) < 0)
++ break;
++ db->pagbno = db->blkptr;
++ if (read (db->pagf, db->pagbuf, PBLKSIZ) <= 0)
++ break;
++ if (!chkpage (db->pagbuf))
++ break;
++ }
++
++ return ioerr (db), nullitem;
++}
++
++/*
++ * all important binary trie traversal
++ */
++static int getpage (DBM * db, long hash)
++{
++ int hbit;
++ long dbit;
++ long pagb;
++
++ dbit = 0;
++ hbit = 0;
++ while (dbit < db->maxbno && getdbit (db, dbit))
++ dbit = 2 * dbit + ((hash & (1 << hbit++)) ? 2 : 1);
++
++ db->curbit = dbit;
++ db->hmask = masks[hbit];
++
++ pagb = hash & db->hmask;
++/*
++ * see if the block we need is already in memory.
++ * note: this lookaside cache has about 10% hit rate.
++ */
++ if (pagb != db->pagbno)
++ {
++/*
++ * note: here, we assume a "hole" is read as 0s.
++ * if not, must zero pagbuf first.
++ */
++ if (lseek (db->pagf, OFF_PAG (pagb), SEEK_SET) < 0
++ || read (db->pagf, db->pagbuf, PBLKSIZ) < 0)
++ return 0;
++ if (!chkpage (db->pagbuf))
++ return 0;
++ db->pagbno = pagb;
++ }
++ return 1;
++}
++
++/*
++ * makroom - make room by splitting the overfull page
++ * this routine will attempt to make room for SPLTMAX times before
++ * giving up.
++ */
++static int makroom (DBM * db, long hash, int need)
++{
++ long newp;
++ char twin[PBLKSIZ];
++ char *pag = db->pagbuf;
++ char *new = twin;
++ int smax = SPLTMAX;
++
++ do
++ {
++/*
++ * split the current page
++ */
++ (void) splpage (pag, new, db->hmask + 1);
++/*
++ * address of the new page
++ */
++ newp = (hash & db->hmask) | (db->hmask + 1);
++
++/*
++ * write delay, read avoidence/cache shuffle:
++ * select the page for incoming pair: if key is to go to the new page,
++ * write out the previous one, and copy the new one over, thus making
++ * it the current page. If not, simply write the new page, and we are
++ * still looking at the page of interest. current page is not updated
++ * here, as sdbm_store will do so, after it inserts the incoming pair.
++ */
++ if (hash & (db->hmask + 1))
++ {
++ if (lseek (db->pagf, OFF_PAG (db->pagbno), SEEK_SET) < 0
++ || write (db->pagf, db->pagbuf, PBLKSIZ) < 0)
++ return 0;
++ db->pagbno = newp;
++ (void) memcpy (pag, new, PBLKSIZ);
++ }
++ else if (lseek (db->pagf, OFF_PAG (newp), SEEK_SET) < 0
++ || write (db->pagf, new, PBLKSIZ) < 0)
++ return 0;
++
++ if (!setdbit (db, db->curbit))
++ return 0;
++/*
++ * see if we have enough room now
++ */
++ if (fitpair (pag, need))
++ return 1;
++/*
++ * try again... update curbit and hmask as getpage would have
++ * done. because of our update of the current page, we do not
++ * need to read in anything. BUT we have to write the current
++ * [deferred] page out, as the window of failure is too great.
++ */
++ db->curbit = 2 * db->curbit +
++ ((hash & (db->hmask + 1)) ? 2 : 1);
++ db->hmask |= db->hmask + 1;
++
++ if (lseek (db->pagf, OFF_PAG (db->pagbno), SEEK_SET) < 0
++ || write (db->pagf, db->pagbuf, PBLKSIZ) < 0)
++ return 0;
++
++ }
++ while (--smax);
++/*
++ * if we are here, this is real bad news. After SPLTMAX splits,
++ * we still cannot fit the key. say goodnight.
++ */
++#ifdef BADMESS
++ (void) write (2, "sdbm: cannot insert after SPLTMAX attempts.\n", 44);
++#endif
++ return 0;
++
++}
++
++static SDBM *sdbm_prep (char *dirname, char *pagname, int flags, int mode)
++{
++ SDBM *db;
++ struct stat dstat;
++
++ if ((db = (SDBM *) mymalloc (sizeof (SDBM))) == NULL)
++ return errno = ENOMEM, (SDBM *) NULL;
++
++ db->flags = 0;
++ db->blkptr = 0;
++ db->keyptr = 0;
++/*
++ * adjust user flags so that WRONLY becomes RDWR,
++ * as required by this package. Also set our internal
++ * flag for RDONLY if needed.
++ */
++ if (flags & O_WRONLY)
++ flags = (flags & ~O_WRONLY) | O_RDWR;
++ else if ((flags & 03) == O_RDONLY)
++ db->flags = DBM_RDONLY;
++#if defined(OS2) || defined(MSDOS) || defined(WIN32)
++ flags |= O_BINARY;
++#endif
++
++/*
++ * Make sure to ignore the O_EXCL option, as the file might exist due
++ * to the locking.
++ */
++ flags &= ~O_EXCL;
++
++/*
++ * open the files in sequence, and stat the dirfile.
++ * If we fail anywhere, undo everything, return NULL.
++ */
++
++ if ((db->pagf = open (pagname, flags, mode)) > -1)
++ {
++ if ((db->dirf = open (dirname, flags, mode)) > -1)
++ {
++/*
++ * need the dirfile size to establish max bit number.
++ */
++ if (fstat (db->dirf, &dstat) == 0)
++ {
++ /*
++ * success
++ */
++ return db;
++ }
++ msg_info ("closing dirf");
++ (void) close (db->dirf);
++ }
++ msg_info ("closing pagf");
++ (void) close (db->pagf);
++ }
++ myfree ((char *) db);
++ return (SDBM *) NULL;
++}
++
++static DBM *sdbm_internal_open (SDBM * sdbm)
++{
++ DBM *db;
++ struct stat dstat;
++
++ if ((db = (DBM *) mymalloc (sizeof (DBM))) == NULL)
++ return errno = ENOMEM, (DBM *) NULL;
++
++ db->flags = sdbm->flags;
++ db->hmask = 0;
++ db->blkptr = sdbm->blkptr;
++ db->keyptr = sdbm->keyptr;
++ db->pagf = sdbm->pagf;
++ db->dirf = sdbm->dirf;
++ db->pagbuf = sdbm->pagbuf;
++ db->dirbuf = sdbm->dirbuf;
++
++/*
++ * need the dirfile size to establish max bit number.
++ */
++ if (fstat (db->dirf, &dstat) == 0)
++ {
++/*
++ * zero size: either a fresh database, or one with a single,
++ * unsplit data page: dirpage is all zeros.
++ */
++ db->dirbno = (!dstat.st_size) ? 0 : -1;
++ db->pagbno = -1;
++ db->maxbno = dstat.st_size * BYTESIZ;
++
++ (void) memset (db->pagbuf, 0, PBLKSIZ);
++ (void) memset (db->dirbuf, 0, DBLKSIZ);
++ return db;
++ }
++ myfree ((char *) db);
++ return (DBM *) NULL;
++}
++
++static void sdbm_internal_close (DBM * db)
++{
++ if (db == NULL)
++ errno = EINVAL;
++ else
++ {
++ myfree ((char *) db);
++ }
++}
++
++datum sdbm_fetch (SDBM * sdb, datum key)
++{
++ datum retval;
++ DBM *db;
++
++ if (sdb == NULL || bad (key))
++ return errno = EINVAL, nullitem;
++
++ if (!(db = sdbm_internal_open (sdb)))
++ return errno = EINVAL, nullitem;
++
++ if (getpage (db, exhash (key)))
++ {
++ retval = getpair (db->pagbuf, key);
++ sdbm_internal_close (db);
++ return retval;
++ }
++
++ sdbm_internal_close (db);
++
++ return ioerr (sdb), nullitem;
++}
++
++int sdbm_delete (SDBM * sdb, datum key)
++{
++ int retval;
++ DBM *db;
++
++ if (sdb == NULL || bad (key))
++ return errno = EINVAL, -1;
++ if (sdbm_rdonly (sdb))
++ return errno = EPERM, -1;
++
++ if (!(db = sdbm_internal_open (sdb)))
++ return errno = EINVAL, -1;
++
++ if (getpage (db, exhash (key)))
++ {
++ if (!delpair (db->pagbuf, key))
++ retval = -1;
++/*
++ * update the page file
++ */
++ else if (lseek (db->pagf, OFF_PAG (db->pagbno), SEEK_SET) < 0
++ || write (db->pagf, db->pagbuf, PBLKSIZ) < 0)
++ retval = ioerr (sdb), -1;
++ else
++ retval = 0;
++ }
++ else
++ retval = ioerr (sdb), -1;
++
++ sdbm_internal_close (db);
++
++ return retval;
++}
++
++int sdbm_store (SDBM * sdb, datum key, datum val, int flags)
++{
++ int need;
++ int retval;
++ long hash;
++ DBM *db;
++
++ if (sdb == NULL || bad (key))
++ return errno = EINVAL, -1;
++ if (sdbm_rdonly (sdb))
++ return errno = EPERM, -1;
++
++ need = key.dsize + val.dsize;
++/*
++ * is the pair too big (or too small) for this database ??
++ */
++ if (need < 0 || need > PAIRMAX)
++ return errno = EINVAL, -1;
++
++ if (!(db = sdbm_internal_open (sdb)))
++ return errno = EINVAL, -1;
++
++ if (getpage (db, (hash = exhash (key))))
++ {
++/*
++ * if we need to replace, delete the key/data pair
++ * first. If it is not there, ignore.
++ */
++ if (flags == DBM_REPLACE)
++ (void) delpair (db->pagbuf, key);
++#ifdef SEEDUPS
++ else if (duppair (db->pagbuf, key))
++ {
++ sdbm_internal_close (db);
++ return 1;
++ }
++#endif
++/*
++ * if we do not have enough room, we have to split.
++ */
++ if (!fitpair (db->pagbuf, need))
++ if (!makroom (db, hash, need))
++ {
++ sdbm_internal_close (db);
++ return ioerr (db), -1;
++ }
++/*
++ * we have enough room or split is successful. insert the key,
++ * and update the page file.
++ */
++ (void) putpair (db->pagbuf, key, val);
++
++ if (lseek (db->pagf, OFF_PAG (db->pagbno), SEEK_SET) < 0
++ || write (db->pagf, db->pagbuf, PBLKSIZ) < 0)
++ {
++ sdbm_internal_close (db);
++ return ioerr (db), -1;
++ }
++ /*
++ * success
++ */
++ sdbm_internal_close (db);
++ return 0;
++ }
++
++ sdbm_internal_close (db);
++ return ioerr (sdb), -1;
++}
++
++/*
++ * the following two routines will break if
++ * deletions aren't taken into account. (ndbm bug)
++ */
++datum sdbm_firstkey (SDBM * sdb)
++{
++ datum retval;
++ DBM *db;
++
++ if (sdb == NULL)
++ return errno = EINVAL, nullitem;
++
++ if (!(db = sdbm_internal_open (sdb)))
++ return errno = EINVAL, nullitem;
++
++/*
++ * start at page 0
++ */
++ if (lseek (db->pagf, OFF_PAG (0), SEEK_SET) < 0
++ || read (db->pagf, db->pagbuf, PBLKSIZ) < 0)
++ {
++ sdbm_internal_close (db);
++ return ioerr (sdb), nullitem;
++ }
++ db->pagbno = 0;
++ db->blkptr = 0;
++ db->keyptr = 0;
++
++ retval = getnext (db);
++ sdb->blkptr = db->blkptr;
++ sdb->keyptr = db->keyptr;
++ sdbm_internal_close (db);
++ return retval;
++}
++
++datum sdbm_nextkey (SDBM * sdb)
++{
++ datum retval;
++ DBM *db;
++
++ if (sdb == NULL)
++ return errno = EINVAL, nullitem;
++
++ if (!(db = sdbm_internal_open (sdb)))
++ return errno = EINVAL, nullitem;
++
++ retval = getnext (db);
++ sdb->blkptr = db->blkptr;
++ sdb->keyptr = db->keyptr;
++ sdbm_internal_close (db);
++ return retval;
++}
++
++void sdbm_close (SDBM * db)
++{
++ if (db == NULL)
++ errno = EINVAL;
++ else
++ {
++ (void) close (db->dirf);
++ (void) close (db->pagf);
++ myfree ((char *) db);
++ }
++}
++
++SDBM *sdbm_open (char *file, int flags, int mode)
++{
++ SDBM *db;
++ char *dirname;
++ char *pagname;
++ int n;
++
++ if (file == NULL || !*file)
++ return errno = EINVAL, (SDBM *) NULL;
++/*
++ * need space for two seperate filenames
++ */
++ n = strlen (file) * 2 + strlen (DIRFEXT) + strlen (PAGFEXT) + 2;
++
++ if ((dirname = (char *) mymalloc ((unsigned) n)) == NULL)
++ return errno = ENOMEM, (SDBM *) NULL;
++/*
++ * build the file names
++ */
++ dirname = strcat (strcpy (dirname, file), DIRFEXT);
++ pagname = strcpy (dirname + strlen (dirname) + 1, file);
++ pagname = strcat (pagname, PAGFEXT);
++
++ db = sdbm_prep (dirname, pagname, flags, mode);
++ myfree ((char *) dirname);
++ return db;
++}
++
+diff -urNad postfix-release/src/global/sdbm.h /tmp/dpep.TxugCA/postfix-release/src/global/sdbm.h
+--- postfix-release/src/global/sdbm.h 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/global/sdbm.h 2004-12-27 22:29:11.320098567 -0700
+@@ -0,0 +1,97 @@
++/*++
++/* NAME
++/* sdbm 3h
++/* SUMMARY
++/* SDBM Simple DBM: ndbm work-alike hashed database library
++/* SYNOPSIS
++/* include "sdbm.h"
++/* DESCRIPTION
++/* .nf
++/*--*/
++
++#ifndef UTIL_SDBM_H
++#define UTIL_SDBM_H
++
++/*
++ * sdbm - ndbm work-alike hashed database library
++ * based on Per-Ake Larson's Dynamic Hashing algorithms. BIT 18 (1978).
++ * author: oz at nexus.yorku.ca
++ * status: public domain.
++ */
++
++#define DUFF /* go ahead and use the loop-unrolled version */
++
++#include <stdio.h>
++
++#define DBLKSIZ 16384 /* SSL cert chains require more */
++#define PBLKSIZ 8192 /* SSL cert chains require more */
++#define PAIRMAX 8008 /* arbitrary on PBLKSIZ-N */
++#define SPLTMAX 10 /* maximum allowed splits */
++ /* for a single insertion */
++#define DIRFEXT ".dir"
++#define PAGFEXT ".pag"
++
++typedef struct {
++ int dirf; /* directory file descriptor */
++ int pagf; /* page file descriptor */
++ int flags; /* status/error flags, see below */
++ long blkptr; /* current block for nextkey */
++ int keyptr; /* current key for nextkey */
++ char pagbuf[PBLKSIZ]; /* page file block buffer */
++ char dirbuf[DBLKSIZ]; /* directory file block buffer */
++} SDBM;
++
++#define DBM_RDONLY 0x1 /* data base open read-only */
++#define DBM_IOERR 0x2 /* data base I/O error */
++
++/*
++ * utility macros
++ */
++#define sdbm_rdonly(db) ((db)->flags & DBM_RDONLY)
++#define sdbm_error(db) ((db)->flags & DBM_IOERR)
++
++#define sdbm_clearerr(db) ((db)->flags &= ~DBM_IOERR) /* ouch */
++
++#define sdbm_dirfno(db) ((db)->dirf)
++#define sdbm_pagfno(db) ((db)->pagf)
++
++typedef struct {
++ char *dptr;
++ int dsize;
++} datum;
++
++extern datum nullitem;
++
++/*
++ * flags to sdbm_store
++ */
++#define DBM_INSERT 0
++#define DBM_REPLACE 1
++
++/*
++ * ndbm interface
++ */
++extern SDBM *sdbm_open(char *, int, int);
++extern void sdbm_close(SDBM *);
++extern datum sdbm_fetch(SDBM *, datum);
++extern int sdbm_delete(SDBM *, datum);
++extern int sdbm_store(SDBM *, datum, datum, int);
++extern datum sdbm_firstkey(SDBM *);
++extern datum sdbm_nextkey(SDBM *);
++
++/*
++ * sdbm - ndbm work-alike hashed database library
++ * tuning and portability constructs [not nearly enough]
++ * author: oz at nexus.yorku.ca
++ */
++
++#define BYTESIZ 8
++
++/*
++ * important tuning parms (hah)
++ */
++
++#define SEEDUPS /* always detect duplicates */
++#define BADMESS /* generate a message for worst case:
++ cannot make room after SPLTMAX splits */
++#endif /* UTIL_SDBM_H */
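Review bot: The tuning switches `DUFF` (near the top) and `SEEDUPS`/`BADMESS` (at the bottom) are `#define`d unconditionally in this public header, so every file that includes sdbm.h inherits them and a build cannot turn them off without editing the header, even though only sdbm.c tests them. Move the three definitions into sdbm.c next to the `#ifdef DUFF` / `#ifdef SEEDUPS` / `#ifdef BADMESS` blocks, or at least wrap each in `#ifndef DUFF` so a `-D`/`-U` from the build wins. The `#include <stdio.h>` also appears unused by the declarations here (the library works on file descriptors with `read`/`write`); if sdbm.c does not need it either, drop it.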
+diff -urNad postfix-release/src/master/Makefile.in /tmp/dpep.TxugCA/postfix-release/src/master/Makefile.in
+--- postfix-release/src/master/Makefile.in 2004-12-27 22:28:28.645271855 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/master/Makefile.in 2004-12-27 22:29:11.320098567 -0700
+@@ -20,7 +20,7 @@
+ INC_DIR = ../../include
+ BIN_DIR = ../../libexec
+
+-.c.o:; $(CC) $(CFLAGS) -c $*.c
++.c.o:; $(CC) `for i in $(LIB_OBJ); do [ $$i = $@ ] && echo -fPIC; done` $(CFLAGS) -c $*.c
+
+ all: $(PROG) $(LIB)
+
+@@ -35,12 +35,10 @@
+ tests: test
+
+ $(LIB): $(LIB_OBJ)
+- $(AR) $(ARFL) $(LIB) $?
+- $(RANLIB) $(LIB)
++ gcc -shared -Wl,-soname,libpostfix-master.so.1 -o $(LIB) $(LIB_OBJ) $(LIBS) $(SYSLIBS)
+
+ $(LIB_DIR)/$(LIB): $(LIB)
+ cp $(LIB) $(LIB_DIR)/$(LIB)
+- $(RANLIB) $(LIB_DIR)/$(LIB)
+
+ $(BIN_DIR)/$(PROG): $(PROG)
+ cp $(PROG) $(BIN_DIR)
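Review bot: The new link line hard-codes `gcc` instead of `$(CC)`, so a `CC=` override from the build no longer reaches the link step, and it sets `-soname,libpostfix-master.so.1` while still writing the output to `$(LIB)`, whose definition is outside this hunk but is presumably the old archive name. Use `$(CC) -shared -Wl,-soname,libpostfix-master.so.1 -o $(LIB) $(LIB_OBJ) $(LIBS) $(SYSLIBS)` and either rename `LIB` to match the soname or add a comment explaining that a shared object is deliberately kept under the archive filename. The same hard-coded `gcc` recurs in util/Makefile.in's `$(PCRESO)`, `$(TCPSO)` and `$(LIB)` rules further down in this patch.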
+diff -urNad postfix-release/src/postconf/postconf.c /tmp/dpep.TxugCA/postfix-release/src/postconf/postconf.c
+--- postfix-release/src/postconf/postconf.c 2004-12-27 22:28:28.646271640 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/postconf/postconf.c 2004-12-27 22:29:11.321098352 -0700
+@@ -822,6 +822,16 @@
+ {
+ ARGV *maps_argv;
+ int i;
++#ifndef NO_DYNAMIC_MAPS
++ char *path;
++ char *config_dir;
++
++ var_config_dir = mystrdup((config_dir = safe_getenv(CONF_ENV_PATH)) != 0 ?
++ config_dir : DEF_CONFIG_DIR); /* XXX */
++ path = concatenate(var_config_dir, "/", "dynamicmaps.cf", (char *) 0);
++ dict_open_dlinfo(path);
++ myfree(path);
++#endif
+
+ maps_argv = dict_mapnames();
+ for (i = 0; i < maps_argv->argc; i++)
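Review bot: The `var_config_dir = mystrdup(...)` line overwrites the global unconditionally and is flagged only with `/* XXX */`; if `var_config_dir` has already been set when this function runs (for instance from a `-c` option handled earlier, which this hunk does not show), the earlier string is leaked and the environment value silently wins. Guard it, e.g. `if (var_config_dir == 0) var_config_dir = mystrdup(...)`, or replace the `XXX` with a sentence stating why the override is intended here. The enclosing function's signature is outside the hunk.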
+diff -urNad postfix-release/src/postmap/postmap.c /tmp/dpep.TxugCA/postfix-release/src/postmap/postmap.c
+--- postfix-release/src/postmap/postmap.c 2004-12-27 22:28:28.647271425 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/postmap/postmap.c 2004-12-27 22:29:11.321098352 -0700
+@@ -5,7 +5,7 @@
+ /* Postfix lookup table management
+ /* SYNOPSIS
+ /* .fi
+-/* \fBpostmap\fR [\fB-Nfinoprvw\fR] [\fB-c \fIconfig_dir\fR]
++/* \fBpostmap\fR [\fB-Nfinopruvw\fR] [\fB-c \fIconfig_dir\fR]
+ /* [\fB-d \fIkey\fR] [\fB-q \fIkey\fR]
+ /* [\fIfile_type\fR:]\fIfile_name\fR ...
+ /* DESCRIPTION
+@@ -92,6 +92,8 @@
+ /* .IP \fB-r\fR
+ /* When updating a table, do not warn about duplicate entries; silently
+ /* replace them.
++/* .IP \fB-u\fR
++/* Upgrade the database to the current version.
+ /* .IP \fB-v\fR
+ /* Enable verbose logging for debugging purposes. Multiple \fB-v\fR
+ /* options make the software increasingly verbose.
+@@ -102,7 +104,7 @@
+ /* Arguments:
+ /* .IP \fIfile_type\fR
+ /* The database type. To find out what types are supported, use
+-/* the "\fBpostconf -m" command.
++/* the "\fBpostconf -m\fR" command.
+ /*
+ /* The \fBpostmap\fR command can query any supported file type,
+ /* but it can create only the following file types:
+@@ -484,6 +486,18 @@
+ return (status == 0);
+ }
+
++/* postmap_upgrade - upgrade a map */
++
++static int postmap_upgrade(const char *map_type, const char *map_name)
++{
++ DICT *dict;
++
++ dict = dict_open3(map_type, map_name, O_RDWR,
++ DICT_FLAG_LOCK|DICT_FLAG_UPGRADE);
++ dict_close(dict);
++ return (dict != 0);
++}
++
+ /* usage - explain */
+
+ static NORETURN usage(char *myname)
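Review bot: `postmap_upgrade` calls `dict_close(dict)` before it tests `dict != 0`, so if `dict_open3` could ever return a null pointer the close would dereference it first; and per the DIAGNOSTICS text of dict_open.c later in this patch, `dict_open3` treats open errors as fatal, which makes the test dead code as written. Either drop the check and `return (1);` after `dict_close(dict);`, or, if a non-fatal open is intended, reorder to `if (dict == 0) return (0); dict_close(dict); return (1);`. A one-line comment saying that opening with `DICT_FLAG_UPGRADE` performs the upgrade as a side effect would also explain why the body is otherwise empty.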
+@@ -504,6 +518,7 @@
+ int dict_flags = DICT_FLAG_DUP_WARN | DICT_FLAG_FOLD_KEY;
+ char *query = 0;
+ char *delkey = 0;
++ int upgrade=0;
+ int found;
+
+ /*
+@@ -540,7 +555,7 @@
+ /*
+ * Parse JCL.
+ */
+- while ((ch = GETOPT(argc, argv, "Nc:d:finopq:rvw")) > 0) {
++ while ((ch = GETOPT(argc, argv, "Nc:d:finopq:ruvw")) > 0) {
+ switch (ch) {
+ default:
+ usage(argv[0]);
+@@ -554,8 +569,8 @@
+ msg_fatal("out of memory");
+ break;
+ case 'd':
+- if (query || delkey)
+- msg_fatal("specify only one of -q or -d");
++ if (query || delkey || upgrade)
++ msg_fatal("specify only one of -q or -d or -u");
+ delkey = optarg;
+ break;
+ case 'f':
+@@ -575,14 +590,19 @@
+ postmap_flags &= ~POSTMAP_FLAG_SAVE_PERM;
+ break;
+ case 'q':
+- if (query || delkey)
+- msg_fatal("specify only one of -q or -d");
++ if (query || delkey || upgrade)
++ msg_fatal("specify only one of -q or -d or -u");
+ query = optarg;
+ break;
+ case 'r':
+ dict_flags &= ~(DICT_FLAG_DUP_WARN | DICT_FLAG_DUP_IGNORE);
+ dict_flags |= DICT_FLAG_DUP_REPLACE;
+ break;
++ case 'u':
++ if (query || delkey || upgrade)
++ msg_fatal("specify only one of -q or -d or -u");
++ upgrade=1;
++ break;
+ case 'v':
+ msg_verbose++;
+ break;
+@@ -633,6 +653,21 @@
+ optind++;
+ }
+ exit(1);
++ } else if (upgrade) { /* Upgrade the map(s) */
++ int success = 1;
++ if (optind + 1 > argc)
++ usage(argv[0]);
++ while (optind < argc) {
++ if ((path_name = split_at(argv[optind], ':')) != 0) {
++ success &= postmap_upgrade(argv[optind], path_name);
++ } else {
++ success &= postmap_upgrade(var_db_type, path_name);
++ }
++ if (!success)
++ exit(1);
++ optind++;
++ }
++ exit(0);
+ } else { /* create/update map(s) */
+ if (optind + 1 > argc)
+ usage(argv[0]);
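Review bot: In the `else` branch of the new upgrade loop `path_name` is null, because the `split_at` on the line above has just returned 0, yet it is passed as the map name: `success &= postmap_upgrade(var_db_type, path_name);`. It should pass the untouched argument, `success &= postmap_upgrade(var_db_type, argv[optind]);`, which is presumably what the create/update branch just below does for the same case. As written, `postmap -u name` without a `type:` prefix hands a null name to `dict_open3`.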
+diff -urNad postfix-release/src/util/Makefile.in /tmp/dpep.TxugCA/postfix-release/src/util/Makefile.in
+--- postfix-release/src/util/Makefile.in 2004-12-27 22:28:28.648271210 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/util/Makefile.in 2004-12-27 22:29:11.322098138 -0700
+@@ -4,6 +4,7 @@
+ chroot_uid.c clean_env.c close_on_exec.c concatenate.c ctable.c \
+ dict.c dict_alloc.c dict_db.c dict_dbm.c dict_debug.c dict_env.c \
+ dict_cidr.c dict_ht.c dict_ni.c dict_nis.c \
++ load_lib.c \
+ dict_nisplus.c dict_open.c dict_pcre.c dict_regexp.c \
+ dict_static.c dict_tcp.c dict_unix.c dir_forest.c doze.c \
+ duplex_pipe.c environ.c events.c exec_command.c fifo_listen.c \
+@@ -34,8 +35,8 @@
+ chroot_uid.o clean_env.o close_on_exec.o concatenate.o ctable.o \
+ dict.o dict_alloc.o dict_db.o dict_dbm.o dict_debug.o dict_env.o \
+ dict_cidr.o dict_ht.o dict_ni.o dict_nis.o \
+- dict_nisplus.o dict_open.o dict_pcre.o dict_regexp.o \
+- dict_static.o dict_tcp.o dict_unix.o dir_forest.o doze.o \
++ dict_nisplus.o dict_open.o dict_regexp.o \
++ dict_static.o dict_unix.o dir_forest.o doze.o \
+ duplex_pipe.o environ.o events.o exec_command.o fifo_listen.o \
+ fifo_trigger.o file_limit.o find_inet.o fsspace.o fullname.o \
+ get_domainname.o get_hostname.o hex_quote.o host_port.o htable.o \
+@@ -58,10 +59,11 @@
+ vstream_popen.o vstring.o vstring_vstream.o watchdog.o writable.o \
+ write_buf.o write_wait.o auto_clnt.o attr_clnt.o attr_scan_plain.o \
+ attr_print_plain.o sane_connect.o $(STRCASE) neuter.o name_code.o \
+- uppercase.o
++ uppercase.o load_lib.o
+ HDRS = argv.h attr.h base64_code.h binhash.h chroot_uid.h clean_env.h \
+ connect.h ctable.h dict.h dict_db.h dict_dbm.h dict_env.h \
+ dict_cidr.h dict_ht.h dict_ni.h dict_nis.h \
++ load_lib.h \
+ dict_nisplus.h dict_pcre.h dict_regexp.h \
+ dict_static.h dict_tcp.h dict_unix.h dir_forest.h events.h \
+ exec_command.h find_inet.h fsspace.h fullname.h get_domainname.h \
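Review bot: `load_lib.h` is added to HDRS twice: on its own line after `dict_nis.h` in this hunk and again on the `sane_time.h` line in the next hunk. The duplicate makes the `update` loop copy it twice and any rule that iterates `$(HDRS)` see it twice; keep one occurrence. The SRCS hunk at the top of the file likewise inserts `load_lib.c` between `dict_nis.c` and `dict_nisplus.c` rather than in the list's alphabetical order, which makes the lists harder to diff later.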
+@@ -72,7 +74,7 @@
+ msg_syslog.h msg_vstream.h mvect.h myflock.h mymalloc.h myrand.h \
+ name_mask.h netstring.h nvtable.h open_as.h open_lock.h \
+ percentm.h posix_signals.h readlline.h ring.h safe.h safe_open.h \
+- sane_accept.h sane_fsops.h sane_socketpair.h sane_time.h \
++ sane_accept.h sane_fsops.h sane_socketpair.h sane_time.h load_lib.h \
+ scan_dir.h set_eugid.h set_ugid.h sigdelay.h spawn_command.h \
+ split_at.h stat_as.h stringops.h sys_defs.h timed_connect.h \
+ timed_wait.h trigger.h username.h valid_hostname.h vbuf.h \
+@@ -84,6 +86,8 @@
+ CFLAGS = $(DEBUG) $(OPT) $(DEFS)
+ FILES = Makefile $(SRCS) $(HDRS)
+ INCL =
++PCRESO = dict_pcre.so
++TCPSO = dict_tcp.so
+ LIB = libutil.a
+ TESTPROG= dict_open dup2_pass_on_exec events exec_command fifo_open \
+ fifo_rdonly_bug fifo_rdwr_bug fifo_trigger fsspace fullname \
+@@ -96,8 +100,9 @@
+
+ LIB_DIR = ../../lib
+ INC_DIR = ../../include
++LIBS = $(LIB_DIR)/$(LIB) $(LIB_DIR)/$(PCRESO) $(LIB_DIR)/$(TCPSO)
+
+-.c.o:; $(CC) $(CFLAGS) -c $*.c
++.c.o:; $(CC) -fPIC $(CFLAGS) -c $*.c
+
+ all: $(LIB)
+
+@@ -106,15 +111,25 @@
+
+ test: $(TESTPROG)
+
++$(PCRESO): dict_pcre.o
++ gcc -shared -Wl,-soname,dict_pcre.so -o $@ $? -lpcre -L. -lutil
++
++$(TCPSO): dict_tcp.o
++ gcc -shared -Wl,-soname,dict_tcp.so -o $@ $? -L. -lutil
++
+ $(LIB): $(OBJS)
+- $(AR) $(ARFL) $(LIB) $?
+- $(RANLIB) $(LIB)
++ gcc -shared -Wl,-soname,libpostfix-util.so.1 -o $(LIB) $(OBJS) -ldl $(SYSLIBS)
+
+ $(LIB_DIR)/$(LIB): $(LIB)
+ cp $(LIB) $(LIB_DIR)
+- $(RANLIB) $(LIB_DIR)/$(LIB)
+
+-update: $(LIB_DIR)/$(LIB) $(HDRS)
++$(LIB_DIR)/$(PCRESO): $(PCRESO)
++ cp $(PCRESO) $(LIB_DIR)
++
++$(LIB_DIR)/$(TCPSO): $(TCPSO)
++ cp $(TCPSO) $(LIB_DIR)
++
++update: $(LIBS) $(HDRS)
+ -for i in $(HDRS); \
+ do \
+ cmp -s $$i $(INC_DIR)/$$i 2>/dev/null || cp $$i $(INC_DIR); \
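Review bot: `$(PCRESO)` and `$(TCPSO)` link with `-L. -lutil` but do not list `$(LIB)` as a prerequisite, so on a clean tree or under `make -j` the link can run before the local library exists and `-lutil` then resolves to the system libutil or fails. Add the dependency, `$(PCRESO): dict_pcre.o $(LIB)` and `$(TCPSO): dict_tcp.o $(LIB)`, and at the same time replace `$?` in those recipes with `$<`, because `$?` would otherwise put a newer `$(LIB)` on the command line as an input object. Note also that the `$(LIB)` rule now produces a shared object under the archive filename, so the `-lutil` lookup depends on the linker sniffing the file's real format rather than its extension.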
+@@ -136,7 +151,8 @@
+ lint $(SRCS)
+
+ clean:
+- rm -f *.o $(LIB) *core $(TESTPROG) junk $(MAKES) *.tmp
++ rm -f *.o $(LIB) $(PCRESO) $(TCPSO) *core $(TESTPROG) \
++ junk $(MAKES) *.tmp
+ rm -rf printfck
+
+ tidy: clean
+diff -urNad postfix-release/src/util/dict.h /tmp/dpep.TxugCA/postfix-release/src/util/dict.h
+--- postfix-release/src/util/dict.h 2004-12-27 22:28:28.649270995 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/util/dict.h 2004-12-27 22:29:11.323097923 -0700
+@@ -61,6 +61,7 @@
+ #define DICT_FLAG_NO_REGSUB (1<<11) /* disallow regexp substitution */
+ #define DICT_FLAG_NO_PROXY (1<<12) /* disallow proxy mapping */
+ #define DICT_FLAG_NO_UNAUTH (1<<13) /* disallow unauthenticated data */
++#define DICT_FLAG_UPGRADE (1<<30) /* Upgrade the db */
+
+ #define DICT_FLAG_PARANOID \
+ (DICT_FLAG_NO_REGSUB | DICT_FLAG_NO_PROXY | DICT_FLAG_NO_UNAUTH)
+@@ -102,6 +103,11 @@
+ extern DICT *dict_open(const char *, int, int);
+ extern DICT *dict_open3(const char *, const char *, int, int);
+ extern void dict_open_register(const char *, DICT *(*) (const char *, int, int));
++#ifndef NO_DYNAMIC_MAPS
++extern void dict_open_dlinfo(const char *path);
++typedef void* (*dict_mkmap_func_t)(const char *);
++dict_mkmap_func_t dict_mkmap_func(const char *dict_type);
++#endif
+
+ #define dict_get(dp, key) (dp)->lookup((dp), (key))
+ #define dict_put(dp, key, val) (dp)->update((dp), (key), (val))
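Review bot: `dict_mkmap_func_t dict_mkmap_func(const char *dict_type);` is the only prototype in this header without `extern`, and the neighbouring declarations omit parameter names; for consistency write `extern dict_mkmap_func_t dict_mkmap_func(const char *);`. The `dict_open_dlinfo(const char *path)` prototype would also benefit from a trailing comment naming what `path` is, e.g. `/* dynamicmaps.cf location */`, since the name alone does not say so.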
+diff -urNad postfix-release/src/util/dict_db.c /tmp/dpep.TxugCA/postfix-release/src/util/dict_db.c
+--- postfix-release/src/util/dict_db.c 2004-12-27 22:28:28.649270995 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/util/dict_db.c 2004-12-27 22:29:11.323097923 -0700
+@@ -548,6 +548,12 @@
+ msg_fatal("set DB cache size %d: %m", dict_db_cache_size);
+ if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0)
+ msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM);
++ if (dict_flags & DICT_FLAG_UPGRADE) {
++ if (msg_verbose)
++ msg_info("upgrading database %s",db_path);
++ if ((errno = db->upgrade(db,db_path,0)) != 0)
++ msg_fatal("upgrade of database %s: %m",db_path);
++ }
+ #if (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0)
+ if ((errno = db->open(db, 0, db_path, 0, type, db_flags, 0644)) != 0)
+ msg_fatal("open database %s: %m", db_path);
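Review bot: `db->upgrade()` is invoked before `db->open()` with no visible check that this process holds the map's exclusive lock; a Berkeley DB upgrade rewrites the file in place and must not run while another process has the database open, which for a live Postfix table is plausible. If the exclusive lock taken elsewhere in `dict_db_open` already covers this point, add a comment above the block saying so; otherwise only perform the upgrade when `DICT_FLAG_LOCK` is also set, which is what `postmap_upgrade` in this patch passes. The `errno = db->upgrade(...)` assignment follows the existing `db->open` idiom, but DB error codes that are not errno values will print misleadingly through `%m`, so a comment noting that limitation would help.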
+diff -urNad postfix-release/src/util/dict_dbm.c /tmp/dpep.TxugCA/postfix-release/src/util/dict_dbm.c
+--- postfix-release/src/util/dict_dbm.c 2004-12-27 22:28:28.650270780 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/util/dict_dbm.c 2004-12-27 22:29:11.323097923 -0700
+@@ -371,6 +371,10 @@
+ char *dbm_path;
+ int lock_fd;
+
++#ifdef HAVE_GDBM
++ msg_error("%s: gdbm maps use locking that is incompatible with postfix. Use a hash map instead.",
++ path);
++#endif
+ /*
+ * Note: DICT_FLAG_LOCK is used only by programs that do fine-grained (in
+ * the time domain) locking while accessing individual database records.
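Review bot: The `#ifdef HAVE_GDBM` block logs with `msg_error` on every `dict_dbm_open` call and then proceeds to open the map anyway, so a gdbm build emits an error per open while still using the locking the message calls incompatible. Either make it `msg_fatal` if gdbm genuinely must not be used, or `msg_warn` if it is advisory; I believe `msg_error` in this codebase also counts toward the error limit, so a long-running daemon opening maps repeatedly could be terminated by it. `HAVE_GDBM` is not defined anywhere in this patch, so please confirm the build actually sets it.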
+diff -urNad postfix-release/src/util/dict_open.c /tmp/dpep.TxugCA/postfix-release/src/util/dict_open.c
+--- postfix-release/src/util/dict_open.c 2004-12-27 22:28:28.650270780 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/util/dict_open.c 2004-12-27 22:29:35.775841614 -0700
+@@ -42,6 +42,10 @@
+ /* dict_open_register(type, open)
+ /* char *type;
+ /* DICT *(*open) (const char *, int, int);
++/*
++/* ARGV *dict_mapnames()
++/*
++/* void (*)() dict_mkmap_func(const char *dict_type)
+ /* DESCRIPTION
+ /* This module implements a low-level interface to multiple
+ /* physical dictionary types.
+@@ -135,6 +139,13 @@
+ /* associated data structures.
+ /*
+ /* dict_open_register() adds support for a new dictionary type.
++/*
++/* dict_mapnames() returns an ARGV list containing all of the known
++/* map types, including dynamic maps.
++/*
++/* dict_mkmap_func() returns a pointer to the mkmap setup function
++/* for the given map type, as given in /etc/dynamicmaps.cf
++/*
+ /* DIAGNOSTICS
+ /* Fatal error: open error, unsupported dictionary type, attempt to
+ /* update non-writable dictionary.
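Review bot: The new `dict_mkmap_func()` paragraph says the map types are "as given in /etc/dynamicmaps.cf", but postconf.c in this same patch builds the path as `var_config_dir` joined with `/dynamicmaps.cf`, so the location follows the configuration directory rather than being fixed. Suggested wording: `for the given map type, as listed in dynamicmaps.cf in the configuration directory (see dict_open_dlinfo()).` `dict_open_dlinfo()` itself is not described in the DESCRIPTION at all; one sentence stating what it reads and that it presumably has to run before the first dynamic map is opened would complete the documentation.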
+@@ -158,6 +169,9 @@
+ #include <strings.h>
+ #endif
+
++#include <sys/stat.h>
++#include <unistd.h>
++
+ /* Utility library. */
+
+ #include <argv.h>
+@@ -180,6 +194,27 @@
+ #include <split_at.h>
+ #include <htable.h>
+
++#ifndef NO_DYNAMIC_MAPS
++#include <load_lib.h>
++#include <vstring.h>
++#include <vstream.h>
++#include <vstring_vstream.h>
++#include <mvect.h>
++
++ /*
++ * Interface for dynamic map loading.
++ */
++typedef struct {
++ const char *pattern;
++ const char *soname;
++ const char *openfunc;
++ const char *mkmapfunc;
++} DLINFO;
++
++static DLINFO *dict_dlinfo;
++static DLINFO *dict_open_dlfind(const char *type);
++#endif
++
+ /*
+ * lookup table for available map types.
+ */
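Review bot: The DLINFO field `pattern` is matched by exact string comparison in dict_open_dlfind() and the `*` wildcard is explicitly rejected in dict_open_dlinfo(), so the name promises more than the code delivers; a field comment such as `const char *pattern; /* map type name; exact STREQ match, no globbing */` would keep the next reader from assuming glob semantics the loader does not have. The file-scope `dict_dlinfo` is written only by dict_open_dlinfo() in this patch and read everywhere else; a one-line note recording that next to the declaration would help.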
+@@ -191,9 +226,11 @@
+ static DICT_OPEN_INFO dict_open_info[] = {
+ DICT_TYPE_ENVIRON, dict_env_open,
+ DICT_TYPE_UNIX, dict_unix_open,
++#ifndef MAX_DYNAMIC_MAPS
+ #ifdef SNAPSHOT
+ DICT_TYPE_TCP, dict_tcp_open,
+ #endif
++#endif
+ #ifdef HAS_DBM
+ DICT_TYPE_DBM, dict_dbm_open,
+ #endif
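Review bot: The new guard `#ifndef MAX_DYNAMIC_MAPS` around the TCP entry does not match the `NO_DYNAMIC_MAPS` macro every other part of this patch tests, and nothing visible defines MAX_DYNAMIC_MAPS, so the entry stays in the static table in every build; the same guard wraps the PCRE entry in the next hunk. Because dict_open3() consults the static hash before the dynamic table, a built-in entry silently shadows any `.so` listed for the same type, so the guard as written has no effect. If the intent is to keep these built-ins only when dynamic loading is off, both guards should read `#ifdef NO_DYNAMIC_MAPS`, with a short comment naming the build that supplies the types otherwise.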
+@@ -210,9 +247,11 @@
+ #ifdef HAS_NETINFO
+ DICT_TYPE_NETINFO, dict_ni_open,
+ #endif
++#ifndef MAX_DYNAMIC_MAPS
+ #ifdef HAS_PCRE
+ DICT_TYPE_PCRE, dict_pcre_open,
+ #endif
++#endif /* MAX_DYNAMIC_MAPS */
+ #ifdef HAS_POSIX_REGEXP
+ DICT_TYPE_REGEXP, dict_regexp_open,
+ #endif
+@@ -267,8 +306,31 @@
+
+ if (dict_open_hash == 0)
+ dict_open_init();
+- if ((dp = (DICT_OPEN_INFO *) htable_find(dict_open_hash, dict_type)) == 0)
+- msg_fatal("unsupported dictionary type: %s", dict_type);
++ if ((dp = (DICT_OPEN_INFO *) htable_find(dict_open_hash, dict_type)) == 0) {
++#ifdef NO_DYNAMIC_MAPS
++ msg_fatal("%s: unsupported dictionary type: %s", myname, dict_type);
++#else
++ struct stat st;
++ LIB_FN fn[2];
++ DICT *(*open) (const char *, int, int);
++ DLINFO *dl=dict_open_dlfind(dict_type);
++ if (!dl)
++ msg_fatal("%s: unsupported dictionary type: %s: Is the postfix-%s package installed?", myname, dict_type, dict_type);
++ if (stat(dl->soname,&st) < 0) {
++ msg_fatal("%s: unsupported dictionary type: %s (%s not found. Is the postfix-%s package installed?)",
++ myname, dict_type, dl->soname, dict_type);
++ }
++ fn[0].name = dl->openfunc;
++ fn[0].ptr = (void**)&open;
++ fn[1].name = NULL;
++ load_library_symbols(dl->soname, fn, NULL);
++ dict_open_register(dict_type, open);
++ dp = (DICT_OPEN_INFO *) htable_find(dict_open_hash, dict_type);
++#endif
++ }
++ if (msg_verbose>1) {
++ msg_info("%s: calling %s open routine",myname,dict_type);
++ }
+ if ((dict = dp->open(dict_name, open_flags, dict_flags)) == 0)
+ msg_fatal("opening %s:%s %m", dict_type, dict_name);
+ if (msg_verbose)
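Review bot: The `stat(dl->soname, &st)` check in the dynamic-load branch only proves the file exists before load_library_symbols() maps it into the calling process, where its code runs with that process's privileges; since the same path is also taken in dict_mkmap_func() in the next hunk, it is worth rejecting objects that are not root-owned or are group/world-writable, e.g. `if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH))) msg_fatal("%s: refusing to load %s: bad owner or permissions", myname, dl->soname);`. The loader handle is never released, presumably on purpose because `open` stays referenced from the hash table; a comment saying so would stop someone "fixing" it. The hunk also changes the fatal message from `unsupported dictionary type: %s` to `%s: unsupported dictionary type: %s`, which anything grepping logs for the old wording will miss.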
+@@ -276,6 +338,36 @@
+ return (dict);
+ }
+
++dict_mkmap_func_t dict_mkmap_func(const char *dict_type)
++{
++ char *myname="dict_mkmap_func";
++ struct stat st;
++ LIB_FN fn[2];
++ dict_mkmap_func_t mkmap;
++ DLINFO *dl;
++#ifndef NO_DYNAMIC_MAPS
++ if (!dict_dlinfo)
++ msg_fatal("dlinfo==NULL");
++ dl=dict_open_dlfind(dict_type);
++ if (!dl)
++ msg_fatal("%s: unsupported dictionary type: %s: Is the postfix-%s package installed?", myname, dict_type, dict_type);
++ if (stat(dl->soname,&st) < 0) {
++ msg_fatal("%s: unsupported dictionary type: %s (%s not found. Is the postfix-%s package installed?)",
++ myname, dict_type, dl->soname, dict_type);
++ }
++ if (!dl->mkmapfunc)
++ msg_fatal("%s: unsupported dictionary type: %s does not allow map creation.", myname, dict_type);
++
++ fn[0].name = dl->mkmapfunc;
++ fn[0].ptr = (void**)&mkmap;
++ fn[1].name = NULL;
++ load_library_symbols(dl->soname, fn, NULL);
++ return mkmap;
++#else
++ return (void(*)())NULL;
++#endif
++}
++
+ /* dict_open_register - register dictionary type */
+
+ void dict_open_register(const char *type,
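Review bot: In dict_mkmap_func() the locals `st`, `fn`, `mkmap` and `dl` are declared outside the `#ifndef NO_DYNAMIC_MAPS` block, so a NO_DYNAMIC_MAPS build gets four unused-variable warnings; move the declarations inside the block. The `if (!dict_dlinfo) msg_fatal("dlinfo==NULL")` check, repeated in dict_mapnames() in the hunk at L10161–L10257, gives an operator nothing to act on; dict_open3() above instead lets dict_open_dlfind() return NULL and reports `unsupported dictionary type`, and the same wording — or `"%s: dynamic map table not loaded (dict_open_dlinfo not called)"` — would be consistent here. A header comment of the form `/* dict_mkmap_func - resolve the mkmap setup function for a dynamic map type */` would match the `/* dict_open_register - register dictionary type */` style this file uses.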
+@@ -302,6 +394,9 @@
+ HTABLE_INFO **ht;
+ DICT_OPEN_INFO *dp;
+ ARGV *mapnames;
++#ifndef NO_DYNAMIC_MAPS
++ DLINFO *dlp;
++#endif
+
+ if (dict_open_hash == 0)
+ dict_open_init();
+@@ -310,11 +405,99 @@
+ dp = (DICT_OPEN_INFO *) ht[0]->value;
+ argv_add(mapnames, dp->type, ARGV_END);
+ }
++#ifndef NO_DYNAMIC_MAPS
++ if (!dict_dlinfo)
++ msg_fatal("dlinfo==NULL");
++ for (dlp=dict_dlinfo; dlp->pattern; dlp++) {
++ argv_add(mapnames, dlp->pattern, ARGV_END);
++ }
++#endif
+ myfree((char *) ht_info);
+ argv_terminate(mapnames);
+ return mapnames;
+ }
+
++#ifndef NO_DYNAMIC_MAPS
++#define STREQ(x,y) (x == y || (x[0] == y[0] && strcmp(x,y) == 0))
++
++void dict_open_dlinfo(const char *path)
++{
++ char *myname="dict_open_dlinfo";
++ VSTREAM *conf_fp=vstream_fopen(path,O_RDONLY,0);
++ VSTRING *buf = vstring_alloc(100);
++ char *cp;
++ ARGV *argv;
++ MVECT vector;
++ int nelm=0;
++ int linenum=0;
++
++ dict_dlinfo=(DLINFO*)mvect_alloc(&vector,sizeof(DLINFO),3,NULL,NULL);
++
++ if (!conf_fp) {
++ msg_warn("%s: cannot open %s. No dynamic maps will be allowed.",
++ myname, path);
++ } else {
++ while (vstring_get_nonl(buf,conf_fp) != VSTREAM_EOF) {
++ cp = vstring_str(buf);
++ linenum++;
++ if (*cp == '#' || *cp == '\0')
++ continue;
++ argv = argv_split(cp, " \t");
++ if (argv->argc != 3 && argv->argc != 4) {
++ msg_fatal("%s: Expected \"pattern .so-name open-function [mkmap-function]\" at line %d",
++ myname, linenum);
++ }
++ if (STREQ(argv->argv[0],"*")) {
++ msg_warn("%s: wildcard dynamic map entry no longer supported.",
++ myname);
++ continue;
++ }
++ if (argv->argv[1][0] != '/') {
++ msg_fatal("%s: .so name must begin with a \"/\" at line %d",
++ myname, linenum);
++ }
++ if (nelm >= vector.nelm) {
++ dict_dlinfo=(DLINFO*)mvect_realloc(&vector,vector.nelm+3);
++ }
++ dict_dlinfo[nelm].pattern = mystrdup(argv->argv[0]);
++ dict_dlinfo[nelm].soname = mystrdup(argv->argv[1]);
++ dict_dlinfo[nelm].openfunc = mystrdup(argv->argv[2]);
++ if (argv->argc==4)
++ dict_dlinfo[nelm].mkmapfunc = mystrdup(argv->argv[3]);
++ else
++ dict_dlinfo[nelm].mkmapfunc = NULL;
++ nelm++;
++ argv_free(argv);
++ }
++ }
++ if (nelm >= vector.nelm) {
++ dict_dlinfo=(DLINFO*)mvect_realloc(&vector,vector.nelm+1);
++ }
++ dict_dlinfo[nelm].pattern = NULL;
++ dict_dlinfo[nelm].soname = NULL;
++ dict_dlinfo[nelm].openfunc = NULL;
++ dict_dlinfo[nelm].mkmapfunc = NULL;
++ if (conf_fp)
++ vstream_fclose(conf_fp);
++ vstring_free(buf);
++}
++
++static DLINFO *dict_open_dlfind(const char *type)
++{
++ DLINFO *dp;
++
++ if (!dict_dlinfo)
++ return NULL;
++
++ for (dp=dict_dlinfo; dp->pattern; dp++) {
++ if (STREQ(dp->pattern,type))
++ return dp;
++ }
++ return NULL;
++}
++
++#endif /* !NO_DYNAMIC_MAPS */
++
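Review bot: In dict_open_dlinfo() the wildcard branch does `continue` without `argv_free(argv)`, leaking the ARGV for every `*` line, and a line containing only spaces or tabs passes the `'#'`/`'\0'` test, splits to argc == 0 and is then rejected as a fatal syntax error. Free before continuing, and treat an empty split as blank: `if (argv->argc == 0) { argv_free(argv); continue; }`. The wildcard warning would also be easier to act on with `at line %d` like the neighbouring diagnostics. `STREQ` evaluates both arguments more than once; it is only applied to plain lvalues here, which a comment on the macro could record so that stays true.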
+ #ifdef TEST
+
+ /*
+diff -urNad postfix-release/src/util/load_lib.c /tmp/dpep.TxugCA/postfix-release/src/util/load_lib.c
+--- postfix-release/src/util/load_lib.c 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/util/load_lib.c 2004-12-27 22:29:11.324097708 -0700
+@@ -0,0 +1,135 @@
++/*++
++/* NAME
++/* load_lib 3
++/* SUMMARY
++/* library loading wrappers
++/* SYNOPSIS
++/* #include <load_lib.h>
++/*
++/* extern int load_library_symbols(const char *, LIB_FN *, LIB_FN *);
++/* const char *libname;
++/* LIB_FN *libfuncs;
++/* LIB_FN *libdata;
++/*
++/* DESCRIPTION
++/* This module loads functions from libraries, returnine pointers
++/* to the named functions.
++/*
++/* load_library_symbols() loads all of the desired functions, and
++/* returns zero for success, or exits via msg_fatal().
++/*
++/* SEE ALSO
++/* msg(3) diagnostics interface
++/* DIAGNOSTICS
++/* Problems are reported via the msg(3) diagnostics routines:
++/* library not found, symbols not found, other fatal errors.
++/* LICENSE
++/* .ad
++/* .fi
++/* The Secure Mailer license must be distributed with this software.
++/* AUTHOR(S)
++/* LaMont Jones
++/* Hewlett-Packard Company
++/* 3404 Harmony Road
++/* Fort Collins, CO 80528, USA
++/*
++/* Wietse Venema
++/* IBM T.J. Watson Research
++/* P.O. Box 704
++/* Yorktown Heights, NY 10598, USA
++/*--*/
++
++/* System libraries. */
++
++#include "sys_defs.h"
++#include <stdlib.h>
++#include <stddef.h>
++#include <string.h>
++#if defined(HAS_DLOPEN)
++#include <dlfcn.h>
++#elif defined(HAS_SHL_LOAD)
++#include <dl.h>
++#endif
++
++/* Application-specific. */
++
++#include "msg.h"
++#include "load_lib.h"
++
++extern int load_library_symbols(const char * libname, LIB_FN * libfuncs, LIB_FN * libdata)
++{
++ char *myname = "load_library_symbols";
++ LIB_FN *fn;
++
++#if defined(HAS_DLOPEN)
++ void *handle;
++ char *emsg;
++
++ handle=dlopen(libname,RTLD_NOW);
++ emsg=dlerror();
++ if (emsg) {
++ msg_fatal("%s: dlopen failure loading %s: %s", myname, libname, emsg);
++ }
++
++ if (libfuncs) {
++ for (fn=libfuncs; fn->name; fn++) {
++ *(fn->ptr) = dlsym(handle,fn->name);
++ emsg=dlerror();
++ if (emsg) {
++ msg_fatal("%s: dlsym failure looking up %s in %s: %s", myname,
++ fn->name, libname, emsg);
++ }
++ if (msg_verbose>1) {
++ msg_info("loaded %s = %lx",fn->name, *((long*)(fn->ptr)));
++ }
++ }
++ }
++
++ if (libdata) {
++ for (fn=libdata; fn->name; fn++) {
++ *(fn->ptr) = dlsym(handle,fn->name);
++ emsg=dlerror();
++ if (emsg) {
++ msg_fatal("%s: dlsym failure looking up %s in %s: %s", myname,
++ fn->name, libname, emsg);
++ }
++ if (msg_verbose>1) {
++ msg_info("loaded %s = %lx",fn->name, *((long*)(fn->ptr)));
++ }
++ }
++ }
++#elif defined(HAS_SHL_LOAD)
++ shl_t handle;
++
++ handle = shl_load(libname,BIND_IMMEDIATE,0);
++
++ if (libfuncs) {
++ for (fn=libfuncs; fn->name; fn++) {
++ if (shl_findsym(&handle,fn->name,TYPE_PROCEDURE,fn->ptr) != 0) {
++ msg_fatal("%s: shl_findsym failure looking up %s in %s: %m",
++ myname, fn->name, libname);
++ }
++ if (msg_verbose>1) {
++ msg_info("loaded %s = %x",fn->name, *((long*)(fn->ptr)));
++ }
++ }
++ }
++
++ if (libdata) {
++ for (fn=libdata; fn->name; fn++) {
++ if (shl_findsym(&handle,fn->name,TYPE_DATA,fn->ptr) != 0) {
++ msg_fatal("%s: shl_findsym failure looking up %s in %s: %m",
++ myname, fn->name, libname);
++ }
++ if (msg_verbose>1) {
++ msg_info("loaded %s = %x",fn->name, *((long*)(fn->ptr)));
++ }
++ }
++ }
++
++#else
++ msg_fatal("%s: need dlopen or shl_load support for dynamic libraries",
++ myname);
++#endif
++ return 0;
++}
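Review bot: In the HAS_SHL_LOAD branch `handle = shl_load(libname, BIND_IMMEDIATE, 0)` is never checked before shl_findsym() is called with `&handle`, so a library that fails to load is not reported and the lookups may resolve against whatever is already mapped; add `if (handle == NULL) msg_fatal("%s: shl_load failure loading %s: %m", myname, libname);`. The dlopen branch relies on dlerror() alone; an explicit `if (handle == NULL)` check alongside it is the documented way to detect dlopen failure. The verbose trace reinterprets a `void *` as `long` (`%lx` in one branch, `%x` in the other, the latter wrong for a long), where `"%p", *(fn->ptr)` is portable and consistent. "returnine" in the DESCRIPTION should read "returning".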
+diff -urNad postfix-release/src/util/load_lib.h /tmp/dpep.TxugCA/postfix-release/src/util/load_lib.h
+--- postfix-release/src/util/load_lib.h 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/util/load_lib.h 2004-12-27 22:29:11.324097708 -0700
+@@ -0,0 +1,41 @@
++#ifndef _LOAD_LIB_H_INCLUDED_
++#define _LOAD_LIB_H_INCLUDED_
++
++/*++
++/* NAME
++/* load_lib 3h
++/* SUMMARY
++/* library loading wrappers
++/* SYNOPSIS
++/* #include "load_lib.h"
++/* DESCRIPTION
++/* .nf
++
++ /*
++ * External interface.
++ */
++/* NULL name terminates list */
++typedef struct LIB_FN {
++ const char *name;
++ void **ptr;
++} LIB_FN;
++
++extern int load_library_symbols(const char *, LIB_FN *, LIB_FN *);
++
++/* LICENSE
++/* .ad
++/* .fi
++/* The Secure Mailer license must be distributed with this software.
++/* AUTHOR(S)
++/* LaMont Jones
++/* Hewlett-Packard Company
++/* 3404 Harmony Road
++/* Fort Collins, CO 80528, USA
++/*
++/* Wietse Venema
++/* IBM T.J. Watson Research
++/* P.O. Box 704
++/* Yorktown Heights, NY 10598, USA
++/*--*/
++
++#endif
+diff -urNad postfix-release/src/util/sys_defs.h /tmp/dpep.TxugCA/postfix-release/src/util/sys_defs.h
+--- postfix-release/src/util/sys_defs.h 2004-12-27 22:28:28.652270351 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/util/sys_defs.h 2004-12-27 22:29:11.325097493 -0700
+@@ -550,11 +550,25 @@
+ #define UNIX_DOMAIN_CONNECT_BLOCKS_FOR_ACCEPT
+ #define PREPEND_PLUS_TO_OPTSTRING
+ #define HAS_POSIX_REGEXP
++#define HAS_DLOPEN
+ #define NATIVE_SENDMAIL_PATH "/usr/sbin/sendmail"
+ #define NATIVE_MAILQ_PATH "/usr/bin/mailq"
+ #define NATIVE_NEWALIAS_PATH "/usr/bin/newaliases"
+ #define NATIVE_COMMAND_DIR "/usr/sbin"
++#ifdef DEBIAN
++#define NATIVE_DAEMON_DIR "/usr/lib/postfix"
++#ifndef DEF_MANPAGE_DIR
++#define DEF_MANPAGE_DIR "/usr/share/man"
++#endif
++#ifndef DEF_SAMPLE_DIR
++#define DEF_SAMPLE_DIR "/usr/share/doc/postfix/examples"
++#endif
++#ifndef DEF_README_DIR
++#define DEF_README_DIR "/usr/share/doc/postfix"
++#endif
++#else
+ #define NATIVE_DAEMON_DIR "/usr/libexec/postfix"
++#endif
+ #if __GLIBC__ >= 2 && __GLIBC_MINOR__ >= 1
+ #define SOCKADDR_SIZE socklen_t
+ #define SOCKOPT_SIZE socklen_t
+@@ -620,6 +634,7 @@
+ #define USE_STATFS
+ #define STATFS_IN_SYS_VFS_H
+ #define HAS_POSIX_REGEXP
++#define HAS_DLOPEN
+ #define NATIVE_SENDMAIL_PATH "/usr/sbin/sendmail"
+ #define NATIVE_MAILQ_PATH "/usr/bin/mailq"
+ #define NATIVE_NEWALIAS_PATH "/usr/bin/newaliases"
+@@ -655,6 +670,7 @@
+ #define USE_STATFS
+ #define STATFS_IN_SYS_VFS_H
+ #define HAS_POSIX_REGEXP
++#define HAS_SHL_LOAD
+ #define NATIVE_SENDMAIL_PATH "/usr/sbin/sendmail"
+ #define NATIVE_MAILQ_PATH "/usr/bin/mailq"
+ #define NATIVE_NEWALIAS_PATH "/usr/bin/newaliases"
+@@ -692,6 +708,7 @@
+ #define USE_STATFS
+ #define STATFS_IN_SYS_VFS_H
+ #define HAS_POSIX_REGEXP
++#define HAS_SHL_LOAD
+ #define NATIVE_SENDMAIL_PATH "/usr/bin/sendmail"
+ #define NATIVE_MAILQ_PATH "/usr/bin/mailq"
+ #define NATIVE_NEWALIAS_PATH "/usr/bin/newaliases"
Added: trunk/kolab-postfix/debian/patches/30-kolab.dpatch
===================================================================
--- trunk/kolab-postfix/debian/patches/30-kolab.dpatch 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/patches/30-kolab.dpatch 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,41 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 30kolab.dpatch by Steffen Joeris <steffen.joeris at skolelinux.de>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+--- postfix-2.1.5/src/pipe/pipe.c.orig 2006-01-09 13:34:33.000000000 +0000
++++ postfix-2.1.5/src/pipe/pipe.c 2006-01-09 13:41:08.000000000 +0000
+@@ -349,6 +349,7 @@
+ #define PIPE_OPT_FOLD_USER (1<<16)
+ #define PIPE_OPT_FOLD_HOST (1<<17)
+ #define PIPE_OPT_QUOTE_LOCAL (1<<18)
++#define PIPE_OPT_ALLOW_NO_SENDER (1<<19)
+
+ #define PIPE_OPT_FOLD_FLAGS (PIPE_OPT_FOLD_USER | PIPE_OPT_FOLD_HOST)
+
+@@ -660,6 +661,9 @@
+ case 'h':
+ attr->flags |= PIPE_OPT_FOLD_HOST;
+ break;
++ case 'n':
++ attr->flags |= PIPE_OPT_ALLOW_NO_SENDER;
++ break;
+ case 'q':
+ attr->flags |= PIPE_OPT_QUOTE_LOCAL;
+ break;
+@@ -865,6 +869,13 @@
+ get_service_attr(&attr, argv);
+ }
+
++ if ((attr.flags & PIPE_OPT_ALLOW_NO_SENDER) == 0 && request->sender[0] == 0) {
++ buf = vstring_alloc(100);
++ canon_addr_internal(buf, MAIL_ADDR_MAIL_DAEMON);
++ myfree(request->sender);
++ request->sender = vstring_export(buf);
++ }
++
+ /*
+ * The D flag cannot be specified for multi-recipient deliveries.
+ */
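Review bot: The new default — substituting MAIL_ADDR_MAIL_DAEMON for an empty envelope sender unless flags=n is given — changes what every pipe(8) transport receives for bounce messages, yet the patch header still reads `## DP: No description.` and the pipe.c flags documentation (outside these hunks) gains no entry for `n`. Describe it in the DP line, e.g. `## DP: pipe(8): replace the empty (bounce) sender with the mailer-daemon address unless the new 'n' flag is set.`, and add the `n` flag to the man-page section of pipe.c. `buf` is assigned here without a declaration in the hunk, so it presumably exists in the enclosing function, which starts outside the hunk; confirm it does not still hold a live VSTRING at that point, since vstring_export() is the only release shown. The header line names the patch `30kolab.dpatch` while the file is `30-kolab.dpatch`.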
Added: trunk/kolab-postfix/debian/patches/50tls.dpatch
===================================================================
--- trunk/kolab-postfix/debian/patches/50tls.dpatch 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/patches/50tls.dpatch 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,30216 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 50tls.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-release/conf/postfix-files /tmp/dpep.cXJuVH/postfix-release/conf/postfix-files
+--- postfix-release/conf/postfix-files 2005-02-03 10:22:12.216284906 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/conf/postfix-files 2005-02-03 10:22:12.846144411 -0700
+@@ -81,6 +81,7 @@
+ $daemon_directory/smtp:f:root:-:755
+ $daemon_directory/smtpd:f:root:-:755
+ $daemon_directory/spawn:f:root:-:755
++$daemon_directory/tlsmgr:f:root:-:755
+ $daemon_directory/trivial-rewrite:f:root:-:755
+ $daemon_directory/verify:f:root:-:755
+ $daemon_directory/virtual:f:root:-:755
+@@ -173,6 +174,7 @@
+ $manpage_directory/man8/smtp.8:f:root:-:644
+ $manpage_directory/man8/smtpd.8:f:root:-:644
+ $manpage_directory/man8/spawn.8:f:root:-:644
++$manpage_directory/man8/tlsmgr.8:f:root:-:644
+ $manpage_directory/man8/trace.8:f:root:-:644
+ $manpage_directory/man8/trivial-rewrite.8:f:root:-:644
+ $manpage_directory/man8/verify.8:f:root:-:644
+@@ -184,6 +186,7 @@
+ $sample_directory/sample-debug.cf:f:root:-:644:o
+ $sample_directory/sample-filter.cf:f:root:-:644:o:o
+ $sample_directory/sample-flush.cf:f:root:-:644:o
++$sample_directory/sample-ipv6.cf:f:root:-:644:o
+ $sample_directory/sample-ldap.cf:f:root:-:644:o
+ $sample_directory/sample-lmtp.cf:f:root:-:644:o
+ $sample_directory/sample-local.cf:f:root:-:644:o
+@@ -204,6 +207,7 @@
+ $sample_directory/sample-scheduler.cf:f:root:-:644:o
+ $sample_directory/sample-smtp.cf:f:root:-:644:o
+ $sample_directory/sample-smtpd.cf:f:root:-:644:o
++$sample_directory/sample-tls.cf:f:root:-:644:o
+ $sample_directory/sample-transport.cf:f:root:-:644:o
+ $sample_directory/sample-verify.cf:f:root:-:644:o
+ $sample_directory/sample-virtual.cf:f:root:-:644:o
+@@ -222,6 +226,7 @@
+ $readme_directory/FILTER_README:f:root:-:644
+ $readme_directory/HOSTING_README:f:root:-:644:o
+ $readme_directory/INSTALL:f:root:-:644
++$readme_directory/IPV6_README:f:root:-:644
+ $readme_directory/LDAP_README:f:root:-:644
+ $readme_directory/LINUX_README:f:root:-:644
+ $readme_directory/LMTP_README:f:root:-:644
+diff -urNad postfix-release/IPv6-ChangeLog /tmp/dpep.cXJuVH/postfix-release/IPv6-ChangeLog
+--- postfix-release/IPv6-ChangeLog 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/IPv6-ChangeLog 2005-02-03 10:22:12.847144188 -0700
+@@ -0,0 +1,470 @@
++ChangeLog for Dean Strik's IPv6 patch for Postfix. The patch is based on
++PLD's patch, which in turn seems to be based on KAME's. For more information:
++
++ http://www.ipnet6.org/postfix/
++
++---------------------------------------------------------------------
++
++Version 1.24 Postfix release 2.1.1
++ Postfix release 2.0.20
++ Postfix snapshot 2.0.19-20040312
++ Postfix snapshot 2.2-20040504
++
++ Bugfix: Prefixlen non-noll host portion validation (in CIDR maps
++ for example) yielded incorrect results sometimes because signed
++ arithmetic was used instad of unsigned.
++ File: util/match_ops.c
++
++ Patch correction: The TLS+IPv6 patch for Postfix 2.1.0 missed
++ the master.cf update (used for new installattions). Added it
++ back.
++
++Version 1.23 Postfix release 2.1.0
++ Postfix release 2.0.20
++ Postfix snapshot 2.0.19-20040312
++
++ Patch fixes: Several code fixes to make the patch compile
++ and work correctly when compiled without IPv6 support.
++
++ Bugfix (Solaris only?): address family length was not updated
++ which could cause client hostname validation errors.
++ File: smtpd/smtpd_peer.c
++
++ Portability: added support for Darwin 7.3+. This may need
++ some further testing.
++
++ Cleanup: Restructure and redocument interface address
++ retrieval functions. (This reduced the number of preprocessor
++ statements from 99 to 93 ;)
++ File: util/inet_addr_local.c
++
++ Cleanup: make several explicit casts to have compilers shut
++ their pie holes about uninteresting things.
++
++Version 1.22 Postfix release 2.0.19
++ Postfix snapshot 2.0.19-20040312
++
++ Feature: Support "inet_interfaces = IPv4:all" and
++ "inet_interfaces = IPv6:all", to restrict postfix to use
++ either IPv4-only or IPv6-only. A more complete implementation
++ will be part of a future patch. (Slightly modified) patch by
++ Michal Ludvig, SuSE.
++ Files: util/interfaces_to_af.[ch], util/inet_addr_local.c,
++ global/own_inet_addr.c, global/wildcard_inet_addr.[ch],
++ master/master_ent.ch
++
++ Bugfix: In Postfix snapshots, a #define was misplaced with
++ the effect that IPv6 subnets were not included in auto-
++ generated $mynetworks (i.e., mynetworks not defined in main.cf,
++ when also mynetworks_style=subnet) on Linux 2.x systems.
++ File: utils/sys_defs.h
++
++Version 1.21a Postfix snapshots 2.0.18-2004{0122,0205,0209}
++ 2.0.19-20040312
++
++ TLS/snapshot version: Update TLS patch to 0.8.18-20040122.
++ Performed as a total repatch. 0.8.18 is cleaner with tls_*
++ variables if TLS is not actually compiled in.
++
++Version 1.21 Postfix releases 2.0.18 - 2.0.19
++ Postfix snapshot 2.0.16-20031231
++
++ Bugfix: The SMTP client could fail to setup a connection,
++ erroring with a bogus "getaddrinfo(...): hostname nor servname
++ provided" warning, because the wrong address was selected.
++ File: smtp/smtp_connect.c
++
++ Safety: in dynamically growing data structures, update the
++ length info after (instead of before) updating the data size.
++ File: util/inet_addr_list.c
++
++Version 1.20 Postfix release 2.0.16
++ Postfix snapshot 2.0.16-20031207
++
++ Bugfix: The SMTP client would abort when binding to specific
++ IPv6 addresses.
++ File: smtp/smtp_connect.c
++
++ Synchronisation/bugfix: LMTP source address binding is identical
++ to the SMTP source binding setup, avoiding the need for
++ lmtp_bind_address(6) if inet_interfaces is set to a single
++ host for an address family.
++ File: lmtp/lmtp_connect.c
++
++Version 1.19 Postfix release 2.0.16
++ Postfix snapshot 2.0.16-20031207
++
++ Bugfix: Synchronisation of TLS patches in snapshots of 1.18[ab]
++ was not complete, causing a crash of smtpd if used with the new
++ proxy agent.
++ File: smtpd/smtpd.c
++
++ Bugfix: SMTP source address binding based on a single hostname
++ in inet_interfaces did not work since the code counted IPv4 and
++ IPv6 addresses instead of only the used address family. Fixed,
++ thereby no longer requiring exact specification of
++ smtp_bind_address(6) in this case.
++ File: smtp/smtp_connect.c
++
++ Bugfix: The QMQP sink server did not compile correctly. This
++ program, part of smtpstone tools, is not compiled or installed
++ by default.
++ File: smtpstone/qmqp-sink.c
++
++ Bugfix: NI_WITHSCOPEID was not correctly defined everywhere,
++ which could result in EAI_BADFLAGS. Changed location of
++ definition to correct it.
++ Files: util/sys_defs.h, util/inet_addr_list.h
++
++Version 1.18b Postfix snapshot 2.0.16-20030921
++
++ IPv6 support: Added IPv6-enabled code to the new snapshot
++ check_*_{ns,mx}_access restrictions.
++ File: smtpd/smtpd_check.c
++
++Version 1.18a Postfix release 2.0.16
++
++ Update (TLS patches): Updated Lutz Jaenicke's TLS patch to
++ version 0.8.16. See pfixtls/ChangeLog for details.
++ Diff contributed by Tuomo Soini.
++
++ The TLS+IPv6 patch now contains the original TLS patch
++ documentation from Lutz Jaenicke.
++
++Version 1.18 Postfix releases 2.0.14 - 2.0.15
++ Postfix snapshot 2.0.14-20030812
++
++ Bugfix: Perform actual hostname verification in the SMTP
++ and QMTP servers. This was never supported in the IPv6
++ patch. Reported by Wolfgang S. Rupprecht.
++ Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c
++
++ IPv6 address ranges using address/prefixlength (e.g. in
++ mynetworks and access maps) should be written as
++ [ipv6:addr:ess]/plen (e.g. [fec0:10:20::]/48). The old
++ supported syntax, [ipv6:addr:ess/plen] is deprecated and
++ support will be removed in a later version.
++ Thanks to Dr. Peter Bieringer and Pekka Savola for discussion.
++ Files: util/match_ops.c, global/mynetworks.c
++
++ Explicitly prefer IPv6 over IPv4 addresses when delivering
++ to a host when MX lookups are disabled when SMTP address
++ randomization is on (default).
++ File: smtp/smtp_addr.c
++
++ Compliance: write IPv6 address literals in mail headers
++ as [IPv6:addr] instead of [addr] as per RFC 2821:4.1.3
++ tagging requirement, for example [IPv6:fec0:10:20::1].
++ Pointed out by Dr. Peter Bieringer.
++ Files: smtpd/smtpd{,_peer,_state}.c, smtpd/smtpd.h
++
++Version 1.17 Postfix release 2.0.13, 2.0.14
++ Postfix snapshot 2.0.13-20030706, 2.0.14-20030812
++
++ Bugfix: Two memory allocation/deallocation bugs were
++ introduced in patch 1.16. The impact of these bugs could
++ be 'arbitrary' memory corruption.
++ File: util/match_ops.c
++
++Version 1.16 Postfix release 2.0.13
++ Postfix snapshot 2.0.13-20030706
++
++ Cleanup: rewrote match_ops.c. This rewrite is partly based on
++ patch by Takahiro Igarashi. The rewrite enables some better
++ handling of scoped addresses, and drops all GPL code from the
++ patch, easying license considerations. Also, allowed for
++ use of this code by the CIDR maps.
++ Files: util/match_ops.[ch]
++
++ Bugfix: correctly relay for scoped unicast addresses when
++ applicable. Until now, while Postfix was able to recognize
++ scoped addresses, it was not able to see e.g. fe80::10%fxp0
++ as local in mynetworks validation. KAME-only code.
++ (I've never heard of people using scoped addresses (think
++ link-local addresses) for mail relaying though...)
++ Files: util/inet_addr_list.[ch]
++
++ Feature (snapshot only): rewrote CIDR maps code to support
++ IPv6 addresses, using new match_ops code. Allow the use
++ of [::/0] since it allows one to easily disable further
++ checks for IPv6 addresses.
++ File: util/dict_cidr.c
++
++ Consistency: require IPv6 addresses in inet_interfaces to
++ be enclosed in square brackets.
++ File: util/inet_addr_host.c
++
++ Bugfix: (Linux2-only) A #define was misspelled. This could
++ lead to Postfix being unable to read the system's local IPv6
++ addresses (e.g. when using inet_interfaces).
++ Spotted by Jochen Friedrich.
++ File: util/sys_defs.h
++
++ Cleanup: require non-null host portion in CIDR /
++ prefixlength notations for IPv6 (was IPv4-only).
++
++Version 1.15a Postfix release 2.0.13
++
++ Update (TLS patches): Updated Lutz Jaenicke's TLS patch
++ to version 0.8.15. This version introduces new options
++ for managing SASL mechanisms. More information at:
++ http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/
++ Diff contributed by Tuomo Soini.
++
++Version 1.15 Postfix release 2.0.12, 2.0.13
++ Postfix snapshot 2.0.12-20030621
++
++ Bugfix (TLS-snapshots only): a change in Postfix snapshot
++ 2.0.11-20030609 broke initialisation of TLS in smtpd,
++ causing TLS to both be unadvertised and unaccepted.
++ This was fixed again by reordering initialisation.
++ File: smtpd/smtpd.c
++
++ Update (TLS patches): Updated Lutz Jaenicke's TLS patch
++ to version 0.8.14. This version introduces a few fixes and
++ uses USE_SSL instead of HAS_SSL. More information at:
++ http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/
++ Diff contributed by Tuomo Soini.
++
++ Bugfix (Postfix releases only - this was already added to
++ the snapshots in patch 1.14). KAME derived systems only.
++ Correctly decode scoped addresses, including network
++ interface specifiers.
++ File: util/inet_addr_local.c
++
++Version 1.14 Postfix releases 2.0.9, 2.0.10, 2.0.11, 2.0.12
++ Postfix snapshots 2.0.9-20030424, 2.0.10-20030521,
++ 2.0.11-20030609, 2.0.12-20030611
++
++ Patch change: made the patch available as an IPv6-only
++ patch (i.e., without the TLS code). This on popular
++ request by users and packagers.
++ A TLS+IPv6 version is still available of course.
++
++ Bugfix: correctly decode scoped addresses from now on
++ (KAME derived systems only). I think the original code
++ was written by Itojun, so I'm rather puzzled that it
++ didn't work...
++ File: util/inet_addr_local.c
++
++ Bugfix/portability: Recent KAME snapshots return both
++ TCP and SCTP address information on getaddrinfo() if
++ no protocol was specified. This causes the socket counts
++ to be wrong, confusing child processes.
++ Merged patch by JINMEI Tatuya of KAME to fix this.
++ Files: master/master.h, master/master_{ent,conf}.[ch],
++ util/inet_listen.c
++
++ Documentation: added an IPV6_README file to the patch.
++ This file contains the primary documentation. Also,
++ added a sample-ipv6.cf to describe the (currently few)
++ IPv6 related main.cf parameters.
++
++ Bugfix: the netmask structures for the *unsupported*
++ platforms (boldly assume /64) were added to the wrong
++ list (addresses instead of masks). This bug did not affect
++ any supported platform though.
++ File: util/inet_addr_local.c
++
++ Portability: added support for HP/Compaq Tru64Unix V5.1
++ and later. (compiled with CompaqCC only).
++ Thanks to Sten Spans for providing root access to an
++ IPv6-connected Tru64 testing machine.
++
++Version 1.13 Postfix releases 2.0.4 - 2.0.9
++ Postfix snapshots 2.0.3-20030126 - 2.0.7-20030319
++
++ Bugfix: Due to a missing storage pointer, DNS lookup
++ results in the permit_mx_backups code were not processed,
++ and smtpd would likely crash.
++ Thanks to Wouter de Jong for reporting the crashes.
++ File: smtpd/smtpd_check.c
++
++ Incompatible change: The addresses given to the parameters
++ smtp_bind_address6 and lmtp_bind_address6 now need to be
++ enclosed in square brackets for consistency.
++ Files: [ls]mtp/[ls]mtp_connect.c
++
++Version 1.12 Postfix releases 2.0.2, 2.0.3
++ Postfix snapshots 2.0.2-20030115, 2.0.3-20030126
++
++ Bugfix/workaround (Solaris): A simplified comparison
++ function for Solaris' qsort() function, would result
++ in corruption of network addresses in the SMTP client.
++ Fixed. Reported with possible fix by Edvard Tuinder.
++ File: smtp/smtp_addr.c
++
++Version 1.11 Postfix releases 2.0.0.x, 2.0.1, 2.0.2
++ Postfix snapshots 2.0.0-20030105, 2.0.1-20030112
++ 2.0.2-20030115
++
++ Bugfix (Solaris): Properly initialize lifconf structure
++ when requesting host interface addresses. If you get
++ warnings about SIOCGLIFCONF with earlier versions,
++ please upgrade.
++ File: util/inet_addr_local.c
++
++ Patch fix: fixed compilation errors in case the patch is
++ applied but built without IPv6 support (i.e., on unsupported
++ platforms).
++
++Version 1.10 Postfix snapshots 1.1.12-200212{19,21}
++ Postfix releases 2.0.0, 2.0.0.{1,2}
++ Postfix snapshots 2.0.0-20021223 - 2.0.0-20030101
++
++ 'Bugfix': don't show spurious warnings on Linux systems
++ about missing /proc/net/if_inet6 unless verbose mode
++ is enabled.
++ File: util/inet_addr_local.c
++
++ Bugfix: If unable to create a socket for a specific adress
++ in the SMTP client (e.g., when trying to create an IPv6
++ connection while the local host has no configured IPv6
++ addresses), then stop the attempt.
++ File: smtp/smtp_connect.c
++
++ Small bugfix: never query DNS for <localpart@[domain.tld]>.
++ This syntax now correctly generates an error immediately.
++ File: global/resolve_local.c
++
++ Updated TLS patch to 0.8.12-1.1.12-20021219-0.9.6h, fixing
++ a bug with "sendmail -bs".
++
++Version 1.9 Postfix version 1.1.11-20021115
++ Postfix version 1.1.12-2002{1124,1209-1213}
++
++ Bugfix: with getifaddrs() code (*BSD, linux-USAGI), IPv4
++ netmasks were set to /32 effectively. Work around broken
++ netmask data structures (*BSD only perhaps).
++
++ Bugfix: same data corruption in another place created
++ entirely wrong IPv4 netmasks. Work around broken
++ SIOCGIFNETMASK structure.
++
++ New code was added for correct IPv6 netmasks. The original
++ code did not contain IPv6 netmask support at all!
++ For Solaris, use SIOCGLIF*; Linux: /proc/net/if_inet6.
++ Getifaddrs() support is used otherwise. This should cover
++ all supported systems. Other systems also work, prefix
++ length is always set to /64 then.
++
++ Since there are no classes (context: Class A, class B etc
++ networks) with IPv6, default to IPv6 subnet style if the
++ mynetworks style is 'class'. I recommend against this style
++ anyway.
++
++ Added support to display IPv6 nets mynetworks output.
++
++Version 1.8 Postfix version 1.1.11-200211{01,15}
++
++ An earlier author of the patch made a typo in the GAI_STRERROR()
++ macro, resulting in bogus error messages when checking for
++ PTR records. Fixed.
++
++ IPv4-mapped addresses in the smtpd are converted to true IPv4
++ addresses just after the connection has been made. This means
++ that all IPv4-mapped addresses are now logged as true IPv4
++ addresses. Hence beside RBL checks, also access maps now treat
++ IPv4-mapped addresses as native IPv4. Note that ::ffff:...
++ entries in your access tables will no longer work.
++
++ You can now specify IPv6 'parent' networks in your access maps,
++ e.g. to reject all mail from 3ffe:200:... nodes, add the line
++ 3ffe:200 REJECT
++ Use of trailing colons is discouraged because postmap will
++ warn about it possibly being an alias...
++ NOTE: I'll soon obsolete this again in favor of the more
++ common address/len notation. This was just so trivial to add
++ that it didn't hurt and I needed it :)
++
++ For easy reference, the version of the TLS/IPv6 patch can be
++ dynamically queried using the tls_ipv6_version variable.
++ This gives the short version (like, "1.8").
++
++ The service bind address for 'inet' sockets in master.cf (e.g.,
++ smtpd), must be enclosed in square brackets '[..]' for IPv6
++ addresses. The old style (without brackets) still works but is
++ unsupported and may be removed in the future. Example
++ [::1]:smtp inet n - n - - smtpd
++
++Version 1.7 Postfix version 1.1.11-20021029 - 1.1.11-20021101
++
++ Postfix' SMTP client performs randomization of MX addresses
++ when sending mail. This however could result in A records
++ being used before AAAA records. This has been corrected.
++
++ Note that from Postfix version 1.1.11-20021029 on, there is
++ a proxy_interfaces parameter. This has of course not been
++ ported to IPv6 addresses...
++
++Version 1.6 Postfix version 1.1.11-20020928
++
++ Added IPv6 support for backup_mx_networks feature; also the
++ behaviour when DNS lookups fail when checking whether the
++ local host is an MX for a domain conforms to the IPv4 case:
++ defer rather than allow.
++
++Version 1.5 Postfix version 1.1.11-20020917
++
++ I introduced two bugs when I rewrote my older LMTP IPv6 patch.
++ These bugs effectively rendered LMTP useless. Now fixed.
++ Bugs spotted by Kaj Niemi.
++
++ Now supports Solaris 8 and 9. Due to lack of testing equipment,
++ this has been only tested in production on Solaris 9, both
++ with gcc and the Sun Workshop Compiler.
++
++Version 1.4 Postfix version 1.1.11-20020822 - 1.1.11-20020917
++
++ OpenBSD (>=200003) and FreeBSD release 4 and up now use
++ getifaddrs(). This makes for cleaner code. The old code
++ seems to be bug-ridden anyway.
++
++ Got rid of some compiler warnings. Should be cleaner on
++ Alpha as well now. Thanks to Sten Spans for providing me
++ access to an Alpha running FreeBSD4.
++
++ Fixed an old bug in smtpd memory alloation if you compiled
++ without IPv6 support (the wrong buffer size was used. This
++ was harmless for IPv6-enabled compiles since the sizes were
++ equal then).
++
++ Added ChangeLog to the patch (as IPv6-ChangeLog) (this
++ was absent in 1.3 contrary to docs).
++
++Version 1.3 Postfix version 1.1.11-20020613 - 1.1.11-20020718
++
++ FYI: In postfix version 1.1.11-20020718, DNS lookups for
++ AAAA can be done natively. The code matches the code in
++ the patch (though the #ifdef changed from INET6 to T_AAAA).
++ This change causes the patch for 1.1.11-20020718 to be a
++ bit smaller.
++
++Version 1.2 Postfix version 1.1.11-20020613
++
++ Added IPv6 support for the LMTP client.
++
++ Added lmtp_bind_address and lmtp_bind_address6 parameters,
++ similar to those for smtp.
++
++ Added IPv6 support for the QMQP server.
++
++Version 1.1 Postfix version 1.1.11-20020602 - 1.1.11-20020613
++
++ Added parameter smtp_bind_address6. By using this parameter,
++ it is possible to bind to an IPv6 address, independently of
++ IPv4 address binding.
++
++ Lutz fixed a bug in his TLS patch regarding SASL. Incorporated.
++
++Version 1.0.x Postfix version 1.1.8-20020505 - 1.1.11-20020602
++
++ Patch derived from PLD's IPv6 patch for Postfix, revision 1.10
++ which applied to early Postfix snapshots 1.1.x. Updated this
++ patch to apply to 1.1.8-20020505.
++
++ Added compile-time checks for SS_LEN. Some Linux installations,
++ and maybe other systems, do define SA_LEN, but not SS_LEN.
++
++ Several updates of postfix snapshots.
++
+diff -urNad postfix-release/makedefs /tmp/dpep.cXJuVH/postfix-release/makedefs
+--- postfix-release/makedefs 2005-02-03 10:22:12.217284683 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/makedefs 2005-02-03 10:22:12.847144188 -0700
+@@ -327,6 +327,33 @@
+ ;;
+ esac
+
++# Check for IPv6 support
++
++if [ -z "$NO_IPV6" ] ; then
++if [ -f /usr/include/netinet6/in6.h ] ; then
++ grep __KAME__ /usr/include/netinet6/in6.h 2>&1 >/dev/null
++ if [ $? = 1 ]; then
++ INET6=
++ else
++ if [ -f /usr/local/v6/lib/libinet6.a ]; then
++ INET6=kame
++ else
++ INET6=kame-merged
++ fi
++ fi
++fi
++if [ -z "$INET6" -a -f /usr/include/netinet/ip6.h ]; then
++ case "$SYSTYPE" in
++ SUNOS5) INET6=solaris ;;
++ OSF1) INET6=osf1 ;;
++ *) ;;
++ esac
++fi
++if [ -z "$INET6" -a -f /usr/include/netinet/ip6.h -a -f /usr/include/linux/icmpv6.h ]; then
++ INET6=linux
++fi
++fi # [-z NO_IPV6]
++
+ # Defaults that can be overruled (make makefiles CC=cc OPT=-O6 DEBUG=)
+ # Disable optimizations by default when compiling for Purify. Disable
+ # optimizations by default with gcc 2.8, until the compiler is known to
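Review bot: The redirection order on the `grep __KAME__ /usr/include/netinet6/in6.h 2>&1 >/dev/null` line is reversed, so stderr is duplicated onto the original stdout before stdout goes to /dev/null and any grep diagnostic still reaches the build output; it should read `grep __KAME__ /usr/include/netinet6/in6.h >/dev/null 2>&1`. The following `if [ $? = 1 ]` also treats a grep error exit (status 2, e.g. an unreadable header) the same as a match, which then selects a KAME build on a system that may not have one; testing `$? = 0` for the match branch would make the probe fail closed (INET6 left empty, i.e. no IPv6) instead. A one-line comment such as `# exit 1 = pattern absent; 0 = KAME header; 2 = grep error` above the test would make the intent of the status check explicit.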
+@@ -346,6 +373,31 @@
+ -Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
+ -Wunused'}
+
++case "$INET6" in
++kame)
++ CCARGS="$CCARGS -DINET6 -DINET6_KAME"
++ CCARGS="$CCARGS -D__ss_family=ss_family -D__ss_len=ss_len"
++ if test -f /usr/local/v6/lib/libinet6.a; then
++ SYSLIBS="$SYSLIBS -L/usr/local/v6/lib -linet6"
++ fi
++ ;;
++kame-merged)
++ CCARGS="$CCARGS -DINET6 -DINET6_KAME"
++ CCARGS="$CCARGS -D__ss_family=ss_family -D__ss_len=ss_len"
++ ;;
++solaris|osf1)
++ CCARGS="$CCARGS -DINET6 -D__ss_family=ss_family -D__ss_len=ss_len"
++ ;;
++linux)
++ CCARGS="$CCARGS -DINET6 -D__ss_family=ss_family"
++ if test -f /usr/include/libinet6/netinet/ip6.h -a \
++ -f /usr/lib/libinet6.a; then
++ CCARGS="$CCARGS -I/usr/include/libinet6 -DUSAGI_LIBINET6"
++ SYSLIBS="$SYSLIBS -linet6"
++ fi
++ ;;
++esac
++
+ export SYSTYPE AR ARFL RANLIB SYSLIBS CC OPT DEBUG AWK OPTS
+
+ sed 's/ / /g' <<EOF
+diff -urNad postfix-release/man/man8/tlsmgr.8 /tmp/dpep.cXJuVH/postfix-release/man/man8/tlsmgr.8
+--- postfix-release/man/man8/tlsmgr.8 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/man/man8/tlsmgr.8 2005-02-03 10:22:12.848143965 -0700
+@@ -0,0 +1,130 @@
++.TH TLSMGR 8
++.ad
++.fi
++.SH NAME
++tlsmgr
++\-
++Postfix TLS session cache and PRNG handling manager
++.SH SYNOPSIS
++.na
++.nf
++\fBtlsmgr\fR [generic Postfix daemon options]
++.SH DESCRIPTION
++.ad
++.fi
++The tlsmgr process does housekeeping on the session cache database
++files. It runs through the databases and removes expired entries
++and entries written by older (incompatible) versions.
++
++The tlsmgr is responsible for the PRNG handling. The used internal
++OpenSSL PRNG has a pool size of 8192 bits (= 1024 bytes). The pool
++is initially seeded at startup from an external source (EGD or
++/dev/urandom) and additional seed is obtained later during program
++run at a configurable period. The exact time of seed query is
++using random information and is equally distributed in the range of
++[0-\fBtls_random_reseed_period\fR] with a \fBtls_random_reseed_period\fR
++having a default of 1 hour.
++
++Tlsmgr can be run chrooted and with dropped privileges, as it will
++connect to the entropy source at startup.
++
++The PRNG is additionally seeded internally by the data found in the
++session cache and timevalues.
++
++Tlsmgr reads the old value of the exchange file at startup to keep
++entropy already collected during previous runs.
++
++From the PRNG random pool a cryptographically strong 1024 byte random
++sequence is written into the PRNG exchange file. The file is updated
++periodically with the time changing randomly from
++[0-\fBtls_random_prng_update_period\fR].
++.SH STANDARDS
++.na
++.nf
++.SH SECURITY
++.na
++.nf
++.ad
++.fi
++Tlsmgr is not security-sensitive. It only deals with external data
++to be fed into the PRNG, the contents is never trusted. The session
++cache housekeeping will only remove entries if expired and will never
++touch the contents of the cached data.
++.SH DIAGNOSTICS
++.ad
++.fi
++Problems and transactions are logged to the syslog daemon.
++.SH BUGS
++.ad
++.fi
++There is no automatic means to limit the number of entries in the
++session caches and/or the size of the session cache files.
++.SH CONFIGURATION PARAMETERS
++.na
++.nf
++.ad
++.fi
++The following \fBmain.cf\fR parameters are especially relevant to
++this program. See the Postfix \fBmain.cf\fR file for syntax details
++and for default values. Use the \fBpostfix reload\fR command after
++a configuration change.
++.SH Session Cache
++.ad
++.fi
++.IP \fBsmtpd_tls_session_cache_database\fR
++Name of the SDBM file (type sdbm:) containing the SMTP server session
++cache. If the file does not exist, it is created.
++.IP \fBsmtpd_tls_session_cache_timeout\fR
++Expiry time of SMTP server session cache entries in seconds. Entries
++older than this are removed from the session cache. A cleanup-run is
++performed periodically every \fBsmtpd_tls_session_cache_timeout\fR
++seconds. Default is 3600 (= 1 hour).
++.IP \fBsmtp_tls_session_cache_database\fR
++Name of the SDBM file (type sdbm:) containing the SMTP client session
++cache. If the file does not exist, it is created.
++.IP \fBsmtp_tls_session_cache_timeout\fR
++Expiry time of SMTP client session cache entries in seconds. Entries
++older than this are removed from the session cache. A cleanup-run is
++performed periodically every \fBsmtp_tls_session_cache_timeout\fR
++seconds. Default is 3600 (= 1 hour).
++.SH Pseudo Random Number Generator
++.ad
++.fi
++.IP \fBtls_random_source\fR
++Name of the EGD socket or device or regular file to obtain entropy
++from. The type of entropy source must be specified by preceding the
++name with the appropriate type: egd:/path/to/egd_socket,
++dev:/path/to/devicefile, or /path/to/regular/file.
++tlsmgr opens \fBtls_random_source\fR and tries to read
++\fBtls_random_bytes\fR from it.
++.IP \fBtls_random_bytes\fR
++Number of bytes to be read from \fBtls_random_source\fR.
++Default value is 32 bytes. If using EGD, a maximum of 255 bytes is read.
++.IP \fBtls_random_exchange_name\fR
++Name of the file written by tlsmgr and read by smtp and smtpd at
++startup. The length is 1024 bytes. Default value is
++/etc/postfix/prng_exch.
++.IP \fBtls_random_reseed_period\fR
++Time in seconds until the next reseed from external sources is due.
++This is the maximum value. The actual point in time is calculated
++with a random factor equally distributed between 0 and this maximum
++value. Default is 3600 (= 60 minutes).
++.IP \fBtls_random_prng_update_period\fR
++Time in seconds until the PRNG exchange file is updated with new
++pseude random values. This is the maximum value. The actual point
++in time is calculated with a random factor equally distributed
++between 0 and this maximum value. Default is 60 (= 1 minute).
++.SH SEE ALSO
++.na
++.nf
++smtp(8) SMTP client
++smtpd(8) SMTP server
++.SH LICENSE
++.na
++.nf
++.ad
++.fi
++The Secure Mailer license must be distributed with this software.
++.SH AUTHOR(S)
++.na
++.nf
+diff -urNad postfix-release/proto/Makefile.in /tmp/dpep.cXJuVH/postfix-release/proto/Makefile.in
+--- postfix-release/proto/Makefile.in 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/proto/Makefile.in 2005-02-03 10:22:12.848143965 -0700
+@@ -29,6 +29,7 @@
+ ../html/SMTPD_POLICY_README.html \
+ ../html/SMTPD_PROXY_README.html \
+ ../html/STANDARD_CONFIGURATION_README.html \
++ ../html/TLS_README.html \
+ ../html/TUNING_README.html \
+ ../html/UUCP_README.html ../html/ULTRIX_README.html \
+ ../html/VERP_README.html ../html/VIRTUAL_README.html \
+@@ -59,6 +60,7 @@
+ ../README_FILES/SMTPD_ACCESS_README \
+ ../README_FILES/SMTPD_POLICY_README ../README_FILES/SMTPD_PROXY_README \
+ ../README_FILES/STANDARD_CONFIGURATION_README \
++ ../README_FILES/TLS_README \
+ ../README_FILES/TUNING_README \
+ ../README_FILES/UUCP_README ../README_FILES/ULTRIX_README \
+ ../README_FILES/VERP_README ../README_FILES/VIRTUAL_README \
+@@ -233,6 +235,9 @@
+ ../html/STANDARD_CONFIGURATION_README.html: STANDARD_CONFIGURATION_README.html
+ $(POSTLINK) $? >$@
+
++../html/TLS_README.html: TLS_README.html
++ $(POSTLINK) $? >$@
++
+ ../html/TUNING_README.html: TUNING_README.html
+ $(POSTLINK) $? >$@
+
+@@ -356,6 +361,9 @@
+ ../README_FILES/STANDARD_CONFIGURATION_README: STANDARD_CONFIGURATION_README.html
+ $(HT2READ) $? >$@
+
++../README_FILES/TLS_README: TLS_README.html
++ $(HT2READ) $? >$@
++
+ ../README_FILES/TUNING_README: TUNING_README.html
+ $(HT2READ) $? >$@
+
+diff -urNad postfix-release/proto/postconf.proto /tmp/dpep.cXJuVH/postfix-release/proto/postconf.proto
+--- postfix-release/proto/postconf.proto 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/proto/postconf.proto 2005-02-03 10:22:12.985113413 -0700
+@@ -3814,6 +3814,20 @@
+ <dd>Permit the request when the client IP address matches any
+ network listed in $mynetworks. </dd>
+
++<dt><b><a name="permit_tls_all_clientcerts">permit_tls_all_clientcerts</a></b></dt>
++
++<dd> Permit the request when the remote SMTP client certificate is
++verified successfully. This option must be used only if a special
++CA issues the certificates and only this CA is listed as trusted
++CA, otherwise all clients with a recognized certificate would be
++allowed to relay. </dd>
++
++<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
++
++<dd>Permit the request when the remote SMTP client certificate is
++verified successfully, and the certificate fingerprint is listed
++in $relay_clientcerts. </dd>
++
+ <dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
+
+ <dd>Reject the request when the reversed client network address is
+@@ -6787,3 +6801,618 @@
+ remote domains. Available before Postfix version 2.0. With Postfix 2.1
+ and later, this is replaced by separate controls: virtual_alias_domains
+ and virtual_alias_maps. </p>
++
++%PARAM smtpd_tls_cert_file
++
++<p> File with the Postfix SMTP server RSA certificate in PEM format.
++This file may also contain the server private key. </p>
++
++<p> Both RSA and DSA certificates are supported. When both types
++are present, the cipher used determines which certificate will be
++presented to the client. For Netscape and OpenSSL clients without
++special cipher choices the RSA certificate is preferred. </p>
++
++<p> In order to verify a certificate, the CA certificate (in case
++of a certificate chain, all CA certificates) must be available.
++You should add these certificates to the server certificate, the
++server certificate first, then the issuing CA(s). </p>
++
++<p> Example: the certificate for "server.dom.ain" was issued by
++"intermediate CA" which itself has a certificate of "root CA".
++Create the server.pem file with "cat server_cert.pem intermediate_CA.pem
++root_CA.pem > server.pem". </p>
++
++<p> If you want to accept certificates issued by these CAs yourself,
++you can also add the CA certificates to the smtpd_tls_CAfile, in
++which case it is not necessary to have them in the smtpd_tls_dcert_file
++or smtpd_tls_cert_file. </p>
++
++<p> A certificate supplied here must be usable as SSL server
++certificate and hence pass the "openssl verify -purpose sslserver
++..." test. </p>
++
++<p> Example: </p>
++
++<pre>
++smtpd_tls_cert_file = /etc/postfix/server.pem
++</pre>
++
++%PARAM smtpd_tls_key_file $smtpd_tls_cert_file
++
++<p> File with the Postfix SMTP server RSA private key in PEM format.
++This file may be combined with the server certificate file specified
++with $smtpd_tls_cert_file. </p>
++
++<p> The private key must not be encrypted. In other words, the key
++must be accessible without password. </p>
++
++%PARAM smtpd_tls_dcert_file
++
++<p> File with the Postfix SMTP server DSA certificate in PEM format.
++This file may also contain the server private key. <p>
++
++<p> See the discussion under smtpd_tls_cert_file for more details.
++</p>
++
++<p> Example: </p>
++
++<pre>
++smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
++</pre>
++
++%PARAM smtpd_tls_dkey_file $smtpd_tls_dcert_file
++
++<p> File with the Postfix SMTP server DSA private key in PEM format.
++This file may be combined with the server certificate file specified
++with $smtpd_tls_dcert_file. </p>
++
++<p> The private key must not be encrypted. In other words, the key
++must be accessible without password. </p>
++
++%PARAM smtpd_tls_CAfile
++
++<p> The file with the certificate of the certification authority
++(CA) that issued the Postfix SMTP server certificate. This is
++needed only when the CA certificate is not already present in the
++server certificate file. This file may also contain the CA
++certificates of other trusted CAs. You must use this file for the
++list of trusted CAs if you want to use chroot-mode. </p>
++
++<p> Example: </p>
++
++<pre>
++smtpd_tls_CAfile = /etc/postfix/CAcert.pem
++</pre>
++
++%PARAM smtpd_tls_CApath
++
++<p> Directory with PEM format certificate authority certificates
++that the Postfix SMTP server offers to remote SMTP clients for the
++purpose of client certificate verification. Do not forget to create
++the necessary "hash" links with, for example, "$OPENSSL_HOME/bin/c_rehash
++/etc/postfix/certs". </p>
++
++<p> To use this option in chroot mode, this directory (or a copy)
++must be inside the chroot jail. Please note that in this case the
++CA certificates are not offered to the client, so that e.g. Netscape
++clients might not offer certificates issued by them. Use of this
++feature is therefore not recommended. </p>
++
++<p> Example: </p>
++
++<pre>
++smtpd_tls_CApath = /etc/postfix/certs
++</pre>
++
++%PARAM smtpd_tls_loglevel 0
++
++<p> Enable additional Postfix SMTP server logging of TLS activity.
++Each logging level also includes the information that is logged at
++a lower logging level. </p>
++
++<dl compact>
++
++<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
++
++<dt> </dt> <dd> 1 Log TLS handshake and certificate information. </dd>
++
++<dt> </dt> <dd> 2 Log levels during TLS negotiation. </dd>
++
++<dt> </dt> <dd> 3 Log hexadecimal and ASCII dump of TLS negotiation
++process. </dd>
++
++<dt> </dt> <dd> 4 Also log hexadecimal and ASCII dump of complete
++transmission after STARTTLS. </dd>
++
++</dl>
++
++<p> Use "smtpd_tls_loglevel = 3" only in case of problems. Use of
++loglevel 4 is strongly discouraged. </p>
++
++%PARAM smtpd_tls_received_header no
++
++<p> Request that the Postfix SMTP server produces Received: message
++headers that include information about the protocol and cipher used,
++as well as the client CommonName and client certificate issuer
++CommonName. This is disabled by default, as the information may
++be modified in transit through other mail servers. Only information
++that was recorded by the final destination can be trusted. </p>
++
++%PARAM smtpd_use_tls no
++
++<p> Enable TLS support in the Postfix SMTP server. </p>
++
++<p> Note: when invoked via "sendmail -bs", Postfix will never offer
++STARTTLS due to insufficient privileges to access the server private
++key. This is intended behavior. </p>
++
++%PARAM smtpd_enforce_tls no
++
++<p> Require that remote SMTP clients use TLS encryption. According
++to RFC 2487 this MUST NOT be applied in case of a publicly-referenced
++SMTP server. This option is off by default and should only rarely
++be used. </p>
++
++<p> This option implies "smtpd_use_tls = yes". </p>
++
++<p> Note: when invoked via "sendmail -bs", Postfix will never offer
++STARTTLS due to insufficient privileges to access the server private
++key. This is intended behavior. </p>
++
++%PARAM smtpd_tls_wrappermode no
++
++<p> Run the Postfix SMTP server in the non-standard "wrapper" mode,
++instead of using the STARTTLS command. </p>
++
++<p> If you want to support this service, enable a special port in
++master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP
++server's command line. Port 465 (smtps) was once chosen for this
++purpose. </p>
++
++%PARAM smtpd_tls_ask_ccert no
++
++<p> Ask a remote SMTP client for a client certificate. This
++information is needed for certificate based mail relaying with,
++for example, the permit_tls_clientcerts feature. </p>
++
++<p> Some clients such as Netscape will either complain if no
++certificate is available (for the list of CAs in /etc/postfix/certs)
++or will offer multiple client certificates to choose from. This
++may be annoying, so this option is "off" by default. </p>
++
++%PARAM smtpd_tls_req_ccert no
++
++<p> When TLS encryption is enforced, require a remote SMTP client
++certificate in order to allow TLS connections to proceed. This
++option implies "smtpd_tls_ask_ccert = yes". </p>
++
++<p> When TLS encryption is optional, remote SMTP clients can bypass
++the restriction by simply not using STARTTLS at all. For this reason
++a TLS connection will be handled as if only "smtpd_tls_ask_ccert
++= yes" is specified. </p>
++
++%PARAM smtpd_tls_ccert_verifydepth 5
++
++<p> The verification depth for remote SMTP client certificates. A
++depth of 1 is sufficient if the issuing CA is listed in a local CA
++file. The default value should also suffice for longer chains (the
++root CA issues special CA which then issues the actual certificate...).
++</p>
++
++%PARAM smtpd_tls_auth_only no
++
++<p> When TLS encryption is optional in the Postfix SMTP server, do
++not announce or accept SASL authentication over un-encrypted
++connections. </p>
++
++%PARAM smtpd_tls_session_cache_database
++
++<p> Name of the SDBM file (type sdbm:) containing the optional
++Postfix SMTP server TLS session cache. SDBM is required in order
++to support concurrent updates. The file is created if it does not
++exist. </p>
++
++<p> Example: </p>
++
++<pre>
++smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
++</pre>
++
++%PARAM smtpd_tls_session_cache_timeout 3600s
++
++<p> The expiration time of Postfix SMTP server TLS session cache
++information. A cache cleanup is performed periodically every
++$smtpd_tls_session_cache_timeout seconds. </p>
++
++%PARAM relay_clientcerts
++
++<p> The list of remote SMTP client certificates for which the
++Postfix SMTP server will allow access with the permit_tls_clientcerts
++feature. This feature does not use certificate names, because
++Postfix list manipulation routines treat whitespace and some other
++characters as special. Instead we use certificate fingerprints as
++they are difficult to fake but easy to use for lookup. </p>
++
++<p> Postfix lookup tables are in the form of (key, value) pairs.
++Since we only need the key, the value can be chosen freely, e.g.
++the name of the user or host:
++D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home </p>
++
++<p> Example: </p>
++
++<pre>
++relay_clientcerts = hash:/etc/postfix/relay_clientcerts
++</pre>
++
++%PARAM smtpd_tls_cipherlist
++
++<p> Controls the Postfix SMTP server TLS cipher selection scheme.
++For details, see the OpenSSL documentation. Note: do not use ""
++quotes around the parameter value. </p>
++
++%PARAM smtpd_tls_dh1024_param_file
++
++<p> File with DH parameters that the Postfix SMTP server should
++use with EDH ciphers. </p>
++
++<p> Instead of using the exact same parameter sets as distributed
++with other TLS packages, it is more secure to generate your own
++set of parameters with something like the following command: </p>
++
++<pre>
++openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
++</pre>
++
++<p> Your actual source for entropy may differ. Some systems have
++/dev/random; on other system you may consider using the "Entropy
++Gathering Daemon EGD", available at http://www.lothar.com/tech/crypto/.
++</p>
++
++<p> Example: </p>
++
++<pre>
++smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
++</pre>
++
++%PARAM smtpd_tls_dh512_param_file
++
++<p> File with DH parameters that the Postfix SMTP server should
++use with EDH ciphers. </p>
++
++<p> See also the discussion under the smtpd_tls_dh1024_param_file
++configuration parameter. </p>
++
++<p> Example: </p>
++
++<pre>
++smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
++</pre>
++
++%PARAM smtpd_starttls_timeout 300s
++
++<p> The time limit for Postfix SMTP server write and read operations
++during TLS startup and shutdown handshake procedures. </p>
++
++%PARAM smtp_tls_cert_file
++
++<p> File with the Postfix SMTP client RSA certificate in PEM format.
++This file may also contain the client private key, and these may
++be the same as the server certificate and key file. </p>
++
++<p> In order to verify certificates, the CA certificate (in case
++of a certificate chain, all CA certificates) must be available.
++You should add these certificates to the server certificate, the
++server certificate first, then the issuing CA(s). </p>
++
++<p> Example: the certificate for "client.dom.ain" was issued by
++"intermediate CA" which itself has a certificate of "root CA".
++Create the client.pem file with "cat client_cert.pem intermediate_CA.pem
++root_CA.pem > client.pem". </p>
++
++<p> If you want to accept remote SMTP server certificates issued
++by these CAs yourself, you can also add the CA certificates to the
++smtp_tls_CAfile, in which case it is not necessary to have them in
++the smtp_tls_cert_file or smtp_tls_dcert_file. </p>
++
++<p> A certificate supplied here must be usable as SSL client certificate and
++hence pass the "openssl verify -purpose sslclient ..." test. </p>
++
++<p> Example: </p>
++
++<pre>
++smtp_tls_cert_file = /etc/postfix/client.pem
++</pre>
++
++%PARAM smtp_tls_key_file $smtp_tls_cert_file
++
++<p> File with the Postfix SMTP client RSA private key in PEM format.
++This file may be combined with the client certificate file specified
++with $smtp_tls_cert_file. </p>
++
++<p> The private key must not be encrypted. In other words, the key
++must be accessible without password. </p>
++
++<p> Example: </p>
++
++<pre>
++smtp_tls_key_file = $smtp_tls_cert_file
++</pre>
++
++%PARAM smtp_tls_CAfile
++
++<p> The file with the certificate of the certification authority
++(CA) that issued the Postfix SMTP client certificate. This is
++needed only when the CA certificate is not already present in the
++client certificate file. </p>
++
++<p> Example: </p>
++
++<pre>
++smtp_tls_CAfile = /etc/postfix/CAcert.pem
++</pre>
++
++%PARAM smtp_tls_CApath
++
++<p> Directory with PEM format certificate authority certificates
++that the Postfix SMTP client uses to verify a remote SMTP server
++certificate. Don't forget to create the necessary "hash" links
++with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
++</p>
++
++<p> To use this option in chroot mode, this directory (or a copy)
++must be inside the chroot jail. </p>
++
++<p> Example: </p>
++
++<pre>
++smtp_tls_CApath = /etc/postfix/certs
++</pre>
++
++%PARAM smtp_tls_loglevel 0
++
++<p> Enable additional Postfix SMTP client logging of TLS activity.
++Each logging level also includes the information that is logged at
++a lower logging level. </p>
++
++<dl compact>
++
++<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
++
++<dt> </dt> <dd> 1 Log TLS handshake and certificate information. </dd>
++
++<dt> </dt> <dd> 2 Log levels during TLS negotiation. </dd>
++
++<dt> </dt> <dd> 3 Log hexadecimal and ASCII dump of TLS negotiation
++process. </dd>
++
++<dt> </dt> <dd> 4 Log hexadecimal and ASCII dump of complete
++transmission after STARTTLS. </dd>
++
++</dl>
++
++<p> Use "smtp_tls_loglevel = 3" only in case of problems. Use of
++loglevel 4 is strongly discouraged. </p>
++
++%PARAM smtp_tls_session_cache_database
++
++<p> Name of the SDBM file (type sdbm:) containing the optional
++Postfix SMTP client TLS session cache. SDBM is required in order
++to support concurrent updates. The file is created if it does not
++exist. </p>
++
++<p> Example: </p>
++
++<pre>
++smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
++</pre>
++
++%PARAM smtp_tls_session_cache_timeout 3600s
++
++<p> The expiration time of Postfix SMTP client TLS session cache
++information. A cache cleanup is performed periodically every
++$smtp_tls_session_cache_timeout seconds. </p>
++
++%PARAM smtp_use_tls no
++
++<p> Always use TLS when a remote SMTP server announces STARTTLS
++support. Beware: some remote SMTP servers offer STARTTLS even if
++it is not configured. If the TLS handshake fails, and no other
++server is available, delivery is deferred and mail stays in the
++queue. If this is a concern for you, use the smtp_tls_per_site
++feature instead. </p>
++
++%PARAM smtp_enforce_tls no
++
++<p> Require that remote SMTP servers use TLS encryption. This also
++requires that the remote SMTP server hostname matches the information
++in the remote server certificate, and that the remote SMTP server
++certificate was issued by a CA that is trusted by the Postfix SMTP
++client. If the certificate doesn't verify or the hostname doesn't
++match, delivery is deferred and mail stays in the queue. </p>
++
++<p> The hostname used in the check is performed against all names
++provided as dNSNames in the SubjectAlternativeName. If no dNSNames
++are specified, the CommonName is checked. The behavior may be
++changed with the smtp_tls_enforce_peername option. </p>
++
++<p> This option is useful only if you are definitely sure that you
++will only connect to servers that support RFC 2487 _and_ that
++provide valid server certificates. It is relatively safe to use
++for local clients that only send email to one mailhub with the
++necessary STARTTLS support. </p>
++
++%PARAM smtp_tls_enforce_peername yes
++
++<p> When TLS encryption is enforced, require that the remote SMTP
++server hostname matches the information in the remote SMTP server
++certificate. As of RFC 2487 the requirements for hostname checking
++for MTA clients are not set. </p>
++
++<p> This option can be set to "no" to disable strict peer name
++checking. This setting has no effect on sessions that are controlled
++via the smtp_tls_per_site table. </p>
++
++<p> Disabling the hostname verification can make sense in closed
++environment where special CAs are created. If not used carefully,
++this option opens the danger of a "man-in-the-middle" attack (the
++CommonName of this attacker will be logged). </p>
++
++%PARAM smtp_tls_per_site
++
++<p> Optional lookup tables with the Postfix SMTP client TLS usage
++policy by next-hop domain name and by remote SMTP server hostname.
++</p>
++
++<p> Table format: domain names or server hostnames are specified
++on the left-hand side; no wildcards are allowed. On the right hand
++side specify one of the following keywords: </p>
++
++<dl>
++
++<dt> NONE </dt> <dd>Don't use TLS at all. </dd>
++
++<dt> MAY </dt> <dd>Try to use STARTTLS if offered,
++otherwise use the un-encrypted connection. </dd>
++
++<dt> MUST </dt> <dd>Require usage of STARTTLS, require that the
++remote SMTP server hostname matches the information in the remote
++SMTP server certificate, and require that the remote SMTP server
++certificate was issued by a trusted CA. </dd>
++
++<dt> MUST_NOPEERMATCH </dt> <dd>Require usage of STARTTLS, but do
++not require that the remote SMTP server hostname matches the
++information in the remote SMTP server certificate, or that the
++server certificate was issued by a trusted CA. </dd>
++
++</dl>
++
++<p> Special hint for enforcement mode: since no secure DNS lookup
++mechanism is available, the recommended setup is: specify local
++transport(5) table entries for sensitive domains with explicit
++smtp:[mailhost] destinations (since you can assure security of this
++table unlike DNS), then specify MUST for these mail hosts in the
++smtp_tls_per_site table. </p>
++
++%PARAM smtp_tls_scert_verifydepth 5
++
++<p> The verification depth for remote SMTP server certificates. A
++depth of 1 is sufficient, if the certificate is directly issued by
++a CA listed in the CA files. The default value (5) should suffice
++for longer chains (the root CA issues special CA which then issues
++the actual certificate...). </p>
++
++%PARAM smtp_tls_note_starttls_offer no
++
++<p> Log the hostname of a remote SMTP server that offers STARTTLS,
++when TLS is not already enabled for that server. </p>
++
++<p> The logfile record looks like: </p>
++
++<pre>
++postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]
++</pre>
++
++%PARAM smtp_tls_cipherlist
++
++<p> Controls the Postfix SMTP client TLS cipher selection scheme.
++For details, see the OpenSSL documentation. Note: do not use ""
++quotes around the parameter value. </p>
++
++%PARAM smtp_starttls_timeout 300s
++
++<p> Time limit for Postfix SMTP client write and read operations
++during TLS startup and shutdown handshake procedures. </p>
++
++%PARAM smtp_tls_dkey_file $smtp_tls_dcert_file
++
++<p> File with the Postfix SMTP client DSA private key in PEM format.
++The private key must not be encrypted. In other words, the key must
++be accessible without password. </p>
++
++<p> This file may be combined with the server certificate file
++specified with $smtp_tls_cert_file. </p>
++
++%PARAM smtp_tls_dcert_file
++
++<p> File with the Postfix SMTP client DSA certificate in PEM format.
++This file may also contain the server private key. </p>
++
++<p> See the discussion under smtp_tls_cert_file for more details.
++</p>
++
++<p> Example: </p>
++
++<pre>
++smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
++</pre>
++
++%PARAM tls_random_exchange_name ${config_directory}/prng_exch
++
++<p> Name of the pseudo random number generator (PRNG) seed file
++that is maintained by tlsmgr(8), and that is read by the smtp(8)
++and smtpd(8) processes upon startup. The file length is fixed at
++1024 bytes, and is created by tlsmgr(8) when it does not exist.
++</p>
++
++<p> Since this file is changed by Postfix, it should probably be
++kept in the /var file system, instead of under $config_directory.
++The location should not be inside the chroot jail. </p>
++
++%PARAM tls_random_source
++
++<p> The external entropy source for the in-memory tlsmgr(8) pseudo
++random number generator (PRNG) pool. Be sure to specify a non-blocking
++source. If this source is not a regular file, the entropy source
++type must be prepended: egd:/path/to/egd_socket for a source with
++EGD compatible socket interface, or dev:/path/to/device for a
++device file. </p>
++
++%PARAM tls_random_bytes 32
++
++<p> The number of bytes that tlsmgr(8) reads from $tls_random_source
++when (re)seeding the in-memory pseudo random number generator (PRNG)
++pool. The default of 32 bytes (256 bits) is good enough for 128bit
++symmetric keys. If using EGD, a maximum of 255 bytes is read. </p>
++
++%PARAM tls_random_reseed_period 3600s
++
++<p> The maximal time between attempts by tlsmgr(8) to re-seed the
++in-memory pseudo random number generator (PRNG) pool from external
++sources. The actual time between re-seeding attempts is calculated
++using the PRNG, and is between 0 and the time specified. </p>
++
++%PARAM tls_random_prng_update_period 60s
++
++<p> The maximal time between attempts by tlsmgr(8) to rewrite the
++pseudo random number generator (PRNG) seed file specified with
++$tls_random_exchange_name. This file is read by smtpd(8) and smtpd(8)
++processes in order to seed their PRNGs. The actual time between
++rewriting attempts is calculated using the PRNG, and is between 0
++and the time specified. </p>
++
++%PARAM tls_daemon_random_source
++
++<p> Optional external source of entropy that can be read by smtpd(8)
++and smtpd(8) processes in order to initialize their PRNGs. Be sure
++to specify a non-blocking source. The entropy source type must be
++prepended to the source name: egd:/path/to/egd_socket for a source
++with EGD compatible socket interface, or dev:/path/to/device for
++a device file. </p>
++
++<p> Examples: </p>
++
++<pre>
++tls_daemon_random_source = dev:/dev/urandom
++tls_daemon_random_source = egd:/var/run/egd-pool
++</pre>
++
++%PARAM tls_daemon_random_bytes 32
++
++<p> The amount of data that smtpd(8) and smtpd(8) processes read
++from the entropy source specified with $tls_daemon_random_source.
++The default of 32 bytes (equivalent to 256 bits) is sufficient to
++generate a 128bit (or 168bit) session key. </p>
++
++<p> Usage of this option may drain EGD (consider the case of 50
++smtp(8) processes starting up with a full queue and "postfix start",
++which will request 1600 bytes of entropy). This is however not
+diff -urNad postfix-release/proto/TLS_README.html /tmp/dpep.cXJuVH/postfix-release/proto/TLS_README.html
+--- postfix-release/proto/TLS_README.html 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/proto/TLS_README.html 2005-02-03 10:22:12.994111406 -0700
+@@ -0,0 +1,1093 @@
++<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
++ "http://www.w3.org/TR/html4/loose.dtd">
++
++<html>
++
++<head>
++
++<title>Postfix TLS Support </title>
++
++<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
++
++</head>
++
++<body>
++
++<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix TLS Support
++</h1>
++
++<hr>
++
++<h2> Purpose of this document </h2>
++
++<p> This document describes how to configure the Transport Layer
++Security (TLS) support in the Postfix SMTP client and Postfix SMTP server,
++and how to configure the TLS manager daemon that maintains the
++Pseudo Random Number Generator (PRNG) pool and the TLS session
++cache information. </p>
++
++<p> Topics covered in this document: </p>
++
++<ul>
++
++<li><a href="#server_tls">SMTP Server specific settings</a>
++
++<li> <a href="#client_tls">SMTP Client specific settings</a>
++
++<li><a href="#tlsmgr_controls"> TLS manager specific settings </a>
++
++<li><a href="#problems"> Reporting problems </a>
++
++<li><a href="#credits"> Credits </a>
++
++</ul>
++
++<h2><a name="server_tls">SMTP Server specific settings</a></h2>
++
++<p> Topics covered in this section: </p>
++
++<ul>
++
++<li><a href="#server_cert_key">Server-side certificate and private
++key configuration </a>
++
++<li><a href="#server_logging"> Server-side TLS activity logging
++</a>
++
++<li><a href="#server_enable">Enabling TLS in the Postfix SMTP server </a>
++
++<li><a href="#server_vrfy_client">Client certificate verification</a>
++
++<li><a href="#server_tls_auth">Supporting AUTH over TLS only</a>
++
++<li><a href="#server_tls_cache">Server-side TLS session cache</a>
++
++<li><a href="#server_access">Server access control</a>
++
++<li><a href="#server_cipher">Server-side cipher controls</a>
++
++<li><a href="#server_misc"> Miscellaneous server controls</a>
++
++</ul>
++
++<h3><a name="server_cert_key">Server-side certificate and private
++key configuration </a> </h3>
++
++<p> In order to use TLS, the Postfix SMTP server needs a certificate
++and a private key. Both must be in "pem" format. The private key
++must not be encrypted, meaning: the key must be accessible without
++password. Both certificate and private key may be in the same
++file. </p>
++
++<p> Both RSA and DSA certificates are supported. Typically you will
++only have RSA certificates issued by a commercial CA. In addition,
++the tools supplied with OpenSSL will by default issue RSA certificates.
++You can have both at the same time, in which case the cipher used
++determines which certificate is presented. For Netscape and OpenSSL
++clients without special cipher choices, the RSA certificate is
++preferred. </p>
++
++<p> In order for remote SMTP clients to check the Postfix SMTP
++server certificates, the CA certificate (in case of a certificate
++chain, all CA certificates) must be available. You should add
++these certificates to the server certificate, the server certificate
++first, then the issuing CA(s). </p>
++
++<p> Example: the certificate for "server.dom.ain" was issued by
++"intermediate CA" which itself has a certificate issued by "root
++CA". Create the server.pem file with: </p>
++
++<blockquote>
++<pre>
++cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem
++</pre>
++</blockquote>
++
++<p> If you want the Postfix SMTP server to accept remote SMTP client
++certificates issued by these CAs, you can also add the CA certificates
++to the smtpd_tls_CAfile, in which case it is not necessary to have
++them in the smtpd_tls_cert_file or smtpd_tls_dcert_file. </p>
++
++<p> A Postfix SMTP server certificate supplied here must be usable
++as SSL server certificate and hence pass the "openssl verify -purpose
++sslserver
++..." test. </p>
++
++<p> RSA key and certificate examples: </p>
++
++<blockquote>
++<pre>
++smtpd_tls_cert_file = /etc/postfix/server.pem
++smtpd_tls_key_file = $smtpd_tls_cert_file
++</pre>
++</blockquote>
++
++<p> Their DSA counterparts: </p>
++
++<blockquote>
++<pre>
++smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
++smtpd_tls_dkey_file = $smtpd_tls_dcert_file
++</pre>
++</blockquote>
++
++<p> The Postfix SMTP server certificate was issued by a certification
++authority (CA), the CA-cert of which must be provided with the CA
++file if it is not already provided in the certificate file. The
++CA file may also contain the CA certificates of other trusted CAs.
++You must use this file for the list of trusted CAs if you want to
++use chroot-mode. No default is supplied for this value as of now.
++</p>
++
++<p> Example: </p>
++<blockquote>
++<pre>
++smtpd_tls_CAfile = /etc/postfix/CAcert.pem
++</pre>
++</blockquote>
++
++<p> To verify a remote SMTP client certificate, the Postfix SMTP
++server needs to know the certificates of the issuing certification
++authorities. These certificates in "pem" format are collected in
++a directory. The same CA certificates are offered to clients for
++client verification. Don't forget to create the necessary "hash"
++links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical
++place for the CA certificates may also be $OPENSSL_HOME/certs, so
++there is no default and you explicitly have to set the value here!
++</p>
++
++<p> To use this option in chroot mode, this directory itself or a
++copy of it must be inside the chroot jail. Please note also, that
++the CAs in this directory are not listed to the client, so that
++e.g. Netscape might not offer certificates issued by them. For
++this reason, the use of this feature is discouraged. </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtpd_tls_CApath = /etc/postfix/certs
++</pre>
++</blockquote>
++
++<h3><a name="server_logging"> Server-side TLS activity logging </a> </h3>
++
++<p> To get additional information about Postfix SMTP server TLS
++activity you can increase the loglevel from 0..4. Each logging
++level also includes the information that is logged at a lower
++logging level. </p>
++
++<blockquote>
++
++<table>
++
++<tr> <td> 0 </td> <td> Disable logging of TLS activity.</td> </tr>
++
++<tr> <td> 1 </td> <td> Log TLS handshake and certificate information.
++</td> </tr>
++
++<tr> <td> 2 </td> <td> Log levels during TLS negotiation. </td>
++</tr>
++
++<tr> <td> 3 </td> <td> Log hexadecimal and ASCII dump of TLS
++negotiation process </td> </tr>
++
++<tr> <td> 4 </td> <td> Log hexadecimal and ASCII dump of complete
++transmission after STARTTLS </td> </tr>
++
++</table>
++
++</blockquote>
++
++<p> Use loglevel 3 only in case of problems. Use of loglevel 4 is
++strongly discouraged. </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtpd_tls_loglevel = 0
++</pre>
++</blockquote>
++
++<p> To include information about the protocol and cipher used as
++well as the client and issuer CommonName into the "Received:"
++message header, set the smtpd_tls_received_header variable to true.
++The default is no, as the information is not necessarily authentic.
++Only information recorded at the final destination is reliable,
++since the headers may be changed by intermediate servers. </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtpd_tls_received_header = yes
++</pre>
++</blockquote>
++
++<h3><a name="server_enable">Enabling TLS in the Postfix SMTP server </a> </h3>
++
++<p> By default, TLS is disabled in the Postfix SMTP server, so no
++difference to plain Postfix is visible. Explicitly switch it on
++using "smtpd_use_tls = yes". </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtpd_use_tls = yes
++</pre>
++</blockquote>
++
++<p> Note: when an unprivileged user invokes "sendmail -bs", STARTTLS
++is never offered due to insufficient privileges to access the server
++private key. This is intended behavior. </p>
++
++<p> You can ENFORCE the use of TLS, so that the Postfix SMTP server
++accepts no commands (except QUIT of course) without TLS encryption,
++by setting "smtpd_enforce_tls = yes". According to RFC 2487 this
++MUST NOT be applied in case of a publicly-referenced Postfix SMTP
++server. So this option is off by default and should only seldom
++be used. Using this option implies "smtpd_use_tls = yes". </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtpd_enforce_tls = yes
++</pre>
++</blockquote>
++
++<p> Besides RFC 2487 some clients, namely Outlook [Express] prefer
++to run the non-standard "wrapper" mode, not the STARTTLS enhancement
++to SMTP. This is true for OE (Win32 < 5.0 and Win32 >=5.0 when
++run on a port<>25 and OE (5.01 Mac on all ports). </p>
++
++<p> It is strictly discouraged to use this mode from main.cf. If
++you want to support this service, enable a special port in master.cf
++and specify "-o smtpd_tls_wrappermode = yes" as an smtpd(8) command
++line option. Port 465 (smtps) was once chosen for this feature.
++</p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtpd_tls_wrappermode = no
++</pre>
++</blockquote>
++
++<h3><a name="server_vrfy_client">Client certificate verification</a> </h3>
++
++<p> To receive a remote SMTP client certificate, the Postfix SMTP
++server must explicitly ask for one by sending the $smtpd_tls_CAfile
++certificates to the client. Unfortunately, Netscape clients will
++either complain if no matching client certificate is available or
++will offer the user client a list of certificates to choose from.
++This might be annoying, so this option is "off" by default. You
++will however need the certificate if you want to use certificate
++based relaying with, for example, the permit_tls_client_certs
++feature. </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtpd_tls_ask_ccert = no
++</pre>
++</blockquote>
++
++<p> You may also decide to REQUIRE a remote SMTP client certificate
++before allowing TLS connections. This feature is included for
++completeness, and implies "smtpd_tls_ask_ccert = yes". </p>
++
++<p> Please be aware, that this will inhibit TLS connections without
++a proper client certificate and that it makes sense only when
++non-TLS submission is disabled (smtpd_enforce_tls = yes). Otherwise,
++clients could bypass the restriction by simply not using STARTTLS
++at all. </p>
++
++<p> When TLS is not enforced, the connection will be handled as
++if only "smtpd_tls_ask_ccert = yes" is specified, and a warning is
++logged. </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtpd_tls_req_ccert = no
++</pre>
++</blockquote>
++
++<p> A client certificate verification depth of 1 is sufficient if
++the certificate is directly issued by a CA listed in the CA file.
++The default value (5) should also suffice for longer chains (root
++CA issues special CA which then issues the actual certificate...)
++</p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtpd_tls_ccert_verifydepth = 5
++</pre>
++</blockquote>
++
++<h3><a name="server_tls_auth">Supporting AUTH over TLS only</a></h3>
++
++<p> Sending AUTH data over an un-encrypted channel poses a security
++risk. When TLS layer encryption is required (smtpd_enforce_tls =
++yes), the Postfix SMTP server will announce and accept AUTH only
++after the TLS layer has been activated with STARTTLS. When TLS
++layer encryption is optional (smtpd_enforce_tls = no), it may
++however still be useful to only offer AUTH when TLS is active. To
++maintain compatibility with non-TLS clients, the default is to
++accept AUTH without encryption. In order to change this behavior,
++set "smtpd_tls_auth_only = yes". </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtpd_tls_auth_only = no
++</pre>
++</blockquote>
++
++<h3><a name="server_tls_cache">Server-side TLS session cache</a> </h3>
++
++<p> The Postfix SMTP server and the remote SMTP client negotiate a
++session, which takes some computer time and network bandwidth. By
++default, this session information is cached only in the smtpd(8)
++process actually using this session and is lost when the process
++terminates. To share the session information between multiple
++smtpd(8) processes, a persistent session cache can be used based
++on the SDBM databases (routines included in Postfix/TLS). Since
++concurrent writing must be supported, only SDBM can be used. </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
++</pre>
++</blockquote>
++
++<p> Cached Postfix SMTP server session information expires after
++a certain amount of time. Postfix/TLS does not use the OpenSSL
++default of 300s, but a longer time of 3600sec (=1 hour). RFC 2246
++recommends a maximum of 24 hours. </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtpd_tls_session_cache_timeout = 3600s
++</pre>
++</blockquote>
++
++<h3><a name="server_access">Server access control</a> </h3>
++
++<p> Postfix TLS support introduces two additional features for
++Postfix SMTP server access control: </p>
++
++<blockquote>
++
++<dl>
++
++<dt> permit_tls_clientcerts </dt> <dd> <p> Allow the remote SMTP
++client SMTP request if the client certificate passes verification,
++and if its fingerprint is listed in the list of client certificates
++(see relay_clientcerts discussion below). </p> </dd>
++
++<dt> permit_tls_all_clientcerts </dt> <dd> <p> Allow the remote
++client SMTP request if the client certificate passes verification.
++</p> </dd>
++
++</dl>
++
++</blockquote>
++
++<p> The permit_tls_all_clientcerts feature must be used with caution,
++because it can result in too many access permissions. Use this
++feature only if a special CA issues the client certificates, and
++only if this CA is listed as trusted CA. If other CAs are trusted,
++any owner of a valid client certificate would be authorized.
++The permit_tls_all_clientcerts feature can be practical for a
++specially created email relay server. </p>
++
++<p> It is however recommended to stay with the permit_tls_clientcerts
++feature and list all certificates via $relay_clientcerts, as
++permit_tls_all_clientcerts does not permit any control when a
++certificate must no longer be used (e.g. an employee leaving). </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtpd_recipient_restrictions =
++ ...
++ permit_tls_clientcerts
++ reject_unauth_destination
++ ...
++</pre>
++</blockquote>
++
++<p> The Postfix list manipulation routines give special treatment
++to whitespace and some other characters, making the use of certificate
++names unpractical. Instead we use the certificate fingerprints as
++they are difficult to fake but easy to use for lookup. Postfix
++lookup tables are in the form of (key, value) pairs. Since we only
++need the key, the value can be chosen freely, e.g. the name of
++the user or host:</p>
++
++<blockquote>
++<pre>
++D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
++</pre>
++</blockquote>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++relay_clientcerts = hash:/etc/postfix/relay_clientcerts
++</pre>
++</blockquote>
++
++<h3><a name="server_cipher">Server-side cipher controls</a> </h3>
++
++<p> To influence the Postfix SMTP server cipher selection scheme,
++you can give cipherlist string. A detailed description would go
++to far here, please refer to the openssl documentation. If you
++don't know what to do with it, simply don't touch it and leave the
++(openssl-)compiled in default! </p>
++
++<p> DO NOT USE " to enclose the string, specify just the string!!! </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtpd_tls_cipherlist = DEFAULT
++</pre>
++</blockquote>
++
++<p> If you want to take advantage of ciphers with EDH, DH parameters
++are needed. Instead of using the built-in DH parameters for both
++1024bit and 512bit, it is better to generate "own" parameters,
++since otherwise it would "pay" for a possible attacker to start a
++brute force attack against parameters that are used by everybody.
++For this reason, the parameters chosen are already different from
++those distributed with other TLS packages. </p>
++
++<p> To generate your own set of DH parameters, use: </p>
++
++<blockquote>
++<pre>
++openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
++openssl gendh -out /etc/postfix/dh_512.pem -2 -rand /var/run/egd-pool 512
++</pre>
++</blockquote>
++
++<p> Your source for "entropy" might vary; some systems have
++/dev/random; on other systems you might consider the "Entropy
++Gathering Daemon EGD", available at http://www.lothar.com/tech/crypto/.
++</p>
++
++<p> Examples: </p>
++
++<blockquote>
++<pre>
++smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
++smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
++</pre>
++</blockquote>
++
++<h3><a name="server_misc"> Miscellaneous server controls</a> </h3>
++
++<p> The smtpd_starttls_timeout parameter limits the time of Postfix
++SMTP server write and read operations during TLS startup and shutdown
++handshake procedures. </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtpd_starttls_timeout = 300s
++</pre>
++</blockquote>
++
++<h2> <a name="client_tls">SMTP Client specific settings</a> </h2>
++
++<p> Topics covered in this section: </p>
++
++<ul>
++
++<li><a href="#client_cert_key">Client-side certificate and private
++key configuration </a>
++
++<li><a href="#client_logging"> Client-side TLS activity logging
++</a>
++
++<li><a href="#client_tls_cache">Client-side TLS session cache</a>
++
++<li><a href="#client_tls"> Enabling TLS in the Postfix SMTP client </a>
++
++<li><a href="#client_vrfy_server">Server certificate verification</a>
++
++<li> <a href="#client_cipher">Client-side cipher controls </a>
++
++<li> <a href="#client_misc"> Miscellaneous client controls </a>
++
++</ul>
++
++<h3><a name="client_cert_key">Client-side certificate and private
++key configuration </a> </h3>
++
++During TLS startup negotiation the Postfix SMTP client may present
++a certificate to the remote SMTP server. The Netscape client is
++rather clever here and lets the user select between only those
++certificates that match CA certificates offered by the remote SMTP
++server. As the Postfix SMTP client uses the "SSL_connect()" function
++from the OpenSSL package, this is not possible and we have to choose
++just one certificate. So for now the default is to use _no_
++certificate and key unless one is explicitly specified here. </p>
++
++<p> Both RSA and DSA certificates are supported. You can have both
++at the same time, in which case the cipher used determines which
++certificate is presented. </p>
++
++<p> It is possible for the Postfix SMTP client to use the same
++key/certificate pair as the Postfix SMTP server. If a certificate
++is to be presented, it must be in "pem" format. The private key
++must not be encrypted, meaning: it must be accessible without
++password. Both parts (certificate and private key) may be in the
++same file. </p>
++
++<p> In order for remote SMTP servers to verify the Postfix SMTP
++client certificates, the CA certificate (in case of a certificate
++chain, all CA certificates) must be available. You should add
++these certificates to the client certificate, the client certificate
++first, then the issuing CA(s). </p>
++
++<p> Example: the certificate for "client.dom.ain" was issued by
++"intermediate CA" which itself has a certificate of "root CA".
++Create the client.pem file with: </p>
++
++<blockquote>
++<pre>
++cat client_cert.pem intermediate_CA.pem root_CA.pem > client.pem
++</pre>
++</blockquote>
++
++<p> If you want the Postfix SMTP client to accept certificates
++issued by these CAs, you can also add the CA certificates to the
++smtp_tls_CAfile, in which case it is not necessary to have them in
++the smtp_tls_cert_file or smtp_tls_dcert_file. </p>
++
++<p> A Postfix SMTP client certificate supplied here must be usable
++as SSL client certificate and hence pass the "openssl verify -purpose
++sslclient
++..." test. </p>
++
++<p> RSA key and certificate examples: </p>
++
++<blockquote>
++<pre>
++smtp_tls_cert_file = /etc/postfix/client.pem
++smtp_tls_key_file = $smtp_tls_cert_file
++</pre>
++</blockquote>
++
++<p> Their DSA counterparts: </p>
++
++<blockquote>
++<pre>
++smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
++smtp_tls_dkey_file = $smtpd_tls_cert_file
++</pre>
++</blockquote>
++
++<p> The Postfix SMTP client certificate was issued by a certification
++authority (CA), the CA-cert of which must be provided with the CA
++file if it is not already provided in the certificate file. The
++CA file may also contain the CA certificates of other trusted CAs.
++You must use this file for the list of trusted CAs if you want to
++use chroot-mode. No default is supplied for this value as of now.
++</p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtp_tls_CAfile = /etc/postfix/CAcert.pem
++</pre>
++</blockquote>
++
++<p> To verify a remote SMTP server certificate, the Postfix SMTP
++client needs to know the certificates of the issuing certification
++authorities. These certificates in "pem" format are collected in
++a directory. Don't forget to create the necessary "hash" links with
++$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical place for
++the CA certificates may also be $OPENSSL_HOME/certs, so there is
++no default and you explicitly have to set the value here! </p>
++
++<p> To use this option in chroot mode, this directory itself or a
++copy of it must be inside the chroot jail. </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtp_tls_CApath = /etc/postfix/certs
++</pre>
++</blockquote>
++
++<h3><a name="client_logging"> Client-side TLS activity logging </a> </h3>
++
++<p> To get additional information about Postfix SMTP client TLS
++activity you can increase the loglevel from 0..4. Each logging
++level also includes the information that is logged at a lower
++logging level. </p>
++
++<blockquote>
++
++<table>
++
++<tr> <td> 0 </td> <td> Disable logging of TLS activity.</td> </tr>
++
++<tr> <td> 1 </td> <td> Log TLS handshake and certificate information.
++</td> </tr>
++
++<tr> <td> 2 </td> <td> Log levels during TLS negotiation. </td>
++</tr>
++
++<tr> <td> 3 </td> <td> Log hexadecimal and ASCII dump of TLS
++negotiation process </td> </tr>
++
++<tr> <td> 4 </td> <td> Log hexadecimal and ASCII dump of complete
++transmission after STARTTLS </td> </tr>
++
++</table>
++
++</blockquote>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtp_tls_loglevel = 0
++</pre>
++</blockquote>
++
++<h3><a name="client_tls_cache">Client-side TLS session cache</a> </h3>
++
++<p> The remote SMTP server and the Postfix SMTP client negotiate a
++session, which takes some computer time and network bandwidth. By
++default, this session information is cached only in the smtp(8)
++process actually using this session and is lost when the process
++terminates. To share the session information between multiple
++smtp(8) processes, a persistent session cache can be used based on
++the SDBM databases (routines included in Postfix/TLS). Since
++concurrent writing must be supported, only SDBM can be used. </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
++</pre>
++</blockquote>
++
++<p> Cached Postfix SMTP client session information expires after
++a certain amount of time. Postfix/TLS does not use the OpenSSL
++default of 300s, but a longer time of 3600s (=1 hour). RFC 2246
++recommends a maximum of 24 hours. </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtp_tls_session_cache_timeout = 3600s
++</pre>
++</blockquote>
++
++<h3><a name="client_tls"> Enabling TLS in the Postfix SMTP client </a>
++</h3>
++
++<p> By default, TLS is disabled in the Postfix SMTP client, so no
++difference to plain Postfix is visible. If you enable TLS, the
++Postfix SMTP client will send STARTTLS when TLS support is announced
++by the remote SMTP server. </p>
++
++<p> WARNING: MS Exchange servers will announce STARTTLS support
++even when the service is not configured, so that the TLS handshake
++will fail. It may be wise to not use this option on your central
++mail hub, as you don't know in advance whether you are going to
++connect to such a host. Instead, use the smtp_tls_per_site
++recipient/site specific options that are described below. </p>
++
++<p> When the TLS handshake fails and no other server is available,
++the Postfix SMTP client defers the delivery attempt, and the mail
++stays in the queue. </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtp_use_tls = yes
++</pre>
++</blockquote>
++
++<p> You can ENFORCE the use of TLS, so that the Postfix SMTP client
++will not deliver mail over un-encrypted connections. In this mode,
++the remote SMTP server hostname must match the information in the
++remote server certificate, and the server certificate must be issued
++by a CA that is trusted by the Postfix SMTP client. If the remote
++server certificate doesn't verify or the remote SMTP server hostname
++doesn't match, and no other server is available, the delivery
++attempt is deferred and the mail stays in the queue. </p>
++
++<p> The remote SMTP server hostname used in the check is beyond
++question, as it must be the principal hostname (no CNAME allowed
++here). Checks are performed against all names provided as dNSNames
++in the SubjectAlternativeName. If no dNSNames are specified, the
++CommonName is checked. The behavior may be changed with the
++smtp_tls_enforce_peername option which is discussed below. </p>
++
++<p> This option is useful only if you know that you will only
++connect to servers that support RFC 2487 _and_ that present server
++certificates that meet the above requirements. An example would
++be a client only sends email to one specific mailhub that offers
++the necessary STARTTLS support. </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtp_enforce_tls = no
++</pre>
++</blockquote>
++
++<p> As of RFC 2487 the requirements for hostname checking for MTA
++clients are not set. When TLS is required (smtp_enforce_tls = yes),
++the option smtp_tls_enforce_peername can be set to "no" to disable
++strict remote SMTP server hostname checking. In this case, the mail
++delivery will proceed regardless of the CommonName etc. listed in
++the certificate. </p>
++
++<p> Note: the smtp_tls_enforce_peername setting has no effect on
++sessions that are controlled via the smtp_tls_per_site table. </p>
++
++<p> Disabling the remote SMTP server hostname verification can
++make sense in closed environment where special CAs are created.
++If not used carefully, this option opens the danger of a
++"man-in-the-middle" attack (the CommonName of this possible attacker
++is logged). </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtp_tls_enforce_peername = yes
++</pre>
++</blockquote>
++
++<p> Generally, trying TLS can be a bad idea, as some servers offer
++STARTTLS but the negotiation will fail leading to unexplainable
++failures. Instead, it may be a good idea to choose the TLS usage
++policy based on the recipient or the mailhub to which you are
++connecting. </p>
++
++<p> Deciding the TLS usage policy per recipient may be difficult,
++since a single email delivery attempt can involve several recipients.
++Instead, use of TLS is controlled by the Postfix next-hop destination
++domain name and by the remote SMTP server hostname. If either of these
++matches an entry in the smtp_tls_per_site table, appropriate action
++is taken. </p>
++
++<p> The remote SMTP server hostname is simply the DNS name of the
++server that the Postfix SMTP client connects to. The next-hop
++destination is Postfix specific. By default, this is the domain
++name in the recipient address, but this information can be overruled
++by the transport(5) table or by the relayhost parameter setting.
++In these cases the relayhost etc. must be listed in the smtp_tls_per_site
++table, instead of the recipient domain name. </p>
++
++<p> Format of the table: domain or host names are specified on the
++left-hand side; no wildcards are allowed. On the right hand side
++specify one of the following keywords: </p>
++
++<blockquote>
++
++<dl>
++
++<dt> NONE </dt> <dd> Don't use TLS at all. </dd>
++
++<dt> MAY </dt> <dd> Try to use STARTTLS if offered,
++otherwise use the un-encrypted connection. </dd>
++
++<dt> MUST </dt> <dd> Require usage of STARTTLS, require that the
++remote SMTP server hostname matches the information in the remote
++SMTP server certificate, and require that the remote SMTP server
++certificate was issued by a trusted CA. </dd>
++
++<dt> MUST_NOPEERMATCH </dt> <dd> Require usage of STARTTLS, but do
++not require that the remote SMTP server hostname matches the
++information in the remote SMTP server certificate, or that the
++server certificate was issued by a trusted CA. </dd>
++
++</dl>
++
++</blockquote>
++
++<p> The actual TLS usage policy depends not only on whether the
++next-hop destination or remote SMTP server hostname are found in
++the smtp_tls_per_site table, but also on the smtp_enforce_tls
++setting: </p>
++
++<ul>
++
++<li> <p> If no match was found, the policy is applied as specified
++with smtp_enforce_tls. </p>
++
++<li> <p> If a match was found, and the smtp_enforce_tls policy is
++"enforce", NONE explicitly switches it off; otherwise the "enforce"
++mode is used even for entries that specify MAY. </p>
++
++</ul>
++
++<p> Special hint for TLS enforcement mode: since no secure DNS
++lookup mechanism is available, mail can be delivered to the wrong
++remote SMTP server. This is not prevented by specifying MUST for
++the next-hop domain name. The recommended setup is: specify local
++transport(5) table entries for sensitive domains with explicit
++smtp:[mailhost] destinations (since you can assure security of this
++table unlike DNS), then specify MUST for these mail hosts in the
++smtp_tls_per_site table. </p>
++
++<!-- XXX What it we were to require that each MX host lists the
++domain it is responsible for in its server certificate, and that
++Postfix/TLS includes the next-hop domain name in the peer name
++verification process? -->
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtp_tls_per_site = hash:/etc/postfix/tls_per_site
++</pre>
++</blockquote>
++
++<p> As we decide on a "per site" basis whether or not to use TLS,
++it would be good to have a list of sites that offered "STARTTLS".
++We can collect it ourselves with this option. </p>
++
++<p> If the smtp_tls_note_starttls_offer feature is enabled and a
++server offers STARTTLS while TLS is not already enabled for that
++server, the Postfix SMTP client logs a line as follows: </p>
++
++<blockquote>
++<pre>
++postfix/smtp[pid]: Host offered STARTTLS: [hostname.example.com]
++</pre>
++</blockquote>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtp_tls_note_starttls_offer = yes
++</pre>
++</blockquote>
++
++<h3><a name="client_vrfy_server">Server certificate verification</a> </h3>
++
++<p> When verifying a remote SMTP server certificate, a verification
++depth of 1 is sufficient if the certificate is directly issued by
++a CA specified with smtp_tls_CAfile or smtp_tls_CApath. The default
++value of 5 should also suffice for longer chains (root CA issues
++special CA which then issues the actual certificate...) </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtp_tls_scert_verifydepth = 5
++</pre>
++</blockquote>
++
++<h3> <a name="client_cipher">Client-side cipher controls </a> </h3>
++
++<p> To influence the Postfix SMTP client cipher selection scheme,
++you can give cipherlist string. A detailed description would go
++to far here, please refer to the openssl documentation. If you
++don't know what to do with it, simply don't touch it and leave the
++(openssl-)compiled in default! </p>
++
++<p> DO NOT USE " to enclose the string, specify just the string!!! </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtp_tls_cipherlist = DEFAULT
++</pre>
++</blockquote>
++
++<h3> <a name="client_misc"> Miscellaneous client controls </a> </h3>
++
++<p> The smtp_starttls_timeout parameter limits the time of Postfix
++SMTP client write and read operations during TLS startup and shutdown
++handshake procedures. In case of problems the Postfix SMTP client
++tries the next network address on the mail exchanger list, and
++defers delivery if no alternative server is available. </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtp_starttls_timeout = 300s
++</pre>
++</blockquote>
++
++<h2><a name="tlsmgr_controls"> TLS manager specific settings </a> </h2>
++
++<p> The security of cryptographic software such as TLS depends
++critically on the ability to generate unpredictable numbers for
++keys and other information. To this end, the tlsmgr(8) process
++maintains a Pseudo Random Number Generator (PRNG) pool. This is
++a fixed-size 1024-byte exchange file that is read by the smtp(8)
++and smtpd(8) processes when they initialize. These processes also
++add some more entropy to the file by stirring in their own time
++and process id information. </p>
++
++<p> The tlsmgr(8) process creates the file if it does not already
++exist, and rewrites the file at random time intervals with information
++from its in-memory PRNG pool. The default location is under the
++Postfix configuration directory, which is not the proper place for
++information that is modified by Postfix. Instead, the file location
++should probably be on the /var partition (but _not_ inside the
++chroot jail). </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++tls_random_exchange_name = /etc/postfix/prng_exch
++</pre>
++</blockquote>
++
++<p> In order to feed its in-memory PRNG pool, the tlsmgr(8) reads
++entropy from an external source, both at startup and during run-time.
++Specify a good entropy source, like EGD or /dev/urandom; be sure
++to only use non-blocking sources. If the entropy source is not a
++regular file, you must prepend the source type to the source name:
++"dev:" for a device special file, or "egd:" for a source with EGD
++compatible socket interface. </p>
++
++<p> Examples (specify only one in main.cf): </p>
++
++<blockquote>
++<pre>
++tls_random_source = dev:/dev/urandom
++tls_random_source = egd:/var/run/egd-pool
++</pre>
++</blockquote>
++
++<p> By default, tlsmgr(8) reads 32 bytes from the external entropy
++source at each seeding event. This amount (256bits) is more than
++sufficient for generating a 128bit symmetric key. With EGD and
++device entropy sources, the tlsmgr(8) limits the amount of data
++read at each step to 255 bytes. If you specify a regular file as
++entropy source, a larger amount of data can be read. </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++tls_random_bytes = 32
++</pre>
++</blockquote>
++
++<p> In order to update its in-memory PRNG pool, the tlsmgr(8)
++queries the external entropy source again after a random amount of
++time. The time is calculated using the PRNG, and is between 0 and
++the maximal time specified with tls_random_reseed_period. The
++default maximal time interval is 1 hour. </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++tls_random_reseed_period = 3600s
++</pre>
++</blockquote>
++
++<p> The tlsmgr(8) re-generates the 1024 byte seed exchange file
++after a random amount of time. The time is calculated using the
++PRNG, and is between 0 and the maximal time specified with
++tls_random_update_period. The default maximal time interval is 60
++seconds. </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++tls_random_prng_update_period = 60s
++</pre>
++</blockquote>
++
++<p> If you have an entropy source available that is not easily
++drained (like /dev/urandom), the smtp(8) and smtpd(8) daemons can
++load additional entropy on startup. By default, an amount of 32
++bytes is read, the equivalent to 256 bits. This is more than
++sufficient to generate a 128bit (or 168bit) session key. However,
++when Postfix needs to generate more than one key it can drain the
++EGD. Consider the case of 50 smtp(8) processes starting up with a
++full queue; this will request 1600bytes of entropy. This is however
++not fatal, as long as "entropy" data can still be read from the
++seed file that is maintained by tlsmgr(8). </p>
++
++<p> Examples: </p>
++
++<blockquote>
++<pre>
++tls_daemon_random_source = dev:/dev/urandom
++tls_daemon_random_source = egd:/var/run/egd-pool
++tls_daemon_random_bytes = 32
++</pre>
++</blockquote>
++
++<h2> <a name="problems"> Reporting problems </a> </h2>
++
++<p> When reporting a problem, please be thorough in the report.
++Patches, when possible, are greatly appreciated too. </p>
++
++<p> Please differentiate when possible between: </p>
++
++<ul>
++
++<li> Problems in the IPv6 code: <postfix-ipv6 at stack.nl>
++
++<li> Problems in the TLS code: <postfix_tls at aet.tu-cottbus.de>
++
++<li> Problems in vanilla Postfix: <postfix-users at postfix.org>
++
++</ul>
++
++<h2><a name="credits">Credits </a> </h2>
++
++<ul>
++
++<li> TLS support for Postfix was originally developed by Lutz
++Jänicke at Cottbus Technical University.
++
++<li> This part of the documentation was compiled by Wietse Venema
++</p>
++
++</ul>
++
++</body>
++
++</html>
+diff -urNad postfix-release/README_FILES/IPV6_README /tmp/dpep.cXJuVH/postfix-release/README_FILES/IPV6_README
+--- postfix-release/README_FILES/IPV6_README 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/README_FILES/IPV6_README 2005-02-03 10:22:13.048099363 -0700
+@@ -0,0 +1,158 @@
++Postfix IPv6 / IPv6+TLS patch
++Maintained by Dean C. Strik <dean at ipnet6.org>
++
++These patches add IPv6 support to Postfix. A combo TLS+IPv6 patch is
++available as a replacement for Lutz Jaenicke's TLS patch.
++
++More information about these IPv6 patches can be found on Dean Strik's
++postfix website at
++ http://www.ipnet6.org/postfix/
++
++CONTENTS
++---------
++ - Supported platforms
++ - Downloads
++ - Installation
++ - Configuration
++ - Mailing list
++ - Known issues
++ - Reporting bugs
++
++SUPPORTED PLATFORMS
++--------------------
++
++Currently, the following platforms are supported:
++ - FreeBSD 4.x/5.x
++ - OpenBSD 2.x/3.x
++ - NetBSD 1.5+
++ - Solaris 8/9
++ - Linux 2.x
++ - Darwin 7.3+
++ - Tru64Unix V5.1+
++Postfix may work on other versions of these operating systems or
++other operating systems entirely. If you find a problem on one
++of the above platforms, please contact me at <dean at ipnet6.org>.
++
++DOWNLOADS
++----------
++
++The official download site is
++
++ http://www.ipnet6.org/postfix/
++
++Patches are offered as HTTP and FTP downloads here. To directly
++access the files on the FTP server, use the following address:
++
++ ftp://ftp.stack.nl/pub/postfix/tls+ipv6/
++
++The patches are in gzipped context diff format.
++
++INSTALLATION
++-------------
++
++The patch is distributed as a gzipped context diff. This used to
++be unified diff (more readable), but it was changed because to
++avoid unidiff limitations.
++
++We assume postfix is already extracted, to the directory
++ postfix-2.1.1
++
++1. Decompress the patch:
++ e.g. $ gunzip tls+ipv6-1.24-pf-2.1.1.patch.gz
++2. Change directory to the postfix source directory
++ e.g. $ cd postfix-2.1.1
++3. Apply the patch
++ e.g. $ patch -s -p 1 < ../tls+ipv6-1.24-pf-2.1.1.patch
++4. Build postfix. The IPv6 patch does not require additional environment
++ variables or arguments to 'make'.
++
++CONFIGURATION
++--------------
++
++In theory, no post-installation configuration of postfix is
++required, although you may want to extend the value of the
++'mynetworks' parameter to include the IPv6 networks the system is
++in.
++
++Also you can restrict Postfix to use IPv6-only or IPv4-only by
++changing the 'inet_interfaces' parameter.
++
++The main.cf parameters regarding IPv6 are documented in the file
++'sample-ipv6.cf' in the samples/ directory.
++
++MAILING LISTS
++--------------
++
++I've created two mailing lists about using IPv6 with Postfix.
++There's a general list (postfix-ipv6) that can be used for discussion.
++Also, there's an announcement-only list (postfix-ipv6-announce)
++for people who only want to get the announcements.
++All announcements are cross-posted to postfix-ipv6 though.
++
++List name: postfix-ipv6
++List type: Discussion / general (incl. announcements)
++List info: http://lists.stack.nl/mailman/listinfo/postfix-ipv6
++List archive: http://lists.stack.nl/pipermail/postfix-ipv6
++List admin: Dean Strik <dean at ipnet6.org>
++
++List name: postfix-ipv6-announce
++List type: Announcements only, moderated
++List info: http://lists.stack.nl/mailman/listinfo/postfix-ipv6-announce
++List archive: http://lists.stack.nl/pipermail/postfix-ipv6-announce
++List admin: Dean Strik <dean at ipnet6.org>
++
++KNOWN ISSUES
++-------------
++
++The patch comes with an IPv6-ChangeLog file. Please always validate
++whether you have the latest version. You can always download the
++latest ChangeLog at
++
++ ftp://ftp.stack.nl/pub/postfix/tls+ipv6/ChangeLog
++
++The following 'issues' and todo items are known (none critical):
++
++ - It is not currently supported to use Postfix network daemons
++ (such as smtp and smtpd) chrooted on Linux systems without
++ mounting the proc filesystem under /var/spool/postfix/proc
++ This is because the proc filesystem is required on Linux to
++ obtain the system's IPv6 address information.
++
++ - The 'smtp_host_lookup' parameter is not effective with IPv6.
++ This is because a different lookup mechanism is used that
++ cannot easily disable the 'local' (i.e., non-DNS) lookups.
++ Whether local files or the DNS are used first, is determined
++ by your operating system, e.g. in /etc/nsswitch.conf or
++ /etc/host.conf.
++
++ - The order of IPv6/IPv4 outgoing connection attempts is not
++ yet configurable. This will be configurable in a later,
++ soon to be released version. Currently, IPv6 is tried before
++ IPv4.
++
++ - No IPv6 open relay checks. Since there is no IPv6 RBL service
++ around at the moment (I'm considering setting one up but it's
++ not a very hot issue), no lookups for IPv6 clients are ever done.
++ Let's not have a lot of worthless DNS traffic. Of course, when
++ this gets implemented, IPv6 client lookups will only be made
++ to DNSBLs that support these.
++
++ - Tru64Unix: Using 'mynetworks_style = subnet' (which I do not
++ recommend in any case...) causes Postfix to assume a /64 for
++ all IPv6-connected IPv6 subnets. I have yet to find a good way
++ for obtaining the prefixlength. Suggestions are welcome!
++
++REPORTING BUGS
++---------------
++
++Of course there may be bugs in the patch. Please report bugs in the
++patch to <dean at ipnet6.org>. Please be thorough in the report.
++Patches, when possible, are greatly appreciated too!
++
++Please differentiate when possible between
++ - Problems in vanilla Postfix: <mailto:postfix-users at postfix.org>
++ - Problems in Lutz' TLS patch: <mailto:postfix_tls at aet.tu-cottbus.de>
++ - Problems in the IPv6 code: <mailto:postfix-ipv6 at stack.nl>
++
++--
++Dean Strik <dean at ipnet6.org>
+diff -urNad postfix-release/README_FILES/SASL_README /tmp/dpep.cXJuVH/postfix-release/README_FILES/SASL_README
+--- postfix-release/README_FILES/SASL_README 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/README_FILES/SASL_README 2005-02-03 10:22:13.048099363 -0700
+@@ -12,6 +12,9 @@
+
+ HHooww PPoossttffiixx uusseess SSAASSLL aauutthheennttiiccaattiioonn iinnffoorrmmaattiioonn
+
++Note: To use SASL support on Debian GNU/Linux, you must install the
++postfix-tls package.
++
+ Postfix SASL support (RFC 2554) can be used to authenticate remote SMTP clients
+ to the Postfix SMTP server, and to authenticate the Postfix SMTP client to a
+ remote SMTP server.
+@@ -123,21 +126,21 @@
+ smtpd_recipient_restrictions =
+ permit_mynetworks permit_sasl_authenticated ...
+
+-In /usr/local/lib/sasl/smtpd.conf (SASL version 1.5.5) or /usr/local/lib/sasl2/
+-smtpd.conf (SASL version 2.1.1) you need to specify how the server should
+-validate client passwords.
+-
+-In order to authenticate against the UNIX password database, try:
+-
+-(SASL version 1.5.5)
++In /etc/postfix/sasl/smtpd.conf you need to specify how the server
++should validate client passwords.
+
+- /usr/local/lib/sasl/smtpd.conf:
+- pwcheck_method: pwcheck
++IMPORTANT: If you configure SASL to use PAM (pluggable authentication
++modules) authentication, the Postfix SMTP server will abort because
++the SASL password file does not exist (default: /etc/sasldb in
++version 1.5.5, or /etc/sasldb2 in version 2.1.1). To fix, disable
++CRAM-MD5 authentication by specifying 'mech_list: PLAIN LOGIN ANONYMOUS'
++in /etc/postfix/sasl/smtpd.conf, or by deleting /usr/lib/sasl/libcrammd5.so
++(for version 1.5.5).
+
+-(SASL version 2.1.1)
++In order to authenticate against the UNIX password database, try:
+
+- /usr/local/lib/sasl2/smtpd.conf:
+- pwcheck_method: pwcheck
++ /etc/postfix/sasl/smtpd.conf:
++ pwcheck_method: pwcheck
+
+ The name of the file in /usr/local/lib/sasl (SASL version 1.5.5) or /usr/local/
+ lib/sasl2 (SASL version 2.1.1) used by the SASL library for configuration can
+@@ -151,16 +154,9 @@
+ IMPORTANT: postfix processes need to have group read+execute permission for the
+ /var/pwcheck directory, otherwise authentication attempts will fail.
+
+-Alternately, in SASL 1.5.26 and later (including 2.1.1), try:
+-
+-(SASL version 1.5.26)
+-
+- /usr/local/lib/sasl/smtpd.conf:
+- pwcheck_method: saslauthd
+-
+-(SASL version 2.1.1)
++Alternately, in SASL 2.1.1 and later, try:
+
+- /usr/local/lib/sasl2/smtpd.conf:
++ /etc/postfix/sasl/smtpd.conf:
+ pwcheck_method: saslauthd
+
+ The saslauthd daemon is also contained in the cyrus-sasl source tarball. It is
+@@ -169,15 +165,8 @@
+
+ In order to authenticate against SASL's own password database:
+
+-(SASL version 1.5.5)
+-
+- /usr/local/lib/sasl/smtpd.conf:
+- pwcheck_method: sasldb
+-
+-(SASL version 2.1.1)
+-
+- /usr/local/lib/sasl2/smtpd.conf:
+- pwcheck_method: auxprop
++ /etc/postfix/sasl/smtpd.conf:
++ pwcheck_method: sasldb
+
+ This will use the SASL password file (default: /etc/sasldb in version 1.5.5, or
+ /etc/sasldb2 in version 2.1.1), which is maintained with the saslpasswd or
+diff -urNad postfix-release/README_FILES/TLS_README /tmp/dpep.cXJuVH/postfix-release/README_FILES/TLS_README
+--- postfix-release/README_FILES/TLS_README 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/README_FILES/TLS_README 2005-02-03 10:22:13.049099140 -0700
+@@ -0,0 +1,731 @@
++PPoossttffiixx TTLLSS SSuuppppoorrtt
++
++-------------------------------------------------------------------------------
++
++PPuurrppoossee ooff tthhiiss ddooccuummeenntt
++
++This document describes how to configure the Transport Layer Security (TLS)
++support in the Postfix SMTP client and Postfix SMTP server, and how to
++configure the TLS manager daemon that maintains the Pseudo Random Number
++Generator (PRNG) pool and the TLS session cache information.
++
++Topics covered in this document:
++
++ * SMTP Server specific settings
++ * SMTP Client specific settings
++ * TLS manager specific settings
++ * Reporting problems
++ * Credits
++
++SSMMTTPP SSeerrvveerr ssppeecciiffiicc sseettttiinnggss
++
++Topics covered in this section:
++
++ * Server-side certificate and private key configuration
++ * Server-side TLS activity logging
++ * Enabling TLS in the Postfix SMTP server
++ * Client certificate verification
++ * Supporting AUTH over TLS only
++ * Server-side TLS session cache
++ * Server access control
++ * Server-side cipher controls
++ * Miscellaneous server controls
++
++SSeerrvveerr--ssiiddee cceerrttiiffiiccaattee aanndd pprriivvaattee kkeeyy ccoonnffiigguurraattiioonn
++
++In order to use TLS, the Postfix SMTP server needs a certificate and a private
++key. Both must be in "pem" format. The private key must not be encrypted,
++meaning: the key must be accessible without password. Both certificate and
++private key may be in the same file.
++
++Both RSA and DSA certificates are supported. Typically you will only have RSA
++certificates issued by a commercial CA. In addition, the tools supplied with
++OpenSSL will by default issue RSA certificates. You can have both at the same
++time, in which case the cipher used determines which certificate is presented.
++For Netscape and OpenSSL clients without special cipher choices, the RSA
++certificate is preferred.
++
++In order for remote SMTP clients to check the Postfix SMTP server certificates,
++the CA certificate (in case of a certificate chain, all CA certificates) must
++be available. You should add these certificates to the server certificate, the
++server certificate first, then the issuing CA(s).
++
++Example: the certificate for "server.dom.ain" was issued by "intermediate CA"
++which itself has a certificate issued by "root CA". Create the server.pem file
++with:
++
++ cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem
++
++If you want the Postfix SMTP server to accept remote SMTP client certificates
++issued by these CAs, you can also add the CA certificates to the
++smtpd_tls_CAfile, in which case it is not necessary to have them in the
++smtpd_tls_cert_file or smtpd_tls_dcert_file.
++
++A Postfix SMTP server certificate supplied here must be usable as SSL server
++certificate and hence pass the "openssl verify -purpose sslserver ..." test.
++
++RSA key and certificate examples:
++
++ smtpd_tls_cert_file = /etc/postfix/server.pem
++ smtpd_tls_key_file = $smtpd_tls_cert_file
++
++Their DSA counterparts:
++
++ smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
++ smtpd_tls_dkey_file = $smtpd_tls_dcert_file
++
++The Postfix SMTP server certificate was issued by a certification authority
++(CA), the CA-cert of which must be provided with the CA file if it is not
++already provided in the certificate file. The CA file may also contain the CA
++certificates of other trusted CAs. You must use this file for the list of
++trusted CAs if you want to use chroot-mode. No default is supplied for this
++value as of now.
++
++Example:
++
++ smtpd_tls_CAfile = /etc/postfix/CAcert.pem
++
++To verify a remote SMTP client certificate, the Postfix SMTP server needs to
++know the certificates of the issuing certification authorities. These
++certificates in "pem" format are collected in a directory. The same CA
++certificates are offered to clients for client verification. Don't forget to
++create the necessary "hash" links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/
++certs. A typical place for the CA certificates may also be $OPENSSL_HOME/certs,
++so there is no default and you explicitly have to set the value here!
++
++To use this option in chroot mode, this directory itself or a copy of it must
++be inside the chroot jail. Please note also, that the CAs in this directory are
++not listed to the client, so that e.g. Netscape might not offer certificates
++issued by them. For this reason, the use of this feature is discouraged.
++
++Example:
++
++ smtpd_tls_CApath = /etc/postfix/certs
++
++SSeerrvveerr--ssiiddee TTLLSS aaccttiivviittyy llooggggiinngg
++
++To get additional information about Postfix SMTP server TLS activity you can
++increase the loglevel from 0..4. Each logging level also includes the
++information that is logged at a lower logging level.
++
++ 0 Disable logging of TLS activity.
++
++ 1 Log TLS handshake and certificate information.
++
++ 2 Log levels during TLS negotiation.
++
++ 3 Log hexadecimal and ASCII dump of TLS negotiation process
++
++ 4 Log hexadecimal and ASCII dump of complete transmission after STARTTLS
++
++Use loglevel 3 only in case of problems. Use of loglevel 4 is strongly
++discouraged.
++
++Example:
++
++ smtpd_tls_loglevel = 0
++
++To include information about the protocol and cipher used as well as the client
++and issuer CommonName into the "Received:" message header, set the
++smtpd_tls_received_header variable to true. The default is no, as the
++information is not necessarily authentic. Only information recorded at the
++final destination is reliable, since the headers may be changed by intermediate
++servers.
++
++Example:
++
++ smtpd_tls_received_header = yes
++
++EEnnaabblliinngg TTLLSS iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr
++
++By default, TLS is disabled in the Postfix SMTP server, so no difference to
++plain Postfix is visible. Explicitly switch it on using "smtpd_use_tls = yes".
++
++Example:
++
++ smtpd_use_tls = yes
++
++Note: when an unprivileged user invokes "sendmail -bs", STARTTLS is never
++offered due to insufficient privileges to access the server private key. This
++is intended behavior.
++
++You can ENFORCE the use of TLS, so that the Postfix SMTP server accepts no
++commands (except QUIT of course) without TLS encryption, by setting
++"smtpd_enforce_tls = yes". According to RFC 2487 this MUST NOT be applied in
++case of a publicly-referenced Postfix SMTP server. So this option is off by
++default and should only seldom be used. Using this option implies
++"smtpd_use_tls = yes".
++
++Example:
++
++ smtpd_enforce_tls = yes
++
++Besides RFC 2487 some clients, namely Outlook [Express] prefer to run the non-
++standard "wrapper" mode, not the STARTTLS enhancement to SMTP. This is true for
++OE (Win32 < 5.0 and Win32 >=5.0 when run on a port<>25 and OE (5.01 Mac on all
++ports).
++
++It is strictly discouraged to use this mode from main.cf. If you want to
++support this service, enable a special port in master.cf and specify "-
++o smtpd_tls_wrappermode = yes" as an smtpd(8) command line option. Port 465
++(smtps) was once chosen for this feature.
++
++Example:
++
++ smtpd_tls_wrappermode = no
++
++CClliieenntt cceerrttiiffiiccaattee vveerriiffiiccaattiioonn
++
++To receive a remote SMTP client certificate, the Postfix SMTP server must
++explicitly ask for one by sending the $smtpd_tls_CAfile certificates to the
++client. Unfortunately, Netscape clients will either complain if no matching
++client certificate is available or will offer the user client a list of
++certificates to choose from. This might be annoying, so this option is "off" by
++default. You will however need the certificate if you want to use certificate
++based relaying with, for example, the permit_tls_client_certs feature.
++
++Example:
++
++ smtpd_tls_ask_ccert = no
++
++You may also decide to REQUIRE a remote SMTP client certificate before allowing
++TLS connections. This feature is included for completeness, and implies
++"smtpd_tls_ask_ccert = yes".
++
++Please be aware, that this will inhibit TLS connections without a proper client
++certificate and that it makes sense only when non-TLS submission is disabled
++(smtpd_enforce_tls = yes). Otherwise, clients could bypass the restriction by
++simply not using STARTTLS at all.
++
++When TLS is not enforced, the connection will be handled as if only
++"smtpd_tls_ask_ccert = yes" is specified, and a warning is logged.
++
++Example:
++
++ smtpd_tls_req_ccert = no
++
++A client certificate verification depth of 1 is sufficient if the certificate
++is directly issued by a CA listed in the CA file. The default value (5) should
++also suffice for longer chains (root CA issues special CA which then issues the
++actual certificate...)
++
++Example:
++
++ smtpd_tls_ccert_verifydepth = 5
++
++SSuuppppoorrttiinngg AAUUTTHH oovveerr TTLLSS oonnllyy
++
++Sending AUTH data over an un-encrypted channel poses a security risk. When TLS
++layer encryption is required (smtpd_enforce_tls = yes), the Postfix SMTP server
++will announce and accept AUTH only after the TLS layer has been activated with
++STARTTLS. When TLS layer encryption is optional (smtpd_enforce_tls = no), it
++may however still be useful to only offer AUTH when TLS is active. To maintain
++compatibility with non-TLS clients, the default is to accept AUTH without
++encryption. In order to change this behavior, set "smtpd_tls_auth_only = yes".
++
++Example:
++
++ smtpd_tls_auth_only = no
++
++SSeerrvveerr--ssiiddee TTLLSS sseessssiioonn ccaacchhee
++
++The Postfix SMTP server and the remote SMTP client negotiate a session, which
++takes some computer time and network bandwidth. By default, this session
++information is cached only in the smtpd(8) process actually using this session
++and is lost when the process terminates. To share the session information
++between multiple smtpd(8) processes, a persistent session cache can be used
++based on the SDBM databases (routines included in Postfix/TLS). Since
++concurrent writing must be supported, only SDBM can be used.
++
++Example:
++
++ smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
++
++Cached Postfix SMTP server session information expires after a certain amount
++of time. Postfix/TLS does not use the OpenSSL default of 300s, but a longer
++time of 3600sec (=1 hour). RFC 2246 recommends a maximum of 24 hours.
++
++Example:
++
++ smtpd_tls_session_cache_timeout = 3600s
++
++SSeerrvveerr aacccceessss ccoonnttrrooll
++
++Postfix TLS support introduces two additional features for Postfix SMTP server
++access control:
++
++ permit_tls_clientcerts
++ Allow the remote SMTP client SMTP request if the client certificate
++ passes verification, and if its fingerprint is listed in the list of
++ client certificates (see relay_clientcerts discussion below).
++
++ permit_tls_all_clientcerts
++ Allow the remote client SMTP request if the client certificate passes
++ verification.
++
++The permit_tls_all_clientcerts feature must be used with caution, because it
++can result in too many access permissions. Use this feature only if a special
++CA issues the client certificates, and only if this CA is listed as trusted CA.
++If other CAs are trusted, any owner of a valid client certificate would be
++authorized. The permit_tls_all_clientcerts feature can be practical for a
++specially created email relay server.
++
++It is however recommended to stay with the permit_tls_clientcerts feature and
++list all certificates via $relay_clientcerts, as permit_tls_all_clientcerts
++does not permit any control when a certificate must no longer be used (e.g. an
++employee leaving).
++
++Example:
++
++ smtpd_recipient_restrictions =
++ ...
++ permit_tls_clientcerts
++ reject_unauth_destination
++ ...
++
++The Postfix list manipulation routines give special treatment to whitespace and
++some other characters, making the use of certificate names unpractical. Instead
++we use the certificate fingerprints as they are difficult to fake but easy to
++use for lookup. Postfix lookup tables are in the form of (key, value) pairs.
++Since we only need the key, the value can be chosen freely, e.g. the name of
++the user or host:
++
++ D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
++
++Example:
++
++ relay_clientcerts = hash:/etc/postfix/relay_clientcerts
++
++SSeerrvveerr--ssiiddee cciipphheerr ccoonnttrroollss
++
++To influence the Postfix SMTP server cipher selection scheme, you can give
++cipherlist string. A detailed description would go to far here, please refer to
++the openssl documentation. If you don't know what to do with it, simply don't
++touch it and leave the (openssl-)compiled in default!
++
++DO NOT USE " to enclose the string, specify just the string!!!
++
++Example:
++
++ smtpd_tls_cipherlist = DEFAULT
++
++If you want to take advantage of ciphers with EDH, DH parameters are needed.
++Instead of using the built-in DH parameters for both 1024bit and 512bit, it is
++better to generate "own" parameters, since otherwise it would "pay" for a
++possible attacker to start a brute force attack against parameters that are
++used by everybody. For this reason, the parameters chosen are already different
++from those distributed with other TLS packages.
++
++To generate your own set of DH parameters, use:
++
++ openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
++ openssl gendh -out /etc/postfix/dh_512.pem -2 -rand /var/run/egd-pool 512
++
++Your source for "entropy" might vary; some systems have /dev/random; on other
++systems you might consider the "Entropy Gathering Daemon EGD", available at
++http://www.lothar.com/tech/crypto/.
++
++Examples:
++
++ smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
++ smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
++
++MMiisscceellllaanneeoouuss sseerrvveerr ccoonnttrroollss
++
++The smtpd_starttls_timeout parameter limits the time of Postfix SMTP server
++write and read operations during TLS startup and shutdown handshake procedures.
++
++Example:
++
++ smtpd_starttls_timeout = 300s
++
++SSMMTTPP CClliieenntt ssppeecciiffiicc sseettttiinnggss
++
++Topics covered in this section:
++
++ * Client-side certificate and private key configuration
++ * Client-side TLS activity logging
++ * Client-side TLS session cache
++ * Enabling TLS in the Postfix SMTP client
++ * Server certificate verification
++ * Client-side cipher controls
++ * Miscellaneous client controls
++
++CClliieenntt--ssiiddee cceerrttiiffiiccaattee aanndd pprriivvaattee kkeeyy ccoonnffiigguurraattiioonn
++
++During TLS startup negotiation the Postfix SMTP client may present a
++certificate to the remote SMTP server. The Netscape client is rather clever
++here and lets the user select between only those certificates that match CA
++certificates offered by the remote SMTP server. As the Postfix SMTP client uses
++the "SSL_connect()" function from the OpenSSL package, this is not possible and
++we have to choose just one certificate. So for now the default is to use _no_
++certificate and key unless one is explicitly specified here.
++
++Both RSA and DSA certificates are supported. You can have both at the same
++time, in which case the cipher used determines which certificate is presented.
++
++It is possible for the Postfix SMTP client to use the same key/certificate pair
++as the Postfix SMTP server. If a certificate is to be presented, it must be in
++"pem" format. The private key must not be encrypted, meaning: it must be
++accessible without password. Both parts (certificate and private key) may be in
++the same file.
++
++In order for remote SMTP servers to verify the Postfix SMTP client
++certificates, the CA certificate (in case of a certificate chain, all CA
++certificates) must be available. You should add these certificates to the
++client certificate, the client certificate first, then the issuing CA(s).
++
++Example: the certificate for "client.dom.ain" was issued by "intermediate CA"
++which itself has a certificate of "root CA". Create the client.pem file with:
++
++ cat client_cert.pem intermediate_CA.pem root_CA.pem > client.pem
++
++If you want the Postfix SMTP client to accept certificates issued by these CAs,
++you can also add the CA certificates to the smtp_tls_CAfile, in which case it
++is not necessary to have them in the smtp_tls_cert_file or smtp_tls_dcert_file.
++
++A Postfix SMTP client certificate supplied here must be usable as SSL client
++certificate and hence pass the "openssl verify -purpose sslclient ..." test.
++
++RSA key and certificate examples:
++
++ smtp_tls_cert_file = /etc/postfix/client.pem
++ smtp_tls_key_file = $smtp_tls_cert_file
++
++Their DSA counterparts:
++
++ smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
++ smtp_tls_dkey_file = $smtpd_tls_cert_file
++
++The Postfix SMTP client certificate was issued by a certification authority
++(CA), the CA-cert of which must be provided with the CA file if it is not
++already provided in the certificate file. The CA file may also contain the CA
++certificates of other trusted CAs. You must use this file for the list of
++trusted CAs if you want to use chroot-mode. No default is supplied for this
++value as of now.
++
++Example:
++
++ smtp_tls_CAfile = /etc/postfix/CAcert.pem
++
++To verify a remote SMTP server certificate, the Postfix SMTP client needs to
++know the certificates of the issuing certification authorities. These
++certificates in "pem" format are collected in a directory. Don't forget to
++create the necessary "hash" links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/
++certs. A typical place for the CA certificates may also be $OPENSSL_HOME/certs,
++so there is no default and you explicitly have to set the value here!
++
++To use this option in chroot mode, this directory itself or a copy of it must
++be inside the chroot jail.
++
++Example:
++
++ smtp_tls_CApath = /etc/postfix/certs
++
++CClliieenntt--ssiiddee TTLLSS aaccttiivviittyy llooggggiinngg
++
++To get additional information about Postfix SMTP client TLS activity you can
++increase the loglevel from 0..4. Each logging level also includes the
++information that is logged at a lower logging level.
++
++ 0 Disable logging of TLS activity.
++
++ 1 Log TLS handshake and certificate information.
++
++ 2 Log levels during TLS negotiation.
++
++ 3 Log hexadecimal and ASCII dump of TLS negotiation process
++
++ 4 Log hexadecimal and ASCII dump of complete transmission after STARTTLS
++
++Example:
++
++ smtp_tls_loglevel = 0
++
++CClliieenntt--ssiiddee TTLLSS sseessssiioonn ccaacchhee
++
++The remote SMTP server and the Postfix SMTP client negotiate a session, which
++takes some computer time and network bandwidth. By default, this session
++information is cached only in the smtp(8) process actually using this session
++and is lost when the process terminates. To share the session information
++between multiple smtp(8) processes, a persistent session cache can be used
++based on the SDBM databases (routines included in Postfix/TLS). Since
++concurrent writing must be supported, only SDBM can be used.
++
++Example:
++
++ smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
++
++Cached Postfix SMTP client session information expires after a certain amount
++of time. Postfix/TLS does not use the OpenSSL default of 300s, but a longer
++time of 3600s (=1 hour). RFC 2246 recommends a maximum of 24 hours.
++
++Example:
++
++ smtp_tls_session_cache_timeout = 3600s
++
++EEnnaabblliinngg TTLLSS iinn tthhee PPoossttffiixx SSMMTTPP cclliieenntt
++
++By default, TLS is disabled in the Postfix SMTP client, so no difference to
++plain Postfix is visible. If you enable TLS, the Postfix SMTP client will send
++STARTTLS when TLS support is announced by the remote SMTP server.
++
++WARNING: MS Exchange servers will announce STARTTLS support even when the
++service is not configured, so that the TLS handshake will fail. It may be wise
++to not use this option on your central mail hub, as you don't know in advance
++whether you are going to connect to such a host. Instead, use the
++smtp_tls_per_site recipient/site specific options that are described below.
++
++When the TLS handshake fails and no other server is available, the Postfix SMTP
++client defers the delivery attempt, and the mail stays in the queue.
++
++Example:
++
++ smtp_use_tls = yes
++
++You can ENFORCE the use of TLS, so that the Postfix SMTP client will not
++deliver mail over un-encrypted connections. In this mode, the remote SMTP
++server hostname must match the information in the remote server certificate,
++and the server certificate must be issued by a CA that is trusted by the
++Postfix SMTP client. If the remote server certificate doesn't verify or the
++remote SMTP server hostname doesn't match, and no other server is available,
++the delivery attempt is deferred and the mail stays in the queue.
++
++The remote SMTP server hostname used in the check is beyond question, as it
++must be the principal hostname (no CNAME allowed here). Checks are performed
++against all names provided as dNSNames in the SubjectAlternativeName. If no
++dNSNames are specified, the CommonName is checked. The behavior may be changed
++with the smtp_tls_enforce_peername option which is discussed below.
++
++This option is useful only if you know that you will only connect to servers
++that support RFC 2487 _and_ that present server certificates that meet the
++above requirements. An example would be a client only sends email to one
++specific mailhub that offers the necessary STARTTLS support.
++
++Example:
++
++ smtp_enforce_tls = no
++
++As of RFC 2487 the requirements for hostname checking for MTA clients are not
++set. When TLS is required (smtp_enforce_tls = yes), the option
++smtp_tls_enforce_peername can be set to "no" to disable strict remote SMTP
++server hostname checking. In this case, the mail delivery will proceed
++regardless of the CommonName etc. listed in the certificate.
++
++Note: the smtp_tls_enforce_peername setting has no effect on sessions that are
++controlled via the smtp_tls_per_site table.
++
++Disabling the remote SMTP server hostname verification can make sense in closed
++environment where special CAs are created. If not used carefully, this option
++opens the danger of a "man-in-the-middle" attack (the CommonName of this
++possible attacker is logged).
++
++Example:
++
++ smtp_tls_enforce_peername = yes
++
++Generally, trying TLS can be a bad idea, as some servers offer STARTTLS but the
++negotiation will fail leading to unexplainable failures. Instead, it may be a
++good idea to choose the TLS usage policy based on the recipient or the mailhub
++to which you are connecting.
++
++Deciding the TLS usage policy per recipient may be difficult, since a single
++email delivery attempt can involve several recipients. Instead, use of TLS is
++controlled by the Postfix next-hop destination domain name and by the remote
++SMTP server hostname. If either of these matches an entry in the
++smtp_tls_per_site table, appropriate action is taken.
++
++The remote SMTP server hostname is simply the DNS name of the server that the
++Postfix SMTP client connects to. The next-hop destination is Postfix specific.
++By default, this is the domain name in the recipient address, but this
++information can be overruled by the transport(5) table or by the relayhost
++parameter setting. In these cases the relayhost etc. must be listed in the
++smtp_tls_per_site table, instead of the recipient domain name.
++
++Format of the table: domain or host names are specified on the left-hand side;
++no wildcards are allowed. On the right hand side specify one of the following
++keywords:
++
++ NONE
++ Don't use TLS at all.
++ MAY
++ Try to use STARTTLS if offered, otherwise use the un-encrypted
++ connection.
++ MUST
++ Require usage of STARTTLS, require that the remote SMTP server hostname
++ matches the information in the remote SMTP server certificate, and
++ require that the remote SMTP server certificate was issued by a trusted
++ CA.
++ MUST_NOPEERMATCH
++ Require usage of STARTTLS, but do not require that the remote SMTP
++ server hostname matches the information in the remote SMTP server
++ certificate, or that the server certificate was issued by a trusted CA.
++
++The actual TLS usage policy depends not only on whether the next-hop
++destination or remote SMTP server hostname are found in the smtp_tls_per_site
++table, but also on the smtp_enforce_tls setting:
++
++ * If no match was found, the policy is applied as specified with
++ smtp_enforce_tls.
++
++ * If a match was found, and the smtp_enforce_tls policy is "enforce", NONE
++ explicitly switches it off; otherwise the "enforce" mode is used even for
++ entries that specify MAY.
++
++Special hint for TLS enforcement mode: since no secure DNS lookup mechanism is
++available, mail can be delivered to the wrong remote SMTP server. This is not
++prevented by specifying MUST for the next-hop domain name. The recommended
++setup is: specify local transport(5) table entries for sensitive domains with
++explicit smtp:[mailhost] destinations (since you can assure security of this
++table unlike DNS), then specify MUST for these mail hosts in the
++smtp_tls_per_site table.
++
++Example:
++
++ smtp_tls_per_site = hash:/etc/postfix/tls_per_site
++
++As we decide on a "per site" basis whether or not to use TLS, it would be good
++to have a list of sites that offered "STARTTLS". We can collect it ourselves
++with this option.
++
++If the smtp_tls_note_starttls_offer feature is enabled and a server offers
++STARTTLS while TLS is not already enabled for that server, the Postfix SMTP
++client logs a line as follows:
++
++ postfix/smtp[pid]: Host offered STARTTLS: [hostname.example.com]
++
++Example:
++
++ smtp_tls_note_starttls_offer = yes
++
++SSeerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn
++
++When verifying a remote SMTP server certificate, a verification depth of 1 is
++sufficient if the certificate is directly issued by a CA specified with
++smtp_tls_CAfile or smtp_tls_CApath. The default value of 5 should also suffice
++for longer chains (root CA issues special CA which then issues the actual
++certificate...)
++
++Example:
++
++ smtp_tls_scert_verifydepth = 5
++
++CClliieenntt--ssiiddee cciipphheerr ccoonnttrroollss
++
++To influence the Postfix SMTP client cipher selection scheme, you can give
++cipherlist string. A detailed description would go to far here, please refer to
++the openssl documentation. If you don't know what to do with it, simply don't
++touch it and leave the (openssl-)compiled in default!
++
++DO NOT USE " to enclose the string, specify just the string!!!
++
++Example:
++
++ smtp_tls_cipherlist = DEFAULT
++
++MMiisscceellllaanneeoouuss cclliieenntt ccoonnttrroollss
++
++The smtp_starttls_timeout parameter limits the time of Postfix SMTP client
++write and read operations during TLS startup and shutdown handshake procedures.
++In case of problems the Postfix SMTP client tries the next network address on
++the mail exchanger list, and defers delivery if no alternative server is
++available.
++
++Example:
++
++ smtp_starttls_timeout = 300s
++
++TTLLSS mmaannaaggeerr ssppeecciiffiicc sseettttiinnggss
++
++The security of cryptographic software such as TLS depends critically on the
++ability to generate unpredictable numbers for keys and other information. To
++this end, the tlsmgr(8) process maintains a Pseudo Random Number Generator
++(PRNG) pool. This is a fixed-size 1024-byte exchange file that is read by the
++smtp(8) and smtpd(8) processes when they initialize. These processes also add
++some more entropy to the file by stirring in their own time and process id
++information.
++
++The tlsmgr(8) process creates the file if it does not already exist, and
++rewrites the file at random time intervals with information from its in-memory
++PRNG pool. The default location is under the Postfix configuration directory,
++which is not the proper place for information that is modified by Postfix.
++Instead, the file location should probably be on the /var partition (but _not_
++inside the chroot jail).
++
++Example:
++
++ tls_random_exchange_name = /etc/postfix/prng_exch
++
++In order to feed its in-memory PRNG pool, the tlsmgr(8) reads entropy from an
++external source, both at startup and during run-time. Specify a good entropy
++source, like EGD or /dev/urandom; be sure to only use non-blocking sources. If
++the entropy source is not a regular file, you must prepend the source type to
++the source name: "dev:" for a device special file, or "egd:" for a source with
++EGD compatible socket interface.
++
++Examples (specify only one in main.cf):
++
++ tls_random_source = dev:/dev/urandom
++ tls_random_source = egd:/var/run/egd-pool
++
++By default, tlsmgr(8) reads 32 bytes from the external entropy source at each
++seeding event. This amount (256bits) is more than sufficient for generating a
++128bit symmetric key. With EGD and device entropy sources, the tlsmgr(8) limits
++the amount of data read at each step to 255 bytes. If you specify a regular
++file as entropy source, a larger amount of data can be read.
++
++Example:
++
++ tls_random_bytes = 32
++
++In order to update its in-memory PRNG pool, the tlsmgr(8) queries the external
++entropy source again after a random amount of time. The time is calculated
++using the PRNG, and is between 0 and the maximal time specified with
++tls_random_reseed_period. The default maximal time interval is 1 hour.
++
++Example:
++
++ tls_random_reseed_period = 3600s
++
++The tlsmgr(8) re-generates the 1024 byte seed exchange file after a random
++amount of time. The time is calculated using the PRNG, and is between 0 and the
++maximal time specified with tls_random_update_period. The default maximal time
++interval is 60 seconds.
++
++Example:
++
++ tls_random_prng_update_period = 60s
++
++If you have an entropy source available that is not easily drained (like /dev/
++urandom), the smtp(8) and smtpd(8) daemons can load additional entropy on
++startup. By default, an amount of 32 bytes is read, the equivalent to 256 bits.
++This is more than sufficient to generate a 128bit (or 168bit) session key.
++However, when Postfix needs to generate more than one key it can drain the EGD.
++Consider the case of 50 smtp(8) processes starting up with a full queue; this
++will request 1600bytes of entropy. This is however not fatal, as long as
++"entropy" data can still be read from the seed file that is maintained by
++tlsmgr(8).
++
++Examples:
++
++ tls_daemon_random_source = dev:/dev/urandom
++ tls_daemon_random_source = egd:/var/run/egd-pool
++ tls_daemon_random_bytes = 32
++
++RReeppoorrttiinngg pprroobblleemmss
++
++When reporting a problem, please be thorough in the report. Patches, when
++possible, are greatly appreciated too.
++
++Please differentiate when possible between:
++
++ * Problems in the IPv6 code: stack.nl>
++ * Problems in the TLS code: aet.tu-cottbus.de>
++ * Problems in vanilla Postfix: postfix.org>
++
++CCrreeddiittss
++
++ * TLS support for Postfix was originally developed by Lutz Jänicke at Cottbus
++ Technical University.
++ * This part of the documentation was compiled by Wietse Venema
++
+diff -urNad postfix-release/src/global/inet_interfaces_to_af.c /tmp/dpep.cXJuVH/postfix-release/src/global/inet_interfaces_to_af.c
+--- postfix-release/src/global/inet_interfaces_to_af.c 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/inet_interfaces_to_af.c 2005-02-03 10:22:13.050098917 -0700
+@@ -0,0 +1,27 @@
++#include <sys_defs.h>
++#include <stdlib.h>
++#include <sys/socket.h>
++#include <mail_params.h>
++#include <inet_interfaces_to_af.h>
++
++int inet_interfaces_to_af (char *inet_interfaces)
++{
++ int af = -1;
++
++ if (inet_interfaces == NULL || *inet_interfaces == '\0')
++ return (af);
++ if (strcasecmp(inet_interfaces, INET_INTERFACES_ALL) == 0 ||
++ strcasecmp(inet_interfaces, INET_INTERFACES_LOCAL) == 0)
++ af = AF_UNSPEC;
++ else if (strcasecmp(inet_interfaces, "IPv6:" DEF_INET_INTERFACES) == 0)
++#ifdef INET6
++ af = AF_INET6;
++#else
++ msg_fatal("unable to bind to IPv6 only (%s=%s): IPv6 not compiled in",
++ VAR_INET_INTERFACES, inet_interfaces);
++#endif
++ else if (strcasecmp(inet_interfaces, "IPv4:" DEF_INET_INTERFACES) == 0)
++ af = AF_INET;
++
++ return (af);
++}
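Review bot: `msg_fatal()` in the `#else` branch is called without any visible `#include <msg.h>` (the Postfix util header that declares it), so a non-INET6 build reaches the call through an implicit declaration at best; add `#include <msg.h>` next to the `<stdlib.h>` include. `strcasecmp()` is presumably brought in via `<sys_defs.h>`, but if it is not, `<strings.h>` is needed too. Note also that a value such as `"IPv6:loopback-only"` matches none of the comparisons and the function returns -1 silently, the same value it returns for an empty string, so callers cannot tell "unset" from "unrecognised"; whether that is intended is not visible here. A Postfix-style header comment (NAME/SYNOPSIS/DESCRIPTION) stating that -1 means no address family could be derived would make the return contract explicit, and `const char *` for the parameter would document that the string is never modified.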
+diff -urNad postfix-release/src/global/inet_interfaces_to_af.h /tmp/dpep.cXJuVH/postfix-release/src/global/inet_interfaces_to_af.h
+--- postfix-release/src/global/inet_interfaces_to_af.h 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/inet_interfaces_to_af.h 2005-02-03 10:22:13.050098917 -0700
+@@ -0,0 +1,6 @@
++#ifndef _INET_INTERFACES_TO_AF_H_INCLUDED_
++#define _INET_INTERFACES_TO_AF_H_INCLUDED_
++
++extern int inet_interfaces_to_af (char *);
++
++#endif
+diff -urNad postfix-release/src/global/mail_params.c /tmp/dpep.cXJuVH/postfix-release/src/global/mail_params.c
+--- postfix-release/src/global/mail_params.c 2005-02-03 10:22:12.220284014 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/mail_params.c 2005-02-03 10:22:13.050098917 -0700
+@@ -46,6 +46,7 @@
+ /* int var_message_limit;
+ /* char *var_mail_release;
+ /* char *var_mail_version;
++/* char *var_tlsipv6_version;
+ /* int var_ipc_idle_limit;
+ /* int var_ipc_ttl_limit;
+ /* char *var_db_type;
+@@ -163,6 +164,7 @@
+ #include "mail_proto.h"
+ #include "verp_sender.h"
+ #include "mail_params.h"
++#include "pfixtls.h"
+
+ /*
+ * Special configuration variables.
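Review bot: `#include "pfixtls.h"` is added to mail_params.c, but nothing in the visible hunks of this file references a symbol from it; every new TLS parameter registered below is a plain `char *`/`int` variable driven by `VAR_`/`DEF_` macros from mail_params.h. If the include is unnecessary, dropping it avoids coupling libglobal to the TLS headers; if it is needed for a declaration used further down, a comment such as `/* TLS parameter declarations registered in the tables below */` would record why it is there.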
+@@ -207,6 +209,9 @@
+ int var_message_limit;
+ char *var_mail_release;
+ char *var_mail_version;
++#ifdef INET6
++char *var_tlsipv6_version;
++#endif
+ int var_ipc_idle_limit;
+ int var_ipc_ttl_limit;
+ char *var_db_type;
+@@ -233,6 +238,31 @@
+ int var_in_flow_delay;
+ char *var_par_dom_match;
+ char *var_config_dirs;
++char *var_tls_rand_exch_name;
++char *var_smtpd_tls_cert_file;
++char *var_smtpd_tls_key_file;
++char *var_smtpd_tls_dcert_file;
++char *var_smtpd_tls_dkey_file;
++char *var_smtpd_tls_CAfile;
++char *var_smtpd_tls_CApath;
++char *var_smtpd_tls_cipherlist;
++char *var_smtpd_tls_dh512_param_file;
++char *var_smtpd_tls_dh1024_param_file;
++int var_smtpd_tls_loglevel;
++char *var_smtpd_tls_scache_db;
++int var_smtpd_tls_scache_timeout;
++char *var_smtp_tls_cert_file;
++char *var_smtp_tls_key_file;
++char *var_smtp_tls_dcert_file;
++char *var_smtp_tls_dkey_file;
++char *var_smtp_tls_CAfile;
++char *var_smtp_tls_CApath;
++char *var_smtp_tls_cipherlist;
++int var_smtp_tls_loglevel;
++char *var_smtp_tls_scache_db;
++int var_smtp_tls_scache_timeout;
++char *var_tls_daemon_rand_source;
++int var_tls_daemon_rand_bytes;
+
+ char *var_import_environ;
+ char *var_export_environ;
+@@ -488,6 +518,9 @@
+ VAR_ALIAS_DB_MAP, DEF_ALIAS_DB_MAP, &var_alias_db_map, 0, 0,
+ VAR_MAIL_RELEASE, DEF_MAIL_RELEASE, &var_mail_release, 1, 0,
+ VAR_MAIL_VERSION, DEF_MAIL_VERSION, &var_mail_version, 1, 0,
++#ifdef INET6
++ VAR_TLSIPV6_VERSION, DEF_TLSIPV6_VERSION, &var_tlsipv6_version, 1, 0,
++#endif
+ VAR_DB_TYPE, DEF_DB_TYPE, &var_db_type, 1, 0,
+ VAR_HASH_QUEUE_NAMES, DEF_HASH_QUEUE_NAMES, &var_hash_queue_names, 1, 0,
+ VAR_RCPT_DELIM, DEF_RCPT_DELIM, &var_rcpt_delim, 0, 1,
+@@ -512,6 +545,26 @@
+ VAR_FLUSH_SERVICE, DEF_FLUSH_SERVICE, &var_flush_service, 1, 0,
+ VAR_VERIFY_SERVICE, DEF_VERIFY_SERVICE, &var_verify_service, 1, 0,
+ VAR_TRACE_SERVICE, DEF_TRACE_SERVICE, &var_trace_service, 1, 0,
++ VAR_TLS_RAND_EXCH_NAME, DEF_TLS_RAND_EXCH_NAME, &var_tls_rand_exch_name, 0, 0,
++ VAR_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CERT_FILE, &var_smtpd_tls_cert_file, 0, 0,
++ VAR_SMTPD_TLS_KEY_FILE, DEF_SMTPD_TLS_KEY_FILE, &var_smtpd_tls_key_file, 0, 0,
++ VAR_SMTPD_TLS_DCERT_FILE, DEF_SMTPD_TLS_DCERT_FILE, &var_smtpd_tls_dcert_file, 0, 0,
++ VAR_SMTPD_TLS_DKEY_FILE, DEF_SMTPD_TLS_DKEY_FILE, &var_smtpd_tls_dkey_file, 0, 0,
++ VAR_SMTPD_TLS_CA_FILE, DEF_SMTPD_TLS_CA_FILE, &var_smtpd_tls_CAfile, 0, 0,
++ VAR_SMTPD_TLS_CA_PATH, DEF_SMTPD_TLS_CA_PATH, &var_smtpd_tls_CApath, 0, 0,
++ VAR_SMTPD_TLS_CLIST, DEF_SMTPD_TLS_CLIST, &var_smtpd_tls_cipherlist, 0, 0,
++ VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0,
++ VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0,
++ VAR_SMTPD_TLS_SCACHE_DB, DEF_SMTPD_TLS_SCACHE_DB, &var_smtpd_tls_scache_db, 0, 0,
++ VAR_SMTP_TLS_CERT_FILE, DEF_SMTP_TLS_CERT_FILE, &var_smtp_tls_cert_file, 0, 0,
++ VAR_SMTP_TLS_KEY_FILE, DEF_SMTP_TLS_KEY_FILE, &var_smtp_tls_key_file, 0, 0,
++ VAR_SMTP_TLS_DCERT_FILE, DEF_SMTP_TLS_DCERT_FILE, &var_smtp_tls_dcert_file, 0, 0,
++ VAR_SMTP_TLS_DKEY_FILE, DEF_SMTP_TLS_DKEY_FILE, &var_smtp_tls_dkey_file, 0, 0,
++ VAR_SMTP_TLS_CA_FILE, DEF_SMTP_TLS_CA_FILE, &var_smtp_tls_CAfile, 0, 0,
++ VAR_SMTP_TLS_CA_PATH, DEF_SMTP_TLS_CA_PATH, &var_smtp_tls_CApath, 0, 0,
++ VAR_SMTP_TLS_CLIST, DEF_SMTP_TLS_CLIST, &var_smtp_tls_cipherlist, 0, 0,
++ VAR_SMTP_TLS_SCACHE_DB, DEF_SMTP_TLS_SCACHE_DB, &var_smtp_tls_scache_db, 0, 0,
++ VAR_TLS_DAEMON_RAND_SOURCE, DEF_TLS_DAEMON_RAND_SOURCE, &var_tls_daemon_rand_source, 0, 0,
+ 0,
+ };
+ static CONFIG_STR_FN_TABLE function_str_defaults_2[] = {
+@@ -534,6 +587,9 @@
+ VAR_TOKEN_LIMIT, DEF_TOKEN_LIMIT, &var_token_limit, 1, 0,
+ VAR_MIME_MAXDEPTH, DEF_MIME_MAXDEPTH, &var_mime_maxdepth, 1, 0,
+ VAR_MIME_BOUND_LEN, DEF_MIME_BOUND_LEN, &var_mime_bound_len, 1, 0,
++ VAR_SMTPD_TLS_LOGLEVEL, DEF_SMTPD_TLS_LOGLEVEL, &var_smtpd_tls_loglevel, 0, 0,
++ VAR_SMTP_TLS_LOGLEVEL, DEF_SMTP_TLS_LOGLEVEL, &var_smtp_tls_loglevel, 0, 0,
++ VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 0, 0,
+ 0,
+ };
+ static CONFIG_TIME_TABLE time_defaults[] = {
+@@ -546,6 +602,8 @@
+ VAR_FORK_DELAY, DEF_FORK_DELAY, &var_fork_delay, 1, 0,
+ VAR_FLOCK_DELAY, DEF_FLOCK_DELAY, &var_flock_delay, 1, 0,
+ VAR_FLOCK_STALE, DEF_FLOCK_STALE, &var_flock_stale, 1, 0,
++ VAR_SMTPD_TLS_SCACHTIME, DEF_SMTPD_TLS_SCACHTIME, &var_smtpd_tls_scache_timeout, 0, 0,
++ VAR_SMTP_TLS_SCACHTIME, DEF_SMTP_TLS_SCACHTIME, &var_smtp_tls_scache_timeout, 0, 0,
+ VAR_DAEMON_TIMEOUT, DEF_DAEMON_TIMEOUT, &var_daemon_timeout, 1, 0,
+ VAR_IN_FLOW_DELAY, DEF_IN_FLOW_DELAY, &var_in_flow_delay, 0, 10,
+ 0,
+diff -urNad postfix-release/src/global/mail_params.h /tmp/dpep.cXJuVH/postfix-release/src/global/mail_params.h
+--- postfix-release/src/global/mail_params.h 2005-02-03 10:22:12.200288474 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/mail_params.h 2005-02-03 10:22:13.052098471 -0700
+@@ -129,7 +129,9 @@
+ * Virtual host support. Default is to listen on all machine interfaces.
+ */
+ #define VAR_INET_INTERFACES "inet_interfaces" /* listen addresses */
+-#define DEF_INET_INTERFACES "all"
++#define INET_INTERFACES_ALL "all"
++#define INET_INTERFACES_LOCAL "loopback-only"
++#define DEF_INET_INTERFACES INET_INTERFACES_ALL
+ extern char *var_inet_interfaces;
+
+ #define VAR_PROXY_INTERFACES "proxy_interfaces" /* proxies, NATs */
+@@ -519,6 +521,34 @@
+ #define DEF_DUP_FILTER_LIMIT 1000
+ extern int var_dup_filter_limit;
+
++#define VAR_TLS_RAND_EXCH_NAME "tls_random_exchange_name"
++#define DEF_TLS_RAND_EXCH_NAME "${queue_directory}/prng_exch"
++extern char *var_tls_rand_exch_name;
++
++#define VAR_TLS_RAND_SOURCE "tls_random_source"
++#define DEF_TLS_RAND_SOURCE ""
++extern char *var_tls_rand_source;
++
++#define VAR_TLS_RAND_BYTES "tls_random_bytes"
++#define DEF_TLS_RAND_BYTES 32
++extern int var_tls_rand_bytes;
++
++#define VAR_TLS_DAEMON_RAND_SOURCE "tls_daemon_random_source"
++#define DEF_TLS_DAEMON_RAND_SOURCE ""
++extern char *var_tls_daemon_rand_source;
++
++#define VAR_TLS_DAEMON_RAND_BYTES "tls_daemon_random_bytes"
++#define DEF_TLS_DAEMON_RAND_BYTES 32
++extern int var_tls_daemon_rand_bytes;
++
++#define VAR_TLS_RESEED_PERIOD "tls_random_reseed_period"
++#define DEF_TLS_RESEED_PERIOD "3600s"
++extern int var_tls_reseed_period;
++
++#define VAR_TLS_PRNG_UPD_PERIOD "tls_random_prng_update_period"
++#define DEF_TLS_PRNG_UPD_PERIOD "60s"
++extern int var_tls_prng_upd_period;
++
+ /*
+ * Queue manager: relocated databases.
+ */
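Review bot: `DEF_TLS_RAND_EXCH_NAME` is set to `"${queue_directory}/prng_exch"`, while the TLS_README added earlier in this same patch describes the default location as being under the Postfix configuration directory and its example uses `/etc/postfix/prng_exch`; one of the two should be corrected so the documented and compiled-in defaults agree. The README also says the exchange file should be kept outside the chroot jail, and the queue directory is typically the chroot root for the jailed Postfix daemons, so this default may contradict that advice — worth confirming with the packager. A short comment such as `/* PRNG seed exchange file, rewritten by tlsmgr(8); must be writable by Postfix and should live outside any chroot */` would record the intent next to the default.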
+@@ -768,6 +798,10 @@
+ #define DEF_SMTP_XFWD_TMOUT "300s"
+ extern int var_smtp_xfwd_tmout;
+
++#define VAR_SMTP_STARTTLS_TMOUT "smtp_starttls_timeout"
++#define DEF_SMTP_STARTTLS_TMOUT "300s"
++extern int var_smtp_starttls_tmout;
++
+ #define VAR_SMTP_MAIL_TMOUT "smtp_mail_timeout"
+ #define DEF_SMTP_MAIL_TMOUT "300s"
+ extern int var_smtp_mail_tmout;
+@@ -828,6 +862,10 @@
+ #define DEF_SMTP_BIND_ADDR ""
+ extern char *var_smtp_bind_addr;
+
++#define VAR_SMTP_BIND_ADDR6 "smtp_bind_address6"
++#define DEF_SMTP_BIND_ADDR6 ""
++extern char *var_smtp_bind_addr6;
++
+ #define VAR_SMTP_HELO_NAME "smtp_helo_name"
+ #define DEF_SMTP_HELO_NAME "$myhostname"
+ extern char *var_smtp_helo_name;
+@@ -869,6 +907,10 @@
+ #define DEF_SMTPD_TMOUT "300s"
+ extern int var_smtpd_tmout;
+
++#define VAR_SMTPD_STARTTLS_TMOUT "smtpd_starttls_timeout"
++#define DEF_SMTPD_STARTTLS_TMOUT "300s"
++extern int var_smtpd_starttls_tmout;
++
+ #define VAR_SMTPD_RCPT_LIMIT "smtpd_recipient_limit"
+ #define DEF_SMTPD_RCPT_LIMIT 1000
+ extern int var_smtpd_rcpt_limit;
+@@ -901,6 +943,150 @@
+ #define DEF_SMTPD_NOOP_CMDS ""
+ extern char *var_smtpd_noop_cmds;
+
++#define VAR_SMTPD_TLS_WRAPPER "smtpd_tls_wrappermode"
++#define DEF_SMTPD_TLS_WRAPPER 0
++extern bool var_smtpd_tls_wrappermode;
++
++#define VAR_SMTPD_USE_TLS "smtpd_use_tls"
++#define DEF_SMTPD_USE_TLS 0
++extern bool var_smtpd_use_tls;
++
++#define VAR_SMTPD_ENFORCE_TLS "smtpd_enforce_tls"
++#define DEF_SMTPD_ENFORCE_TLS 0
++extern bool var_smtpd_enforce_tls;
++
++#define VAR_SMTPD_TLS_AUTH_ONLY "smtpd_tls_auth_only"
++#define DEF_SMTPD_TLS_AUTH_ONLY 0
++extern bool var_smtpd_tls_auth_only;
++
++#define VAR_SMTPD_TLS_ACERT "smtpd_tls_ask_ccert"
++#define DEF_SMTPD_TLS_ACERT 0
++extern bool var_smtpd_tls_ask_ccert;
++
++#define VAR_SMTPD_TLS_RCERT "smtpd_tls_req_ccert"
++#define DEF_SMTPD_TLS_RCERT 0
++extern bool var_smtpd_tls_req_ccert;
++
++#define VAR_SMTPD_TLS_CCERT_VD "smtpd_tls_ccert_verifydepth"
++#define DEF_SMTPD_TLS_CCERT_VD 5
++extern int var_smtpd_tls_ccert_vd;
++
++#define VAR_SMTPD_TLS_CERT_FILE "smtpd_tls_cert_file"
++#define DEF_SMTPD_TLS_CERT_FILE ""
++extern char *var_smtpd_tls_cert_file;
++
++#define VAR_SMTPD_TLS_KEY_FILE "smtpd_tls_key_file"
++#define DEF_SMTPD_TLS_KEY_FILE "$smtpd_tls_cert_file"
++extern char *var_smtpd_tls_key_file;
++
++#define VAR_SMTPD_TLS_DCERT_FILE "smtpd_tls_dcert_file"
++#define DEF_SMTPD_TLS_DCERT_FILE ""
++extern char *var_smtpd_tls_dcert_file;
++
++#define VAR_SMTPD_TLS_DKEY_FILE "smtpd_tls_dkey_file"
++#define DEF_SMTPD_TLS_DKEY_FILE "$smtpd_tls_dcert_file"
++extern char *var_smtpd_tls_dkey_file;
++
++#define VAR_SMTPD_TLS_CA_FILE "smtpd_tls_CAfile"
++#define DEF_SMTPD_TLS_CA_FILE ""
++extern char *var_smtpd_tls_CAfile;
++
++#define VAR_SMTPD_TLS_CA_PATH "smtpd_tls_CApath"
++#define DEF_SMTPD_TLS_CA_PATH ""
++extern char *var_smtpd_tls_CApath;
++
++#define VAR_SMTPD_TLS_CLIST "smtpd_tls_cipherlist"
++#define DEF_SMTPD_TLS_CLIST ""
++extern char *var_smtpd_tls_cipherlist;
++
++#define VAR_SMTPD_TLS_512_FILE "smtpd_tls_dh512_param_file"
++#define DEF_SMTPD_TLS_512_FILE ""
++extern char *var_smtpd_tls_dh512_param_file;
++
++#define VAR_SMTPD_TLS_1024_FILE "smtpd_tls_dh1024_param_file"
++#define DEF_SMTPD_TLS_1024_FILE ""
++extern char *var_smtpd_tls_dh1024_param_file;
++
++#define VAR_SMTPD_TLS_LOGLEVEL "smtpd_tls_loglevel"
++#define DEF_SMTPD_TLS_LOGLEVEL 0
++extern int var_smtpd_tls_loglevel;
++
++#define VAR_SMTPD_TLS_RECHEAD "smtpd_tls_received_header"
++#define DEF_SMTPD_TLS_RECHEAD 0
++extern bool var_smtpd_tls_received_header;
++
++#define VAR_SMTPD_TLS_SCACHE_DB "smtpd_tls_session_cache_database"
++#define DEF_SMTPD_TLS_SCACHE_DB ""
++extern char *var_smtpd_tls_scache_db;
++
++#define VAR_SMTPD_TLS_SCACHTIME "smtpd_tls_session_cache_timeout"
++#define DEF_SMTPD_TLS_SCACHTIME "3600s"
++extern int var_smtpd_tls_scache_timeout;
++
++#define VAR_SMTP_TLS_PER_SITE "smtp_tls_per_site"
++#define DEF_SMTP_TLS_PER_SITE ""
++extern char *var_smtp_tls_per_site;
++
++#define VAR_SMTP_USE_TLS "smtp_use_tls"
++#define DEF_SMTP_USE_TLS 0
++extern bool var_smtp_use_tls;
++
++#define VAR_SMTP_ENFORCE_TLS "smtp_enforce_tls"
++#define DEF_SMTP_ENFORCE_TLS 0
++extern bool var_smtp_enforce_tls;
++
++#define VAR_SMTP_TLS_ENFORCE_PN "smtp_tls_enforce_peername"
++#define DEF_SMTP_TLS_ENFORCE_PN 1
++extern bool var_smtp_tls_enforce_peername;
++
++#define VAR_SMTP_TLS_SCERT_VD "smtp_tls_scert_verifydepth"
++#define DEF_SMTP_TLS_SCERT_VD 5
++extern int var_smtp_tls_scert_vd;
++
++#define VAR_SMTP_TLS_CERT_FILE "smtp_tls_cert_file"
++#define DEF_SMTP_TLS_CERT_FILE ""
++extern char *var_smtp_tls_cert_file;
++
++#define VAR_SMTP_TLS_KEY_FILE "smtp_tls_key_file"
++#define DEF_SMTP_TLS_KEY_FILE "$smtp_tls_cert_file"
++extern char *var_smtp_tls_key_file;
++
++#define VAR_SMTP_TLS_DCERT_FILE "smtp_tls_dcert_file"
++#define DEF_SMTP_TLS_DCERT_FILE ""
++extern char *var_smtp_tls_dcert_file;
++
++#define VAR_SMTP_TLS_DKEY_FILE "smtp_tls_dkey_file"
++#define DEF_SMTP_TLS_DKEY_FILE "$smtp_tls_dcert_file"
++extern char *var_smtp_tls_dkey_file;
++
++#define VAR_SMTP_TLS_CA_FILE "smtp_tls_CAfile"
++#define DEF_SMTP_TLS_CA_FILE ""
++extern char *var_smtp_tls_CAfile;
++
++#define VAR_SMTP_TLS_CA_PATH "smtp_tls_CApath"
++#define DEF_SMTP_TLS_CA_PATH ""
++extern char *var_smtp_tls_CApath;
++
++#define VAR_SMTP_TLS_CLIST "smtp_tls_cipherlist"
++#define DEF_SMTP_TLS_CLIST ""
++extern char *var_smtp_tls_cipherlist;
++
++#define VAR_SMTP_TLS_LOGLEVEL "smtp_tls_loglevel"
++#define DEF_SMTP_TLS_LOGLEVEL 0
++extern int var_smtp_tls_loglevel;
++
++#define VAR_SMTP_TLS_NOTEOFFER "smtp_tls_note_starttls_offer"
++#define DEF_SMTP_TLS_NOTEOFFER 0
++extern bool var_smtp_tls_note_starttls_offer;
++
++#define VAR_SMTP_TLS_SCACHE_DB "smtp_tls_session_cache_database"
++#define DEF_SMTP_TLS_SCACHE_DB ""
++extern char *var_smtp_tls_scache_db;
++
++#define VAR_SMTP_TLS_SCACHTIME "smtp_tls_session_cache_timeout"
++#define DEF_SMTP_TLS_SCACHTIME "3600s"
++extern int var_smtp_tls_scache_timeout;
++
+ /*
+ * SASL authentication support, SMTP server side.
+ */
+@@ -916,6 +1102,10 @@
+ #define DEF_SMTPD_SASL_APPNAME "smtpd"
+ extern char *var_smtpd_sasl_appname;
+
++#define VAR_SMTPD_SASL_TLS_OPTS "smtpd_sasl_tls_security_options"
++#define DEF_SMTPD_SASL_TLS_OPTS "$smtpd_sasl_security_options"
++extern char *var_smtpd_sasl_opts;
++
+ #define VAR_SMTPD_SASL_REALM "smtpd_sasl_local_domain"
+ #define DEF_SMTPD_SASL_REALM ""
+ extern char *var_smtpd_sasl_realm;
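Review bot: The extern placed under the new VAR_SMTPD_SASL_TLS_OPTS / DEF_SMTPD_SASL_TLS_OPTS pair declares `var_smtpd_sasl_opts`, which reads like the variable for the existing non-TLS `smtpd_sasl_security_options` rather than a fresh one, so the TLS-specific value has no variable of its own to land in; the smtp side in the next hunk does introduce a distinct `var_smtp_sasl_tls_opts`. Unless the re-use is deliberate (I cannot see the earlier declaration), change it to `extern char *var_smtpd_sasl_tls_opts;` and register that name wherever the parameter table maps `smtpd_sasl_tls_security_options`.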
+@@ -945,6 +1135,14 @@
+ #define DEF_SMTP_SASL_OPTS "noplaintext, noanonymous"
+ extern char *var_smtp_sasl_opts;
+
++#define VAR_SMTP_SASL_TLS_OPTS "smtp_sasl_tls_security_options"
++#define DEF_SMTP_SASL_TLS_OPTS "$var_smtp_sasl_opts"
++extern char *var_smtp_sasl_tls_opts;
++
++#define VAR_SMTP_SASL_TLSV_OPTS "smtp_sasl_tls_verified_security_options"
++#define DEF_SMTP_SASL_TLSV_OPTS "$var_smtp_sasl_tls_opts"
++extern char *var_smtp_sasl_tls_verified_opts;
++
+ /*
+ * LMTP server. The soft error limit determines how many errors an LMTP
+ * client may make before we start to slow down; the hard error limit
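Review bot: The defaults `"$var_smtp_sasl_opts"` and `"$var_smtp_sasl_tls_opts"` reference C identifiers, whereas every other `$`-style default in this header (`"$smtp_tls_cert_file"`, `"$smtp_tls_dcert_file"`, `"$smtpd_sasl_security_options"`) names a main.cf parameter. If `$name` defaults are resolved as parameter names, as those siblings suggest, both expand to nothing, and a TLS session would run with no SASL restriction instead of inheriting `noplaintext, noanonymous` from the non-TLS setting. Change them to `#define DEF_SMTP_SASL_TLS_OPTS "$smtp_sasl_security_options"` and `#define DEF_SMTP_SASL_TLSV_OPTS "$smtp_sasl_tls_security_options"`.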
+@@ -1075,6 +1273,14 @@
+ #define DEF_LMTP_QUIT_TMOUT "300s"
+ extern int var_lmtp_quit_tmout;
+
++#define VAR_LMTP_BIND_ADDR "lmtp_bind_address"
++#define DEF_LMTP_BIND_ADDR ""
++extern char *var_lmtp_bind_addr;
++
++#define VAR_LMTP_BIND_ADDR6 "lmtp_bind_address6"
++#define DEF_LMTP_BIND_ADDR6 ""
++extern char *var_lmtp_bind_addr6;
++
+ #define VAR_LMTP_SEND_XFORWARD "lmtp_send_xforward_command"
+ #define DEF_LMTP_SEND_XFORWARD 0
+ extern bool var_lmtp_send_xforward;
+@@ -1234,6 +1440,10 @@
+ #define DEF_RELAY_RCPT_CODE 550
+ extern int var_relay_rcpt_code;
+
++#define VAR_RELAY_CCERTS "relay_clientcerts"
++#define DEF_RELAY_CCERTS ""
++extern char *var_relay_ccerts;
++
+ #define VAR_CLIENT_CHECKS "smtpd_client_restrictions"
+ #define DEF_CLIENT_CHECKS ""
+ extern char *var_client_checks;
+@@ -1352,6 +1562,8 @@
+ #define PERMIT_AUTH_DEST "permit_auth_destination"
+ #define REJECT_UNAUTH_DEST "reject_unauth_destination"
+ #define CHECK_RELAY_DOMAINS "check_relay_domains"
++#define PERMIT_TLS_CLIENTCERTS "permit_tls_clientcerts"
++#define PERMIT_TLS_ALL_CLIENTCERTS "permit_tls_all_clientcerts"
+ #define VAR_RELAY_CODE "relay_domains_reject_code"
+ #define DEF_RELAY_CODE 554
+ extern int var_relay_code;
+diff -urNad postfix-release/src/global/mail_proto.h /tmp/dpep.cXJuVH/postfix-release/src/global/mail_proto.h
+--- postfix-release/src/global/mail_proto.h 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/mail_proto.h 2005-02-03 10:22:13.052098471 -0700
+@@ -42,6 +42,7 @@
+ #define MAIL_SERVICE_LOCAL "local"
+ #define MAIL_SERVICE_PICKUP "pickup"
+ #define MAIL_SERVICE_QUEUE "qmgr"
++#define MAIL_SERVICE_TLSMGR "tlsmgr"
+ #define MAIL_SERVICE_RESOLVE "resolve"
+ #define MAIL_SERVICE_REWRITE "rewrite"
+ #define MAIL_SERVICE_VIRTUAL "virtual"
+diff -urNad postfix-release/src/global/mail_version.h /tmp/dpep.cXJuVH/postfix-release/src/global/mail_version.h
+--- postfix-release/src/global/mail_version.h 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/mail_version.h 2005-02-03 10:22:13.052098471 -0700
+@@ -31,6 +31,14 @@
+ #endif
+ extern char *var_mail_version;
+
++#define VAR_TLSIPV6_VERSION "tls_ipv6_version"
++#ifdef INET6
++#define DEF_TLSIPV6_VERSION "1.24"
++#else
++#define DEF_TLSIPV6_VERSION ""
++#endif
++extern char *var_tlsipv6_version;
++
+ /*
+ * Release date.
+ */
+diff -urNad postfix-release/src/global/Makefile.in /tmp/dpep.cXJuVH/postfix-release/src/global/Makefile.in
+--- postfix-release/src/global/Makefile.in 2005-02-03 10:22:12.218284460 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/Makefile.in 2005-02-03 10:22:13.053098248 -0700
+@@ -23,7 +23,8 @@
+ sent.c smtp_stream.c split_addr.c string_list.c strip_addr.c \
+ sys_exits.c timed_ipc.c tok822_find.c tok822_node.c tok822_parse.c \
+ tok822_resolve.c tok822_rewrite.c tok822_tree.c trace.c verify.c \
+- verify_clnt.c verp_sender.c virtual8_maps.c xtext.c
++ verify_clnt.c verp_sender.c virtual8_maps.c xtext.c pfixtls.c \
++ wildcard_inet_addr.c inet_interfaces_to_af.c
+ OBJS = abounce.o been_here.o bounce.o bounce_log.o \
+ canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \
+ clnt_stream.o debug_peer.o debug_process.o defer.o \
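Review bot: `pfixtls.c` is appended to SRCS here, but the OBJS hunk that follows appends only `wildcard_inet_addr.o inet_interfaces_to_af.o` and no `pfixtls.o`, while the dependency hunk further down adds `mail_params.o: pfixtls.h`, so this library clearly expects the header. If pfixtls.o is meant to be part of this library, add it to OBJS next to the other two; if it is linked from somewhere else, a short comment beside the SRCS line saying so would keep the SRCS/OBJS mismatch from being re-raised.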
+@@ -47,7 +48,8 @@
+ sent.o smtp_stream.o split_addr.o string_list.o strip_addr.o \
+ sys_exits.o timed_ipc.o tok822_find.o tok822_node.o tok822_parse.o \
+ tok822_resolve.o tok822_rewrite.o tok822_tree.o trace.o verify.o \
+- verify_clnt.o verp_sender.o virtual8_maps.o xtext.o
++ verify_clnt.o verp_sender.o virtual8_maps.o xtext.o \
++ wildcard_inet_addr.o inet_interfaces_to_af.o
+ HDRS = abounce.h been_here.h bounce.h bounce_log.h \
+ canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \
+ debug_peer.h debug_process.h defer.h deliver_completed.h \
+@@ -69,7 +71,7 @@
+ resolve_local.h rewrite_clnt.h sent.h smtp_stream.h split_addr.h \
+ string_list.h strip_addr.h sys_exits.h timed_ipc.h tok822.h \
+ trace.h verify.h verify_clnt.h verp_sender.h virtual8_maps.h \
+- xtext.h
++ xtext.h pfixtls.h wildcard_inet_addr.h inet_interfaces_to_af.h
+ TESTSRC = rec2stream.c stream2rec.c recdump.c
+ DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE)
+ CFLAGS = $(DEBUG) $(OPT) $(DEFS)
+@@ -898,6 +900,7 @@
+ mail_params.o: ../../include/attr.h
+ mail_params.o: verp_sender.h
+ mail_params.o: mail_params.h
++mail_params.o: pfixtls.h
+ mail_pathname.o: mail_pathname.c
+ mail_pathname.o: ../../include/sys_defs.h
+ mail_pathname.o: ../../include/stringops.h
+diff -urNad postfix-release/src/global/mynetworks.c /tmp/dpep.cXJuVH/postfix-release/src/global/mynetworks.c
+--- postfix-release/src/global/mynetworks.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/mynetworks.c 2005-02-03 10:22:13.054098025 -0700
+@@ -28,6 +28,13 @@
+ /* IBM T.J. Watson Research
+ /* P.O. Box 704
+ /* Yorktown Heights, NY 10598, USA
++/*
++/* Dean C. Strik
++/* Department ICT Services
++/* Eindhoven University of Technology
++/* P.O. Box 513
++/* 5600 MB Eindhoven, Netherlands
++/* E-mail: <dean at ipnet6.org>
+ /*--*/
+
+ /* System library. */
+@@ -42,7 +49,8 @@
+ #define IN_CLASSD_NSHIFT 28
+ #endif
+
+-#define BITS_PER_ADDR 32
++#define BITS_PER_ADDR_V4 32
++#define BITS_PER_ADDR_V6 128
+
+ /* Utility library. */
+
+@@ -50,6 +58,12 @@
+ #include <vstring.h>
+ #include <inet_addr_list.h>
+ #include <name_mask.h>
++#ifdef INET6
++#include <string.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <netdb.h>
++#endif
+
+ /* Global library. */
+
+@@ -75,18 +89,25 @@
+ const char *mynetworks(void)
+ {
+ static VSTRING *result;
++ int bits_per_addr;
++#ifdef INET6
++ char hbuf[NI_MAXHOST];
++#endif
+
+ if (result == 0) {
+ char *myname = "mynetworks";
+ INET_ADDR_LIST *my_addr_list;
+ INET_ADDR_LIST *my_mask_list;
+- unsigned long addr;
+- unsigned long mask;
++ unsigned long addr = 0;
++ unsigned long mask = 0;
+ struct in_addr net;
+- int shift;
++ int shift = 0;
+ int junk;
+ int i;
+ int mask_style;
++#ifdef INET6
++ struct sockaddr *sa;
++#endif
+
+ mask_style = name_mask("mynetworks mask style", mask_styles,
+ var_mynetworks_style);
+@@ -107,8 +128,23 @@
+ my_mask_list = own_inet_mask_list();
+
+ for (i = 0; i < my_addr_list->used; i++) {
++#ifdef INET6
++ sa = (struct sockaddr *)&my_addr_list->addrs[i];
++ if (sa->sa_family != AF_INET && sa->sa_family != AF_INET6) {
++ msg_warn("%s: unknown family in address list", myname);
++ continue;
++ }
++ if (sa->sa_family == AF_INET) {
++ bits_per_addr = BITS_PER_ADDR_V4;
++ addr = ntohl(((struct sockaddr_in *)sa)->sin_addr.s_addr);
++ mask = ntohl(((struct sockaddr_in *)
++ &my_mask_list->addrs[i])->sin_addr.s_addr);
++ } else
++ bits_per_addr = BITS_PER_ADDR_V6;
++#else
+ addr = ntohl(my_addr_list->addrs[i].s_addr);
+ mask = ntohl(my_mask_list->addrs[i].s_addr);
++#endif
+
+ switch (mask_style) {
+
+@@ -117,6 +153,9 @@
+ * ISP who gave you a small portion of their network.
+ */
+ case MASK_STYLE_CLASS:
++#ifdef INET6
++ if (sa->sa_family == AF_INET) {
++#endif
+ if (IN_CLASSA(addr)) {
+ mask = IN_CLASSA_NET;
+ shift = IN_CLASSA_NSHIFT;
+@@ -130,24 +169,73 @@
+ mask = IN_CLASSD_NET;
+ shift = IN_CLASSD_NSHIFT;
+ } else {
++#ifdef INET6
++ if (getnameinfo(sa, SA_LEN(sa), hbuf, sizeof(hbuf),
++ NULL, 0, NI_NUMERICHOST))
++ strncpy(hbuf, "???", sizeof(hbuf));
++ msg_fatal("%s: bad address class: %s", myname, hbuf);
++#else
+ msg_fatal("%s: bad address class: %s",
+ myname, inet_ntoa(my_addr_list->addrs[i]));
++#endif
+ }
+ break;
++#ifdef INET6
++ } /* if AF_INET */
++ /*
++ * There are no classes for IPv6, we default to subnets instead.
++ */
++ /* FALLTHROUGH */
++#endif
+
+ /*
+ * Subnet mask. This is safe, but breaks backwards
+ * compatibility when used as default setting.
+ */
+ case MASK_STYLE_SUBNET:
+- for (junk = mask, shift = BITS_PER_ADDR; junk != 0; shift--, (junk <<= 1))
+- /* void */ ;
++#ifdef INET6
++ if (sa->sa_family == AF_INET6) {
++ unsigned char *ac, *end;
++ ac = (unsigned char *)&(((struct sockaddr_in6 *)&my_mask_list->addrs[i])->sin6_addr);
++ end = ac + bits_per_addr / 8;
++ shift = bits_per_addr;
++ while (ac < end) {
++ switch (*(ac++)) {
++ case 0xff: shift -= 8; break;
++ case 0xfe: shift -= 7; break;
++ case 0xfc: shift -= 6; break;
++ case 0xf8: shift -= 5; break;
++ case 0xf0: shift -= 4; break;
++ case 0xe0: shift -= 3; break;
++ case 0xc0: shift -= 2; break;
++ case 0x80: shift -= 1; break;
++ case 0x00: break;
++ default: msg_fatal("%s: inconsistent prefixlen",
++ myname);
++ }
++ }
++ break;
++ }
++#endif
++ /* AF_INET */
++ junk = mask;
++ shift = bits_per_addr;
++ while (junk != 0) {
++ shift--;
++ junk <<= 1;
++ }
+ break;
+
+ /*
+ * Host only. Do not relay authorize other hosts.
+ */
+ case MASK_STYLE_HOST:
++#ifdef INET6
++ if (sa->sa_family == AF_INET6) {
++ shift = 0;
++ break;
++ }
++#endif
+ mask = ~0;
+ shift = 0;
+ break;
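Review bot: The per-byte switch in the AF_INET6 subnet case counts mask bits without requiring that every byte after the first partial one is 0x00, so a non-contiguous mask (constructed example: `ff00ff..`) is accepted and reported as a prefix length that does not describe it, even though the code already has an "inconsistent prefixlen" error for the within-byte case. Track it with `int partial = 0;` before the loop, then at the top of the loop body `if (partial && *ac != 0x00) msg_fatal("%s: inconsistent prefixlen", myname);` and `if (*ac != 0xff) partial = 1;` before the `switch (*(ac++))`, so the existing error also covers the cross-byte case. The AF_INET shift loop below has the same blind spot, inherited from the original.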
+@@ -156,9 +244,20 @@
+ msg_panic("unknown mynetworks mask style: %s",
+ var_mynetworks_style);
+ }
++#ifdef INET6
++ if (sa->sa_family == AF_INET6) {
++ if (getnameinfo(sa, SA_LEN(sa), hbuf, sizeof(hbuf), NULL, 0,
++ NI_NUMERICHOST))
++ msg_fatal("%s: bad address to getnameinfo()", myname);
++ vstring_sprintf_append(result, "[%s]/%d ",
++ hbuf, bits_per_addr - shift);
++ continue;
++ }
++#endif
++ /* AF_INET */
+ net.s_addr = htonl(addr & mask);
+ vstring_sprintf_append(result, "%s/%d ",
+- inet_ntoa(net), BITS_PER_ADDR - shift);
++ inet_ntoa(net), bits_per_addr - shift);
+ }
+ if (msg_verbose)
+ msg_info("%s: %s", myname, vstring_str(result));
+diff -urNad postfix-release/src/global/own_inet_addr.c /tmp/dpep.cXJuVH/postfix-release/src/global/own_inet_addr.c
+--- postfix-release/src/global/own_inet_addr.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/own_inet_addr.c 2005-02-03 10:23:37.570246060 -0700
+@@ -50,6 +50,8 @@
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+ #include <string.h>
++#include <sys/socket.h>
++#include <netdb.h>
+
+ #ifdef STRCASECMP_IN_STRINGS_H
+ #include <strings.h>
+@@ -63,11 +65,13 @@
+ #include <inet_addr_local.h>
+ #include <inet_addr_host.h>
+ #include <stringops.h>
++#include <sock_addr.h>
+
+ /* Global library. */
+
+ #include <mail_params.h>
+ #include <own_inet_addr.h>
++#include <inet_interfaces_to_af.h>
+
+ /* Application-specific. */
+
+@@ -88,6 +92,10 @@
+ char *bufp;
+ int nvirtual;
+ int nlocal;
++ int done = 0;
++ int af;
++ struct sockaddr_storage *sa;
++ struct sockaddr_storage *ma;
+
+ inet_addr_list_init(addr_list);
+ inet_addr_list_init(mask_list);
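Review bot: `int done = 0;` is declared here, but none of the hunks shown for this function (presumably own_inet_addr_init(), given the call further down) read or write it, so it looks like a leftover. If a part of the function outside the hunks uses it, fine; otherwise drop the declaration. The function starts before this hunk and continues in the following ones.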
+@@ -96,27 +104,52 @@
+ * If we are listening on all interfaces (default), ask the system what
+ * the interfaces are.
+ */
+- if (strcasecmp(var_inet_interfaces, DEF_INET_INTERFACES) == 0) {
+- if (inet_addr_local(addr_list, mask_list) == 0)
+- msg_fatal("could not find any active network interfaces");
+-#if 0
+- if (addr_list->used == 1)
+- msg_warn("found only one active network interface: %s",
+- inet_ntoa(addr_list->addrs[0]));
+-#endif
++ af = inet_interfaces_to_af(var_inet_interfaces);
++ if (strcmp(var_inet_interfaces, INET_INTERFACES_ALL) == 0) {
++ if (af > -1) {
++ if (inet_addr_local(addr_list, mask_list, af) == 0)
++ msg_fatal("could not find any active network interfaces");
++ }
+ }
+
+ /*
++ * Select all loopback interfaces from the system's available interface
++ * list.
++ */
++ else if (strcmp(var_inet_interfaces, INET_INTERFACES_LOCAL) == 0) {
++ int found=0;
++ inet_addr_list_init(&local_addrs);
++ inet_addr_list_init(&local_masks);
++ if (inet_addr_local(&local_addrs, &local_masks, af) == 0)
++ msg_fatal("could not find any active network interfaces");
++ for (sa = local_addrs.addrs, ma = local_masks.addrs;
++ sa < local_addrs.addrs + local_addrs.used; sa++, ma++) {
++ if (sock_addr_in_loopback(SOCK_ADDR_PTR(sa))) {
++ inet_addr_list_append(addr_list, SOCK_ADDR_PTR(sa));
++ inet_addr_list_append(mask_list, SOCK_ADDR_PTR(ma));
++ found=1;
++ if (msg_verbose)
++ msg_info("found one"); /* XXX */
++ }
++ }
++ inet_addr_list_free(&local_addrs);
++ inet_addr_list_free(&local_masks);
++ if (!found)
++ msg_fatal("could not find any loopback addresses");
++ }
++
++ /*
+ * If we are supposed to be listening only on specific interface
+ * addresses (virtual hosting), look up the addresses of those
+ * interfaces.
+ */
+ else {
+ bufp = hosts = mystrdup(var_inet_interfaces);
+- while ((host = mystrtok(&bufp, sep)) != 0)
++ while ((host = mystrtok(&bufp, sep)) != 0) {
+ if (inet_addr_host(addr_list, host) == 0)
+ msg_fatal("config variable %s: host not found: %s",
+ VAR_INET_INTERFACES, host);
++ }
+ myfree(hosts);
+
+ /*
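Review bot: In the `INET_INTERFACES_ALL` branch the inet_addr_local() call is now guarded by `if (af > -1)`, so when inet_interfaces_to_af() returns -1 (presumably for an unrecognised value) the function completes with an empty address list instead of the `msg_fatal` the original code always reached; an empty own-address list silently disables every check built on it. Either drop the guard or make the negative case fatal: `else msg_fatal("parameter %s: unsupported address family", VAR_INET_INTERFACES);`. Two smaller points in the same hunk: the comparison changed from `strcasecmp(..., DEF_INET_INTERFACES)` to `strcmp(..., INET_INTERFACES_ALL)`, so a main.cf value of `ALL` now falls into the host-lookup branch and fails there, and `msg_info("found one"); /* XXX */` reads as a leftover debug line that should either print the matched address or be removed.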
+@@ -129,19 +162,44 @@
+
+ inet_addr_list_init(&local_addrs);
+ inet_addr_list_init(&local_masks);
+- if (inet_addr_local(&local_addrs, &local_masks) == 0)
++ if (inet_addr_local(&local_addrs, &local_masks, AF_UNSPEC) == 0)
+ msg_fatal("could not find any active network interfaces");
+ for (nvirtual = 0; nvirtual < addr_list->used; nvirtual++) {
+ for (nlocal = 0; /* see below */ ; nlocal++) {
+- if (nlocal >= local_addrs.used)
++ if (nlocal >= local_addrs.used) {
++#ifdef INET6
++ char hbuf[NI_MAXHOST];
++ if (getnameinfo((struct sockaddr *)&addr_list->addrs[nvirtual],
++ SS_LEN(addr_list->addrs[nvirtual]), hbuf,
++ sizeof(hbuf), NULL, 0, NI_NUMERICHOST) != 0)
++ strncpy(hbuf, "???", sizeof(hbuf));
++ msg_fatal("parameter %s: no local interface found for %s",
++ VAR_INET_INTERFACES, hbuf);
++#else
+ msg_fatal("parameter %s: no local interface found for %s",
+ VAR_INET_INTERFACES,
+ inet_ntoa(addr_list->addrs[nvirtual]));
++#endif
++ }
++#ifdef INET6
++ if (addr_list->addrs[nvirtual].ss_family ==
++ local_addrs.addrs[nlocal].ss_family &&
++ SS_LEN(addr_list->addrs[nvirtual]) ==
++ SS_LEN(local_addrs.addrs[nlocal]) &&
++ memcmp(&addr_list->addrs[nvirtual],
++ &local_addrs.addrs[nlocal],
++ SS_LEN(local_addrs.addrs[nlocal])) == 0) {
++ inet_addr_list_append(mask_list, (struct sockaddr *)
++ &local_masks.addrs[nlocal]);
++ break;
++ }
++#else
+ if (addr_list->addrs[nvirtual].s_addr
+ == local_addrs.addrs[nlocal].s_addr) {
+ inet_addr_list_append(mask_list, &local_masks.addrs[nlocal]);
+ break;
+ }
++#endif
+ }
+ }
+ inet_addr_list_free(&local_addrs);
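Review bot: The INET6 match compares the whole sockaddr_storage with `memcmp()` over `SS_LEN` bytes, which takes in sin_port/sin6_port, sin6_flowinfo and sin6_scope_id plus any padding such as sin_zero, so an address from inet_addr_host() matches a local interface only if every one of those fields happens to be zeroed identically on both sides. Comparing the address members only (sin_addr / sin6_addr), the way the new own_inet_addr() below does through `SA6_ARE_ADDR_EQUAL`, would make the match depend on the address alone and keep the two functions consistent.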
+@@ -151,6 +209,49 @@
+
+ /* own_inet_addr - is this my own internet address */
+
++#ifdef INET6
++
++#ifdef INET6_KAME
++#define SA6_ARE_ADDR_EQUAL(a, b) ( \
++ ((a)->sin6_scope_id == 0 || (b)->sin6_scope_id == 0 || \
++ (a)->sin6_scope_id == (b)->sin6_scope_id) && \
++ (memcmp(&(a)->sin6_addr, &(b)->sin6_addr, \
++ sizeof(struct in6_addr)) == 0))
++#else
++#define SA6_ARE_ADDR_EQUAL(a, b) \
++ (memcmp(&(a)->sin6_addr, &(b)->sin6_addr, \
++ sizeof(struct in6_addr)) == 0)
++#endif
++
++int own_inet_addr(struct sockaddr *addr)
++{
++ int i;
++
++ if (addr_list.used == 0)
++ own_inet_addr_init(&addr_list, &mask_list);
++
++ for (i = 0; i < addr_list.used; i++) {
++ if (((struct sockaddr *)&addr_list.addrs[i])->sa_family !=
++ addr->sa_family)
++ continue;
++ switch (addr->sa_family) {
++ case AF_INET:
++ if (((struct sockaddr_in *)addr)->sin_addr.s_addr ==
++ ((struct sockaddr_in *)&addr_list.addrs[i])->sin_addr.s_addr)
++ return (1);
++ break;
++ case AF_INET6:
++ if (SA6_ARE_ADDR_EQUAL((struct sockaddr_in6 *)addr,
++ (struct sockaddr_in6 *)&addr_list.addrs[i]))
++ return (1);
++ break;
++ default:
++ continue;
++ }
++ }
++ return (0);
++}
++#else
+ int own_inet_addr(struct in_addr * addr)
+ {
+ int i;
+@@ -163,6 +264,7 @@
+ return (1);
+ return (0);
+ }
++#endif
+
+ /* own_inet_addr_list - return list of addresses */
+
+@@ -224,8 +326,15 @@
+ proxy_inet_addr_init(&proxy_list);
+
+ for (i = 0; i < proxy_list.used; i++)
++#ifdef INET6
++ if (proxy_list.addrs[i].ss_family == AF_INET && addr->s_addr ==
++ ((struct sockaddr_in *)&(proxy_list.addrs[i]))->
++ sin_addr.s_addr)
++ return (1);
++#else
+ if (addr->s_addr == proxy_list.addrs[i].s_addr)
+ return (1);
++#endif
+ return (0);
+ }
+
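Review bot: proxy_inet_addr() keeps its `struct in_addr *` interface (the header hunk below still declares `extern int proxy_inet_addr(struct in_addr *);`) and under INET6 compares only entries with `ss_family == AF_INET`, so an IPv6 address configured as a proxy interface is stored but can never match here. If IPv6 proxy interfaces are meant to work, give it the same `struct sockaddr *` signature and AF_INET6 case as own_inet_addr(); if not, a comment at the `#ifdef INET6` stating that IPv6 proxy addresses are ignored would document the limitation. The function starts before this hunk.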
+diff -urNad postfix-release/src/global/own_inet_addr.h /tmp/dpep.cXJuVH/postfix-release/src/global/own_inet_addr.h
+--- postfix-release/src/global/own_inet_addr.h 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/own_inet_addr.h 2005-02-03 10:22:13.054098025 -0700
+@@ -15,11 +15,18 @@
+ * System library.
+ */
+ #include <netinet/in.h>
++#ifdef INET6
++#include <sys/socket.h>
++#endif
+
+ /*
+ * External interface.
+ */
++#ifdef INET6
++extern int own_inet_addr(struct sockaddr *);
++#else
+ extern int own_inet_addr(struct in_addr *);
++#endif
+ extern struct INET_ADDR_LIST *own_inet_addr_list(void);
+ extern struct INET_ADDR_LIST *own_inet_mask_list(void);
+ extern int proxy_inet_addr(struct in_addr *);
+diff -urNad postfix-release/src/global/pfixtls.c /tmp/dpep.cXJuVH/postfix-release/src/global/pfixtls.c
+--- postfix-release/src/global/pfixtls.c 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/pfixtls.c 2005-02-03 10:22:13.059096910 -0700
+@@ -0,0 +1,2824 @@
++#ifdef USE_TLS
++/*++
++/* NAME
++/* pfixtls
++/* SUMMARY
++/* interface to openssl routines
++/* SYNOPSIS
++/* #include <pfixtls.h>
++/*
++/* const long scache_db_version;
++/* const long openssl_version;
++/*
++/* int pfixtls_serverengine;
++/*
++/* int pfixtls_clientengine;
++/*
++/* int pfixtls_timed_read(fd, buf, len, timeout, unused_context)
++/* int fd;
++/* void *buf;
++/* unsigned len;
++/* int timeout;
++/* void *context;
++/*
++/* int pfixtls_timed_write(fd, buf, len, timeout, unused_context);
++/* int fd;
++/* void *buf;
++/* unsigned len;
++/* int timeout;
++/* void *context;
++/*
++/* int pfixtls_init_serverengine(verifydepth, askcert);
++/* int verifydepth;
++/* int askcert;
++/*
++/* int pfixtls_start_servertls(stream, timeout, peername, peeraddr,
++/* tls_info, requirecert);
++/* VSTREAM *stream;
++/* int timeout;
++/* const char *peername;
++/* const char *peeraddr;
++/* tls_info_t *tls_info;
++/* int requirecert;
++/*
++/* int pfixtls_stop_servertls(stream, failure, tls_info);
++/* VSTREAM *stream;
++/* int failure;
++/* tls_info_t *tls_info;
++/*
++/* int pfixtls_init_clientengine(verifydepth);
++/* int verifydepth;
++/*
++/* int pfixtls_start_clienttls(stream, timeout, peername, peeraddr,
++/* tls_info);
++/* VSTREAM *stream;
++/* int timeout;
++/* const char *peername;
++/* const char *peeraddr;
++/* tls_info_t *tls_info;
++/*
++/* int pfixtls_stop_clienttls(stream, failure, tls_info);
++/* VSTREAM *stream;
++/* int failure;
++/* tls_info_t *tls_info;
++/*
++/* DESCRIPTION
++/* This module is the interface between Postfix and the OpenSSL library.
++/*
++/* pfixtls_timed_read() reads the requested number of bytes calling
++/* SSL_read(). pfixtls_time_read() will only be called indirect
++/* as a VSTREAM_FN function.
++/* pfixtls_timed_write() is the corresponding write function.
++/*
++/* pfixtls_init_serverengine() is called once when smtpd is started
++/* in order to initialize as much of the TLS stuff as possible.
++/* The certificate handling is also decided during the setup phase,
++/* so that a peer specific handling is not possible.
++/*
++/* pfixtls_init_clientengine() is the corresponding function called
++/* in smtp. Here we take the peer's (server's) certificate in any
++/* case.
++/*
++/* pfixtls_start_servertls() activates the TLS feature for the VSTREAM
++/* passed as argument. We expect that all buffers are flushed and the
++/* TLS handshake can begin immediately. Information about the peer
++/* is stored into the tls_info structure passed as argument.
++/*
++/* pfixtls_stop_servertls() sends the "close notify" alert via
++/* SSL_shutdown() to the peer and resets all connection specific
++/* TLS data. As RFC2487 does not specify a seperate shutdown, it
++/* is supposed that the underlying TCP connection is shut down
++/* immediately afterwards, so we don't care about additional data
++/* coming through the channel.
++/* If the failure flag is set, the session is cleared from the cache.
++/*
++/* pfixtls_start_clienttls() and pfixtls_stop_clienttls() are the
++/* corresponding functions for smtp.
++/*
++/* Once the TLS connection is initiated, information about the TLS
++/* state is available via the tls_info structure:
++/* protocol holds the protocol name (SSLv2, SSLv3, TLSv1),
++/* tls_info->cipher_name the cipher name (e.g. RC4/MD5),
++/* tls_info->cipher_usebits the number of bits actually used (e.g. 40),
++/* tls_info->cipher_algbits the number of bits the algorithm is based on
++/* (e.g. 128).
++/* The last two values may be different when talking to a crippled
++/* - ahem - export controled peer (e.g. 40/128).
++/*
++/* The status of the peer certificate verification is available in
++/* pfixtls_peer_verified. It is set to 1, when the certificate could
++/* be verified.
++/* If the peer offered a certifcate, part of the certificate data are
++/* available as:
++/* tls_info->peer_subject X509v3-oneline with the DN of the peer
++/* tls_info->peer_CN extracted CommonName of the peer
++/* tls_info->peer_issuer X509v3-oneline with the DN of the issuer
++/* tls_info->peer_CN extracted CommonName of the issuer
++/* tls_info->PEER_FINGERPRINT fingerprint of the certificate
++/*
++/* DESCRIPTION (SESSION CACHING)
++/* In order to achieve high performance when using a lot of connections
++/* with TLS, session caching is implemented. It reduces both the CPU load
++/* (less cryptograpic operations) and the network load (the amount of
++/* certificate data exchanged is reduced).
++/* Since postfix uses a setup of independent processes for receiving
++/* and sending email, the processes must exchange the session information.
++/* Several connections at the same time between the identical peers can
++/* occur, so uniqueness and race conditions have to be taken into
++/* account.
++/* I have checked both Apache-SSL (Ben Laurie), using a seperate "gcache"
++/* process and Apache mod_ssl (Ralf S. Engelshall), using shared memory
++/* between several identical processes spawned from one parent.
++/*
++/* Postfix/TLS uses a database approach based on the internal "dict"
++/* interface. Since the session cache information is approximately
++/* 1300 bytes binary data, it will not fit into the dbm/ndbm model.
++/* It also needs write access to the database, ruling out most other
++/* interface, leaving Berkeley DB, which however cannot handle concurrent
++/* access by several processes. Hence a modified SDBM (public domain DBM)
++/* with enhanced buffer size is used and concurrent write capability
++/* is used. SDBM is part of Postfix/TLS.
++/*
++/* Realization:
++/* Both (client and server) session cache are realized by individual
++/* cache databases. A common database would not make sense, since the
++/* key criteria are different (session ID for server, peername for
++/* client).
++/*
++/* Server side:
++/* Session created by OpenSSL have a 32 byte session id, yielding a
++/* 64 char file name. I consider these sessions to be unique. If they
++/* are not, the last session will win, overwriting the older one in
++/* the database. Remember: everything that is lost is a temporary
++/* information and not more than a renegotiation will happen.
++/* Originating from the same client host, several sessions can come
++/* in (e.g. from several users sending mail with Netscape at the same
++/* time), so the session id is the correct identifier; the hostname
++/* is of no importance, here.
++/*
++/* Client side:
++/* We cannot recall sessions based on their session id, because we would
++/* have to check every session on disk for a matching server name, so
++/* the lookup has to be done based on the FQDN of the peer (receiving
++/* host).
++/* With regard to uniqueness, we might experience several open connections
++/* to the same server at the same time. This is even very likely to
++/* happen, since we might have several mails for the same destination
++/* in the queue, when a queue run is started. So several smtp's might
++/* negotiate sessions at the same time. We can however only save one
++/* session for one host.
++/* Like on the server side, the "last write" wins. The reason is
++/* quite simple. If we don't want to overwrite old sessions, an old
++/* session file will just stay in place until it is expired. In the
++/* meantime we would lose "fresh" session however. So we will keep the
++/* fresh one instead to avoid unnecessary renegotiations.
++/*
++/* Session lifetime:
++/* RFC2246 recommends a session lifetime of less than 24 hours. The
++/* default is 300 seconds (5 minutes) for OpenSSL and is also used
++/* this way in e.g. mod_ssl. The typical usage for emails might be
++/* humans typing in emails and sending them, which might take just
++/* a while, so I think 3600 seconds (1 hour) is a good compromise.
++/* If the environment is save (the cached session contains secret
++/* key data), one might even consider using a longer timeout. Anyway,
++/* since everlasting sessions must be avoided, the session timeout
++/* is done based on the creation date of the session and so each
++/* session will timeout eventually.
++/*
++/* Connection failures:
++/* RFC2246 requires us to remove sessions if something went wrong.
++/* Since the in-memory session cache of other smtp[d] processes cannot
++/* be controlled by simple means, we completely rely on the disc
++/* based session caching and remove all sessions from memory after
++/* connection closure.
++/*
++/* Cache cleanup:
++/* Since old entries have to be removed from the session cache, a
++/* cleanup process is needed that runs through the collected session
++/* files on regular basis. The task is performed by tlsmgr based on
++/* the timestamp created by pfixtls and included in the saved session,
++/* so that tlsmgr has not to care about the SSL_SESSION internal data.
++/*
++/* BUGS
++/* The memory allocation policy of the OpenSSL library is not well
++/* documented, especially when loading sessions from disc. Hence there
++/* might be memory leaks.
++/*
++/* LICENSE
++/* AUTHOR(S)
++/* Lutz Jaenicke
++/* BTU Cottbus
++/* Allgemeine Elektrotechnik
++/* Universitaetsplatz 3-4
++/* D-03044 Cottbus, Germany
++/*--*/
++
++/* System library. */
++
++#include <sys_defs.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <sys/time.h> /* gettimeofday, not in POSIX */
++#include <unistd.h>
++#include <stdio.h>
++#include <string.h>
++#include <errno.h>
++#include <ctype.h>
++
++/* Utility library. */
++
++#include <iostuff.h>
++#include <mymalloc.h>
++#include <vstring.h>
++#include <vstream.h>
++#include <dict.h>
++#include <myflock.h>
++#include <stringops.h>
++#include <msg.h>
++#include <connect.h>
++
++/* Application-specific. */
++
++#include "mail_params.h"
++#include "pfixtls.h"
++
++#define STR vstring_str
++
++const tls_info_t tls_info_zero = {
++ 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, 0
++};
++
++#ifdef USE_SSL
++
++/* OpenSSL library. */
++
++#include <openssl/lhash.h>
++#include <openssl/bn.h>
++#include <openssl/err.h>
++#include <openssl/pem.h>
++#include <openssl/x509.h>
++#include <openssl/x509v3.h>
++#include <openssl/rand.h>
++#include <openssl/ssl.h>
++
++/* We must keep some of the info available */
++static const char hexcodes[] = "0123456789ABCDEF";
++
++/*
++ * When saving sessions, we want to make sure, that the lenght of the key
++ * is somehow limited. When saving client sessions, the hostname is used
++ * as key. According to HP-UX 10.20, MAXHOSTNAMELEN=64. Maybe new standards
++ * will increase this value, but as this will break compatiblity with existing
++ * implementations, we won't see this for long. We therefore choose a limit
++ * of 64 bytes.
++ * The length of the (TLS) session id can be up to 32 bytes according to
++ * RFC2246, so it fits well into the 64bytes limit.
++ */
++#define ID_MAXLENGTH 64 /* Max ID length in bytes */
++
++/*
++ * The session_id_context is set, such that the client knows which services
++ * on a host share the same session information (on the postfix host may
++ * as well run a TLS-enabled webserver.
++ */
++static char server_session_id_context[] = "Postfix/TLS"; /* anything will do */
++static int TLScontext_index = -1;
++static int TLSpeername_index = -1;
++static int do_dump = 0;
++static DH *dh_512 = NULL, *dh_1024 = NULL;
++static SSL_CTX *ctx = NULL;
++
++static int rand_exch_fd = -1;
++
++static DICT *scache_db = NULL;
++const long scache_db_version = 0x00000003L;
++const long openssl_version = OPENSSL_VERSION_NUMBER;
++
++
++int pfixtls_serverengine = 0;
++static int pfixtls_serveractive = 0; /* available or not */
++
++int pfixtls_clientengine = 0;
++static int pfixtls_clientactive = 0; /* available or not */
++
++/*
++ * Define a maxlength for certificate onelines. The length is checked by
++ * all routines when copying.
++ */
++#define CCERT_BUFSIZ 256
++
++typedef struct {
++ SSL *con;
++ BIO *internal_bio; /* postfix/TLS side of pair */
++ BIO *network_bio; /* netsork side of pair */
++ char peer_subject[CCERT_BUFSIZ];
++ char peer_issuer[CCERT_BUFSIZ];
++ char peer_CN[CCERT_BUFSIZ];
++ char issuer_CN[CCERT_BUFSIZ];
++ unsigned char md[EVP_MAX_MD_SIZE];
++ char fingerprint[EVP_MAX_MD_SIZE * 3];
++ char peername_save[129];
++ int enforce_verify_errors;
++ int enforce_CN;
++ int hostname_matched;
++} TLScontext_t;
++
++typedef struct {
++ int pid;
++ struct timeval tv;
++} randseed_t;
++
++static randseed_t randseed;
++
++/*
++ * Finally some "backup" DH-Parameters to be loaded, if no parameters are
++ * explicitely loaded from file.
++ */
++static unsigned char dh512_p[] = {
++ 0x88, 0x3F, 0x00, 0xAF, 0xFC, 0x0C, 0x8A, 0xB8, 0x35, 0xCD, 0xE5, 0xC2,
++ 0x0F, 0x55, 0xDF, 0x06, 0x3F, 0x16, 0x07, 0xBF, 0xCE, 0x13, 0x35, 0xE4,
++ 0x1C, 0x1E, 0x03, 0xF3, 0xAB, 0x17, 0xF6, 0x63, 0x50, 0x63, 0x67, 0x3E,
++ 0x10, 0xD7, 0x3E, 0xB4, 0xEB, 0x46, 0x8C, 0x40, 0x50, 0xE6, 0x91, 0xA5,
++ 0x6E, 0x01, 0x45, 0xDE, 0xC9, 0xB1, 0x1F, 0x64, 0x54, 0xFA, 0xD9, 0xAB,
++ 0x4F, 0x70, 0xBA, 0x5B,
++};
++
++static unsigned char dh512_g[] = {
++ 0x02,
++};
++
++static unsigned char dh1024_p[] = {
++ 0xB0, 0xFE, 0xB4, 0xCF, 0xD4, 0x55, 0x07, 0xE7, 0xCC, 0x88, 0x59, 0x0D,
++ 0x17, 0x26, 0xC5, 0x0C, 0xA5, 0x4A, 0x92, 0x23, 0x81, 0x78, 0xDA, 0x88,
++ 0xAA, 0x4C, 0x13, 0x06, 0xBF, 0x5D, 0x2F, 0x9E, 0xBC, 0x96, 0xB8, 0x51,
++ 0x00, 0x9D, 0x0C, 0x0D, 0x75, 0xAD, 0xFD, 0x3B, 0xB1, 0x7E, 0x71, 0x4F,
++ 0x3F, 0x91, 0x54, 0x14, 0x44, 0xB8, 0x30, 0x25, 0x1C, 0xEB, 0xDF, 0x72,
++ 0x9C, 0x4C, 0xF1, 0x89, 0x0D, 0x68, 0x3F, 0x94, 0x8E, 0xA4, 0xFB, 0x76,
++ 0x89, 0x18, 0xB2, 0x91, 0x16, 0x90, 0x01, 0x99, 0x66, 0x8C, 0x53, 0x81,
++ 0x4E, 0x27, 0x3D, 0x99, 0xE7, 0x5A, 0x7A, 0xAF, 0xD5, 0xEC, 0xE2, 0x7E,
++ 0xFA, 0xED, 0x01, 0x18, 0xC2, 0x78, 0x25, 0x59, 0x06, 0x5C, 0x39, 0xF6,
++ 0xCD, 0x49, 0x54, 0xAF, 0xC1, 0xB1, 0xEA, 0x4A, 0xF9, 0x53, 0xD0, 0xDF,
++ 0x6D, 0xAF, 0xD4, 0x93, 0xE7, 0xBA, 0xAE, 0x9B,
++};
++
++static unsigned char dh1024_g[] = {
++ 0x02,
++};
++
++/*
++ * DESCRIPTION: Keeping control of the network interface using BIO-pairs.
++ *
++ * When the TLS layer is active, all input/output must be filtered through
++ * it. On the other hand to handle timeout conditions, full control over
++ * the network socket must be kept. This rules out the "normal way" of
++ * connecting the TLS layer directly to the socket.
++ * The TLS layer is realized with a BIO-pair:
++ *
++ * postfix | TLS-engine
++ * | |
++ * +--------> SSL_operations()
++ * | /\ ||
++ * | || \/
++ * | BIO-pair (internal_bio)
++ * +--------< BIO-pair (network_bio)
++ * | |
++ * socket |
++ *
++ * The normal postfix operations connect to the SSL operations to send
++ * and retrieve (cleartext) data. Inside the TLS-engine the data are converted
++ * to/from TLS protocol. The TLS functionality itself is only connected to
++ * the internal_bio and hence only has status information about this internal
++ * interface.
++ * Thus, if the SSL_operations() return successfully (SSL_ERROR_NONE) or want
++ * to read (SSL_ERROR_WANT_READ) there may as well be data inside the buffering
++ * BIO-pair. So whenever an SSL_operation() returns without a fatal error,
++ * the BIO-pair internal buffer must be flushed to the network.
++ * NOTE: This is especially true in the SSL_ERROR_WANT_READ case: the TLS-layer
++ * might want to read handshake data, that will never come since its own
++ * written data will only reach the peer after flushing the buffer!
++ *
++ * The BIO-pair buffer size has been set to 8192 bytes, this is an arbitrary
++ * value that can hold more data than the typical PMTU, so that it does
++ * not force the generation of packets smaller than necessary.
++ * It is also larger than the default VSTREAM_BUFSIZE (4096, see vstream.h),
++ * so that large write operations could be handled within one call.
++ * The internal buffer in the network/network_bio handling layer has been
++ * set to the same value, since this seems to be reasonable. The code is
++ * however able to handle arbitrary values smaller or larger than the
++ * buffer size in the BIO-pair.
++ */
++
++const size_t BIO_bufsiz = 8192;
++
++/*
++ * The interface layer between network and BIO-pair. The BIO-pair buffers
++ * the data to/from the TLS layer. Hence, at any time, there may be data
++ * in the buffer that must be written to the network. This writing has
++ * highest priority because the handshake might fail otherwise.
++ * Only then a read_request can be satisfied.
++ */
++static int network_biopair_interop(int fd, int timeout, BIO *network_bio)
++{
++ int want_write;
++ int num_write;
++ int write_pos;
++ int from_bio;
++ int want_read;
++ int num_read;
++ int to_bio;
++#define NETLAYER_BUFFERSIZE 8192
++ char buffer[8192];
++
++ while ((want_write = BIO_ctrl_pending(network_bio)) > 0) {
++ if (want_write > NETLAYER_BUFFERSIZE)
++ want_write = NETLAYER_BUFFERSIZE;
++ from_bio = BIO_read(network_bio, buffer, want_write);
++
++ /*
++ * Write the complete contents of the buffer. Since TLS performs
++ * underlying handshaking, we cannot afford to leave the buffer
++ * unflushed, as we could run into a deadlock trap (the peer
++ * waiting for a final byte and we already waiting for his reply
++ * in read position).
++ */
++ write_pos = 0;
++ do {
++ if (timeout > 0 && write_wait(fd, timeout) < 0)
++ return (-1);
++ num_write = write(fd, buffer + write_pos, from_bio - write_pos);
++ if (num_write <= 0) {
++ if ((num_write < 0) && (timeout > 0) && (errno == EAGAIN)) {
++ msg_warn("write() returns EAGAIN on a writable file descriptor!");
++ msg_warn("pausing to avoid going into a tight select/write loop!");
++ sleep(1);
++ } else {
++ msg_warn("Write failed in network_biopair_interop with errno=%d: num_write=%d, provided=%d", errno, num_write, from_bio - write_pos);
++ return (-1); /* something happened to the socket */
++ }
++ } else
++ write_pos += num_write;
++ } while (write_pos < from_bio);
++ }
++
++ while ((want_read = BIO_ctrl_get_read_request(network_bio)) > 0) {
++ if (want_read > NETLAYER_BUFFERSIZE)
++ want_read = NETLAYER_BUFFERSIZE;
++ if (timeout > 0 && read_wait(fd, timeout) < 0)
++ return (-1);
++ num_read = read(fd, buffer, want_read);
++ if (num_read <= 0) {
++ if ((num_write < 0) && (timeout > 0) && (errno == EAGAIN)) {
++ msg_warn("read() returns EAGAIN on a readable file descriptor!");
++ msg_warn("pausing to avoid going into a tight select/write loop!");
++ sleep(1);
++ } else {
++ msg_warn("Read failed in network_biopair_interop with errno=%d: num_read=%d, want_read=%d", errno, num_read, want_read);
++ return (-1); /* something happened to the socket */
++ }
++ } else {
++ to_bio = BIO_write(network_bio, buffer, num_read);
++ if (to_bio != num_read)
++ msg_fatal("to_bio != num_read");
++ }
++ }
++
++ return (0);
++}
++
++static void pfixtls_print_errors(void);
++
++ /*
++ * Function to perform the handshake for SSL_accept(), SSL_connect(),
++ * and SSL_shutdown() and perform the SSL_read(), SSL_write() operations.
++ * Call the underlying network_biopair_interop-layer to make sure the
++ * write buffer is flushed after every operation (that did not fail with
++ * a fatal error).
++ */
++static int do_tls_operation(int fd, int timeout, TLScontext_t *TLScontext,
++ int (*hsfunc)(SSL *),
++ int (*rfunc)(SSL *, void *, int),
++ int (*wfunc)(SSL *, const void *, int),
++ char *buf, int num)
++{
++ int status;
++ int err;
++ int retval = 0;
++ int biop_retval;
++ int done = 0;
++
++ while (!done) {
++ if (hsfunc)
++ status = hsfunc(TLScontext->con);
++ else if (rfunc)
++ status = rfunc(TLScontext->con, buf, num);
++ else
++ status = wfunc(TLScontext->con, (const char *)buf, num);
++ err = SSL_get_error(TLScontext->con, status);
++
++#if (OPENSSL_VERSION_NUMBER <= 0x0090581fL)
++ /*
++ * There is a bug up to and including OpenSSL-0.9.5a: if an error
++ * occurs while checking the peers certificate due to some certificate
++ * error (e.g. as happend with a RSA-padding error), the error is put
++ * onto the error stack. If verification is not enforced, this error
++ * should be ignored, but the error-queue is not cleared, so we
++ * can find this error here. The bug has been fixed on May 28, 2000.
++ *
++ * This bug so far has only manifested as
++ * 4800:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
++ * 4800:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:396:
++ * 4800:error:0D079006:asn1 encoding routines:ASN1_verify:bad get asn1 object call:a_verify.c:109:
++ * so that we specifically test for this error. We print the errors
++ * to the logfile and automatically clear the error queue. Then we
++ * retry to get another error code. We cannot do better, since we
++ * can only retrieve the last entry of the error-queue without
++ * actually cleaning it on the way.
++ *
++ * This workaround is secure, as verify_result is set to "failed"
++ * anyway.
++ */
++ if (err == SSL_ERROR_SSL) {
++ if (ERR_peek_error() == 0x0407006AL) {
++ pfixtls_print_errors(); /* Keep information for the logfile */
++ msg_info("OpenSSL <= 0.9.5a workaround called: certificate errors ignored");
++ err = SSL_get_error(TLScontext->con, status);
++ }
++ }
++#endif
++
++ switch (err) {
++ case SSL_ERROR_NONE: /* success */
++ retval = status;
++ done = 1; /* no break, flush buffer before */
++ /* leaving */
++ case SSL_ERROR_WANT_WRITE:
++ case SSL_ERROR_WANT_READ:
++ biop_retval = network_biopair_interop(fd, timeout,
++ TLScontext->network_bio);
++ if (biop_retval < 0)
++ return (-1); /* fatal network error */
++ break;
++ case SSL_ERROR_ZERO_RETURN: /* connection was closed cleanly */
++ case SSL_ERROR_SYSCALL:
++ case SSL_ERROR_SSL:
++ default:
++ retval = status;
++ done = 1;
++ ;
++ }
++ };
++ return retval;
++}
++
++int pfixtls_timed_read(int fd, void *buf, unsigned buf_len, int timeout,
++ void *context)
++{
++ int i;
++ int ret;
++ char mybuf[40];
++ char *mybuf2;
++ TLScontext_t *TLScontext;
++
++ TLScontext = (TLScontext_t *)context;
++ if (!TLScontext)
++ msg_fatal("Called tls_timed_read() without TLS-context");
++
++ ret = do_tls_operation(fd, timeout, TLScontext, NULL, SSL_read, NULL,
++ (char *)buf, buf_len);
++ if ((pfixtls_serveractive && var_smtpd_tls_loglevel >= 4) ||
++ (pfixtls_clientactive && var_smtp_tls_loglevel >= 4)) {
++ mybuf2 = (char *) buf;
++ if (ret > 0) {
++ i = 0;
++ while ((i < 39) && (i < ret) && (mybuf2[i] != 0)) {
++ mybuf[i] = mybuf2[i];
++ i++;
++ }
++ mybuf[i] = '\0';
++ msg_info("Read %d chars: %s", ret, mybuf);
++ }
++ }
++ return (ret);
++}
++
++int pfixtls_timed_write(int fd, void *buf, unsigned len, int timeout,
++ void *context)
++{
++ int i;
++ char mybuf[40];
++ char *mybuf2;
++ TLScontext_t *TLScontext;
++
++ TLScontext = (TLScontext_t *)context;
++ if (!TLScontext)
++ msg_fatal("Called tls_timed_write() without TLS-context");
++
++ if ((pfixtls_serveractive && var_smtpd_tls_loglevel >= 4) ||
++ (pfixtls_clientactive && var_smtp_tls_loglevel >= 4)) {
++ mybuf2 = (char *) buf;
++ if (len > 0) {
++ i = 0;
++ while ((i < 39) && (i < len) && (mybuf2[i] != 0)) {
++ mybuf[i] = mybuf2[i];
++ i++;
++ }
++ mybuf[i] = '\0';
++ msg_info("Write %d chars: %s", len, mybuf);
++ }
++ }
++ return (do_tls_operation(fd, timeout, TLScontext, NULL, NULL, SSL_write,
++ buf, len));
++}
++
++/* Add some more entropy to the pool by adding the actual time */
++
++static void pfixtls_stir_seed(void)
++{
++ GETTIMEOFDAY(&randseed.tv);
++ RAND_seed(&randseed, sizeof(randseed_t));
++}
++
++/*
++ * Skeleton taken from OpenSSL crypto/err/err_prn.c.
++ * Query the error stack and print the error string into the logging facility.
++ * Clear the error stack on the way.
++ */
++
++static void pfixtls_print_errors(void)
++{
++ unsigned long l;
++ char buf[256];
++ const char *file;
++ const char *data;
++ int line;
++ int flags;
++ unsigned long es;
++
++ es = CRYPTO_thread_id();
++ while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
++ if (flags & ERR_TXT_STRING)
++ msg_info("%lu:%s:%s:%d:%s:", es, ERR_error_string(l, buf),
++ file, line, data);
++ else
++ msg_info("%lu:%s:%s:%d:", es, ERR_error_string(l, buf),
++ file, line);
++ }
++}
++
++ /*
++ * Set up the cert things on the server side. We do need both the
++ * private key (in key_file) and the cert (in cert_file).
++ * Both files may be identical.
++ *
++ * This function is taken from OpenSSL apps/s_cb.c
++ */
++
++static int set_cert_stuff(SSL_CTX * ctx, char *cert_file, char *key_file)
++{
++ if (cert_file != NULL) {
++ if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
++ msg_info("unable to get certificate from '%s'", cert_file);
++ pfixtls_print_errors();
++ return (0);
++ }
++ if (key_file == NULL)
++ key_file = cert_file;
++ if (SSL_CTX_use_PrivateKey_file(ctx, key_file,
++ SSL_FILETYPE_PEM) <= 0) {
++ msg_info("unable to get private key from '%s'", key_file);
++ pfixtls_print_errors();
++ return (0);
++ }
++ /* Now we know that a key and cert have been set against
++ * the SSL context */
++ if (!SSL_CTX_check_private_key(ctx)) {
++ msg_info("Private key does not match the certificate public key");
++ return (0);
++ }
++ }
++ return (1);
++}
++
++/* taken from OpenSSL apps/s_cb.c */
++
++static RSA *tmp_rsa_cb(SSL * s, int export, int keylength)
++{
++ static RSA *rsa_tmp = NULL;
++
++ if (rsa_tmp == NULL) {
++ rsa_tmp = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
++ }
++ return (rsa_tmp);
++}
++
++
++static DH *get_dh512(void)
++{
++ DH *dh;
++
++ if (dh_512 == NULL) {
++ /* No parameter file loaded, use the compiled in parameters */
++ if ((dh = DH_new()) == NULL) return(NULL);
++ dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
++ dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
++ if ((dh->p == NULL) || (dh->g == NULL))
++ return(NULL);
++ else
++ dh_512 = dh;
++ }
++ return (dh_512);
++}
++
++static DH *get_dh1024(void)
++{
++ DH *dh;
++
++ if (dh_1024 == NULL) {
++ /* No parameter file loaded, use the compiled in parameters */
++ if ((dh = DH_new()) == NULL) return(NULL);
++ dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
++ dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
++ if ((dh->p == NULL) || (dh->g == NULL))
++ return(NULL);
++ else
++ dh_1024 = dh;
++ }
++ return (dh_1024);
++}
++
++/* partly inspired by mod_ssl */
++
++static DH *tmp_dh_cb(SSL *s, int export, int keylength)
++{
++ DH *dh_tmp = NULL;
++
++ if (export) {
++ if (keylength == 512)
++ dh_tmp = get_dh512(); /* export cipher */
++ else if (keylength == 1024)
++ dh_tmp = get_dh1024(); /* normal */
++ else
++ dh_tmp = get_dh1024(); /* not on-the-fly (too expensive) */
++ /* so use the 1024bit instead */
++ }
++ else {
++ dh_tmp = get_dh1024(); /* sign-only certificate */
++ }
++ return (dh_tmp);
++}
++
++
++/*
++ * match_hostname: match name provided in "buf" against the expected
++ * hostname. Comparison is case-insensitive, wildcard certificates are
++ * supported.
++ * "buf" may be come from some OpenSSL data structures, so we copy before
++ * modifying.
++ */
++static int match_hostname(const char *buf, TLScontext_t *TLScontext)
++{
++ char *hostname_lowercase;
++ char *peername_left;
++ int hostname_matched = 0;
++ int buf_len;
++
++ buf_len = strlen(buf);
++ if (!(hostname_lowercase = (char *)mymalloc(buf_len + 1)))
++ return 0;
++ memcpy(hostname_lowercase, buf, buf_len + 1);
++
++ hostname_lowercase = lowercase(hostname_lowercase);
++ if (!strcmp(TLScontext->peername_save, hostname_lowercase)) {
++ hostname_matched = 1;
++ } else {
++ if ((buf_len > 2) &&
++ (hostname_lowercase[0] == '*') && (hostname_lowercase[1] == '.')) {
++ /*
++ * Allow wildcard certificate matching. The proposed rules in
++ * RFCs (2818: HTTP/TLS, 2830: LDAP/TLS) are different, RFC2874
++ * does not specify a rule, so here the strict rule is applied.
++ * An asterisk '*' is allowed as the leftmost component and may
++ * replace the left most part of the hostname. Matching is done
++ * by removing '*.' from the wildcard name and the Name. from
++ * the peername and compare what is left.
++ */
++ peername_left = strchr(TLScontext->peername_save, '.');
++ if (peername_left) {
++ if (!strcmp(peername_left + 1, hostname_lowercase + 2))
++ hostname_matched = 1;
++ }
++ }
++ }
++ myfree(hostname_lowercase);
++ return hostname_matched;
++}
++
++/*
++ * Skeleton taken from OpenSSL apps/s_cb.c
++ *
++ * The verify_callback is called several times (directly or indirectly) from
++ * crypto/x509/x509_vfy.c. It is called as a last check for several issues,
++ * so this verify_callback() has the famous "last word". If it does return "0",
++ * the handshake is immediately shut down and the connection fails.
++ *
++ * Postfix/TLS has two modes, the "use" mode and the "enforce" mode:
++ *
++ * In the "use" mode we never want the connection to fail just because there is
++ * something wrong with the certificate (as we would have sent happily without
++ * TLS). Therefore the return value is always "1".
++ *
++ * In the "enforce" mode we can shut down the connection as soon as possible.
++ * In server mode TLS itself may be enforced (e.g. to protect passwords),
++ * but certificates are optional. In this case the handshake must not fail
++ * if we are unhappy with the certificate and return "1" in any case.
++ * Only if a certificate is required the certificate must pass the verification
++ * and failure to do so will result in immediate termination (return 0).
++ * In the client mode the decision is made with respect to the peername
++ * enforcement. If we strictly enforce the matching of the expected peername
++ * the verification must fail immediatly on verification errors. We can also
++ * immediatly check the expected peername, as it is the CommonName at level 0.
++ * In all other cases, the problem is logged, so the SSL_get_verify_result()
++ * will inform about the verification failure, but the handshake (and SMTP
++ * connection will continue).
++ *
++ * The only error condition not handled inside the OpenSSL-Library is the
++ * case of a too-long certificate chain, so we check inside verify_callback().
++ * We only take care of this problem, if "ok = 1", because otherwise the
++ * verification already failed because of another problem and we don't want
++ * to overwrite the other error message. And if the verification failed,
++ * there is no such thing as "more failed", "most failed"... :-)
++ */
++
++static int verify_callback(int ok, X509_STORE_CTX * ctx)
++{
++ char buf[256];
++ char *peername_left;
++ X509 *err_cert;
++ int err;
++ int depth;
++ int verify_depth;
++ SSL *con;
++ TLScontext_t *TLScontext;
++
++ err_cert = X509_STORE_CTX_get_current_cert(ctx);
++ err = X509_STORE_CTX_get_error(ctx);
++ depth = X509_STORE_CTX_get_error_depth(ctx);
++
++ con = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
++ TLScontext = SSL_get_ex_data(con, TLScontext_index);
++
++ X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
++ if (((pfixtls_serverengine) && (var_smtpd_tls_loglevel >= 2)) ||
++ ((pfixtls_clientengine) && (var_smtp_tls_loglevel >= 2)))
++ msg_info("Peer cert verify depth=%d %s", depth, buf);
++
++ verify_depth = SSL_get_verify_depth(con);
++ if (ok && (verify_depth >= 0) && (depth > verify_depth)) {
++ ok = 0;
++ err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
++ X509_STORE_CTX_set_error(ctx, err);
++ }
++ if (!ok) {
++ msg_info("verify error:num=%d:%s", err,
++ X509_verify_cert_error_string(err));
++ }
++
++ if (ok && (depth == 0) && pfixtls_clientengine) {
++ int i, r;
++ int hostname_matched;
++ int dNSName_found;
++ STACK_OF(GENERAL_NAME) *gens;
++
++ /*
++ * Check out the name certified against the hostname expected.
++ * In case it does not match, print an information about the result.
++ * If a matching is enforced, bump out with a verification error
++ * immediately.
++ * Standards are not always clear with respect to the handling of
++ * dNSNames. RFC3207 does not specify the handling. We therefore follow
++ * the strict rules in RFC2818 (HTTP over TLS), Section 3.1:
++ * The Subject Alternative Name/dNSName has precedence over CommonName
++ * (CN). If dNSName entries are provided, CN is not checked anymore.
++ */
++ hostname_matched = dNSName_found = 0;
++
++ gens = X509_get_ext_d2i(err_cert, NID_subject_alt_name, 0, 0);
++ if (gens) {
++ for (i = 0, r = sk_GENERAL_NAME_num(gens); i < r; ++i) {
++ const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
++ if (gn->type == GEN_DNS) {
++ dNSName_found++;
++ if ((hostname_matched =
++ match_hostname((char *)gn->d.ia5->data, TLScontext)))
++ break;
++ }
++ }
++ sk_GENERAL_NAME_free(gens);
++ }
++ if (dNSName_found) {
++ if (!hostname_matched)
++ msg_info("Peer verification: %d dNSNames in certificate found, but no one does match %s", dNSName_found, TLScontext->peername_save);
++ } else {
++ buf[0] = '\0';
++ if (!X509_NAME_get_text_by_NID(X509_get_subject_name(err_cert),
++ NID_commonName, buf, 256)) {
++ msg_info("Could not parse server's subject CN");
++ pfixtls_print_errors();
++ }
++ else {
++ hostname_matched = match_hostname(buf, TLScontext);
++ if (!hostname_matched)
++ msg_info("Peer verification: CommonName in certificate does not match: %s != %s", buf, TLScontext->peername_save);
++ }
++ }
++
++ if (!hostname_matched) {
++ if (TLScontext->enforce_verify_errors && TLScontext->enforce_CN) {
++ err = X509_V_ERR_CERT_REJECTED;
++ X509_STORE_CTX_set_error(ctx, err);
++ msg_info("Verify failure: Hostname mismatch");
++ ok = 0;
++ }
++ }
++ else
++ TLScontext->hostname_matched = 1;
++ }
++
++ switch (ctx->error) {
++ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
++ X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
++ msg_info("issuer= %s", buf);
++ break;
++ case X509_V_ERR_CERT_NOT_YET_VALID:
++ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
++ msg_info("cert not yet valid");
++ break;
++ case X509_V_ERR_CERT_HAS_EXPIRED:
++ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
++ msg_info("cert has expired");
++ break;
++ }
++ if (((pfixtls_serverengine) && (var_smtpd_tls_loglevel >= 2)) ||
++ ((pfixtls_clientengine) && (var_smtp_tls_loglevel >= 2)))
++ msg_info("verify return:%d", ok);
++
++ if (TLScontext->enforce_verify_errors)
++ return (ok);
++ else
++ return (1);
++}
++
++/* taken from OpenSSL apps/s_cb.c */
++
++static void apps_ssl_info_callback(const SSL * s, int where, int ret)
++{
++ char *str;
++ int w;
++
++ w = where & ~SSL_ST_MASK;
++
++ if (w & SSL_ST_CONNECT)
++ str = "SSL_connect";
++ else if (w & SSL_ST_ACCEPT)
++ str = "SSL_accept";
++ else
++ str = "undefined";
++
++ if (where & SSL_CB_LOOP) {
++ msg_info("%s:%s", str, SSL_state_string_long(s));
++ } else if (where & SSL_CB_ALERT) {
++ str = (where & SSL_CB_READ) ? "read" : "write";
++ if ((ret & 0xff) != SSL3_AD_CLOSE_NOTIFY)
++ msg_info("SSL3 alert %s:%s:%s", str,
++ SSL_alert_type_string_long(ret),
++ SSL_alert_desc_string_long(ret));
++ } else if (where & SSL_CB_EXIT) {
++ if (ret == 0)
++ msg_info("%s:failed in %s",
++ str, SSL_state_string_long(s));
++ else if (ret < 0) {
++ msg_info("%s:error in %s",
++ str, SSL_state_string_long(s));
++ }
++ }
++}
++
++/*
++ * taken from OpenSSL crypto/bio/b_dump.c, modified to save a lot of strcpy
++ * and strcat by Matti Aarnio.
++ */
++
++#define TRUNCATE
++#define DUMP_WIDTH 16
++
++static int pfixtls_dump(const char *s, int len)
++{
++ int ret = 0;
++ char buf[160 + 1];
++ char *ss;
++ int i;
++ int j;
++ int rows;
++ int trunc;
++ unsigned char ch;
++
++ trunc = 0;
++
++#ifdef TRUNCATE
++ for (; (len > 0) && ((s[len - 1] == ' ') || (s[len - 1] == '\0')); len--)
++ trunc++;
++#endif
++
++ rows = (len / DUMP_WIDTH);
++ if ((rows * DUMP_WIDTH) < len)
++ rows++;
++
++ for (i = 0; i < rows; i++) {
++ buf[0] = '\0'; /* start with empty string */
++ ss = buf;
++
++ sprintf(ss, "%04x ", i * DUMP_WIDTH);
++ ss += strlen(ss);
++ for (j = 0; j < DUMP_WIDTH; j++) {
++ if (((i * DUMP_WIDTH) + j) >= len) {
++ strcpy(ss, " ");
++ } else {
++ ch = ((unsigned char) *((char *) (s) + i * DUMP_WIDTH + j))
++ & 0xff;
++ sprintf(ss, "%02x%c", ch, j == 7 ? '|' : ' ');
++ ss += 3;
++ }
++ }
++ ss += strlen(ss);
++ *ss++ = ' ';
++ for (j = 0; j < DUMP_WIDTH; j++) {
++ if (((i * DUMP_WIDTH) + j) >= len)
++ break;
++ ch = ((unsigned char) *((char *) (s) + i * DUMP_WIDTH + j)) & 0xff;
++ *ss++ = (((ch >= ' ') && (ch <= '~')) ? ch : '.');
++ if (j == 7) *ss++ = ' ';
++ }
++ *ss = 0;
++ /*
++ * if this is the last call then update the ddt_dump thing so that
++ * we will move the selection point in the debug window
++ */
++ msg_info("%s", buf);
++ ret += strlen(buf);
++ }
++#ifdef TRUNCATE
++ if (trunc > 0) {
++ sprintf(buf, "%04x - <SPACES/NULS>\n", len + trunc);
++ msg_info("%s", buf);
++ ret += strlen(buf);
++ }
++#endif
++ return (ret);
++}
++
++
++
++/* taken from OpenSSL apps/s_cb.c */
++
++static long bio_dump_cb(BIO * bio, int cmd, const char *argp, int argi,
++ long argl, long ret)
++{
++ if (!do_dump)
++ return (ret);
++
++ if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
++ msg_info("read from %08lX [%08lX] (%d bytes => %ld (0x%lX))",
++ (unsigned long)bio, (unsigned long)argp, argi,
++ ret, (unsigned long)ret);
++ pfixtls_dump(argp, (int) ret);
++ return (ret);
++ } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
++ msg_info("write to %08lX [%08lX] (%d bytes => %ld (0x%lX))",
++ (unsigned long)bio, (unsigned long)argp, argi,
++ ret, (unsigned long)ret);
++ pfixtls_dump(argp, (int) ret);
++ }
++ return (ret);
++}
++
++
++ /*
++ * Callback to retrieve a session from the external session cache.
++ */
++static SSL_SESSION *get_session_cb(SSL *ssl, unsigned char *SessionID,
++ int length, int *copy)
++{
++ SSL_SESSION *session;
++ char idstring[2 * ID_MAXLENGTH + 1];
++ int n;
++ int uselength;
++ int hex_length;
++ const char *session_hex;
++ pfixtls_scache_info_t scache_info;
++ unsigned char nibble, *data, *sess_data;
++
++ if (length > ID_MAXLENGTH)
++ uselength = ID_MAXLENGTH; /* Limit length of ID */
++ else
++ uselength = length;
++
++ for(n=0 ; n < uselength ; n++)
++ sprintf(idstring + 2 * n, "%02x", SessionID[n]);
++ if (var_smtpd_tls_loglevel >= 3)
++ msg_info("Trying to reload Session from disc: %s", idstring);
++
++ session = NULL;
++
++ session_hex = dict_get(scache_db, idstring);
++ if (session_hex) {
++ hex_length = strlen(session_hex);
++ data = (unsigned char *)mymalloc(hex_length / 2);
++ if (!data) {
++ msg_info("could not allocate memory for session reload");
++ return(NULL);
++ }
++
++ memset(data, 0, hex_length / 2);
++ for (n = 0; n < hex_length; n++) {
++ if ((session_hex[n] >= '0') && (session_hex[n] <= '9'))
++ nibble = session_hex[n] - '0';
++ else
++ nibble = session_hex[n] - 'A' + 10;
++ if (n % 2)
++ data[n / 2] |= nibble;
++ else
++ data[n / 2] |= (nibble << 4);
++ }
++
++ /*
++ * First check the version numbers, since wrong session data might
++ * hit us hard (SEGFAULT). We also have to check for expiry.
++ */
++ memcpy(&scache_info, data, sizeof(pfixtls_scache_info_t));
++ if ((scache_info.scache_db_version != scache_db_version) ||
++ (scache_info.openssl_version != openssl_version) ||
++ (scache_info.timestamp + var_smtpd_tls_scache_timeout < time(NULL)))
++ dict_del(scache_db, idstring);
++ else {
++ sess_data = data + sizeof(pfixtls_scache_info_t);
++ session = d2i_SSL_SESSION(NULL, &sess_data,
++ hex_length / 2 - sizeof(pfixtls_scache_info_t));
++ if (!session)
++ pfixtls_print_errors();
++ }
++ myfree((char *)data);
++ }
++
++ if (session && (var_smtpd_tls_loglevel >= 3))
++ msg_info("Successfully reloaded session from disc");
++
++ return (session);
++}
++
++
++static SSL_SESSION *load_clnt_session(const char *hostname,
++ int enforce_peername)
++{
++ SSL_SESSION *session = NULL;
++ char idstring[ID_MAXLENGTH + 1];
++ int n;
++ int uselength;
++ int length;
++ int hex_length;
++ const char *session_hex;
++ pfixtls_scache_info_t scache_info;
++ unsigned char nibble, *data, *sess_data;
++
++ length = strlen(hostname);
++ if (length > ID_MAXLENGTH)
++ uselength = ID_MAXLENGTH; /* Limit length of ID */
++ else
++ uselength = length;
++
++ for(n=0 ; n < uselength ; n++)
++ idstring[n] = tolower(hostname[n]);
++ idstring[uselength] = '\0';
++ if (var_smtp_tls_loglevel >= 3)
++ msg_info("Trying to reload Session from disc: %s", idstring);
++
++ session_hex = dict_get(scache_db, idstring);
++ if (session_hex) {
++ hex_length = strlen(session_hex);
++ data = (unsigned char *)mymalloc(hex_length / 2);
++ if (!data) {
++ msg_info("could not allocate memory for session reload");
++ return(NULL);
++ }
++
++ memset(data, 0, hex_length / 2);
++ for (n = 0; n < hex_length; n++) {
++ if ((session_hex[n] >= '0') && (session_hex[n] <= '9'))
++ nibble = session_hex[n] - '0';
++ else
++ nibble = session_hex[n] - 'A' + 10;
++ if (n % 2)
++ data[n / 2] |= nibble;
++ else
++ data[n / 2] |= (nibble << 4);
++ }
++
++ /*
++ * First check the version numbers, since wrong session data might
++ * hit us hard (SEGFAULT). We also have to check for expiry.
++ * When we enforce_peername, we may find an old session, that was
++ * saved when enforcement was not set. In this case the session will
++ * be removed and a fresh session will be negotiated.
++ */
++ memcpy(&scache_info, data, sizeof(pfixtls_scache_info_t));
++ if ((scache_info.scache_db_version != scache_db_version) ||
++ (scache_info.openssl_version != openssl_version) ||
++ (scache_info.timestamp + var_smtpd_tls_scache_timeout < time(NULL)))
++ dict_del(scache_db, idstring);
++ else if (enforce_peername && (!scache_info.enforce_peername))
++ dict_del(scache_db, idstring);
++ else {
++ sess_data = data + sizeof(pfixtls_scache_info_t);
++ session = d2i_SSL_SESSION(NULL, &sess_data,
++ hex_length / 2 - sizeof(time_t));
++ strncpy(SSL_SESSION_get_ex_data(session, TLSpeername_index),
++ idstring, ID_MAXLENGTH + 1);
++ if (!session)
++ pfixtls_print_errors();
++ }
++ myfree((char *)data);
++ }
++
++ if (session && (var_smtp_tls_loglevel >= 3))
++ msg_info("Successfully reloaded session from disc");
++
++ return (session);
++}
++
++
++static void create_client_lookup_id(char *idstring, char *hostname)
++{
++ int n, len, uselength;
++
++ len = strlen(hostname);
++ if (len > ID_MAXLENGTH)
++ uselength = ID_MAXLENGTH; /* Limit length of ID */
++ else
++ uselength = len;
++
++ for (n = 0 ; n < uselength ; n++)
++ idstring[n] = tolower(hostname[n]);
++ idstring[uselength] = '\0';
++}
++
++
++static void create_server_lookup_id(char *idstring, SSL_SESSION *session)
++{
++ int n, uselength;
++
++ if (session->session_id_length > ID_MAXLENGTH)
++ uselength = ID_MAXLENGTH; /* Limit length of ID */
++ else
++ uselength = session->session_id_length;
++
++ for(n = 0; n < uselength ; n++)
++ sprintf(idstring + 2 * n, "%02x", session->session_id[n]);
++}
++
++
++static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *session)
++{
++ char idstring[2 * ID_MAXLENGTH + 1];
++ char *hostname;
++
++ if (pfixtls_clientengine) {
++ hostname = SSL_SESSION_get_ex_data(session, TLSpeername_index);
++ create_client_lookup_id(idstring, hostname);
++ if (var_smtp_tls_loglevel >= 3)
++ msg_info("Trying to remove session from disc: %s", idstring);
++ }
++ else {
++ create_server_lookup_id(idstring, session);
++ if (var_smtpd_tls_loglevel >= 3)
++ msg_info("Trying to remove session from disc: %s", idstring);
++ }
++
++ if (scache_db)
++ dict_del(scache_db, idstring);
++}
++
++
++/*
++ * We need space to save the peername into the SSL_SESSION, as we must
++ * look up the external database for client sessions by peername, not
++ * by session id. We therefore allocate place for the peername string,
++ * when a new SSL_SESSION is generated. It is filled later.
++ */
++static int new_peername_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
++ int idx, long argl, void *argp)
++{
++ char *peername;
++
++ peername = (char *)mymalloc(ID_MAXLENGTH + 1);
++ if (!peername)
++ return 0;
++ peername[0] = '\0'; /* initialize */
++ return CRYPTO_set_ex_data(ad, idx, peername);
++}
++
++/*
++ * When the SSL_SESSION is removed again, we must free the memory to avoid
++ * leaks.
++ */
++static void free_peername_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
++ int idx, long argl, void *argp)
++{
++ myfree(CRYPTO_get_ex_data(ad, idx));
++}
++
++/*
++ * Duplicate application data, when a SSL_SESSION is duplicated
++ */
++static int dup_peername_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from,
++ void *from_d, int idx, long argl, void *argp)
++{
++ char *peername_old, *peername_new;
++
++ peername_old = CRYPTO_get_ex_data(from, idx);
++ peername_new = CRYPTO_get_ex_data(to, idx);
++ if (!peername_old || !peername_new)
++ return 0;
++ memcpy(peername_new, peername_old, ID_MAXLENGTH + 1);
++ return 1;
++}
++
++
++ /*
++ * Save a new session to the external cache
++ */
++static int new_session_cb(SSL *ssl, SSL_SESSION *session)
++{
++ char idstring[2 * ID_MAXLENGTH + 1];
++ int n;
++ int dsize;
++ int len;
++ unsigned char *data, *sess_data;
++ pfixtls_scache_info_t scache_info;
++ char *hexdata, *hostname;
++ TLScontext_t *TLScontext;
++
++ if (pfixtls_clientengine) {
++ TLScontext = SSL_get_ex_data(ssl, TLScontext_index);
++ hostname = TLScontext->peername_save;
++ create_client_lookup_id(idstring, hostname);
++ strncpy(SSL_SESSION_get_ex_data(session, TLSpeername_index),
++ hostname, ID_MAXLENGTH + 1);
++ /*
++ * Remember, whether peername matching was enforced when the session
++ * was created. If later enforce mode is enabled, we do not want to
++ * reuse a session that was not sufficiently checked.
++ */
++ scache_info.enforce_peername =
++ (TLScontext->enforce_verify_errors && TLScontext->enforce_CN);
++
++ if (var_smtp_tls_loglevel >= 3)
++ msg_info("Trying to save session for hostID to disc: %s", idstring);
++
++#if (OPENSSL_VERSION_NUMBER < 0x00906011L) || (OPENSSL_VERSION_NUMBER == 0x00907000L)
++ /*
++ * Ugly Hack: OpenSSL before 0.9.6a does not store the verify
++ * result in sessions for the client side.
++ * We modify the session directly which is version specific,
++ * but this bug is version specific, too.
++ *
++ * READ: 0-09-06-01-1 = 0-9-6-a-beta1: all versions before
++ * beta1 have this bug, it has been fixed during development
++ * of 0.9.6a. The development version of 0.9.7 can have this
++ * bug, too. It has been fixed on 2000/11/29.
++ */
++ session->verify_result = SSL_get_verify_result(TLScontext->con);
++#endif
++
++ }
++ else {
++ create_server_lookup_id(idstring, session);
++ if (var_smtpd_tls_loglevel >= 3)
++ msg_info("Trying to save Session to disc: %s", idstring);
++ }
++
++
++ /*
++ * Get the session and convert it into some "database" useable form.
++ * First, get the length of the session to allocate the memory.
++ */
++ dsize = i2d_SSL_SESSION(session, NULL);
++ if (dsize < 0) {
++ msg_info("Could not access session");
++ return 0;
++ }
++ data = (unsigned char *)mymalloc(dsize + sizeof(pfixtls_scache_info_t));
++ if (!data) {
++ msg_info("could not allocate memory for SSL session");
++ return 0;
++ }
++
++ /*
++ * OpenSSL is not robust against wrong session data (might SEGFAULT),
++ * so we secure it against version ids (session cache structure as well
++ * as OpenSSL version).
++ */
++ scache_info.scache_db_version = scache_db_version;
++ scache_info.openssl_version = openssl_version;
++
++ /*
++ * Put a timestamp, so that expiration can be checked without
++ * analyzing the session data itself. (We would need OpenSSL funtions,
++ * since the SSL_SESSION is a private structure.)
++ */
++ scache_info.timestamp = time(NULL);
++
++ memcpy(data, &scache_info, sizeof(pfixtls_scache_info_t));
++ sess_data = data + sizeof(pfixtls_scache_info_t);
++
++ /*
++ * Now, obtain the session. Unfortunately, it is binary and dict_update
++ * cannot handle binary data (it could contain '\0' in it) directly.
++ * To save memory we could use base64 encoding. To make handling easier,
++ * we simply use hex format.
++ */
++ len = i2d_SSL_SESSION(session, &sess_data);
++ len += sizeof(pfixtls_scache_info_t);
++
++ hexdata = (char *)mymalloc(2 * len + 1);
++
++ if (!hexdata) {
++ msg_info("could not allocate memory for SSL session (HEX)");
++ myfree((char *)data);
++ return 0;
++ }
++ for (n = 0; n < len; n++) {
++ hexdata[n * 2] = hexcodes[(data[n] & 0xf0) >> 4];
++ hexdata[(n * 2) + 1] = hexcodes[(data[n] & 0x0f)];
++ }
++ hexdata[len * 2] = '\0';
++
++ /*
++ * The session id is a hex string, all uppercase. We are using SDBM as
++ * compiled into Postfix with 8kB maximum entry size, so we set a limit
++ * when caching. If the session is not cached, we have to renegotiate,
++ * not more, not less. For a real session, this limit should never be
++ * met
++ */
++ if (strlen(idstring) + strlen(hexdata) < 8000)
++ dict_put(scache_db, idstring, hexdata);
++
++ myfree(hexdata);
++ myfree((char *)data);
++ return (1);
++}
++
++
++ /*
++ * pfixtls_exchange_seed: read bytes from the seed exchange-file (expect
++ * 1024 bytes)and immediately write back random bytes. Do so with EXCLUSIVE
++ * lock, so * that each process will find a completely different (and
++ * reseeded) file.
++ */
++static void pfixtls_exchange_seed(void)
++{
++ unsigned char buffer[1024];
++
++ if (rand_exch_fd == -1)
++ return;
++
++ if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) != 0)
++ msg_info("Could not lock random exchange file: %s",
++ strerror(errno));
++
++ lseek(rand_exch_fd, 0, SEEK_SET);
++ if (read(rand_exch_fd, buffer, 1024) < 0)
++ msg_fatal("reading exchange file failed");
++ RAND_seed(buffer, 1024);
++
++ RAND_bytes(buffer, 1024);
++ lseek(rand_exch_fd, 0, SEEK_SET);
++ if (write(rand_exch_fd, buffer, 1024) != 1024)
++ msg_fatal("Writing exchange file failed");
++
++ if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) != 0)
++ msg_fatal("Could not unlock random exchange file: %s",
++ strerror(errno));
++}
++
++ /*
++ * This is the setup routine for the SSL server. As smtpd might be called
++ * more than once, we only want to do the initialization one time.
++ *
++ * The skeleton of this function is taken from OpenSSL apps/s_server.c.
++ */
++
++int pfixtls_init_serverengine(int verifydepth, int askcert)
++{
++ int off = 0;
++ int verify_flags = SSL_VERIFY_NONE;
++ int rand_bytes;
++ int rand_source_dev_fd;
++ int rand_source_socket_fd;
++ unsigned char buffer[255];
++ char *CApath;
++ char *CAfile;
++ char *s_cert_file;
++ char *s_key_file;
++ char *s_dcert_file;
++ char *s_dkey_file;
++ FILE *paramfile;
++
++ if (pfixtls_serverengine)
++ return (0); /* already running */
++
++ if (var_smtpd_tls_loglevel >= 2)
++ msg_info("starting TLS engine");
++
++ /*
++ * Initialize the OpenSSL library by the book!
++ * To start with, we must initialize the algorithms.
++ * We want cleartext error messages instead of just error codes, so we
++ * load the error_strings.
++ */
++ SSL_load_error_strings();
++ OpenSSL_add_ssl_algorithms();
++
++ /*
++ * Side effect, call a non-existing function to disable TLS usage with an
++ * outdated OpenSSL version. There is a security reason (verify_result
++ * is not stored with the session data).
++ */
++#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
++ needs_openssl_095_or_later();
++#endif
++
++ /*
++ * Initialize the PRNG Pseudo Random Number Generator with some seed.
++ */
++ randseed.pid = getpid();
++ GETTIMEOFDAY(&randseed.tv);
++ RAND_seed(&randseed, sizeof(randseed_t));
++
++ /*
++ * Access the external sources for random seed. We will only query them
++ * once, this should be sufficient and we will stir our entropy by using
++ * the prng-exchange file anyway.
++ * For reliability, we don't consider failure to access the additional
++ * source fatal, as we can run happily without it (considering that we
++ * still have the exchange-file). We also don't care how much entropy
++ * we get back, as we must run anyway. We simply stir in the buffer
++ * regardless how many bytes are actually in it.
++ */
++ if (*var_tls_daemon_rand_source) {
++ if (!strncmp(var_tls_daemon_rand_source, "dev:", 4)) {
++ /*
++ * Source is a random device
++ */
++ rand_source_dev_fd = open(var_tls_daemon_rand_source + 4, 0, 0);
++ if (rand_source_dev_fd == -1)
++ msg_info("Could not open entropy device %s",
++ var_tls_daemon_rand_source);
++ else {
++ if (var_tls_daemon_rand_bytes > 255)
++ var_tls_daemon_rand_bytes = 255;
++ read(rand_source_dev_fd, buffer, var_tls_daemon_rand_bytes);
++ RAND_seed(buffer, var_tls_daemon_rand_bytes);
++ close(rand_source_dev_fd);
++ }
++ } else if (!strncmp(var_tls_daemon_rand_source, "egd:", 4)) {
++ /*
++ * Source is a EGD compatible socket
++ */
++ rand_source_socket_fd = unix_connect(var_tls_daemon_rand_source +4,
++ BLOCKING, 10);
++ if (rand_source_socket_fd == -1)
++ msg_info("Could not connect to %s", var_tls_daemon_rand_source);
++ else {
++ if (var_tls_daemon_rand_bytes > 255)
++ var_tls_daemon_rand_bytes = 255;
++ buffer[0] = 1;
++ buffer[1] = var_tls_daemon_rand_bytes;
++ if (write(rand_source_socket_fd, buffer, 2) != 2)
++ msg_info("Could not talk to %s",
++ var_tls_daemon_rand_source);
++ else if (read(rand_source_socket_fd, buffer, 1) != 1)
++ msg_info("Could not read info from %s",
++ var_tls_daemon_rand_source);
++ else {
++ rand_bytes = buffer[0];
++ read(rand_source_socket_fd, buffer, rand_bytes);
++ RAND_seed(buffer, rand_bytes);
++ }
++ close(rand_source_socket_fd);
++ }
++ } else {
++ RAND_load_file(var_tls_daemon_rand_source,
++ var_tls_daemon_rand_bytes);
++ }
++ }
++
++ if (*var_tls_rand_exch_name) {
++ rand_exch_fd = open(var_tls_rand_exch_name, O_RDWR | O_CREAT, 0600);
++ if (rand_exch_fd != -1)
++ pfixtls_exchange_seed();
++ }
++
++ randseed.pid = getpid();
++ GETTIMEOFDAY(&randseed.tv);
++ RAND_seed(&randseed, sizeof(randseed_t));
++
++ /*
++ * The SSL/TLS speficications require the client to send a message in
++ * the oldest specification it understands with the highest level it
++ * understands in the message.
++ * Netscape communicator can still communicate with SSLv2 servers, so it
++ * sends out a SSLv2 client hello. To deal with it, our server must be
++ * SSLv2 aware (even if we don't like SSLv2), so we need to have the
++ * SSLv23 server here. If we want to limit the protocol level, we can
++ * add an option to not use SSLv2/v3/TLSv1 later.
++ */
++ ctx = SSL_CTX_new(SSLv23_server_method());
++ if (ctx == NULL) {
++ pfixtls_print_errors();
++ return (-1);
++ };
++
++ /*
++ * Here we might set SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1.
++ * Of course, the last one would not make sense, since RFC2487 is only
++ * defined for TLS, but we also want to accept Netscape communicator
++ * requests, and it only supports SSLv3.
++ */
++ off |= SSL_OP_ALL; /* Work around all known bugs */
++ SSL_CTX_set_options(ctx, off);
++
++ /*
++ * Set the info_callback, that will print out messages during
++ * communication on demand.
++ */
++ if (var_smtpd_tls_loglevel >= 2)
++ SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
++
++ /*
++ * Set the list of ciphers, if explicitely given; otherwise the
++ * (reasonable) default list is kept.
++ */
++ if (strlen(var_smtpd_tls_cipherlist) != 0)
++ if (SSL_CTX_set_cipher_list(ctx, var_smtpd_tls_cipherlist) == 0) {
++ pfixtls_print_errors();
++ return (-1);
++ }
++
++ /*
++ * Now we must add the necessary certificate stuff: A server key, a
++ * server certificate, and the CA certificates for both the server
++ * cert and the verification of client certificates.
++ * As provided by OpenSSL we support two types of CA certificate handling:
++ * One possibility is to add all CA certificates to one large CAfile,
++ * the other possibility is a directory pointed to by CApath, containing
++ * seperate files for each CA pointed on by softlinks named by the hash
++ * values of the certificate.
++ * The first alternative has the advantage, that the file is opened and
++ * read at startup time, so that you don't have the hassle to maintain
++ * another copy of the CApath directory for chroot-jail. On the other
++ * hand, the file is not really readable.
++ */
++ if (strlen(var_smtpd_tls_CAfile) == 0)
++ CAfile = NULL;
++ else
++ CAfile = var_smtpd_tls_CAfile;
++ if (strlen(var_smtpd_tls_CApath) == 0)
++ CApath = NULL;
++ else
++ CApath = var_smtpd_tls_CApath;
++
++ if (CAfile || CApath) {
++ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
++ msg_info("TLS engine: cannot load CA data");
++ pfixtls_print_errors();
++ return (-1);
++ }
++ if (!SSL_CTX_set_default_verify_paths(ctx)) {
++ msg_info("TLS engine: cannot set verify paths");
++ pfixtls_print_errors();
++ return (-1);
++ }
++ }
++
++ /*
++ * Now we load the certificate and key from the files and check,
++ * whether the cert matches the key (internally done by set_cert_stuff().
++ * We cannot run without (we do not support ADH anonymous Diffie-Hellman
++ * ciphers as of now).
++ * We can use RSA certificates ("cert") and DSA certificates ("dcert"),
++ * both can be made available at the same time. The CA certificates for
++ * both are handled in the same setup already finished.
++ * Which one is used depends on the cipher negotiated (that is: the first
++ * cipher listed by the client which does match the server). A client with
++ * RSA only (e.g. Netscape) will use the RSA certificate only.
++ * A client with openssl-library will use RSA first if not especially
++ * changed in the cipher setup.
++ */
++ if (strlen(var_smtpd_tls_cert_file) == 0)
++ s_cert_file = NULL;
++ else
++ s_cert_file = var_smtpd_tls_cert_file;
++ if (strlen(var_smtpd_tls_key_file) == 0)
++ s_key_file = NULL;
++ else
++ s_key_file = var_smtpd_tls_key_file;
++
++ if (strlen(var_smtpd_tls_dcert_file) == 0)
++ s_dcert_file = NULL;
++ else
++ s_dcert_file = var_smtpd_tls_dcert_file;
++ if (strlen(var_smtpd_tls_dkey_file) == 0)
++ s_dkey_file = NULL;
++ else
++ s_dkey_file = var_smtpd_tls_dkey_file;
++
++ if (s_cert_file) {
++ if (!set_cert_stuff(ctx, s_cert_file, s_key_file)) {
++ msg_info("TLS engine: cannot load RSA cert/key data");
++ pfixtls_print_errors();
++ return (-1);
++ }
++ }
++ if (s_dcert_file) {
++ if (!set_cert_stuff(ctx, s_dcert_file, s_dkey_file)) {
++ msg_info("TLS engine: cannot load DSA cert/key data");
++ pfixtls_print_errors();
++ return (-1);
++ }
++ }
++ if (!s_cert_file && !s_dcert_file) {
++ msg_info("TLS engine: do need at least RSA _or_ DSA cert/key data");
++ return (-1);
++ }
++
++ /*
++ * Sometimes a temporary RSA key might be needed by the OpenSSL
++ * library. The OpenSSL doc indicates, that this might happen when
++ * export ciphers are in use. We have to provide one, so well, we
++ * just do it.
++ */
++ SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
++
++ /*
++ * We might also need dh parameters, which can either be loaded from
++ * file (preferred) or we simply take the compiled in values.
++ * First, set the callback that will select the values when requested,
++ * then load the (possibly) available DH parameters from files.
++ * We are generous with the error handling, since we do have default
++ * values compiled in, so we will not abort but just log the error message.
++ */
++ SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_cb);
++ if (strlen(var_smtpd_tls_dh1024_param_file) != 0) {
++ if ((paramfile = fopen(var_smtpd_tls_dh1024_param_file, "r")) != NULL) {
++ dh_1024 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
++ if (dh_1024 == NULL) {
++ msg_info("TLS engine: cannot load 1024bit DH parameters");
++ pfixtls_print_errors();
++ }
++ }
++ else {
++ msg_info("TLS engine: cannot load 1024bit DH parameters: %s: %s",
++ var_smtpd_tls_dh1024_param_file, strerror(errno));
++ }
++ }
++ if (strlen(var_smtpd_tls_dh512_param_file) != 0) {
++ if ((paramfile = fopen(var_smtpd_tls_dh512_param_file, "r")) != NULL) {
++ dh_512 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
++ if (dh_512 == NULL) {
++ msg_info("TLS engine: cannot load 512bit DH parameters");
++ pfixtls_print_errors();
++ }
++ }
++ else {
++ msg_info("TLS engine: cannot load 512bit DH parameters: %s: %s",
++ var_smtpd_tls_dh512_param_file, strerror(errno));
++ }
++ }
++
++ /*
++ * If we want to check client certificates, we have to indicate it
++ * in advance. By now we only allow to decide on a global basis.
++ * If we want to allow certificate based relaying, we must ask the
++ * client to provide one with SSL_VERIFY_PEER. The client now can
++ * decide, whether it provides one or not. We can enforce a failure
++ * of the negotiation with SSL_VERIFY_FAIL_IF_NO_PEER_CERT, if we
++ * do not allow a connection without one.
++ * In the "server hello" following the initialization by the "client hello"
++ * the server must provide a list of CAs it is willing to accept.
++ * Some clever clients will then select one from the list of available
++ * certificates matching these CAs. Netscape Communicator will present
++ * the list of certificates for selecting the one to be sent, or it will
++ * issue a warning, if there is no certificate matching the available
++ * CAs.
++ *
++ * With regard to the purpose of the certificate for relaying, we might
++ * like a later negotiation, maybe relaying would already be allowed
++ * for other reasons, but this would involve severe changes in the
++ * internal postfix logic, so we have to live with it the way it is.
++ */
++ if (askcert)
++ verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
++ SSL_CTX_set_verify(ctx, verify_flags, verify_callback);
++ SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
++
++ /*
++ * Initialize the session cache. We only want external caching to
++ * synchronize between server sessions, so we set it to a minimum value
++ * of 1. If the external cache is disabled, we won't cache at all.
++ * The recall of old sessions "get" and save to disk of just created
++ * sessions "new" is handled by the appropriate callback functions.
++ *
++ * We must not forget to set a session id context to identify to which
++ * kind of server process the session was related. In our case, the
++ * context is just the name of the patchkit: "Postfix/TLS".
++ */
++ SSL_CTX_sess_set_cache_size(ctx, 1);
++ SSL_CTX_set_timeout(ctx, var_smtpd_tls_scache_timeout);
++ SSL_CTX_set_session_id_context(ctx, (void*)&server_session_id_context,
++ sizeof(server_session_id_context));
++
++ /*
++ * The session cache is realized by an external database file, that
++ * must be opened before going to chroot jail. Since the session cache
++ * data can become quite large, "[n]dbm" cannot be used as it has a
++ * size limit that is by far to small.
++ */
++ if (*var_smtpd_tls_scache_db) {
++ /*
++ * Insert a test against other dbms here, otherwise while writing
++ * a session (content to large), we will receive a fatal error!
++ */
++ if (strncmp(var_smtpd_tls_scache_db, "sdbm:", 5))
++ msg_warn("Only sdbm: type allowed for %s",
++ var_smtpd_tls_scache_db);
++ else
++ scache_db = dict_open(var_smtpd_tls_scache_db, O_RDWR,
++ DICT_FLAG_DUP_REPLACE | DICT_FLAG_LOCK | DICT_FLAG_SYNC_UPDATE);
++ if (scache_db) {
++ SSL_CTX_set_session_cache_mode(ctx,
++ SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_AUTO_CLEAR);
++ SSL_CTX_sess_set_get_cb(ctx, get_session_cb);
++ SSL_CTX_sess_set_new_cb(ctx, new_session_cb);
++ SSL_CTX_sess_set_remove_cb(ctx, remove_session_cb);
++ }
++ else
++ msg_warn("Could not open session cache %s",
++ var_smtpd_tls_scache_db);
++ }
++
++ /*
++ * Finally create the global index to access TLScontext information
++ * inside verify_callback.
++ */
++ TLScontext_index = SSL_get_ex_new_index(0, "TLScontext ex_data index",
++ NULL, NULL, NULL);
++
++ pfixtls_serverengine = 1;
++ return (0);
++}
++
++ /*
++ * This is the actual startup routine for the connection. We expect
++ * that the buffers are flushed and the "220 Ready to start TLS" was
++ * send to the client, so that we can immediately can start the TLS
++ * handshake process.
++ */
++int pfixtls_start_servertls(VSTREAM *stream, int timeout,
++ const char *peername, const char *peeraddr,
++ tls_info_t *tls_info, int requirecert)
++{
++ int sts;
++ int j;
++ int verify_flags;
++ unsigned int n;
++ TLScontext_t *TLScontext;
++ SSL_SESSION *session;
++ SSL_CIPHER *cipher;
++ X509 *peer;
++
++ if (!pfixtls_serverengine) { /* should never happen */
++ msg_info("tls_engine not running");
++ return (-1);
++ }
++ if (var_smtpd_tls_loglevel >= 1)
++ msg_info("setting up TLS connection from %s[%s]", peername, peeraddr);
++
++ /*
++ * Allocate a new TLScontext for the new connection and get an SSL
++ * structure. Add the location of TLScontext to the SSL to later
++ * retrieve the information inside the verify_callback().
++ */
++ TLScontext = (TLScontext_t *)mymalloc(sizeof(TLScontext_t));
++ if (!TLScontext) {
++ msg_fatal("Could not allocate 'TLScontext' with mymalloc");
++ }
++ if ((TLScontext->con = (SSL *) SSL_new(ctx)) == NULL) {
++ msg_info("Could not allocate 'TLScontext->con' with SSL_new()");
++ pfixtls_print_errors();
++ myfree((char *)TLScontext);
++ return (-1);
++ }
++ if (!SSL_set_ex_data(TLScontext->con, TLScontext_index, TLScontext)) {
++ msg_info("Could not set application data for 'TLScontext->con'");
++ pfixtls_print_errors();
++ SSL_free(TLScontext->con);
++ myfree((char *)TLScontext);
++ return (-1);
++ }
++
++ /*
++ * Set the verification parameters to be checked in verify_callback().
++ */
++ if (requirecert) {
++ verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
++ verify_flags |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
++ TLScontext->enforce_verify_errors = 1;
++ SSL_set_verify(TLScontext->con, verify_flags, verify_callback);
++ }
++ else {
++ TLScontext->enforce_verify_errors = 0;
++ }
++ TLScontext->enforce_CN = 0;
++
++ /*
++ * The TLS connection is realized by a BIO_pair, so obtain the pair.
++ */
++ if (!BIO_new_bio_pair(&TLScontext->internal_bio, BIO_bufsiz,
++ &TLScontext->network_bio, BIO_bufsiz)) {
++ msg_info("Could not obtain BIO_pair");
++ pfixtls_print_errors();
++ SSL_free(TLScontext->con);
++ myfree((char *)TLScontext);
++ return (-1);
++ }
++
++ /*
++ * Before really starting anything, try to seed the PRNG a little bit
++ * more.
++ */
++ pfixtls_stir_seed();
++ pfixtls_exchange_seed();
++
++ /*
++ * Initialize the SSL connection to accept state. This should not be
++ * necessary anymore since 0.9.3, but the call is still in the library
++ * and maintaining compatibility never hurts.
++ */
++ SSL_set_accept_state(TLScontext->con);
++
++ /*
++ * Connect the SSL-connection with the postfix side of the BIO-pair for
++ * reading and writing.
++ */
++ SSL_set_bio(TLScontext->con, TLScontext->internal_bio,
++ TLScontext->internal_bio);
++
++ /*
++ * If the debug level selected is high enough, all of the data is
++ * dumped: 3 will dump the SSL negotiation, 4 will dump everything.
++ *
++ * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
++ * Well there is a BIO below the SSL routines that is automatically
++ * created for us, so we can use it for debugging purposes.
++ */
++ if (var_smtpd_tls_loglevel >= 3)
++ BIO_set_callback(SSL_get_rbio(TLScontext->con), bio_dump_cb);
++
++
++ /* Dump the negotiation for loglevels 3 and 4 */
++ if (var_smtpd_tls_loglevel >= 3)
++ do_dump = 1;
++
++ /*
++ * Now we expect the negotiation to begin. This whole process is like a
++ * black box for us. We totally have to rely on the routines build into
++ * the OpenSSL library. The only thing we can do we already have done
++ * by choosing our own callbacks for session caching and certificate
++ * verification.
++ *
++ * Error handling:
++ * If the SSL handhake fails, we print out an error message and remove
++ * everything that might be there. A session has to be removed anyway,
++ * because RFC2246 requires it.
++ */
++ sts = do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
++ SSL_accept, NULL, NULL, NULL, 0);
++ if (sts <= 0) {
++ msg_info("SSL_accept error from %s[%s]: %d", peername, peeraddr, sts);
++ pfixtls_print_errors();
++ SSL_free(TLScontext->con);
++ myfree((char *)TLScontext);
++ return (-1);
++ }
++
++ /* Only loglevel==4 dumps everything */
++ if (var_smtpd_tls_loglevel < 4)
++ do_dump = 0;
++
++ /*
++ * Lets see, whether a peer certificate is available and what is
++ * the actual information. We want to save it for later use.
++ */
++ peer = SSL_get_peer_certificate(TLScontext->con);
++ if (peer != NULL) {
++ if (SSL_get_verify_result(TLScontext->con) == X509_V_OK)
++ tls_info->peer_verified = 1;
++
++ X509_NAME_oneline(X509_get_subject_name(peer),
++ TLScontext->peer_subject, CCERT_BUFSIZ);
++ if (var_smtpd_tls_loglevel >= 2)
++ msg_info("subject=%s", TLScontext->peer_subject);
++ tls_info->peer_subject = TLScontext->peer_subject;
++ X509_NAME_oneline(X509_get_issuer_name(peer),
++ TLScontext->peer_issuer, CCERT_BUFSIZ);
++ if (var_smtpd_tls_loglevel >= 2)
++ msg_info("issuer=%s", TLScontext->peer_issuer);
++ tls_info->peer_issuer = TLScontext->peer_issuer;
++ if (X509_digest(peer, EVP_md5(), TLScontext->md, &n)) {
++ for (j = 0; j < (int) n; j++) {
++ TLScontext->fingerprint[j * 3] =
++ hexcodes[(TLScontext->md[j] & 0xf0) >> 4];
++ TLScontext->fingerprint[(j * 3) + 1] =
++ hexcodes[(TLScontext->md[j] & 0x0f)];
++ if (j + 1 != (int) n)
++ TLScontext->fingerprint[(j * 3) + 2] = ':';
++ else
++ TLScontext->fingerprint[(j * 3) + 2] = '\0';
++ }
++ if (var_smtpd_tls_loglevel >= 1)
++ msg_info("fingerprint=%s", TLScontext->fingerprint);
++ tls_info->peer_fingerprint = TLScontext->fingerprint;
++ }
++
++ TLScontext->peer_CN[0] = '\0';
++ if (!X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
++ NID_commonName, TLScontext->peer_CN, CCERT_BUFSIZ)) {
++ msg_info("Could not parse client's subject CN");
++ pfixtls_print_errors();
++ }
++ tls_info->peer_CN = TLScontext->peer_CN;
++
++ TLScontext->issuer_CN[0] = '\0';
++ if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
++ NID_commonName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
++ msg_info("Could not parse client's issuer CN");
++ pfixtls_print_errors();
++ }
++ if (!TLScontext->issuer_CN[0]) {
++ /* No issuer CN field, use Organization instead */
++ if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
++ NID_organizationName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
++ msg_info("Could not parse client's issuer Organization");
++ pfixtls_print_errors();
++ }
++ }
++ tls_info->issuer_CN = TLScontext->issuer_CN;
++
++ if (var_smtpd_tls_loglevel >= 1) {
++ if (tls_info->peer_verified)
++ msg_info("Verified: subject_CN=%s, issuer=%s",
++ TLScontext->peer_CN, TLScontext->issuer_CN);
++ else
++ msg_info("Unverified: subject_CN=%s, issuer=%s",
++ TLScontext->peer_CN, TLScontext->issuer_CN);
++ }
++
++ X509_free(peer);
++ }
++
++ /*
++ * At this point we should have a certificate when required.
++ * We may however have a cached session, so the callback would never
++ * be called. We therefore double-check to make sure and remove the
++ * session, if applicable.
++ */
++ if (requirecert) {
++ if (!tls_info->peer_verified || !tls_info->peer_CN) {
++ msg_info("Re-used session without peer certificate removed");
++ session = SSL_get_session(TLScontext->con);
++ SSL_CTX_remove_session(ctx, session);
++ return (-1);
++ }
++ }
++
++ /*
++ * Finally, collect information about protocol and cipher for logging
++ */
++ tls_info->protocol = SSL_get_version(TLScontext->con);
++ cipher = SSL_get_current_cipher(TLScontext->con);
++ tls_info->cipher_name = SSL_CIPHER_get_name(cipher);
++ tls_info->cipher_usebits = SSL_CIPHER_get_bits(cipher,
++ &(tls_info->cipher_algbits));
++
++ pfixtls_serveractive = 1;
++
++ /*
++ * The TLS engine is active, switch to the pfixtls_timed_read/write()
++ * functions and store the context.
++ */
++ vstream_control(stream,
++ VSTREAM_CTL_READ_FN, pfixtls_timed_read,
++ VSTREAM_CTL_WRITE_FN, pfixtls_timed_write,
++ VSTREAM_CTL_CONTEXT, (void *)TLScontext,
++ VSTREAM_CTL_END);
++
++ if (var_smtpd_tls_loglevel >= 1)
++ msg_info("TLS connection established from %s[%s]: %s with cipher %s (%d/%d bits)",
++ peername, peeraddr,
++ tls_info->protocol, tls_info->cipher_name,
++ tls_info->cipher_usebits, tls_info->cipher_algbits);
++ pfixtls_stir_seed();
++
++ return (0);
++}
++
++ /*
++ * Shut down the TLS connection, that does mean: remove all the information
++ * and reset the flags! This is needed if the actual running smtpd is to
++ * be restarted. We do not give back any value, as there is nothing to
++ * be reported.
++ * Since our session cache is external, we will remove the session from
++ * memory in any case. The SSL_CTX_flush_sessions might be redundant here,
++ * I however want to make sure nothing is left.
++ * RFC2246 requires us to remove sessions if something went wrong, as
++ * indicated by the "failure" value, so we remove it from the external
++ * cache, too.
++ */
++int pfixtls_stop_servertls(VSTREAM *stream, int timeout, int failure,
++ tls_info_t *tls_info)
++{
++ TLScontext_t *TLScontext;
++ int retval;
++
++ if (pfixtls_serveractive) {
++ TLScontext = (TLScontext_t *)vstream_context(stream);
++ /*
++ * Perform SSL_shutdown() twice, as the first attempt may return
++ * to early: it will only send out the shutdown alert but it will
++ * not wait for the peer's shutdown alert. Therefore, when we are
++ * the first party to send the alert, we must call SSL_shutdown()
++ * again.
++ * On failure we don't want to resume the session, so we will not
++ * perform SSL_shutdown() and the session will be removed as being
++ * bad.
++ */
++ if (!failure) {
++ retval = do_tls_operation(vstream_fileno(stream), timeout,
++ TLScontext, SSL_shutdown, NULL, NULL, NULL, 0);
++ if (retval == 0)
++ do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
++ SSL_shutdown, NULL, NULL, NULL, 0);
++ }
++ /*
++ * Free the SSL structure and the BIOs. Warning: the internal_bio is
++ * connected to the SSL structure and is automatically freed with
++ * it. Do not free it again (core dump)!!
++ * Only free the network_bio.
++ */
++ SSL_free(TLScontext->con);
++ BIO_free(TLScontext->network_bio);
++ myfree((char *)TLScontext);
++ vstream_control(stream,
++ VSTREAM_CTL_READ_FN, (VSTREAM_FN) NULL,
++ VSTREAM_CTL_WRITE_FN, (VSTREAM_FN) NULL,
++ VSTREAM_CTL_CONTEXT, (void *) NULL,
++ VSTREAM_CTL_END);
++ SSL_CTX_flush_sessions(ctx, time(NULL));
++
++ pfixtls_stir_seed();
++ pfixtls_exchange_seed();
++
++ *tls_info = tls_info_zero;
++ pfixtls_serveractive = 0;
++
++ }
++
++ return (0);
++}
++
++
++ /*
++ * This is the setup routine for the SSL client. As smtpd might be called
++ * more than once, we only want to do the initialization one time.
++ *
++ * The skeleton of this function is taken from OpenSSL apps/s_client.c.
++ */
++
++int pfixtls_init_clientengine(int verifydepth)
++{
++ int off = 0;
++ int verify_flags = SSL_VERIFY_NONE;
++ int rand_bytes;
++ int rand_source_dev_fd;
++ int rand_source_socket_fd;
++ unsigned char buffer[255];
++ char *CApath;
++ char *CAfile;
++ char *c_cert_file;
++ char *c_key_file;
++
++
++ if (pfixtls_clientengine)
++ return (0); /* already running */
++
++ if (var_smtp_tls_loglevel >= 2)
++ msg_info("starting TLS engine");
++
++ /*
++ * Initialize the OpenSSL library by the book!
++ * To start with, we must initialize the algorithms.
++ * We want cleartext error messages instead of just error codes, so we
++ * load the error_strings.
++ */
++ SSL_load_error_strings();
++ OpenSSL_add_ssl_algorithms();
++
++ /*
++ * Side effect, call a non-existing function to disable TLS usage with an
++ * outdated OpenSSL version. There is a security reason (verify_result
++ * is not stored with the session data).
++ */
++#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
++ needs_openssl_095_or_later();
++#endif
++
++ /*
++ * Initialize the PRNG Pseudo Random Number Generator with some seed.
++ */
++ randseed.pid = getpid();
++ GETTIMEOFDAY(&randseed.tv);
++ RAND_seed(&randseed, sizeof(randseed_t));
++
++ /*
++ * Access the external sources for random seed. We will only query them
++ * once, this should be sufficient and we will stir our entropy by using
++ * the prng-exchange file anyway.
++ * For reliability, we don't consider failure to access the additional
++ * source fatal, as we can run happily without it (considering that we
++ * still have the exchange-file). We also don't care how much entropy
++ * we get back, as we must run anyway. We simply stir in the buffer
++ * regardless how many bytes are actually in it.
++ */
++ if (*var_tls_daemon_rand_source) {
++ if (!strncmp(var_tls_daemon_rand_source, "dev:", 4)) {
++ /*
++ * Source is a random device
++ */
++ rand_source_dev_fd = open(var_tls_daemon_rand_source + 4, 0, 0);
++ if (rand_source_dev_fd == -1)
++ msg_info("Could not open entropy device %s",
++ var_tls_daemon_rand_source);
++ else {
++ if (var_tls_daemon_rand_bytes > 255)
++ var_tls_daemon_rand_bytes = 255;
++ read(rand_source_dev_fd, buffer, var_tls_daemon_rand_bytes);
++ RAND_seed(buffer, var_tls_daemon_rand_bytes);
++ close(rand_source_dev_fd);
++ }
++ } else if (!strncmp(var_tls_daemon_rand_source, "egd:", 4)) {
++ /*
++ * Source is a EGD compatible socket
++ */
++ rand_source_socket_fd = unix_connect(var_tls_daemon_rand_source +4,
++ BLOCKING, 10);
++ if (rand_source_socket_fd == -1)
++ msg_info("Could not connect to %s", var_tls_daemon_rand_source);
++ else {
++ if (var_tls_daemon_rand_bytes > 255)
++ var_tls_daemon_rand_bytes = 255;
++ buffer[0] = 1;
++ buffer[1] = var_tls_daemon_rand_bytes;
++ if (write(rand_source_socket_fd, buffer, 2) != 2)
++ msg_info("Could not talk to %s",
++ var_tls_daemon_rand_source);
++ else if (read(rand_source_socket_fd, buffer, 1) != 1)
++ msg_info("Could not read info from %s",
++ var_tls_daemon_rand_source);
++ else {
++ rand_bytes = buffer[0];
++ read(rand_source_socket_fd, buffer, rand_bytes);
++ RAND_seed(buffer, rand_bytes);
++ }
++ close(rand_source_socket_fd);
++ }
++ } else {
++ RAND_load_file(var_tls_daemon_rand_source,
++ var_tls_daemon_rand_bytes);
++ }
++ }
++
++ if (*var_tls_rand_exch_name) {
++ rand_exch_fd = open(var_tls_rand_exch_name, O_RDWR | O_CREAT, 0600);
++ if (rand_exch_fd != -1)
++ pfixtls_exchange_seed();
++ }
++
++ randseed.pid = getpid();
++ GETTIMEOFDAY(&randseed.tv);
++ RAND_seed(&randseed, sizeof(randseed_t));
++
++ /*
++ * The SSL/TLS speficications require the client to send a message in
++ * the oldest specification it understands with the highest level it
++ * understands in the message.
++ * RFC2487 is only specified for TLSv1, but we want to be as compatible
++ * as possible, so we will start off with a SSLv2 greeting allowing
++ * the best we can offer: TLSv1.
++ * We can restrict this with the options setting later, anyhow.
++ */
++ ctx = SSL_CTX_new(SSLv23_client_method());
++ if (ctx == NULL) {
++ pfixtls_print_errors();
++ return (-1);
++ };
++
++ /*
++ * Here we might set SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1.
++ * Of course, the last one would not make sense, since RFC2487 is only
++ * defined for TLS, but we don't know what is out there. So leave things
++ * completely open, as of today.
++ */
++ off |= SSL_OP_ALL; /* Work around all known bugs */
++ SSL_CTX_set_options(ctx, off);
++
++ /*
++ * Set the info_callback, that will print out messages during
++ * communication on demand.
++ */
++ if (var_smtp_tls_loglevel >= 2)
++ SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
++
++ /*
++ * Set the list of ciphers, if explicitely given; otherwise the
++ * (reasonable) default list is kept.
++ */
++ if (strlen(var_smtp_tls_cipherlist) != 0)
++ if (SSL_CTX_set_cipher_list(ctx, var_smtp_tls_cipherlist) == 0) {
++ pfixtls_print_errors();
++ return (-1);
++ }
++
++ /*
++ * Now we must add the necessary certificate stuff: A client key, a
++ * client certificate, and the CA certificates for both the client
++ * cert and the verification of server certificates.
++ * In fact, we do not need a client certificate, so the certificates
++ * are only loaded (and checked), if supplied. A clever client would
++ * handle multiple client certificates and decide based on the list
++ * of acceptable CAs, sent by the server, which certificate to submit.
++ * OpenSSL does however not do this and also has no callback hoods to
++ * easily realize it.
++ *
++ * As provided by OpenSSL we support two types of CA certificate handling:
++ * One possibility is to add all CA certificates to one large CAfile,
++ * the other possibility is a directory pointed to by CApath, containing
++ * seperate files for each CA pointed on by softlinks named by the hash
++ * values of the certificate.
++ * The first alternative has the advantage, that the file is opened and
++ * read at startup time, so that you don't have the hassle to maintain
++ * another copy of the CApath directory for chroot-jail. On the other
++ * hand, the file is not really readable.
++ */
++ if (strlen(var_smtp_tls_CAfile) == 0)
++ CAfile = NULL;
++ else
++ CAfile = var_smtp_tls_CAfile;
++ if (strlen(var_smtp_tls_CApath) == 0)
++ CApath = NULL;
++ else
++ CApath = var_smtp_tls_CApath;
++ if (CAfile || CApath) {
++ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
++ msg_info("TLS engine: cannot load CA data");
++ pfixtls_print_errors();
++ return (-1);
++ }
++ if (!SSL_CTX_set_default_verify_paths(ctx)) {
++ msg_info("TLS engine: cannot set verify paths");
++ pfixtls_print_errors();
++ return (-1);
++ }
++ }
++
++ if (strlen(var_smtp_tls_cert_file) == 0)
++ c_cert_file = NULL;
++ else
++ c_cert_file = var_smtp_tls_cert_file;
++ if (strlen(var_smtp_tls_key_file) == 0)
++ c_key_file = NULL;
++ else
++ c_key_file = var_smtp_tls_key_file;
++ if (c_cert_file || c_key_file)
++ if (!set_cert_stuff(ctx, c_cert_file, c_key_file)) {
++ msg_info("TLS engine: cannot load cert/key data");
++ pfixtls_print_errors();
++ return (-1);
++ }
++
++ /*
++ * Sometimes a temporary RSA key might be needed by the OpenSSL
++ * library. The OpenSSL doc indicates, that this might happen when
++ * export ciphers are in use. We have to provide one, so well, we
++ * just do it.
++ */
++ SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
++
++ /*
++ * Finally, the setup for the server certificate checking, done
++ * "by the book".
++ */
++ SSL_CTX_set_verify(ctx, verify_flags, verify_callback);
++
++ /*
++ * Initialize the session cache. We only want external caching to
++ * synchronize between server sessions, so we set it to a minimum value
++ * of 1. If the external cache is disabled, we won't cache at all.
++ *
++ * In case of the client, there is no callback used in OpenSSL, so
++ * we must call the session cache functions manually during the process.
++ */
++ SSL_CTX_sess_set_cache_size(ctx, 1);
++ SSL_CTX_set_timeout(ctx, var_smtp_tls_scache_timeout);
++
++ /*
++ * The session cache is realized by an external database file, that
++ * must be opened before going to chroot jail. Since the session cache
++ * data can become quite large, "[n]dbm" cannot be used as it has a
++ * size limit that is by far to small.
++ */
++ if (*var_smtp_tls_scache_db) {
++ /*
++ * Insert a test against other dbms here, otherwise while writing
++ * a session (content to large), we will receive a fatal error!
++ */
++ if (strncmp(var_smtp_tls_scache_db, "sdbm:", 5))
++ msg_warn("Only sdbm: type allowed for %s",
++ var_smtp_tls_scache_db);
++ else
++ scache_db = dict_open(var_smtp_tls_scache_db, O_RDWR,
++ DICT_FLAG_DUP_REPLACE | DICT_FLAG_LOCK | DICT_FLAG_SYNC_UPDATE);
++ if (!scache_db)
++ msg_warn("Could not open session cache %s",
++ var_smtp_tls_scache_db);
++ /*
++ * It is practical to have OpenSSL automatically save newly created
++ * sessions for us by callback. Therefore we have to enable the
++ * internal session cache for the client side. Disable automatic
++ * clearing, as smtp has limited lifetime anyway and we can call
++ * the cleanup routine at will.
++ */
++ SSL_CTX_set_session_cache_mode(ctx,
++ SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_NO_AUTO_CLEAR);
++ SSL_CTX_sess_set_new_cb(ctx, new_session_cb);
++ }
++
++ /*
++ * Finally create the global index to access TLScontext information
++ * inside verify_callback.
++ */
++ TLScontext_index = SSL_get_ex_new_index(0, "TLScontext ex_data index",
++ NULL, NULL, NULL);
++ TLSpeername_index = SSL_SESSION_get_ex_new_index(0,
++ "TLSpeername ex_data index",
++ new_peername_func,
++ dup_peername_func,
++ free_peername_func);
++
++ pfixtls_clientengine = 1;
++ return (0);
++}
++
++ /*
++ * This is the actual startup routine for the connection. We expect
++ * that the buffers are flushed and the "220 Ready to start TLS" was
++ * received by us, so that we can immediately can start the TLS
++ * handshake process.
++ */
++int pfixtls_start_clienttls(VSTREAM *stream, int timeout,
++ int enforce_peername,
++ const char *peername,
++ tls_info_t *tls_info)
++{
++ int sts;
++ SSL_SESSION *session, *old_session;
++ SSL_CIPHER *cipher;
++ X509 *peer;
++ int verify_flags;
++ TLScontext_t *TLScontext;
++
++ if (!pfixtls_clientengine) { /* should never happen */
++ msg_info("tls_engine not running");
++ return (-1);
++ }
++ if (var_smtpd_tls_loglevel >= 1)
++ msg_info("setting up TLS connection to %s", peername);
++
++ /*
++ * Allocate a new TLScontext for the new connection and get an SSL
++ * structure. Add the location of TLScontext to the SSL to later
++ * retrieve the information inside the verify_callback().
++ */
++ TLScontext = (TLScontext_t *)mymalloc(sizeof(TLScontext_t));
++ if (!TLScontext) {
++ msg_fatal("Could not allocate 'TLScontext' with mymalloc");
++ }
++ if ((TLScontext->con = (SSL *) SSL_new(ctx)) == NULL) {
++ msg_info("Could not allocate 'TLScontext->con' with SSL_new()");
++ pfixtls_print_errors();
++ myfree((char *)TLScontext);
++ return (-1);
++ }
++ if (!SSL_set_ex_data(TLScontext->con, TLScontext_index, TLScontext)) {
++ msg_info("Could not set application data for 'TLScontext->con'");
++ pfixtls_print_errors();
++ SSL_free(TLScontext->con);
++ myfree((char *)TLScontext);
++ return (-1);
++ }
++
++ /*
++ * Set the verification parameters to be checked in verify_callback().
++ */
++ if (enforce_peername) {
++ verify_flags = SSL_VERIFY_PEER;
++ TLScontext->enforce_verify_errors = 1;
++ TLScontext->enforce_CN = 1;
++ SSL_set_verify(TLScontext->con, verify_flags, verify_callback);
++ }
++ else {
++ TLScontext->enforce_verify_errors = 0;
++ TLScontext->enforce_CN = 0;
++ }
++ TLScontext->hostname_matched = 0;
++
++ /*
++ * The TLS connection is realized by a BIO_pair, so obtain the pair.
++ */
++ if (!BIO_new_bio_pair(&TLScontext->internal_bio, BIO_bufsiz,
++ &TLScontext->network_bio, BIO_bufsiz)) {
++ msg_info("Could not obtain BIO_pair");
++ pfixtls_print_errors();
++ SSL_free(TLScontext->con);
++ myfree((char *)TLScontext);
++ return (-1);
++ }
++
++ old_session = NULL;
++
++ /*
++ * Find out the hashed HostID for the client cache and try to
++ * load the session from the cache.
++ */
++ strncpy(TLScontext->peername_save, peername, ID_MAXLENGTH + 1);
++ TLScontext->peername_save[ID_MAXLENGTH] = '\0'; /* just in case */
++ (void)lowercase(TLScontext->peername_save);
++ if (scache_db) {
++ old_session = load_clnt_session(peername, enforce_peername);
++ if (old_session) {
++ SSL_set_session(TLScontext->con, old_session);
++#if (OPENSSL_VERSION_NUMBER < 0x00906011L) || (OPENSSL_VERSION_NUMBER == 0x00907000L)
++ /*
++ * Ugly Hack: OpenSSL before 0.9.6a does not store the verify
++ * result in sessions for the client side.
++ * We modify the session directly which is version specific,
++ * but this bug is version specific, too.
++ *
++ * READ: 0-09-06-01-1 = 0-9-6-a-beta1: all versions before
++ * beta1 have this bug, it has been fixed during development
++ * of 0.9.6a. The development version of 0.9.7 can have this
++ * bug, too. It has been fixed on 2000/11/29.
++ */
++ SSL_set_verify_result(TLScontext->con, old_session->verify_result);
++#endif
++
++ }
++ }
++
++ /*
++ * Before really starting anything, try to seed the PRNG a little bit
++ * more.
++ */
++ pfixtls_stir_seed();
++ pfixtls_exchange_seed();
++
++ /*
++ * Initialize the SSL connection to connect state. This should not be
++ * necessary anymore since 0.9.3, but the call is still in the library
++ * and maintaining compatibility never hurts.
++ */
++ SSL_set_connect_state(TLScontext->con);
++
++ /*
++ * Connect the SSL-connection with the postfix side of the BIO-pair for
++ * reading and writing.
++ */
++ SSL_set_bio(TLScontext->con, TLScontext->internal_bio,
++ TLScontext->internal_bio);
++
++ /*
++ * If the debug level selected is high enough, all of the data is
++ * dumped: 3 will dump the SSL negotiation, 4 will dump everything.
++ *
++ * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
++ * Well there is a BIO below the SSL routines that is automatically
++ * created for us, so we can use it for debugging purposes.
++ */
++ if (var_smtp_tls_loglevel >= 3)
++ BIO_set_callback(SSL_get_rbio(TLScontext->con), bio_dump_cb);
++
++
++ /* Dump the negotiation for loglevels 3 and 4 */
++ if (var_smtp_tls_loglevel >= 3)
++ do_dump = 1;
++
++ /*
++ * Now we expect the negotiation to begin. This whole process is like a
++ * black box for us. We totally have to rely on the routines build into
++ * the OpenSSL library. The only thing we can do we already have done
++ * by choosing our own callback certificate verification.
++ *
++ * Error handling:
++ * If the SSL handhake fails, we print out an error message and remove
++ * everything that might be there. A session has to be removed anyway,
++ * because RFC2246 requires it.
++ */
++ sts = do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
++ SSL_connect, NULL, NULL, NULL, 0);
++ if (sts <= 0) {
++ msg_info("SSL_connect error to %s: %d", peername, sts);
++ pfixtls_print_errors();
++ session = SSL_get_session(TLScontext->con);
++ if (session) {
++ SSL_CTX_remove_session(ctx, session);
++ if (var_smtp_tls_loglevel >= 2)
++ msg_info("SSL session removed");
++ }
++ if ((old_session) && (!SSL_session_reused(TLScontext->con)))
++ SSL_SESSION_free(old_session); /* Must also be removed */
++ SSL_free(TLScontext->con);
++ myfree((char *)TLScontext);
++ return (-1);
++ }
++
++ if (!SSL_session_reused(TLScontext->con)) {
++ SSL_SESSION_free(old_session); /* Remove unused session */
++ }
++ else if (var_smtp_tls_loglevel >= 3)
++ msg_info("Reusing old session");
++
++ /* Only loglevel==4 dumps everything */
++ if (var_smtp_tls_loglevel < 4)
++ do_dump = 0;
++
++ /*
++ * Lets see, whether a peer certificate is available and what is
++ * the actual information. We want to save it for later use.
++ */
++ peer = SSL_get_peer_certificate(TLScontext->con);
++ if (peer != NULL) {
++ if (SSL_get_verify_result(TLScontext->con) == X509_V_OK)
++ tls_info->peer_verified = 1;
++
++ tls_info->hostname_matched = TLScontext->hostname_matched;
++ TLScontext->peer_CN[0] = '\0';
++ if (!X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
++ NID_commonName, TLScontext->peer_CN, CCERT_BUFSIZ)) {
++ msg_info("Could not parse server's subject CN");
++ pfixtls_print_errors();
++ }
++ tls_info->peer_CN = TLScontext->peer_CN;
++
++ TLScontext->issuer_CN[0] = '\0';
++ if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
++ NID_commonName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
++ msg_info("Could not parse server's issuer CN");
++ pfixtls_print_errors();
++ }
++ if (!TLScontext->issuer_CN[0]) {
++ /* No issuer CN field, use Organization instead */
++ if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
++ NID_organizationName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
++ msg_info("Could not parse server's issuer Organization");
++ pfixtls_print_errors();
++ }
++ }
++ tls_info->issuer_CN = TLScontext->issuer_CN;
++
++ if (var_smtp_tls_loglevel >= 1) {
++ if (tls_info->peer_verified)
++ msg_info("Verified: subject_CN=%s, issuer=%s",
++ TLScontext->peer_CN, TLScontext->issuer_CN);
++ else
++ msg_info("Unverified: subject_CN=%s, issuer=%s",
++ TLScontext->peer_CN, TLScontext->issuer_CN);
++ }
++ X509_free(peer);
++ }
++
++ /*
++ * Finally, collect information about protocol and cipher for logging
++ */
++ tls_info->protocol = SSL_get_version(TLScontext->con);
++ cipher = SSL_get_current_cipher(TLScontext->con);
++ tls_info->cipher_name = SSL_CIPHER_get_name(cipher);
++ tls_info->cipher_usebits = SSL_CIPHER_get_bits(cipher,
++ &(tls_info->cipher_algbits));
++
++ pfixtls_clientactive = 1;
++
++ /*
++ * The TLS engine is active, switch to the pfixtls_timed_read/write()
++ * functions.
++ */
++ vstream_control(stream,
++ VSTREAM_CTL_READ_FN, pfixtls_timed_read,
++ VSTREAM_CTL_WRITE_FN, pfixtls_timed_write,
++ VSTREAM_CTL_CONTEXT, (void *)TLScontext,
++ VSTREAM_CTL_END);
++
++ if (var_smtp_tls_loglevel >= 1)
++ msg_info("TLS connection established to %s: %s with cipher %s (%d/%d bits)",
++ peername, tls_info->protocol, tls_info->cipher_name,
++ tls_info->cipher_usebits, tls_info->cipher_algbits);
++
++ pfixtls_stir_seed();
++
++ return (0);
++}
++
++ /*
++ * Shut down the TLS connection, that does mean: remove all the information
++ * and reset the flags! This is needed if the actual running smtp is to
++ * be restarted. We do not give back any value, as there is nothing to
++ * be reported.
++ * Since our session cache is external, we will remove the session from
++ * memory in any case. The SSL_CTX_flush_sessions might be redundant here,
++ * I however want to make sure nothing is left.
++ * RFC2246 requires us to remove sessions if something went wrong, as
++ * indicated by the "failure" value,so we remove it from the external
++ * cache, too.
++ */
++int pfixtls_stop_clienttls(VSTREAM *stream, int timeout, int failure,
++ tls_info_t *tls_info)
++{
++ TLScontext_t *TLScontext;
++ int retval;
++
++ if (pfixtls_clientactive) {
++ TLScontext = (TLScontext_t *)vstream_context(stream);
++ /*
++ * Perform SSL_shutdown() twice, as the first attempt may return
++ * to early: it will only send out the shutdown alert but it will
++ * not wait for the peer's shutdown alert. Therefore, when we are
++ * the first party to send the alert, we must call SSL_shutdown()
++ * again.
++ * On failure we don't want to resume the session, so we will not
++ * perform SSL_shutdown() and the session will be removed as being
++ * bad.
++ */
++ if (!failure) {
++ retval = do_tls_operation(vstream_fileno(stream), timeout,
++ TLScontext, SSL_shutdown, NULL, NULL, NULL, 0);
++ if (retval == 0)
++ do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
++ SSL_shutdown, NULL, NULL, NULL, 0);
++ }
++ /*
++ * Free the SSL structure and the BIOs. Warning: the internal_bio is
++ * connected to the SSL structure and is automatically freed with
++ * it. Do not free it again (core dump)!!
++ * Only free the network_bio.
++ */
++ SSL_free(TLScontext->con);
++ BIO_free(TLScontext->network_bio);
++ myfree((char *)TLScontext);
++ vstream_control(stream,
++ VSTREAM_CTL_READ_FN, (VSTREAM_FN) NULL,
++ VSTREAM_CTL_WRITE_FN, (VSTREAM_FN) NULL,
++ VSTREAM_CTL_CONTEXT, (void *) NULL,
++ VSTREAM_CTL_END);
++ SSL_CTX_flush_sessions(ctx, time(NULL));
++
++ pfixtls_stir_seed();
++ pfixtls_exchange_seed();
++
++ *tls_info = tls_info_zero;
++ pfixtls_clientactive = 0;
++
++ }
++
++ return (0);
++}
++
++
++#endif /* USE_SSL */
++#endif
+diff -urNad postfix-release/src/global/pfixtls.h /tmp/dpep.cXJuVH/postfix-release/src/global/pfixtls.h
+--- postfix-release/src/global/pfixtls.h 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/pfixtls.h 2005-02-03 10:22:13.060096687 -0700
+@@ -0,0 +1,81 @@
++/*++
++/* NAME
++/* pfixtls 3h
++/* SUMMARY
++/* TLS routines
++/* SYNOPSIS
++/* include "pfixtls.h"
++/* DESCRIPTION
++/* .nf
++/*--*/
++
++#ifndef PFIXTLS_H_INCLUDED
++#define PFIXTLS_H_INCLUDED
++
++#if defined(HAS_SSL) && !defined(USE_SSL)
++#define USE_SSL
++#endif
++
++typedef struct {
++ int peer_verified;
++ int hostname_matched;
++ char *peer_subject;
++ char *peer_issuer;
++ char *peer_fingerprint;
++ char *peer_CN;
++ char *issuer_CN;
++ const char *protocol;
++ const char *cipher_name;
++ int cipher_usebits;
++ int cipher_algbits;
++} tls_info_t;
++
++extern const tls_info_t tls_info_zero;
++
++#ifdef USE_SSL
++
++typedef struct {
++ long scache_db_version;
++ long openssl_version;
++ time_t timestamp; /* We could add other info here... */
++ int enforce_peername;
++} pfixtls_scache_info_t;
++
++extern const long scache_db_version;
++extern const long openssl_version;
++
++int pfixtls_timed_read(int fd, void *buf, unsigned len, int timout,
++ void *unused_timeout);
++int pfixtls_timed_write(int fd, void *buf, unsigned len, int timeout,
++ void *unused_timeout);
++
++extern int pfixtls_serverengine;
++int pfixtls_init_serverengine(int verifydepth, int askcert);
++int pfixtls_start_servertls(VSTREAM *stream, int timeout,
++ const char *peername, const char *peeraddr,
++ tls_info_t *tls_info, int require_cert);
++int pfixtls_stop_servertls(VSTREAM *stream, int timeout, int failure,
++ tls_info_t *tls_info);
++
++extern int pfixtls_clientengine;
++int pfixtls_init_clientengine(int verifydepth);
++int pfixtls_start_clienttls(VSTREAM *stream, int timeout,
++ int enforce_peername,
++ const char *peername,
++ tls_info_t *tls_info);
++int pfixtls_stop_clienttls(VSTREAM *stream, int timeout, int failure,
++ tls_info_t *tls_info);
++
++#endif /* PFIXTLS_H_INCLUDED */
++#endif
++
++/* LICENSE
++/* .ad
++/* .fi
++/* AUTHOR(S)
++/* Lutz Jaenicke
++/* BTU Cottbus
++/* Allgemeine Elektrotechnik
++/* Universitaetsplatz 3-4
++/* D-03044 Cottbus, Germany
++/*--*/
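Review bot: The `#endif /* PFIXTLS_H_INCLUDED */` comment is on the wrong directive: the first `#endif` after the client prototypes closes `#ifdef USE_SSL`, and the bare `#endif` on the next line is the one that closes the include guard, so a reader counting nesting from the comments gets it backwards. Swap the labels to `#endif /* USE_SSL */` followed by `#endif /* PFIXTLS_H_INCLUDED */`. Also, the `pfixtls_timed_read` prototype spells its fourth parameter `timout` while `pfixtls_timed_write` spells it `timeout`; harmless to the compiler but worth fixing while the header is new.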
+diff -urNad postfix-release/src/global/resolve_local.c /tmp/dpep.cXJuVH/postfix-release/src/global/resolve_local.c
+--- postfix-release/src/global/resolve_local.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/resolve_local.c 2005-02-03 10:22:13.060096687 -0700
+@@ -43,6 +43,7 @@
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+ #include <string.h>
++#include <netdb.h>
+
+ #ifndef INADDR_NONE
+ #define INADDR_NONE 0xffffffff
+@@ -80,7 +81,12 @@
+ {
+ char *saved_addr = mystrdup(addr);
+ char *dest;
++#ifdef INET6
++ struct addrinfo hints, *res, *res0;
++ int error;
++#else
+ struct in_addr ipaddr;
++#endif
+ int len;
+
+ #define RETURN(x) { myfree(saved_addr); return(x); }
+@@ -118,9 +124,28 @@
+ if (*dest == '[' && dest[len - 1] == ']') {
+ dest++;
+ dest[len -= 2] = 0;
++#ifdef INET6
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = PF_UNSPEC;
++ hints.ai_socktype = SOCK_DGRAM;
++ hints.ai_flags = AI_NUMERICHOST;
++ error = getaddrinfo(dest, NULL, &hints, &res0);
++ if (!error) {
++ for (res = res0; res; res = res->ai_next) {
++ if (own_inet_addr(res->ai_addr) ||
++ (res->ai_family == AF_INET &&
++ proxy_inet_addr((struct in_addr *)&res->ai_addr))) {
++ freeaddrinfo(res0);
++ RETURN(1);
++ }
++ }
++ freeaddrinfo(res0);
++ }
++#else
+ if ((ipaddr.s_addr = inet_addr(dest)) != INADDR_NONE
+ && (own_inet_addr(&ipaddr) || proxy_inet_addr(&ipaddr)))
+ RETURN(1);
++#endif
+ }
+
+ /*
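Review bot: The new INET6 branch calls `proxy_inet_addr((struct in_addr *)&res->ai_addr)`, which passes the address of the `ai_addr` pointer field itself rather than the IPv4 address it points to, so the proxy_interfaces comparison is made against pointer bytes and will essentially never match a configured proxy address. Since this code decides whether a bracketed `[addr]` destination counts as local, a wrong answer here changes how such mail is routed; the argument should be `&((struct sockaddr_in *)res->ai_addr)->sin_addr`. The `own_inet_addr(res->ai_addr)` call on the line above presumably takes a `struct sockaddr *` in this patch's version of that helper, which is why only the proxy check looks wrong — worth confirming against own_inet_addr.h. The enclosing function, resolve_local, starts and ends outside the hunk.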
+diff -urNad postfix-release/src/global/wildcard_inet_addr.c /tmp/dpep.cXJuVH/postfix-release/src/global/wildcard_inet_addr.c
+--- postfix-release/src/global/wildcard_inet_addr.c 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/wildcard_inet_addr.c 2005-02-03 10:22:13.060096687 -0700
+@@ -0,0 +1,81 @@
++/* System library. */
++
++#include <sys_defs.h>
++#include <netinet/in.h>
++#include <arpa/inet.h>
++#include <string.h>
++#ifdef INET6
++#include <sys/socket.h>
++#endif
++#include <netdb.h>
++
++#ifdef STRCASECMP_IN_STRINGS_H
++#include <strings.h>
++#endif
++
++/* Utility library. */
++
++#include <msg.h>
++#include <mymalloc.h>
++#include <inet_addr_list.h>
++#include <inet_addr_local.h>
++#include <inet_addr_host.h>
++#include <stringops.h>
++
++/* Global library. */
++
++#include <mail_params.h>
++#include <wildcard_inet_addr.h>
++
++/* Application-specific. */
++static INET_ADDR_LIST addr_list;
++
++/* wildcard_inet_addr_init - initialize my own address list */
++
++static void wildcard_inet_addr_init(INET_ADDR_LIST *addr_list, int addr_family)
++{
++#ifdef INET6
++ struct addrinfo hints, *res, *res0;
++ char hbuf[NI_MAXHOST];
++ int error;
++ const int niflags = NI_NUMERICHOST | NI_WITHSCOPEID;
++
++ inet_addr_list_init(addr_list);
++
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = PF_UNSPEC;
++ hints.ai_socktype = SOCK_STREAM;
++ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
++ error = getaddrinfo(NULL, "0", &hints, &res0);
++ if (error)
++ msg_fatal("could not get list of wildcard addresses");
++ for (res = res0; res; res = res->ai_next) {
++ if (addr_family > 0 && res->ai_family != addr_family)
++ continue;
++ if (addr_family <= 0 && res->ai_family != AF_INET
++ && res->ai_family != AF_INET6)
++ continue;
++ if (getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, sizeof(hbuf),
++ NULL, 0, niflags) != 0)
++ continue;
++ if (inet_addr_host(addr_list, hbuf) == 0)
++ continue; /* msg_fatal("config variable %s: host not found: %s",
++ VAR_INET_INTERFACES, hbuf); */
++ }
++ freeaddrinfo(res0);
++#else
++ if (inet_addr_host(addr_list, "0.0.0.0") == 0)
++ msg_fatal("config variable %s: host not found: %s",
++ VAR_INET_INTERFACES, "0.0.0.0");
++#endif
++}
++
++/* wildcard_inet_addr_list - return list of addresses */
++
++INET_ADDR_LIST *wildcard_inet_addr_list(int addr_family)
++{
++ if (addr_list.used == 0)
++ wildcard_inet_addr_init(&addr_list, addr_family);
++
++ return (&addr_list);
++}
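Review bot: `wildcard_inet_addr_list()` ignores its `addr_family` argument on every call after the first: the file-static `addr_list` is populated once with whatever family the first caller asked for (`if (addr_list.used == 0)`), so a later caller requesting AF_INET6 after an AF_INET initialization silently gets the IPv4-only list. Either key the cache per family (one static list for AF_INET, one for AF_INET6, one for unspecified) or, at minimum, document the limitation at the function: `/* The list is built once, for the addr_family of the first call; later calls return that list regardless of addr_family. */`. The `addr_list` parameter of `wildcard_inet_addr_init()` also shadows the file-static of the same name, which makes the caching behaviour harder to see — renaming the parameter to `list` would help. Separately, `NI_WITHSCOPEID` is not part of the RFC 3493 getnameinfo() API and is not defined by every libc, so the build may need a fallback `#define NI_WITHSCOPEID 0` — confirm against the target platforms.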
+diff -urNad postfix-release/src/global/wildcard_inet_addr.h /tmp/dpep.cXJuVH/postfix-release/src/global/wildcard_inet_addr.h
+--- postfix-release/src/global/wildcard_inet_addr.h 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/wildcard_inet_addr.h 2005-02-03 10:22:13.061096464 -0700
+@@ -0,0 +1,36 @@
++#ifndef _WILDCARD_INET_ADDR_H_INCLUDED_
++#define _WILDCARD_INET_ADDR_H_INCLUDED_
++
++/*++
++/* NAME
++/* wildcard_inet_addr_list 3h
++/* SUMMARY
++/* grab the list of wildcard IP addresses.
++/* SYNOPSIS
++/* #include <own_inet_addr.h>
++/* DESCRIPTION
++/* .nf
++/*--*/
++
++ /*
++ * System library.
++ */
++#include <netinet/in.h>
++#ifdef INET6
++#include <sys/socket.h>
++#endif
++
++ /*
++ * External interface.
++ */
++extern struct INET_ADDR_LIST *wildcard_inet_addr_list(int);
++
++/* LICENSE
++/* .ad
++/* .fi
++/* foo
++/* AUTHOR(S)
++/* Jun-ichiro itojun Hagino
++/*--*/
++
++#endif
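Review bot: The SYNOPSIS block of this new header names the wrong file — it says `#include <own_inet_addr.h>` although the header being documented is wildcard_inet_addr.h; change it to `/* #include <wildcard_inet_addr.h>`. The LICENSE section also still carries the placeholder line `/* foo`, which should be replaced with the actual license reference or removed before this ships in a Debian package.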
+diff -urNad postfix-release/src/lmtp/lmtp_addr.c /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp_addr.c
+--- postfix-release/src/lmtp/lmtp_addr.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp_addr.c 2005-02-03 10:22:13.061096464 -0700
+@@ -166,7 +166,11 @@
+ /*
+ * Append the addresses for this host to the address list.
+ */
++#ifdef INET6
++ switch (dns_lookup_types(host, RES_DEFNAMES, &addr, (VSTRING *) 0, why, T_AAAA, T_A, NULL)) {
++#else
+ switch (dns_lookup(host, T_A, RES_DEFNAMES, &addr, (VSTRING *) 0, why)) {
++#endif
+ case DNS_OK:
+ for (rr = addr; rr; rr = rr->next)
+ rr->pref = pref;
+diff -urNad postfix-release/src/lmtp/lmtp.c /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp.c
+--- postfix-release/src/lmtp/lmtp.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp.c 2005-02-03 10:22:13.061096464 -0700
+@@ -163,6 +163,12 @@
+ /* .IP "\fBlmtp_quit_timeout (300s)\fR"
+ /* The LMTP client time limit for sending the QUIT command, and for
+ /* receiving the server response.
++/* .IP "\fBlmtp_bind_address ()\fR"
++/* Numerical source network address (IPv4) to bind to when making
++/* a connection.
++/* .IP "\fBlmtp_bind_address6 ()\fR"
++/* Numerical source network address (IPv6) to bind to when making
++/* a connection.
+ /* MISCELLANEOUS CONTROLS
+ /* .ad
+ /* .fi
+@@ -293,6 +299,8 @@
+ char *var_lmtp_sasl_passwd;
+ bool var_lmtp_sasl_enable;
+ bool var_lmtp_send_xforward;
++char *var_lmtp_bind_addr;
++char *var_lmtp_bind_addr6;
+
+ /*
+ * Global variables.
+@@ -554,6 +562,8 @@
+ VAR_ERROR_RCPT, DEF_ERROR_RCPT, &var_error_rcpt, 1, 0,
+ VAR_LMTP_SASL_PASSWD, DEF_LMTP_SASL_PASSWD, &var_lmtp_sasl_passwd, 0, 0,
+ VAR_LMTP_SASL_OPTS, DEF_LMTP_SASL_OPTS, &var_lmtp_sasl_opts, 0, 0,
++ VAR_LMTP_BIND_ADDR, DEF_LMTP_BIND_ADDR, &var_lmtp_bind_addr, 0, 0,
++ VAR_LMTP_BIND_ADDR6, DEF_LMTP_BIND_ADDR6, &var_lmtp_bind_addr6, 0, 0,
+ 0,
+ };
+ static CONFIG_INT_TABLE int_table[] = {
+diff -urNad postfix-release/src/lmtp/lmtp_connect.c /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp_connect.c
+--- postfix-release/src/lmtp/lmtp_connect.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp_connect.c 2005-02-03 10:22:13.062096241 -0700
+@@ -94,16 +94,23 @@
+ #include <stringops.h>
+ #include <host_port.h>
+ #include <sane_connect.h>
++#include <inet_addr_list.h>
+
+ /* Global library. */
+
+ #include <mail_params.h>
+ #include <mail_proto.h>
++#include <own_inet_addr.h>
+
+ /* DNS library. */
+
+ #include <dns.h>
+
++#ifdef INET6
++#define GAI_STRERROR(error) \
++ ((error == EAI_SYSTEM) ? strerror(errno) : gai_strerror(error))
++#endif
++
+ /* Application-specific. */
+
+ #include "lmtp.h"
+@@ -162,19 +169,221 @@
+ addr, addr, destination, why));
+ }
+
++/* lmtp_force_bind: bind() address */
++
++static void lmtp_force_bind(const char *bind_addr,
++ const char *bind_var,
++ int sock,
++ int af)
++{
++ /*
++ * If the bind() call fails, this is considered a non-fatal error.
++ * All address conversion errors are fatal.
++ */
++ char *myname = "lmtp_force_bind";
++#ifdef INET6
++ char hbuf[NI_MAXHOST];
++ int aierr;
++ struct addrinfo hints, *res;
++
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = af;
++ hints.ai_socktype = SOCK_STREAM;
++ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
++ snprintf(hbuf, sizeof(hbuf), "%s", bind_addr);
++ aierr = getaddrinfo(hbuf, NULL, &hints, &res);
++ if (aierr == EAI_NONAME)
++ msg_fatal("%s: bad %s parameter: \"%s\"",
++ myname, bind_var, bind_addr);
++ if (aierr != 0) {
++ if (msg_verbose)
++ msg_warn("%s: getaddrinfo(%s): %s",
++ myname, hbuf, GAI_STRERROR(aierr));
++ return;
++ }
++ aierr = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, sizeof(hbuf),
++ NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
++ if (aierr != 0) {
++ msg_warn("%s: getnameinfo(): %s",
++ myname, GAI_STRERROR(aierr));
++ freeaddrinfo(res);
++ return;
++ }
++ if (bind(sock, res->ai_addr, res->ai_addrlen) < 0)
++ msg_warn("%s: bind %s: %m", myname, hbuf);
++ else if (msg_verbose)
++ msg_info("%s: bind %s", myname, hbuf);
++ freeaddrinfo(res);
++#else /* INET6 */
++ struct sockaddr_in sin;
++
++ memset(&sin, 0, sizeof(sin));
++ sin.sin_family = AF_INET;
++#ifdef HAS_SA_LEN
++ sin.sin_len = sizeof(sin);
++#endif
++ sin.sin_addr.s_addr = inet_addr(bind_addr);
++ if (sin.sin_addr.s_addr == INADDR_NONE) {
++ msg_fatal("%s: bad %s parameter: \"%s\"",
++ myname, bind_var, bind_addr);
++ return;
++ }
++ if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
++ msg_warn("%s: bind %s: %m", myname, inet_ntoa(sin.sin_addr));
++ else if (msg_verbose)
++ msg_info("%s: bind %s", myname, inet_ntoa(sin.sin_addr));
++#endif /* INET6 */
++}
++
++/* lmtp_virtual_bind - bind() when acting as virtual host */
++
++static void lmtp_virtual_bind(int sock, int af)
++{
++ char *myname = "lmtp_virtual_bind";
++ INET_ADDR_LIST *addr_list;
++ int count;
++
++#ifdef INET6
++ int i;
++ char hbuf[NI_MAXHOST];
++ int aierr;
++ struct sockaddr *sa;
++ struct addrinfo hints, *loopback = NULL, *res = NULL;
++
++ /*
++ * Check whether we are acting as a virtual host
++ */
++ count = 0;
++ addr_list = own_inet_addr_list();
++ for (i = 0; count < 2 && i < addr_list->used; i++)
++ if (((struct sockaddr *)&addr_list->addrs[i])->sa_family == af)
++ count++;
++ if (count != 1)
++ return;
++
++ /*
++ * Bind the source address.
++ */
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = af;
++ hints.ai_socktype = SOCK_STREAM;
++ aierr = getaddrinfo(NULL, "0", &hints, &loopback);
++ if (aierr != 0) {
++ loopback = NULL;
++ msg_warn("%s: getaddrinfo(\"0\"): %s",
++ myname, GAI_STRERROR(aierr));
++ }
++
++ sa = (struct sockaddr *)&addr_list->addrs[i - 1];
++ aierr = getnameinfo(sa, SA_LEN(sa), hbuf, sizeof(hbuf),
++ NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
++ if (aierr != 0)
++ msg_fatal("%s: getnameinfo() (AF=%d): %s",
++ myname, af, GAI_STRERROR(aierr));
++
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = af;
++ hints.ai_socktype = SOCK_STREAM;
++ hints.ai_flags = AI_NUMERICHOST | AI_PASSIVE;
++ aierr = getaddrinfo(hbuf, NULL, &hints, &res);
++ if (aierr != 0)
++ msg_fatal("%s: getaddrinfo(\"%s\"): %s",
++ myname, hbuf, GAI_STRERROR(aierr));
++
++ if (res->ai_addrlen != loopback->ai_addrlen
++ || memcmp(res->ai_addr, loopback->ai_addr, res->ai_addrlen) != 0) {
++ if (bind(sock, res->ai_addr, res->ai_addrlen) < 0)
++ msg_warn("%s: bind %s: %m", myname, hbuf);
++ else if (msg_verbose)
++ msg_info("%s: bind %s", myname, hbuf);
++ } else if (msg_verbose) {
++ msg_info("%s: not calling bind(): unusable source "
++ "address from \"%s\"", myname, hbuf);
++ }
++ if (res)
++ freeaddrinfo(res);
++ if (loopback)
++ freeaddrinfo(loopback);
++
++#else /* INET6 */
++
++ struct sockaddr_in sin;
++ unsigned long inaddr; /*XXX BAD!*/
++
++ /*
++ * Check whether we are acting as a virtual host
++ */
++ addr_list = own_inet_addr_list();
++ count = addr_list->used;
++ if (count != 1)
++ return;
++
++ /*
++ * Bind the source address.
++ */
++ memset(&sin, 0, sizeof(sin));
++ sin.sin_family = AF_INET;
++#ifdef HAS_SA_LEN
++ sin.sin_len = sizeof(sin);
++#endif
++ memcpy((char *) &sin.sin_addr, addr_list->addrs, sizeof(sin.sin_addr));
++ inaddr = (unsigned long)ntohl(sin.sin_addr.s_addr);
++ if (!IN_CLASSA(inaddr)
++ || !(((inaddr & IN_CLASSA_NET) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)) {
++ if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
++ msg_warn("%s: bind %s: %m", myname, inet_ntoa(sin.sin_addr));
++ else if (msg_verbose)
++ msg_info("%s: bind %s", myname, inet_ntoa(sin.sin_addr));
++ }
++#endif /* INET6 */
++}
++
+ /* lmtp_connect_addr - connect to explicit address */
+
+ static LMTP_SESSION *lmtp_connect_addr(DNS_RR *addr, unsigned port,
+ const char *destination, VSTRING *why)
+ {
+ char *myname = "lmtp_connect_addr";
+- struct sockaddr_in sin;
+- int sock;
++#ifdef INET6
++ struct sockaddr_storage ss;
++#else
++ struct sockaddr ss;
++#endif
++ struct sockaddr *sa;
++ struct sockaddr_in *sin;
++#ifdef INET6
++ struct sockaddr_in6 *sin6;
++#endif
++ SOCKADDR_SIZE salen;
++#ifdef INET6
++ char hbuf[NI_MAXHOST];
++#else
++ char hbuf[sizeof("255.255.255.255") + 1];
++#endif
++ int sock = -1;
++ INET_ADDR_LIST *addr_list;
++ char *bind_addr;
++ char *bind_var;
++#ifdef INET6
++ char *addr6_ptr = NULL;
++#endif
++
++ sa = (struct sockaddr *)&ss;
++ sin = (struct sockaddr_in *)&ss;
++#ifdef INET6
++ sin6 = (struct sockaddr_in6 *)&ss;
++#endif
+
+ /*
+ * Sanity checks.
+ */
+- if (addr->data_len > sizeof(sin.sin_addr)) {
++#ifdef INET6
++ if (((addr->type==T_A) && (addr->data_len > sizeof(sin->sin_addr))) ||
++ ((addr->type==T_AAAA) && (addr->data_len > sizeof(sin6->sin6_addr))))
++#else
++ if (addr->data_len > sizeof(sin->sin_addr))
++#endif
++ {
+ msg_warn("%s: skip address with length %d", myname, addr->data_len);
+ lmtp_errno = LMTP_RETRY;
+ return (0);
+@@ -183,25 +392,93 @@
+ /*
+ * Initialize.
+ */
+- memset((char *) &sin, 0, sizeof(sin));
+- sin.sin_family = AF_INET;
++ switch (addr->type) {
++#ifdef INET6
++ case T_AAAA:
++ bind_addr = "";
++ bind_var = VAR_LMTP_BIND_ADDR6;
++ if (*var_lmtp_bind_addr6) {
++ addr6_ptr = mystrdup(var_lmtp_bind_addr6);
++ if (*addr6_ptr == '[' && addr6_ptr[strlen(addr6_ptr) - 1] == ']') {
++ addr6_ptr[strlen(addr6_ptr) - 1] = 0;
++ bind_addr = addr6_ptr + 1;
++ } else {
++ msg_warn("%s: skip incorrectly bracketed IPv6 address in %s",
++ myname, VAR_LMTP_BIND_ADDR6);
++ }
++ }
++ memset(sin6, 0, sizeof(*sin6));
++ sin6->sin6_family = AF_INET6;
++ salen = sizeof(*sin6);
++ break;
++#endif
++ default: /* T_A: */
++ bind_addr = var_lmtp_bind_addr;
++ bind_var = VAR_SMTP_BIND_ADDR;
++ memset(sin, 0, sizeof(*sin));
++ sin->sin_family = AF_INET;
++ salen = sizeof(*sin);
++ break;
++ };
++#ifdef HAS_SALEN
++ sa->sa_len = salen;
++#endif
+
+- if ((sock = socket(sin.sin_family, SOCK_STREAM, 0)) < 0)
++ if ((sock = socket(sa->sa_family, SOCK_STREAM, 0)) < 0)
+ msg_fatal("%s: socket: %m", myname);
+
+ /*
++ * Allow the sysadmin to specify the source address
++ */
++
++ if (bind_addr && *bind_addr) {
++ lmtp_force_bind(bind_addr, bind_var, sock, sa->sa_family);
++#ifdef INET6
++ if (addr6_ptr)
++ myfree(addr6_ptr);
++#endif
++ } else {
++ /*
++ * When running as a virtual host, bind to the virtual interface so that
++ * the mail appears to come from the "right" machine address.
++ */
++ lmtp_virtual_bind(sock, sa->sa_family);
++ }
++
++ /*
+ * Connect to the LMTP server.
+ */
+- sin.sin_port = port;
+- memcpy((char *) &sin.sin_addr, addr->data, sizeof(sin.sin_addr));
++ switch (addr->type) {
++#ifdef INET6
++ case T_AAAA:
++ /* XXX scope-unfriendly */
++ memset(sin6, 0, sizeof(*sin6));
++ sin6->sin6_port = port;
++ sin6->sin6_family = AF_INET6;
++ salen = sizeof(*sin6);
++ memcpy(&sin6->sin6_addr, addr->data, sizeof(sin6->sin6_addr));
++ inet_ntop(AF_INET6, &sin6->sin6_addr, hbuf, sizeof(hbuf));
++ break;
++#endif
++ default: /* T_A: */
++ memset(sin, 0, sizeof(*sin));
++ sin->sin_port = port;
++ sin->sin_family = AF_INET;
++ salen = sizeof(*sin);
++ memcpy(&sin->sin_addr, addr->data, sizeof(sin->sin_addr));
++ inet_ntop(AF_INET, &sin->sin_addr, hbuf, sizeof(hbuf));
++ break;
++ }
++#ifdef HAS_SA_LEN
++ sa->sa_len = salen;
++#endif
+
+ if (msg_verbose)
+ msg_info("%s: trying: %s[%s] port %d...",
+- myname, addr->name, inet_ntoa(sin.sin_addr), ntohs(port));
++ myname, addr->name, hbuf, ntohs(port));
+
+- return (lmtp_connect_sock(sock, (struct sockaddr *) & sin, sizeof(sin),
+- addr->name, inet_ntoa(sin.sin_addr),
+- destination, why));
++ return (lmtp_connect_sock(sock, (struct sockaddr *)sa, salen,
++ addr->name, hbuf, destination, why));
+ }
+
+ /* lmtp_connect_sock - connect a socket over some transport */
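Review bot: The first sa_len assignment is guarded by `#ifdef HAS_SALEN` while the second one a few lines down and every other site in this patch spell it `HAS_SA_LEN`, so on sa_len platforms the first assignment is compiled out; it is overwritten by the later memset/assignment anyway, so harmless today, but the guard should read `#ifdef HAS_SA_LEN` so the intent is not misleading. In the `default:` case `bind_var = VAR_SMTP_BIND_ADDR;` pairs an LMTP value (var_lmtp_bind_addr) with the SMTP parameter name, so a rejected address would be reported under the wrong main.cf parameter; `bind_var = VAR_LMTP_BIND_ADDR;` is the matching name. `addr6_ptr` is only freed on the forced-bind path: when the configured IPv6 value is not bracketed, bind_addr stays empty, control takes the lmtp_virtual_bind() branch and the mystrdup() copy leaks, so the `myfree(addr6_ptr)` belongs after the if/else rather than inside the first branch. The function's declarations are in the preceding hunk.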
+diff -urNad postfix-release/src/lmtp/lmtp_sasl_glue.c /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp_sasl_glue.c
+--- postfix-release/src/lmtp/lmtp_sasl_glue.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp_sasl_glue.c 2005-02-03 10:22:13.062096241 -0700
+@@ -197,6 +197,16 @@
+ return (SASL_OK);
+ }
+
++static int lmtp_sasl_getpath(void * context, char ** path)
++{
++#if SASL_VERSION_MAJOR >= 2
++ *path = strdup("/etc/postfix/sasl:/usr/lib/sasl2");
++#else
++ *path = strdup("/etc/postfix/sasl:/usr/lib/sasl");
++#endif
++ return SASL_OK;
++}
++
+ /* lmtp_sasl_get_user - username lookup call-back routine */
+
+ static int lmtp_sasl_get_user(void *context, int unused_id, const char **result,
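Review bot: The `strdup()` result in lmtp_sasl_getpath() is unchecked, so on allocation failure `*path` is NULL while SASL_OK is still returned; the rest of this file allocates through mystrdup(), which aborts rather than returning NULL, and since the value is a constant a static string would need no allocation at all. Nothing here frees the copy, so unless libsasl takes ownership of the string (not visible from this hunk) each invocation of the callback leaks it. The path also puts `/etc/postfix/sasl` ahead of the system plugin directory, which makes that directory's ownership and permissions part of what code the LMTP client can load; a comment such as `/* plugin search path: /etc/postfix/sasl must stay root-owned and not writable by others */` next to the literal would make that dependency explicit for packagers.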
+@@ -298,6 +308,7 @@
+ */
+ static sasl_callback_t callbacks[] = {
+ {SASL_CB_LOG, &lmtp_sasl_log, 0},
++ {SASL_CB_GETPATH,&lmtp_sasl_getpath, 0},
+ {SASL_CB_LIST_END, 0, 0}
+ };
+
+diff -urNad postfix-release/src/master/master_ent.c /tmp/dpep.cXJuVH/postfix-release/src/master/master_ent.c
+--- postfix-release/src/master/master_ent.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/master/master_ent.c 2005-02-03 10:22:13.063096018 -0700
+@@ -86,6 +86,10 @@
+ #include <inet_addr_list.h>
+ #include <inet_util.h>
+ #include <inet_addr_host.h>
++#include <inet_interfaces_to_af.h>
++#ifdef INET6
++#include <wildcard_inet_addr.h>
++#endif
+
+ /* Global library. */
+
+@@ -235,6 +239,7 @@
+ char *bufp;
+ char *atmp;
+ static char *saved_interfaces = 0;
++ int af;
+
+ if (master_fp == 0)
+ msg_panic("get_master_ent: config file not open");
+@@ -308,11 +313,12 @@
+ VSTREAM_PATH(master_fp), master_line, host);
+ inet_addr_list_uniq(MASTER_INET_ADDRLIST(serv));
+ serv->listen_fd_count = MASTER_INET_ADDRLIST(serv)->used;
+- } else if (strcasecmp(saved_interfaces, DEF_INET_INTERFACES) == 0) {
+- MASTER_INET_ADDRLIST(serv) = 0; /* wild-card */
+- serv->listen_fd_count = 1;
+ } else {
+- MASTER_INET_ADDRLIST(serv) = own_inet_addr_list(); /* virtual */
++ af = inet_interfaces_to_af(var_inet_interfaces);
++ MASTER_INET_ADDRLIST(serv) =
++ strcasecmp(saved_interfaces, INET_INTERFACES_ALL) ?
++ own_inet_addr_list() : /* virtual */
++ wildcard_inet_addr_list(af); /* wild-card */
+ inet_addr_list_uniq(MASTER_INET_ADDRLIST(serv));
+ serv->listen_fd_count = MASTER_INET_ADDRLIST(serv)->used;
+ }
+diff -urNad postfix-release/src/master/master_listen.c /tmp/dpep.cXJuVH/postfix-release/src/master/master_listen.c
+--- postfix-release/src/master/master_listen.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/master/master_listen.c 2005-02-03 10:22:13.063096018 -0700
+@@ -64,13 +64,22 @@
+
+ #include "master.h"
+
++#ifdef INET6
++#include <netdb.h>
++#include <stdio.h>
++#endif
++
+ /* master_listen_init - enable connection requests */
+
+ void master_listen_init(MASTER_SERV *serv)
+ {
+ char *myname = "master_listen_init";
+ char *end_point;
+- int n;
++ int n,m,tmpfd;
++#ifdef INET6
++ char hbuf[NI_MAXHOST];
++ SOCKADDR_SIZE salen;
++#endif
+
+ /*
+ * Find out what transport we should use, then create one or more
+@@ -111,18 +120,31 @@
+ serv->listen_fd[0] =
+ inet_listen(MASTER_INET_PORT(serv),
+ serv->max_proc > var_proc_limit ?
+- serv->max_proc : var_proc_limit, NON_BLOCKING);
++ serv->max_proc : var_proc_limit, NON_BLOCKING, 1);
+ close_on_exec(serv->listen_fd[0], CLOSE_ON_EXEC);
+ } else { /* virtual or host:port */
+- for (n = 0; n < serv->listen_fd_count; n++) {
++ for (m = n = 0; n < serv->listen_fd_count; n++) {
++#ifdef INET6
++ if (getnameinfo((struct sockaddr *)&MASTER_INET_ADDRLIST(serv)->addrs[n],
++ SA_LEN((struct sockaddr *)&MASTER_INET_ADDRLIST(serv)->addrs[n]),
++ hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST)) {
++ strncpy(hbuf, "?????", sizeof(hbuf));
++ }
++ end_point = concatenate(hbuf, ":", MASTER_INET_PORT(serv), (char *) 0);
++#else
+ end_point = concatenate(inet_ntoa(MASTER_INET_ADDRLIST(serv)->addrs[n]),
+ ":", MASTER_INET_PORT(serv), (char *) 0);
+- serv->listen_fd[n]
++#endif
++ tmpfd
+ = inet_listen(end_point, serv->max_proc > var_proc_limit ?
+- serv->max_proc : var_proc_limit, NON_BLOCKING);
+- close_on_exec(serv->listen_fd[n], CLOSE_ON_EXEC);
++ serv->max_proc : var_proc_limit, NON_BLOCKING, 0);
++ if (tmpfd >= 0) {
++ serv->listen_fd[m] = tmpfd;
++ close_on_exec(serv->listen_fd[m++], CLOSE_ON_EXEC);
++ }
+ myfree(end_point);
+ }
++ serv->listen_fd_count=m;
+ }
+ break;
+ default:
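Review bot: A failing `inet_listen()` is now dropped silently: when `tmpfd < 0` the address is skipped and `listen_fd_count` is reduced to `m`, but nothing is logged, so a service bound to fewer addresses than configured, or to none at all when `m` stays 0, looks exactly like a healthy one. Whether the new trailing `0` argument is what makes inet_listen() non-fatal is not visible here, but the skip branch needs at least `else msg_warn("%s: cannot listen on %s", myname, end_point);` and a `msg_fatal()` after the loop when `m == 0`. The switch this code sits in continues outside the hunk.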
+diff -urNad postfix-release/src/qmqpd/qmqpd_peer.c /tmp/dpep.cXJuVH/postfix-release/src/qmqpd/qmqpd_peer.c
+--- postfix-release/src/qmqpd/qmqpd_peer.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/qmqpd/qmqpd_peer.c 2005-02-03 10:22:13.064095795 -0700
+@@ -70,16 +70,23 @@
+ )
+ #endif
+
++#ifdef INET6
++#define GAI_STRERROR(error) \
++ ((error = EAI_SYSTEM) ? gai_strerror(error) : strerror(errno))
++#endif
++
+ /* Utility library. */
+
+ #include <msg.h>
+ #include <mymalloc.h>
+ #include <valid_hostname.h>
+ #include <stringops.h>
++#ifdef INET6
++#include <inet_addr_list.h> /* for NI_WITHSCOPEID */
++#endif
+
+ /* Global library. */
+
+-
+ /* Application-specific. */
+
+ #include "qmqpd.h"
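Review bot: The GAI_STRERROR macro uses `=` where `==` is intended, so `error` is overwritten with EAI_SYSTEM each time the macro expands, the condition is always true, and gai_strerror() is returned even for the genuine EAI_SYSTEM case where strerror(errno) is the useful text. The two branches are also swapped relative to the same macro added to smtp_connect.c later in this patch, which reads `((error == EAI_SYSTEM) ? strerror(errno) : gai_strerror(error))`; this file should use that form so the macro has no side effect on its argument and both files log the same way.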
+@@ -88,16 +95,24 @@
+
+ void qmqpd_peer_init(QMQPD_STATE *state)
+ {
+- struct sockaddr_in sin;
+- SOCKADDR_SIZE len = sizeof(sin);
++ char *myname = "qmqpd_peer_init";
++#ifdef INET6
++ struct sockaddr_storage ss;
++#else
++ struct sockaddr ss;
++ struct in_addr *in;
+ struct hostent *hp;
+- int i;
++#endif
++ struct sockaddr *sa;
++ SOCKADDR_SIZE len;
++
++ sa = (struct sockaddr *)&ss;
++ len = sizeof(ss);
+
+ /*
+ * Look up the peer address information.
+ */
+- if (getpeername(vstream_fileno(state->client),
+- (struct sockaddr *) & sin, &len) >= 0) {
++ if (getpeername(vstream_fileno(state->client), sa, &len) >= 0) {
+ errno = 0;
+ }
+
+@@ -112,16 +127,71 @@
+ /*
+ * Look up and "verify" the client hostname.
+ */
+- else if (errno == 0 && sin.sin_family == AF_INET) {
+- state->addr = mystrdup(inet_ntoa(sin.sin_addr));
+- hp = gethostbyaddr((char *) &(sin.sin_addr),
+- sizeof(sin.sin_addr), AF_INET);
+- if (hp == 0) {
++ else if (errno == 0 && (sa->sa_family == AF_INET
++#ifdef INET6
++ || sa->sa_family == AF_INET6
++#endif
++ )) {
++#ifdef INET6
++ char hbuf[NI_MAXHOST];
++ char abuf[NI_MAXHOST];
++ char rabuf[NI_MAXHOST];
++ struct addrinfo hints, *res0 = NULL, *res;
++ char *colonp;
++#else
++ char abuf[sizeof("255.255.255.255") + 1];
++ char *hbuf;
++#endif
++ int error = -1;
++
++#ifdef INET6
++ error = getnameinfo(sa, len, abuf, sizeof(abuf), NULL, 0,
++ NI_NUMERICHOST | NI_WITHSCOPEID);
++ if (error)
++ msg_fatal("%s: numeric getnameinfo lookup for peer: error %s",
++ myname, GAI_STRERROR(error));
++ /*
++ * Convert IPv4-mapped IPv6 address to 'true' IPv4 address
++ * early on. We have no need for the mapped form in logging
++ * or access checks.
++ */
++ if (sa->sa_family == AF_INET6
++ && IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)sa)->sin6_addr)
++ && (colonp = strrchr(abuf, ':')) != NULL) {
++ if (msg_verbose > 1)
++ msg_info("%s: rewriting V4-mapped address \"%s\" to \"%s\"",
++ myname, abuf, colonp + 1);
++ state->addr = mystrdup(colonp + 1);
++ } else {
++ state->addr = mystrdup(abuf);
++ }
++
++ error = getnameinfo(sa, len, hbuf, sizeof(hbuf), NULL, 0, NI_NAMEREQD);
++#else
++ in = &((struct sockaddr_in *)sa)->sin_addr;
++ inet_ntop(AF_INET, in, abuf, sizeof(abuf));
++ state->addr = mystrdup(abuf);
++ hbuf = NULL;
++ hp = gethostbyaddr((char *)in, sizeof(*in), AF_INET);
++ if (hp) {
++ error = 0;
++ hbuf = mystrdup(hp->h_name);
+ state->name = mystrdup(CLIENT_ATTR_UNKNOWN);
+- } else if (!valid_hostname(hp->h_name, DONT_GRIPE)) {
++ } else {
++ error = 1;
++ }
++#endif
++ if (error) {
++ state->name = mystrdup(CLIENT_ATTR_UNKNOWN);
++#ifdef INET6
++ if (error != EAI_NONAME)
++ msg_warn("%s: getnameinfo(%s,,,,,,NI_NAMEREQD) error %s",
++ myname, abuf, GAI_STRERROR(error));
++#endif
++ } else if (!valid_hostname(hbuf, DONT_GRIPE)) {
+ state->name = mystrdup(CLIENT_ATTR_UNKNOWN);
+ } else {
+- state->name = mystrdup(hp->h_name); /* hp->name is clobbered!! */
++ state->name = mystrdup(hbuf);
+
+ /*
+ * Reject the hostname if it does not list the peer address.
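Review bot: In the non-INET6 branch the line `state->name = mystrdup(CLIENT_ATTR_UNKNOWN);` now sits inside `if (hp) {`; it was the failure assignment of the original `if (hp == 0)` block and survived the rewrite as a context line, so on a successful reverse lookup state->name is allocated here and then allocated again from hbuf further down, leaking the first copy. The line should be deleted; the `if (error)` branch below already assigns the unknown name. In the same branch `hbuf = mystrdup(hp->h_name)` is never released, whereas under INET6 hbuf is a stack array, so the #else path needs its own `myfree(hbuf)` once state->name has been set. The else-if body this code belongs to continues in the next hunk.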
+@@ -131,16 +201,52 @@
+ state->name = mystrdup(CLIENT_ATTR_UNKNOWN); \
+ }
+
++#ifdef INET6
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = AF_UNSPEC;
++ hints.ai_socktype = SOCK_STREAM;
++ error = getaddrinfo(state->name, NULL, &hints, &res0);
++ if (error) {
++ msg_warn("%s: hostname %s verification failed: %s",
++ state->addr, state->name, GAI_STRERROR(error));
++ REJECT_PEER_NAME(state);
++ } else {
++ for (res = res0; res; res = res->ai_next) {
++ if (res->ai_family != sa->sa_family)
++ continue;
++ error = getnameinfo(res->ai_addr, res->ai_addrlen,
++ rabuf, sizeof(rabuf), NULL, 0,
++ NI_NUMERICHOST | NI_WITHSCOPEID);
++ if (error) {
++ msg_warn("%s: %s: hostname %s verification failed: %s",
++ myname, state->addr, state->name,
++ GAI_STRERROR(error));
++ REJECT_PEER_NAME(state);
++ break;
++ }
++ if (strcmp(state->addr, rabuf) == 0)
++ break; /* keep peer name */
++ }
++ if (res == NULL) {
++ msg_warn("%s: %s: address not listed for hostname %s",
++ myname, state->addr, state->name);
++ REJECT_PEER_NAME(state);
++ }
++ }
++ if (res0)
++ freeaddrinfo(res0);
++#else
+ hp = gethostbyname(state->name); /* clobbers hp->name!! */
+ if (hp == 0) {
+ msg_warn("%s: hostname %s verification failed: %s",
+ state->addr, state->name, HSTRERROR(h_errno));
+ REJECT_PEER_NAME(state);
+- } else if (hp->h_length != sizeof(sin.sin_addr)) {
++ } else if (hp->h_length != sizeof(*in)) {
+ msg_warn("%s: hostname %s verification failed: bad address size %d",
+ state->addr, state->name, hp->h_length);
+ REJECT_PEER_NAME(state);
+ } else {
++ int i;
+ for (i = 0; /* void */ ; i++) {
+ if (hp->h_addr_list[i] == 0) {
+ msg_warn("%s: address not listed for hostname %s",
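Review bot: For a peer that connected as an IPv4-mapped IPv6 address the verification loop cannot succeed as written: state->addr was rewritten to the plain dotted-quad text in the previous hunk, but the loop skips every getaddrinfo() result whose family differs from `sa->sa_family` (AF_INET6), and the AAAA results it does compare never equal a dotted-quad string, so such clients always end in REJECT_PEER_NAME unless the resolver returns mapped AAAA entries. That fails closed, but it also means hostname-based access decisions never see a verified name for these clients. Remembering the rewrite (a flag set next to the `mystrdup(colonp + 1)` above) and accepting `res->ai_family == AF_INET` results in that case would restore the check. The enclosing else block begins in the previous hunk.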
+@@ -148,12 +254,12 @@
+ REJECT_PEER_NAME(state);
+ break;
+ }
+- if (memcmp(hp->h_addr_list[i],
+- (char *) &sin.sin_addr,
+- sizeof(sin.sin_addr)) == 0)
++ if (memcmp(hp->h_addr_list[i], (char *)in,
++ sizeof(*in)) == 0)
+ break; /* keep peer name */
+ }
+ }
++#endif
+ }
+ }
+
+diff -urNad postfix-release/src/smtp/Makefile.in /tmp/dpep.cXJuVH/postfix-release/src/smtp/Makefile.in
+--- postfix-release/src/smtp/Makefile.in 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/Makefile.in 2005-02-03 10:22:13.064095795 -0700
+@@ -77,6 +77,7 @@
+ smtp.o: ../../include/debug_peer.h
+ smtp.o: ../../include/flush_clnt.h
+ smtp.o: ../../include/mail_server.h
++smtp.o: ../../include/pfixtls.h
+ smtp.o: smtp.h
+ smtp.o: smtp_sasl.h
+ smtp_addr.o: smtp_addr.c
+@@ -96,6 +97,7 @@
+ smtp_addr.o: ../../include/argv.h
+ smtp_addr.o: ../../include/deliver_request.h
+ smtp_addr.o: ../../include/recipient_list.h
++smtp_addr.o: ../../include/pfixtls.h
+ smtp_addr.o: smtp_addr.h
+ smtp_chat.o: smtp_chat.c
+ smtp_chat.o: ../../include/sys_defs.h
+@@ -116,6 +118,7 @@
+ smtp_chat.o: ../../include/cleanup_user.h
+ smtp_chat.o: ../../include/mail_error.h
+ smtp_chat.o: ../../include/name_mask.h
++smtp_chat.o: ../../include/pfixtls.h
+ smtp_chat.o: smtp.h
+ smtp_connect.o: smtp_connect.c
+ smtp_connect.o: ../../include/sys_defs.h
+@@ -142,8 +145,12 @@
+ smtp_connect.o: ../../include/mail_error.h
+ smtp_connect.o: ../../include/name_mask.h
+ smtp_connect.o: ../../include/dns.h
++smtp_connect.o: ../../include/pfixtls.h
++smtp_connect.o: ../../include/get_port.h
+ smtp_connect.o: smtp.h
+ smtp_connect.o: ../../include/argv.h
++smtp_connect.o: ../../include/deliver_request.h
++smtp_connect.o: ../../include/recipient_list.h
+ smtp_connect.o: smtp_addr.h
+ smtp_proto.o: smtp_proto.c
+ smtp_proto.o: ../../include/sys_defs.h
+@@ -168,12 +175,14 @@
+ smtp_proto.o: ../../include/rec_type.h
+ smtp_proto.o: ../../include/off_cvt.h
+ smtp_proto.o: ../../include/mark_corrupt.h
++smtp_proto.o: ../../include/pfixtls.h
+ smtp_proto.o: ../../include/quote_821_local.h
+ smtp_proto.o: ../../include/quote_flags.h
+ smtp_proto.o: ../../include/mail_proto.h
+ smtp_proto.o: ../../include/attr.h
+ smtp_proto.o: ../../include/mime_state.h
+ smtp_proto.o: ../../include/header_opts.h
++smtp_proto.o: ../../include/pfixtls.h
+ smtp_proto.o: smtp.h
+ smtp_proto.o: ../../include/argv.h
+ smtp_proto.o: smtp_sasl.h
+@@ -231,9 +240,12 @@
+ smtp_session.o: ../../include/stringops.h
+ smtp_session.o: ../../include/vstring.h
+ smtp_session.o: smtp.h
++smtp_session.o: ../../include/mail_params.h
++smtp_session.o: ../../include/pfixtls.h
+ smtp_session.o: ../../include/argv.h
+ smtp_session.o: ../../include/deliver_request.h
+ smtp_session.o: ../../include/recipient_list.h
++smtp_session.o: ../../include/maps.h
+ smtp_state.o: smtp_state.c
+ smtp_state.o: ../../include/sys_defs.h
+ smtp_state.o: ../../include/mymalloc.h
+@@ -247,6 +259,7 @@
+ smtp_state.o: ../../include/argv.h
+ smtp_state.o: ../../include/deliver_request.h
+ smtp_state.o: ../../include/recipient_list.h
++smtp_state.o: ../../include/pfixtls.h
+ smtp_state.o: smtp_sasl.h
+ smtp_trouble.o: smtp_trouble.c
+ smtp_trouble.o: ../../include/sys_defs.h
+@@ -266,6 +279,7 @@
+ smtp_trouble.o: ../../include/name_mask.h
+ smtp_trouble.o: smtp.h
+ smtp_trouble.o: ../../include/argv.h
++smtp_trouble.o: ../../include/pfixtls.h
+ smtp_unalias.o: smtp_unalias.c
+ smtp_unalias.o: ../../include/sys_defs.h
+ smtp_unalias.o: ../../include/htable.h
+@@ -278,3 +292,4 @@
+ smtp_unalias.o: ../../include/argv.h
+ smtp_unalias.o: ../../include/deliver_request.h
+ smtp_unalias.o: ../../include/recipient_list.h
++smtp_unalias.o: ../../include/pfixtls.h
+diff -urNad postfix-release/src/smtp/smtp_addr.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_addr.c
+--- postfix-release/src/smtp/smtp_addr.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_addr.c 2005-02-03 10:22:13.065095572 -0700
+@@ -46,11 +46,11 @@
+ /*
+ /* All routines either return a DNS_RR pointer, or return a null
+ /* pointer and set the \fIsmtp_errno\fR global variable accordingly:
+-/* .IP SMTP_RETRY
++/* .IP SMTP_ERR_RETRY
+ /* The request failed due to a soft error, and should be retried later.
+-/* .IP SMTP_FAIL
++/* .IP SMTP_ERR_FAIL
+ /* The request attempt failed due to a hard error.
+-/* .IP SMTP_LOOP
++/* .IP SMTP_ERR_LOOP
+ /* The local machine is the best mail exchanger.
+ /* .PP
+ /* In addition, a textual description of the problem is made available
+@@ -132,18 +132,74 @@
+ static void smtp_print_addr(char *what, DNS_RR *addr_list)
+ {
+ DNS_RR *addr;
+- struct in_addr in_addr;
++#ifdef INET6
++ struct sockaddr_storage ss;
++#else
++ struct sockaddr ss;
++#endif
++ struct sockaddr_in *sin;
++#ifdef INET6
++ struct sockaddr_in6 *sin6;
++ char hbuf[NI_MAXHOST];
++#else
++ char hbuf[sizeof("255.255.255.255") + 1];
++#endif
+
+ msg_info("begin %s address list", what);
+ for (addr = addr_list; addr; addr = addr->next) {
+- if (addr->data_len > sizeof(addr)) {
+- msg_warn("skipping address length %d", addr->data_len);
+- } else {
+- memcpy((char *) &in_addr, addr->data, sizeof(in_addr));
+- msg_info("pref %4d host %s/%s",
+- addr->pref, addr->name,
+- inet_ntoa(in_addr));
++ if (
++#ifdef INET6
++ addr->class && addr->class != C_IN
++#else
++ addr->class != C_IN
++#endif
++ ) {
++ msg_warn("skipping unsupported address (class=%u)", addr->class);
++ continue;
+ }
++ switch (addr->type) {
++ case T_A:
++ if (addr->data_len != sizeof(sin->sin_addr)) {
++ msg_warn("skipping invalid address (AAAA, len=%u)",
++ addr->data_len);
++ continue;
++ }
++ sin = (struct sockaddr_in *)&ss;
++ memset(sin, 0, sizeof(*sin));
++ sin->sin_family = AF_INET;
++#ifdef HAS_SA_LEN
++ sin->sin_len = sizeof(*sin);
++#endif
++ memcpy(&sin->sin_addr, addr->data, sizeof(sin->sin_addr));
++ break;
++#ifdef INET6
++ case T_AAAA:
++ if (addr->data_len != sizeof(sin6->sin6_addr)) {
++ msg_warn("skipping invalid address (AAAA, len=%u)",
++ addr->data_len);
++ continue;
++ }
++ sin6 = (struct sockaddr_in6 *)&ss;
++ memset(sin6, 0, sizeof(*sin6));
++ sin6->sin6_family = AF_INET6;
++#ifdef HAS_SA_LEN
++ sin6->sin6_len = sizeof(*sin6);
++#endif
++ memcpy(&sin6->sin6_addr, addr->data, sizeof(sin6->sin6_addr));
++ break;
++#endif
++ default:
++ msg_warn("skipping unsupported address (type=%u)", addr->type);
++ continue;
++ }
++
++#ifdef INET6
++ (void)getnameinfo((struct sockaddr *)&ss, SS_LEN(ss),
++ hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST);
++#else
++ (void)inet_ntop(AF_INET, &sin->sin_addr, hbuf, sizeof(hbuf));
++#endif
++ msg_info("pref %4d host %s/%s", addr->pref, addr->name, hbuf);
+ }
+ msg_info("end %s address list", what);
+ }
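Review bot: The `getnameinfo()` return value is discarded and hbuf is never initialized, so a conversion failure prints whatever was on the stack into the log line; master_listen.c in this same patch handles the identical call with `strncpy(hbuf, "?????", sizeof(hbuf));` on error, and this function should do the same. The warning in the `T_A` case reads `(AAAA, len=%u)`; it should say `A` so the two messages can be told apart in logs. The inet_ntop() return in the #else path is discarded as well, though with a fixed 17-byte buffer only the INET6 path can actually leave hbuf unset.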
+@@ -153,15 +209,23 @@
+ static DNS_RR *smtp_addr_one(DNS_RR *addr_list, char *host, unsigned pref, VSTRING *why)
+ {
+ char *myname = "smtp_addr_one";
++#ifndef INET6
+ struct in_addr inaddr;
+- DNS_FIXED fixed;
+ DNS_RR *addr = 0;
+ DNS_RR *rr;
+ struct hostent *hp;
++#else
++ struct addrinfo hints, *res0, *res;
++ int error = -1;
++ char *addr;
++ size_t addrlen;
++#endif
++ DNS_FIXED fixed;
+
+ if (msg_verbose)
+ msg_info("%s: host %s", myname, host);
+
++#ifndef INET6
+ /*
+ * Interpret a numerical name as an address.
+ */
+@@ -228,6 +292,49 @@
+ /*
+ * No further alternatives for host lookup.
+ */
++#else
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = PF_UNSPEC;
++ hints.ai_socktype = SOCK_STREAM;
++ error = getaddrinfo(host, NULL, &hints, &res0);
++ if (error) {
++ switch (error) {
++ case EAI_AGAIN:
++ smtp_errno = SMTP_ERR_RETRY;
++ break;
++ default:
++ vstring_sprintf(why, "[%s]: %s", host,gai_strerror(error));
++ if (smtp_errno != SMTP_ERR_RETRY)
++ smtp_errno = SMTP_ERR_FAIL;
++ break;
++ }
++ return (addr_list);
++ }
++ for (res = res0; res; res = res->ai_next) {
++ memset((char *) &fixed, 0, sizeof(fixed));
++ switch (res->ai_family) {
++ case AF_INET6:
++ /* XXX not scope friendly */
++ fixed.type = T_AAAA;
++ addr = (char *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
++ addrlen = sizeof(struct in6_addr);
++ break;
++ case AF_INET:
++ fixed.type = T_A;
++ addr = (char *)&((struct sockaddr_in *)res->ai_addr)->sin_addr;
++ addrlen = sizeof(struct in_addr);
++ break;
++ default:
++ msg_warn("%s: unknown address family %d for %s",
++ myname, res->ai_family, host);
++ continue;
++ }
++ addr_list = dns_rr_append(addr_list,
++ dns_rr_create(host, &fixed, pref, addr, addrlen));
++ }
++ if (res0)
++ freeaddrinfo(res0);
++#endif
+ return (addr_list);
+ }
+
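Review bot: On `EAI_AGAIN` the new getaddrinfo() branch sets smtp_errno to SMTP_ERR_RETRY but leaves `why` untouched, while every other failure in the switch writes a reason, so the caller may report an empty or stale explanation for the deferral. Adding `vstring_sprintf(why, "[%s]: %s", host, gai_strerror(error));` before the `break` in that case keeps the two paths consistent. The function's head and the IPv4-only lookup this replaces are in the preceding hunks.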
+@@ -265,6 +372,9 @@
+ INET_ADDR_LIST *proxy;
+ DNS_RR *addr;
+ int i;
++#ifdef INET6
++ struct sockaddr *sa;
++#endif
+
+ #define INADDRP(x) ((struct in_addr *) (x))
+
+@@ -272,27 +382,75 @@
+ proxy = proxy_inet_addr_list();
+
+ for (addr = addr_list; addr; addr = addr->next) {
+-
+ /*
+ * Find out if this mail system is listening on this address.
+ */
+- for (i = 0; i < self->used; i++)
++ for (i = 0; i < self->used; i++) {
++#ifdef INET6
++ sa = (struct sockaddr *)&self->addrs[i];
++ switch(addr->type) {
++ case T_AAAA:
++ /* XXX scope */
++ if (sa->sa_family != AF_INET6)
++ break;
++ if (memcmp(&((struct sockaddr_in6 *)sa)->sin6_addr,
++ addr->data, sizeof(struct in6_addr)) == 0) {
++ return(addr);
++ }
++ break;
++ case T_A:
++ if (sa->sa_family != AF_INET)
++ break;
++ if (memcmp(&((struct sockaddr_in *)sa)->sin_addr,
++ addr->data, sizeof(struct in_addr)) == 0) {
++ return(addr);
++ }
++ break;
++ }
++#else
+ if (INADDRP(addr->data)->s_addr == self->addrs[i].s_addr) {
+ if (msg_verbose)
+ msg_info("%s: found self at pref %d", myname, addr->pref);
+ return (addr);
+ }
++#endif
++ }
++ }
+
++ for (addr = addr_list; addr; addr = addr->next) {
+ /*
+ * Find out if this mail system has a proxy listening on this
+ * address.
+ */
+ for (i = 0; i < proxy->used; i++)
++#ifdef INET6
++ sa = (struct sockaddr *)&proxy->addrs[i];
++ switch(addr->type) {
++ case T_AAAA:
++ /* XXX scope */
++ if (sa->sa_family != AF_INET6)
++ break;
++ if (memcmp(&((struct sockaddr_in6 *)sa)->sin6_addr,
++ addr->data, sizeof(struct in6_addr)) == 0) {
++ return(addr);
++ }
++ break;
++ case T_A:
++ if (sa->sa_family != AF_INET)
++ break;
++ if (memcmp(&((struct sockaddr_in *)sa)->sin_addr,
++ addr->data, sizeof(struct in_addr)) == 0) {
++ return(addr);
++ }
++ break;
++ }
++#else
+ if (INADDRP(addr->data)->s_addr == proxy->addrs[i].s_addr) {
+ if (msg_verbose)
+ msg_info("%s: found proxy at pref %d", myname, addr->pref);
+ return (addr);
+ }
++#endif
+ }
+
+ /*
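Review bot: The proxy loop `for (i = 0; i < proxy->used; i++)` has no braces, so under INET6 only the `sa = ...` assignment is repeated; the `switch` that follows runs once after the loop with `i == proxy->used`, compares only the last proxy address, and when the proxy list is empty `sa` still points at the last self-list entry (or is uninitialized when both lists are empty) before being dereferenced. The self loop above was given braces in this hunk; the proxy loop needs the same: `for (i = 0; i < proxy->used; i++) {` and a closing `}` after the `#endif`. The INET6 cases also dropped the verbose `found self` / `found proxy` log lines that the IPv4 path keeps, which makes the address-selection path harder to audit from logs. The function starts in the previous hunk.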
+@@ -333,6 +491,29 @@
+ return (a->pref - b->pref);
+ }
+
++#ifdef INET6
++static int smtp_compare_pref_aaaa_first(DNS_RR *a, DNS_RR *b)
++{
++ if (a->pref != b->pref)
++ return (a->pref - b->pref);
++ if (a->type == T_AAAA)
++ return -1;
++ else if (b->type == T_AAAA)
++ return 1;
++ return 0;
++}
++
++static int smtp_compare_host_aaaa_first(DNS_RR *a, DNS_RR *b)
++{
++ if (a->type == b->type)
++ return 0;
++ if (a->type == T_AAAA)
++ return -1;
++ return 1;
++}
++
++#endif
++
+ /* smtp_domain_addr - mail exchanger address lookup */
+
+ DNS_RR *smtp_domain_addr(char *name, int misc_flags, VSTRING *why)
+@@ -440,7 +621,11 @@
+ }
+ if (addr_list && addr_list->next && var_smtp_rand_addr) {
+ addr_list = dns_rr_shuffle(addr_list);
++#ifdef INET6
++ addr_list = dns_rr_sort(addr_list, smtp_compare_pref_aaaa_first);
++#else
+ addr_list = dns_rr_sort(addr_list, smtp_compare_pref);
++#endif
+ }
+ break;
+ case DNS_NOTFOUND:
+@@ -478,6 +663,10 @@
+ }
+ if (addr_list && addr_list->next && var_smtp_rand_addr)
+ addr_list = dns_rr_shuffle(addr_list);
++#ifdef INET6
++ if (addr_list && addr_list->next)
++ addr_list = dns_rr_sort(addr_list, smtp_compare_host_aaaa_first);
++#endif
+ if (msg_verbose)
+ smtp_print_addr(host, addr_list);
+ return (addr_list);
+diff -urNad postfix-release/src/smtp/smtp.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp.c
+--- postfix-release/src/smtp/smtp.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp.c 2005-02-03 10:22:13.065095572 -0700
+@@ -225,6 +225,9 @@
+ /* .IP "\fBsmtp_bind_address (empty)\fR"
+ /* An optional numerical network address that the SMTP client should
+ /* bind to when making a connection.
++/* .IP "\fBsmtp_bind_address6 (empty)\fR"
++/* An optional numerical IPv6 network address that the SMTP client should
++/* bind to when making a connection.
+ /* .IP "\fBsmtp_helo_name ($myhostname)\fR"
+ /* The hostname to send in the SMTP EHLO or HELO command.
+ /* .IP "\fBsmtp_host_lookup (dns)\fR"
+@@ -284,6 +287,9 @@
+ #include <mail_conf.h>
+ #include <debug_peer.h>
+ #include <flush_clnt.h>
++#ifdef USE_TLS
++#include <pfixtls.h>
++#endif
+
+ /* Single server skeleton. */
+
+@@ -322,6 +328,7 @@
+ char *var_smtp_sasl_passwd;
+ bool var_smtp_sasl_enable;
+ char *var_smtp_bind_addr;
++char *var_smtp_bind_addr6;
+ bool var_smtp_rand_addr;
+ int var_smtp_pix_thresh;
+ int var_smtp_pix_delay;
+@@ -333,6 +340,19 @@
+ bool var_smtp_send_xforward;
+ int var_smtp_mxaddr_limit;
+ int var_smtp_mxsess_limit;
++#ifdef USE_TLS
++bool var_smtp_use_tls;
++bool var_smtp_enforce_tls;
++char *var_smtp_tls_per_site;
++#ifdef USE_SSL
++int var_smtp_starttls_tmout;
++char *var_smtp_sasl_tls_opts;
++char *var_smtp_sasl_tls_verified_opts;
++bool var_smtp_tls_enforce_peername;
++int var_smtp_tls_scert_vd;
++bool var_smtp_tls_note_starttls_offer;
++#endif
++#endif
+
+ /*
+ * Global variables. smtp_errno is set by the address lookup routines and by
+@@ -453,6 +473,18 @@
+ msg_warn("%s is true, but SASL support is not compiled in",
+ VAR_SMTP_SASL_ENABLE);
+ #endif
++#ifdef USE_TLS
++ /*
++ * Initialize the TLS data before entering the chroot jail
++ */
++ if (var_smtp_use_tls || var_smtp_enforce_tls || var_smtp_tls_per_site[0])
++#ifdef USE_SSL
++ pfixtls_init_clientengine(var_smtp_tls_scert_vd);
++#else
++ msg_warn("TLS has been selected, but TLS support is not compiled in");
++#endif
++ smtp_tls_list_init();
++#endif
+
+ /*
+ * Flush client.
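Review bot: When TLS is requested but USE_SSL is not compiled in, the new block only warns and continues, so an operator who sets smtp_enforce_tls expecting mandatory encryption gets cleartext delivery; as far as this hunk shows nothing downstream refuses to deliver. The `#else` branch should fail closed for the enforcement case, e.g. `if (var_smtp_enforce_tls) msg_fatal("%s is true, but TLS support is not compiled in", VAR_SMTP_ENFORCE_TLS);`, keeping the warning for the opportunistic settings; the SASL check just above gets away with a warning because it makes no security promise. Note also that the `if` governs only the `#ifdef` statement, so `smtp_tls_list_init()` runs unconditionally; if that is intended, a comment such as `/* NOTE: not inside the if above - runs even when no TLS option is set */` would stop the next reader from "fixing" it.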
+@@ -493,9 +525,19 @@
+ VAR_ERROR_RCPT, DEF_ERROR_RCPT, &var_error_rcpt, 1, 0,
+ VAR_SMTP_SASL_PASSWD, DEF_SMTP_SASL_PASSWD, &var_smtp_sasl_passwd, 0, 0,
+ VAR_SMTP_SASL_OPTS, DEF_SMTP_SASL_OPTS, &var_smtp_sasl_opts, 0, 0,
++#ifdef USE_TLS
++#ifdef USE_SSL
++ VAR_SMTP_SASL_TLS_OPTS, DEF_SMTP_SASL_TLS_OPTS, &var_smtp_sasl_tls_opts, 0, 0,
++ VAR_SMTP_SASL_TLSV_OPTS, DEF_SMTP_SASL_TLSV_OPTS, &var_smtp_sasl_tls_verified_opts, 0, 0,
++#endif
++#endif
+ VAR_SMTP_BIND_ADDR, DEF_SMTP_BIND_ADDR, &var_smtp_bind_addr, 0, 0,
++ VAR_SMTP_BIND_ADDR6, DEF_SMTP_BIND_ADDR6, &var_smtp_bind_addr6, 0, 0,
+ VAR_SMTP_HELO_NAME, DEF_SMTP_HELO_NAME, &var_smtp_helo_name, 1, 0,
+ VAR_SMTP_HOST_LOOKUP, DEF_SMTP_HOST_LOOKUP, &var_smtp_host_lookup, 1, 0,
++#ifdef USE_TLS
++ VAR_SMTP_TLS_PER_SITE, DEF_SMTP_TLS_PER_SITE, &var_smtp_tls_per_site, 0, 0,
++#endif
+ 0,
+ };
+ static CONFIG_TIME_TABLE time_table[] = {
+@@ -511,12 +553,22 @@
+ VAR_SMTP_QUIT_TMOUT, DEF_SMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0,
+ VAR_SMTP_PIX_THRESH, DEF_SMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0,
+ VAR_SMTP_PIX_DELAY, DEF_SMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0,
++#ifdef USE_TLS
++#ifdef USE_SSL
++ VAR_SMTP_STARTTLS_TMOUT, DEF_SMTP_STARTTLS_TMOUT, &var_smtp_starttls_tmout, 1, 0,
++#endif
++#endif
+ 0,
+ };
+ static CONFIG_INT_TABLE int_table[] = {
+ VAR_SMTP_LINE_LIMIT, DEF_SMTP_LINE_LIMIT, &var_smtp_line_limit, 0, 0,
+ VAR_SMTP_MXADDR_LIMIT, DEF_SMTP_MXADDR_LIMIT, &var_smtp_mxaddr_limit, 0, 0,
+ VAR_SMTP_MXSESS_LIMIT, DEF_SMTP_MXSESS_LIMIT, &var_smtp_mxsess_limit, 0, 0,
++#ifdef USE_TLS
++#ifdef USE_SSL
++ VAR_SMTP_TLS_SCERT_VD, DEF_SMTP_TLS_SCERT_VD, &var_smtp_tls_scert_vd, 0, 0,
++#endif
++#endif
+ 0,
+ };
+ static CONFIG_BOOL_TABLE bool_table[] = {
+@@ -530,6 +582,14 @@
+ VAR_SMTP_QUOTE_821_ENV, DEF_SMTP_QUOTE_821_ENV, &var_smtp_quote_821_env,
+ VAR_SMTP_DEFER_MXADDR, DEF_SMTP_DEFER_MXADDR, &var_smtp_defer_mxaddr,
+ VAR_SMTP_SEND_XFORWARD, DEF_SMTP_SEND_XFORWARD, &var_smtp_send_xforward,
++#ifdef USE_TLS
++ VAR_SMTP_USE_TLS, DEF_SMTP_USE_TLS, &var_smtp_use_tls,
++ VAR_SMTP_ENFORCE_TLS, DEF_SMTP_ENFORCE_TLS, &var_smtp_enforce_tls,
++#ifdef USE_SSL
++ VAR_SMTP_TLS_ENFORCE_PN, DEF_SMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername,
++ VAR_SMTP_TLS_NOTEOFFER, DEF_SMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer,
++#endif
++#endif
+ 0,
+ };
+
+diff -urNad postfix-release/src/smtp/smtp_connect.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_connect.c
+--- postfix-release/src/smtp/smtp_connect.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_connect.c 2005-02-03 10:22:13.066095349 -0700
+@@ -46,6 +46,7 @@
+ /* System library. */
+
+ #include <sys_defs.h>
++#include <stdlib.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+@@ -86,37 +87,246 @@
+ #include <debug_peer.h>
+ #include <deliver_pass.h>
+ #include <mail_error.h>
++#ifdef USE_TLS
++#include <pfixtls.h>
++#endif
+
+ /* DNS library. */
+
+ #include <dns.h>
+
++#ifdef INET6
++#define GAI_STRERROR(error) \
++ ((error == EAI_SYSTEM) ? strerror(errno) : gai_strerror(error))
++#endif
++
+ /* Application-specific. */
+
+ #include "smtp.h"
+ #include "smtp_addr.h"
+
++/* smtp_force_bind: bind() address */
++
++static void smtp_force_bind(const char *bind_addr,
++ const char *bind_var,
++ int sock,
++ int af)
++{
++ /*
++ * If the bind() call fails, this is considered a non-fatal error.
++ * All address conversion errors are fatal.
++ */
++ char *myname = "smtp_force_bind";
++#ifdef INET6
++ char hbuf[NI_MAXHOST];
++ int aierr;
++ struct addrinfo hints, *res;
++
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = af;
++ hints.ai_socktype = SOCK_STREAM;
++ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
++ snprintf(hbuf, sizeof(hbuf), "%s", bind_addr);
++ aierr = getaddrinfo(hbuf, NULL, &hints, &res);
++ if (aierr == EAI_NONAME)
++ msg_fatal("%s: bad %s parameter: \"%s\"",
++ myname, bind_var, bind_addr);
++ if (aierr != 0) {
++ if (msg_verbose)
++ msg_warn("%s: getaddrinfo(%s): %s",
++ myname, hbuf, GAI_STRERROR(aierr));
++ return;
++ }
++ aierr = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, sizeof(hbuf),
++ NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
++ if (aierr != 0) {
++ msg_warn("%s: getnameinfo(): %s",
++ myname, GAI_STRERROR(aierr));
++ freeaddrinfo(res);
++ return;
++ }
++ if (bind(sock, res->ai_addr, res->ai_addrlen) < 0)
++ msg_warn("%s: bind %s: %m", myname, hbuf);
++ else if (msg_verbose)
++ msg_info("%s: bind %s", myname, hbuf);
++ freeaddrinfo(res);
++#else /* INET6 */
++ struct sockaddr_in sin;
++
++ memset(&sin, 0, sizeof(sin));
++ sin.sin_family = AF_INET;
++#ifdef HAS_SA_LEN
++ sin.sin_len = sizeof(sin);
++#endif
++ sin.sin_addr.s_addr = inet_addr(bind_addr);
++ if (sin.sin_addr.s_addr == INADDR_NONE) {
++ msg_fatal("%s: bad %s parameter: \"%s\"",
++ myname, bind_var, bind_addr);
++ return;
++ }
++ if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
++ msg_warn("%s: bind %s: %m", myname, inet_ntoa(sin.sin_addr));
++ else if (msg_verbose)
++ msg_info("%s: bind %s", myname, inet_ntoa(sin.sin_addr));
++#endif /* INET6 */
++}
++
++/* smtp_virtual_bind - bind() when acting as virtual host */
++
++static void smtp_virtual_bind(int sock, int af)
++{
++ char *myname = "smtp_virtual_bind";
++ INET_ADDR_LIST *addr_list;
++ int count;
++
++#ifdef INET6
++ int i, pos;
++ char hbuf[NI_MAXHOST];
++ int aierr;
++ struct sockaddr *sa;
++ struct addrinfo hints, *loopback = NULL, *res = NULL;
++
++ /*
++ * Check whether we are acting as a virtual host
++ */
++ count = 0;
++ pos = 0;
++ addr_list = own_inet_addr_list();
++ for (i = 0; count < 2 && i < addr_list->used; i++)
++ if (((struct sockaddr *)&addr_list->addrs[i])->sa_family == af)
++ count++, pos = i;
++ if (count != 1)
++ return;
++
++ /*
++ * Bind the source address.
++ */
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = af;
++ hints.ai_socktype = SOCK_STREAM;
++ aierr = getaddrinfo(NULL, "0", &hints, &loopback);
++ if (aierr != 0) {
++ loopback = NULL;
++ msg_warn("%s: getaddrinfo(\"0\"): %s",
++ myname, GAI_STRERROR(aierr));
++ }
++
++ sa = (struct sockaddr *)&addr_list->addrs[pos];
++ aierr = getnameinfo(sa, SA_LEN(sa), hbuf, sizeof(hbuf),
++ NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
++ if (aierr != 0)
++ msg_fatal("%s: getnameinfo() (AF=%d): %s",
++ myname, af, GAI_STRERROR(aierr));
++
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = af;
++ hints.ai_socktype = SOCK_STREAM;
++ hints.ai_flags = AI_NUMERICHOST | AI_PASSIVE;
++ aierr = getaddrinfo(hbuf, NULL, &hints, &res);
++ if (aierr != 0)
++ msg_fatal("%s: getaddrinfo(\"%s\"): %s",
++ myname, hbuf, GAI_STRERROR(aierr));
++
++ if (res->ai_addrlen != loopback->ai_addrlen
++ || memcmp(res->ai_addr, loopback->ai_addr, res->ai_addrlen) != 0) {
++ if (bind(sock, res->ai_addr, res->ai_addrlen) < 0)
++ msg_warn("%s: bind %s: %m", myname, hbuf);
++ else if (msg_verbose)
++ msg_info("%s: bind %s", myname, hbuf);
++ } else if (msg_verbose) {
++ msg_info("%s: not calling bind(): unusable source "
++ "address from \"%s\"", myname, hbuf);
++ }
++ if (res)
++ freeaddrinfo(res);
++ if (loopback)
++ freeaddrinfo(loopback);
++
++#else /* INET6 */
++
++ struct sockaddr_in sin;
++ unsigned long inaddr; /*XXX BAD!*/
++
++ /*
++ * Check whether we are acting as a virtual host
++ */
++ addr_list = own_inet_addr_list();
++ count = addr_list->used;
++ if (count != 1)
++ return;
++
++ /*
++ * Bind the source address.
++ */
++ memset(&sin, 0, sizeof(sin));
++ sin.sin_family = AF_INET;
++#ifdef HAS_SA_LEN
++ sin.sin_len = sizeof(sin);
++#endif
++ memcpy((char *) &sin.sin_addr, addr_list->addrs, sizeof(sin.sin_addr));
++ inaddr = (unsigned long)ntohl(sin.sin_addr.s_addr);
++ if (!IN_CLASSA(inaddr)
++ || !(((inaddr & IN_CLASSA_NET) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)) {
++ if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
++ msg_warn("%s: bind %s: %m", myname, inet_ntoa(sin.sin_addr));
++ else if (msg_verbose)
++ msg_info("%s: bind %s", myname, inet_ntoa(sin.sin_addr));
++ }
++#endif /* INET6 */
++}
++
+ /* smtp_connect_addr - connect to explicit address */
+
+-static SMTP_SESSION *smtp_connect_addr(DNS_RR *addr, unsigned port,
++static SMTP_SESSION *smtp_connect_addr(char *dest, DNS_RR *addr, unsigned port,
+ VSTRING *why)
+ {
+ char *myname = "smtp_connect_addr";
+- struct sockaddr_in sin;
+- int sock;
++#ifdef INET6
++ struct sockaddr_storage ss;
++#else
++ struct sockaddr ss;
++#endif
++ struct sockaddr *sa;
++ struct sockaddr_in *sin;
++#ifdef INET6
++ struct sockaddr_in6 *sin6;
++#endif
++ SOCKADDR_SIZE salen;
++#ifdef INET6
++ char hbuf[NI_MAXHOST];
++#else
++ char hbuf[sizeof("255.255.255.255") + 1];
++#endif
++ int sock = -1;
+ INET_ADDR_LIST *addr_list;
+ int conn_stat;
+ int saved_errno;
+ VSTREAM *stream;
+ int ch;
+- unsigned long inaddr;
++ char *bind_addr;
++ char *bind_var;
++#ifdef INET6
++ char *addr6_ptr = NULL;
++#endif
++
++ sa = (struct sockaddr *)&ss;
++ sin = (struct sockaddr_in *)&ss;
++#ifdef INET6
++ sin6 = (struct sockaddr_in6 *)&ss;
++#endif
+
+ smtp_errno = SMTP_ERR_NONE; /* Paranoia */
+
+ /*
+ * Sanity checks.
+ */
+- if (addr->data_len > sizeof(sin.sin_addr)) {
++#ifdef INET6
++ if (((addr->type==T_A) && (addr->data_len > sizeof(sin->sin_addr))) ||
++ ((addr->type==T_AAAA) && (addr->data_len > sizeof(sin6->sin6_addr))))
++#else
++ if (addr->data_len > sizeof(sin->sin_addr))
++#endif
++ {
+ msg_warn("%s: skip address with length %d", myname, addr->data_len);
+ smtp_errno = SMTP_ERR_RETRY;
+ return (0);
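Review bot: In smtp_virtual_bind's INET6 branch, `loopback` is set to NULL when `getaddrinfo(NULL, "0", ...)` fails (the warning path), yet the later comparison `res->ai_addrlen != loopback->ai_addrlen` dereferences it unconditionally, so a resolver failure there becomes a NULL dereference in the smtp client. Guard the pointer, e.g. `if (loopback == NULL || res->ai_addrlen != loopback->ai_addrlen || memcmp(res->ai_addr, loopback->ai_addr, res->ai_addrlen) != 0)`; whether the fallback should bind or skip the bind when the loopback check cannot be performed is a policy choice worth a comment, but neither should crash. Separately, in the non-INET6 branch of smtp_force_bind the `return;` after `msg_fatal(...)` is unreachable since msg_fatal does not return. smtp_connect_addr begins in this hunk and continues in the next one.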
+@@ -125,65 +335,111 @@
+ /*
+ * Initialize.
+ */
+- memset((char *) &sin, 0, sizeof(sin));
+- sin.sin_family = AF_INET;
+-
+- if ((sock = socket(sin.sin_family, SOCK_STREAM, 0)) < 0)
+- msg_fatal("%s: socket: %m", myname);
+-
++ switch (addr->type) {
++#ifdef INET6
++ case T_AAAA:
++ bind_addr = "";
++ bind_var = VAR_SMTP_BIND_ADDR6;
++ if (*var_smtp_bind_addr6) {
++ addr6_ptr = mystrdup(var_smtp_bind_addr6);
++ if (*addr6_ptr == '[' && addr6_ptr[strlen(addr6_ptr) - 1] == ']') {
++ addr6_ptr[strlen(addr6_ptr) - 1] = 0;
++ bind_addr = addr6_ptr + 1;
++ } else {
++ msg_warn("%s: skip incorrectly bracketed IPv6 address in %s",
++ myname, VAR_SMTP_BIND_ADDR6);
++ }
++ }
++ memset(sin6, 0, sizeof(*sin6));
++ sin6->sin6_family = AF_INET6;
++ salen = sizeof(*sin6);
++ break;
++#endif
++ default: /* T_A: */
++ bind_addr = var_smtp_bind_addr;
++ bind_var = VAR_SMTP_BIND_ADDR;
++ memset(sin, 0, sizeof(*sin));
++ sin->sin_family = AF_INET;
++ salen = sizeof(*sin);
++ break;
++ }
++#ifdef HAS_SA_LEN
++ sa->sa_len = salen;
++#endif
++ if ((sock = socket(sa->sa_family, SOCK_STREAM, 0)) < 0) {
++#ifdef INET6
++ if (addr6_ptr)
++ myfree(addr6_ptr);
++ vstring_sprintf(why, "socket to %s[%s]: %m",
++ addr->name, hbuf);
++ if (errno != EAFNOSUPPORT)
++#endif
++ msg_warn("%s: socket: %m", myname);
++ smtp_errno = SMTP_ERR_RETRY;
++ return (0);
++ }
++
+ /*
+ * Allow the sysadmin to specify the source address, for example, as "-o
+ * smtp_bind_address=x.x.x.x" in the master.cf file.
+ */
+- if (*var_smtp_bind_addr) {
+- sin.sin_addr.s_addr = inet_addr(var_smtp_bind_addr);
+- if (sin.sin_addr.s_addr == INADDR_NONE)
+- msg_fatal("%s: bad %s parameter: %s",
+- myname, VAR_SMTP_BIND_ADDR, var_smtp_bind_addr);
+- if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
+- msg_warn("%s: bind %s: %m", myname, inet_ntoa(sin.sin_addr));
+- if (msg_verbose)
+- msg_info("%s: bind %s", myname, inet_ntoa(sin.sin_addr));
+- }
+-
+- /*
+- * When running as a virtual host, bind to the virtual interface so that
+- * the mail appears to come from the "right" machine address.
+- */
+- else if ((addr_list = own_inet_addr_list())->used == 1) {
+- memcpy((char *) &sin.sin_addr, addr_list->addrs, sizeof(sin.sin_addr));
+- inaddr = ntohl(sin.sin_addr.s_addr);
+- if (!IN_CLASSA(inaddr)
+- || !(((inaddr & IN_CLASSA_NET) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)) {
+- if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
+- msg_warn("%s: bind %s: %m", myname, inet_ntoa(sin.sin_addr));
+- if (msg_verbose)
+- msg_info("%s: bind %s", myname, inet_ntoa(sin.sin_addr));
+- }
++ if (bind_addr && *bind_addr) {
++ smtp_force_bind(bind_addr, bind_var, sock, sa->sa_family);
++#ifdef INET6
++ if (addr6_ptr)
++ myfree(addr6_ptr);
++#endif
++ } else {
++ /*
++ * When running as a virtual host, bind to the virtual interface so that
++ * the mail appears to come from the "right" machine address.
++ */
++ smtp_virtual_bind(sock, sa->sa_family);
+ }
+
+ /*
+ * Connect to the SMTP server.
+ */
+- sin.sin_port = port;
+- memcpy((char *) &sin.sin_addr, addr->data, sizeof(sin.sin_addr));
++ switch (addr->type) {
++#ifdef INET6
++ case T_AAAA:
++ /* XXX scope unfriendly */
++ memset(sin6, 0, sizeof(*sin6));
++ sin6->sin6_port = port;
++ sin6->sin6_family = AF_INET6;
++ salen = sizeof(*sin6);
++ memcpy(&sin6->sin6_addr, addr->data, sizeof(sin6->sin6_addr));
++ inet_ntop(AF_INET6, &sin6->sin6_addr, hbuf, sizeof(hbuf));
++ break;
++#endif
++ default: /* T_A */
++ memset(sin, 0, sizeof(*sin));
++ sin->sin_port = port;
++ sin->sin_family = AF_INET;
++ salen = sizeof(*sin);
++ memcpy(&sin->sin_addr, addr->data, sizeof(sin->sin_addr));
++ inet_ntop(AF_INET, &sin->sin_addr, hbuf, sizeof(hbuf));
++ break;
++ }
++#ifdef HAS_SA_LEN
++ sa->sa_len = salen;
++#endif
+
+ if (msg_verbose)
+ msg_info("%s: trying: %s[%s] port %d...",
+- myname, addr->name, inet_ntoa(sin.sin_addr), ntohs(port));
++ myname, addr->name, hbuf, ntohs(port));
+ if (var_smtp_conn_tmout > 0) {
+ non_blocking(sock, NON_BLOCKING);
+- conn_stat = timed_connect(sock, (struct sockaddr *) & sin,
+- sizeof(sin), var_smtp_conn_tmout);
++ conn_stat = timed_connect(sock, sa, salen, var_smtp_conn_tmout);
+ saved_errno = errno;
+ non_blocking(sock, BLOCKING);
+ errno = saved_errno;
+ } else {
+- conn_stat = sane_connect(sock, (struct sockaddr *) & sin, sizeof(sin));
++ conn_stat = sane_connect(sock, sa, salen);
+ }
+ if (conn_stat < 0) {
+ vstring_sprintf(why, "connect to %s[%s]: %m",
+- addr->name, inet_ntoa(sin.sin_addr));
++ addr->name, hbuf);
+ smtp_errno = SMTP_ERR_RETRY;
+ close(sock);
+ return (0);
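Review bot: The socket() failure path under INET6 formats `hbuf` into `why` (`"socket to %s[%s]: %m"`) before anything has been written to `hbuf` — it is only filled by `inet_ntop` further down in this hunk — so the deferral reason is built from an uninitialized stack buffer. Initialise it at the declaration (`char hbuf[NI_MAXHOST] = "";`) or format the peer address before creating the socket. The hunk also leaks `addr6_ptr` when `smtp_bind_address6` is set but not bracketed: the warning leaves `bind_addr` empty, the else branch runs `smtp_virtual_bind`, and the `myfree(addr6_ptr)` inside the `if (bind_addr && *bind_addr)` branch is never reached; moving that free after the if/else (guarded by `if (addr6_ptr)`) fixes it. smtp_connect_addr starts in the previous hunk and ends in a later one.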
+@@ -193,8 +449,8 @@
+ * Skip this host if it takes no action within some time limit.
+ */
+ if (read_wait(sock, var_smtp_helo_tmout) < 0) {
+- vstring_sprintf(why, "connect to %s[%s]: read timeout",
+- addr->name, inet_ntoa(sin.sin_addr));
++ vstring_sprintf(why, "connect to %s [%s]: read timeout",
++ addr->name, hbuf);
+ smtp_errno = SMTP_ERR_RETRY;
+ close(sock);
+ return (0);
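Review bot: The rewritten read-timeout message introduces a space, `"connect to %s [%s]: read timeout"`, while the connect and greeting failures elsewhere in this file keep the `%s[%s]` form; log consumers keying on the `host[addr]` token will miss this one. Keep the format consistent: `vstring_sprintf(why, "connect to %s[%s]: read timeout",`. smtp_connect_addr begins and ends outside this hunk.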
+@@ -206,13 +462,17 @@
+ stream = vstream_fdopen(sock, O_RDWR);
+ if ((ch = VSTREAM_GETC(stream)) == VSTREAM_EOF) {
+ vstring_sprintf(why, "connect to %s[%s]: server dropped connection without sending the initial SMTP greeting",
+- addr->name, inet_ntoa(sin.sin_addr));
++ addr->name, hbuf);
+ smtp_errno = SMTP_ERR_RETRY;
+ vstream_fclose(stream);
+ return (0);
+ }
+ vstream_ungetc(stream, ch);
+- return (smtp_session_alloc(stream, addr->name, inet_ntoa(sin.sin_addr)));
++#ifndef USE_TLS
++ return (smtp_session_alloc(stream, addr->name, hbuf));
++#else
++ return (smtp_session_alloc(dest, stream, addr->name, hbuf));
++#endif
+ }
+
+ /* smtp_parse_destination - parse destination */
+@@ -247,6 +507,7 @@
+ msg_fatal("unknown service: %s/%s", service, protocol);
+ *portp = sp->s_port;
+ }
++
+ return (buf);
+ }
+
+@@ -348,7 +609,7 @@
+ next = addr->next;
+ if (++addr_count == var_smtp_mxaddr_limit)
+ next = 0;
+- if ((state->session = smtp_connect_addr(addr, port, why)) != 0) {
++ if ((state->session = smtp_connect_addr(host, addr, port, why)) != 0) {
+ state->features = 0; /* XXX should be SESSION info */
+ if (++sess_count == var_smtp_mxsess_limit)
+ next = 0;
+diff -urNad postfix-release/src/smtp/smtp.h /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp.h
+--- postfix-release/src/smtp/smtp.h 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp.h 2005-02-03 10:22:13.066095349 -0700
+@@ -27,6 +27,9 @@
+ * Global library.
+ */
+ #include <deliver_request.h>
++#ifdef USE_TLS
++#include <pfixtls.h>
++#endif
+
+ /*
+ * State information associated with each SMTP delivery. We're bundling the
+@@ -113,9 +116,20 @@
+ char *addr; /* mail exchanger */
+ char *namaddr; /* mail exchanger */
+ int best; /* most preferred host */
++#ifdef USE_TLS
++ int tls_use_tls; /* can do TLS */
++ int tls_enforce_tls; /* must do TLS */
++ int tls_enforce_peername; /* cert must match */
++ tls_info_t tls_info; /* TLS connection state */
++#endif
+ } SMTP_SESSION;
+
++#ifndef USE_TLS
+ extern SMTP_SESSION *smtp_session_alloc(VSTREAM *, char *, char *);
++#else
++extern void smtp_tls_list_init(void);
++extern SMTP_SESSION *smtp_session_alloc(char *, VSTREAM *, char *, char *);
++#endif
+ extern void smtp_session_free(SMTP_SESSION *);
+
+ /*
+diff -urNad postfix-release/src/smtp/smtp_proto.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_proto.c
+--- postfix-release/src/smtp/smtp_proto.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_proto.c 2005-02-03 10:22:13.067095126 -0700
+@@ -102,6 +102,9 @@
+ #include <quote_821_local.h>
+ #include <mail_proto.h>
+ #include <mime_state.h>
++#ifdef USE_TLS
++#include <pfixtls.h>
++#endif
+
+ /* Application-specific. */
+
+@@ -184,6 +187,10 @@
+ XFORWARD_HELO, SMTP_FEATURE_XFORWARD_HELO,
+ 0, 0,
+ };
++#ifdef USE_TLS
++ int oldfeatures;
++ int rval;
++#endif
+
+ /*
+ * Prepare for disaster.
+@@ -257,6 +264,10 @@
+ return (0);
+ }
+
++#ifdef USE_TLS
++ if (var_smtp_always_ehlo)
++ state->features |= SMTP_FEATURE_ESMTP;
++#endif
+ /*
+ * Pick up some useful features offered by the SMTP server. XXX Until we
+ * have a portable routine to convert from string to off_t with proper
+@@ -268,6 +279,9 @@
+ * MicroSoft implemented AUTH based on an old draft.
+ */
+ lines = resp->str;
++#ifdef USE_TLS
++ oldfeatures = state->features; /* remember */
++#endif
+ while ((words = mystrtok(&lines, "\n")) != 0) {
+ if (mystrtok(&words, "- ") && (word = mystrtok(&words, " \t=")) != 0) {
+ if (strcasecmp(word, "8BITMIME") == 0)
+@@ -288,6 +302,10 @@
+ state->size_limit = off_cvt_string(word);
+ }
+ }
++#ifdef USE_TLS
++ else if (strcasecmp(word, "STARTTLS") == 0)
++ state->features |= SMTP_FEATURE_STARTTLS;
++#endif
+ #ifdef USE_SASL_AUTH
+ else if (var_smtp_sasl_enable && strcasecmp(word, "AUTH") == 0)
+ smtp_sasl_helo_auth(state, words);
+@@ -307,6 +325,130 @@
+ msg_info("server features: 0x%x size %.0f",
+ state->features, (double) state->size_limit);
+
++#ifdef USE_TLS
++#ifdef USE_SSL
++ if ((state->features & SMTP_FEATURE_STARTTLS) &&
++ (var_smtp_tls_note_starttls_offer) &&
++ (!(session->tls_enforce_tls || session->tls_use_tls)))
++ msg_info("Host offered STARTTLS: [%s]", session->host);
++ if ((session->tls_enforce_tls) &&
++ !(state->features & SMTP_FEATURE_STARTTLS))
++ {
++ /*
++ * We are enforced to use TLS but it is not offered, so we will give
++ * up on this host. We won't even try STARTTLS, because we could
++ * receive a "500 command unrecognized" which would bounce the
++ * message. We instead want to delay until STARTTLS becomes
++ * available.
++ */
++ return (smtp_site_fail(state, 450, "Could not start TLS: not offered"));
++ }
++ if ((session->tls_enforce_tls) && !pfixtls_clientengine) {
++ /*
++ * We would like to start client TLS, but our own TLS-engine is
++ * not running.
++ */
++ return (smtp_site_fail(state, 450,
++ "Could not start TLS: our TLS-engine not running"));
++ }
++ if ((state->features & SMTP_FEATURE_STARTTLS) &&
++ ((session->tls_use_tls && pfixtls_clientengine) ||
++ (session->tls_enforce_tls))) {
++ /*
++ * Try to use the TLS feature
++ */
++ smtp_chat_cmd(state, "STARTTLS");
++ if ((resp = smtp_chat_resp(state))->code / 100 != 2) {
++ state->features &= ~SMTP_FEATURE_STARTTLS;
++ /*
++ * At this point a political decision is necessary. If we
++ * enforce usage of tls, we have to close the connection
++ * now.
++ */
++ if (session->tls_enforce_tls)
++ return (smtp_site_fail(state, resp->code,
++ "host %s refused to start TLS: %s",
++ session->host,
++ translit(resp->str, "\n", " ")));
++ } else {
++ if (rval = pfixtls_start_clienttls(session->stream,
++ var_smtp_starttls_tmout,
++ session->tls_enforce_peername,
++ session->host,
++ &(session->tls_info)))
++ return (smtp_site_fail(state, 450,
++ "Could not start TLS: client failure"));
++
++
++ /*
++ * Now the connection is established and maybe we do have a
++ * validated cert with a CommonName in it.
++ * In enforce_peername state, the handshake would already have
++ * been terminated so the check here is for logging only!
++ */
++ if (session->tls_info.peer_CN != NULL) {
++ if (!session->tls_info.peer_verified) {
++ msg_info("Peer certificate could not be verified");
++ if (session->tls_enforce_tls) {
++ pfixtls_stop_clienttls(session->stream,
++ var_smtp_starttls_tmout, 1,
++ &(session->tls_info));
++ return(smtp_site_fail(state, 450, "TLS-failure: Could not verify certificate"));
++ }
++ }
++ } else if (session->tls_enforce_tls) {
++ pfixtls_stop_clienttls(session->stream,
++ var_smtp_starttls_tmout, 1,
++ &(session->tls_info));
++ return (smtp_site_fail(state, 450, "TLS-failure: Cannot verify hostname"));
++ }
++
++ /*
++ * At this point we have to re-negotiate the "EHLO" to reget
++ * the feature-list
++ */
++ state->features = oldfeatures;
++#ifdef USE_SASL_AUTH
++ if (state->sasl_mechanism_list) {
++ myfree(state->sasl_mechanism_list);
++ state->sasl_mechanism_list = 0;
++ }
++#endif
++ if (state->features & SMTP_FEATURE_ESMTP) {
++ smtp_chat_cmd(state, "EHLO %s", var_myhostname);
++ if ((resp = smtp_chat_resp(state))->code / 100 != 2)
++ state->features &= ~SMTP_FEATURE_ESMTP;
++ }
++ lines = resp->str;
++ (void) mystrtok(&lines, "\n");
++ while ((words = mystrtok(&lines, "\n")) != 0) {
++ if (mystrtok(&words, "- ") &&
++ (word = mystrtok(&words, " \t=")) != 0) {
++ if (strcasecmp(word, "8BITMIME") == 0)
++ state->features |= SMTP_FEATURE_8BITMIME;
++ else if (strcasecmp(word, "PIPELINING") == 0)
++ state->features |= SMTP_FEATURE_PIPELINING;
++ else if (strcasecmp(word, "SIZE") == 0)
++ state->features |= SMTP_FEATURE_SIZE;
++ else if (strcasecmp(word, "STARTTLS") == 0)
++ state->features |= SMTP_FEATURE_STARTTLS;
++#ifdef USE_SASL_AUTH
++ else if (var_smtp_sasl_enable &&
++ strcasecmp(word, "AUTH") == 0)
++ smtp_sasl_helo_auth(state, words);
++#endif
++ }
++ }
++ /*
++ * Actually, at this point STARTTLS should not be offered
++ * anymore, so we could check for a protocol violation, but
++ * what should we do then?
++ */
++
++ }
++ }
++#endif
++#endif
+ #ifdef USE_SASL_AUTH
+ if (var_smtp_sasl_enable && (state->features & SMTP_FEATURE_AUTH))
+ return (smtp_sasl_helo_login(state));
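Review bot: When TLS is enforced and the server answers STARTTLS with a non-2xx code, the failure is reported with `resp->code`, so a 5xx reply — from a misconfigured server, or from an on-path party that lets the STARTTLS advertisement through but rejects the command — becomes a permanent bounce, contradicting the comment above that prefers to defer until TLS becomes available. Use a temporary code for the enforced case: `return (smtp_site_fail(state, 450, "host %s refused to start TLS: %s", session->host, translit(resp->str, "\n", " ")));`. Two smaller points: `if (rval = pfixtls_start_clienttls(...))` assigns inside the condition and `rval` is never read afterwards, and the post-TLS EHLO parse loop sets `SMTP_FEATURE_SIZE` without re-reading `state->size_limit` as the first-pass loop does, so the limit learned from the pre-TLS plaintext EHLO survives the handshake. Extracting the EHLO feature parsing into one static helper called from both places would remove the duplicated loop and that divergence. The enclosing function begins and ends outside this hunk.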
+diff -urNad postfix-release/src/smtp/smtp_sasl_glue.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_sasl_glue.c
+--- postfix-release/src/smtp/smtp_sasl_glue.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_sasl_glue.c 2005-02-03 10:22:13.068094903 -0700
+@@ -197,6 +197,16 @@
+ return (SASL_OK);
+ }
+
++static int smtp_sasl_getpath(void * context, char ** path)
++{
++#if SASL_VERSION_MAJOR >= 2
++ *path = strdup("/etc/postfix/sasl:/usr/lib/sasl2");
++#else
++ *path = strdup("/etc/postfix/sasl:/usr/lib/sasl");
++#endif
++ return SASL_OK;
++}
++
+ /* smtp_sasl_get_user - username lookup call-back routine */
+
+ static int smtp_sasl_get_user(void *context, int unused_id, const char **result,
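Review bot: `smtp_sasl_getpath` returns `SASL_OK` without checking the `strdup` result, so on allocation failure libsasl receives a NULL path; check it: `if ((*path = strdup("/etc/postfix/sasl:/usr/lib/sasl2")) == NULL) return SASL_NOMEM;` (and likewise for the v1 branch). The callback also puts `/etc/postfix/sasl` ahead of the library directory in the plugin search path, which means any shared object the smtp client can load from there runs with the client's privileges — a comment stating that the directory must be root-owned and not writable by others would help operators. Whether libsasl frees the returned string or expects it to persist is version-dependent and not visible here; a comment naming the contract relied on would make the `strdup` (rather than `mystrdup`) choice deliberate.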
+@@ -298,6 +308,7 @@
+ */
+ static sasl_callback_t callbacks[] = {
+ {SASL_CB_LOG, &smtp_sasl_log, 0},
++ {SASL_CB_GETPATH,&smtp_sasl_getpath, 0},
+ {SASL_CB_LIST_END, 0, 0}
+ };
+
+diff -urNad postfix-release/src/smtp/smtp_session.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_session.c
+--- postfix-release/src/smtp/smtp_session.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_session.c 2005-02-03 10:22:13.068094903 -0700
+@@ -42,15 +42,50 @@
+ #include <vstream.h>
+ #include <stringops.h>
+
++#ifdef USE_TLS
++#include <mail_params.h>
++#include <maps.h>
++#include <pfixtls.h>
++#endif
++
+ /* Application-specific. */
+
+ #include "smtp.h"
+
++#ifdef USE_TLS
++/* static lists */
++static MAPS *tls_per_site;
++
++/* smtp_tls_list_init - initialize lists */
++
++void smtp_tls_list_init(void)
++{
++ tls_per_site = maps_create(VAR_SMTP_TLS_PER_SITE, var_smtp_tls_per_site,
++ DICT_FLAG_LOCK);
++}
++
++#endif
+ /* smtp_session_alloc - allocate and initialize SMTP_SESSION structure */
+
++#ifndef USE_TLS
+ SMTP_SESSION *smtp_session_alloc(VSTREAM *stream, char *host, char *addr)
++#else
++SMTP_SESSION *smtp_session_alloc(char *dest, VSTREAM *stream, char *host, char *addr)
++#endif
+ {
+ SMTP_SESSION *session;
++#ifdef USE_TLS
++ const char *lookup;
++ char *lookup_key;
++ int host_dont_use = 0;
++ int host_use = 0;
++ int host_enforce = 0;
++ int host_enforce_peername = 0;
++ int recipient_dont_use = 0;
++ int recipient_use = 0;
++ int recipient_enforce = 0;
++ int recipient_enforce_peername = 0;
++#endif
+
+ session = (SMTP_SESSION *) mymalloc(sizeof(*session));
+ session->stream = stream;
+@@ -58,6 +93,63 @@
+ session->addr = mystrdup(addr);
+ session->namaddr = concatenate(host, "[", addr, "]", (char *) 0);
+ session->best = 1;
++#ifdef USE_TLS
++ session->tls_use_tls = session->tls_enforce_tls = 0;
++ session->tls_enforce_peername = 0;
++#ifdef USE_SSL
++ lookup_key = lowercase(mystrdup(host));
++ if (lookup = maps_find(tls_per_site, lookup_key, 0)) {
++ if (!strcasecmp(lookup, "NONE"))
++ host_dont_use = 1;
++ else if (!strcasecmp(lookup, "MAY"))
++ host_use = 1;
++ else if (!strcasecmp(lookup, "MUST"))
++ host_enforce = host_enforce_peername = 1;
++ else if (!strcasecmp(lookup, "MUST_NOPEERMATCH"))
++ host_enforce = 1;
++ else
++ msg_warn("Unknown TLS state for receiving host %s: '%s', using default policy", session->host, lookup);
++ }
++ myfree(lookup_key);
++ lookup_key = lowercase(mystrdup(dest));
++ if (lookup = maps_find(tls_per_site, dest, 0)) {
++ if (!strcasecmp(lookup, "NONE"))
++ recipient_dont_use = 1;
++ else if (!strcasecmp(lookup, "MAY"))
++ recipient_use = 1;
++ else if (!strcasecmp(lookup, "MUST"))
++ recipient_enforce = recipient_enforce_peername = 1;
++ else if (!strcasecmp(lookup, "MUST_NOPEERMATCH"))
++ recipient_enforce = 1;
++ else
++ msg_warn("Unknown TLS state for recipient domain %s: '%s', using default policy", dest, lookup);
++ }
++ myfree(lookup_key);
++
++ if ((var_smtp_enforce_tls && !host_dont_use && !recipient_dont_use) || host_enforce ||
++ recipient_enforce)
++ session->tls_enforce_tls = session->tls_use_tls = 1;
++
++ /*
++ * Set up peername checking. We want to make sure that a MUST* entry in
++ * the tls_per_site table always has precedence. MUST always must lead to
++ * a peername check, MUST_NOPEERMATCH must always disable it. Only when
++ * no explicit setting has been found, the default will be used.
++ * There is the case left, that both "host" and "recipient" settings
++ * conflict. In this case, the "host" setting wins.
++ */
++ if (host_enforce && host_enforce_peername)
++ session->tls_enforce_peername = 1;
++ else if (recipient_enforce && recipient_enforce_peername)
++ session->tls_enforce_peername = 1;
++ else if (var_smtp_enforce_tls && var_smtp_tls_enforce_peername)
++ session->tls_enforce_peername = 1;
++
++ else if ((var_smtp_use_tls && !host_dont_use && !recipient_dont_use) || host_use || recipient_use)
++ session->tls_use_tls = 1;
++#endif
++ session->tls_info = tls_info_zero;
++#endif
+ return (session);
+ }
+
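Review bot: The recipient-domain lookup in smtp_session_alloc lowercases `dest` into `lookup_key` but then calls `maps_find(tls_per_site, dest, 0)` with the original string, so a `MUST` entry for a domain is missed whenever the destination carries uppercase letters and the session silently falls back to the default (possibly plaintext) policy. Use the prepared key as the host lookup does: `if (lookup = maps_find(tls_per_site, lookup_key, 0)) {`. If the maps layer reports lookup errors separately from "no entry" (not visible in this hunk), that case should also not quietly select the weaker policy, since "not found" here can mean no TLS at all.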
+@@ -65,6 +157,13 @@
+
+ void smtp_session_free(SMTP_SESSION *session)
+ {
++#ifdef USE_TLS
++#ifdef USE_SSL
++ vstream_fflush(session->stream);
++ pfixtls_stop_clienttls(session->stream, var_smtp_starttls_tmout, 0,
++ &(session->tls_info));
++#endif
++#endif
+ vstream_fclose(session->stream);
+ myfree(session->host);
+ myfree(session->addr);
+diff -urNad postfix-release/src/smtp/smtp_unalias.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_unalias.c
+--- postfix-release/src/smtp/smtp_unalias.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_unalias.c 2005-02-03 10:22:13.068094903 -0700
+@@ -86,7 +86,11 @@
+ if ((result = htable_find(cache, name)) == 0) {
+ fqdn = vstring_alloc(10);
+ if (dns_lookup_types(name, smtp_unalias_flags, (DNS_RR **) 0,
+- fqdn, (VSTRING *) 0, T_MX, T_A, 0) != DNS_OK)
++ fqdn, (VSTRING *) 0, T_MX, T_A,
++#ifdef INET6
++ T_AAAA,
++#endif
++ 0) != DNS_OK)
+ vstring_strcpy(fqdn, name);
+ htable_enter(cache, name, result = vstring_export(fqdn));
+ }
+diff -urNad postfix-release/src/smtpd/Makefile.in /tmp/dpep.cXJuVH/postfix-release/src/smtpd/Makefile.in
+--- postfix-release/src/smtpd/Makefile.in 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/Makefile.in 2005-02-03 10:22:13.069094680 -0700
+@@ -150,6 +150,7 @@
+ smtpd.o: ../../include/namadr_list.h
+ smtpd.o: ../../include/input_transp.h
+ smtpd.o: ../../include/mail_server.h
++smtpd.o: ../../include/pfixtls.h
+ smtpd.o: smtpd_token.h
+ smtpd.o: smtpd.h
+ smtpd.o: smtpd_check.h
+@@ -179,6 +180,7 @@
+ smtpd_chat.o: ../../include/cleanup_user.h
+ smtpd_chat.o: ../../include/mail_error.h
+ smtpd_chat.o: ../../include/name_mask.h
++smtpd_chat.o: ../../include/pfixtls.h
+ smtpd_chat.o: smtpd.h
+ smtpd_chat.o: ../../include/mail_stream.h
+ smtpd_chat.o: smtpd_chat.h
+@@ -233,6 +235,7 @@
+ smtpd_check.o: ../../include/is_header.h
+ smtpd_check.o: smtpd.h
+ smtpd_check.o: ../../include/mail_stream.h
++smtpd_check.o: ../../include/pfixtls.h
+ smtpd_check.o: smtpd_sasl_glue.h
+ smtpd_check.o: smtpd_check.h
+ smtpd_peer.o: smtpd_peer.c
+@@ -247,6 +250,7 @@
+ smtpd_peer.o: ../../include/vstream.h
+ smtpd_peer.o: ../../include/iostuff.h
+ smtpd_peer.o: ../../include/attr.h
++smtpd_peer.o: ../../include/pfixtls.h
+ smtpd_peer.o: smtpd.h
+ smtpd_peer.o: ../../include/argv.h
+ smtpd_peer.o: ../../include/mail_stream.h
+@@ -329,6 +333,7 @@
+ smtpd_state.o: ../../include/vstring.h
+ smtpd_state.o: ../../include/argv.h
+ smtpd_state.o: ../../include/mail_stream.h
++smtpd_state.o: ../../include/pfixtls.h
+ smtpd_state.o: smtpd_chat.h
+ smtpd_state.o: smtpd_sasl_glue.h
+ smtpd_token.o: smtpd_token.c
+@@ -338,6 +343,7 @@
+ smtpd_token.o: smtpd_token.h
+ smtpd_token.o: ../../include/vstring.h
+ smtpd_token.o: ../../include/vbuf.h
++smtpd_token.o: ../../include/pfixtls.h
+ smtpd_xforward.o: smtpd_xforward.c
+ smtpd_xforward.o: ../../include/sys_defs.h
+ smtpd_xforward.o: ../../include/mymalloc.h
+diff -urNad postfix-release/src/smtpd/smtpd.c /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd.c
+--- postfix-release/src/smtpd/smtpd.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd.c 2005-02-03 10:22:13.072094011 -0700
+@@ -652,6 +652,9 @@
+ #include <anvil_clnt.h>
+ #endif
+ #include <flush_clnt.h>
++#ifdef USE_TLS
++#include <pfixtls.h>
++#endif
+
+ /* Single-threaded server skeleton. */
+
+@@ -677,6 +680,9 @@
+ */
+ int var_smtpd_rcpt_limit;
+ int var_smtpd_tmout;
++#ifdef USE_TLS
++char *var_relay_ccerts;
++#endif
+ int var_smtpd_soft_erlim;
+ int var_smtpd_hard_erlim;
+ int var_queue_minfree; /* XXX use off_t */
+@@ -759,7 +765,21 @@
+ int var_smtpd_crate_limit;
+ int var_smtpd_cconn_limit;
+ char *var_smtpd_hoggers;
++#endif
+
++#ifdef USE_TLS
++bool var_smtpd_use_tls;
++bool var_smtpd_enforce_tls;
++bool var_smtpd_tls_wrappermode;
++#ifdef USE_SSL
++int var_smtpd_starttls_tmout;
++bool var_smtpd_tls_auth_only;
++bool var_smtpd_tls_ask_ccert;
++bool var_smtpd_tls_req_ccert;
++int var_smtpd_tls_ccert_vd;
++bool var_smtpd_tls_received_header;
++char *var_smtpd_sasl_tls_opts;
++#endif
+ #endif
+
+ /*
+@@ -943,11 +963,27 @@
+ if (var_disable_vrfy_cmd == 0)
+ smtpd_chat_reply(state, "250-VRFY");
+ smtpd_chat_reply(state, "250-ETRN");
++#ifdef USE_TLS
++#ifdef USE_SSL
++ if ((state->tls_use_tls || state->tls_enforce_tls) && (!state->tls_active))
++ smtpd_chat_reply(state, "250-STARTTLS");
++#endif
++#endif
+ #ifdef USE_SASL_AUTH
+ if (var_smtpd_sasl_enable && !sasl_client_exception(state)) {
++#ifdef USE_TLS
++#ifdef USE_SSL
++ if (!state->tls_auth_only || state->tls_active) {
++#endif
++#endif
+ smtpd_chat_reply(state, "250-AUTH %s", state->sasl_mechanism_list);
+ if (var_broken_auth_clients)
+ smtpd_chat_reply(state, "250-AUTH=%s", state->sasl_mechanism_list);
++#ifdef USE_TLS
++#ifdef USE_SSL
++ }
++#endif
++#endif
+ }
+ #endif
+ if (namadr_list_match(verp_clients, state->name, state->addr))
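Review bot: Withholding the `250-AUTH` line when `tls_auth_only` is set and TLS is not active only hides the capability; a client that sends AUTH anyway is still processed unless the AUTH command handler applies the same `tls_auth_only && !tls_active` test, and that handler is not in this hunk. Please confirm the command path rejects it with a 530-style "must issue STARTTLS first" reply, and add a comment here such as `/* advertise AUTH only over TLS when tls_auth_only is set; the AUTH handler must enforce the same rule */`. Also, STARTTLS is advertised on `tls_use_tls || tls_enforce_tls`, while the STARTTLS handler elsewhere in this patch appears to check only `tls_use_tls`; if enforce can be set without use_tls the two conditions diverge and a client is offered a command it will be told is not implemented. The enclosing function begins and ends outside this hunk.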
+@@ -1505,12 +1541,81 @@
+ state->rcpt_overshoot = 0;
+ }
+
++#ifdef USE_TLS
++/* CN_sanitize - make sure, the CN-string is well behaved */
++
++static void CN_sanitize(char *CNstring)
++{
++ int i;
++ int len;
++ int parencount;
++
++ /*
++ * The information included in the CN (CommonName) of the peer and its
++ * issuer can be included into the Received: header line. The characters
++ * allowed as well as comment nesting are limited by RFC822.
++ */
++
++ len = strlen(CNstring);
++ /*
++ * The Received: header can only contain characters. Make sure that only
++ * acceptable characters are printed. Maybe we could allow more, but
++ * not everything makes sense inside a CommonName.
++ */
++ for (i = 0; i < len; i++)
++ if (!((CNstring[i] >= 'A') && (CNstring[i] <='Z')) &&
++ !((CNstring[i] >= 'a') && (CNstring[i] <='z')) &&
++ !((CNstring[i] >= '0') && (CNstring[i] <='9')) &&
++ (CNstring[i] != '(') && (CNstring[i] != ')') &&
++ (CNstring[i] != '[') && (CNstring[i] != ']') &&
++ (CNstring[i] != '{') && (CNstring[i] != '}') &&
++ (CNstring[i] != '<') && (CNstring[i] != '>') &&
++ (CNstring[i] != '?') && (CNstring[i] != '!') &&
++ (CNstring[i] != ';') && (CNstring[i] != ':') &&
++ (CNstring[i] != '"') && (CNstring[i] != '\'') &&
++ (CNstring[i] != '/') && (CNstring[i] != '|') &&
++ (CNstring[i] != '+') && (CNstring[i] != '&') &&
++ (CNstring[i] != '~') && (CNstring[i] != '@') &&
++ (CNstring[i] != '#') && (CNstring[i] != '$') &&
++ (CNstring[i] != '%') && (CNstring[i] != '&') &&
++ (CNstring[i] != '^') && (CNstring[i] != '*') &&
++ (CNstring[i] != '_') && (CNstring[i] != '-') &&
++ (CNstring[i] != '.') && (CNstring[i] != ' '))
++ CNstring[i] = '?';
++
++ /*
++ * This information will go into the Received: header inside a comment.
++ * Since comments can be nested, parentheses '(' and ')' must match.
++ */
++ parencount = 0;
++ for (i = 0; i < len; i++) {
++ if (CNstring[i] == '(')
++ parencount++;
++ else if (CNstring[i] == ')')
++ parencount--;
++ }
++ /*
++ * The necessary condition is violated. Do YOU know, where to correct?
++ * I don't know, so I will practically remove all parentheses.
++ */
++ if (parencount != 0) {
++ for (i = 0; i < len; i++)
++ if ((CNstring[i] == '(') || (CNstring[i] == ')'))
++ CNstring[i] = '/';
++ }
++}
++
++#endif
+ /* data_cmd - process DATA command */
+
+ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
+ {
+ char *err;
+ char *start;
++#ifdef USE_TLS
++ char *peer_CN;
++ char *issuer_CN;
++#endif
+ int len;
+ int curr_rec_type;
+ int prev_rec_type;
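Review bot: The parenthesis check in CN_sanitize only tests that the final count is zero, so a CN such as `)(` passes and, once printed inside the `(Client CN "...")` comment in the Received: header, closes the enclosing comment early — exactly the structure-breaking the function is meant to prevent, on input controlled by whoever presents the client certificate. Track nesting as you scan and treat going negative as a violation: `else if (CNstring[i] == ')' && --parencount < 0) break;` — the existing `if (parencount != 0)` rewrite then catches it. Also `'&'` appears twice in the allowed-character test (on the `'+'`/`'&'` and `'%'`/`'&'` lines), which is harmless but suggests another character was intended. `data_cmd` begins in this hunk and continues in the next one.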
+@@ -1601,9 +1706,42 @@
+ */
+ if (!state->proxy || state->xforward.flags == 0) {
+ out_fprintf(out_stream, REC_TYPE_NORM,
+- "Received: from %s (%s [%s])",
++ "Received: from %s (%s [%s%s])",
+ state->helo_name ? state->helo_name : state->name,
+- state->name, state->addr);
++ state->name, state->addr_tag, state->addr);
++#ifdef USE_TLS
++#ifdef USE_SSL
++ if (var_smtpd_tls_received_header && state->tls_active) {
++ out_fprintf(out_stream, REC_TYPE_NORM,
++ "\t(using %s with cipher %s (%d/%d bits))",
++ state->tls_info.protocol, state->tls_info.cipher_name,
++ state->tls_info.cipher_usebits,
++ state->tls_info.cipher_algbits);
++ if (state->tls_info.peer_CN) {
++ peer_CN = mystrdup(state->tls_info.peer_CN);
++ CN_sanitize(peer_CN);
++ issuer_CN = mystrdup(state->tls_info.issuer_CN);
++ CN_sanitize(issuer_CN);
++ if (state->tls_info.peer_verified)
++ out_fprintf(out_stream, REC_TYPE_NORM,
++ "\t(Client CN \"%s\", Issuer \"%s\" (verified OK))",
++ peer_CN, issuer_CN);
++ else
++ out_fprintf(out_stream, REC_TYPE_NORM,
++ "\t(Client CN \"%s\", Issuer \"%s\" (not verified))",
++ peer_CN, issuer_CN);
++ myfree(issuer_CN);
++ myfree(peer_CN);
++ }
++ else if (var_smtpd_tls_ask_ccert)
++ out_fprintf(out_stream, REC_TYPE_NORM,
++ "\t(Client did not present a certificate)");
++ else
++ out_fprintf(out_stream, REC_TYPE_NORM,
++ "\t(No client certificate requested)");
++ }
++#endif
++#endif
+ if (state->rcpt_count == 1 && state->recipient) {
+ out_fprintf(out_stream, REC_TYPE_NORM,
+ state->cleanup ? "\tby %s (%s) with %s id %s" :
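Review bot: `issuer_CN = mystrdup(state->tls_info.issuer_CN);` is guarded only by the `if (state->tls_info.peer_CN)` test two lines above it, so a certificate whose issuer carries no CN (or a tls_info in which only peer_CN was filled in) passes a null pointer to mystrdup(); if mystrdup() aborts on NULL the way the rest of the Postfix utility library does, a client can kill the session by presenting such a certificate, and otherwise the Received: line is formatted from an undefined string. Guard it the same way as the peer name: `issuer_CN = mystrdup(state->tls_info.issuer_CN ? state->tls_info.issuer_CN : "");`. data_cmd continues past this hunk, and CN_sanitize, which decides what client-controlled bytes reach the header, begins before it, so the sanitiser itself is not reviewed here.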
+@@ -2310,6 +2448,92 @@
+ }
+ }
+
++#ifdef USE_TLS
++static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
++{
++ char *err;
++
++#ifdef USE_SSL
++ if (argc != 1) {
++ state->error_mask |= MAIL_ERROR_PROTOCOL;
++ smtpd_chat_reply(state, "501 Syntax: STARTTLS");
++ return (-1);
++ }
++ if (state->tls_active != 0) {
++ state->error_mask |= MAIL_ERROR_PROTOCOL;
++ smtpd_chat_reply(state, "554 Error: TLS already active");
++ return (-1);
++ }
++ if (state->tls_use_tls == 0) {
++ state->error_mask |= MAIL_ERROR_PROTOCOL;
++ smtpd_chat_reply(state, "502 Error: command not implemented");
++ return (-1);
++ }
++ if (!pfixtls_serverengine) {
++ smtpd_chat_reply(state, "454 TLS not available due to temporary reason");
++ return (0);
++ }
++ smtpd_chat_reply(state, "220 Ready to start TLS");
++ vstream_fflush(state->client);
++ /*
++ * When deciding about continuing the handshake, we will stop when a
++ * client certificate was _required_ and none was presented or the
++ * verification failed. This however does only make sense when TLS is
++ * enforced. Otherwise we would happily perform perform the SMTP
++ * transaction without any STARTTLS at all! So only have the handshake
++ * fail when TLS is also enforced.
++ */
++ if (pfixtls_start_servertls(state->client, var_smtpd_starttls_tmout,
++ state->name, state->addr, &(state->tls_info),
++ (var_smtpd_tls_req_ccert && state->tls_enforce_tls))) {
++ /*
++ * Typically the connection is hanging at this point, so
++ * we should try to shut it down by force! Unfortunately this
++ * problem is not addressed in postfix!
++ */
++ return (-1);
++ }
++ state->tls_active = 1;
++ helo_reset(state);
++#ifdef USE_SASL_AUTH
++ if (var_smtpd_sasl_enable) {
++ /*
++ * When TLS is enabled, another set of AUTH methods may be offered,
++ * for example plain text methods that would not be offered without
++ * encryption protection. Reconnect with a different set of options.
++ */
++ smtpd_sasl_disconnect(state);
++ smtpd_sasl_connect(state, VAR_SMTPD_SASL_TLS_OPTS,
++ var_smtpd_sasl_tls_opts);
++ smtpd_sasl_auth_reset(state);
++ }
++#endif
++ mail_reset(state);
++ rcpt_reset(state);
++ return (0);
++#else
++ state->error_mask |= MAIL_ERROR_PROTOCOL;
++ smtpd_chat_reply(state, "502 Error: command not implemented");
++ return (-1);
++#endif
++}
++
++static void tls_reset(SMTPD_STATE *state)
++{
++ int failure = 0;
++
++ if (state->reason && state->where && strcmp(state->where, SMTPD_AFTER_DOT))
++ failure = 1;
++#ifdef USE_SSL
++ vstream_fflush(state->client);
++ if (state->tls_active)
++ pfixtls_stop_servertls(state->client, var_smtpd_starttls_tmout,
++ failure, &(state->tls_info));
++#endif
++ state->tls_active = 0;
++}
++
++#endif
+ /*
+ * The table of all SMTP commands that we know. Set the junk limit flag on
+ * any command that can be repeated an arbitrary number of times without
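Review bot: Nothing between the `220 Ready to start TLS` reply and the `pfixtls_start_servertls()` call checks that the client has not already sent more bytes in the clear; plaintext commands pipelined behind STARTTLS that are already sitting in state->client's read buffer stay there and would be executed after the handshake as if they had arrived under TLS (plaintext command injection, which RFC 3207 §4.2 addresses by requiring the server to discard such input). Before sending the 220 reply, refuse the handshake when input is pending, e.g. `if (vstream_peek(state->client) > 0) { smtpd_chat_reply(state, "554 Error: plaintext command after STARTTLS"); return (-1); }` — assuming the VSTREAM API in this tree exposes the buffered byte count; otherwise reject through whatever primitive it offers. The -1 return already makes the command loop abort the session, which is the right outcome here. The comment on the handshake-failure path concedes the connection is left hanging; closing the stream there instead of waiting for the caller's timeout would be the cheaper way out.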
+@@ -2328,6 +2552,12 @@
+ "HELO", helo_cmd, SMTPD_CMD_FLAG_LIMIT,
+ "EHLO", ehlo_cmd, SMTPD_CMD_FLAG_LIMIT,
+
++#ifdef USE_TLS
++#ifdef USE_SSL
++ "STARTTLS", starttls_cmd, 0,
++#endif
++#endif
++
+ #ifdef USE_SASL_AUTH
+ "AUTH", smtpd_sasl_auth_cmd, 0,
+ #endif
+@@ -2488,9 +2718,36 @@
+ state->error_count++;
+ continue;
+ }
++#ifdef USE_TLS
++ if (state->tls_enforce_tls &&
++ !state->tls_active &&
++ cmdp->action != starttls_cmd &&
++ cmdp->action != noop_cmd &&
++ cmdp->action != ehlo_cmd &&
++ cmdp->action != quit_cmd) {
++ smtpd_chat_reply(state,
++ "530 Must issue a STARTTLS command first");
++ state->error_count++;
++ continue;
++ }
++#endif
+ state->where = cmdp->name;
++#ifndef USE_TLS
+ if (cmdp->action(state, argc, argv) != 0)
++#else
++ if (cmdp->action(state, argc, argv) != 0) {
++#endif
+ state->error_count++;
++#ifdef USE_TLS
++ /*
++ * Die after TLS negotiation failure, as there is no
++ * stable way to recover from a possible mixture of
++ * TLS and SMTP protocol from the client.
++ */
++ if (cmdp->action == starttls_cmd)
++ break;
++ }
++#endif
+ if ((cmdp->flags & SMTPD_CMD_FLAG_LIMIT)
+ && state->junk_cmds++ > var_smtpd_junk_cmd_limit)
+ state->error_count++;
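Review bot: The `#ifndef USE_TLS` / `#else` pair around `if (cmdp->action(state, argc, argv) != 0)` splits one C statement across two preprocessor branches, with its closing brace living in a third `#ifdef USE_TLS` block; the reader has to reassemble the statement per build, and an edit to one branch will silently desynchronise the other. Keep a single braced `if` body for both builds and conditionalise only the STARTTLS line: `if (cmdp->action(state, argc, argv) != 0) { state->error_count++;` then the existing `#ifdef USE_TLS` / `if (cmdp->action == starttls_cmd) break;` / `#endif`, and an unconditional `}`. The enforcement gate above it matches RFC 3207 §4.2 (only NOOP, EHLO, STARTTLS and QUIT may precede TLS); that plain HELO is deliberately rejected with 530 surprises operators and deserves a comment: `/* RFC 3207 4.2: HELO is not exempt, only EHLO may precede STARTTLS */`.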
+@@ -2530,6 +2787,9 @@
+ * Cleanup whatever information the client gave us during the SMTP
+ * dialog.
+ */
++#ifdef USE_TLS
++ tls_reset(state);
++#endif
+ helo_reset(state);
+ #ifdef USE_SASL_AUTH
+ if (var_smtpd_sasl_enable)
+@@ -2562,6 +2822,60 @@
+ * machines.
+ */
+ smtpd_state_init(&state, stream);
++#ifdef USE_TLS
++
++#ifdef USE_SSL
++ if (SMTPD_STAND_ALONE((&state))) {
++ state.tls_use_tls = 0;
++ state.tls_enforce_tls = 0;
++ state.tls_auth_only = 0;
++ }
++ else {
++ state.tls_use_tls = var_smtpd_use_tls | var_smtpd_enforce_tls;
++ state.tls_enforce_tls = var_smtpd_enforce_tls;
++ if (var_smtpd_tls_wrappermode) {
++ /*
++ * TLS has been set to wrapper mode, meaning that we run on a
++ * seperate port and we must switch to TLS layer before actually
++ * performing the SMTP protocol. This implies enforce-mode.
++ */
++ state.tls_use_tls = state.tls_enforce_tls = 1;
++ if (pfixtls_start_servertls(state.client, var_smtpd_starttls_tmout,
++ state.name, state.addr, &state.tls_info,
++ var_smtpd_tls_req_ccert)) {
++ /*
++ * Typically the connection is hanging at this point, so
++ * we should try to shut it down by force! Unfortunately this
++ * problem is not addressed in postfix!
++ */
++ return;
++ }
++ state.tls_active = 1;
++#ifdef USE_SASL_AUTH
++ if (var_smtpd_sasl_enable) {
++ /*
++ * When TLS is enabled, another set of AUTH methods may be
++ * offered, for example plain text methods that would not be
++ * offered without encryption protection. Reconnect with a
++ * different set of options.
++ */
++ smtpd_sasl_disconnect(&state);
++ smtpd_sasl_connect(&state, VAR_SMTPD_SASL_TLS_OPTS,
++ var_smtpd_sasl_tls_opts);
++ smtpd_sasl_auth_reset(&state);
++ }
++#endif
++ }
++ if (var_smtpd_tls_auth_only || state.tls_enforce_tls)
++ state.tls_auth_only = 1;
++ }
++#else
++ state.tls_use_tls = 0;
++ state.tls_enforce_tls = 0;
++ state.tls_auth_only = 0;
++#endif
++
++#endif
+ msg_info("connect from %s[%s]", state.name, state.addr);
+
+ /*
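Review bot: The `return;` on the wrapper-mode handshake failure leaves smtpd_proto() before the `connect from` log line and, presumably, before whatever state tear-down the rest of this function performs after the command loop (that code is outside the hunk); since `smtpd_state_init(&state, stream)` has already allocated the session state, every failed TLS handshake on the wrapper port then leaks that state in a process that goes on to serve further connections, and leaves no log entry for the peer that caused it. Prefer recording the failure and falling through to the normal disconnect path (a flag that skips the command loop), or at minimum `msg_info("TLS handshake failed for %s[%s]", state.name, state.addr);` before the return so the event is visible. `state.tls_use_tls = var_smtpd_use_tls | var_smtpd_enforce_tls;` also reads as a bit operation on two booleans; `||` says what is meant.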
+@@ -2611,7 +2925,9 @@
+
+ static void pre_jail_init(char *unused_name, char **unused_argv)
+ {
++#ifndef USE_TLS
+
++#endif
+ /*
+ * Initialize blacklist/etc. patterns before entering the chroot jail, in
+ * case they specify a filename pattern.
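Review bot: The `#ifndef USE_TLS` / `#endif` pair at the top of pre_jail_init() wraps nothing but a blank line; it is residue of an earlier revision of this patch (the same empty `#ifdef USE_TLS` blocks appear at the end of post_jail_init() and after main()), compiles to nothing, and only makes a reader hunt for the code that was supposed to be there. Drop all three empty blocks.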
+@@ -2639,6 +2955,23 @@
+ msg_warn("%s is true, but SASL support is not compiled in",
+ VAR_SMTPD_SASL_ENABLE);
+ #endif
++#ifdef USE_TLS
++ /*
++ * Keys can only be loaded when running with superuser permissions.
++ * When called from "sendmail -bs" this is not the case, but STARTTLS
++ * is not used in this scenario anyhow.
++ */
++ if (geteuid() == 0) {
++ if (var_smtpd_use_tls || var_smtpd_enforce_tls
++ || var_smtpd_tls_wrappermode)
++#ifdef USE_SSL
++ pfixtls_init_serverengine(var_smtpd_tls_ccert_vd,
++ var_smtpd_tls_ask_ccert);
++#else
++ msg_warn("TLS has been selected but TLS support is not compiled in");
++#endif
++ }
++#endif
+
+ /*
+ * flush client.
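Review bot: When TLS is enabled in main.cf but `geteuid() != 0`, this block silently skips `pfixtls_init_serverengine()`, so every later STARTTLS gets the `454 TLS not available due to temporary reason` reply from starttls_cmd with nothing in the log saying why; the comment only covers `sendmail -bs`, yet the same silence hits a daemon started without privileges by a broken installation. Add an `else` branch for the configured-but-unprivileged case, e.g. `else if (var_smtpd_use_tls || var_smtpd_enforce_tls || var_smtpd_tls_wrappermode) msg_warn("TLS is enabled but keys cannot be loaded without superuser privileges");`. The braceless `if` whose body is a different statement in each `#ifdef USE_SSL` branch is the same fragile preprocessor-split pattern as in the command loop; braces around both alternatives would make it robust.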
+@@ -2677,6 +3010,9 @@
+ if (var_smtpd_crate_limit || var_smtpd_cconn_limit)
+ anvil_clnt = anvil_clnt_create();
+ #endif
++#ifdef USE_TLS
++
++#endif
+ }
+
+ /* main - the main program */
+@@ -2713,6 +3049,11 @@
+ VAR_SMTPD_CRATE_LIMIT, DEF_SMTPD_CRATE_LIMIT, &var_smtpd_crate_limit, 0, 0,
+ VAR_SMTPD_CCONN_LIMIT, DEF_SMTPD_CCONN_LIMIT, &var_smtpd_cconn_limit, 0, 0,
+ #endif
++#ifdef USE_TLS
++#ifdef USE_SSL
++ VAR_SMTPD_TLS_CCERT_VD, DEF_SMTPD_TLS_CCERT_VD, &var_smtpd_tls_ccert_vd, 0, 0,
++#endif
++#endif
+ 0,
+ };
+ static CONFIG_TIME_TABLE time_table[] = {
+@@ -2723,6 +3064,11 @@
+ VAR_SMTPD_POLICY_TMOUT, DEF_SMTPD_POLICY_TMOUT, &var_smtpd_policy_tmout, 1, 0,
+ VAR_SMTPD_POLICY_IDLE, DEF_SMTPD_POLICY_IDLE, &var_smtpd_policy_idle, 1, 0,
+ VAR_SMTPD_POLICY_TTL, DEF_SMTPD_POLICY_TTL, &var_smtpd_policy_ttl, 1, 0,
++#ifdef USE_TLS
++#ifdef USE_SSL
++ VAR_SMTPD_STARTTLS_TMOUT, DEF_SMTPD_STARTTLS_TMOUT, &var_smtpd_starttls_tmout, 1, 0,
++#endif
++#endif
+ 0,
+ };
+ static CONFIG_BOOL_TABLE bool_table[] = {
+@@ -2736,6 +3082,17 @@
+ VAR_SHOW_UNK_RCPT_TABLE, DEF_SHOW_UNK_RCPT_TABLE, &var_show_unk_rcpt_table,
+ VAR_SMTPD_REJ_UNL_FROM, DEF_SMTPD_REJ_UNL_FROM, &var_smtpd_rej_unl_from,
+ VAR_SMTPD_REJ_UNL_RCPT, DEF_SMTPD_REJ_UNL_RCPT, &var_smtpd_rej_unl_rcpt,
++#ifdef USE_TLS
++ VAR_SMTPD_USE_TLS, DEF_SMTPD_USE_TLS, &var_smtpd_use_tls,
++ VAR_SMTPD_ENFORCE_TLS, DEF_SMTPD_ENFORCE_TLS, &var_smtpd_enforce_tls,
++ VAR_SMTPD_TLS_WRAPPER, DEF_SMTPD_TLS_WRAPPER, &var_smtpd_tls_wrappermode,
++#ifdef USE_SSL
++ VAR_SMTPD_TLS_AUTH_ONLY, DEF_SMTPD_TLS_AUTH_ONLY, &var_smtpd_tls_auth_only,
++ VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert,
++ VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert,
++ VAR_SMTPD_TLS_RECHEAD, DEF_SMTPD_TLS_RECHEAD, &var_smtpd_tls_received_header,
++#endif
++#endif
+ 0,
+ };
+ static CONFIG_STR_TABLE str_table[] = {
+@@ -2777,6 +3134,12 @@
+ #ifdef SNAPSHOT
+ VAR_SMTPD_HOGGERS, DEF_SMTPD_HOGGERS, &var_smtpd_hoggers, 0, 0,
+ #endif
++#ifdef USE_TLS
++#ifdef USE_SSL
++ VAR_RELAY_CCERTS, DEF_RELAY_CCERTS, &var_relay_ccerts, 0, 0,
++ VAR_SMTPD_SASL_TLS_OPTS, DEF_SMTPD_SASL_TLS_OPTS, &var_smtpd_sasl_tls_opts, 0, 0,
++#endif
++#endif
+ 0,
+ };
+ static CONFIG_RAW_TABLE raw_table[] = {
+@@ -2799,3 +3162,6 @@
+ MAIL_SERVER_POST_INIT, post_jail_init,
+ 0);
+ }
++#ifdef USE_TLS
++
++#endif
+diff -urNad postfix-release/src/smtpd/smtpd_check.c /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_check.c
+--- postfix-release/src/smtpd/smtpd_check.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_check.c 2005-02-03 10:22:13.074093565 -0700
+@@ -151,6 +151,7 @@
+ #include <setjmp.h>
+ #include <stdlib.h>
+ #include <unistd.h>
++#include <errno.h>
+
+ #ifdef STRCASECMP_IN_STRINGS_H
+ #include <strings.h>
+@@ -185,6 +186,9 @@
+ #include <string_list.h>
+ #include <namadr_list.h>
+ #include <domain_list.h>
++#ifdef USE_TLS
++#include <string_list.h>
++#endif
+ #include <mail_params.h>
+ #include <canon_addr.h>
+ #include <resolve_clnt.h>
+@@ -269,6 +273,11 @@
+ static DOMAIN_LIST *relay_domains;
+ static NAMADR_LIST *mynetworks;
+ static NAMADR_LIST *perm_mx_networks;
++#ifdef USE_TLS
++#ifdef USE_SSL
++static MAPS *relay_ccerts;
++#endif
++#endif
+
+ /*
+ * How to do parent domain wildcard matching, if any.
+@@ -352,6 +361,8 @@
+ defer_if(&(state)->defer_if_reject, (class), (fmt), (a1), (a2))
+ #define DEFER_IF_REJECT3(state, class, fmt, a1, a2, a3) \
+ defer_if(&(state)->defer_if_reject, (class), (fmt), (a1), (a2), (a3))
++#define DEFER_IF_REJECT4(state, class, fmt, a1, a2, a3, a4) \
++ defer_if(&(state)->defer_if_reject, (class), (fmt), (a1), (a2), (a3), (a4))
+ #define DEFER_IF_PERMIT2(state, class, fmt, a1, a2) do { \
+ if ((state)->warn_if_reject == 0) \
+ defer_if(&(state)->defer_if_permit, (class), (fmt), (a1), (a2)); \
+@@ -563,6 +574,12 @@
+ perm_mx_networks =
+ namadr_list_init(match_parent_style(VAR_PERM_MX_NETWORKS),
+ var_perm_mx_networks);
++#ifdef USE_TLS
++#ifdef USE_SSL
++ relay_ccerts = maps_create(VAR_RELAY_CCERTS, var_relay_ccerts,
++ DICT_FLAG_LOCK);
++#endif
++#endif
+
+ /*
+ * Pre-parse and pre-open the recipient maps.
+@@ -1056,6 +1073,38 @@
+
+ static int permit_auth_destination(SMTPD_STATE *state, char *recipient);
+
++#ifdef USE_TLS
++/* permit_tls_clientcerts - OK/DUNNO for message relaying */
++
++#ifdef USE_SSL
++static int permit_tls_clientcerts(SMTPD_STATE *state, int permit_all_certs)
++{
++ char *low_name;
++ const char *found;
++
++ if (state->tls_info.peer_verified && permit_all_certs) {
++ if (msg_verbose)
++ msg_info("Relaying allowed for all verified client certificates");
++ return(SMTPD_CHECK_OK);
++ }
++
++ if (state->tls_info.peer_verified && state->tls_info.peer_fingerprint) {
++ low_name = lowercase(mystrdup(state->tls_info.peer_fingerprint));
++ found = maps_find(relay_ccerts, low_name, DICT_FLAG_FIXED);
++ myfree(low_name);
++ if (found) {
++ if (msg_verbose)
++ msg_info("Relaying allowed for certified client: %s", found);
++ return (SMTPD_CHECK_OK);
++ } else if (msg_verbose)
++ msg_info("relay_clientcerts: No match for fingerprint '%s'",
++ state->tls_info.peer_fingerprint);
++ }
++ return (SMTPD_CHECK_DUNNO);
++}
++#endif
++
++#endif
+ /* check_relay_domains - OK/FAIL for message relaying */
+
+ static int check_relay_domains(SMTPD_STATE *state, char *recipient,
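Review bot: A relay grant based on a client certificate is only logged under `msg_verbose`, so in a production configuration the mail log never records that `permit_tls_clientcerts` or `permit_tls_all_clientcerts` authorised a relayed message; an operator chasing an open-relay report needs that attribution in the normal log, as SASL-authenticated relaying gets. Make the two grant messages unconditional `msg_info()` calls (the `No match for fingerprint` one can stay verbose) and include the peer fingerprint in the all-certs message. The header comment should also say what `permit_all_certs` trusts — every certificate that verified against the server's configured CA set, which with a public CA bundle means anyone who can obtain a certificate: `/* permit_all_certs: trust any cert that verified against the configured CAs, not only those in relay_clientcerts; only safe with a private CA */`. The digest behind `peer_fingerprint` is not visible here; whatever it is, the relay_clientcerts documentation should name it and the lowercase-hex key format this lookup expects.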
+@@ -1196,8 +1245,16 @@
+ static int all_auth_mx_addr(SMTPD_STATE *state, char *host,
+ const char *reply_name, const char *reply_class)
+ {
++ size_t len;
+ char *myname = "all_auth_mx_addr";
+- struct in_addr addr;
++ char *addr;
++ struct in_addr addr4;
++#ifdef INET6
++ struct in6_addr addr6;
++ char hbuf[NI_MAXHOST];
++#else
++ char *hbuf;
++#endif
+ DNS_RR *rr;
+ DNS_RR *addr_list;
+ int dns_status;
+@@ -1214,7 +1271,9 @@
+ /*
+ * Verify that all host addresses are within permit_mx_backup_networks.
+ */
+- dns_status = dns_lookup(host, T_A, 0, &addr_list, (VSTRING *) 0, (VSTRING *) 0);
++ dns_status = dns_lookup_types(host, 0, (DNS_RR **) &addr_list,
++ (VSTRING *) 0,
++ (VSTRING *) 0, RR_ADDR_TYPES, 0);
+ if (dns_status != DNS_OK) {
+ DEFER_IF_REJECT3(state, MAIL_ERROR_POLICY,
+ "450 <%s>: %s rejected: Unable to look up host %s as mail exchanger",
+@@ -1222,16 +1281,28 @@
+ return (NOPE);
+ }
+ for (rr = addr_list; rr != 0; rr = rr->next) {
+- if (rr->data_len > sizeof(addr)) {
++#ifdef INET6
++ if (rr->type == T_AAAA)
++ len = sizeof(addr6), addr = (char *) &addr6;
++ else /* T_A */
++#endif
++ len = sizeof(addr4), addr = (char *) &addr4;
++ if (rr->data_len > len) {
+ msg_warn("%s: skipping address length %d for host %s",
+ state->queue_id, rr->data_len, host);
+ continue;
+ }
+- memcpy((char *) &addr, rr->data, sizeof(addr));
++ memcpy(addr, rr->data, len);
++#ifdef INET6
++ inet_ntop(rr->type == T_AAAA ? AF_INET6 : AF_INET,
++ addr, hbuf, sizeof(hbuf));
++#else
++ hbuf = inet_ntoa(*(struct in_addr *)addr);
++#endif
+ if (msg_verbose)
+- msg_info("%s: checking: %s", myname, inet_ntoa(addr));
++ msg_info("%s: checking: %s", myname, hbuf);
+
+- if (!namadr_list_match(perm_mx_networks, host, inet_ntoa(addr))) {
++ if (!namadr_list_match(perm_mx_networks, host, hbuf)) {
+
+ /*
+ * Reject: at least one IP address is not listed in
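Review bot: `if (rr->data_len > len)` still lets a short record through: a malformed A or AAAA answer carrying fewer than `len` bytes of rdata is copied with `memcpy(addr, rr->data, len)`, reading past the end of the record's data. An address record of the wrong length is never valid, so make the test exact, `if (rr->data_len != len)`; the existing `skipping address length` warning already fits. The `inet_ntop()` return value on the following lines is also unchecked — on failure `hbuf` keeps stale content that then feeds `namadr_list_match()` — so skip the record when it returns NULL.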
+@@ -1239,7 +1310,7 @@
+ */
+ if (msg_verbose)
+ msg_info("%s: address %s for %s does not match %s",
+- myname, inet_ntoa(addr), host, VAR_PERM_MX_NETWORKS);
++ myname, hbuf, host, VAR_PERM_MX_NETWORKS);
+ dns_rr_free(addr_list);
+ return (NOPE);
+ }
+@@ -1253,6 +1324,50 @@
+ static int has_my_addr(SMTPD_STATE *state, const char *host,
+ const char *reply_name, const char *reply_class)
+ {
++#ifdef INET6
++ char *myname = "has_my_addr";
++ struct addrinfo hints, *res, *res0;
++ int error;
++ char hbuf[NI_MAXHOST];
++
++ if (msg_verbose)
++ msg_info("%s: host %s", myname, host);
++
++ /*
++ * If we can't lookup the host, defer rather than reject
++ */
++#define YUP 1
++#define NOPE 0
++
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = PF_UNSPEC;
++ hints.ai_socktype = SOCK_DGRAM;
++ error = getaddrinfo(host, NULL, &hints, &res0);
++ if (error) {
++ DEFER_IF_REJECT4(state, MAIL_ERROR_POLICY,
++ "450 <%s>: %s rejected: Mail exchanger lookup error for %s: %s",
++ reply_name, reply_class, host, gai_strerror(error));
++ return (NOPE);
++ }
++ for (res = res0; res; res = res->ai_next) {
++ if (msg_verbose) {
++ if (getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, sizeof(hbuf),
++ NULL, 0, NI_NUMERICHOST)) {
++ strncpy(hbuf, "???", sizeof(hbuf));
++ }
++ msg_info("%s: addr %s", myname, hbuf);
++ }
++ if (own_inet_addr(res->ai_addr)) {
++ freeaddrinfo(res0);
++ return (YUP);
++ }
++ }
++ freeaddrinfo(res0);
++ if (msg_verbose)
++ msg_info("%s: host %s: no match", myname, host);
++
++ return (NOPE);
++#else
+ char *myname = "has_my_addr";
+ struct in_addr addr;
+ char **cpp;
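Review bot: `gai_strerror(error)` in the DEFER_IF_REJECT4 message loses the `errno` detail for `EAI_SYSTEM`, while the same patch's check_server_access() a few hunks below formats the same failure through `GAI_STRERROR(error)`; use the macro here as well (this patch defines it in smtpd_peer.c, and the `<errno.h>` include added at the top of this file suggests it was meant to be available here too — check that it actually is). `hints.ai_socktype = SOCK_DGRAM` deserves a comment, since a reader will wonder why a mail-policy check asks for datagram sockets; presumably it is there so each address comes back once rather than once per socket type: `/* one entry per address, not one per socket type -- confirm */`. The old IPv4 code under `#else` and the tail of has_my_addr lie outside the hunk.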
+@@ -1291,6 +1406,7 @@
+ msg_info("%s: host %s: no match", myname, host);
+
+ return (NOPE);
++#endif
+ }
+
+ /* i_am_mx - is this machine listed as MX relay */
+@@ -2029,6 +2145,10 @@
+ char *addr;
+ const char *value;
+ DICT *dict;
++ int delim;
++#ifdef INET6
++ struct in6_addr a6;
++#endif
+
+ if (msg_verbose)
+ msg_info("%s: %s", myname, address);
+@@ -2039,6 +2159,12 @@
+ #define CHK_ADDR_RETURN(x,y) { *found = y; return(x); }
+
+ addr = STR(vstring_strcpy(error_text, address));
++#ifdef INET6
++ if (inet_pton(AF_INET6, addr, &a6) == 1)
++ delim = ':';
++ else
++#endif
++ delim = '.';
+
+ if ((dict = dict_handle(table)) == 0)
+ msg_panic("%s: dictionary not found: %s", myname, table);
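Review bot: Splitting at `:` hands the access-map lookup a sequence of textual prefixes of the IPv6 address exactly as it was spelled, so `2001:db8::1` is looked up as `2001:db8:`, then `2001:db8`, then `2001`, and a key only matches when the client address was rendered in that same (compressed) form by the peer code; this is prefix matching on text, not on address bits, and operators writing IPv6 access entries need to know it. Say so where `delim` is chosen: `/* IPv6 keys are matched on textual ':'-delimited prefixes of the address as rendered by smtpd_peer.c (compressed form); this is not CIDR matching */`. The loop that consumes `delim` is in the following hunk.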
+@@ -2052,7 +2178,7 @@
+ msg_fatal("%s: table lookup problem", table);
+ }
+ flags = PARTIAL;
+- } while (split_at_right(addr, '.'));
++ } while (split_at_right(addr, delim));
+
+ CHK_ADDR_RETURN(SMTPD_CHECK_DUNNO, MISSED);
+ }
+@@ -2110,11 +2236,17 @@
+ DNS_RR *server_list;
+ DNS_RR *server;
+ int found = 0;
++#ifdef INET6
++ int error;
++ char *addr;
++ struct addrinfo hints, *res, *res0;
++#else
+ struct in_addr addr;
+ struct hostent *hp;
++ char **cpp;
++#endif
+ char *addr_string;
+ int status;
+- char **cpp;
+ static DNS_FIXED fixed;
+
+ /*
+@@ -2175,6 +2307,50 @@
+ /*
+ * Check the hostnames first, then the addresses.
+ */
++#ifdef INET6
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = PF_UNSPEC;
++ hints.ai_socktype = SOCK_DGRAM;
++ hints.ai_flags = AI_CANONNAME;
++ for (server = server_list; server != 0; server = server->next) {
++ error = getaddrinfo((char *)server->data, NULL, &hints, &res0);
++ if (error) {
++ msg_warn("Unable to look up %s host %s for %s %s: %s",
++ dns_strtype(type), (char *) server->data,
++ reply_class, reply_name, GAI_STRERROR(error));
++ continue;
++ }
++ if (msg_verbose)
++ msg_info("%s: %s hostname check: %s",
++ myname, dns_strtype(type), (char *) server->data);
++ if ((status = check_domain_access(state, table, (char *) server->data,
++ FULL, &found, reply_name, reply_class,
++ def_acl)) != 0 || found)
++ CHECK_SERVER_RETURN(status);
++ for (res = res0; res; res = res->ai_next) {
++ switch (res->ai_family) {
++ case AF_INET6:
++ addr = (char *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
++ break;
++ case AF_INET:
++ addr = (char *)&((struct sockaddr_in *)res->ai_addr)->sin_addr;
++ break;
++ default:
++ msg_warn("%s: unknown address family %d for %s",
++ myname, res->ai_family, (char *) server->data);
++ continue;
++ }
++ addr_string = mymalloc(NI_MAXHOST);
++ inet_ntop(res->ai_family, addr, addr_string, NI_MAXHOST);
++ status = check_addr_access(state, table, addr_string, FULL,
++ &found, reply_name, reply_class,
++ def_acl);
++ myfree(addr_string);
++ if (status != 0 || found)
++ CHECK_SERVER_RETURN(status);
++ }
++ }
++#else
+ for (server = server_list; server != 0; server = server->next) {
+ if (msg_verbose)
+ msg_info("%s: %s hostname check: %s",
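Review bot: `res0` from `getaddrinfo()` is never released in the new loop — there is no `freeaddrinfo(res0)` after the inner `for`, nor before either `CHECK_SERVER_RETURN(status)` — so every MX/NS host examined leaks its address list in a daemon that serves many sessions per process. A second behavioural change: in the old loop under `#else` the hostname is checked against the table before anything is resolved, whereas here a server name that fails to resolve hits `continue` before `check_domain_access()`, so a blacklisted MX hostname with no address records is no longer caught. Check the name first and free the list on every exit path; `hints.ai_flags = AI_CANONNAME` can also go, since `ai_canonname` is never read:
```c
	for (server = server_list; server != 0; server = server->next) {
	    if (msg_verbose)
		msg_info("%s: %s hostname check: %s",
			 myname, dns_strtype(type), (char *) server->data);
	    if ((status = check_domain_access(state, table, (char *) server->data,
					      FULL, &found, reply_name, reply_class,
					      def_acl)) != 0 || found)
		CHECK_SERVER_RETURN(status);
	    error = getaddrinfo((char *) server->data, NULL, &hints, &res0);
	    if (error) {
		msg_warn("Unable to look up %s host %s for %s %s: %s",
			 dns_strtype(type), (char *) server->data,
			 reply_class, reply_name, GAI_STRERROR(error));
		continue;
	    }
	    for (res = res0; res; res = res->ai_next) {
		/* ... unchanged: pick addr by ai_family, inet_ntop, check_addr_access ... */
		if (status != 0 || found)
		    break;
	    }
	    freeaddrinfo(res0);
	    if (status != 0 || found)
		CHECK_SERVER_RETURN(status);
	}
```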
+@@ -2210,6 +2386,7 @@
+ CHECK_SERVER_RETURN(status);
+ }
+ }
++#endif
+ CHECK_SERVER_RETURN(SMTPD_CHECK_DUNNO);
+ }
+
+@@ -2475,6 +2652,7 @@
+ * Do the query. If the DNS lookup produces no definitive reply, give the
+ * requestor the benefit of the doubt. We can't block all email simply
+ * because an RBL server is unavailable.
++ * Don't do this for AAAA records. Yet.
+ */
+ why = vstring_alloc(10);
+ dns_status = dns_lookup(query, T_A, 0, &addr_list, (VSTRING *) 0, why);
+@@ -2644,12 +2822,15 @@
+ int i;
+ SMTPD_RBL_STATE *rbl;
+ const char *reply_addr;
++#ifdef INET6
++ struct in_addr a;
++#endif
+
+ if (msg_verbose)
+ msg_info("%s: %s %s", myname, reply_class, addr);
+
+ /*
+- * IPv4 only for now
++ * IPv4 / IPv6-mapped IPv4 (if supported) only for now
+ */
+ #ifdef INET6
+ if (inet_pton(AF_INET, addr, &a) != 1)
+@@ -3238,6 +3419,14 @@
+ #else
+ msg_warn("restriction `%s' ignored: no SASL support", name);
+ #endif
++#ifdef USE_TLS
++#ifdef USE_SSL
++ } else if (strcasecmp(name, PERMIT_TLS_ALL_CLIENTCERTS) == 0) {
++ status = permit_tls_clientcerts(state, 1);
++ } else if (strcasecmp(name, PERMIT_TLS_CLIENTCERTS) == 0) {
++ status = permit_tls_clientcerts(state, 0);
++#endif
++#endif
+ } else if (strcasecmp(name, REJECT_UNKNOWN_RCPTDOM) == 0) {
+ if (state->recipient)
+ status = reject_unknown_address(state, state->recipient,
+@@ -3948,6 +4137,9 @@
+ char *var_etrn_checks = "";
+ char *var_data_checks = "";
+ char *var_relay_domains = "";
++#ifdef USE_TLS
++char *var_relay_ccerts = "";
++#endif
+ char *var_mynetworks = "";
+ char *var_notify_classes = "";
+
+diff -urNad postfix-release/src/smtpd/smtpd.h /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd.h
+--- postfix-release/src/smtpd/smtpd.h 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd.h 2005-02-03 10:22:13.075093342 -0700
+@@ -32,6 +32,9 @@
+ * Global library.
+ */
+ #include <mail_stream.h>
++#ifdef USE_TLS
++#include <pfixtls.h>
++#endif
+
+ /*
+ * Variables that keep track of conversation state. There is only one SMTP
+@@ -62,6 +65,7 @@
+ time_t time; /* start of MAIL FROM transaction */
+ char *name; /* client hostname */
+ char *addr; /* client host address string */
++ char *addr_tag; /* address family prefix */
+ char *namaddr; /* combined name and address */
+ int peer_code; /* 2=ok, 4=soft, 5=hard */
+ int error_count; /* reset after DOT */
+@@ -136,6 +140,13 @@
+ * XFORWARD server state.
+ */
+ SMTPD_XFORWARD_ATTR xforward; /* up-stream logging info */
++#ifdef USE_TLS
++ int tls_active;
++ int tls_use_tls;
++ int tls_enforce_tls;
++ int tls_auth_only;
++ tls_info_t tls_info;
++#endif
+ } SMTPD_STATE;
+
+ #define SMTPD_STATE_XFORWARD_INIT (1<<0) /* xforward preset done */
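Review bot: The five new `tls_*` members are the only fields in SMTPD_STATE without a trailing comment, and their names do not make the distinctions obvious (`tls_use_tls` versus `tls_enforce_tls` versus `tls_active`, and `tls_auth_only`, which gates AUTH rather than TLS). Document them in the file's existing style: `int tls_active; /* TLS layer is up on state->client */`, `int tls_use_tls; /* STARTTLS is offered */`, `int tls_enforce_tls; /* mail commands rejected until STARTTLS */`, `int tls_auth_only; /* AUTH accepted only under TLS */`, `tls_info_t tls_info; /* cipher and peer-certificate details from pfixtls */`. The struct's head lies before the hunk; its closing `} SMTPD_STATE;` is inside it, so the comments can be added in place.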
+diff -urNad postfix-release/src/smtpd/smtpd_peer.c /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_peer.c
+--- postfix-release/src/smtpd/smtpd_peer.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_peer.c 2005-02-03 10:22:13.076093119 -0700
+@@ -63,6 +63,20 @@
+ #include <netdb.h>
+ #include <string.h>
+
++/* Utility library. */
++
++#include <msg.h>
++#include <mymalloc.h>
++#include <valid_hostname.h>
++#include <stringops.h>
++#ifdef INET6
++#include <inet_addr_list.h> /* for NI_WITHSCOPEID */
++#endif
++
++/* Global library. */
++
++#include <mail_proto.h>
++
+ /*
+ * Older systems don't have h_errno. Even modern systems don't have
+ * hstrerror().
+@@ -84,17 +98,11 @@
+ )
+ #endif
+
+-/* Utility library. */
+-
+-#include <msg.h>
+-#include <mymalloc.h>
+-#include <valid_hostname.h>
+-#include <stringops.h>
+-
+-/* Global library. */
+-
+-#include <mail_proto.h>
+-
++#ifdef INET6
++#define GAI_STRERROR(error) \
++ ((error == EAI_SYSTEM) ? strerror(errno) : gai_strerror(error))
++#endif
++
+ /* Application-specific. */
+
+ #include "smtpd.h"
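Review bot: `GAI_STRERROR(error)` evaluates its argument twice and does not parenthesise it, so a call with a compound expression or a side effect misbehaves; write `#define GAI_STRERROR(e) (((e) == EAI_SYSTEM) ? strerror(errno) : gai_strerror(e))`. The same macro is used by name in smtpd_check.c in this patch without a visible definition there, so a shared header would keep the two from drifting apart. It also reads `errno` when expanded, and C leaves the order of evaluation of function arguments unspecified, so in a `msg_warn()` whose other arguments call into libc the errno value may already be clobbered by the time the macro runs; capturing errno into a local right after the failing getaddrinfo()/getnameinfo() call is the safe pattern.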
+@@ -103,21 +111,24 @@
+
+ void smtpd_peer_init(SMTPD_STATE *state)
+ {
+- struct sockaddr_in sin;
+- SOCKADDR_SIZE len = sizeof(sin);
++ char *myname = "smtpd_peer_init";
++#ifdef INET6
++ struct sockaddr_storage ss;
++#else
++ struct sockaddr ss;
++ struct in_addr *in;
+ struct hostent *hp;
+- int i;
++#endif
++ struct sockaddr *sa;
++ SOCKADDR_SIZE len;
+
+- /*
+- * Avoid suprious complaints from Purify on Solaris.
+- */
+- memset((char *) &sin, 0, len);
++ sa = (struct sockaddr *)&ss;
++ len = sizeof(ss);
+
+ /*
+ * Look up the peer address information.
+ */
+- if (getpeername(vstream_fileno(state->client),
+- (struct sockaddr *) & sin, &len) >= 0) {
++ if (getpeername(vstream_fileno(state->client), sa, &len) >= 0) {
+ errno = 0;
+ }
+
+@@ -133,24 +144,111 @@
+ /*
+ * Look up and "verify" the client hostname.
+ */
+- else if (errno == 0 && sin.sin_family == AF_INET) {
+- state->addr = mystrdup(inet_ntoa(sin.sin_addr));
+- hp = gethostbyaddr((char *) &(sin.sin_addr),
+- sizeof(sin.sin_addr), AF_INET);
+- if (hp == 0) {
++ else if (errno == 0 && (sa->sa_family == AF_INET
++#ifdef INET6
++ || sa->sa_family == AF_INET6
++#endif
++ )) {
++#ifdef INET6
++ char hbuf[NI_MAXHOST];
++ char abuf[NI_MAXHOST];
++ char rabuf[NI_MAXHOST];
++ struct addrinfo hints, *res0 = NULL, *res;
++ char *colonp;
++#else
++ char abuf[sizeof("255.255.255.255") + 1];
++ char *hbuf;
++#endif
++ int error = -1;
++
++#ifdef INET6
++ error = getnameinfo(sa, len, abuf, sizeof(abuf), NULL, 0,
++ NI_NUMERICHOST | NI_WITHSCOPEID);
++ if (error)
++ msg_fatal("%s: numeric getnameinfo lookup for peer: error %s",
++ myname, GAI_STRERROR(error));
++
++ /*
++ * Convert an IPv4-mapped IPv6-address to 'true' IPv4 address
++ * early on. We have no need for the mapped form in logging,
++ * hostname verification and access checks.
++ */
++ if (sa->sa_family == AF_INET6
++ && IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)sa)->sin6_addr)
++ && (colonp = strrchr(abuf, ':')) != NULL) {
++ struct addrinfo hints, *res0;
++ if (msg_verbose > 1)
++ msg_info("%s: rewriting V4-mapped address \"%s\" to \"%s\"",
++ myname, abuf, colonp + 1);
++ state->addr = mystrdup(colonp + 1);
++ /*
++ * We create new socket information so getnameinfo() will be
++ * performed on the rewritten IPv4 address.
++ */
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = AF_INET;
++ hints.ai_socktype = SOCK_STREAM;
++ hints.ai_flags = AI_NUMERICHOST;
++ error = getaddrinfo(state->addr, NULL, &hints, &res0);
++ if (error)
++ msg_panic("%s: getaddrinfo(\"%s\", NULL, "
++ "{AF_INET,SOCK_STREAM,AI_NUMERICHOST}, "
++ "&res0): %s", myname, state->addr,
++ GAI_STRERROR(error));
++ len = res0->ai_addrlen;
++ memcpy((char *)sa, res0->ai_addr, len);
++ } else {
++ state->addr = mystrdup(abuf);
++ }
++
++ /*
++ * RFC 2821 section 4.1.3: IPv6 address literals in SMTP
++ * mail headers are prepended with tag 'IPv6' and a colon.
++ */
++ if (sa->sa_family == AF_INET6)
++ state->addr_tag = "IPv6:";
++
++ error = getnameinfo(sa, len, hbuf, sizeof(hbuf), NULL, 0, NI_NAMEREQD);
++#else
++ in = &((struct sockaddr_in *)sa)->sin_addr;
++ inet_ntop(AF_INET, in, abuf, sizeof(abuf));
++ state->addr = mystrdup(abuf);
++ hbuf = NULL;
++ hp = gethostbyaddr((char *)in, sizeof(*in), AF_INET);
++ if (hp) {
++ error = 0;
++ hbuf = mystrdup(hp->h_name);
++ } else
++ error = 1;
++#endif
++ if (error) {
+ state->name = mystrdup(CLIENT_NAME_UNKNOWN);
++#ifdef INET6
++ if (error != EAI_NONAME)
++ msg_warn("%s: getnameinfo(%s,,,,,,NI_NAMEREQD) error %s",
++ myname, abuf, GAI_STRERROR(error));
++ /*
++ * XXX: There are other error codes from GAI that should
++ * result in only a temporary error code from this daemon.
++ * This also applies to get{addr,name}info() results
++ * below.
++ */
++ state->peer_code = (error == EAI_AGAIN ?
++ SMTPD_PEER_CODE_TEMP : SMTPD_PEER_CODE_PERM);
++#else
+ state->peer_code = (h_errno == TRY_AGAIN ?
+ SMTPD_PEER_CODE_TEMP : SMTPD_PEER_CODE_PERM);
+- } else if (valid_hostaddr(hp->h_name, DONT_GRIPE)) {
++#endif
++ } else if (valid_hostaddr(hbuf, DONT_GRIPE)) {
+ msg_warn("numeric result %s in address->name lookup for %s",
+- hp->h_name, state->addr);
++ hbuf, state->addr);
+ state->name = mystrdup(CLIENT_NAME_UNKNOWN);
+ state->peer_code = SMTPD_PEER_CODE_PERM;
+- } else if (!valid_hostname(hp->h_name, DONT_GRIPE)) {
++ } else if (!valid_hostname(hbuf, DONT_GRIPE)) {
+ state->name = mystrdup(CLIENT_NAME_UNKNOWN);
+ state->peer_code = SMTPD_PEER_CODE_PERM;
+ } else {
+- state->name = mystrdup(hp->h_name); /* hp->name is clobbered!! */
++ state->name = mystrdup(hbuf);
+ state->peer_code = SMTPD_PEER_CODE_OK;
+
+ /*
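Review bot: In the IPv4-mapped rewrite branch the inner `struct addrinfo hints, *res0;` shadows the outer declarations, and the list returned by `getaddrinfo(state->addr, NULL, &hints, &res0)` is copied out with `memcpy((char *)sa, res0->ai_addr, len)` and then never freed — the `if (res0) freeaddrinfo(res0);` further down in the next hunk applies to the outer variable, which this branch never touches. Add `freeaddrinfo(res0);` right after the memcpy and drop the inner declarations so only one `res0` exists. On the `#else` side, `hbuf = mystrdup(hp->h_name)` replaces what used to be a borrowed pointer, and no `myfree(hbuf)` is visible in either hunk of this function, so each connection leaks the hostname unless it is released further down. The `msg_panic()` on a numeric getaddrinfo() failure is reasonable, since the input was just produced by getnameinfo(); a comment saying so would stop the next reader from "fixing" it into a soft error. smtpd_peer_init continues into the next hunk.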
+@@ -162,17 +260,55 @@
+ state->peer_code = code; \
+ }
+
+- hp = gethostbyname(state->name); /* clobbers hp->name!! */
++#ifdef INET6
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = AF_UNSPEC;
++ hints.ai_socktype = SOCK_STREAM;
++ error = getaddrinfo(state->name, NULL, &hints, &res0);
++ if (error) {
++ msg_warn("%s: %s: hostname %s verification failed: %s",
++ myname, state->addr, state->name,
++ GAI_STRERROR(error));
++ REJECT_PEER_NAME(state, (error == EAI_AGAIN ?
++ SMTPD_PEER_CODE_TEMP : SMTPD_PEER_CODE_PERM));
++ } else {
++ for (res = res0; res; res = res->ai_next) {
++ if (res->ai_family != sa->sa_family)
++ continue;
++ error = getnameinfo(res->ai_addr, res->ai_addrlen,
++ rabuf, sizeof(rabuf), NULL, 0,
++ NI_NUMERICHOST | NI_WITHSCOPEID);
++ if (error) {
++ msg_warn("%s: %s: hostname %s verification failed: %s",
++ myname, state->addr, state->name,
++ GAI_STRERROR(error));
++ REJECT_PEER_NAME(state, SMTPD_PEER_CODE_TEMP);
++ break;
++ }
++ if (strcmp(state->addr, rabuf) == 0)
++ break; /* keep peer name */
++ }
++ if (res == NULL) {
++ msg_warn("%s: %s: address not listed for hostname %s",
++ myname, state->addr, state->name);
++ REJECT_PEER_NAME(state, SMTPD_PEER_CODE_PERM);
++ }
++ }
++ if (res0)
++ freeaddrinfo(res0);
++#else
++ hp = gethostbyname(state->name);
+ if (hp == 0) {
+ msg_warn("%s: hostname %s verification failed: %s",
+ state->addr, state->name, HSTRERROR(h_errno));
+ REJECT_PEER_NAME(state, (h_errno == TRY_AGAIN ?
+- SMTPD_PEER_CODE_TEMP : SMTPD_PEER_CODE_PERM));
+- } else if (hp->h_length != sizeof(sin.sin_addr)) {
++ SMTPD_PEER_CODE_TEMP : SMTPD_PEER_CODE_PERM));
++ } else if (hp->h_length != sizeof(*in)) {
+ msg_warn("%s: hostname %s verification failed: bad address size %d",
+ state->addr, state->name, hp->h_length);
+ REJECT_PEER_NAME(state, SMTPD_PEER_CODE_PERM);
+ } else {
++ int i;
+ for (i = 0; /* void */ ; i++) {
+ if (hp->h_addr_list[i] == 0) {
+ msg_warn("%s: address not listed for hostname %s",
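Review bot: The forward-confirmation at `strcmp(state->addr, rabuf) == 0` compares two textual renderings, which is fragile for IPv6: `state->addr` has been through `getnameinfo(NI_NUMERICHOST | NI_WITHSCOPEID)` and a possible v4-mapped rewrite, while `rabuf` comes from a fresh `getaddrinfo()` result, so a link-local peer carrying a scope id, or a name whose AAAA record is the v4-mapped form of the peer, fails to match and is given `REJECT_PEER_NAME(..., SMTPD_PEER_CODE_PERM)` although the name is correct. Compare the address bytes instead; the family is already checked on the line above, which also removes the `getnameinfo()` error path and `rabuf`. The enclosing `else` branch of smtpd_peer_init opens in the previous hunk.
```c
	    for (res = res0; res; res = res->ai_next) {
		if (res->ai_family != sa->sa_family)
		    continue;
		if (res->ai_family == AF_INET6
		    ? memcmp(&((struct sockaddr_in6 *) res->ai_addr)->sin6_addr,
			     &((struct sockaddr_in6 *) sa)->sin6_addr,
			     sizeof(struct in6_addr)) == 0
		    : memcmp(&((struct sockaddr_in *) res->ai_addr)->sin_addr,
			     &((struct sockaddr_in *) sa)->sin_addr,
			     sizeof(struct in_addr)) == 0)
		    break;			/* keep peer name */
	    }
	    /* ... unchanged: res == NULL -> "address not listed", REJECT_PEER_NAME(PERM) ... */
```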
+@@ -180,12 +316,11 @@
+ REJECT_PEER_NAME(state, SMTPD_PEER_CODE_PERM);
+ break;
+ }
+- if (memcmp(hp->h_addr_list[i],
+- (char *) &sin.sin_addr,
+- sizeof(sin.sin_addr)) == 0)
++ if (memcmp(hp->h_addr_list[i], (char *)in, sizeof(*in)) == 0)
+ break; /* keep peer name */
+ }
+ }
++#endif
+ }
+ }
+
+diff -urNad postfix-release/src/smtpd/smtpd_sasl_glue.c /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_sasl_glue.c
+--- postfix-release/src/smtpd/smtpd_sasl_glue.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_sasl_glue.c 2005-02-03 10:22:13.076093119 -0700
+@@ -181,6 +181,16 @@
+ return SASL_OK;
+ }
+
++static int smtpd_sasl_getpath(void * context, char ** path)
++{
++#if SASL_VERSION_MAJOR >= 2
++ *path = strdup("/etc/postfix/sasl:/usr/lib/sasl2");
++#else
++ *path = strdup("/etc/postfix/sasl:/usr/lib/sasl");
++#endif
++ return SASL_OK;
++}
++
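Review bot: `strdup()` can return NULL and the callback returns `SASL_OK` regardless, handing libsasl a null path; check it and return `SASL_NOMEM`. The Cyrus SASL 2 prototype for this callback takes `const char **path` and, as far as I recall its contract, the library does not free what it receives — a fresh `strdup()` per call would then leak and a `static const char` string is the intended shape — so please confirm against the sasl.h in the build environment before relying on either behaviour. The unused `context` parameter should be spelled `unused_context` to match the file's convention. Operationally, prepending `/etc/postfix/sasl` to the plugin search path means libsasl will `dlopen()` whatever shared objects it finds there, so the packaging must ship that directory root-owned and not writable by the postfix user, otherwise it is a code-loading vector into smtpd.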
+ /*
+ * SASL callback interface structure. These call-backs have no per-session
+ * context.
+@@ -189,6 +199,7 @@
+
+ static sasl_callback_t callbacks[] = {
+ {SASL_CB_LOG, &smtpd_sasl_log, NO_CALLBACK_CONTEXT},
++ {SASL_CB_GETPATH,&smtpd_sasl_getpath, NO_CALLBACK_CONTEXT},
+ {SASL_CB_LIST_END, 0, 0}
+ };
+
+diff -urNad postfix-release/src/smtpd/smtpd_sasl_proto.c /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_sasl_proto.c
+--- postfix-release/src/smtpd/smtpd_sasl_proto.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_sasl_proto.c 2005-02-03 10:22:13.076093119 -0700
+@@ -129,6 +129,15 @@
+ smtpd_chat_reply(state, "503 Error: authentication not enabled");
+ return (-1);
+ }
++#ifdef USE_TLS
++#ifdef USE_SSL
++ if (state->tls_auth_only && !state->tls_active) {
++ state->error_mask |= MAIL_ERROR_PROTOCOL;
++ smtpd_chat_reply(state, "538 Encryption required for requested authentication mechanism");
++ return (-1);
++ }
++#endif
++#endif
+ if (state->sasl_username) {
+ state->error_mask |= MAIL_ERROR_PROTOCOL;
+ smtpd_chat_reply(state, "503 Error: already authenticated");
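Review bot: The gate rejects AUTH before TLS, but with `tls_auth_only` set the EHLO reply should also stop advertising AUTH until TLS is active — clients try only what is advertised, and one that sees AUTH listed will keep failing with 538 instead of upgrading with STARTTLS first; the ehlo_cmd change that would do this is not in the visible hunks, so please confirm it exists. Also note for later readers why this is not the usual 503: `/* RFC 2554: 538 = encryption required for the requested authentication mechanism */` on the reply line.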
+diff -urNad postfix-release/src/smtpd/smtpd_state.c /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_state.c
+--- postfix-release/src/smtpd/smtpd_state.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_state.c 2005-02-03 10:22:13.076093119 -0700
+@@ -77,6 +77,7 @@
+ state->notify_mask = name_mask(VAR_NOTIFY_CLASSES, mail_error_masks,
+ var_notify_classes);
+ state->helo_name = 0;
++ state->addr_tag = "";
+ state->queue_id = 0;
+ state->cleanup = 0;
+ state->dest = 0;
+@@ -111,6 +112,13 @@
+ state->saved_flags = 0;
+ state->instance = vstring_alloc(10);
+ state->seqno = 0;
++#ifdef USE_TLS
++ state->tls_active = 0;
++ state->tls_use_tls = 0;
++ state->tls_enforce_tls = 0;
++ state->tls_info = tls_info_zero;
++ state->tls_auth_only = 0;
++#endif
+
+ #ifdef USE_SASL_AUTH
+ if (SMTPD_STAND_ALONE(state))
+diff -urNad postfix-release/src/smtpstone/Makefile.in /tmp/dpep.cXJuVH/postfix-release/src/smtpstone/Makefile.in
+--- postfix-release/src/smtpstone/Makefile.in 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpstone/Makefile.in 2005-02-03 10:22:13.077092896 -0700
+@@ -33,7 +33,7 @@
+
+ tests: test
+
+-update: ../../bin/smtp-source ../../bin/smtp-sink ../../bin/qmqp-source
++update: ../../bin/smtp-source ../../bin/smtp-sink ../../bin/qmqp-source ../../bin/qmqp-sink
+
+ ../../bin/smtp-source: smtp-source
+ cp $? $@
+diff -urNad postfix-release/src/smtpstone/qmqp-sink.c /tmp/dpep.cXJuVH/postfix-release/src/smtpstone/qmqp-sink.c
+--- postfix-release/src/smtpstone/qmqp-sink.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpstone/qmqp-sink.c 2005-02-03 10:22:13.077092896 -0700
+@@ -275,7 +275,7 @@
+ } else {
+ if (strncmp(argv[optind], "inet:", 5) == 0)
+ argv[optind] += 5;
+- sock = inet_listen(argv[optind], backlog, BLOCKING);
++ sock = inet_listen(argv[optind], backlog, BLOCKING, 1);
+ }
+
+ /*
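Review bot: The new fourth argument to `inet_listen()` is a bare `1` here and in the matching smtp-sink.c hunk (L21591–L21599), and the signature change itself lives outside these files, so a reader cannot tell from either call site what the flag selects. A named constant from the header that declares `inet_listen()`, or at least a trailing comment naming the parameter, would document the intent at both places.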
+diff -urNad postfix-release/src/smtpstone/smtp-sink.c /tmp/dpep.cXJuVH/postfix-release/src/smtpstone/smtp-sink.c
+--- postfix-release/src/smtpstone/smtp-sink.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpstone/smtp-sink.c 2005-02-03 10:22:13.077092896 -0700
+@@ -692,7 +692,7 @@
+ } else {
+ if (strncmp(argv[optind], "inet:", 5) == 0)
+ argv[optind] += 5;
+- sock = inet_listen(argv[optind], backlog, BLOCKING);
++ sock = inet_listen(argv[optind], backlog, BLOCKING, 1);
+ }
+
+ /*
+diff -urNad postfix-release/src/tlsmgr/Makefile.in /tmp/dpep.cXJuVH/postfix-release/src/tlsmgr/Makefile.in
+--- postfix-release/src/tlsmgr/Makefile.in 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/tlsmgr/Makefile.in 2005-02-03 10:22:13.077092896 -0700
+@@ -0,0 +1,94 @@
++SHELL = /bin/sh
++SRCS = ../global/pfixtls.c tlsmgr.c
++OBJS = tlsmgr.o
++HDRS =
++TESTSRC =
++WARN = -W -Wformat -Wimplicit -Wmissing-prototypes \
++ -Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
++ -Wunused
++DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE)
++CFLAGS = $(DEBUG) $(OPT) $(DEFS)
++TESTPROG=
++PROG = tlsmgr
++INC_DIR = ../../include
++LIBS = ../../lib/libmaster.a ../../lib/libglobal.a ../../lib/libutil.a ../../lib/pfixtls.o
++TLSO = pfixtls.o
++
++$(TLSO):; $(CC) $(CFLAGS) -c ../global/pfixtls.c
++
++.c.o:; $(CC) $(CFLAGS) -c $*.c
++
++$(PROG): $(OBJS) $(LIBS)
++ $(CC) $(CFLAGS) -o $@ $(OBJS) $(LIBS) $(SYSLIBS)
++
++Makefile: Makefile.in
++ (set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../../makedefs; cat $?) >$@
++
++test: $(TESTPROG)
++
++update: ../../lib/$(TLSO) ../../libexec/$(PROG)
++
++../../lib/$(TLSO): $(TLSO)
++ cp $(TLSO) ../../lib
++
++../../libexec/$(PROG): $(PROG)
++ cp $(PROG) ../../libexec
++
++printfck: $(OBJS) $(PROG)
++ rm -rf printfck
++ mkdir printfck
++ cp *.h printfck
++ sed '1,/^# do not edit/!d' Makefile >printfck/Makefile
++ set -e; for i in *.c; do printfck -f .printfck $$i >printfck/$$i; done
++ cd printfck; make "INC_DIR=../../../../include" `cd ../..; ls *.o`
++
++lint:
++ lint $(DEFS) $(SRCS) $(LINTFIX)
++
++clean:
++ rm -f *.o *core $(PROG) $(TESTPROG) junk pfixtls.c
++ rm -rf printfck
++
++tidy: clean
++
++depend: $(MAKES)
++ (sed '1,/^# do not edit/!d' Makefile.in; \
++ set -e; for i in [a-z][a-z0-9]*.c; do \
++ $(CC) -E $(DEFS) $(INCL) $$i | sed -n -e '/^# *1 *"\([^"]*\)".*/{' \
++ -e 's//'`echo $$i|sed 's/c$$/o/'`': \1/' -e 'p' -e '}'; \
++ done) | grep -v '[.][o][:][ ][/]' >$$$$ && mv $$$$ Makefile.in
++ @make -f Makefile.in Makefile
++
++# do not edit below this line - it is generated by 'make depend'
++tlsmgr.o: tlsmgr.c
++tlsmgr.o: ../../include/sys_defs.h
++tlsmgr.o: ../../include/msg.h
++tlsmgr.o: ../../include/events.h
++tlsmgr.o: ../../include/vstream.h
++tlsmgr.o: ../../include/vbuf.h
++tlsmgr.o: ../../include/dict.h
++tlsmgr.o: ../../include/argv.h
++tlsmgr.o: ../../include/vstring.h
++tlsmgr.o: ../../include/stringops.h
++tlsmgr.o: ../../include/mymalloc.h
++tlsmgr.o: ../../include/connect.h
++tlsmgr.o: ../../include/myflock.h
++tlsmgr.o: ../../include/mail_conf.h
++tlsmgr.o: ../../include/mail_params.h
++tlsmgr.o: ../../include/iostuff.h
++tlsmgr.o: ../../include/master_proto.h
++tlsmgr.o: ../../include/mail_server.h
++tlsmgr.o: ../../include/pfixtls.h
++pfixtls.o: ../global/pfixtls.c
++pfixtls.o: ../../include/sys_defs.h
++pfixtls.o: ../../include/iostuff.h
++pfixtls.o: ../../include/mymalloc.h
++pfixtls.o: ../../include/vstring.h
++pfixtls.o: ../../include/vstream.h
++pfixtls.o: ../../include/dict.h
++pfixtls.o: ../../include/myflock.h
++pfixtls.o: ../../include/stringops.h
++pfixtls.o: ../../include/msg.h
++pfixtls.o: ../../include/connect.h
++pfixtls.o: ../../include/mail_params.h
++pfixtls.o: ../../include/pfixtls.h
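Review bot: The `$(TLSO):;` rule at L21620 declares no prerequisite and hard-codes `../global/pfixtls.c` in its recipe, so the object is rebuilt after a source change only because the generated list at the bottom (`pfixtls.o: ../global/pfixtls.c`) adds that edge behind the rule's back; writing the header as `$(TLSO): ../global/pfixtls.c` (recipe unchanged) makes the rule self-describing and survives a re-run of `make depend`, whose loop at L21659 only scans `*.c` in this directory and would therefore drop the generated `pfixtls.o:` lines. `clean` at L21652 also removes a `pfixtls.c` in this directory that no rule here creates, which looks like a leftover from a layout that copied the source locally. The `printfck` and `depend` recipes invoke literal `make` rather than `$(MAKE)`; this mirrors the other Postfix Makefile.in files, but it means `-n` and the jobserver are not propagated to the recursive call.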
+diff -urNad postfix-release/src/tlsmgr/tlsmgr.c /tmp/dpep.cXJuVH/postfix-release/src/tlsmgr/tlsmgr.c
+--- postfix-release/src/tlsmgr/tlsmgr.c 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/tlsmgr/tlsmgr.c 2005-02-03 10:22:13.078092673 -0700
+@@ -0,0 +1,600 @@
++#ifdef USE_TLS
++/*++
++/* NAME
++/* tlsmgr 8
++/* SUMMARY
++/* Postfix TLS session cache and PRNG handling manager
++/* SYNOPSIS
++/* \fBtlsmgr\fR [generic Postfix daemon options]
++/* DESCRIPTION
++/* The tlsmgr process does housekeeping on the session cache database
++/* files. It runs through the databases and removes expired entries
++/* and entries written by older (incompatible) versions.
++/*
++/* The tlsmgr is responsible for the PRNG handling. The used internal
++/* OpenSSL PRNG has a pool size of 8192 bits (= 1024 bytes). The pool
++/* is initially seeded at startup from an external source (EGD or
++/* /dev/urandom) and additional seed is obtained later during program
++/* run at a configurable period. The exact time of seed query is
++/* using random information and is equally distributed in the range of
++/* [0-\fBtls_random_reseed_period\fR] with a \fBtls_random_reseed_period\fR
++/* having a default of 1 hour.
++/*
++/* Tlsmgr can be run chrooted and with dropped privileges, as it will
++/* connect to the entropy source at startup.
++/*
++/* The PRNG is additionally seeded internally by the data found in the
++/* session cache and timevalues.
++/*
++/* Tlsmgr reads the old value of the exchange file at startup to keep
++/* entropy already collected during previous runs.
++/*
++/* From the PRNG random pool a cryptographically strong 1024 byte random
++/* sequence is written into the PRNG exchange file. The file is updated
++/* periodically with the time changing randomly from
++/* [0-\fBtls_random_prng_update_period\fR].
++/* STANDARDS
++/* SECURITY
++/* .ad
++/* .fi
++/* Tlsmgr is not security-sensitive. It only deals with external data
++/* to be fed into the PRNG, the contents is never trusted. The session
++/* cache housekeeping will only remove entries if expired and will never
++/* touch the contents of the cached data.
++/* DIAGNOSTICS
++/* Problems and transactions are logged to the syslog daemon.
++/* BUGS
++/* There is no automatic means to limit the number of entries in the
++/* session caches and/or the size of the session cache files.
++/* CONFIGURATION PARAMETERS
++/* .ad
++/* .fi
++/* The following \fBmain.cf\fR parameters are especially relevant to
++/* this program. See the Postfix \fBmain.cf\fR file for syntax details
++/* and for default values. Use the \fBpostfix reload\fR command after
++/* a configuration change.
++/* .SH Session Cache
++/* .ad
++/* .fi
++/* .IP \fBsmtpd_tls_session_cache_database\fR
++/* Name of the SDBM file (type sdbm:) containing the SMTP server session
++/* cache. If the file does not exist, it is created.
++/* .IP \fBsmtpd_tls_session_cache_timeout\fR
++/* Expiry time of SMTP server session cache entries in seconds. Entries
++/* older than this are removed from the session cache. A cleanup-run is
++/* performed periodically every \fBsmtpd_tls_session_cache_timeout\fR
++/* seconds. Default is 3600 (= 1 hour).
++/* .IP \fBsmtp_tls_session_cache_database\fR
++/* Name of the SDBM file (type sdbm:) containing the SMTP client session
++/* cache. If the file does not exist, it is created.
++/* .IP \fBsmtp_tls_session_cache_timeout\fR
++/* Expiry time of SMTP client session cache entries in seconds. Entries
++/* older than this are removed from the session cache. A cleanup-run is
++/* performed periodically every \fBsmtp_tls_session_cache_timeout\fR
++/* seconds. Default is 3600 (= 1 hour).
++/* .SH Pseudo Random Number Generator
++/* .ad
++/* .fi
++/* .IP \fBtls_random_source\fR
++/* Name of the EGD socket or device or regular file to obtain entropy
++/* from. The type of entropy source must be specified by preceding the
++/* name with the appropriate type: egd:/path/to/egd_socket,
++/* dev:/path/to/devicefile, or /path/to/regular/file.
++/* tlsmgr opens \fBtls_random_source\fR and tries to read
++/* \fBtls_random_bytes\fR from it.
++/* .IP \fBtls_random_bytes\fR
++/* Number of bytes to be read from \fBtls_random_source\fR.
++/* Default value is 32 bytes. If using EGD, a maximum of 255 bytes is read.
++/* .IP \fBtls_random_exchange_name\fR
++/* Name of the file written by tlsmgr and read by smtp and smtpd at
++/* startup. The length is 1024 bytes. Default value is
++/* /etc/postfix/prng_exch.
++/* .IP \fBtls_random_reseed_period\fR
++/* Time in seconds until the next reseed from external sources is due.
++/* This is the maximum value. The actual point in time is calculated
++/* with a random factor equally distributed between 0 and this maximum
++/* value. Default is 3600 (= 60 minutes).
++/* .IP \fBtls_random_prng_update_period\fR
++/* Time in seconds until the PRNG exchange file is updated with new
++/* pseude random values. This is the maximum value. The actual point
++/* in time is calculated with a random factor equally distributed
++/* between 0 and this maximum value. Default is 60 (= 1 minute).
++/* SEE ALSO
++/* smtp(8) SMTP client
++/* smtpd(8) SMTP server
++/* LICENSE
++/* .ad
++/* .fi
++/* The Secure Mailer license must be distributed with this software.
++/* AUTHOR(S)
++/*--*/
++
++/* System library. */
++
++#include <sys_defs.h>
++#include <stdlib.h>
++#include <unistd.h>
++#include <ctype.h>
++#include <errno.h>
++#include <string.h>
++#include <sys/time.h> /* gettimeofday, not POSIX */
++
++/* OpenSSL library. */
++#ifdef USE_SSL
++#include <openssl/rand.h> /* For the PRNG */
++#endif
++
++/* Utility library. */
++
++#include <msg.h>
++#include <events.h>
++#include <dict.h>
++#include <stringops.h>
++#include <mymalloc.h>
++#include <connect.h>
++#include <myflock.h>
++
++/* Global library. */
++
++#include <mail_conf.h>
++#include <mail_params.h>
++#include <pfixtls.h>
++
++/* Master process interface */
++
++#include <master_proto.h>
++#include <mail_server.h>
++
++/* Application-specific. */
++
++#ifdef USE_SSL
++ /*
++ * Tunables.
++ */
++char *var_tls_rand_source;
++int var_tls_rand_bytes;
++int var_tls_reseed_period;
++int var_tls_prng_upd_period;
++
++static int rand_exch_fd;
++static int rand_source_dev_fd = -1;
++static int rand_source_socket_fd = -1;
++static int srvr_scache_db_active;
++static int clnt_scache_db_active;
++static DICT *srvr_scache_db = NULL;
++static DICT *clnt_scache_db = NULL;
++
++static void tlsmgr_prng_upd_event(int unused_event, char *dummy)
++{
++ struct timeval tv;
++ unsigned char buffer[1024];
++ int next_period;
++
++ /*
++ * It is time to update the PRNG exchange file. Since other processes might
++ * have added entropy, we do this in a read_stir-back_write cycle.
++ */
++ GETTIMEOFDAY(&tv);
++ RAND_seed(&tv, sizeof(struct timeval));
++
++ if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) != 0)
++ msg_fatal("Could not lock random exchange file: %s",
++ strerror(errno));
++
++ lseek(rand_exch_fd, 0, SEEK_SET);
++ if (read(rand_exch_fd, buffer, 1024) < 0)
++ msg_fatal("reading exchange file failed");
++ RAND_seed(buffer, 1024);
++
++ RAND_bytes(buffer, 1024);
++ lseek(rand_exch_fd, 0, SEEK_SET);
++ if (write(rand_exch_fd, buffer, 1024) != 1024)
++ msg_fatal("Writing exchange file failed");
++
++ if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) != 0)
++ msg_fatal("Could not unlock random exchange file: %s",
++ strerror(errno));
++
++ /*
++ * Make prediction difficult for outsiders and calculate the time for the
++ * next execution randomly.
++ */
++ next_period = (var_tls_prng_upd_period * buffer[0]) / 255;
++ event_request_timer(tlsmgr_prng_upd_event, dummy, next_period);
++}
++
++
++static void tlsmgr_reseed_event(int unused_event, char *dummy)
++{
++ int egd_success;
++ int next_period;
++ int rand_bytes;
++ char buffer[255];
++ struct timeval tv;
++ unsigned char randbyte;
++
++ /*
++ * It is time to reseed the PRNG.
++ */
++
++ GETTIMEOFDAY(&tv);
++ RAND_seed(&tv, sizeof(struct timeval));
++ if (rand_source_dev_fd != -1) {
++ rand_bytes = read(rand_source_dev_fd, buffer, var_tls_rand_bytes);
++ if (rand_bytes > 0)
++ RAND_seed(buffer, rand_bytes);
++ else if (rand_bytes < 0) {
++ msg_fatal("Read from entropy device %s failed",
++ var_tls_rand_source);
++ }
++ } else if (rand_source_socket_fd != -1) {
++ egd_success = 0;
++ buffer[0] = 1;
++ buffer[1] = var_tls_rand_bytes;
++ if (write(rand_source_socket_fd, buffer, 2) != 2)
++ msg_info("Could not talk to %s", var_tls_rand_source);
++ else if (read(rand_source_socket_fd, buffer, 1) != 1)
++ msg_info("Could not read info from %s", var_tls_rand_source);
++ else {
++ rand_bytes = buffer[0];
++ if (read(rand_source_socket_fd, buffer, rand_bytes) != rand_bytes)
++ msg_info("Could not read data from %s", var_tls_rand_source);
++ else {
++ egd_success = 1;
++ RAND_seed(buffer, rand_bytes);
++ }
++ }
++ if (!egd_success) {
++ msg_info("Lost connection to EGD-device, exiting to reconnect.");
++ exit(0);
++ }
++ } else if (*var_tls_rand_source) {
++ rand_bytes = RAND_load_file(var_tls_rand_source, var_tls_rand_bytes);
++ }
++
++ /*
++ * Make prediction difficult for outsiders and calculate the time for the
++ * next execution randomly.
++ */
++ RAND_bytes(&randbyte, 1);
++ next_period = (var_tls_reseed_period * randbyte) / 255;
++ event_request_timer(tlsmgr_reseed_event, dummy, next_period);
++}
++
++
++static int tlsmgr_do_scache_check(DICT *scache_db, int scache_timeout,
++ int start)
++{
++ int func;
++ int len;
++ int n;
++ int delete = 0;
++ int result;
++ struct timeval tv;
++ const char *member;
++ const char *value;
++ char *member_copy;
++ unsigned char nibble, *data;
++ pfixtls_scache_info_t scache_info;
++
++ GETTIMEOFDAY(&tv);
++ RAND_seed(&tv, sizeof(struct timeval));
++
++ /*
++ * Run through the given dictionary and check the stored sessions.
++ * If "start" is set to 1, a new run is initiated, otherwise the next
++ * item is accessed. The state is internally kept in the DICT.
++ */
++ if (start)
++ func = DICT_SEQ_FUN_FIRST;
++ else
++ func = DICT_SEQ_FUN_NEXT;
++ result = dict_seq(scache_db, func, &member, &value);
++
++ if (result > 0)
++ return 0; /* End of list reached */
++ else if (result < 0)
++ msg_fatal("Database fault, should already be caught.");
++ else {
++ member_copy = mystrdup(member);
++ len = strlen(value);
++ RAND_seed(value, len); /* Use it to increase entropy */
++ if (len < 2 * sizeof(pfixtls_scache_info_t))
++ delete = 1; /* Messed up, delete */
++ else if (len > 2 * sizeof(pfixtls_scache_info_t))
++ len = 2 * sizeof(pfixtls_scache_info_t);
++ if (!delete) {
++ data = (unsigned char *)(&scache_info);
++ memset(data, 0, len / 2);
++ for (n = 0; n < len; n++) {
++ if ((value[n] >= '0') && (value[n] <= '9'))
++ nibble = value[n] - '0';
++ else
++ nibble = value[n] - 'A' + 10;
++ if (n % 2)
++ data[n / 2] |= nibble;
++ else
++ data[n / 2] |= (nibble << 4);
++ }
++
++ if ((scache_info.scache_db_version != scache_db_version) ||
++ (scache_info.openssl_version != openssl_version) ||
++ (scache_info.timestamp + scache_timeout < time(NULL)))
++ delete = 1;
++ }
++ if (delete)
++ result = dict_del(scache_db, member_copy);
++ myfree(member_copy);
++ }
++
++ if (delete && result)
++ msg_info("Could not delete %s", member);
++ return 1;
++
++}
++
++static void tlsmgr_clnt_cache_run_event(int unused_event, char *dummy)
++{
++
++ /*
++ * This routine runs when it is time for another tls session cache scan.
++ * Make sure this routine gets called again in the future.
++ */
++ clnt_scache_db_active = tlsmgr_do_scache_check(clnt_scache_db,
++ var_smtp_tls_scache_timeout, 1);
++ event_request_timer(tlsmgr_clnt_cache_run_event, dummy,
++ var_smtp_tls_scache_timeout);
++}
++
++
++static void tlsmgr_srvr_cache_run_event(int unused_event, char *dummy)
++{
++
++ /*
++ * This routine runs when it is time for another tls session cache scan.
++ * Make sure this routine gets called again in the future.
++ */
++ srvr_scache_db_active = tlsmgr_do_scache_check(srvr_scache_db,
++ var_smtpd_tls_scache_timeout, 1);
++ event_request_timer(tlsmgr_srvr_cache_run_event, dummy,
++ var_smtpd_tls_scache_timeout);
++}
++
++
++static DICT *tlsmgr_cache_open(const char *dbname)
++{
++ DICT *retval;
++ char *dbpagname;
++ char *dbdirname;
++
++ /*
++ * First, try to find out the real name of the database file, so that
++ * it can be removed.
++ */
++ if (!strncmp(dbname, "sdbm:", 5)) {
++ dbpagname = concatenate(dbname + 5, ".pag", NULL);
++ REMOVE(dbpagname);
++ myfree(dbpagname);
++ dbdirname = concatenate(dbname + 5, ".dir", NULL);
++ REMOVE(dbdirname);
++ myfree(dbdirname);
++ }
++ else {
++ msg_warn("Only type sdbm: supported: %s", dbname);
++ return NULL;
++ }
++
++ /*
++ * Now open the dictionary. Do it with O_EXCL, so that we only open a
++ * fresh file. If we cannot open it with a fresh file, then we won't
++ * touch it.
++ */
++ retval = dict_open(dbname, O_RDWR | O_CREAT | O_EXCL,
++ DICT_FLAG_DUP_REPLACE | DICT_FLAG_LOCK | DICT_FLAG_SYNC_UPDATE);
++ if (!retval)
++ msg_warn("Could not create dictionary %s", dbname);
++ return retval;
++}
++
++/* tlsmgr_trigger_event - respond to external trigger(s) */
++
++static void tlsmgr_trigger_event(char *buf, int len,
++ char *unused_service, char **argv)
++{
++ /*
++ * Sanity check. This service takes no command-line arguments.
++ */
++ if (argv[0])
++ msg_fatal("unexpected command-line argument: %s", argv[0]);
++
++}
++
++/* tlsmgr_loop - queue manager main loop */
++
++static int tlsmgr_loop(char *unused_name, char **unused_argv)
++{
++ /*
++ * This routine runs as part of the event handling loop, after the event
++ * manager has delivered a timer or I/O event (including the completion
++ * of a connection to a delivery process), or after it has waited for a
++ * specified amount of time. The result value of qmgr_loop() specifies
++ * how long the event manager should wait for the next event.
++ */
++#define DONT_WAIT 0
++#define WAIT_FOR_EVENT (-1)
++
++ if (clnt_scache_db_active)
++ clnt_scache_db_active = tlsmgr_do_scache_check(clnt_scache_db,
++ var_smtp_tls_scache_timeout, 0);
++ if (srvr_scache_db_active)
++ srvr_scache_db_active = tlsmgr_do_scache_check(srvr_scache_db,
++ var_smtpd_tls_scache_timeout, 0);
++ if (clnt_scache_db_active || srvr_scache_db_active)
++ return (DONT_WAIT);
++ return (WAIT_FOR_EVENT);
++}
++
++/* pre_accept - see if tables have changed */
++
++static void pre_accept(char *unused_name, char **unused_argv)
++{
++ if (dict_changed()) {
++ msg_info("table has changed -- exiting");
++ exit(0);
++ }
++}
++
++/* tlsmgr_pre_init - pre-jail initialization */
++
++static void tlsmgr_pre_init(char *unused_name, char **unused_argv)
++{
++ int rand_bytes;
++ unsigned char buffer[255];
++
++ /*
++ * Access the external sources for random seed. We may not be able to
++ * access them again if we are sent to chroot jail, so we must leave
++ * dev: and egd: type sources open.
++ */
++ if (*var_tls_rand_source) {
++ if (!strncmp(var_tls_rand_source, "dev:", 4)) {
++ /*
++ * Source is a random device
++ */
++ rand_source_dev_fd = open(var_tls_rand_source + 4, 0, 0);
++ if (rand_source_dev_fd == -1)
++ msg_fatal("Could not open entropy device %s",
++ var_tls_rand_source);
++ if (var_tls_rand_bytes > 255)
++ var_tls_rand_bytes = 255;
++ rand_bytes = read(rand_source_dev_fd, buffer, var_tls_rand_bytes);
++ RAND_seed(buffer, rand_bytes);
++ } else if (!strncmp(var_tls_rand_source, "egd:", 4)) {
++ /*
++ * Source is a EGD compatible socket
++ */
++ rand_source_socket_fd = unix_connect(var_tls_rand_source +4,
++ BLOCKING, 10);
++ if (rand_source_socket_fd == -1)
++ msg_fatal("Could not connect to %s", var_tls_rand_source);
++ if (var_tls_rand_bytes > 255)
++ var_tls_rand_bytes = 255;
++ buffer[0] = 1;
++ buffer[1] = var_tls_rand_bytes;
++ if (write(rand_source_socket_fd, buffer, 2) != 2)
++ msg_fatal("Could not talk to %s", var_tls_rand_source);
++ if (read(rand_source_socket_fd, buffer, 1) != 1)
++ msg_fatal("Could not read info from %s", var_tls_rand_source);
++ rand_bytes = buffer[0];
++ if (read(rand_source_socket_fd, buffer, rand_bytes) != rand_bytes)
++ msg_fatal("Could not read data from %s", var_tls_rand_source);
++ RAND_seed(buffer, rand_bytes);
++ } else {
++ rand_bytes = RAND_load_file(var_tls_rand_source,
++ var_tls_rand_bytes);
++ }
++ }
++
++ /*
++ * Now open the PRNG exchange file
++ */
++ if (*var_tls_rand_exch_name) {
++ rand_exch_fd = open(var_tls_rand_exch_name, O_RDWR | O_CREAT, 0600);
++ }
++
++ /*
++ * Finally, open the session cache files. Remove old files, if still there.
++ * If we could not remove the old files, something is pretty wrong and we
++ * won't touch it!!
++ */
++ if (*var_smtp_tls_scache_db)
++ clnt_scache_db = tlsmgr_cache_open(var_smtp_tls_scache_db);
++ if (*var_smtpd_tls_scache_db)
++ srvr_scache_db = tlsmgr_cache_open(var_smtpd_tls_scache_db);
++}
++
++/* qmgr_post_init - post-jail initialization */
++
++static void tlsmgr_post_init(char *unused_name, char **unused_argv)
++{
++ unsigned char buffer[1024];
++
++ /*
++ * This routine runs after the skeleton code has entered the chroot jail.
++ * Prevent automatic process suicide after a limited number of client
++ * requests or after a limited amount of idle time.
++ */
++ var_use_limit = 0;
++ var_idle_limit = 0;
++
++ /*
++ * Complete thie initialization by reading the additional seed from the
++ * PRNG exchange file. Don't care how many bytes were actually read, just
++ * seed buffer into the PRNG, regardless of its contents.
++ */
++ if (rand_exch_fd >= 0) {
++ if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_SHARED) == -1)
++ msg_fatal("Could not lock random exchange file: %s",
++ strerror(errno));
++ read(rand_exch_fd, buffer, 1024);
++ if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) == -1)
++ msg_fatal("Could not unlock random exchange file: %s",
++ strerror(errno));
++ RAND_seed(buffer, 1024);
++ tlsmgr_prng_upd_event(0, (char *) 0);
++ tlsmgr_reseed_event(0, (char *) 0);
++ }
++
++ clnt_scache_db_active = 0;
++ srvr_scache_db_active = 0;
++ if (clnt_scache_db)
++ tlsmgr_clnt_cache_run_event(0, (char *) 0);
++ if (srvr_scache_db)
++ tlsmgr_srvr_cache_run_event(0, (char *) 0);
++}
++
++
++/* main - the main program */
++
++int main(int argc, char **argv)
++{
++ static CONFIG_STR_TABLE str_table[] = {
++ VAR_TLS_RAND_SOURCE, DEF_TLS_RAND_SOURCE, &var_tls_rand_source, 0, 0,
++ 0,
++ };
++ static CONFIG_TIME_TABLE time_table[] = {
++ VAR_TLS_RESEED_PERIOD, DEF_TLS_RESEED_PERIOD, &var_tls_reseed_period, 0, 0,
++ VAR_TLS_PRNG_UPD_PERIOD, DEF_TLS_PRNG_UPD_PERIOD, &var_tls_prng_upd_period, 0, 0,
++ 0,
++ };
++ static CONFIG_INT_TABLE int_table[] = {
++ VAR_TLS_RAND_BYTES, DEF_TLS_RAND_BYTES, &var_tls_rand_bytes, 0, 0,
++ 0,
++ };
++
++ /*
++ * Use the trigger service skeleton, because no-one else should be
++ * monitoring our service port while this process runs, and because we do
++ * not talk back to the client.
++ */
++ trigger_server_main(argc, argv, tlsmgr_trigger_event,
++ MAIL_SERVER_TIME_TABLE, time_table,
++ MAIL_SERVER_INT_TABLE, int_table,
++ MAIL_SERVER_STR_TABLE, str_table,
++ MAIL_SERVER_PRE_INIT, tlsmgr_pre_init,
++ MAIL_SERVER_POST_INIT, tlsmgr_post_init,
++ MAIL_SERVER_LOOP, tlsmgr_loop,
++ MAIL_SERVER_PRE_ACCEPT, pre_accept,
++ 0);
++ trigger_server_main(argc, argv, tlsmgr_trigger_event,
++ MAIL_SERVER_PRE_INIT, tlsmgr_pre_init,
++ 0);
++}
++
++#else
++int main(int argc, char **argv)
++{
++ msg_fatal("Do not run tlsmgr with TLS support compiled in\n");
++}
++#endif
++#endif
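Review bot: `rand_exch_fd` is a zero-initialised static (L21860) and the `open()` at L22203 is never checked, so when `tls_random_exchange_name` is empty `tlsmgr_post_init` locks and reads descriptor 0 and `tlsmgr_prng_upd_event` then writes 1024 PRNG bytes to it on every update period, while a failed open is skipped silently; initialise the fd to -1 and treat an open failure as fatal, as in the fence below. `tlsmgr_reseed_event` declares `char buffer[255]` (L21913) where `tlsmgr_pre_init` uses `unsigned char` (L22153); on platforms where plain char is signed, an EGD count byte above 127 at L21940 becomes negative, the length comparison at L21941 can never match, and the daemon exits with "Lost connection to EGD-device" on every reseed once `tls_random_bytes` exceeds 127. At L22171 the `read()` result goes straight into `RAND_seed()`, so a -1 is passed as a huge length; the reseed path (L21924–L21930) already guards this and the pre-init path should match. Separately, `main()` calls `trigger_server_main()` twice (L22281 and L22290), the second call being dead or a re-initialisation, and the `#else` message at L22298 states the opposite of its condition: `"Do not run tlsmgr without TLS support compiled in"`.
```c
static int rand_exch_fd = -1;           /* -1: no exchange file configured */
/* … unchanged: other statics, tlsmgr_prng_upd_event … */

static void tlsmgr_reseed_event(int unused_event, char *dummy)
{
    int egd_success;
    int next_period;
    int rand_bytes;
    unsigned char buffer[255];          /* unsigned: EGD count byte may exceed 127 */
    /* … unchanged: rest of tlsmgr_reseed_event … */

/* … unchanged: tlsmgr_do_scache_check … pre_accept … */

static void tlsmgr_pre_init(char *unused_name, char **unused_argv)
{
    /* … unchanged: locals, open of the dev: source … */
            rand_bytes = read(rand_source_dev_fd, buffer, var_tls_rand_bytes);
            if (rand_bytes < 0)
                msg_fatal("Read from entropy device %s failed: %s",
                          var_tls_rand_source, strerror(errno));
            if (rand_bytes > 0)
                RAND_seed(buffer, rand_bytes);
    /* … unchanged: egd: and regular-file branches … */
    if (*var_tls_rand_exch_name) {
        rand_exch_fd = open(var_tls_rand_exch_name, O_RDWR | O_CREAT, 0600);
        if (rand_exch_fd == -1)
            msg_fatal("Could not open PRNG exchange file %s: %s",
                      var_tls_rand_exch_name, strerror(errno));
    }
    /* … unchanged: session cache open … */
```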
+diff -urNad postfix-release/src/util/dict_cidr.c /tmp/dpep.cXJuVH/postfix-release/src/util/dict_cidr.c
+--- postfix-release/src/util/dict_cidr.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/dict_cidr.c 2005-02-03 10:22:13.079092450 -0700
+@@ -27,6 +27,13 @@
+ /* IBM T.J. Watson Research
+ /* P.O. Box 704
+ /* Yorktown Heights, NY 10598, USA
++/*
++/* Dean C. Strik
++/* Department ICT Services
++/* Eindhoven University of Technology
++/* P.O. Box 513
++/* 5600 MB Eindhoven, Netherlands
++/* E-mail: <dean at ipnet6.org>
+ /*--*/
+
+ /* System library. */
+@@ -39,6 +46,11 @@
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+
++#include <errno.h>
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netdb.h>
++
+ #ifndef INADDR_NONE
+ #define INADDR_NONE 0xffffffff
+ #endif
+@@ -53,17 +65,15 @@
+ #include <readlline.h>
+ #include <dict.h>
+ #include <dict_cidr.h>
+-#include <split_at.h>
++#include <match_ops.h>
+
+ /* Application-specific. */
+
+ /*
+ * Each rule in a CIDR table is parsed and stored in a linked list.
+- * Obviously all this is IPV4 specific and needs to be redone for IPV6.
+ */
+ typedef struct DICT_CIDR_ENTRY {
+- unsigned long net_bits; /* network portion of address */
+- unsigned long mask_bits; /* network mask */
++ ADDR_PATTERN *pattern; /* address pattern structure */
+ char *value; /* lookup result */
+ struct DICT_CIDR_ENTRY *next; /* next entry */
+ } DICT_CIDR_ENTRY;
+@@ -73,27 +83,72 @@
+ DICT_CIDR_ENTRY *head; /* first entry */
+ } DICT_CIDR;
+
+-#define BITS_PER_ADDR 32
++#define BITS_PER_ADDR_V4 32
++#define BITS_PER_ADDR_V6 128
+
+ /* dict_cidr_lookup - CIDR table lookup */
+
+ static const char *dict_cidr_lookup(DICT *dict, const char *key)
+ {
++ char *myname = "dict_cidr_lookup";
++
+ DICT_CIDR *dict_cidr = (DICT_CIDR *) dict;
+ DICT_CIDR_ENTRY *entry;
+- unsigned long addr;
++#ifdef INET6
++ struct addrinfo hints, *res0;
++ int aierr;
++#else
++ struct sockaddr_in sin;
++#endif
+
+ if (msg_verbose)
+- msg_info("dict_cidr_lookup: %s: %s", dict_cidr->dict.name, key);
++ msg_info("%s: %s: %s", myname, dict_cidr->dict.name, key);
+
+- if ((addr = inet_addr(key)) == INADDR_NONE)
++#ifdef INET6
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = PF_UNSPEC;
++ hints.ai_socktype = SOCK_STREAM;
++ hints.ai_flags = AI_NUMERICHOST;
++ /*
++ * Since access maps call the CIDR map first with the
++ * hostname and only then with the addresses, we just
++ * return 0 when an entry isn't numeric, as expressed
++ * by the EAI_NONAME error.
++ */
++ aierr = getaddrinfo(key, NULL, &hints, &res0);
++ if (aierr == EAI_NONAME) {
++ if (msg_verbose)
++ msg_info("%s: non-address key \"%s\"",
++ myname, key);
+ return (0);
+-
++ }
++ if (aierr != 0)
++ msg_fatal("%s: getaddrinfo(%s): %s",
++ myname, key, GAI_STRERROR(aierr));
+ for (entry = dict_cidr->head; entry; entry = entry->next)
+- if ((addr & entry->mask_bits) == entry->net_bits)
++ if (match_sockaddr(res0->ai_addr,
++ entry->pattern->addr,
++ entry->pattern->masklen)) {
++ freeaddrinfo(res0);
+ return (entry->value);
++ }
++ freeaddrinfo(res0);
++ return (0);
++
++#else /* INET6 */
+
++ memset(&sin, 0, sizeof(sin));
++ sin.sin_family = AF_INET;
++ sin.sin_addr.s_addr = inet_addr(key);
++ if (sin.sin_addr.s_addr == INADDR_NONE)
++ return (0);
++ for (entry = dict_cidr->head; entry; entry = entry->next)
++ if (match_sockaddr((struct sockaddr *)&sin, entry->pattern->addr,
++ entry->pattern->masklen))
++ return (entry->value);
+ return (0);
++
++#endif
+ }
+
+ /* dict_cidr_close - close the CIDR table */
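Review bot: Every `getaddrinfo()` failure other than EAI_NONAME becomes `msg_fatal()` at L22399–L22401, and the comment at L22386 says the key arrives from access-map checks, i.e. it is derived from what the remote client presented; a resolver library that answers a malformed literal with EAI_FAIL, EAI_NODATA or EAI_MEMORY instead of EAI_NONAME would therefore terminate the smtpd doing the lookup, whereas the old `inet_addr()` path simply returned 0 for anything unparsable. The non-EAI_NONAME branch should log with `msg_warn` and `return (0)` so a single odd key cannot take the process down. `BITS_PER_ADDR_V4` and `BITS_PER_ADDR_V6` are defined at L22356–L22357 but nothing in this hunk references them; if the rest of the file does not either, they are dead definitions.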
+@@ -106,6 +161,7 @@
+
+ for (entry = dict_cidr->head; entry; entry = next) {
+ next = entry->next;
++ addr_pattern_free(entry->pattern);
+ myfree(entry->value);
+ myfree((char *) entry);
+ }
+@@ -120,11 +176,9 @@
+ DICT_CIDR_ENTRY *rule;
+ char *key;
+ char *value;
+- char *mask;
+- int mask_shift;
+- unsigned long net_bits;
+- unsigned long mask_bits;
+- struct in_addr net_addr;
++ ADDR_PATTERN *pattern;
++ VSTRING *lookup_err;
++ int lookup_res;
+
+ /*
+ * Split the rule into key and value. We already eliminated leading
+@@ -152,53 +206,35 @@
+ }
+
+ /*
+- * Parse the key into network and mask, and destroy the key. Treat a bare
+- * network address as /32.
+- *
+- * We need explicit code for /0. The result of << is undefined when the
+- * shift is greater or equal to the number of bits in the shifted
+- * operand.
++ * We rewrite the key to standard notation, and check the validity of
++ * the pattern.
++ * We cannot use MATCH_FLAG_STRICT_ADDR since access checks try not only
++ * the numerical address but the resolved hostname as well.
+ */
+- if ((mask = split_at(key, '/')) != 0) {
+- if (!alldig(mask) || (mask_shift = atoi(mask)) > BITS_PER_ADDR
+- || (net_bits = inet_addr(key)) == INADDR_NONE) {
+- msg_warn("cidr map %s, line %d: bad net/mask pattern: \"%s/%s\": "
+- "skipping this rule", mapname, lineno, key, mask);
+- return (0);
+- }
+- mask_bits = mask_shift > 0 ?
+- htonl((0xffffffff) << (BITS_PER_ADDR - mask_shift)) : 0;
+- if (net_bits & ~mask_bits) {
+- net_addr.s_addr = (net_bits & mask_bits);
+- msg_warn("cidr map %s, line %d: net/mask pattern \"%s/%s\" with "
+- "non-null host portion: skipping this rule",
+- mapname, lineno, key, mask);
+- msg_warn("specify \"%s/%d\" if this is really what you want",
+- inet_ntoa(net_addr), mask_shift);
+- return (0);
+- }
+- } else {
+- if ((net_bits = inet_addr(key)) == INADDR_NONE) {
+- msg_warn("cidr map %s, line %d: bad address pattern: \"%s\": "
+- "skipping this rule", mapname, lineno, key);
+- return (0);
+- }
+- mask_shift = 32;
+- mask_bits = htonl(0xffffffff);
++ lookup_err = vstring_alloc(100);
++ lookup_res = std_addr_pattern(MATCH_FLAG_NOLOOKUP |
++ MATCH_FLAG_NONNULL_HOST,
++ key, &pattern, lookup_err);
++ if (pattern == NULL) {
++ if (lookup_res == 0 && VSTRING_LEN(lookup_err) != 0)
++ msg_warn("cidr map %s, line %d: %s: skipping this rule",
++ mapname, lineno, vstring_str(lookup_err));
++ vstring_free(lookup_err);
++ return (0);
+ }
++ vstring_free(lookup_err);
+
+ /*
+ * Bundle up the result.
+ */
+ rule = (DICT_CIDR_ENTRY *) mymalloc(sizeof(DICT_CIDR_ENTRY));
+- rule->net_bits = net_bits;
+- rule->mask_bits = mask_bits;
++ rule->pattern = pattern;
+ rule->value = mystrdup(value);
+ rule->next = 0;
+
+ if (msg_verbose)
+- msg_info("dict_cidr_open: %s: %lu/%d %s",
+- mapname, rule->net_bits, mask_shift, rule->value);
++ msg_info("dict_cidr_open: %s: %s/%d %s",
++ mapname, pattern->pattern, pattern->masklen, rule->value);
+
+ return (rule);
+ }
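Review bot: The error path at L22498–L22504 keys on `pattern == NULL` and logs only when `lookup_res == 0 && VSTRING_LEN(lookup_err) != 0`, so a rule that `std_addr_pattern()` rejects with a non-zero return, or with an empty message, is dropped from the map with no warning at all; because a silently skipped entry in a CIDR access table means that network is no longer matched (a `REJECT` line can vanish unnoticed), every skipped rule should be logged, e.g. `if (lookup_res != 0 || pattern == NULL) { msg_warn("cidr map %s, line %d: %s: skipping this rule", mapname, lineno, VSTRING_LEN(lookup_err) ? vstring_str(lookup_err) : "bad address pattern"); vstring_free(lookup_err); return (0); }`. `pattern` is also read uninitialised unless `std_addr_pattern()` is guaranteed to assign it on every return; its contract is not visible here, so an explicit `pattern = 0;` before the call (or testing `lookup_res` first) removes that dependency. The enclosing function starts outside this hunk.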
+diff -urNad postfix-release/src/util/get_port.c /tmp/dpep.cXJuVH/postfix-release/src/util/get_port.c
+--- postfix-release/src/util/get_port.c 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/get_port.c 2005-02-03 10:22:13.079092450 -0700
+@@ -0,0 +1,65 @@
++/*++
++/* NAME
++/* get_port 3
++/* SUMMARY
++/* trivial host and port extracter
++/* SYNOPSIS
++/* #include <get_port.h>
++/*
++/* char *get_port(data)
++/* char *data;
++/*
++/* DESCRIPTION
++/* get_port() extract host name or ip address from
++/* strings such as [3ffe:902:12::10]:25, [::1]
++/* or 192.168.0.1:25, and null-terminates the
++/* \fIdata\fR at the first occurrence of port separator.
++/* DIAGNOSTICS
++/* If port not found return null pointer.
++/* LICENSE
++/* .ad
++/* .fi
++/* BSD Style (or BSD like) license.
++/* AUTHOR(S)
++/* Arkadiusz Mi¶kiewicz <misiek at pld.org.pl>
++/* Wroclaw, POLAND
++/*--*/
++
++/* System libraries */
++
++#include <sys_defs.h>
++#include <string.h>
++
++/* Utility library. */
++
++#include "get_port.h"
++
++/* get_port - extract port number from string */
++
++char *get_port(char *data)
++{
++ const char *escl=strchr(data,'[');
++ const char *sepl=strchr(data,':');
++ char *escr=strrchr(data,']');
++ char *sepr=strrchr(data,':');
++
++ /* extract from "[address]:port" or "[address]"*/
++ if (escl && escr)
++ {
++ memmove(data, data + 1, strlen(data) - strlen(escr));
++ data[strlen(data) - strlen(escr) - 1] = 0;
++ *escr++ = 0;
++ if (*escr == ':')
++ escr++;
++ return (*escr ? escr : NULL);
++ }
++ /* extract from "address:port" or "address" */
++ if ((sepl == sepr) && sepr && sepl)
++ {
++ *sepr++ = 0;
++ return sepr;
++ }
++
++ /* return empty string */
++ return NULL;
++}
+diff -urNad postfix-release/src/util/get_port.h /tmp/dpep.cXJuVH/postfix-release/src/util/get_port.h
+--- postfix-release/src/util/get_port.h 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/get_port.h 2005-02-03 10:22:13.079092450 -0700
+@@ -0,0 +1,28 @@
++#ifndef _GET_PORT_H_INCLUDED_
++#define _GET_PORT_H_INCLUDED_
++
++/*++
++/* NAME
++/* get_port 3h
++/* SUMMARY
++/* trivial host and port extracter
++/* SYNOPSIS
++/* #include <get_port.h>
++/* DESCRIPTION
++/* .nf
++
++ /* External interface. */
++
++extern char *get_port(char *);
++
++
++/* LICENSE
++/* .ad
++/* .fi
++/* BSD Style (or BSD like) license.
++/* AUTHOR(S)
++/* Arkadiusz Mi¶kiewicz <misiek at pld.org.pl>
++/* Wroclaw, POLAND
++/*--*/
++
++#endif
+diff -urNad postfix-release/src/util/inet_addr_host.c /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_host.c
+--- postfix-release/src/util/inet_addr_host.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_host.c 2005-02-03 10:22:13.080092227 -0700
+@@ -38,7 +38,10 @@
+ #include <sys_defs.h>
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
++#include <sys/socket.h>
+ #include <netdb.h>
++#include <stdlib.h>
++#include <string.h>
+
+ #ifndef INADDR_NONE
+ #define INADDR_NONE 0xffffffff
+@@ -46,17 +49,68 @@
+
+ /* Utility library. */
+
++#include <mymalloc.h>
+ #include <inet_addr_list.h>
+ #include <inet_addr_host.h>
++#ifdef TEST
++#include <msg.h>
++#endif
+
+ /* inet_addr_host - look up address list for host */
+
+ int inet_addr_host(INET_ADDR_LIST *addr_list, const char *hostname)
+ {
++#ifdef INET6
++ int s;
++ struct addrinfo hints, *res0, *res;
++ int error;
++ char *hbuf, *hname;
++#else
+ struct hostent *hp;
+ struct in_addr addr;
++#endif
+ int initial_count = addr_list->used;
+
++#ifdef INET6
++
++ /*
++ * The use of square brackets around an IPv6 addresses is
++ * required, even though we don't enforce it as it'd make
++ * the code unnecessarily complicated.
++ */
++ hbuf = mystrdup(hostname);
++ if (*hbuf == '[' && hbuf[strlen(hbuf) - 1] == ']') {
++ hbuf[strlen(hbuf) - 1] = '\0';
++ hname = hbuf + 1;
++ } else {
++ hname = hbuf;
++ }
++
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = PF_UNSPEC;
++ hints.ai_socktype = SOCK_DGRAM;
++ error = getaddrinfo(hname, NULL, &hints, &res0);
++
++ if (error == 0) {
++ for (res = res0; res; res = res->ai_next) {
++ if (res->ai_family != AF_INET && res->ai_family != AF_INET6)
++ continue;
++ /*
++ * filter out address families that are not supported
++ * XXX is this socket necessary? --dean
++ */
++ s = socket(res->ai_family, SOCK_DGRAM, 0);
++ if (s < 0)
++ continue;
++ if (close(s))
++ msg_warn("inet_addr_host: close(): %m");
++
++ inet_addr_list_append(addr_list, res->ai_addr);
++ }
++ freeaddrinfo(res0);
++ }
++ myfree(hbuf);
++#else
+ if ((addr.s_addr = inet_addr(hostname)) != INADDR_NONE) {
+ inet_addr_list_append(addr_list, &addr);
+ } else {
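Review bot: `msg_warn()` on the `if (close(s))` line is compiled in every INET6 build, but `<msg.h>` is only included under `#ifdef TEST` a few lines above, so a non-TEST build calls a variadic function without a prototype (undefined behaviour in C, a warning at best). Include `<msg.h>` unconditionally in the utility-library block. The per-result `socket()`/`close()` probe that the XXX comment questions also costs two system calls per address; if its purpose is only to drop families the kernel does not support, a single probe per family cached across the loop would do the same job — I cannot tell from here whether callers depend on that filtering.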
+@@ -65,9 +119,12 @@
+ inet_addr_list_append(addr_list,
+ (struct in_addr *) * hp->h_addr_list++);
+ }
++#endif
++
+ return (addr_list->used - initial_count);
+ }
+
++
+ #ifdef TEST
+
+ #include <msg.h>
+@@ -78,6 +135,8 @@
+ {
+ INET_ADDR_LIST addr_list;
+ int i;
++ struct sockaddr *sa;
++ char hbuf[NI_MAXHOST];
+
+ msg_vstream_init(argv[0], VSTREAM_ERR);
+
+@@ -89,8 +148,12 @@
+ if (inet_addr_host(&addr_list, *argv) == 0)
+ msg_fatal("not found: %s", *argv);
+
+- for (i = 0; i < addr_list.used; i++)
+- vstream_printf("%s\n", inet_ntoa(addr_list.addrs[i]));
++ for (i = 0; i < addr_list.used; i++) {
++ sa = (struct sockaddr *)&addr_list.addrs[i];
++ getnameinfo(sa, SA_LEN(sa), hbuf, sizeof(hbuf), NULL, 0,
++ NI_NUMERICHOST);
++ vstream_printf("%s\n", hbuf);
++ }
+ vstream_fflush(VSTREAM_OUT);
+ }
+ inet_addr_list_free(&addr_list);
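Review bot: The return value of `getnameinfo()` in the new print loop is ignored, so on failure `hbuf` is printed uninitialised. The other hunks of this patch fall back to a placeholder string in that case; the same pattern applies here, e.g. `if (getnameinfo(sa, SA_LEN(sa), hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST)) strncpy(hbuf, "???", sizeof(hbuf));`. This is test-only code, so the impact is confined to the TEST build.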
+diff -urNad postfix-release/src/util/inet_addr_list.c /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_list.c
+--- postfix-release/src/util/inet_addr_list.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_list.c 2005-02-03 10:22:13.080092227 -0700
+@@ -51,6 +51,13 @@
+ #include <arpa/inet.h>
+ #include <stdlib.h>
+
++#include <netdb.h>
++
++#ifdef INET6
++#include <string.h>
++#include <sys/socket.h>
++#endif
++
+ /* Utility library. */
+
+ #include <msg.h>
+@@ -64,14 +71,43 @@
+ int init_size;
+
+ list->used = 0;
+- list->size = 0;
+ init_size = 2;
+- list->addrs = (struct in_addr *) mymalloc(sizeof(*list->addrs) * init_size);
++#ifdef INET6
++ list->addrs = (struct sockaddr_storage *)
++#else
++ list->addrs = (struct in_addr *)
++#endif
++ mymalloc(sizeof(*list->addrs) * init_size);
+ list->size = init_size;
+ }
+
+ /* inet_addr_list_append - append address to internet address list */
+
++#ifdef INET6
++void inet_addr_list_append(INET_ADDR_LIST *list,
++ struct sockaddr * addr)
++{
++ char *myname = "inet_addr_list_append";
++ char hbuf[NI_MAXHOST];
++ int new_size;
++
++ if (msg_verbose > 1) {
++ if (getnameinfo(addr, SA_LEN(addr), hbuf, sizeof(hbuf), NULL, 0,
++ NI_NUMERICHOST)) {
++ strncpy(hbuf, "??????", sizeof(hbuf));
++ }
++ msg_info("%s: %s", myname, hbuf);
++ }
++
++ if (list->used >= list->size) {
++ new_size = list->size * 2;
++ list->addrs = (struct sockaddr_storage *)
++ myrealloc((char *)list->addrs, sizeof(*list->addrs) * new_size);
++ list->size = new_size;
++ }
++ memcpy(&list->addrs[list->used++], addr, SA_LEN(addr));
++}
++#else
+ void inet_addr_list_append(INET_ADDR_LIST *list, struct in_addr * addr)
+ {
+ char *myname = "inet_addr_list_append";
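Review bot: The INET6 `inet_addr_list_append()` copies only `SA_LEN(addr)` bytes into a `struct sockaddr_storage` slot, leaving the rest of that element uninitialised. Nothing in this hunk reads the tail, but any later whole-element compare or copy (`sizeof(*list->addrs)`, which the init and realloc sizing already use) would touch indeterminate bytes; a `memset(&list->addrs[list->used], 0, sizeof(*list->addrs));` before the memcpy closes that off cheaply. The fallback `SA_LEN` in the header hunk also maps every non-AF_INET6 family to `sizeof(struct sockaddr_in)`, so an unfiltered caller passing another family would copy a sockaddr_in-sized chunk; the callers in this patch filter on AF_INET/AF_INET6 before appending, as far as is visible.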
+@@ -83,20 +119,39 @@
+ if (list->used >= list->size) {
+ new_size = list->size * 2;
+ list->addrs = (struct in_addr *)
+- myrealloc((char *) list->addrs, sizeof(*list->addrs) * new_size);
++ myrealloc((char *)list->addrs, sizeof(*list->addrs) * new_size);
+ list->size = new_size;
+ }
+ list->addrs[list->used++] = *addr;
+ }
++#endif
+
+ /* inet_addr_list_comp - compare addresses */
+
+ static int inet_addr_list_comp(const void *a, const void *b)
+ {
++#ifdef INET6
++ char ha[NI_MAXHOST], hb[NI_MAXHOST];
++ int nierr;
++ int niflags = NI_NUMERICHOST | NI_WITHSCOPEID;
++ struct sockaddr *sa, *sb;
++
++ sa = (struct sockaddr *)a, sb = (struct sockaddr *)b;
++ if (sa->sa_family != sb->sa_family)
++ return (sa->sa_family - sb->sa_family);
++ nierr = getnameinfo(sa, SA_LEN(sa), ha, sizeof(ha), NULL, 0, niflags);
++ if (nierr)
++ msg_fatal("inet_addr_list_comp: getnameinfo(ha) error %d", nierr);
++ nierr = getnameinfo(sb, SA_LEN(sb), hb, sizeof(hb), NULL, 0, niflags);
++ if (nierr)
++ msg_fatal("inet_addr_list_comp: getnameinfo(hb) error %d", nierr);
++ return strcmp(ha, hb);
++#else
+ const struct in_addr *a_addr = (const struct in_addr *) a;
+ const struct in_addr *b_addr = (const struct in_addr *) b;
+
+ return (a_addr->s_addr - b_addr->s_addr);
++#endif
+ }
+
+ /* inet_addr_list_uniq - weed out duplicates */
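Review bot: The INET6 branch of `inet_addr_list_comp()` orders addresses by their textual form from `getnameinfo()`, and with `NI_WITHSCOPEID` forced to 0 on non-KAME systems (in the inet_addr_list.h hunk) the scope ID is not part of that text, so two link-local addresses that differ only in `sin6_scope_id` compare equal and would be collapsed by a uniq pass that removes adjacent equal entries (not visible here). The comparator also calls `getnameinfo()` twice per comparison inside qsort and terminates the process with `msg_fatal()` from within a comparison callback. Comparing the binary address (and the scope ID for AF_INET6) is cheaper, cannot fail, and preserves the scope distinction; the IPv4 side of the #ifdef stays as it is.
```c
static int inet_addr_list_comp(const void *a, const void *b)
{
#ifdef INET6
    const struct sockaddr *sa = (const struct sockaddr *) a;
    const struct sockaddr *sb = (const struct sockaddr *) b;

    if (sa->sa_family != sb->sa_family)
	return (sa->sa_family - sb->sa_family);
    if (sa->sa_family == AF_INET6) {
	const struct sockaddr_in6 *a6 = (const struct sockaddr_in6 *) sa;
	const struct sockaddr_in6 *b6 = (const struct sockaddr_in6 *) sb;
	int cmp = memcmp(&a6->sin6_addr, &b6->sin6_addr, sizeof(a6->sin6_addr));

	if (cmp != 0)
	    return (cmp);
	/* Same address, different interface scope: keep them distinct. */
	return ((a6->sin6_scope_id > b6->sin6_scope_id)
		- (a6->sin6_scope_id < b6->sin6_scope_id));
    }
    return (memcmp(&((const struct sockaddr_in *) sa)->sin_addr,
		   &((const struct sockaddr_in *) sb)->sin_addr,
		   sizeof(struct in_addr)));
#else
    /* ... unchanged: IPv4 s_addr comparison ... */
#endif
}
```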
+@@ -141,7 +196,9 @@
+ */
+ #include <inet_addr_host.h>
+
+-static void inet_addr_list_print(INET_ADDR_LIST *list)
++#ifndef DEBUG6
++static
++#endif void inet_addr_list_print(INET_ADDR_LIST *list)
+ {
+ int n;
+
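Review bot: The line `#endif void inet_addr_list_print(INET_ADDR_LIST *list)` places tokens after `#endif`, which the C standard does not permit; GCC reports "extra tokens at end of #endif directive" and discards them, so the declaration that survives in the non-DEBUG6 build is `static inet_addr_list_print(...)` with an implicit int return type. Put the return type on its own line: `#endif` followed by `void inet_addr_list_print(INET_ADDR_LIST *list)`. The function body continues outside the hunk.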
+diff -urNad postfix-release/src/util/inet_addr_list.h /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_list.h
+--- postfix-release/src/util/inet_addr_list.h 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_list.h 2005-02-03 10:22:13.080092227 -0700
+@@ -16,19 +16,55 @@
+ */
+ #include <netinet/in.h>
+
++#ifndef SA_LEN
++# ifndef HAS_SA_LEN
++# define SA_LEN(x) (((x)->sa_family == AF_INET6) ? sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in))
++# define SS_LEN(x) (((x).ss_family == AF_INET6) ? sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in))
++# else
++# define SA_LEN(x) ((x)->sa_len)
++# define SS_LEN(x) ((x).ss_len)
++# endif
++#else
++# ifndef SS_LEN
++# define SS_LEN(x) (((x).ss_family == AF_INET6) ? sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in))
++# endif
++#endif
++
+ /*
+ * External interface.
+ */
+ typedef struct INET_ADDR_LIST {
+ int used; /* nr of elements in use */
+ int size; /* actual list size */
++#ifdef INET6
++ struct sockaddr_storage *addrs; /* payload */
++#else
+ struct in_addr *addrs; /* payload */
++#endif
+ } INET_ADDR_LIST;
+
+ extern void inet_addr_list_init(INET_ADDR_LIST *);
+ extern void inet_addr_list_free(INET_ADDR_LIST *);
+ extern void inet_addr_list_uniq(INET_ADDR_LIST *);
++#ifdef INET6
++struct sockaddr;
++extern void inet_addr_list_append(INET_ADDR_LIST *, struct sockaddr *);
++#else
+ extern void inet_addr_list_append(INET_ADDR_LIST *, struct in_addr *);
++#endif
++
++/*
++ * NI_WITHSCOPEID is defined on most systems, but usually not implemented.
++ * Only on KAME? Use without implementation will result in EAI_BADFLAGS.
++ */
++#ifdef INET6
++# ifndef INET6_KAME
++# ifdef NI_WITHSCOPEID
++# undef NI_WITHSCOPEID
++# endif
++# define NI_WITHSCOPEID 0
++# endif
++#endif
+
+ /* LICENSE
+ /* .ad
+diff -urNad postfix-release/src/util/inet_addr_local.c /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_local.c
+--- postfix-release/src/util/inet_addr_local.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_local.c 2005-02-03 10:22:13.081092004 -0700
+@@ -6,9 +6,10 @@
+ /* SYNOPSIS
+ /* #include <inet_addr_local.h>
+ /*
+-/* int inet_addr_local(addr_list, mask_list)
++/* int inet_addr_local(addr_list, mask_list, addr_family)
+ /* INET_ADDR_LIST *addr_list;
+ /* INET_ADDR_LIST *mask_list;
++/* int addr_family;
+ /* DESCRIPTION
+ /* inet_addr_local() determines all active IP interface addresses
+ /* of the local system. Any address found is appended to the
+@@ -17,6 +18,9 @@
+ /*
+ /* The mask_list is either a null pointer, or it is a list that
+ /* receives the netmasks of the interface addresses that were found.
++/*
++/* The addr_family is ether AF_UNSPEC, AF_INET or AF_INET6
++/*
+ /* DIAGNOSTICS
+ /* Fatal errors: out of memory.
+ /* SEE ALSO
+@@ -30,6 +34,13 @@
+ /* IBM T.J. Watson Research
+ /* P.O. Box 704
+ /* Yorktown Heights, NY 10598, USA
++/*
++/* Dean C. Strik
++/* Department ICT
++/* Eindhoven University of Technology
++/* P.O. Box 513
++/* 5600 MB Eindhoven, Netherlands
++/* E-mail: <dean at ipnet6.org>
+ /*--*/
+
+ /* System library. */
+@@ -47,6 +58,13 @@
+ #endif
+ #include <errno.h>
+ #include <string.h>
++#ifdef INET6
++#include <netdb.h>
++#include <stdio.h>
++#endif
++#ifdef HAVE_GETIFADDRS
++#include <ifaddrs.h>
++#endif
+
+ /* Utility library. */
+
+@@ -57,39 +75,300 @@
+ #include <inet_addr_local.h>
+
+ /*
++ * IF IPV6 SUPPORT IS ENABLED:
++ *
++ * In the non-getifaddrs() version, we determine the interface addresses
++ * using the SIOCG(L)IFCONF. However, it is operating system dependent
++ * whether this also results in IPv6 addresses configuration. Another
++ * issue is that there is no good method to determine the netmask /
++ * prefixlen for IPv6 addresses.
++ * We will therefore use OS dependent methods. An overview:
++ * - Use SIOCGLIFCONF when available -> this supports both IPv4/IPv6
++ * addresses. Also, with SIOCGLIFNETMASK we can obtain the netmask /
++ * prefixlen for either address family.
++ * - On Linux, read IPv6 addresses / prefixlengths from a file in the
++ * /proc filesystem. Linux does not return IPv6 addresses in
++ * SIOCGIFCONF.
++ * - On other systems without getifaddrs(), we expect SIOCGIFCONF
++ * to return IPv6 addresses. Since SIOCGIFNETMASK does not work for
++ * IPv6 addresses, we will always set the prefixlen to 64 (subnet)
++ * However, it is suggested you set the mynetworks variable(s)
++ * manually then.
++ * XXX: We duplicate some code. In this case, I think this is better
++ * than really drowning in the #ifdefs...
++ * -- Dean Strik (dcs)
++ */
++
++ /*
+ * Support for variable-length addresses.
+ */
++#ifdef HAS_SIOCGLIF
++#else /* HAS_SIOCGLIF */
++#endif /* HAS_SIOCGLIF */
++
++/* decode_scope - separate scope ID from IPv6 address */
++
++#ifdef INET6
++static struct sockaddr *decode_scope(struct sockaddr *sa,
++ struct sockaddr_in6 *sin6)
++{
++#ifdef INET6_KAME
++ memcpy(sin6, sa, sa->sa_len); /* size sin6 >> size sa */
++ /* decode scoped address notation */
++ if ((IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr) ||
++ IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr)) &&
++ sin6->sin6_scope_id == 0) {
++ sin6->sin6_scope_id = ntohs(*(u_int16_t *)&sin6->sin6_addr.s6_addr[2]);
++ sin6->sin6_addr.s6_addr[2] = sin6->sin6_addr.s6_addr[3] = 0;
++ }
++ return (struct sockaddr *)sin6;
++#else
++ return (sa);
++#endif
++}
++#endif
++
++/* ial_socket - make socket for ioctl() operations */
++
++static int ial_socket(int af)
++{
++ char *myname = "inet_addr_local[socket]";
++ int sock;
++
++ /*
++ * The host may not be actually configured with IPv6. When
++ * IPv6 support is not actually in the kernel, don't consider
++ * failure to create an IPv6 socket as fatal. This could be
++ * tuned better though. For other families, the error is fatal.
++ */
++ if ((sock = socket(af, SOCK_DGRAM, 0)) < 0) {
++#ifdef INET6
++ if (af == AF_INET6) {
++ if (msg_verbose)
++ msg_warn("%s: socket: %m", myname);
++ return (-1);
++ }
++#endif
++ msg_fatal("%s: socket: %m", myname);
++ }
++ return (sock);
++}
++
++
++#ifdef HAVE_GETIFADDRS
++
++/*
++ * The getifaddrs(3) function, introduced by BSD/OS, provides a
++ * platform-independent way of requesting interface addresses,
++ * including IPv6 addresses. The implementation however is not
++ * present in all major operating systems.
++ */
++
++/* ial_getifaddrs - determine IP addresses using getifaddrs(3) */
++
++static int ial_getifaddrs(INET_ADDR_LIST *addr_list,
++ INET_ADDR_LIST *mask_list,
++ int af)
++{
++ char *myname = "inet_addr_local[getifaddrs]";
++ struct ifaddrs *ifap, *ifa;
++ struct sockaddr *sa, *sam;
++#ifdef INET6
++ struct sockaddr_in6 addr6;
++#else
++ void *addr,*addrm;
++#endif
++
++ if (getifaddrs(&ifap) < 0)
++ msg_fatal("%s: getifaddrs: %m", myname);
++
++ /*
++ * Get the address of each IP network interface. According to BIND we
++ * must include interfaces that are down because the machine may still
++ * receive packets for that address (yes, via some other interface).
++ * Having no way to verify this claim on every machine, I will give them
++ * the benefit of the doubt.
++ */
++
++ for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
++ if (!(ifa->ifa_flags & IFF_RUNNING) || ifa->ifa_addr == NULL)
++ continue;
++ sa = ifa->ifa_addr;
++ sam = ifa->ifa_netmask;
++ if (af != AF_UNSPEC && sa->sa_family != af)
++ continue;
++ switch (sa->sa_family) {
++ case AF_INET:
++#ifndef INET6
++ addr = (void *)&((struct sockaddr_in *)sa)->sin_addr;
++ addrm = (void *)&((struct sockaddr_in *)ifa->ifa_netmask)->sin_addr;
++#endif
++ break;
++#ifdef INET6
++ case AF_INET6:
++ sa = decode_scope(sa, &addr6);
++ break;
++#endif
++ default:
++ continue;
++ }
++
++#ifdef INET6
++ inet_addr_list_append(addr_list, sa);
++ if (mask_list != NULL) {
++ /*
++ * Unfortunately, sa_len/sa_family may be broken in
++ * the netmask sockaddr structure. We must fix this
++ * manually to have correct addresses. --dcs
++ */
++#ifdef HAS_SA_LEN
++ sam->sa_len = sa->sa_family == AF_INET6 ?
++ sizeof(struct sockaddr_in6) :
++ sizeof(struct sockaddr_in);
++#endif
++ sam->sa_family = sa->sa_family;
++ inet_addr_list_append(mask_list, sam);
++ }
++#else
++ inet_addr_list_append(addr_list, (struct in_addr *)addr);
++ if (mask_list != NULL)
++ inet_addr_list_append(mask_list, (struct in_addr *)addrm);
++#endif
++ }
++
++ freeifaddrs(ifap);
++ return (0);
++}
++#endif /* HAVE_GETIFADDRS */
++
++
++#ifdef HAS_SIOCGLIF
++
++/*
++ * The SIOCLIF* ioctls are the successors of SIOCGIF* on the Solaris
++ * and HP/UX operating systems. The data is stored in sockaddr_storage
++ * structure. Both IPv4 and IPv6 addresses are returned though these
++ * calls.
++ */
++#define NEXT_INTERFACE(lifr) (lifr + 1)
++#define LIFREQ_SIZE(lifr) sizeof(lifr[0])
++#define ial_generic ial_siocglif
++
++/* ial_siocglif - determine IP addresses using ioctl(SIOCGLIF*) */
++
++static int ial_siocglif(INET_ADDR_LIST *addr_list,
++ INET_ADDR_LIST *mask_list,
++ int af)
++{
++ char *myname = "inet_addr_local[siocglif]";
++ struct lifconf lifc;
++ struct lifreq *lifr;
++ struct lifreq *lifr_mask;
++ struct lifreq *the_end;
++ struct sockaddr *sa;
++ struct sockaddr_in6 addr6;
++ int sock;
++ VSTRING *buf;
++
++ if (af != AF_INET && af != AF_INET6)
++ msg_fatal("%s: address family was %d, must be AF_INET (%d) or "
++ "AF_INET6 (%d)", myname, af, AF_INET, AF_INET6);
++ sock = ial_socket(af);
++ if (sock < 0)
++ return (0);
++ buf = vstring_alloc(1024);
++ for (;;) {
++ memset(&lifc, 0, sizeof(lifc));
++ lifc.lifc_family = AF_UNSPEC;
++ lifc.lifc_len = vstring_avail(buf);
++ lifc.lifc_buf = vstring_str(buf);
++ if (ioctl(sock, SIOCGLIFCONF, (char *) &lifc) < 0) {
++ if (errno != EINVAL)
++ msg_fatal("%s: ioctl SIOCGLIFCONF: %m", myname);
++ } else if (lifc.lifc_len < vstring_avail(buf) / 2)
++ break;
++ VSTRING_SPACE(buf, vstring_avail(buf) * 2);
++ }
++
++ the_end = (struct lifreq *) (lifc.lifc_buf + lifc.lifc_len);
++ for (lifr = lifc.lifc_req; lifr < the_end;) {
++ if (((struct sockaddr *)&lifr->lifr_addr)->sa_family != af) {
++ lifr = NEXT_INTERFACE(lifr);
++ continue;
++ }
++ if (af == AF_INET) {
++ if (((struct sockaddr_in *)&lifr->lifr_addr)->sin_addr.s_addr
++ == INADDR_ANY) {
++ lifr = NEXT_INTERFACE(lifr);
++ continue;
++ }
++ sa = (struct sockaddr *)&lifr->lifr_addr;
++ } else if (af == AF_INET6) {
++ sa = decode_scope((struct sockaddr *)&lifr->lifr_addr, &addr6);
++ if (IN6_IS_ADDR_UNSPECIFIED(&addr6.sin6_addr)) {
++ lifr = NEXT_INTERFACE(lifr);
++ continue;
++ }
++ }
++ inet_addr_list_append(addr_list, sa);
++ if (mask_list) {
++ lifr_mask = (struct lifreq *) mymalloc(sizeof(struct lifreq));
++ memcpy((char *)lifr_mask, (char *)lifr, sizeof(struct lifreq));
++ if (ioctl(sock, SIOCGLIFNETMASK, lifr_mask) < 0)
++ msg_fatal("%s: ioctl(SIOCGLIFNETMASK): %m", myname);
++ /* XXX: Check whether sa_len/family are honoured --dcs */
++ inet_addr_list_append(mask_list,
++ (struct sockaddr *)&lifr_mask->lifr_addr);
++ myfree((char *)lifr_mask);
++ }
++ lifr = NEXT_INTERFACE(lifr);
++ }
++ vstring_free(buf);
++ (void) close(sock);
++ return (0);
++}
++
++#else /* HAVE_SIOCGLIF */
++
++/*
++ * The classic SIOCGIF* ioctls. Modern BSD operating systems will
++ * also return IPv6 addresses through these structure. Note however
++ * that recent versions of these operating systems have getifaddrs.
++ */
++#define ial_generic ial_siocgif
+ #ifdef _SIZEOF_ADDR_IFREQ
+ #define NEXT_INTERFACE(ifr) ((struct ifreq *) \
+ ((char *) ifr + _SIZEOF_ADDR_IFREQ(*ifr)))
+ #define IFREQ_SIZE(ifr) _SIZEOF_ADDR_IFREQ(*ifr)
+-#else
++#else /* _SIZEOF_ADDR_IFREQ */
+ #ifdef HAS_SA_LEN
+ #define NEXT_INTERFACE(ifr) ((struct ifreq *) \
+ ((char *) ifr + sizeof(ifr->ifr_name) + ifr->ifr_addr.sa_len))
+ #define IFREQ_SIZE(ifr) (sizeof(ifr->ifr_name) + ifr->ifr_addr.sa_len)
+-#else
++#else /* HAS_SA_LEN */
+ #define NEXT_INTERFACE(ifr) (ifr + 1)
+ #define IFREQ_SIZE(ifr) sizeof(ifr[0])
+-#endif
+-#endif
++#endif /* HAS_SA_LEN */
++#endif /* _SIZEOF_ADDR_IFREQ */
+
+-/* inet_addr_local - find all IP addresses for this host */
++/* ial_siocgif - determine IP addresses using ioctl(SIOCGIF*) */
+
+-int inet_addr_local(INET_ADDR_LIST *addr_list, INET_ADDR_LIST *mask_list)
++static int ial_siocgif(INET_ADDR_LIST *addr_list,
++ INET_ADDR_LIST *mask_list,
++ int af)
+ {
+- char *myname = "inet_addr_local";
++ char *myname = "inet_addr_local[siocgif]";
++ struct in_addr addr;
+ struct ifconf ifc;
+ struct ifreq *ifr;
+- struct ifreq *the_end;
+- int sock;
+- VSTRING *buf = vstring_alloc(1024);
+- int initial_count = addr_list->used;
+- struct in_addr addr;
+ struct ifreq *ifr_mask;
+-
+- if ((sock = socket(PF_INET, SOCK_DGRAM, 0)) < 0)
+- msg_fatal("%s: socket: %m", myname);
++ struct ifreq *the_end;
++#ifdef INET6
++ struct sockaddr *sa;
++ struct sockaddr_in6 addr6;
++#endif
++ int sock;
++ VSTRING *buf;
+
+ /*
+ * Get the network interface list. XXX The socket API appears to have no
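Review bot: On non-KAME systems `decode_scope()` returns `sa` untouched and never writes `*sin6`, yet `ial_siocglif()` then tests `IN6_IS_ADDR_UNSPECIFIED(&addr6.sin6_addr)` on the uninitialised `addr6`; the same pattern appears in `ial_siocgif()` in the next hunk. Test the address through the returned pointer instead, `if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *) sa)->sin6_addr))`, which is correct in both the KAME and non-KAME cases. In `ial_getifaddrs()`, `ifa->ifa_netmask` may be NULL for some interfaces, and `sam->sa_family = sa->sa_family` (and `addrm` in the non-INET6 branch) dereferences it; since addr_list and mask_list are kept index-parallel by the callers, the safest fix is to skip such an interface when a mask list was requested, `if (mask_list != NULL && ifa->ifa_netmask == NULL) continue;`, placed next to the `ifa_addr == NULL` test. The `IFF_RUNNING` filter also contradicts the comment above the loop, which argues for including interfaces that are down; one of the two should change. `ial_siocgif()` begins in this hunk and continues past it.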
+@@ -106,6 +385,11 @@
+ * that the program can run out of memory due to a non-memory problem,
+ * making it more difficult than necessary to diagnose the real problem.
+ */
++
++ sock = ial_socket(af);
++ if (sock < 0)
++ return (0);
++ buf = vstring_alloc(1024);
+ for (;;) {
+ ifc.ifc_len = vstring_avail(buf);
+ ifc.ifc_buf = vstring_str(buf);
+@@ -117,39 +401,199 @@
+ VSTRING_SPACE(buf, vstring_avail(buf) * 2);
+ }
+
+- /*
+- * Get the address of each IP network interface. According to BIND we
+- * must include interfaces that are down because the machine may still
+- * receive packets for that address (yes, via some other interface).
+- * Having no way to verify this claim on every machine, I will give them
+- * the benefit of the doubt.
+- */
+ the_end = (struct ifreq *) (ifc.ifc_buf + ifc.ifc_len);
+ for (ifr = ifc.ifc_req; ifr < the_end;) {
+- if (ifr->ifr_addr.sa_family == AF_INET) { /* IP interface */
+- addr = ((struct sockaddr_in *) & ifr->ifr_addr)->sin_addr;
+- if (addr.s_addr != INADDR_ANY) { /* has IP address */
++ if (ifr->ifr_addr.sa_family != af) {
++ ifr = NEXT_INTERFACE(ifr);
++ continue;
++ }
++ if (af == AF_INET) {
++ addr = ((struct sockaddr_in *) &ifr->ifr_addr)->sin_addr;
++ if (addr.s_addr != INADDR_ANY) {
++#ifdef INET6
++ inet_addr_list_append(addr_list, &ifr->ifr_addr);
++#else
+ inet_addr_list_append(addr_list, &addr);
++#endif
+ if (mask_list) {
+ ifr_mask = (struct ifreq *) mymalloc(IFREQ_SIZE(ifr));
+ memcpy((char *) ifr_mask, (char *) ifr, IFREQ_SIZE(ifr));
+ if (ioctl(sock, SIOCGIFNETMASK, ifr_mask) < 0)
+ msg_fatal("%s: ioctl SIOCGIFNETMASK: %m", myname);
+- addr = ((struct sockaddr_in *) & ifr_mask->ifr_addr)->sin_addr;
++#ifdef INET6
++ /*
++ * Note that this SIOCGIFNETMASK has truly screwed up
++ * the contents of sa_len/sa_family. We must fix this
++ * manually to have correct addresses. --dcs
++ */
++#ifdef HAS_SA_LEN
++ ifr_mask->ifr_addr.sa_len = sizeof(struct sockaddr_in);
++#endif
++ ifr_mask->ifr_addr.sa_family = af;
++ inet_addr_list_append(mask_list, &ifr_mask->ifr_addr);
++#else
++ addr = ((struct sockaddr_in *) &ifr_mask->ifr_addr)->sin_addr;
+ inet_addr_list_append(mask_list, &addr);
++#endif
+ myfree((char *) ifr_mask);
+ }
+ }
+ }
++#ifdef INET6
++ else if (af == AF_INET6) {
++ sa = decode_scope(&ifr->ifr_addr, &addr6);
++ if (!(IN6_IS_ADDR_UNSPECIFIED(&addr6.sin6_addr))) {
++ inet_addr_list_append(addr_list, sa);
++ if (mask_list) {
++ /* We can't know, and assume /64 for everything */
++ struct sockaddr_in6 mask6;
++ struct in6_addr *maddr6;
++ memcpy((char *)&mask6, (char *)&addr6,
++ sizeof(struct sockaddr_in6));
++ maddr6 = &mask6.sin6_addr;
++ maddr6->s6_addr[0] = maddr6->s6_addr[1] =
++ maddr6->s6_addr[2] = maddr6->s6_addr[3] =
++ maddr6->s6_addr[4] = maddr6->s6_addr[5] =
++ maddr6->s6_addr[6] = maddr6->s6_addr[7] = 0xff;
++ maddr6->s6_addr[8] = maddr6->s6_addr[9] =
++ maddr6->s6_addr[10] = maddr6->s6_addr[11] =
++ maddr6->s6_addr[12] = maddr6->s6_addr[13] =
++ maddr6->s6_addr[14] = maddr6->s6_addr[15] = 0x0;
++ inet_addr_list_append(mask_list,
++ (struct sockaddr *)&mask6);
++ }
++ }
++ }
++#endif /* INET6 */
+ ifr = NEXT_INTERFACE(ifr);
+ }
+ vstring_free(buf);
+ (void) close(sock);
++ return (0);
++}
++#endif /* HAVE_SIOCGLIF */
++
++
++#ifdef HAS_PROCNET_IFINET6
++
++/*
++ * Linux does not provide proper calls to retrieve IPv6 interface
++ * addresses. Instead, the addresses can be read from a file in the
++ * /proc tree. The most important issue with this approach however
++ * is that the /proc tree may not always be available, for example
++ * in a chrooted environment or in "hardened" (sic) installations.
++ */
++
++/* ial_procnet_ifinet6 - determine IPv6 addresses using /proc/net/if_inet6 */
++
++static int ial_procnet_ifinet6(INET_ADDR_LIST *addr_list,
++ INET_ADDR_LIST *mask_list)
++{
++ char *myname = "inet_addr_local[procnet_ifinet6]";
++ FILE *f;
++ char addr6p[8][5], addr6res[40], devname[20];
++ int plen, scope, dad_status, if_idx, gaierror;
++ struct addrinfo hints, *res, *res0;
++
++ if ((f = fopen(_PATH_PROCNET_IFINET6, "r")) != NULL) {
++ while (fscanf(f, "%4s%4s%4s%4s%4s%4s%4s%4s %02x %02x %02x %02x %20s\n",
++ addr6p[0], addr6p[1], addr6p[2], addr6p[3], addr6p[4],
++ addr6p[5], addr6p[6], addr6p[7],
++ &if_idx, &plen, &scope, &dad_status, devname) != EOF) {
++ sprintf(addr6res, "%s:%s:%s:%s:%s:%s:%s:%s",
++ addr6p[0], addr6p[1], addr6p[2], addr6p[3],
++ addr6p[4], addr6p[5], addr6p[6], addr6p[7]);
++ addr6res[sizeof(addr6res) - 1] = 0;
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_flags = AI_NUMERICHOST;
++ hints.ai_family = AF_INET6;
++ hints.ai_socktype = SOCK_DGRAM;
++ gaierror = getaddrinfo(addr6res, NULL, &hints, &res0);
++ if (!gaierror) {
++ for (res = res0; res; res = res->ai_next) {
++ struct sockaddr_in6 mask;
++ int i, rest;
++ inet_addr_list_append(addr_list, res->ai_addr);
++ memcpy((char *)&mask, res->ai_addr, res->ai_addrlen);
++ /* s6_addr32 is available on linux */
++ mask.sin6_addr.s6_addr32[0] =
++ mask.sin6_addr.s6_addr32[1] =
++ mask.sin6_addr.s6_addr32[2] =
++ mask.sin6_addr.s6_addr32[3] = ~0;
++ for (i = 3, rest = 128 - plen; i > -1; i--)
++ if (rest > 31) {
++ mask.sin6_addr.s6_addr32[i] = htonl(0);
++ rest -= 32;
++ } else {
++ mask.sin6_addr.s6_addr32[i] =
++ htonl(~((1 << rest) - 1));
++ break;
++ }
++ inet_addr_list_append(mask_list, (struct sockaddr *)&mask);
++ }
++ freeaddrinfo(res0);
++ }
++ }
++ } else if (msg_verbose) {
++ msg_warn("%s: Couldn't open " _PATH_PROCNET_IFINET6
++ " for reading: %m", myname);
++ }
++ return (0);
++}
++#endif /* HAS_PROCNET_IFINET6 */
++
++
++/* inet_addr_local - find all IP addresses for this host */
++
++int inet_addr_local(INET_ADDR_LIST *addr_list, INET_ADDR_LIST *mask_list,
++ int addr_family)
++{
++ char *myname = "inet_addr_local";
++ int initial_count = addr_list->used;
++ int count;
++
++ /*
++ * IP Version 4
++ */
++ if (addr_family == AF_INET || addr_family == AF_UNSPEC) {
++ count = addr_list->used;
++#if defined(HAVE_GETIFADDRS)
++ ial_getifaddrs(addr_list, mask_list, AF_INET);
++#else
++ ial_generic(addr_list, mask_list, AF_INET);
++#endif
++ if (msg_verbose)
++ msg_info("%s: configured %d IPv4 addresses",
++ myname, addr_list->used - count);
++ }
++
++ /*
++ * IP Version 6
++ */
++ if (addr_family == AF_INET6 || addr_family == AF_UNSPEC) {
++ count = addr_list->used;
++#ifdef INET6
++#if defined(HAS_PROCNET_IFINET6)
++ ial_procnet_ifinet6(addr_list, mask_list);
++#elif defined(HAVE_GETIFADDRS)
++ ial_getifaddrs(addr_list, mask_list, AF_INET6);
++#else
++ ial_generic(addr_list, mask_list, AF_INET6);
++#endif
++ if (msg_verbose)
++ msg_info("%s: configured %d IPv6 addresses", myname,
++ addr_list->used - count);
++#endif
++ }
++
+ return (addr_list->used - initial_count);
+ }
+
++
+ #ifdef TEST
++/* XXX: Requires INET6 for now */
+
++#include <string.h>
+ #include <vstream.h>
+ #include <msg_vstream.h>
+
+@@ -158,12 +602,14 @@
+ INET_ADDR_LIST addr_list;
+ INET_ADDR_LIST mask_list;
+ int i;
++ char abuf[NI_MAXHOST], mbuf[NI_MAXHOST];
++ struct sockaddr *sa;
+
+ msg_vstream_init(argv[0], VSTREAM_ERR);
+
+ inet_addr_list_init(&addr_list);
+ inet_addr_list_init(&mask_list);
+- inet_addr_local(&addr_list, &mask_list);
++ inet_addr_local(&addr_list, &mask_list, AF_UNSPEC);
+
+ if (addr_list.used == 0)
+ msg_fatal("cannot find any active network interfaces");
+@@ -172,8 +618,17 @@
+ msg_warn("found only one active network interface");
+
+ for (i = 0; i < addr_list.used; i++) {
+- vstream_printf("%s/", inet_ntoa(addr_list.addrs[i]));
+- vstream_printf("%s\n", inet_ntoa(mask_list.addrs[i]));
++ sa = (struct sockaddr *)&addr_list.addrs[i];
++ if (getnameinfo(sa, SA_LEN(sa), abuf, sizeof(abuf), NULL, 0,
++ NI_NUMERICHOST)) {
++ strncpy(abuf, "???", sizeof(abuf));
++ }
++ sa = (struct sockaddr *)&mask_list.addrs[i];
++ if (getnameinfo(sa, SA_LEN(sa), mbuf, sizeof(mbuf), NULL, 0,
++ NI_NUMERICHOST)) {
++ strncpy(mbuf, "???", sizeof(mbuf));
++ }
++ vstream_printf("%s/%s\n", abuf, mbuf);
+ }
+ vstream_fflush(VSTREAM_OUT);
+ inet_addr_list_free(&addr_list);
+diff -urNad postfix-release/src/util/inet_addr_local.h /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_local.h
+--- postfix-release/src/util/inet_addr_local.h 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_local.h 2005-02-03 10:22:13.081092004 -0700
+@@ -19,7 +19,7 @@
+ /*
+ * External interface.
+ */
+-extern int inet_addr_local(INET_ADDR_LIST *, INET_ADDR_LIST *);
++extern int inet_addr_local(INET_ADDR_LIST *, INET_ADDR_LIST *, int);
+
+ /* LICENSE
+ /* .ad
+diff -urNad postfix-release/src/util/inet_connect.c /tmp/dpep.cXJuVH/postfix-release/src/util/inet_connect.c
+--- postfix-release/src/util/inet_connect.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_connect.c 2005-02-03 10:22:13.082091781 -0700
+@@ -55,6 +55,9 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <errno.h>
++#ifdef INET6
++#include <netdb.h>
++#endif
+
+ /* Utility library. */
+
+@@ -74,7 +77,12 @@
+ char *buf;
+ char *host;
+ char *port;
++#ifdef INET6
++ struct addrinfo hints, *res, *res0;
++ int error;
++#else
+ struct sockaddr_in sin;
++#endif
+ int sock;
+
+ /*
+@@ -82,14 +90,58 @@
+ * the local host.
+ */
+ buf = inet_parse(addr, &host, &port);
++#ifdef INET6
++ if (*host == 0)
++ host = NULL;
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = PF_UNSPEC;
++ hints.ai_socktype = SOCK_STREAM;
++ hints.ai_flags = AI_NUMERICHOST; /* find_inet_addr is numeric only */
++ if (getaddrinfo(host, port, &hints, &res0))
++ msg_fatal("host not found: %s", host);
++#else
+ if (*host == 0)
+ host = "localhost";
+ memset((char *) &sin, 0, sizeof(sin));
+ sin.sin_family = AF_INET;
+ sin.sin_addr.s_addr = find_inet_addr(host);
+ sin.sin_port = find_inet_port(port, "tcp");
++#endif
+ myfree(buf);
+
++#ifdef INET6
++ sock = -1;
++ for (res = res0; res; res = res->ai_next) {
++ if ((res->ai_family != AF_INET) && (res->ai_family != AF_INET6))
++ continue;
++
++ sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
++ if (sock < 0)
++ continue;
++ if (timeout > 0) {
++ non_blocking(sock, NON_BLOCKING);
++ if (timed_connect(sock, res->ai_addr, res->ai_addrlen, timeout) < 0) {
++ close(sock);
++ sock = -1;
++ continue;
++ }
++ if (block_mode != NON_BLOCKING)
++ non_blocking(sock, block_mode);
++ break;
++ } else {
++ non_blocking(sock, block_mode);
++ if (connect(sock, res->ai_addr, res->ai_addrlen) < 0
++ && errno != EINPROGRESS) {
++ close(sock);
++ sock = -1;
++ continue;
++ }
++ break;
++ }
++ }
++ freeaddrinfo(res0);
++ return sock;
++#else
+ /*
+ * Create a client socket.
+ */
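Review bot: In the IPv6 branch the getaddrinfo() failure path passes a possibly-NULL `host` to `msg_fatal("host not found: %s", host)` — `host` is set to NULL a few lines earlier when the address has an empty host part, so the fatal message itself is undefined behaviour — and the getaddrinfo() return code is discarded even though `int error` was declared for it in the previous hunk. Suggest `if ((error = getaddrinfo(host, port, &hints, &res0)) != 0)` followed by `msg_fatal("getaddrinfo(%s:%s): %s", host ? host : "", port, gai_strerror(error));`. inet_connect's body continues into the next hunk.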
+@@ -122,4 +174,5 @@
+ }
+ return (sock);
+ }
++#endif
+ }
+diff -urNad postfix-release/src/util/inet_listen.c /tmp/dpep.cXJuVH/postfix-release/src/util/inet_listen.c
+--- postfix-release/src/util/inet_listen.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_listen.c 2005-02-03 10:22:13.082091781 -0700
+@@ -6,7 +6,7 @@
+ /* SYNOPSIS
+ /* #include <listen.h>
+ /*
+-/* int inet_listen(addr, backlog, block_mode)
++/* int inet_listen(addr, backlog, block_mode, addinuse_fatal)
+ /* const char *addr;
+ /* int backlog;
+ /* int block_mode;
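Review bot: The SYNOPSIS names the new fourth parameter `addinuse_fatal`, but the definition in the later hunk and the prototype in listen.h use `addrinuse_fatal`. The manual-page comment should read `/* int inet_listen(addr, backlog, block_mode, addrinuse_fatal)` with a matching `/* int addrinuse_fatal;` line after `block_mode`, and the DESCRIPTION section (outside this hunk) should state that a non-zero value makes an EADDRINUSE bind failure fatal while zero makes inet_listen() return -1 instead, which is what the new loop does.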
+@@ -51,11 +51,17 @@
+ #include <sys_defs.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
++#ifdef INET6
++#if (! __GLIBC__ >= 2 && __GLIBC_MINOR__ >=1 )
++#include <netinet6/in6.h>
++#endif
++#endif
+ #include <arpa/inet.h>
+ #include <netdb.h>
+ #ifndef MAXHOSTNAMELEN
+ #include <sys/param.h>
+ #endif
++#include <errno.h>
+ #include <string.h>
+ #include <unistd.h>
+
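Review bot: The condition `#if (! __GLIBC__ >= 2 && __GLIBC_MINOR__ >=1 )` does not do what it says: `!` binds tighter than `>=`, so it reads `(!__GLIBC__) >= 2`, which is false for every value of `__GLIBC__`, and the `<netinet6/in6.h>` include is dead on every platform. If the intent is "include it unless this is glibc 2.1 or newer", write `#if !(defined(__GLIBC__) && (__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 1)))`. If the include is never needed on the targeted platforms, drop the block rather than keep a condition that cannot be true.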
+@@ -77,35 +83,116 @@
+
+ /* inet_listen - create inet-domain listener */
+
+-int inet_listen(const char *addr, int backlog, int block_mode)
++int inet_listen(const char *addr, int backlog, int block_mode, int addrinuse_fatal)
+ {
++#ifdef INET6
++ struct addrinfo *res, *res0, hints;
++ int error;
++#else
++ struct ai {
++ int ai_family;
++ int ai_socktype;
++ int ai_protocol;
++ struct sockaddr *ai_addr;
++ SOCKADDR_SIZE ai_addrlen;
++ struct ai *ai_next;
++ } *res, *res0, resbody;
+ struct sockaddr_in sin;
++#endif
+ int sock;
+ int t = 1;
++ int addrinuse = 0;
+ char *buf;
+ char *host;
+ char *port;
++#ifdef INET6
++ char hbuf[NI_MAXHOST], pbuf[NI_MAXSERV];
++#else
++ char hbuf[sizeof("255.255.255.255") + 1];
++ char pbuf[sizeof("255.255.255.255") + 1];
++#endif
++ char *cause = "unknown";
+
+ /*
+ * Translate address information to internal form.
+ */
+ buf = inet_parse(addr, &host, &port);
+- memset((char *) &sin, 0, sizeof(sin));
++#ifdef INET6
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
++ hints.ai_family = AF_UNSPEC;
++ hints.ai_socktype = SOCK_STREAM;
++ error = getaddrinfo(*host ? host : NULL, *port ? port : "0", &hints, &res0);
++ if (error) {
++ msg_fatal("getaddrinfo: %s", gai_strerror(error));
++ }
++ myfree(buf);
++#else
++ memset(&sin, 0, sizeof(sin));
+ sin.sin_family = AF_INET;
++#ifdef HAS_SA_LEN
++ sin.sin_len = sizeof(sin);
++#endif
+ sin.sin_port = find_inet_port(port, "tcp");
+ sin.sin_addr.s_addr = (*host ? find_inet_addr(host) : INADDR_ANY);
+- myfree(buf);
+
+- /*
+- * Create a listener socket.
+- */
+- if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+- msg_fatal("socket: %m");
+- if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (char *) &t, sizeof(t)) < 0)
+- msg_fatal("setsockopt: %m");
+- if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
+- msg_fatal("bind %s port %d: %m", sin.sin_addr.s_addr == INADDR_ANY ?
+- "INADDR_ANY" : inet_ntoa(sin.sin_addr), ntohs(sin.sin_port));
++ memset(&resbody, 0, sizeof(resbody));
++ resbody.ai_socktype = SOCK_STREAM;
++ resbody.ai_family = AF_INET;
++ resbody.ai_addr = (struct sockaddr *)&sin;
++ resbody.ai_addrlen = sizeof(sin);
++
++ res0 = &resbody;
++#endif
++
++ sock = -1;
++ for (res = res0; res; res = res->ai_next) {
++ if ((res->ai_family != AF_INET) && (res->ai_family != AF_INET6))
++ continue;
++
++ /*
++ * Create a listener socket.
++ */
++ if ((sock = socket(res->ai_family, res->ai_socktype, 0)) < 0) {
++ cause = "socket";
++ continue;
++ }
++#ifdef IPV6_V6ONLY
++ if (res->ai_family == AF_INET6 && setsockopt(sock,
++ IPPROTO_IPV6, IPV6_V6ONLY, (char *)&t, sizeof(t)) < 0) {
++#ifdef DEBUG6
++ cause = "setsockopt(IPV6_V6ONLY)";
++ close(sock);
++ sock = -1;
++ continue;
++#endif
++ ;
++ }
++#endif
++ if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (char *) &t, sizeof(t)) < 0) {
++ cause = "setsockopt(SO_REUSEADDR)";
++ close(sock);
++ sock = -1;
++ continue;
++ }
++
++ if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) {
++ cause = "bind";
++ if (errno == EADDRINUSE)
++ addrinuse = 1;
++ close(sock);
++ sock = -1;
++ continue;
++ }
++ break;
++ }
++ if (sock < 0 && (addrinuse_fatal || !addrinuse))
++ msg_fatal("%s: %m", cause);
++#ifdef INET6
++ freeaddrinfo(res0);
++#endif
++ if (sock < 0)
++ return -1;
+ non_blocking(sock, block_mode);
+ if (listen(sock, backlog) < 0)
+ msg_fatal("listen: %m");
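Review bot: The failure paths inside the address loop call `close(sock)` before the error is reported with `msg_fatal("%s: %m", cause)`, and close() may overwrite errno, so the reported reason can be the wrong one; save errno before close() and restore it afterwards (`saved_errno = errno; close(sock); errno = saved_errno;`) in the SO_REUSEADDR and bind branches. A failed `IPV6_V6ONLY` setsockopt() is silently ignored unless DEBUG6 is defined; a `::` listener without V6ONLY may also accept IPv4-mapped connections, which the separate IPv4 listener and any address-based access control do not expect, so at least emit `msg_warn("setsockopt(IPV6_V6ONLY): %m")` on that path. The old bind diagnostic named the address and port, the new `cause` string does not, and `hbuf`/`pbuf` are declared but unused within this hunk — presumably they are filled by getnameinfo() further down, otherwise the diagnostic lost useful detail. inet_listen's body continues past the end of the hunk.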
+diff -urNad postfix-release/src/util/inet_util.c /tmp/dpep.cXJuVH/postfix-release/src/util/inet_util.c
+--- postfix-release/src/util/inet_util.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_util.c 2005-02-03 10:22:13.082091781 -0700
+@@ -37,6 +37,7 @@
+ /* System libraries. */
+
+ #include <sys_defs.h>
++#include <string.h>
+
+ /* Utility library. */
+
+@@ -48,14 +49,26 @@
+
+ char *inet_parse(const char *addr, char **hostp, char **portp)
+ {
+- char *buf;
+-
+- buf = mystrdup(addr);
+- if ((*portp = split_at_right(buf, ':')) != 0) {
++ char *buf, *brk;
++#ifdef INET6
++ if (*addr == '[') {
++ buf = mystrdup(addr + 1);
++ brk = strchr(buf, ']');
++ if (brk == NULL)
++ brk = buf;
++ } else
++#endif
++ brk = buf = mystrdup(addr);
++ if ((*portp = split_at_right(brk, ':')) != 0) {
+ *hostp = buf;
++#ifdef INET6
++ if (brk > buf)
++ *brk = '\0';
++#endif
+ } else {
+ *portp = buf;
+ *hostp = "";
+ }
+ return (buf);
+ }
++
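Review bot: With the bracket handling, a bracketed address without a port such as `[::1]` takes the else branch and leaves the closing bracket in the result: `*portp` becomes `::1]`, because the `*brk = '\0'` truncation only runs when a `:` was found. Adding the same `if (brk > buf) *brk = '\0';` to the else branch keeps the two branches consistent with the IPv4 "port only" convention. A missing `]` (`brk == NULL`) currently falls back silently to treating the whole string as the IPv4 form; rejecting it, or at least documenting the leniency above the function, would be more honest to the caller. The added trailing blank line at the end of the file is probably unintended.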
+diff -urNad postfix-release/src/util/listen.h /tmp/dpep.cXJuVH/postfix-release/src/util/listen.h
+--- postfix-release/src/util/listen.h 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/listen.h 2005-02-03 10:22:13.083091558 -0700
+@@ -20,7 +20,7 @@
+ * Listener external interface.
+ */
+ extern int unix_listen(const char *, int, int);
+-extern int inet_listen(const char *, int, int);
++extern int inet_listen(const char *, int, int, int);
+ extern int fifo_listen(const char *, int, int);
+ extern int stream_listen(const char *, int, int);
+
+diff -urNad postfix-release/src/util/Makefile.in /tmp/dpep.cXJuVH/postfix-release/src/util/Makefile.in
+--- postfix-release/src/util/Makefile.in 2005-02-03 10:22:12.225282899 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/Makefile.in 2005-02-03 10:22:13.083091558 -0700
+@@ -29,7 +29,8 @@
+ vstream_popen.c vstring.c vstring_vstream.c watchdog.c writable.c \
+ write_buf.c write_wait.c auto_clnt.c attr_clnt.c attr_scan_plain.c \
+ attr_print_plain.c sane_connect.c neuter.c name_code.c \
+- uppercase.c
++ uppercase.c \
++ get_port.c sock_addr.c
+ OBJS = alldig.o argv.o argv_split.o attr_print0.o attr_print64.o \
+ attr_scan0.o attr_scan64.o base64_code.o basename.o binhash.o \
+ chroot_uid.o clean_env.o close_on_exec.o concatenate.o ctable.o \
+@@ -59,7 +60,7 @@
+ vstream_popen.o vstring.o vstring_vstream.o watchdog.o writable.o \
+ write_buf.o write_wait.o auto_clnt.o attr_clnt.o attr_scan_plain.o \
+ attr_print_plain.o sane_connect.o $(STRCASE) neuter.o name_code.o \
+- uppercase.o load_lib.o
++ uppercase.o load_lib.o get_port.o sock_addr.o
+ HDRS = argv.h attr.h base64_code.h binhash.h chroot_uid.h clean_env.h \
+ connect.h ctable.h dict.h dict_db.h dict_dbm.h dict_env.h \
+ dict_cidr.h dict_ht.h dict_ni.h dict_nis.h \
+@@ -79,7 +80,8 @@
+ split_at.h stat_as.h stringops.h sys_defs.h timed_connect.h \
+ timed_wait.h trigger.h username.h valid_hostname.h vbuf.h \
+ vbuf_print.h vstream.h vstring.h vstring_vstream.h watchdog.h \
+- auto_clnt.h attr_clnt.h sane_connect.h name_code.h
++ auto_clnt.h attr_clnt.h sane_connect.h name_code.h \
++ get_port.h sock_addr.h
+ TESTSRC = fifo_open.c fifo_rdwr_bug.c fifo_rdonly_bug.c select_bug.c \
+ stream_test.c dup2_pass_on_exec.c
+ DEFS = -I. -D$(SYSTYPE)
+@@ -854,6 +856,7 @@
+ get_domainname.o: mymalloc.h
+ get_domainname.o: get_hostname.h
+ get_domainname.o: get_domainname.h
++get_port.o: sys_defs.h
+ get_hostname.o: get_hostname.c
+ get_hostname.o: sys_defs.h
+ get_hostname.o: mymalloc.h
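Review bot: The dependency lines added for the new objects are incomplete compared with the generated entries around them: every other object lists its own source first (`get_hostname.o: get_hostname.c`) and every header it includes, but `get_port.o` gets only `sys_defs.h`, and the `sock_addr.o` entries in the later hunk list `msg.h` and `sock_addr.h` but not `sock_addr.c` or `sys_defs.h`, which sock_addr.c includes. Add `get_port.o: get_port.c`, `sock_addr.o: sock_addr.c` and `sock_addr.o: sys_defs.h` plus whatever headers get_port.c includes (or regenerate the block with the file's `depend` target, if present), and keep the entries in the sorted order the block uses — `get_port.o` belongs after the `get_hostname.o` lines, not before them.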
+@@ -975,6 +978,7 @@
+ match_list.o: stringops.h
+ match_list.o: argv.h
+ match_list.o: dict.h
++match_list.o: inet_util.h
+ match_list.o: match_ops.h
+ match_list.o: match_list.h
+ match_ops.o: match_ops.c
+@@ -1192,6 +1196,8 @@
+ skipblanks.o: stringops.h
+ skipblanks.o: vstring.h
+ skipblanks.o: vbuf.h
++sock_addr.o: msg.h
++sock_addr.o: sock_addr.h
+ spawn_command.o: spawn_command.c
+ spawn_command.o: sys_defs.h
+ spawn_command.o: msg.h
+diff -urNad postfix-release/src/util/match_list.c /tmp/dpep.cXJuVH/postfix-release/src/util/match_list.c
+--- postfix-release/src/util/match_list.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/match_list.c 2005-02-03 10:22:13.084091335 -0700
+@@ -125,7 +125,7 @@
+ list = match_list_parse(list, vstring_str(buf));
+ if (vstream_fclose(fp))
+ msg_fatal("%s: read file %s: %m", myname, pattern);
+- } else if (strchr(pattern, ':') != 0) { /* type:table */
++ } else if ((strchr(pattern, ']') == 0) && (strchr(pattern, ':') != 0)) { /* type:table */
+ if (buf == 0)
+ buf = vstring_alloc(10);
+ #define OPEN_FLAGS O_RDONLY
+diff -urNad postfix-release/src/util/match_ops.c /tmp/dpep.cXJuVH/postfix-release/src/util/match_ops.c
+--- postfix-release/src/util/match_ops.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/match_ops.c 2005-02-03 10:22:13.085091112 -0700
+@@ -54,6 +54,15 @@
+ /* IBM T.J. Watson Research
+ /* P.O. Box 704
+ /* Yorktown Heights, NY 10598, USA
++/*
++/* Takahiro Igarashi
++/*
++/* Dean C. Strik
++/* Department ICT Services
++/* Eindhoven University of Technology
++/* P.O. Box 513
++/* 5600 MB Eindhoven, Netherlands
++/* E-mail: <dean at ipnet6.org>
+ /*--*/
+
+ /* System library. */
+@@ -63,6 +72,11 @@
+ #include <arpa/inet.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include <errno.h>
++
++#ifdef INT_MAX_IN_LIMITS_H
++#include <limits.h>
++#endif
+
+ #ifdef STRCASECMP_IN_STRINGS_H
+ #include <strings.h>
+@@ -75,12 +89,42 @@
+ /* Utility library. */
+
+ #include <msg.h>
++#include <msg_output.h>
+ #include <mymalloc.h>
+ #include <split_at.h>
+ #include <dict.h>
+ #include <match_ops.h>
+ #include <stringops.h>
+
++#define BITS_PER_ADDR_V4 32
++#define BITS_PER_ADDR_V6 128
++
++#ifdef INET6
++
++/*
++ * IPv6-enabled code was written by Takahiro Igarashi and Dean Strik.
++ */
++
++#endif /* INET6 */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <unistd.h>
++#include <syslog.h>
++#include <fcntl.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <string.h>
++#include <netdb.h>
++#include <arpa/inet.h>
++#include <resolv.h>
++
++/* prototypes */
++static PRINTFLIKE(2,3) void warning_msg(VSTRING *, const char *, ...);
++#ifdef INET6
++static int mask_comp(void *, void *, int);
++#endif /* INET6 */
++
+ /* match_string - match a string literal */
+
+ int match_string(int unused_flags, const char *string, const char *pattern)
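Review bot: The added include block repeats headers already included a few lines above in this file (`<string.h>`, `<stdlib.h>`, `<arpa/inet.h>`) and pulls in `<syslog.h>`, `<fcntl.h>`, `<unistd.h>` and `<resolv.h>`, none of which the new code in this file appears to use; keep only `<sys/socket.h>`, `<netinet/in.h>` and `<netdb.h>`, which getaddrinfo() and the sockaddr types need. `warning_msg()` uses `va_list`/`va_start` but no `<stdarg.h>` is included here — fine if msg.h already provides it, otherwise add it. The prototype spells the attribute as `static PRINTFLIKE(2,3) void warning_msg(...)` while the definition below writes `static void PRINTFLIKE(2,3) warning_msg(...)`; pick one placement.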
+@@ -177,6 +221,7 @@
+ return (0);
+ }
+
++#ifndef INET6
+ /* match_parse_mask - parse net/mask pattern */
+
+ static int match_parse_mask(const char *pattern, unsigned long *net_bits,
+@@ -185,11 +230,9 @@
+ char *saved_pattern;
+ char *mask;
+
+-#define BITS_PER_ADDR 32
+-
+ saved_pattern = mystrdup(pattern);
+ if ((mask = split_at(saved_pattern, '/')) != 0) {
+- if (!alldig(mask) || (*mask_shift = atoi(mask)) > BITS_PER_ADDR
++ if (!alldig(mask) || (*mask_shift = atoi(mask)) > BITS_PER_ADDR_V4
+ || (*net_bits = inet_addr(saved_pattern)) == INADDR_NONE) {
+ msg_fatal("bad net/mask pattern: %s", pattern);
+ }
+@@ -198,11 +241,357 @@
+ return (mask != 0);
+ }
+
++#endif
++
++static void PRINTFLIKE(2,3) warning_msg(VSTRING *vp, const char *fmt,...)
++{
++ va_list ap;
++ if (vp) {
++ va_start(ap, fmt);
++ vstring_vsprintf(vp, fmt, ap);
++ va_end(ap);
++ } else {
++ va_start(ap, fmt);
++ msg_vprintf(MSG_WARN, fmt, ap);
++ va_end(ap);
++ }
++}
++
++/* v6addr_literal - copy IPv6 literal address from bracketed version */
++/* Supports both plain addresses and addr/plen's */
++
++static char *v6addr_literal(const char *pattern)
++{
++ size_t patlen;
++ char *mypattern, *ptr;
++
++ if (pattern == NULL)
++ msg_panic("v6_addr_literal: called with NULL pattern pointer");
++ if (msg_verbose > 1)
++ msg_info("v6addr_literal: input pattern %s", pattern);
++
++ patlen = strlen(pattern);
++
++ /*
++ * Note that we allow two different presentation/configuration
++ * formats for literal IPv6 (address/prefixlen) combinations.
++ * These are [v6addr]/plen and [v6addr/plen]. The second should
++ * be avoided and will be deprecated in later Postfix/v6 versions.
++ */
++ if (*pattern == '[') {
++ mypattern = mystrdup(pattern + 1);
++ if (pattern[patlen - 1] == ']') {
++ /*
++ * Format: "[v6addr]" or "[v6addr/plen]".
++ */
++ mypattern[patlen - 2] = '\0';
++ } else if ((ptr = strchr(mypattern + 1, '/')) != NULL
++ && *--ptr == ']') {
++ /*
++ * Format: "[v6addr]/plen".
++ */
++ while (*ptr)
++ ptr++[0] = ptr[1];
++ }
++ } else {
++ mypattern = mystrdup(pattern);
++ }
++
++ if (msg_verbose > 1)
++ msg_info("v6addr_literal: debracketed to %s", mypattern);
++
++ return (mypattern);
++}
++
++/* std_addr_pattern - standardize address pattern */
++
++int std_addr_pattern(int flags, const char *pattern,
++ ADDR_PATTERN **result, VSTRING *warnings)
++{
++ char *myname = "std_addr_pattern";
++ ADDR_PATTERN *res;
++ int mask;
++#ifdef INET6
++ int pf;
++ char *mypattern, *plenp;
++ int bits_per_addr, aierr;
++ struct addrinfo hints, *res0;
++ struct sockaddr_storage *ss_pattern;
++
++ pf = PF_UNSPEC;
++ *result = NULL;
++
++ if (pattern == NULL)
++ msg_panic("%s: pattern may not be NULL!", myname);
++
++ /*
++ * IPv6 addresses passed as pattern to match_hostaddr should start
++ * with a bracket '[' and have a ']' closing. This is as specific
++ * as it can get.
++ */
++ mypattern = v6addr_literal(pattern);
++ if (*pattern == '[') {
++ pf = PF_INET6;
++ } else if (!(flags & (MATCH_FLAG_STRICT_ADDR|MATCH_FLAG_NOLOOKUP))) {
++ /*
++ * Return if we find what appears to be a maptype:file entry.
++ * It's up to the caller of this function to handle this.
++ */
++ if (strchr(pattern, ':') != NULL) {
++ myfree(mypattern);
++ return (1);
++ }
++ }
++ plenp = split_at(mypattern, '/');
++
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = pf;
++ hints.ai_socktype = SOCK_STREAM;
++ hints.ai_flags = AI_NUMERICHOST;
++ aierr = getaddrinfo(mypattern, NULL, &hints, &res0);
++ /*
++ * EAI_NONAME happens when the pattern was not supplied in a
++ * valid printable form. This is a non-fatal error in strict
++ * address pattern maps like the CIDR dictionary.
++ */
++ if (aierr == EAI_NONAME) {
++ if (msg_verbose || (flags & MATCH_FLAG_STRICT_ADDR))
++ warning_msg(warnings,
++ "%s: invalid address pattern \"%s\"",
++ myname, mypattern);
++ myfree(mypattern);
++ return (0);
++ }
++ if (aierr != 0 && aierr != EAI_NONAME)
++ msg_fatal("%s: getaddrinfo(%s): %s", myname, mypattern,
++ GAI_STRERROR(aierr));
++ pf = res0->ai_family;
++ switch (pf) {
++ case AF_INET:
++ bits_per_addr = BITS_PER_ADDR_V4;
++ break;
++ case AF_INET6:
++ bits_per_addr = BITS_PER_ADDR_V6;
++ break;
++ default:
++ warning_msg(warnings,
++ "%s: unsupported address family %d in lookup result "
++ "of \"%s\"", myname, pf, pattern);
++ freeaddrinfo(res0);
++ myfree(mypattern);
++ return (0);
++ }
++ ss_pattern = (struct sockaddr_storage *)
++ mymalloc(sizeof(struct sockaddr_storage));
++ memcpy(ss_pattern, (const void *)res0->ai_addr, res0->ai_addrlen);
++ freeaddrinfo(res0);
++
++ if (plenp != NULL) {
++ /*
++ * Split the pattern into an address and a prefix length
++ * We explicitly allow "/0"
++ */
++ if (strcmp(plenp, "0")) {
++ mask = atoi(plenp);
++ if (mask <= 0 || mask > bits_per_addr) {
++ warning_msg(warnings, "%s: bad net/mask pattern: %s",
++ myname, pattern);
++ myfree(mypattern);
++ myfree((char *)ss_pattern);
++ return (0);
++ }
++ } else {
++ mask = 0;
++ }
++ } else {
++ /*
++ * A single address is considered a prefix with maximum prefix length.
++ */
++ switch (pf) {
++ case AF_INET:
++ mask = BITS_PER_ADDR_V4;
++ break;
++ case AF_INET6:
++ mask = BITS_PER_ADDR_V6;
++ break;
++ default:
++ msg_panic("%s: address family %d should not occur here",
++ myname, pf);
++ }
++ }
++
++ if (flags & MATCH_FLAG_NONNULL_HOST) {
++ /*
++ * We require that the host portion of (address/plen) pairs be zero
++ * to reduce the impact of configuration errors.
++ */
++ int non_null = 0;
++
++ if (mask != 0 && mask != bits_per_addr) {
++ int bytesl, bits;
++ char *addr = NULL;
++ unsigned char ac;
++
++ switch (ss_pattern->ss_family) {
++ case AF_INET6:
++ addr = (char *)(&((struct sockaddr_in6 *)ss_pattern)->sin6_addr);
++ bits_per_addr = BITS_PER_ADDR_V6;
++ break;
++ case AF_INET:
++ addr = (char *)(&((struct sockaddr_in *)ss_pattern)->sin_addr);
++ bits_per_addr = BITS_PER_ADDR_V4;
++ break;
++ default:
++ msg_panic("%s: address family %d should not occur here",
++ myname, pf);
++ }
++ bytesl = mask / 8;
++ bits = (bits_per_addr - mask) % 8;
++ if (bytesl == bits_per_addr / 8)
++ non_null = 1;
++ else
++ ac = addr[bytesl];
++ if (bits == 0)
++ bits = 8;
++ if (!non_null && ac != (ac & 0xff << bits))
++ non_null = 1;
++ while (!non_null && ++bytesl < bits_per_addr / 8)
++ non_null = addr[bytesl] != 0;
++ }
++ if (non_null) {
++ warning_msg(warnings,
++ "%s: net/mask pattern \"%s/%s\" "
++ "with non-null host pattern",
++ myname, mypattern, plenp);
++ myfree(mypattern);
++ return (0);
++ }
++ }
++
++#else /* INET6 */
++
++ char *mypattern, *plenp;
++ int bits;
++ unsigned long addr, addr0;
++ struct sockaddr_in *ss_pattern;
++
++ *result = NULL;
++
++ if (!(flags & MATCH_FLAG_STRICT_ADDR) && strchr(pattern, ':') != 0)
++ return (1);
++
++ mypattern = mystrdup(pattern);
++ plenp = split_at(mypattern, '/');
++ if (plenp == NULL) {
++ bits = BITS_PER_ADDR_V4;
++ } else {
++ bits = atoi(plenp);
++ if (bits <= 0 || bits > BITS_PER_ADDR_V4)
++ warning_msg(warnings,
++ "%s: bad net/mask pattern: %s",
++ myname, pattern);
++ myfree(mypattern);
++ myfree((char *)ss_pattern);
++ return (0);
++ }
++
++ addr = inet_addr(mypattern);
++ addr0 = htonl(0xffffffff << (BITS_PER_ADDR_V4 - bits));
++ if ((flags & MATCH_FLAG_NONNULL_HOST) && (addr & ~addr0)) {
++ warning_msg(warnings,
++ "%s: net/mask pattern \"%s/%s\" with "
++ "non-null host portion",
++ myname, mypattern, plenp);
++ myfree(mypattern);
++ return (0);
++ }
++
++ /*
++ * We make a sockaddr_in, but we don't use any of the fields
++ * except the sin_addr member. Sockaddrs are used to create
++ * an API that's closer to AF-independence.
++ */
++ ss_pattern = (struct sockaddr_in *)mymalloc(sizeof(struct sockaddr_in));
++ memset(ss_pattern, 0, sizeof(*ss_pattern));
++ ss_pattern->sin_family = AF_INET;
++ ss_pattern->sin_addr.s_addr = addr;
++
++#endif /* INET6 */
++
++ res = addr_pattern_init();
++ res->addr = (struct sockaddr *)ss_pattern;
++ res->masklen = mask;
++ res->opattern = mystrdup(pattern);
++ res->pattern = mypattern;
++ *result = res;
++
++ return (1);
++}
++
+ /* match_hostaddr - match host by address */
+
++/* XXX: the IPv4-only version does not yet use std_addr_pattern --dean */
++
+ int match_hostaddr(int unused_flags, const char *addr, const char *pattern)
+ {
+ char *myname = "match_hostaddr";
++#ifdef INET6
++ size_t patlen;
++ char *plenp;
++ int aierr, res, ret, mask;
++ struct addrinfo hints, *res0;
++ struct sockaddr_storage ss_addr, ss_mask;
++ ADDR_PATTERN *mask_info;
++
++ ret = 0;
++ if (msg_verbose)
++ msg_info("%s: %s ~? %s", myname, addr, pattern);
++
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = PF_UNSPEC;
++ hints.ai_socktype = SOCK_STREAM;
++ hints.ai_flags = AI_NUMERICHOST;
++ aierr = getaddrinfo(addr, NULL, &hints, &res0);
++ /*
++ * The access maps checks run both hostname and address through this.
++ * E.g. the CIDR map checks both the hostname and address. Checking the
++ * hostname in a CIDR map will yield no result but may not give an
++ * EAI_NONAME error since it is correct that the hostname cannot be
++ * interpreted numerically.
++ */
++ if (aierr != 0 && aierr != EAI_NONAME)
++ msg_fatal("%s: getaddrinfo(%s): %s", myname, addr, GAI_STRERROR(aierr));
++ memcpy(&ss_addr, (const void *)res0->ai_addr, res0->ai_addrlen);
++ freeaddrinfo(res0);
++
++ res = std_addr_pattern(MATCH_FLAG_NONE, pattern, &mask_info, NULL);
++ if (mask_info == NULL) {
++ /*
++ * Try dictionary lookup. This can be case insensitive.
++ */
++ if (res && strchr(pattern, ':') != 0) {
++ if (dict_lookup(pattern, addr) != NULL)
++ return 1;
++ }
++ return 0;
++ }
++
++ /*
++ * Try an exact match with the host address (IPv4 only)
++ */
++ if (mask_info->addr->sa_family == AF_INET &&
++ strcasecmp(pattern, addr) == 0) {
++ addr_pattern_free(mask_info);
++ return 1;
++ }
++
++ res = match_sockaddr((struct sockaddr *)&ss_addr,
++ mask_info->addr, mask_info->masklen);
++ addr_pattern_free(mask_info);
++ return (res != 0);
++
++
++#else
+ unsigned int mask_shift;
+ unsigned long mask_bits;
+ unsigned long net_bits;
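Review bot: In the IPv6 branch of match_hostaddr() an `EAI_NONAME` result from getaddrinfo() is deliberately tolerated — the comment says hostnames are run through this path — but the very next statement dereferences `res0`, which getaddrinfo() does not set on failure, so every non-numeric `addr` reads an uninitialised pointer; the address must only be copied when `aierr == 0` and the address comparison skipped otherwise (sketch below). The non-INET6 branch of std_addr_pattern() has a braces bug: only `warning_msg()` is under `if (bits <= 0 || bits > BITS_PER_ADDR_V4)`, so every pattern with a prefix length unconditionally frees `ss_pattern` — still uninitialised at that point — and returns 0; that branch also never assigns `mask`, yet `res->masklen = mask` is stored after the `#endif`, and `inet_addr()` is not checked for `INADDR_NONE`. In the IPv6 branch the `non_null` early return at the end of the `MATCH_FLAG_NONNULL_HOST` block frees `mypattern` but not `ss_pattern`, unlike the bad-net/mask return above it. match_hostaddr's body continues into the next hunks.
```c
    aierr = getaddrinfo(addr, NULL, &hints, &res0);
    if (aierr != 0 && aierr != EAI_NONAME)
	msg_fatal("%s: getaddrinfo(%s): %s", myname, addr, GAI_STRERROR(aierr));
    if (aierr == 0) {
	memcpy(&ss_addr, (const void *) res0->ai_addr, res0->ai_addrlen);
	freeaddrinfo(res0);
    }
    /* ... unchanged: std_addr_pattern() and dictionary lookup ... */
    if (aierr != 0) {			/* addr is not numeric: nothing to match */
	addr_pattern_free(mask_info);
	return 0;
    }
    /* ... unchanged: exact match and match_sockaddr() ... */
```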
+@@ -219,7 +608,8 @@
+ * Try dictionary lookup. This can be case insensitive. XXX Probably
+ * should also try again after stripping least significant octets.
+ */
+- if (strchr(pattern, ':') != 0) {
++ if (strchr(pattern, ':') != 0)
++ {
+ if (dict_lookup(pattern, addr) != 0)
+ return (1);
+ if (dict_errno != 0)
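Review bot: The change in this hunk only moves the opening brace of `if (strchr(pattern, ':') != 0)` onto its own line, and the next hunk rewrites `return (1);` as `return 1;` and adds a blank line; both depart from the K&R/`return (x);` style used throughout this file and add churn to an IPv4-only branch the patch does not otherwise change. Drop these cosmetic edits so the diff is limited to the functional `BITS_PER_ADDR_V4` rename.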
+@@ -238,14 +628,15 @@
+ * In a net/mask pattern, the mask is specified as the number of bits of
+ * the network part.
+ */
++
+ if (match_parse_mask(pattern, &net_bits, &mask_shift)) {
+ addr_bits = inet_addr(addr);
+ if (addr_bits == INADDR_NONE)
+ msg_fatal("%s: bad address argument: %s", myname, addr);
+ mask_bits = mask_shift > 0 ?
+- htonl((0xffffffff) << (BITS_PER_ADDR - mask_shift)) : 0;
++ htonl((0xffffffff) << (BITS_PER_ADDR_V4 - mask_shift)) : 0;
+ if ((addr_bits & mask_bits) == net_bits)
+- return (1);
++ return 1;
+ if (net_bits & ~mask_bits) {
+ net_addr.s_addr = (net_bits & mask_bits);
+ msg_fatal("net/mask pattern %s has a non-null host portion; "
+@@ -254,4 +645,120 @@
+ }
+ }
+ return (0);
++#endif
+ }
++
++int
++match_sockaddr(const struct sockaddr *addr, const struct sockaddr *mask,
++ int masklen)
++{
++ /*
++ * I generally hate to do so, but this function just asks for
++ * #ifdef INET6... address comparison in the IPv4 only case is
++ * utterly trivial, completely unlike the mixed AF case.
++ */
++#ifdef INET6
++ if (addr->sa_family == AF_INET) {
++ if (mask->sa_family == AF_INET6) {
++ if (IN6_IS_ADDR_V4MAPPED(
++ &((struct sockaddr_in6 *)mask)->sin6_addr)) {
++ /* IPv4 address but IPv4-mapped-IPv6 netmask... */
++ if (masklen < 0 || masklen > BITS_PER_ADDR_V4)
++ return 0;
++ return mask_comp(&((struct sockaddr_in *)addr)->sin_addr.s_addr,
++ &((struct sockaddr_in6 *)mask)->sin6_addr.s6_addr[12],
++ masklen);
++ }
++ /* IPv4 address yet IPv6 mask. No match */
++ return 0;
++ }
++ /* IPv4 address, IPv4 netmask */
++ if (masklen < 0 || masklen > BITS_PER_ADDR_V4)
++ return 0;
++ return mask_comp(&((struct sockaddr_in *)addr)->sin_addr.s_addr,
++ &((struct sockaddr_in *)mask)->sin_addr.s_addr,
++ masklen);
++ } else if (addr->sa_family == AF_INET6) {
++ /* IPv6 address, IPv6 netmask */
++ struct sockaddr_in6 *addr6, *mask6;
++ addr6 = (struct sockaddr_in6 *)addr;
++ mask6 = (struct sockaddr_in6 *)mask;
++
++ if (IN6_IS_ADDR_V4MAPPED(&addr6->sin6_addr)) {
++ /* V4-mapped IPv6 address */
++ struct sockaddr_in addr4;
++ memset(&addr4, 0, sizeof(addr4));
++#ifdef HAS_SA_LEN
++ addr4.sin_len = sizeof(addr4);
++#endif
++ addr4.sin_family = AF_INET;
++ memcpy(&addr4.sin_addr.s_addr, &addr6->sin6_addr.s6_addr[12], 4);
++ if (masklen > BITS_PER_ADDR_V4 && masklen <= BITS_PER_ADDR_V6)
++ masklen -= BITS_PER_ADDR_V6 - BITS_PER_ADDR_V4;
++ return match_sockaddr((struct sockaddr *)&addr4, mask, masklen);
++ }
++ /* True IPv6, finally... */
++ if (masklen < 0 || masklen > BITS_PER_ADDR_V6)
++ return 0;
++ if (mask->sa_family != AF_INET6 ||
++ IN6_IS_ADDR_V4MAPPED(&mask6->sin6_addr))
++ return 0;
++#ifdef INET6_KAME
++ if (IN6_IS_ADDR_SITELOCAL(&addr6->sin6_addr))
++ if (!IN6_IS_ADDR_SITELOCAL(&mask6->sin6_addr) ||
++ addr6->sin6_scope_id != mask6->sin6_scope_id)
++ return 0;
++ if (IN6_IS_ADDR_LINKLOCAL(&addr6->sin6_addr))
++ if (!IN6_IS_ADDR_LINKLOCAL(&mask6->sin6_addr) ||
++ addr6->sin6_scope_id != mask6->sin6_scope_id)
++ return 0;
++#endif
++ return mask_comp(&addr6->sin6_addr.s6_addr,
++ &mask6->sin6_addr.s6_addr,
++ masklen);
++ }
++ /* Unsupported address family */
++ return 0;
++#else /* INET6 */
++ /*
++ * Trivial for IPv4...
++ */
++ return (addr->sa_family == mask->sa_family &&
++ ((struct sockaddr_in *)addr)->sin_addr.s_addr ==
++ ((struct sockaddr_in *)mask)->sin_addr.s_addr);
++#endif /* INET6 */
++}
++
++static int
++mask_comp(void *addr, void *mask, int masklen)
++{
++ int bytes, bit;
++
++ bytes = masklen / 8;
++ bit = 8 - masklen % 8;
++ if (memcmp(addr, mask, bytes) != 0)
++ return 0;
++ if (bit != 8) {
++ char *a = addr, *b = mask;
++ if ((a[bytes] & (0xff << bit)) != (b[bytes] & (0xff << bit)))
++ return 0;
++ }
++ return 1;
++}
++
++ADDR_PATTERN *
++addr_pattern_init() {
++ ADDR_PATTERN *p;
++ p = (ADDR_PATTERN *)mymalloc(sizeof(ADDR_PATTERN));
++ memset(p, 0, sizeof(ADDR_PATTERN));
++ return p;
++}
++
++void
++addr_pattern_free(ADDR_PATTERN *p) {
++ if (p->addr) myfree((char *)p->addr);
++ if (p->pattern) myfree(p->pattern);
++ if (p->opattern) myfree(p->opattern);
++ myfree((char *)p);
++}
++
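Review bot: The non-INET6 version of match_sockaddr() ignores its `masklen` argument and only compares the two addresses for equality, so in an IPv4-only build any caller that passes a prefix length (std_addr_pattern() stores one in `masklen`) never matches a net/mask pattern; apply `mask_comp()` there too, e.g. `return (addr->sa_family == mask->sa_family && masklen >= 0 && masklen <= BITS_PER_ADDR_V4 && mask_comp(&((struct sockaddr_in *)addr)->sin_addr.s_addr, &((struct sockaddr_in *)mask)->sin_addr.s_addr, masklen));`. The `mask_comp()` prototype in the earlier hunk is under `#ifdef INET6` while the definition here is unconditional, so the IPv4-only build defines an unused static function; drop the `#ifdef` around the prototype. `masklen` is `int` here but `ADDR_PATTERN.masklen` is `size_t` in match_ops.h, so the call in match_hostaddr() narrows silently; use one type. The `addr_pattern_init()` definition uses empty parentheses while its prototype says `(void)`; the definition should say `(void)` too.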
+diff -urNad postfix-release/src/util/match_ops.h /tmp/dpep.cXJuVH/postfix-release/src/util/match_ops.h
+--- postfix-release/src/util/match_ops.h 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/match_ops.h 2005-02-03 10:22:13.085091112 -0700
+@@ -11,15 +11,40 @@
+ /* DESCRIPTION
+ /* .nf
+
++ /*
++ * Utility library.
++ */
++#include <vstring.h>
++
+ /* External interface. */
+
+ #define MATCH_FLAG_NONE 0
+ #define MATCH_FLAG_PARENT (1<<0)
+-#define MATCH_FLAG_ALL (MATCH_FLAG_PARENT)
++#define MATCH_FLAG_STRICT_ADDR (1<<1)
++#define MATCH_FLAG_NOLOOKUP (1<<2)
++#define MATCH_FLAG_NONNULL_HOST (1<<3)
++#define MATCH_FLAG_ALL (MATCH_FLAG_PARENT | MATCH_FLAG_NOLOOKUP | MATCH_FLAG_NONNULL_HOST)
++
++#define GAI_STRERROR(error) \
++ ((error == EAI_SYSTEM) ? strerror(errno) : gai_strerror(error))
++
++ /* Data structures. */
++
++typedef struct ADDR_PATTERN {
++ struct sockaddr *addr; /* pointer to sockaddr(_storage) address */
++ size_t masklen; /* prefix length */
++ char *pattern; /* modified pattern */
++ char *opattern; /* original string pattern */
++} ADDR_PATTERN;
+
+ extern int match_string(int, const char *, const char *);
+ extern int match_hostname(int, const char *, const char *);
+ extern int match_hostaddr(int, const char *, const char *);
++extern int std_addr_pattern(int, const char *, ADDR_PATTERN **, VSTRING *);
++extern int match_sockaddr(const struct sockaddr *, const struct sockaddr *, int);
++
++extern ADDR_PATTERN * addr_pattern_init(void);
++extern void addr_pattern_free(ADDR_PATTERN *);
+
+ /* LICENSE
+ /* .ad
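Review bot: The header is no longer self-contained: `GAI_STRERROR()` expands to `errno`, `strerror()`, `gai_strerror()` and `EAI_SYSTEM`, and the `ADDR_PATTERN` typedef and the `match_sockaddr()` prototype use `struct sockaddr`, yet the only include added is `<vstring.h>`; add `<sys/socket.h>`, `<netdb.h>`, `<errno.h>` and `<string.h>` next to it, and parenthesise the macro argument: `(((error) == EAI_SYSTEM) ? strerror(errno) : gai_strerror(error))`. `masklen` is declared `size_t` while std_addr_pattern() assigns an `int mask` to it and match_sockaddr() takes `int masklen`; one type for all three avoids the silent sign conversions.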
+@@ -30,6 +55,13 @@
+ /* IBM T.J. Watson Research
+ /* P.O. Box 704
+ /* Yorktown Heights, NY 10598, USA
++/*
++/* Dean C. Strik
++/* Department ICT Services
++/* Eindhoven University of Technology
++/* P.O. Box 513
++/* 5600 MB Eindhoven, Netherlands
++/* E-mail: <dean at ipnet6.org>
+ /*--*/
+
+ #endif
+diff -urNad postfix-release/src/util/sock_addr.c /tmp/dpep.cXJuVH/postfix-release/src/util/sock_addr.c
+--- postfix-release/src/util/sock_addr.c 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/sock_addr.c 2005-02-03 10:22:13.085091112 -0700
+@@ -0,0 +1,169 @@
++/*++
++/* NAME
++/* sock_addr 3
++/* SUMMARY
++/* sockaddr utilities
++/* SYNOPSIS
++/* #include <sock_addr.h>
++/*
++/* int sock_addr_cmp_addr(sa, sb)
++/* const struct sockaddr *sa;
++/* const struct sockaddr *sb;
++/*
++/* int sock_addr_cmp_port(sa, sb)
++/* const struct sockaddr *sa;
++/* const struct sockaddr *sb;
++/*
++/* int SOCK_ADDR_EQ_ADDR(sa, sb)
++/* const struct sockaddr *sa;
++/* const struct sockaddr *sb;
++/*
++/* int SOCK_ADDR_EQ_PORT(sa, sb)
++/* const struct sockaddr *sa;
++/* const struct sockaddr *sb;
++/*
++/* int sock_addr_in_loopback(sa)
++/* const struct sockaddr *sa;
++/* AUXILIARY MACROS
++/* struct sockaddr *SOCK_ADDR_PTR(ptr)
++/* unsigned char SOCK_ADDR_FAMILY(ptr)
++/* unsigned char SOCK_ADDR_LEN(ptr)
++/*
++/* struct sockaddr_in *SOCK_ADDR_IN_PTR(ptr)
++/* unsigned char SOCK_ADDR_IN_FAMILY(ptr)
++/* unsigned short SOCK_ADDR_IN_PORT(ptr)
++/* struct in_addr SOCK_ADDR_IN_ADDR(ptr)
++/* struct in_addr IN_ADDR(ptr)
++/*
++/* struct sockaddr_in6 *SOCK_ADDR_IN6_PTR(ptr)
++/* unsigned char SOCK_ADDR_IN6_FAMILY(ptr)
++/* unsigned short SOCK_ADDR_IN6_PORT(ptr)
++/* struct in6_addr SOCK_ADDR_IN6_ADDR(ptr)
++/* struct in6_addr IN6_ADDR(ptr)
++/* DESCRIPTION
++/* These utilities take protocol-independent address structures
++/* and perform protocol-dependent operations on structure members.
++/* Some of the macros described here are called unsafe,
++/* because they evaluate one or more arguments multiple times.
++/*
++/* sock_addr_cmp_addr() or sock_addr_cmp_port() compare the
++/* address family and network address or port fields for
++/* equality, and return indication of the difference between
++/* their arguments: < 0 if the first argument is "smaller",
++/* 0 for equality, and > 0 if the first argument is "larger".
++/*
++/* The unsafe macros SOCK_ADDR_EQ_ADDR() or SOCK_ADDR_EQ_PORT()
++/* compare compare the address family and network address or
++/* port fields for equality, and return non-zero when their
++/* arguments differ.
++/*
++/* sock_addr_in_loopback() determines if the argument specifies
++/* a loopback address.
++/*
++/* The SOCK_ADDR_PTR() macro casts a generic pointer to (struct
++/* sockaddr *). The name is upper case for consistency not
++/* safety. SOCK_ADDR_FAMILY() and SOCK_ADDR_LEN() return the
++/* address family and length of the real structure that hides
++/* inside a generic sockaddr structure. On systems where struct
++/* sockaddr has no sa_len member, SOCK_ADDR_LEN() cannot be
++/* used as lvalue.
++/*
++/* The macros SOCK_ADDR_IN{,6}_{PTR,FAMILY,PORT,ADDR}() cast
++/* a generic pointer to a specific socket address structure
++/* pointer, or access a specific socket address structure
++/* member. These can be used as lvalues.
++/*
++/* The unsafe INADDR() and IN6_ADDR() macros dereference a
++/* generic pointer to a specific address structure.
++/* DIAGNOSTICS
++/* Panic: unsupported address family.
++/* LICENSE
++/* .ad
++/* .fi
++/* The Secure Mailer license must be distributed with this software.
++/* AUTHOR(S)
++/* Wietse Venema
++/* IBM T.J. Watson Research
++/* P.O. Box 704
++/* Yorktown Heights, NY 10598, USA
++/*--*/
++
++/* System library. */
++
++#include <sys_defs.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <string.h>
++
++/* Utility library. */
++
++#include <msg.h>
++#include <sock_addr.h>
++
++/* sock_addr_cmp_addr - compare addresses for equality */
++
++int sock_addr_cmp_addr(const struct sockaddr * sa,
++ const struct sockaddr * sb)
++{
++ if (sa->sa_family != sb->sa_family)
++ return (sa->sa_family - sb->sa_family);
++
++ /*
++ * With IPv6 address structures, assume a non-hostile implementation that
++ * stores the address as a contiguous sequence of bits. Any holes in the
++ * sequence would invalidate the use of memcmp().
++ */
++ if (sa->sa_family == AF_INET) {
++ return (SOCK_ADDR_IN_ADDR(sa).s_addr - SOCK_ADDR_IN_ADDR(sb).s_addr);
++#ifdef INET6
++ } else if (sa->sa_family == AF_INET6) {
++ return (memcmp((char *) &(SOCK_ADDR_IN6_ADDR(sa)),
++ (char *) &(SOCK_ADDR_IN6_ADDR(sb)),
++ sizeof(SOCK_ADDR_IN6_ADDR(sa))));
++#endif
++ } else {
++ msg_panic("sock_addr_cmp_addr: unsupported address family %d",
++ sa->sa_family);
++ }
++}
++
++/* sock_addr_cmp_port - compare ports for equality */
++
++int sock_addr_cmp_port(const struct sockaddr * sa,
++ const struct sockaddr * sb)
++{
++ if (sa->sa_family != sb->sa_family)
++ return (sa->sa_family - sb->sa_family);
++
++ if (sa->sa_family == AF_INET) {
++ return (SOCK_ADDR_IN_PORT(sa) - SOCK_ADDR_IN_PORT(sb));
++#ifdef INET6
++ } else if (sa->sa_family == AF_INET6) {
++ return (SOCK_ADDR_IN6_PORT(sa) - SOCK_ADDR_IN6_PORT(sb));
++#endif
++ } else {
++ msg_panic("sock_addr_cmp_port: unsupported address family %d",
++ sa->sa_family);
++ }
++}
++
++/* sock_addr_in_loopback - determine if address is loopback */
++
++int sock_addr_in_loopback(const struct sockaddr * sa)
++{
++ unsigned long inaddr;
++
++ if (sa->sa_family == AF_INET) {
++ inaddr = ntohl(SOCK_ADDR_IN_ADDR(sa).s_addr);
++ return (IN_CLASSA(inaddr)
++ && ((inaddr & IN_CLASSA_NET) >> IN_CLASSA_NSHIFT)
++ == IN_LOOPBACKNET);
++#ifdef INET6
++ } else if (sa->sa_family == AF_INET6) {
++ return (IN6_IS_ADDR_LOOPBACK(&SOCK_ADDR_IN6_ADDR(sa)));
++#endif
++ } else {
++ msg_panic("sock_addr_in_loopback: unsupported address family %d",
++ sa->sa_family);
++ }
++}
+diff -urNad postfix-release/src/util/sock_addr.h /tmp/dpep.cXJuVH/postfix-release/src/util/sock_addr.h
+--- postfix-release/src/util/sock_addr.h 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/sock_addr.h 2005-02-03 10:22:13.085091112 -0700
+@@ -0,0 +1,95 @@
++#ifndef _SOCK_ADDR_EQ_H_INCLUDED_
++#define _SOCK_ADDR_EQ_H_INCLUDED_
++
++/*++
++/* NAME
++/* sock_addr 3h
++/* SUMMARY
++/* socket address utilities
++/* SYNOPSIS
++/* #include <sock_addr.h>
++/* DESCRIPTION
++/* .nf
++
++ /*
++ * System library.
++ */
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <string.h>
++
++ /*
++ * External interface.
++ */
++#define SOCK_ADDR_PTR(ptr) ((struct sockaddr *)(ptr))
++#define SOCK_ADDR_FAMILY(ptr) SOCK_ADDR_PTR(ptr)->sa_family
++#ifdef HAS_SA_LEN
++#define SOCK_ADDR_LEN(ptr) SOCK_ADDR_PTR(ptr)->sa_len
++#endif
++
++#define SOCK_ADDR_IN_PTR(sa) ((struct sockaddr_in *)(sa))
++#define SOCK_ADDR_IN_FAMILY(sa) SOCK_ADDR_IN_PTR(sa)->sin_family
++#define SOCK_ADDR_IN_PORT(sa) SOCK_ADDR_IN_PTR(sa)->sin_port
++#define SOCK_ADDR_IN_ADDR(sa) SOCK_ADDR_IN_PTR(sa)->sin_addr
++#define IN_ADDR(ia) (*((struct in_addr *) (ia)))
++
++extern int sock_addr_cmp_addr(const struct sockaddr *, const struct sockaddr *);
++extern int sock_addr_cmp_port(const struct sockaddr *, const struct sockaddr *);
++extern int sock_addr_in_loopback(const struct sockaddr *);
++
++#ifdef INET6
++
++#ifndef HAS_SA_LEN
++#define SOCK_ADDR_LEN(sa) \
++ (SOCK_ADDR_PTR(sa)->sa_family == AF_INET6 ? \
++ sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in))
++#endif
++
++#define SOCK_ADDR_IN6_PTR(sa) ((struct sockaddr_in6 *)(sa))
++#define SOCK_ADDR_IN6_FAMILY(sa) SOCK_ADDR_IN6_PTR(sa)->sin6_family
++#define SOCK_ADDR_IN6_PORT(sa) SOCK_ADDR_IN6_PTR(sa)->sin6_port
++#define SOCK_ADDR_IN6_ADDR(sa) SOCK_ADDR_IN6_PTR(sa)->sin6_addr
++#define IN6_ADDR(ia) (*((struct in6_addr *) (ia)))
++
++#define SOCK_ADDR_EQ_ADDR(sa, sb) \
++ ((SOCK_ADDR_FAMILY(sa) == AF_INET && SOCK_ADDR_FAMILY(sb) == AF_INET \
++ && SOCK_ADDR_IN_ADDR(sa).s_addr == SOCK_ADDR_IN_ADDR(sb).s_addr) \
++ || (SOCK_ADDR_FAMILY(sa) == AF_INET6 && SOCK_ADDR_FAMILY(sb) == AF_INET6 \
++ && memcmp((char *) &(SOCK_ADDR_IN6_ADDR(sa)), \
++ (char *) &(SOCK_ADDR_IN6_ADDR(sb)), \
++ sizeof(SOCK_ADDR_IN6_ADDR(sa))) == 0))
++
++#define SOCK_ADDR_EQ_PORT(sa, sb) \
++ ((SOCK_ADDR_FAMILY(sa) == AF_INET && SOCK_ADDR_FAMILY(sb) == AF_INET \
++ && SOCK_ADDR_IN_PORT(sa) == SOCK_ADDR_IN_PORT(sb)) \
++ || (SOCK_ADDR_FAMILY(sa) == AF_INET6 && SOCK_ADDR_FAMILY(sb) == AF_INET6 \
++ && SOCK_ADDR_IN6_PORT(sa) == SOCK_ADDR_IN6_PORT(sb)))
++
++#else
++
++#ifndef HAS_SA_LEN
++#define SOCK_ADDR_LEN(sa) sizeof(struct sockaddr_in)
++#endif
++
++#define SOCK_ADDR_EQ_ADDR(sa, sb) \
++ (SOCK_ADDR_FAMILY(sa) == AF_INET && SOCK_ADDR_FAMILY(sb) == AF_INET \
++ && SOCK_ADDR_IN_ADDR(sa).s_addr == SOCK_ADDR_IN_ADDR(sb).s_addr)
++
++#define SOCK_ADDR_EQ_PORT(sa, sb) \
++ (SOCK_ADDR_FAMILY(sa) == AF_INET && SOCK_ADDR_FAMILY(sb) == AF_INET \
++ && SOCK_ADDR_IN_PORT(sa) == SOCK_ADDR_IN_PORT(sb))
++
++#endif
++
++/* LICENSE
++/* .ad
++/* .fi
++/* The Secure Mailer license must be distributed with this software.
++/* AUTHOR(S)
++/* Wietse Venema
++/* IBM T.J. Watson Research
++/* P.O. Box 704
++/* Yorktown Heights, NY 10598, USA
++/*--*/
++
++#endif
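Review bot: The `#ifndef HAS_SA_LEN` fallbacks for `SOCK_ADDR_LEN` silently size every family other than AF_INET6 as `struct sockaddr_in`, while the companion functions in sock_addr.c panic on an unsupported family; a caller that ever passed an AF_UNIX or AF_UNSPEC address through this macro to bound a copy would get a wrong length with no diagnostic. Since a macro cannot panic, I would at least document the assumption next to both fallback definitions: `/* Only AF_INET and AF_INET6 are supported; any other family is sized as struct sockaddr_in. */`. The include guard is named `_SOCK_ADDR_EQ_H_INCLUDED_` for a file called sock_addr.h, which looks like a leftover from a rename; `_SOCK_ADDR_H_INCLUDED_` would match the file. Note also that the `SOCK_ADDR_EQ_ADDR`/`SOCK_ADDR_EQ_PORT` macros expand their arguments several times, so arguments with side effects are unsafe and that is worth a one-line comment above them.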
+diff -urNad postfix-release/src/util/sys_defs.h /tmp/dpep.cXJuVH/postfix-release/src/util/sys_defs.h
+--- postfix-release/src/util/sys_defs.h 2005-02-03 10:22:12.228282230 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/sys_defs.h 2005-02-03 10:22:13.086090889 -0700
+@@ -108,6 +108,14 @@
+ #define SOCKOPT_SIZE socklen_t
+ #endif
+
++#if !defined(NOGETIFADDRS) && ( \
++ (defined(__NetBSD_Version__) && __NetBSD_Version__ >= 105000000) \
++ || (defined(__FreeBSD__) && __FreeBSD__ >= 4) \
++ || (defined(OpenBSD) && OpenBSD >= 200003) \
++ || defined(USAGI_LIBINET6))
++#define HAVE_GETIFADDRS
++#endif
++
+ /*
+ * UNIX on MAC.
+ */
+@@ -293,6 +301,7 @@
+ #define FIONREAD_IN_SYS_FILIO_H
+ #define USE_STATVFS
+ #define STATVFS_IN_SYS_STATVFS_H
++#define INT_MAX_IN_LIMITS_H
+ #define STREAM_CONNECTIONS /* avoid UNIX-domain sockets */
+ #define LOCAL_LISTEN stream_listen
+ #define LOCAL_ACCEPT stream_accept
+@@ -300,6 +309,9 @@
+ #define LOCAL_TRIGGER stream_trigger
+ #define HAS_VOLATILE_LOCKS
+ #define BROKEN_READ_SELECT_ON_TCP_SOCKET
++#ifdef INET6
++#define HAS_SIOCGLIF
++#endif
+
+ /*
+ * Allow build environment to override paths.
+@@ -573,6 +585,10 @@
+ #define SOCKADDR_SIZE socklen_t
+ #define SOCKOPT_SIZE socklen_t
+ #endif
++#ifdef INET6
++#define HAS_PROCNET_IFINET6
++#define _PATH_PROCNET_IFINET6 "/proc/net/if_inet6"
++#endif
+ #endif
+
+ #ifdef LINUX1
+@@ -601,6 +617,10 @@
+ #define NATIVE_NEWALIAS_PATH "/usr/bin/newaliases"
+ #define NATIVE_COMMAND_DIR "/usr/sbin"
+ #define NATIVE_DAEMON_DIR "/usr/libexec/postfix"
++#ifdef INET6
++#define HAS_PROCNET_IFINET6
++#define _PATH_PROCNET_IFINET6 "/proc/net/if_inet6"
++#endif
+ #endif
+
+ /*
+diff -urNad postfix-release/src/util/valid_hostname.c /tmp/dpep.cXJuVH/postfix-release/src/util/valid_hostname.c
+--- postfix-release/src/util/valid_hostname.c 2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/valid_hostname.c 2005-02-03 10:22:13.086090889 -0700
+@@ -53,6 +53,13 @@
+ #include <string.h>
+ #include <ctype.h>
+
++#ifdef INET6
++#include <netinet/in.h>
++#include <sys/socket.h>
++#include <arpa/inet.h>
++#include <netdb.h>
++#endif
++
+ /* Utility library. */
+
+ #include "msg.h"
+@@ -109,7 +116,23 @@
+ msg_warn("%s: misplaced hyphen: %.100s", myname, name);
+ return (0);
+ }
+- } else {
++ }
++#ifdef INET6
++ else if (ch == ':') {
++ struct addrinfo hints, *res;
++
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = AF_INET6;
++ hints.ai_socktype = SOCK_STREAM; /*dummy*/
++ hints.ai_flags = AI_NUMERICHOST;
++ if (getaddrinfo(name, "0", &hints, &res) == 0) {
++ freeaddrinfo(res);
++ return 1;
++ } else
++ return 0;
++ }
++#endif
++ else {
+ if (gripe)
+ msg_warn("%s: invalid character %d(decimal): %.100s",
+ myname, ch, name);
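Review bot: The new `else if (ch == ':')` branch returns 0 silently when getaddrinfo() rejects the string, while every other rejection path in this loop honours `gripe` and logs a `msg_warn` (see the misplaced-hyphen and invalid-character branches around it), so a malformed IPv6 literal now fails validation with no diagnostic. I would make the failure path `if (gripe) msg_warn("%s: invalid IPv6 address: %.100s", myname, name); return (0);` and drop the dangling `else`. This branch also makes valid_hostname() accept a bare IPv6 address literal as a host name, and with AI_NUMERICHOST a scoped literal such as `fe80::1%eth0` would presumably pass too, which callers expecting a DNS-style name may not anticipate; a short comment on the branch stating that intent would help. The enclosing valid_hostname() starts and ends outside this hunk.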
+@@ -131,6 +154,12 @@
+ return (1);
+ }
+
++#ifdef INET6_KAME
++#define INET6_ADDR_PRES_CHARS ":./0123456789abcdefABCDEF%"
++#else
++#define INET6_ADDR_PRES_CHARS ":./0123456789abcdefABCDEF"
++#endif
++
+ /* valid_hostaddr - test dotted quad string for correctness */
+
+ int valid_hostaddr(const char *addr, int gripe)
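Review bot: The `INET6_ADDR_PRES_CHARS` definitions carry no comment on why `%` is admitted only under INET6_KAME, and as written the set admits only a numeric zone index after `%`, since letters outside a-f are absent, so a literal like `fe80::1%eth0` is still rejected by the strspn() scan that uses this macro. I would add above the `#ifdef INET6_KAME` line: `/* Characters allowed in a textual IPv6 address for the fallback scan in valid_hostaddr(); KAME stacks also use "%" for the scope (zone) identifier. Only a numeric zone index can pass, as interface names contain letters outside a-f. */`.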
+@@ -141,6 +170,9 @@
+ int byte_count = 0;
+ int byte_val = 0;
+ int ch;
++#ifdef INET6
++ struct addrinfo hints, *res;
++#endif
+
+ #define BYTES_NEEDED 4
+
+@@ -153,11 +185,22 @@
+ return (0);
+ }
+
++#ifdef INET6
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = AF_INET6;
++ hints.ai_socktype = SOCK_STREAM; /*dummy*/
++ hints.ai_flags = AI_NUMERICHOST;
++ if (getaddrinfo(addr, "0", &hints, &res) == 0) {
++ freeaddrinfo(res);
++ return 1;
++ }
++#endif
++
+ /*
+ * Preliminary IPV6 support.
+ */
+ if (strchr(addr, ':')) {
+- if (*(cp = addr + strspn(addr, ":./0123456789abcdefABCDEF")) != 0) {
++ if (*(cp = addr + strspn(addr, INET6_ADDR_PRES_CHARS)) != 0) {
+ if (gripe)
+ msg_warn("%s: invalid character %d(decimal): %.100s",
+ myname, *cp, addr);
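Review bot: When the new getaddrinfo()/AI_NUMERICHOST check fails, control falls through to the older "Preliminary IPV6 support" scan, so on an INET6 build a string containing ':' that the resolver has already rejected (too many groups, a second "::", and so on) is judged only by strspn() against `INET6_ADDR_PRES_CHARS`; the accept path of that scan lies outside this hunk, but if it accepts, the strict check adds no rejection power at all. I would reject explicitly once getaddrinfo() has said no, honouring `gripe` like the surrounding code, and leave the loose scan as the non-INET6 fallback only. The body of valid_hostaddr() continues past the end of the hunk, and the bare `return 1` next to the file's `return (0)` is a small style inconsistency.
```c
    if (getaddrinfo(addr, "0", &hints, &res) == 0) {
	/* … unchanged: freeaddrinfo(res); return (1); … */
    }
    /* getaddrinfo() has rejected the literal; do not fall through to the loose scan. */
    if (strchr(addr, ':')) {
	if (gripe)
	    msg_warn("%s: invalid IPv6 address: %.100s", myname, addr);
	return (0);
    }
#endif
```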
+diff -urNad postfix-release/tls/ACKNOWLEDGEMENTS /tmp/dpep.cXJuVH/postfix-release/tls/ACKNOWLEDGEMENTS
+--- postfix-release/tls/ACKNOWLEDGEMENTS 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/ACKNOWLEDGEMENTS 2005-02-03 10:22:13.087090666 -0700
+@@ -0,0 +1,56 @@
++- Walcir Fontanini <walcir at densis.fee.unicamp.br>
++ * tested on Solaris 2.5 and and reported missing "snprintf()"
++ -> was fixed in pfixtls-0.1.2
++ * contributed the script to add fingerprints
++ contributed/fp.csh
++
++- Matti Aarnio <matti.aarnio at sonera.fi> (www.zmailer.org)
++ * updated pfixtls_dump to need fewer strcat and strcpy calls.
++
++- Cerebus <cerebus at sackheads.org>
++ * Missing variable initialization in client mode enable STARTTLS
++ negotiation even when not wanted.
++ -> fixed in pfixtls-0.2.8
++
++- Bodo Moeller <bode at openssl.org>
++ * The SSL connection was not shut down at the end of the session, because
++ SSL_CTX_set_quiet_shutdown() was set. This however did not mean "do a
++ quiet shutdown" but "do not shutdown SSL".
++ -> fixed in pfixtls-0.3.3
++
++- Jeff Johnson <jeff at websitefactory.net>
++ * noted that the patch code will not compile with SSL disabled anymore,
++ because a ´#ifdef HAS_SSL #endif´ encapsulation was missing in
++ smtp/smtp_connect.c. This must have been in since the very beginning
++ of client mode support (0.2.x).
++ -> fixed in 0.3.6
++
++- Craig Sanders <craig at taz.net.au>
++ * noted that the Received: header does not contain sufficient information
++ whether a client certificate was not requested or not presented.
++ He also reminded me that the session cache must be cleared when
++ experimenting with the setup and certificates, what is not explained
++ in the documenation.
++ -> fixed in 0.4.4
++
++- Claus Assmann <ca+tls at esmtp.org>
++ * pointed out that the Received: header logging about the TLS state violated
++ RFC822. The TLS information must be in comment form "(info)".
++ -> fixed in 0.6.3
++
++- Wietse Venema <wietse at porcupine.org>
++ * uncounted important suggestions to start the integration into the Postfix
++ mainstream code.
++ * code adjustments in the dict_*() database code to allow easier inclusion
++ and use for session caching, and this is only the beginning :-)
++ -> started reprogramming Postfix/TLS to fit both Wietse's and my
++ requirements as of 0.6.0
++
++- Damien Miller <djm at mindrot.org>
++ * Found mismatch between documentation and code with regard to logging.
++ -> fixed in 0.6.6
++
++- Deti Fliegl <fliegl at cs.tum.edu>
++ * Provided an initial patch to support SubjectAlternativeName/dNSName
++ checks.
++ -> added in 0.8.14
+diff -urNad postfix-release/tls/CHANGES /tmp/dpep.cXJuVH/postfix-release/tls/CHANGES
+--- postfix-release/tls/CHANGES 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/CHANGES 2005-02-03 10:22:13.091089774 -0700
+@@ -0,0 +1,2401 @@
++2004/04/27 = Re-release 0.8.18 ==
++
++2004/04/27
++ - Postfix 2.1.0 has been released. Some minor patch conflicts with respect
++ to the actual code and build environment.
++ - Due to the restructuring of the documentation the old sample-*.cf
++ files are no longer available.
++ Took documentation already adopted by Wietse for the 2.1-RC2-IPV6+TLS
++ snapshot.
++
++2004/02/09 == Re-release 0.8.18 ==
++
++2004/02/09
++ - Postfix 2.0.18-20040205 is available, patchkit applies without
++ problems.
++
++2004/02/02 == Release 0.8.18 ==
++
++2004/02/02
++ - Incorporated Luca Berra's information into the patchkit and ran tests
++ with my own versions.
++
++2004/02/01
++ - Reports about server side SMTP failure with Carsten's patch can be
++ found on postfix-users.
++ 'Luca Berra' <bluca at comedia.it> informs, that he discoverd another
++ failure of the GNU patch program with a misplaced patch hunk in
++ smtpd.c
++
++2004/01/30
++ - Edited in additional #ifdef USE_SSL conditionals. If the TLS patch
++ is applied but not activated (USE_SSL is not defined), a warning is
++ printed as soon as TLS shall be used.
++
++2004/01/23
++ - Postfix 2.0.18-20040122 is now available. Several patch conflicts occur.
++ Even more: one hunk of the patch (which is provided in unified diff)
++ fails in smtp.c and causes a segmentation violation.
++ Carsten Hoeger <choeger at suse.de> provides an adapted patch kit.
++
++2004/01/02 == Released 0.8.17 ==
++
++2004/01/02
++ - Postfix-2.0.16-20031231 is released. No patch conflicts.
++ - Changed autoresponder for TLS tests to "The Postfix Book" echo
++ responder (provided by Patrick Koetter and Ralf Hildebrandt).
++
++2003/12/30
++ - Postfix-2.0.16-20031226 is released. No patch conflicts.
++
++2003/12/26
++ - Postfix-2.0.16-20031224 is released. Resolved patch conflicts.
++
++2003/12/16
++ - Postfix-2.0.16-20031215 is released. Resolved patch conflicts.
++ - src/global/pfixtls.c: changed occurance of "ssize_t" to "size_t"
++ as some quite old operating systems do no have ssize_t
++ (Reported by Klaus Jaehne <kj at uue.org> for SunOS 4.1.4).
++ - src/global/pfixtls.c: both the client and the server engine did
++ print out messages even when tls_loglevel was set to 0 (reported
++ by Florian Effenberger <florian at effenberger.org>): evaluate loglevel
++ before printing any message.
++
++2003/11/17 == Re-released 0.8.16 ==
++
++2003/11/17
++ - Postfix 2.0.16-20031113 is released. Some minor patch conflicts.
++
++2003/10/27 == Re-released 0.8.16 ==
++
++2003/10/24
++ - Postfix 2.0.16-20031022 is released. Some minor patch conflicts.
++
++2003/09/23 == Re-released 0.8.16 ==
++
++2003/09/23
++ - Postfix 2.0.16 and 2.0.16-20030921 are now available.
++ Resolved some minor patch conflicts.
++
++2003/09/10 == Released 0.8.16 ==
++
++2003/09/09
++ - Postfix 2.0.15 has been released including another workaround for
++ select() on Solaris problems. It contains additional code to catch
++ EAGAIN on read() in the timed_read() routine (and the respective
++ precautions in timed_write()
++ - Note: this fix is not yet part of Postfix 2.0.14-20030812.
++ - Added corresponding code to pfixtls_timed_read()/_write().
++ - Changed SSL wrappermode behaviour: use smtpd_sasl_tls_security_options
++ instead of smtpd_sasl_security_options as is to be expected because TLS
++ is active. (Bug reported by Bob Snyder <rsnyder at toontown.erial.nj.us>.)
++
++2003/08/29 == Re-released 0.8.15 ==
++
++2003/08/29
++ - Adapted patchkit to Postfix 2.0.14. No patch conflicts.
++
++2003/07/17 == Re-released 0.8.15a (-20030715 only) ==
++
++2003/07/16
++ - Experimental version Postfix 2.0.14-20030715 is released, including
++ the SASL changes. Resolved some minor patch conflicts.
++
++2003/07/11 == Released 0.8.15a (-20030706 only) ==
++
++2003/07/11
++ - Received error report about about TLS failing with the new smtpd_proxy
++ feature including instructions on how to reproduce.
++ (Did receive an earlier report on 2003/07/09, that however indicated other
++ setup problems, so that the actual problem was not visible.)
++ - Analysis: when introducing the new smtpd_proxy feature, different mechnisms
++ where introduced to either write to the cleanup daemon (as before) or to
++ the smtpd_proxy connection. Functions and streams are now expressed in
++ out_fprintf() function pointers etc. being assigned accordingly.
++ When updating to 0.8.15/2.0.13-20030706 this change was missed and the
++ routine adding the TLS information to the Received: headers did use the
++ older rec_fprintf() functions etc. This did work fine for the traditional
++ connection to the cleanup service, but naturally failed for smtpd_proxy
++ (with a segmentation violation).
++ Solution: access out_stream via the according pointers.
++ - The 2.0.13 stable version is not affected.
++
++2003/07/08 == Released 0.8.15 ==
++
++2003/07/07
++ - Postfix 2.0.13 and 2.0.13-20030706 are released.
++ Patchkit for 2.0.13 applies cleanly.
++ Patchkit for 2.0.13-20030607 requires several adaptations (patch conflicts,
++ no functional changes).
++ - Slightly modified SASL interface code (smpt[d]_sasl_glue layer) to
++ allow setting the security policy during session setup instead of
++ process start. This allows to actually choose SASL mechanisms available
++ depending on the availability of TLS encryption and authentication.
++ New parameters: smtpd_sasl_tls_security_options,
++ smtp_sasl_tls_security_options, smtp_sasl_tls_verified_security_options
++ - Submitted change to SASL interface to Wietse, who accepted the change
++ as part of the Snapshot line.
++
++2003/06/19 == Released 0.8.14 ==
++
++2003/06/19
++ - Add support for SubjectAlternativeName "dNSName" entries in certificate
++ checking (applies for client mode only).
++ If the client connects to the server, it does check the list of dNSName
++ entries against the expected hostname (therefore allowing the server to
++ have multiple identities). As described in RFC2818 (HTTP over TLS),
++ CommonName (CN) entries are only checked, if no dNSName entries are found
++ at all.
++ Initial patch proposed by Deti Fliegl <fliegl at cs.tum.edu>, reworked to
++ follow the RFC2818 rules and some cleanup.
++
++2003/06/18
++ - Checked out similar settings, found another missing entry:
++ var_smtp_scert_vd was missing src/smtp/smtp.c.
++ - Renamed HAS_SSL to USE_SSL for compilation (have to use -DUSE_SSL
++ in the future). Currently pfixtls.h will take care of setting
++ USE_SSL, when HAS_SSL has been defined.
++
++2003/06/17
++ - Received bug reports about Postfix/TLS failing (connection closing)
++ after having finished the "STARTTLS"/"220 Ready to start TLS"
++ dialogue. (Actually the first report came in via private mail on
++ 2003/06/12, but the information was too diffuse to track down).
++ Tracking down became possible after it became clear, that only Solaris
++ systems are affected.
++ Analysis:
++ * As of 2003/06/09 postfix uses non-blocking socket I/O for the SMTP
++ connection on Solaris platforms. This requires using "select()" style
++ waiting before read() or write() access (which are not prepared EAGAIN
++ or EWOULDBLOCK in the Postfix case and therefore indicate error).
++ * As the var_smtpd_starttls_tmout variable is not correctly initialized
++ (value is 0), the select() style function is not called, therefore
++ read() fails with EAGAIN and the connection is closed due to a
++ presumed error condition.
++ * The initialization of the variable should be done in the time_table[]
++ list during main().
++ The entry however was lost during the patch adaptation from 0.7.13e
++ to 0.7.14-snap20020107 on 2002/01/07.
++ Impact:
++ * On Solaris systems, STARTTLS fails during handshake (server only).
++ * On other systems, the TLS negotiation phase is not protected by the
++ smtpd_starttls_tmout (default 300s) value and may hang until the
++ watchdog kills smtpd, if the client does not continue the handshake.
++ Restored var_smtpd_starttls_tmout variable initialization.
++
++2003/06/12 == Re-released 0.8.13 ==
++
++2003/06/11
++ - Adapted to snapshot 2.0.12-20030611. No patch conflicts.
++
++2003/06/11
++ - Adapted to snapshot 2.0.11-20030609. One minor patch conflict.
++
++2003/05/23 == Re-released 0.8.13 ==
++
++2003/05/23
++ - First release against snapshot 2.0.10-20030523.
++
++2003/04/26 == Re-released 0.8.13 ==
++
++2003/04/26
++ - Updated patchkit to apply to Postfix 2.0.9.
++ - Updated patchkit-name to reflect the release of OpenSSL 0.9.7b.
++
++2003/03/06 == Re-released 0.8.13 ==
++
++2003/03/06
++ - Postfix 2.0.6 has been released. No patch conflicts.
++
++2003/03/02 == Re-released 0.8.13 ==
++
++2003/03/02
++ - Postfix 2.0.4 has been released. "patch" should work with some warnings
++ about moved line numbers.
++ - OpenSSL 0.9.7a has been released. No visible changes with respect to
++ Postfix/TLS.
++
++2003/01/26 == Re-released 0.8.13 ==
++
++2003/01/26
++ - Postfix 2.0.3 has been released. One minor patch-conflict.
++
++2003/01/13 == Released 0.8.13 ==
++
++2003/01/13
++ - Postfix 2.0.1 has been released. Some minor patch conflicts resolved.
++ - Added HOWTO documents contributed by Justin Davies <justin at palmcoder.net>
++ to the contribution area.
++ - Added RFC3207 (SMTP Service Extension for Secure SMTP over Transport Layer
++ Security) to the documentation. RFC3207 is the successor of RFC2487.
++ - Updated TODO list to reflect release ideas up to the release of
++ Postfix/TLS 0.9.0. (Or will it finally be 1.0.0? :-)
++
++2002/12/30
++ - OpenSSL 0.9.7 has been released. Postfix/TLS works best with the new
++ 0.9.7 release.
++
++2002/12/24 == Re-released 0.8.12 ==
++
++2002/12/24
++ - Postfix 2.0.0.1 has been released. Resolved one minor patch conflict.
++
++2002/12/20 == Re-released 0.8.12 ==
++
++2002/12/20
++ - Postfix snapshot 1.1.12-20021214 has been released. Resolved minor
++ patch conflicts.
++
++2002/12/15 == Re-released 0.8.12 ==
++
++2002/12/15
++ - Postfix snapshot 1.1.12-20021214 has been released. Two minor patch
++ conflicts.
++
++2002/12/06 == Released 0.8.12 ==
++
++2002/12/06
++ - OpenSSL 0.9.6h has been released. Update documentation and filenames
++ to reflect this new release.
++ - Minor bug fix: when calling "sendmail -bs", smtpd is not run with
++ superuser permissions, therefore the loading of the private key fails.
++ STARTTLS is not used anyway, so the key is not needed anyway, but the
++ failure to load creates a misleading warning.
++ Do not initialize TLS engine at all when not started with superuser
++ permissions.
++
++2002/12/03
++ - Postfix snapshot 1.1.12-20021203 has been released. Resolved one patch
++ conflict.
++
++2002/11/01 == Re-released 0.8.11a ==
++
++2002/11/01
++ - Postfix snapshot 1.1.11-20021031 has been released. No patch conflicts.
++
++2002/10/30 == Re-released 0.8.11a ==
++
++2002/10/30
++ - Postfix snapshot 1.1.11-20021029 has been released. No patch conflicts.
++
++2002/09/30 == Re-released 0.8.11a ==
++
++2002/09/30
++ - Postfix snapshot 1.1.11-20020928 has been released. No patch conflices.
++
++2002/09/24
++ - Postfix snapshot 1.1.11-20020923 has been released. Adapt patchkit.
++
++2002/09/19 == Re-released 0.8.11a ==
++
++2002/09/18
++ - Postfix snapshot 1.1.11-20020917 has been released. Adapt patchkit.
++
++2002/08/23 == Re-released 0.8.11a ==
++
++2002/08/23
++ - Postfix snapshot 1.1.11-20020822 has been released. Adapt patchkit.
++
++2002/08/20
++ - Postfix snapshot 1.1.11-20020819 has been released with several
++ enhancements and changes. Adapt patchkit (minor issues).
++
++2002/08/12
++ - OpenSSL has experienced several (security critical) updates.
++
++2002/07/26 == Re-released 0.8.11a ==
++
++2002/07/26
++ - On popular demand, a new diff for the snapshot version of Postfix
++ is created: postfix-1.1.11-20020719.
++
++2002/06/18 == Re-released 0.8.11a ==
++
++2002/06/18
++ - On popular demand, a new diff for the snapshot versions of Postfix
++ is created: postfix-1.1.11-20020613.
++
++2002/06/03 == Released 0.8.11a ==
++
++2002/06/03
++ - When compiling with SSL but without SASL, compilation fails due to
++ the modification of state->sasl_mechanism_list that is not part of the
++ "state" structure when SASL is not compiled in.
++ This bug was introduced in version 0.8.11.
++ Bug reported and patch supplied by Bernd Matthes
++ <bernd.matthes at gemplus.com>.
++
++2002/05/29 == Released 0.8.11 ==
++
++2002/05/29
++ - Postfix 1.1.11 is released.
++
++2002/05/25
++ - Fix processing of options after STARTTLS handshaking: AUTH= was not
++ handled, as the "=" was not recognized as for the extension list for
++ the case without TLS. (The TLS case was a copy of an older version
++ of the code not yet containing the "=" and the change in the main
++ code slipped through without noting the difference, hence the option
++ as not added to the TLS part.
++ Found by "Christoph Vogel" <Christoph.Vogel at Corbach.de>.
++
++2002/05/24
++ - Bug reported by "Christoph Vogel" <Christoph.Vogel at Corbach.de>:
++ Client side AUTH does not work, if STARTTLS is used: if a server
++ announces AUTH and STARTTLS, AUTH is being used if TLS is disabled.
++ Once TLS is enabled, AUTH is still offered by the server, but the
++ client does not use it any longer.
++ Reason: when AUTH is offered, not only the SMTP_REATURE_AUTH flag
++ is set in state->features, but also the available mechanisms are
++ remembered in state->sasl_mechanism_list. As AUTH may be offered
++ twice by some hosts (in the correct "AUTH mech" form and the older
++ and deprecated "AUTH=mech" form), a check against processing the
++ line twice is included in smtp_sasl_helo_auth(). This check now
++ prevented the correct processing in the second evaluation of the
++ ESMTP extensions offered after the STARTTLS activation.
++ Solution: reset state->sasl_mechanism_list before processing the
++ extension list just like state->features.
++
++2002/05/15 == Released 0.8.10 ==
++
++2002/05/15
++ - Postfix 1.1.10 has been released. No changes.
++
++2002/05/14 == Released 0.8.9 ==
++
++2002/05/14
++ - Postfix 1.1.9 has been released. Patchkit requires a small adjustment
++ (supplied by Tuomo Soini <tis at foobar.fi>).
++
++2002/05/10 == Released 0.8.8 ==
++
++2002/05/10
++ - OpenSSL 0.9.6d has been released. Release the unchanged patchkit
++ with a new version number and under a new filename to indicate
++ that it should be built against 0.9.6d (it has the session caching
++ failure of 0.9.6c fixed). Update documentation accordingly.
++
++2002/05/05
++ - Postfix 1.1.8 has been released, the patchkit applies cleanly.
++
++2002/04/03 == Re-released 0.8.7 ==
++
++2002/04/03
++ - Postfix 1.1.7 has been released, the patchkit applies cleanly.
++ Re-released the patchkit.
++
++2002/03/29 == Released 0.8.7 ==
++
++2002/03/29
++ - Postfix/TLS did not honor the per-recipient-switching-off in SMTP
++ client mode via tls_per_site (per-host-switching off was honored).
++ Patch by Will Day <wd at hpgx.net>.
++
++2002/03/27 == Released 0.8.6 ==
++
++2002/03/27
++ - Postfix 1.1.6 has been released. Adapted patchkit to resolve minor
++ patch conflict. (Template provided by Simon Matter
++ <simon.matter at ch.sauter-bc.com>)
++
++2002/03/13 == Released 0.8.5 ==
++
++2002/03/13
++ - Postfix 1.1.5 has been released. The patchkit would apply cleanly, but
++ obviously the "lock_fd" change that applies to dict_dbm.c (Wietse)
++ also has to be applied to dict_sdbm.c. Tuomo Soini <tis at foobar.fi>
++ kindly provided this change.
++
++2002/02/25 == Released 0.8.4 ==
++
++2002/02/25
++ - Postfix 1.1.4 became visible. One patch conflict in a Makefile
++ (Carsten Hoeger <choeger at suse.de>).
++
++2002/02/21
++ - Dates in this CHANGES document were showing 2001 even though 2002 already
++ began :-). Fixed. (Marvin Solomon <solomon at conceptshopping.com>)
++
++2002/02/07
++ - Bug in the documentation (setup.html): the main.cf variables for the
++ SMTP server process have to be named smtpd_* instead of smtp_*.
++ Found by Andreas Piesk <a.piesk at gmx.net>.
++
++2002/02/03 == Released 0.8.3 ==
++
++2002/02/03
++ - Patch from Andreas Piesk <a.piesk at gmx.net>: remove some compiler warnings
++ by using explicit type casts in hexdump print statements.
++ - Re-released otherwise unchanged patchkit against Postfix-1.1.3.
++
++2002/01/30 == Released 0.8.2 ==
++
++2002/01/30
++ - Re-released unchanged patchkit against Postfix-1.1.2.
++
++2002/01/24 == Released 0.8.1 ==
++
++2002/01/24
++ - Postfix-1.1.1 has been released. The patchkit needed some small adjustment.
++ - Both Tuomo Soini <tis at foobar.fi> and Carsten Hoeger <choeger at suse.de>
++ helped out with this small adjustment. As a side effect of Carsten's
++ complete pfixtls.diff, which I compared after applying Tuomo's adjustment,
++ I found that pfixtls.c contained several wrong "'" characters: on the
++ german keyboard there is an accent looking like the apostroph but producing
++ a different binary code. Obviously on Carsten's machine the code was
++ changed which became obvious during the comparison.
++ (Conclusion: I wrote the comments affected on my SuSE-Linux PC at home with
++ german keyboard. In my university-office I do have HP-UX workstations
++ with US keyboards.)
++
++2002/01/22 == Released 0.8.0 ==
++
++2002/01/22
++ - Received a comment from Wietse on the mailing list, that it is better
++ to resolve the "standalone" issue by using the already available
++ SMTPD_STAND_ALONE() macro in smtpd. Undid 0.7.16 change and made
++ new change in smtpd.c.
++ - Updated links in the References section of the documentation.
++
++2002/01/21 == Released 0.7.16 ==
++
++2002/01/21
++ - When calling "sendmail -bs" and STARTTLS is enabled, smtpd tries to
++ read the private key and fails due to insufficient permissions (smtpd
++ is run with the privileges of the user). This case is caught since
++ version 0.6.18 of the Postfix/TLS patchkit: STARTTLS is still being
++ offered but a "465 temporary failure" message is issued. Some mailers
++ (read this: PINE) will then refuse to continue. (And an irritating
++ error message indicating the failure to read the key will be logged.)
++ Experienced by "Lucky Green" <shamrock at cypherpunks.to> .
++ - Solution: Disable STARTTLS when running "sendmail -bs" by adding
++ "-o smtpd_use_tls=no -o smtpd_enforce_tls=no" to smtpd's arguments
++ upon startup. Using STARTTLS does not make sense in simulated
++ SMTP mode.
++
++2002/01/18 == Released 0.7.15 ==
++
++2002/01/18
++ - Postfix 1.1.0 has been released. The patchkit for the former snapshot
++ version applied cleanly and now becomes the patchkit for the stable
++ version.
++
++2002/01/16 == Released 0.7.14a ==
++
++2002/01/16
++ - Snapshot-20020115 is released. Adapted patchkit.
++ - Add Postfix/TLS entries into the new conf/postfix-files
++ (Tuomo Soini <tis at s.foobar.fi>, Carsten Hoeger <choeger at suse.de>).
++
++2002/01/14
++ - OpenSSL: a user reported that session caching stopped working for him
++ with OpenSSL 0.9.6c. I found that this is also true for my own
++ Postfix/TLS installation.
++ Solution: server side session caching is broken in OpenSSL 0.9.6c when
++ using non-blocking semantics (Postfix/TLS is affected as it uses
++ BIO-pairs); sessions are simply not added to the cache. This bug
++ is not security relevant. A fix has been applied to the OpenSSL source
++ tree for the next release.
++
++2002/01/08 == Released 0.7.14 ==
++
++2002/01/07
++ - New snapshots released as release candidates. Adapted the patchkit
++ to snapshot-20020107. Moved our production servers from 20010228-pl08
++ to snapshot-20020107 with the adapted patchkit.
++ - Fix documentation: tlsmgr can be run chrooted since a long time.
++
++2001/12/21
++ - OpenSSL 0.9.6c is released. Postfix/TLS is fully compatible.
++
++2001/12/19 == Released 0.7.13e ==
++
++2001/12/19
++ - Adapted patchkit to snapshot-20011217.
++
++2001/12/12 == Released 0.7.13d ==
++
++2001/12/12
++ - Adapted patchkit to snapshot-20011210. Adaption provided by
++ Tuomo Soini <tis at foobar.fi>.
++
++2001/11/28 == Released 0.7.13c ==
++
++2001/11/28
++ - Adapted patchkit to snapshot-20011127.
++
++2001/11/26 == Released 0.7.13b ==
++
++2001/11/26
++ - Adapted patchkit to snapshot-20011125.
++
++2001/11/22 == Released 0.7.13a ==
++
++2001/11/22
++ - Adapted patchkit to snapshot-20011121.
++
++2001/11/15 == Released 0.7.13 ==
++
++2001/11/15
++ - Adapted patchkit to postfix-20010228-pl08 and snapshot-20011115.
++
++2001/11/06 == Re-released 0.7.12 ==
++
++2001/11/06
++ - Snapshot-20011105 released. No patch conflicts, but in order to have
++ the pfixtls-* filename and home page entry reflect the new version,
++ I'll re-release 0.7.12.
++
++2001/11/05 == Released 0.7.12 ==
++
++2001/11/05
++ - Release of Postfix-20010228-pl06 and snapshot-20011104. The snapshot
++ version had some minor patch conflicts to be resolved.
++
++2001/10/14 == Released 0.7.11 ==
++
++2001/10/14
++ - Bug fix (client mode): when the peername is checked against the CommonName
++ in the certificate, the comparison does not correclty ignore the case
++ (the peername as returned by DNS query or set in the transport map
++ is not transformed to lower case). This bug was introduced in 0.7.5.
++
++2001/10/09 == Released 0.7.10 ==
++
++2001/10/09
++ - Snapshot-20011008 is released. Some minor adaptions are required to
++ sort out patch conflicts.
++
++2001/09/28
++ - Received patch from Uwe Ohse <use at ohse.de>: There is a bug in sdbm's
++ handling of the .dir file, that also applies to Postfix/TLS.
++ The problem only appears for large databases.
++ - The example entries in conf/master.cf for the submission and smtps services
++ use "chroot=y" flags, while the Postfix default is "chroot=n". This could
++ lead to hardly explainable problems when users did not note this fact
++ during setup.
++ Fixed example entries to also use "chroot=n" default.
++
++2001/09/18
++ - Wietse releases Postfix-20010228-pl05. The patch applies cleanly with
++ "patch -p1 ...", so it is not necessary to release a new patchkit.
++
++2001/09/04 == Released 0.7.9 ==
++
++2001/09/04
++ - Due to unititialized variable in smtpd_state.c, AUTH may not be offered
++ without TLS even though smtpd_tls_auth_only was not enabled.
++ (Patch from Nick Simicich <njs at scifi.squawk.com>.)
++
++2001/08/29
++ - In the snapshot-20010808 version of 0.7.9, the "tlsmgr" line in the sample
++ conf/master.cf is missing (reported by Will Day <wd at hpgx.net>). Fixed.
++
++2001/08/27 == Released 0.7.8 ==
++
++2001/08/27
++ - Received bugreport about issuer_CN imprints consisting of long strings
++ of nonsense. This only appeard with certificates issued from a certain
++ CA (RSA Data Security Inc., Secure Server Certification Authority).
++ (Will Day <wd at hpgx.net>)
++ - The problem: the issuer data of this certificate is:
++ Issuer
++ C=US
++ O=RSA Data Security, Inc.
++ OU=Secure Server Certification Authority
++ It does not contain a CN (CommonName) field. OpenSSL's
++ X509_NAME_get_text_by_NID() function does not catch this condition
++ (no error flag set), but it also does not set the name in the memory
++ location specified.
++ - Solution:
++ 1. Preset the memory for the string to '\0', so that a string of length
++ 0 is obtained on the failure described above.
++ 2. When no CN data is available, use the O (Organization) field
++ instead. The data are used for logging only (it is the issuer, not
++ the subject name), so this change does not affect functionality.
++
++2001/08/22 == Released 0.7.7 ==
++
++2001/08/22
++ - Found one more bug: erronously called SSL_get_ex_new_index() instead
++ of SSL_SESSION_get_ex_new_index() (note the _SESSION missing). This
++ could be responsible for the failure at the locations found during
++ debugging. Works fine on HP-UX (did also before), must cross check
++ at home...
++
++2001/08/21
++ - Received report, that smtp (client) fails with signal 11 (platform:
++ linux redhat). Cannot reproduce any problem on HP-UX (did run 1
++ week in production before release). But malloc() and stack strategies
++ are different between platforms.
++ - Can reproduce the failure on my Linux PC at home :-(.
++ - Found one bug in new_session_cb(): on successfull external caching,
++ success is reported by a return value of 1. This however must be another
++ bug, as it has nothing to do with the locations of the failure, when
++ analyzing the core dumps/running under debugger.
++ Still getting SIGSEGV...
++
++2001/08/20 == Released 0.7.6 ==
++
++2001/08/20
++ - Following "popular demand" implemented new feature and configuration option
++ "smtpd_tls_auth_only": Only allow authentication using the AUTH protocol,
++ when the TLS encryption layer is active. Default is "no" in order to
++ keep compatiblity to postfix without TLS patch.
++ This option does not distinguish between different AUTH mechanisms.
++
++2001/08/16 == Released 0.7.5 ==
++
++2001/08/15
++ - The new session cache handling is working now at my site for quite some
++ time.
++ - Client side: modified peername matching code, such that wildcard
++ certificates can be used. Matching is done as in HTTP/TLS: only the
++ leftmost part of the hostname may be replaced by a '*'.
++
++2001/08/09
++ - Further debugged the CRYPTO_set_ex_data() functionality.
++ - Unified "external cache write" and "external cache remove" callbacks
++ for client and server side. The "external cache read" functions are not
++ that easy to combine, as the lookup keys are quite different and do not
++ match the fixed interface to the callback function.
++ - Change shutdown behaviour according to SSL_shutdown(). When SSL_shutdown()
++ returns, the shutdown handshake may not be complete, if we were the first
++ party to send the shutdown alert. We must call SSL_shutdown() again,
++ to wait for the peer's alert.
++
++2001/08/08
++ - Postfix snapshot 20010808 is being released.
++
++2001/08/08
++ - Rewrite server side to remove externally cached sessions via callback.
++ - Rewrite client side to remove externally cached sessions via callback.
++ This turns out to be more difficult as expected, as the client side
++ session cache is sorted by hostnames, but the callbacks are called
++ with the SSL_SESSION objects. The information must be stored into the
++ SSL_SESSION objects by using the CRYPTO_set_ex_data() functionality,
++ the documentation of which, ahem, ...
++ - Reloading sessions stays separate, as the functionality is different.
++
++2001/08/07
++ - Started reworking the session cache code.
++ * On the server side the retrieval from the external cache and the writing
++ to the cache are handled by callback functions. The removal is handled
++ directly.
++ * On the client side, all session cache operations are performed explicitly.
++ * The explicit handling is on the client side is bad, as it requires a
++ quite complicated logic to detect session reuse and the appropriate
++ handling.
++ * The explicit handling of session removal on both sides is bad, as
++ the OpenSSL library will remove sessions (on session failure) according
++ to the TLS specifications automatically, so we want to take advantage
++ of this feature and have the externally cached sessions removed as
++ required via callback.
++ - First step: on the client side, also use the new_session_cb(), so that
++ new sessions are automatically saved to the external cache on creation.
++
++2001/08/01
++ - Postfix-20010228-pl04 is being released.
++
++2001/07/11 == Released 0.7.4 ==
++
++2001/07/10
++ - Postfix snapshot 20010709 was released. Resolved some minor patch
++ conflicts.
++
++2001/07/10
++ - OpenSSL 0.9.6b has been released including a security fix for the
++ libraries internal pseudo random number generator.
++ * Note: to exploit the weakness, an attacker must be able to retrieve
++ single random bytes. As in Postfix/TLS random bytes are only used
++ indirectly during the SSL handshake, an attacker could never access
++ the PRNG in the way required to exploit the weakness.
++ * Postfix/TLS is therefore not vulnerable (as are most (all?) applications
++ utilizing the SSL layer).
++ * The OpenSSL team however recommends to upgrade or install the bugfix
++ included in the announcement in any case.
++ * Details can be found at http://www.openssl.org/
++
++2001/05/31 == Released 0.7.3a ==
++
++2001/05/30
++ - Report from <Andre.Konopka at Presse-Data.de>: TLS logging does not work.
++ Reason: parameters are not evaluated in mail_params.c, as the corresponding
++ lines for other_int_defaults[] were missing from the patch. This
++ only affected the 0.7.3-snapshot version, the version for "stable"
++ is correct.
++ I will release 0.7.3a with this fix only for the snapshot version to keep
++ version numbering consistent with the "stable" version.
++
++2001/05/28 == Released 0.7.3 ==
++
++2001/05/28
++ - Upgraded to snapshot-20010425: resolved some minor patch conflicts.
++ No functional changes.
++
++2001/05/16
++ - Received french documentation (doc_french/) contributed by
++ Etienne Roulland <Etienne.Roulland at univ-poitiers.fr>.
++
++2001/05/03 == Released 0.7.2 ==
++
++2001/05/03
++ - Postfix-Snapshot 20010502 is released. Bernhard Rosenkraenzer
++ <bero at redhat.de> supplies an adapted patch for Postfix/TLS, as the
++ normal patch has several rejections because of code changes;
++ functionality has not changed.
++
++2001/05/01
++ - Patchlevel 02 of Postfix 20010228 is being released. The Postfix/TLS
++ patchkit applies cleanly when using the "-p1" switch to patch.
++
++2001/04/09 == Released 0.7.1 ==
++
++2001/04/06
++ - OpenSSL 0.9.6a is released. It contains several bugfixes and will become
++ the recommended version to be used with Postfix/TLS.
++ I will run some more test and then re-release Postfix/TLS (without
++ additional changes to the source) as 0.7.1 to make people aware of the
++ new versions of Postfix and OpenSSL.
++
++2001/04/05
++ - Hint from Bodo Moeller <moeller at cdc.informatik.tu-darmstadt.de>:
++ the "Known Bugs" section in doc/test.html actually contains bugs
++ of clients and/or interoperatbility problems. Better name it
++ "Known interoperability problems" and rename the entries
++ "Postfix/TLS server" and "Postfix/TLS client" to improve clarity.
++
++2001/03/29
++ - Patchlevel 01 of Postfix 20010228 is being released. The Postfix/TLS
++ patchkit applies cleanly when using the "-p1" switch to patch.
++ OpenSSL 0.9.6a will be out within the next handful of days, so I will
++ delay the release of a new patchlevel until then.
++
++2001/03/01 == Released 0.7.0 ==
++ - IMPORTANT: If you are upgrading from a much older version, you will find
++ that some configuration options have changed over time (fingerprints are
++ now handled with ':'. check_relay_ccerts is now permit_tls_clientcerts.
++ Session caching has been reworked.)
++ It is recommended to re-read the sample-tls.cf file or the html version
++ in the documentation.
++
++2001/03/01
++ - Wietse has announced the _release_ version (non-beta) or postfix:
++ 20010228!
++ - Applied the Patchkit to the _release_ version (not the snapshot version).
++ Resolved one minor patch conflict.
++ - So, it's time to call this Postfix/TLS 0.7.0.
++
++2001/02/26 == Released 0.6.38 ==
++
++2001/02/26
++ - Snapshot-20010225 has been released. Resolved one minor patch conflict.
++
++2001/02/23 == Released 0.6.37 ==
++
++2001/02/23
++ - Snapshot-20010222 has been announced as RELEASE CANDIDAT. Resolved one
++ minor patch conflict.
++ - Removed "check_relay_ccerts" restriction which has been replaced
++ by "permit_tls_clientcerts" in 0.6.24. (Was left in until now for
++ transition.)
++ - Do not try to save session data > 8kB, since this cannot be handled
++ by SDBM. (This is more or less academical, since I have never met a
++ session even half that large.)
++
++2001/02/19 == Released 0.6.36 ==
++
++2001/02/05
++ - Snapshot-20010204 has been released. Resolved one minor patch conflict.
++
++2001/02/03 == Released 0.6.35 ==
++
++2001/02/03
++ - Snapshot-20010202 has been released. Resolved one minor patch conflict.
++
++2001/01/29 == Released 0.6.34 ==
++
++2001/01/29
++ - Snapshot-20010128 has been released. Resolved some minor patch conflicts.
++
++2001/01/11 == Released 0.6.33 ==
++
++2001/01/10
++ - Discussion in Thread "When to get peer certificate?" continues and it
++ comes out, that cross references between datastructures are well maintained
++ inside OpenSSL. A fact not well known due to lack of documentation
++ (seems I am facing some more work on the OpenSSL manpages :-).
++ - Moved around data needed for the certificate verification: a lot of
++ "static" entries globally needed inside pfixtls.c could now be moved
++ into the connection specific TLScontext.
++
++2001/01/07 == Released 0.6.32 ==
++
++2001/01/07
++ - Since now the checks at handshake stage (in pfixtls.c) are more strict,
++ some of the checks in smptd.c and smtp_proto.c could be removed.
++ At a later point I can probably move even more checks into pfixtls.c...
++
++2001/01/05
++ - Had a discussion with Ari Pirinen <aripirin at europe.com> on openssl-users
++ (Thread: When to get peer certificate?) about the earliest possible
++ place to check the CommonName of the peer against the expected name.
++ (This is what smtp does when enforcing the peername of the server it
++ is connecting to.)
++ The final result was, that the check can already been done inside the
++ verifiy_callback() routine even before the handshake is completed.
++ The positive side effect is, that since the session is never completly
++ established, it is also not cached on either client or server.
++ - Since this is a good idea, I have extended the verify_callback in
++ src/global/pfixtls.c to check the CommonName of the peer (if applicable)
++ and have the handshake shut down immediatly on failure. I have also
++ changed the behaviour so that whenever a positive certificate verification
++ is required, the handshake is shut down immediatly.
++ (The versions up to now did delay these checks until the session was
++ established and then shut down the connection. I had established this
++ practice while working on BIO-pairs and running into a bug in
++ OpenSSL 0.9.5 (fixed now) and with the verify depth.)
++
++2000/12/23 == Released 0.6.31 ==
++
++2000/12/23
++ - Bug: When only enabling smtpd_tls_wrappermode and not additionally setting
++ smtpd_use_tls or smtpd_enforce_tls, the TLS engine was not fired up on
++ startup of smtpd
++ Fixed: also start TLS engine when only smtpd_tls_wrappermode is enabled.
++ (Experienced by "Fiamingo, Frank" <FiamingF at strsoh.org>)
++
++2000/12/18 == Released 0.6.30 ==
++
++2000/12/18
++ - New snapshot 20001217 has been released. Due to the change of "timeout"
++ parameters now being its own class and table, the old patchkit does not
++ apply cleanly!
++ - Checked out Postfix/TLS parameters being timeout values and put them into
++ the new style time parameter table. This allows to specify time values
++ like 3600s or 1h. Updated sample configuration to reflect this new style.
++ - "Fiamingo, Frank" <FiamingF at strsoh.org> pointed out to me, that there are
++ three parameters in src/global/mail_params.h (namely DEF_TLS_RAND_EXCH_NAME,
++ DEF_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CA_FILE) that are hardcoded as
++ "/etc/postfix/something".
++ This does not match the usual style of postfix, where no paths are
++ hardcoded this way. I have removed the defaults for CERT_FILE and CA_FILE.
++ The RAND_EXCH is needed for good PRNG seeding on systems without
++ /dev/urandom, I however don't know yet, how to rearrange this requirement.
++ I could use the Postfix internal mechanisms to enforce a parameter, but
++ this would annoy people having compiled in TLS but not activated.
++
++2000/12/13 == Released 0.6.29 ==
++
++2000/12/13
++ - Snapshot-20001212 has been released.
++ - Undid bugfixes for 20001210 which now are included in the new snapshot.
++
++2000/12/12 == Released 0.6.28 ==
++
++2000/12/12
++ - Added bugfix provided by Wietse on postfix-users at postfix.org for
++ "postconf -m" behaviour.
++
++2000/12/11
++ - New snapshot-20001210 released. Some patch conflicts occur. Additionally
++ * adjusted calls to myflock() to changed interface,
++ * fixed bug in smtpd_sasl_glue(), where a change to the name_mask()
++ call was not applied in the original snapshot.
++
++2000/12/05 == Released 0.6.27 ==
++
++2000/12/04
++ - Print informational message "SSL session removed" only when
++ var_smtp[d]_loglevel >= 2. (Proposed by Craig Sanders <cas at taz.net.au>.)
++ - Extend logging of "setting up TLS connection from/to" and corresponding
++ success/failure messages so that they include the hostname/ip address.
++ This way it is much easier to automatically analyze errors by simply
++ grepping for e.g. "SSL_accept error" and immediately get the peer
++ causing the problem without further logfile processing.
++ (Proposed by Craig Sanders <cas at taz.net.au>.)
++ - When experiencing a TLS failure due to TLS-enforced failure in client mode
++ (no certificate or hostname/certificate mismatch etc), immediately shut
++ down the TLS mode with "failure" indication, so that the SSL session is
++ removed immediately. This way a new session is always enforced in the
++ case the peer has fixed the problem; no need to wait for the timeout.
++
++2000/11/29 == Released 0.6.26 ==
++
++2000/11/29
++ - Found security relevant bug in the OpenSSL library: the verify_result
++ stating whether or not the certificate verification succeeded is not
++ stored in the session data to be cached and reused.
++ - This bug was found during the development of Postfix/TLS around one
++ year ago, the bug in the library was however only fixed for the server
++ side. At that time I also tested the server side behaviour but ommitted
++ to check the client side, too.
++ - Versions before Postfix/TLS 0.4.4 experienced this problem for both
++ server and client side. Before 0.6.0 a workaround was active for both
++ sides, which has been removed at 0.6.0 in the believe that the bug
++ was gone (I only tested the server side, which was fixed).
++ - Fixed that bug in OpenSSL also for the client side (I can do this myelf
++ now that I have been invited to join the OpenSSL developers team :-).
++ The fix is availabe as of today and will be part of the 0.9.7 release
++ of OpenSSL (or 0.9.6a, if this release will be published).
++ - Included a workaround inside Postfix/TLS for OpenSSL library versions
++ before 0.9.6a or 0.9.7, respectively.
++
++********************** Begin Description
++
++ - By not caching the verify_result for the client side, the following
++ behaviour could appear:
++ * The problem can only appear when smtp_tls_session_cache_database
++ is activated.
++ * smtp_use_tls = yes
++ X On the first connection, the certificate fails verification, failure
++ is logged:
++ smtp[*]: Unverified: subject_CN=serv01.aet.tu-cottbus.de, issuer_CN=BTU-CA
++ For any following connections until the session times out (default 1 hour),
++ the peer certificate seems to pass verification:
++ smtp[*]: Verified: subject_CN=serv01.aet.tu-cottbus.de, issuer_CN=BTU-CA
++ X Security Impact:
++ Unverified certificates are logged as if verification had succeeded.
++ * smtp_enforce_tls = yes
++ X After the verification failure, the session is never correctly established
++ and hence not reused.
++ X Security impact:
++ None, as the session is never reused.
++ * smtp_enforce_tls = yes after smtp_tls_enforce_tls = yes for a server.
++ X If the session has been recorded with use_tls and then for this server
++ enforce_tls is set, the wrong verify_result could be used within the
++ session cache timeout (default = 1 hour).
++ X Security impact:
++ If TLS shall be enforced for a recipient, there is a window of approx.
++ one hour from setting the "enforce_tls" switch until a verification
++ failure is noted. For this to happen, a TLS session to that server must
++ have been used with use_tls set and the not-verifiable certificate must
++ have been recorded in that session.
++ - Evaluation:
++ Even though this _is_ a security problem, I consider risk to be *low*,
++ given the conditions under which the problem might occur.
++
++********************** End Description
++
++2000/11/27 == Released 0.6.25 ==
++
++2000/11/26
++ - Added "permit_tls_all_clientcerts" for smtpd_recipient_restrictions.
++ When this option is enabled, any valid client certificate allows relaying.
++ This can be practical, if e.g. a company has a special CA to create
++ these certificates and only this CA is "trusted". It however does not
++ allow finer control, so if e.g. an employee leaves, he could still
++ relay. Postfix/TLS does not (yet) allow CRL (certificate revocation lists).
++ (Added on popular demand.)
++ - Make the client behaviour more configurabe: when enforcing TLS connections,
++ the peer's name is checked against the CommonName in its certificate.
++ New configuration variable "smtp_tls_enforce_peername" (default=yes)
++ can now be used to accept peername!=CommonName. The server's certificate
++ must still pass the verifcation process against a trusted CA!
++ In tls_per_site, the according key is MUST_NOPEERMATCH.
++ (Added on demand.)
++
++2000/11/24
++ - If the server requires a client certificate and no certificate is presented
++ or the certificate fails verification, the connection is shut down but
++ no information is logged.
++ -> add according msg_info() in smtpd/smtpd.c:startls_cmd().
++ - If TLS is not enforced, it does not make sense for a server to require a
++ client certificate. If no STARTTLS is issued, the SMTP would continue
++ anyway, so why shut down when TLS is activated without verifyable client
++ certificate?
++ -> ignore smtpd_tls_req_ccert=yes, if TLS is not enforced and only treat
++ like smtpd_tls_ask_ccert = yes with an according information logged.
++
++2000/11/22 == Released 0.6.24 ==
++
++2000/11/22
++ - Installed on my own servers and changed configuration to use the new
++ "permit_tls_clientcerts" option name. Patchkit will be released after
++ some hours of successfull operation.
++
++2000/11/21
++ - New snapshot-20001121 is being released. The patch applies without any
++ conflict when applied with "patch -p1", so no need to rush out an updated
++ patchkit.
++ - Rename the smtpd_recipient_restrictions option from "check_relay_ccerts"
++ to "permit_tls_clientcerts" to better match the naming scheme.
++ Leave in the old option for now to not break existing configurations.
++ The final incompatible removing is scheduled of release 0.7.0 of the
++ patchkit which will be matching the next "stable" release of postfix.
++ - There is no manual page for tlsmgr.8 (pointed out by Terje Elde
++ <terje at thinksec.com>).
++ Fix the comments at the beginning of tlsmgr.c and create tlsmgr.8.
++ - In the session cache code an additional 20 bytes were allocated when
++ converting SSL_SESSION data to binary using i2d_SSL_SESSION().
++ In adding these 20 bytes to the size listed by i2d_SSL_SESSION() I followed
++ the example in the OpenSSL source (PEM_ASN1_write()). These 20 bytes are
++ only added since when writing the PEM, a 20 byte checksum is added, so
++ we don't need it in our case -> removed.
++ (Researched after Carlos Vicente <cvicente at mat.upc.es> asked what these
++ 20 bytes are good for :-)
++
++2000/10/30 == Re-Released 0.6.23 ==
++
++2000/10/30
++ - Postfix snapshot-20001030 with an important bug fix is made available.
++ The patchkit applies without any problem (patch -p1).
++ Hence, I re-release the 0.66.23 release for the new snapshot.
++
++2000/10/30 == Released 0.6.23 ==
++
++2000/10/30
++ - New Postfix snapshot 20001029 available with some important bug fix.
++ Adjusted patchkit (only minor conflicts).
++
++2000/10/27
++ - The CN_sanitize function (src/smtpd/smtpd.c) that shall make sure that
++ no illegal sign is included into the Received: header does not work
++ on systems were "char" is unsigned by default.
++ (Linux on s390, found by Carsten Hoeger <choeger at suse.de>)
++ -> Worked out a more precise (even though not looking elegant) solution
++ that checks out all acceptable characters.
++ - Sent new smptd.c to Carsten Hoeger for testing, will wait with new
++ Postfix/TLS release.
++
++2000/10/06 == Released 0.6.22 ==
++
++2000/10/06
++ - snapshot-20001005 has been released, featuring fast ETRN. Only some minor
++ patch conflicts needed to be resolved.
++
++2000/09/28 == Released 0.6.21 ==
++
++2000/09/28
++ - snapshot-20000924 seems to be somewhat longer lasting. I have been asked
++ for a new Postfix/TLS release against snapshot-20000924, hence I will
++ create one.
++ - Running OpenSSL 0.9.6 for a week now to my full satisfaction. I will bump
++ bump up the Postfix/TLS version counting to include "0.9.6", even though
++ it will still run fine with 0.9.5a.
++
++2000/09/25/
++ - snapshot-20000924 is available; only small adjustments.
++ - Wietse seems to release new snaphots on a daily basis, it doesn't make
++ sense to follow with a new Postfix/TLS release every day.
++
++2000/09/23 == Released 0.6.20 ==
++
++2000/09/23
++ - Recompile OpenSSL-0.9.6-beta3 with the change and reinstall old pfixtls.c:
++ works again. Hence, all versions of Postfix/TLS working against 0.9.5a
++ will also work again 0.9.6-final, which shall be released on 2000/09/24!
++ - Wietse releases snapshot-20000923, patchkit adapted.
++ - Went through the "install.html" document to add a remark about
++ OpenSSL-0.9.6. This document is of historic quality but did not fit
++ actual versions of Postfix/TLS, we are far beyond OpenSSL 0.9.2: Updated.
++
++2000/09/22
++ - Wietse releases snapshot-20000922. The source directory hierarchie has
++ changed, so the patch needs to be adjusted at several places.
++ - Run tests against OpenSSL 0.9.6-beta3: problems occur!
++ * Certificates are no longer verified, since an informationa flag about the
++ CA certificate search process is written into the error storage and
++ thus misinterpreted as verification failure.
++ * Changed Postfix/TLS source to maintain its own error storage based on
++ the verify_callback, send out according warning to Postfix/TLS mailing
++ list.
++ * Unfortunately, this will break all older versions of Postfix/TLS.
++ Sent out analysis to OpenSSL-bugs at openssl.org.
++ * Additional change is made to OpenSSL: the new behaviour is only activated
++ when a special flag is set, so compatibility is restored!
++
++2000/09/21
++ - Wietse releases snapshot-20000921. Some minor patch conflicts resolved.
++
++2000/09/14 == Released 0.6.19 ==
++
++2000/09/14
++ - Received a bug report: Postfix/TLS will accept a mail even though
++ smtpd_req_ccert=yes (require use of client certificate) and no
++ client certificate is presented.
++ Reason: when no client certificate is presented SSL_get_verify_result()
++ will return X509_V_OK, since this is the default value.
++ Solution: only set "peer_verified" internal information, if the
++ verify_result is X509_V_OK _and_ a peer certificate is available.
++ Remark: This default value does not make too much sense. I will file
++ a bug report/patch before the next release of OpenSSL...
++
++2000/09/03 == Released 0.6.18 ==
++
++2000/09/03
++ - When calling "sendmail -bs", smtpd is started without root privileges,
++ hence it cannot open the private key file and the session cache database.
++ Since the database routines do not offer a graceful return (only fatal
++ and abort), this leads to a failure when TLS and session caching is
++ activated.
++ This affects PINE users (noted by Craig Sanders <cas at taz.net.au>).
++ Solution: Try to read the private key first; if that fails, we can
++ gracefully recover and won't touch the session cache database at all.
++ - When STARTTLS is configured for smtpd but does not work (e.g. because of
++ unaccessible keys), smtpd answers with "465 TLS not available due to
++ temporary reasons". After that the connection was closed, this is however
++ not necessary, as the client may decide to continue without TLS activated.
++ - Craig Sanders <cas at taz.net.au> contributes a script to automatically
++ generate the keys and certificates for Postfix/TLS usage. Added
++ "make-postfix-cert.sh" to the contributed/ directory.
++
++2000/09/02 == Released 0.6.17 ==
++
++2000/09/02
++ - Craig Sanders <cas at taz.net.au> reports that he has connection problems
++ with a site; the message in the log is:
++ SSL_connect error 0
++ 8847:error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message:s3_pkt.c:956:SSL alert number 10:
++ * This is the error caused by the faulty TLS implementation with
++ CommunigatePro. The bug is fixed in later versions of CommunigatePro,
++ The site shall be contacted, they should update.
++ - More important, he reports a segmentation fault immediately after this
++ problem.
++ - Bug: when not using session caching and an error occurs during the TLS
++ handshake, pfixtls_start_clienttls() tried to remove the erronous
++ session from a non-existant session cache.
++ Fix: check the existence of the session cache before trying to access it.
++ Comment: at all other places in the code this condition was already
++ caught.
++ - Remark: actually session caching was configured, but the configuration
++ variable was mistyped because...
++ it was wrong in conf/sample-tls.cf and doc/conf.html.
++ The correct values are "smtp[d]_tls_session_cache_database" instead of
++ "smtp[d]_tls_use_session_cache_database".
++ Unfortunately this is not flagged by Postfix...
++
++2000/08/25 == Released 0.6.16 ==
++
++2000/08/25
++ - Make sure, that the smtp[d] processes will try to access the "daemon"
++ entropy sources, but will only print an info when not available. Using
++ the PRNG-exchange file, they can happily run without.
++ - Moved HAS_SSL checks, such that the package compiles also when configured
++ without -DHAS_SSL.
++
++2000/08/24
++ - Changed the handling of the PRNG-exchange file. Until now it was written
++ by tlsmgr and read by the smtp[d] daemons. This had the disadvantage, that
++ until tlsmgr rewrote new bytes to the file, all starting daemons read the
++ same seed (to which some more bits, but not too much were added).
++ - Now the file is handled in read->stir into pool->write back mode, so that
++ every daemon will add its own entropy bits.
++ - The smtp[d] processes will do so when starting, when opening a TLS
++ connection and when closing.
++ - The tlsmgr will also read back the file and add it to its pool, so that
++ no entropy is lost.
++ - This change significantly increases the "self seeding" capability of
++ the TLS service.
++
++2000/08/09
++ - Cleaned up the new PRNG-seeding.
++ - When tlsmgr looses connection to an EGD-source (because it was restarted),
++ tlsmgr performes an exit(0), so that a newly started tlsmgr can reconnect.
++ [chroot/dropped privileges].
++
++2000/08/04
++ - Introduced new entropy sources for single daemons:
++ * tls_daemon_random_source
++ Using this source (same style as for tlsmgr), each starting daemon can
++ obtain additional entropy (32 bytes by default). The PRNG-exchange file
++ is still read.
++ - I am not sure about the policy for this feature. If such a source is
++ given, should a failure be considered fatal?
++
++2000/07/23
++ - Started reworking the PRNG seeding:
++ * tlsmgr now recognizes tls_random_source as
++ dev:/dev/urandom /* Direct read from device file */
++ egd:/path/to/socket /* Connection via EGD-socket */
++ /path/of/plain-file
++ * If a dev: or egd: is given, tlsmgr will connect and keep the connection
++ open, so that it now can run in chroot-mode with dropped privileges.
++ - Since EGD can be drained, but the connection is permanently open, only
++ suck a small number of bytes (default 32) at a time, but do it more
++ often.
++
++2000/08/09 == Released 0.6.15 ==
++
++2000/08/09
++ - Traced through OpenSSL to learn more about the verify_callback-feature.
++ The callback is called several times. When it returns "1", the handshake
++ will continue, when it calls "0", the handshake will immediately fail
++ (and Postfix/TLS will also close the TCP connection).
++ - Following the sample in the OpenSSL-apps, the verification chain depth
++ was the only property triggering this effect, so this stood hidden until
++ now. Obviously, users having longer chains did set the verifcation
++ depth accordingly or they gave up, since this was never reported...
++ - Changed the behaviour of verify_callback() to never return "0", such that
++ we can deal with the verification result later in a more consistent manner.
++ If we only enable and not enforce, we simply want to ignore problems with
++ the certificate.
++ - verify_callback() did not print out all information, since the wrong
++ state variables (pfixtls_*active instead of pfixtls_*engine) were
++ checked. The *active state variables are only set later.
++ As the verify process now became rather narrative, the normal logging
++ is only done in loglevel 2!
++ - Arrrghhh. The conf/sample-tls.cf _and_ the html-docu (which is actually
++ copied from conf/sample-tls.cf) has wrong names for the verification-
++ depth parameters. *_vd instead of *_verifydepth and ccert<->scert.
++ [Wondering, why this never popped up before...]
++ - Changed the default-verifydepth to "5" which should suffice for most
++ cases. Maybe the limit could also be completely removed, but we should
++ at least receive a warning hint when something goes wild.
++ Since OpenSSL>=0.9.5 is required for Postfix/TLS anyway, certificate chain
++ verification can now be used, so the caution applied before is no longer
++ necessary.
++
++2000/08/08
++ - Tracked down the double-free() call in smtp with Efence. SSL_free()
++ does call SSL_SESSION_free() on the negotiated session. Hence, I must
++ not call SSL_SESSION_free() on the session in question, it will be
++ removed anyway.
++ - Also tracked down the certificate chain feature. Reason is the
++ verify_callback() in global/pfixtls.c. It flags a chain depth that
++ is too long as fatal, hence the connection is immediately closed.
++
++2000/08/04
++ - Received information from Alain Thivillon <Alain.Thivillon at hsc.fr>:
++ FreeBSD-CURRENT offers malloc() with additional checks enabled.
++ After successfully delivering, smtp dumps core with free() called
++ twice in TLS mode.
++ - I noted, that there is a communication problem with his site an my new
++ certificate issued by the universities computer center (which has a chain
++ depth of 2). Step back to the old self certificate for the time being.
++
++2000/07/27 == Released 0.6.14 ==
++
++2000/07/27
++ - Introduced new configuration parameter "smtpd_tls_wrappermode" that
++ enables the (deprecated) old style SSL-wrapping around SMTP. It could
++ be run on a different port (once smtps=465) was recommended for this
++ services.
++ This method is used by old versions of Outlook (Express), the Mac versions
++ and even actual versions, when not run on port 25.
++ [Actually it was only a handful of lines, so it doesn't hurt too much,
++ even though it does not follow any RFC.]
++ - I recommend using this option only from master.cf. Example lines added
++ to conf/master.cf and description added to Postfix/TLS-doc/conf.html.
++ - When having SASL enabled and TLS-enforce mode in "smtpd", only offer
++ AUTH, when TLS has been activated. Otherwise the client might simply
++ send the unencrypted credentials before it receives
++ 530 Must issue a STARTTLS command first
++ and an eavesdropper already has what he was looking for.
++
++2000/07/19 == Released 0.6.13 ==
++
++2000/07/19
++ - Changed the library-initializaton call to new naming scheme
++ (SSLeay_add_ssl_algorithms() to OpenSSL_add_ssl_algorithms() :-).
++ - Updated documentation to reflect the use of chain certificates with
++ CAfile and smtp[d]_tls_cert_file (see 2000/07/06).
++ - Documentation: the interoperability problem with CommunigatePro has been
++ solved: CommunigatePro violated the TLS-RFC and has been fixed.
++ - Typo: It is "to stir" not "to stirl" :-)
++
++2000/07/06
++ - Received certificate for our site from our computer center. It's a chain
++ certificate. Now load the cert with SSL_CTX_use_certificate_chain_file(),
++ in order to better load the chain CA certificates.
++
++2000/07/04
++ - Reported Wietse about a possible problem in the SASL code, a relay check
++ may also be performed if sasl was not enabled and might lead to unwanted
++ relay.
++ As the fix is in my own codebase, I will leave it Postfix/TLS until a
++ new snapshot (or final release) is available.
++
++2000/06/02 == Released 0.6.12 ==
++
++2000/06/02
++ - Adapted to Snapshot-20000531 (minor patch conflict).
++ - Cleaned up some old header file dependencies in global/pfixtls.c and
++ global/Makefile.in that are no longer needed due to the interface changes
++ (timed_read()/write()) in 0.6.7.
++
++2000/05/29 == Released 0.6.11 ==
++
++2000/05/29
++ - Following Bodo Moeller's analysis, the error is due to a mismatch between
++ the CA certificate accessible in the smtp[d]_tls_CAfile and the one used
++ in the actual certificate (smtp[d]_tls_cert_file).
++ Daniel Miller fixed his setup and the problem is gone.
++ - Introduced a workaround into Postfix/TLS: if the padding error is found,
++ it is removed from the error-queue by Postfix/TLS, in order to protect
++ more sites from experiencing this problem.
++ - Added a warning to conf/sample-tls.cf
++ - Updated to the latest snapshot-20000528.
++
++2000/05/27
++ - After some fiddling around working through the binary certificate data to
++ see where it is modified at 0.6.10, I actually note, that both 0.6.9 and
++ 0.6.10 choke on the data. Now going back up through the functions very
++ fast reveals the problem:
++ * The certificate supplied triggers the "RSA-padding" error in any case.
++ Since the certificate authencity is not enforced on OpenSSL-library level
++ but inside postfix later, the error is not enforced.
++ The error messages generated stay however in the error queue.
++ - For blocking sockets, the SSL_accept()/connect() calls return
++ "success", so the error-queue is never checked.
++ - With BIO-pairs, the error queue is checked to find out, whether the
++ function has just to be called again to continue the handshake, so
++ the error messages are found and the connection is shut down due to
++ the error condition.
++ - Submitted bug report to Bodo Moeller. Bug fix is checked into the OpenSSL
++ CVS archive: if the error is ignored during the handshake, clear the
++ error-queue.
++ * The next release of OpenSSL will behave consistently.
++ - This leaves open the question, why the RSA-padding error is issued in the
++ first place. Sent a query to the OpenSSL-* mailing lists.
++
++2000/05/26
++ - A second site experiencing this problem pops up.
++ -> Issued a warning to the postfix_tls mailing list.
++
++2000/05/24
++ - Contacted Damien Miller <djm at mindrot.org>. He did not change his TLS setup
++ in the last time. He is running Postfix/TLS-0.6.6.
++ - Contacted Bodo Moeller <moeller at cdc.informatik.tu-darmstadt.de>, the author
++ of the BIO-pair part of OpenSSL for some debugging hints. Received several
++ worthful remarks on what to look for.
++ - Checked byte-for-byte the data fed into the OpenSSL-library. It does not
++ differ between 0.6.9 and 0.6.10, so my handling seems to be actually
++ correct.
++
++2000/05/23
++ - A communication error occurs when talking to mail.mindrot.org:
++ SSL_accept error -1
++ 10264:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
++ 10264:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:396:
++ 10264:error:0D079006:asn1 encoding routines:ASN1_verify:bad get asn1 object call:a_verify.c:109:
++ - The error occurs both in client and server mode. 0.6.9 does not show
++ this problem.
++ - Tried to connect with several other sites, all connections are fine,
++ this includes sendmail and qmail peers; hence decided to not recall 0.6.10.
++
++2000/05/23 == Released 0.6.10 ==
++
++2000/05/23
++ - Sent a note to openssl-dev at openssl.org about the behaviour of SSL_free()
++ and BIO_free(), hoping for some clarification whether my way of doing
++ it is the recommended way.
++ - Run the software in production mode on my own servers...
++ - Finished writing the in-source documentation.
++ - Updated sample-tls.cf and sample-smtp[d].cf to reflect the new timeout
++ parameters.
++
++2000/05/21
++ - Removed error messages produced by the now non-blocking behaviour of the
++ TLS layer [apps_ssl_info_callback()].
++
++2000/05/20
++ - Took results home and tried to run it on my Linux-box: SEGV after
++ successfully handling the SMTP session!!
++ * It seems that the SSL_free() and BIO_free() functions interact.
++ SSL_free() releases the underlying BIO and it will bomb out when
++ it is then explicitely BIO_free()'ed again and vice versa.
++ * It did not bomb out on HP-UX, but such things happen. I however want to
++ know, why the example program does not fail...
++ * With respect to the bevaviour as is, SSL_free(TLScontext->con);
++ BIO_free(TLScontext->network_bio) and not touching
++ TLScontext->internal_bio works.
++ - Introduced special timeout values for the TLS negotiation stage, as the
++ timeout values may change with protocol state (suggested by Wietse).
++ - Started writing a full description of the BIO-pair concept and its
++ special treatment into the pfixtls.c sourcecode.
++
++2000/05/19
++ - Systematicly implemented a generalized layer handling:
++ * do_tls_operation() is the generic handler for all SSL_*() input/output
++ functions. It deals with the non-blocking behaviour of this functions,
++ requiring appropriate retrys.
++ * network_biopair_interop() handles the interaction between the socket/fd
++ and the buffering BIO-pair.
++
++2000/05/18
++ - Based on the example in openssl-0.9.5a/ssl/ssltest.c realized the first
++ usage of BIO-pairs. (Can do server handshaking.)
++ - Learned, that the BIO-pair has its own buffering that needs its own
++ flushing. It is not enough to relay on the SSL_ERROR_WANT_READ/WRITE
++ state information.
++
++2000/05/17 == Released 0.6.9 ==
++ - Important: the seperator in the relay-fingerprints is now ':'!!!
++ Don't forget to change your relay_clientcerts databases.
++
++2000/05/16
++ - Changed pfixtls.c to only use the interface described in util/vstream.c
++ for handling the VSTREAM.
++ * Added vstream_context() macro to the VSTREAM-interface.
++ - Introduce TLScontext to identify the connection instead of the file
++ descriptor. Move all static data (SSL structure and information gathered
++ about the connection) into the context.
++ The TLScontext is allocated on TLS-start for a connection and saved with
++ the VSTREAM, so several streams can be used at the same time.
++ - Removed "pfixtls_setfd()" as it is no longer needed.
++ - Changed the relay_clientcerts list from string_list_* to maps_* interface
++ to allow usage of ":" in the list.
++ THIS IS AN INCOMPATIBLE CHANGE!!!!
++ - Updated documentation accordingly.
++
++2000/05/12 == Re-released 0.6.8 ==
++
++2000/05/12
++ - Wietse announces snapshot-20000511 with an important bugfix.
++ - Since upgrading from 20000507 to 20000511 is highly recommended,
++ Postfix/TLS 0.6.8 is re-released for this snapshot (the patch applied
++ cleanly, just the name of the toplevel directory has changed).
++
++2000/05/11 == Released 0.6.8 ==
++
++2000/05/11
++ - Unlike expected I found some time to install the latest cyrus-sasl-1.5.21
++ and test some parts the integration. It does, well, work as advertised
++ (and the advertisement in SASL_README is not too optimistic).
++ - When checking all of the rejected patch-snippets for 0.6.6->0.6.7
++ I missed the parameter "smtpd_enforce_tls" (noted since I wanted to
++ enforce TLS encryption while playing around with plaintext passwords)
++ in the static CONFIG_BOOL_TABLE bool_table[] = {..} in smtpd/smtpd.c
++ -> I will immediately release a corrected version 0.6.8.
++
++2000/05/11 == Released 0.6.7 ==
++
++2000/05/11
++ - The latest sendmail.8.11.0.Beta1 includes STARTTLS support; it is available
++ in source code and also uses OpenSSL.
++
++2000/05/10
++ - After having it running at home (Linux) I also install it at work for
++ the field test.
++ - No time to install the SASL kit, so this part stays untested as of now.
++
++2000/05/09
++ - Downloaded snaphot and apply the patchkit.
++ - Straightened out the rejected parts of the patch.
++ - Due to the new layering with timed_read() and timed_write() functions
++ the integration of the TLS layer needed special adjustment.
++ * When TLS is active, the timed_read() and timed_write() functions are
++ replaced by the corresponding pfixtls_timed_read() and
++ pfixtls_timed_write() functions. When the TLS functionality is stopped,
++ the old functions are restored.
++ * The names of the pfixtls_timed_*() functions are looking into the future,
++ because they are working as before, the timeout functionality is not
++ in, yet.
++
++2000/05/08
++ - Wietse announces snapshot-20000507 with a lot of changes. Especially
++ important: the I/O handling of the smtp-stream has been changed to
++ a more layered technique that allows easier integration of the TLS layer.
++
++2000/04/27 == Released 0.6.6 ==
++
++2000/04/27
++ - Fixed inconsistency between documentation and actual behaviour: peer
++ certificate information was not logged at level 1 (found by
++ Damien Miller <djm at mindrot.org>).
++ * While at it: the logged information did not say whether the certificate
++ data logged passed verification or not: fixed. (The information logged
++ in the Received: header already contained that information.)
++ - Backported dict_dbm.c from snapshot-20000309 with the updated
++ dict_delete() behaviour (key not found is not considered fatal).
++ Maintained dict_sdbm.c accordingly.
++
++2000/04/18 == Released 0.6.5 ==
++ - Important:
++ * New session cache mechanism SDBM. Please adapt your main.cf and delete
++ any old ".db" session cache files manually.
++
++2000/04/18
++ - I am using the SDBM session cache for a week right now and did not have
++ any trouble, so I think its worth pushing it out.
++ - I am not completely happy with the dict_del() behaviour of considering
++ a not-found key fatal. It might happen when the smtp[d] processes would
++ be allowed to delete themselves. They are not as of now, so I accept it
++ for now but will reconsider it.
++ - Updated documentation accordingly.
++
++2000/04/17
++ - Received corrections for the HTML-docs from Ralf Hildebrandt
++ <R.Hildebrandt at tu-bs.de>.
++
++2000/04/11
++ - Transfered SDBM from home (Linux-testbed :-) to work [found and fixed some
++ small items when compiling on HP-UX]. Started running it under
++ "real life" conditions.
++
++2000/04/07
++ - Implemented "SDBM" Simple Database Management routines as also utilized in
++ ModSSL. Of course, it requires reopening of the databases, so the
++ routines are changed, that the _file_descriptors_ are left open, but
++ the _in_memory_ database stuff (especially the cached data) is closed
++ and reopened on access. This is what is really needed. The pagesize
++ is increased from standard DBM compatibility to hold the session
++ information.
++ Additionally, this software is in the public domain, so no additional
++ license problems arise.
++ - The access goes through the dict_* interface, hence the locking is
++ performed by myflock().
++
++2000/04/01 == Released 0.6.4 ==
++
++2000/04/01
++ - Updated to the new patchlevel of Postfix (19991231-pl06), some parts of
++ the patch were rejected due to changes in smtpd.
++ - Changed patch name with respect of today's release of OpenSSL-0.9.5a.
++ The code remained unchanged.
++
++2000/03/25-31
++ - The cached informations are not deleted by "tlsmgr" even though stored
++ and retrieved by the smtp[d] processess. Strange.
++ - Spend some large amount of time digging through the Berkeley DB
++ documentation and code.
++ * It claims that Berkeley DB is multi-process capable. Caveat: it takes
++ the very complicated "transaction model", that I did not use until now.
++ Hence the session cache does not work as is.
++ * Even with transaction model, Berkeley DB requires re-opening of the
++ databases to get rid of cached information. F*ck.
++ - Finally, I give up on Berkeley DB for session caching. It will never
++ work for us. Even if it would, it requires a large amount of helper files
++ and it seems, that the transaction environment is somewhat fragile when it
++ comes to some problem. I won't rely on it.
++
++2000/03/28 == Released 0.6.3 ==
++
++2000/03/28
++ - As has been pointed out to me, the TLS information in the Received:
++ header is not conform to RFC822.
++ - The TLS protocol and peer CN information is now included in '()', so
++ that it is a comment.
++
++2000/03/21 == Released 0.6.2 ==
++
++2000/03/21
++ - I have been running DB based session caching with the changes for some
++ more time now without problems. Am I really confident? No, not really.
++ I remember the trouble I had with Berkeley DB and sendmail on HP-UX.
++ I don't think I really trust it.
++ - Realized single "smtp_tls_per_site" lookup. I cannot use the more or
++ less comfortable "domain_list" lookups as before, since these do not
++ return the value, just found or not :-(.
++ Hence the lookup is realized with maps and exact lookup. I never tried
++ regexp. But if I understand the docs correctly, it should be possible to
++ use it here to realize wildcard lookups, if it would not have been
++ disabled :-(.
++ - Summary:
++ * Session Cache will be cleaned at "postfix reload" or "postfix start"
++ * New table "smtp_tls_per_site"
++ * Gone: "smtp_tls_[use/enforce]_[recipients/sites]"
++
++
++2000/03/16
++ - Changed pfixtls.c, so that it will only open Session Cache databases,
++ that are already available. tlsmgr is responsible for creation.
++ - Change tlsmgr.c, such that session cache databases will be removed before
++ opening, so that fresh databases are used whenever postfix is restarted.
++ This means, that session information is not kept over a postfix stop/start
++ or reload sequence, but it also means, that issuing a postfix reload will
++ clean the session cache.
++ I don't use simple dict_open with O_TRUNC, because this would not help
++ against database files, that are locked by hanging smtp[d] processes.
++ If you think it will also solve the "hang" problem described for
++ 2000/03/15: in a certain sense it can, since tlsmgr will be killed by
++ the watchdog and new, fresh cache files are installed, but that is not
++ more than an ugly hack. It must be solved in a clean manner.
++
++2000/03/15
++ - Experienced some strange problem with Berkeley DB based session cache.
++ The DB routines hang while trying to delete an entry. I did save the
++ corresponding "hash:" file and could reproduce it (and walk through
++ the endless loop with a debugger), but I didn't find the reason why.
++ Since during "db->del" the database is exclusively locked all other
++ processes hang however, so this is really bad!!!!!!!!
++
++2000/03/12 == Released 0.6.1 ==
++
++2000/03/12
++ - Created tls_info_t structure to hold all information about the active
++ TLS connection. Remove all global variables except those for the
++ running client/server engines (those might be replaced with global
++ variables in smtpd/smtp, though).
++ - Added field "dNSName" to the structure (still unused). This will be
++ used with X503v3 extensions.
++ - Cleaned up TODO, since some items are now done...
++
++2000/03/11
++ - Added missing #include <sys/time.h> to tlsmgr.c. (Worked without on HP-UX,
++ showed up on Linux.)
++ - Bug: removal of server side sessions from the cache in case of trouble
++ failed, because uppercase hex was used instead of lowercase for the key.
++ This does not affect removal of expired sessions by tlsmgr.
++ - Stepped up to postfix-19991231-pl05.
++
++2000/03/09 == Released 0.6.0 ==
++ - Important:
++ * This release features an additional daemon, the "tlsmgr", please update
++ your master.cf accordingly.
++ * This release does not use the /var/spool/postfix/TLS* directories
++ anymore. Remove them and re-install the original postfix-script.
++ * Check the new/changed configuration parameters tls_random* and
++ smtp[d]_tls_session_cache*.
++ * This release will only work with OpenSSL >= 0.9.5!!!!!
++
++2000/03/09
++ - Testcompilation of Postfix/TLS without -DSSL and the OpenSSL includes and
++ libraries passed.
++ - Worked through tlsmgr.c to remove unneeded header files.
++ - Wrote documentation for tlsmgr.c.
++ - Updated documentation on top of pfixtls.c.
++ - Put (char *) casts into the myfree() calls, where necessary, to make the
++ HP compiler happy.
++ - Updated html PRNG documentation in Postfix/TLS.
++
++2000/03/08
++ - Finished first version of "tlsmgr". Does run through session cache
++ databases and detects and deletes (*) old sessions.
++ * Had to realize SYNC_UPDATES for the dict_db_delete() function and patch
++ the flag handling within the function. Changes sent to Wietse.
++ - Restored qmgr to its original state.
++ - Extended pfixtls.c to need an additional "needs_095_or_later()" function
++ when compiled with an older version of postfix.
++ - The session cache is now enabled, when a database filename is given.
++ smtp[d]_tls_use_session_cache configuration parameters removed,
++ updated documenation accordingly.
++ - Moved the PRNG handling to tlsmgr, applying the new model. tlsmgr will
++ query external sources at startup and will then feed a PRNG exchange
++ file with random data in intervals of configurable (but random driven)
++ length.
++ If running outside chroot, tlsmgr can query the entropy source (e.g.
++ EGD or /dev/urandom) again and so increase entropy with time. If the
++ entropy sources don't limit access, the tlsmgr can run with "postfix"
++ privileges. Mine does.
++ -> master.cf became a new entry.
++ - tlsmgr is realized as a trigger server and has the "fifo" entry. Actually,
++ it does not take any input. One could utilize it to feed back some entropy
++ from running smtp[d] processes, but I think this would overload the
++ issue.
++ - I will release a 0.6.0 pre-version as is. tlsmgr still lacks the detailed
++ information in the header and the interface description in pfixtls.c
++ probably is also not longer up do date.
++
++2000/03/07
++ - Since defective session data can cause SEGFAULTs, it is now armored
++ by a leading structure that does contain a session cache version and
++ the postfix library version before the timestamp. If a session does
++ not match exactly the version numbers, it is immediately discarded
++ and deleted to avoid harm.
++ - Removed the seperate storage of the peer's certificate verify_result,
++ so starting from this moment, Postfix/TLS will only work safely with
++ OpenSSL >= 0.9.5!!!
++ - Ported server side session cache routines to the client side; works.
++ - Analyzed structure of "qmgr" to understand consequences for the planned
++ "tlsmgr" daemon. Transferred the sceleton.
++ - Received word from sendmail, a (at least preliminary) TLS enabled test
++ address is "bounce at esmtp.org".
++
++2000/03/06
++ - Wietse supplied a change to the dict/dict_db mechanism to allow for
++ synchronous updates.
++ Session cache updates for the server side seem to work now, removal of
++ old sessions (when called from the client) integrated.
++
++2000/03/05
++ - Got the database style session cache to run for the server side (at least
++ partial). The removal of old sessions is not yet realized.
++ [There are several man pages for OpenSSL as of 0.9.5, but the i2d etc
++ interfaces are not belong them, so I had to study the source code instead.]
++ * What is not working by now is the synchronization of the memory database
++ to disk. It only is synchronized automatically upon close. It would be
++ necessary to sync after each update or delete, but this is not implemented
++ in Wietse's dict library. I will post an according proposal.
++
++2000/03/04
++ - Wietse posts a patch to select "EHLO" negotiation even if ESMTP is
++ not recognized from the 220 greeting. Activating this flag will however
++ break compatibility with mailers, that simply close the connection
++ upon EHLO. I don't know how the large the number of these broken mailers
++ is, but activating "smtp_always_send_ehlo" is a tradeoff.
++ - Integrated Wietse's patch into Postfix/TLS.
++
++2000/03/03
++ - Received update from Matti Aarnio (Zmailer) is now for some time able
++ to do server _and_ client side TLS. Updated documenation accordingly.
++ When testing, Postfix client to Zmailer server failed, because
++ Zmailer announces with "ESMTP+IDENT" and Postfix does not recognize
++ the ESMTP token (must be seperate), so only HELO is used and STARTTLS
++ is not offered by the Zmailer server. Informed Matti accordingly,
++ will wait until the problem is resolved before actually publishing
++ the update.
++ - Enhanced the documentation by listing automatic reply services at which
++ interoperability can be tested.
++
++2000/03/02
++ - Went through the Postfix source to check out the database routines.
++ It should be possible to move session caching from directory/file-
++ based to database. Since DBM only allows blocks (key+contents) of
++ 1024 bytes and a session is larger, only Berkeley DB can be used.
++ Put some first bits into Postfix/TLS.
++
++2000/02/29 == Released 0.5.5 ==
++
++2000/02/29
++ - OpenSSL 0.9.5 has been released. Since I want to promote 0.9.5, as it
++ contains several bugfixes and enhancements, I release a new version
++ of Postfix/TLS. My personal highlights:
++ * The bug with Win32 Netscape not commencing after certificate storage
++ unlocking should be fixed. (I will leave the not in however, as long
++ as I have not positively checked it myself. Reproducibility...)
++ * The bug, that the certificate verifiation result is not stored in the
++ session cache (discovered for Postfix/TLS 0.4.4) is fixed. I will leave
++ the Postfix/TLS workaround in as long as it will run with older versions
++ of OpenSSL.
++ * The OpenSSL commandline tools like "openssl gendh" now support EGD, so
++ that the examples for generating the DH parameters now will really work
++ with high quality random data :-)
++ * The support of 56bit ciphers has lost its importance since 128bit
++ versions of Netscape etc are now easily available...
++ - This version does not feature source code changes but updated documenation
++ when compared with 0.5.4:
++ * List examples on how to generate good entropy for the PRNG seed in
++ /etc/postfix/random_file.
++ - Update the TODO document with respect to the discussion about session
++ caching and other security items. This document is a very short summary,
++ for the full discussion check the mail archive at
++ http://www.aet.tu-cottbus.de/mailman/listinfo/postfix_tls/
++
++2000/02/26-28
++ - Wietse considers including Postfix/TLS into the main release. A discussion
++ about security relevant features, especially the session cache inside
++ the chroot jail takes place.
++ The discussion will definetely lead to some changes; I have however not
++ decided on the first step, yet :-)
++
++2000/02/21 == RELEASED 0.5.4 ==
++ - Important: Another directoy is created in /var/spool/postfix, so don't
++ forget to install the new versions of conf/postfix-script-*sgid.
++
++2000/02/21
++ - Finished the seed-exchange architecture by saving the random seed at exit
++ of smtp and smtpd.
++ - Wrote documentation for the PRNG handling to the documentation.
++ - Tested on HP-UX (with a current OpenSSL-pre-0.9.5 snapshot and 0.9.4)
++ and on SuSE-Linux (with 0.9.4).
++ * THIS VERSION WILL STILL RUN WITH OPENSSL-0.9.4, but it will also run
++ with OpenSSL-0.9.5. Older versions of Postfix/TLS will not, because the
++ PRNG is not seeded!
++
++2000/02/19
++ - Start to implement my own model of collecting entropy. All smtp and smtpd
++ processes will record some items (mainly the time of actions) to add
++ some entropy into the PRNG. The state is saved and used to re-seed by the
++ smtp and smtpd processes, so that entropy adds up into the pool.
++ The seeding by external file is additionally kept in order to be able
++ to inject additional entropy.
++
++2000/02/18
++ - Included routines to add random seed from a configurable file
++ "rand_file_name". I don't want to retrieve the entropy from a real
++ random system source, because the amount of entropy that can be collected
++ is limited. We might hence stall. Let's think about this problem.
++ - The SSL_CTX_load_verify_locations() has been fixed in the latest
++ OpenSSL snapshot.
++
++2000/02/17
++ - Tracked down the SSL_CTX_load_verify_locations() problem in the OpenSSL
++ library. If more than one CA-certificate is loaded, a bogus return value 0
++ is created, because the count of certs is checked to be "1" instead of
++ allowing ">=1". Reported to openssl-dev.
++
++2000/02/16
++ - Downloaded the latest openssl-SNAPSHOT-20000215 and installed it on
++ my development machine, then recompiled Postfix/TLS and try to run it.
++ * Failure: SSL_CTX_load_verify_locations() fails on reading the CAfile with
++ return value 0, but no actual error is displayed.
++ If the return value is not checked, the CA-certificates work, so that
++ they are loaded and the error indicator seems to be bogus.
++ Reported to openssl-dev mailing list.
++ * Failure: OpenSSL has become picky about correct seeding of the PRNG
++ Pseudo Random Number Generator. Installed some "testseed" that is
++ actually not random, but then Postfix/TLS starts to work again. We
++ will need some good random seed setup, probably reading from either
++ /dev/random (if available) or from EGD.
++ Found out during the experiments, that EGD is not that simple to use
++ as described in some of my Postfix/TLS docs. Must be upgraded.
++ Asked in the openssl-dev mailing list about the recommended amount
++ of random data needed for seeding the PRNG. Ulf Moeller recommends
++ a minimum of 128bit.
++
++2000/02/14 == Released 0.5.3 ==
++
++2000/02/14
++ - OpenSSL 0.9.5 is to be released within the next hours/days. Since I intend
++ to use some of its new features soon, I will re-release 0.5.2 as the last
++ version that will run with 0.9.4 but for the latest postfix patchlevel.
++ - No functional changes.
++ - Updated patch for postfix-19991231-pl04.
++
++2000/01/28 == Released 0.5.2 ==
++
++2000/01/28
++ - Stepped up the next postfix patchlevel postfix-19991231-pl03.
++ No functional changes.
++
++2000/01/03 == Released 0.5.1 ==
++
++2000/01/03
++ - Bug fixed: Don't specify a default value for "smtpd_tls_dcert_file",
++ assuming that typically a DSA certificate is not used.
++ Otherwise smtpd will try to read it on startup and the TLS engine won't
++ start since it is not found.
++ I didn't note this bug before today, because I could not install this
++ release in a larger scale on my own servers due to a network failure
++ of our campus backbone lastring from Dec 31 until today.
++ - Stepped up to the just released postfix-19991231-pl01.
++
++2000/01/01 == Released 0.5.0 ==
++
++2000/01/01
++ - Upgraded to the new postfix release 19991231.
++
++1999/12/30
++ - Enabled support for DSA certificate and key for the server side. One
++ can have both at the same time, the selected cipher decides which one
++ is used. OpenSSL clients (like Postfix/TLS) will prefer the RSA cipher
++ suites, if not especially changed in the cipher selection list.
++ Netscape will only use the RSA cert.
++ - The client side can only have one certificate. There is a way out by using
++ a callback function, that will receive the list of acceptable CAs and
++ then do some clever selection: SSL_CTX_set_client_cert_cb().
++ I will however have to figure out, how it has to be prepared, it seems,
++ that there is no example available.
++ - I have been able to successfully generate a DSA CA and certificates for
++ some Postfix hosts and to do authentication and relaying as expected.
++ So now I have to document how it is done in a practical manner...
++ - Moved up prerelease 0.5.0pre02 to the download site.
++
++1999/12/28
++ - Moved up to SNAPSHOT-19991227.
++ - Don't forget to check the return value when calling
++ SSL_CTX_set_cipherlist().
++ - Add code to load DH-parameters from disk.
++ - Add configuration information for the new functionality: DH paramter
++ support, possibility to influence the cipherlist.
++ - Moved up prerelease 0.5.0pre01 to the download site.
++
++1999/12/25
++ - Found some minutes to relax from the christmas business.
++ - Applied the 0.4.7 patch to SNAPSHOT-19991223 and included the new changes
++ of 1999/12/19.
++ Once the new stable release of postfix is out, this minimum state will be
++ the new Postfix/TLS patch: the new functionality will not influence
++ stability, so it can stay in even if still unfinished.
++
++1999/12/23
++ - Wietse announces SNAPSHOT-19991223: if no severe bugs are found, it will
++ be promoted as next stable release soon. Good to have kept everything
++ from yesterday.
++
++1999/12/22
++ - Got a query from a Postfix/TLS user: the patch does not apply cleanly to
++ SNAPSHOT-19991216 and he somehow messed up to integrate the rejected
++ parts (it later turned out he just forgot on reject).
++ Applied the patch myself and generated a diff, sent it to the user
++ and of course kept a copy for myself, since I will have to apply it
++ myself eventually once the next "stable" release of postfix is out.
++
++1999/12/19
++ - Began modifications for 0.5.x:
++ * Added configuration variables for specifying the cipherlist to be used
++ smtpd_tls_cipherlist and smtp_tls_cipherlist. For the format, there
++ is some (however sparse) documentation in the openssl package.
++ * Call SSL_CTX_set_cipherlist() with these data.
++ * Added default temporary DH parameters to pfixtls.c (only server side is
++ necessary) and configuration variables to specify user generated
++ parameters; they are however not used, yet.
++ The default parameters were generated using the presumably good
++ /dev/random source.
++
++1999/12/13 == Released 0.4.7 ==
++
++1999/12/13
++ - Addendum to the last change: do also remove sessions, that could _not_
++ be reused.
++ - Updated configuration information:
++ * As of OpenSSL 0.9.4, certificate chain verification is not sufficient,
++ since the certificate purpose is not checked, so I recommend to add
++ all intermediate CAs the the list of CAs and stay with a verification
++ depth of 1.
++ Work is in progress for 0.9.5.
++ - Stepped up to the just released new patchlevel postfix-19990906-pl09.
++
++1999/12/10 == Released 0.4.6 ==
++
++1999/12/10
++ - Realized changes implied below: Removed SSL_CTX_add_session() in the
++ client startup; remove session on stop with SSL_SESSION_free().
++ - In the morning there is a mail on the list, that Postfix might be
++ crashed with a single "\" on the "CC:" line. Hence, we should expect
++ a new patchlevel soon. Release the actual change anyway.
++
++1999/12/09
++ - Read in the "openssl-users" mailing list, that SSL_CTX_add_session()
++ is only intended for servers. On the client side, SSL_set_session()
++ is sufficient.
++ Additionally, the session should be explicitely freed, since
++ SSL_set_session() will increment the usage count for the session.
++ Explained by Bodo Moeller.
++
++1999/12/xx
++ - Had a discussion (by email) with Bodo Moeller about DH/DSS. It seems
++ I understand better now (after the discussion) how it works :-).
++ Implementing it should not be too difficult but might take some more
++ hours. Mentally scheduled it for Version "0.5.0" whenever this might
++ be (rough guess: christmas vacation).
++ Decided to hence not discuss this topic in the docs, since it might
++ change in the near future anyway.
++
++1999/11/23
++ - Discussion with rch at writeme.com (Richard) about implementing DH ciphers
++ and DSA keys and certificates on the Postfix/TLS list: It does not work
++ as of now.
++
++1999/11/15 == Released 0.4.5 ==
++
++1999/11/15
++ - Applied patch to postfix-19990906-pl07 without problems. Well, let's
++ release new version of Postfix/TLS, so that we look up to date.
++ - Add the "DO NOT EDIT THIS FILE" to conf/sample-tls.cf.
++
++1999/11/08
++ - Applied patch to the fresh release of postfix-19990906-pl06 without
++ problems. Nothing else, so no new release of Postfix/TLS.
++
++1999/11/07 == Released 0.4.4 ==
++
++1999/11/07
++ - Played around some more with the X509_verify_cert() function: when saving
++ a session, neither the verify_result is saved nor the certificate chain
++ necessary to re-verify. So there were two possibilities left: do a full
++ renegotiation negating the benefit of session caching or
++ - save the verify_result into to the session cache file and set the value
++ when rereading from disk. This way the positive result of session caching
++ is kept.
++ - Make sure, the verify_result value is propagated as pfixtls_peer_verified
++ and used where needed.
++ - After experiencing some failures at TLS connection setup, the SSL_sessions
++ are now freed again when closing. It seems, something is left over in the
++ session structures, even though SSL_clear() is called.
++
++1999/11/06
++ - When not asking for a client certificate, the "Received:" header will show
++ the protocol and cipher, but silently omit the client CN (because they
++ where not supplied). Noted by Craig Sanders <craig at taz.net.au>.
++ The same holds, if a certificate is asked for, but none supplied.
++ Now, in any case an appropriate information is added in the "Received:"
++ header.
++ - Added a hint to remove sessions from the cache during testing, since
++ old information may still be in the cache. Also proposed by Craig
++ Sanders <craig at taz.net.au>.
++ - While at it: client CN and issuer CN are printed, but the verification
++ state is not, so that the trust value of this data is not known.
++ * Added (verify OK/not verified) to the Received: header.
++ * Obtained information using the SSL_get_verify_result(SSL *con) call.
++ * Learned, that the state is not saved in the session information, so
++ that a recalled old session will always return "OK" even if the
++ certificate failed the verification! Call it a bug in OpenSSL.
++ Still investigating on a good way to work around this problem.
++ - Fixed a bug in the syslog entries: The client CN is logged, but the
++ issuer CN is not, because of a missing "%s" in the format string.
++
++1999/11/03 == Released 0.4.3 ==
++
++1999/11/03
++ - Added some hints about security to the html documentation.
++ - Tested the changes made two weeks ago at home in the large university
++ setup. I was to a conference in between and didn't want to release
++ the new version without having done some more tests.
++
++1999/10/17
++ - Added another half a ton of comments (this time for the client side),
++ yielding one ton alltogether...
++
++1999/10/16
++ - Rearranged some of the TLS-engine initialization to improve readability.
++ - Do not "free" the SSL connection, when it is not really necessary. Do only
++ reset information about the TLS connection, when there was one. This is
++ the better way instead of the quick fix applied for 0.4.2.
++ - Added half a ton of comments to the TLS code (server side) to document
++ what is done when and why, since there is no real documentation about
++ the OpenSSL library.
++
++1999/10/11 == Released 0.4.2 ==
++
++1999/10/11
++ - Fixed a severe bug introduced in 0.4.0: smtpd and smtp tried to flush
++ old session from the session cache even when TLS was not enabled. Since
++ no SSL-context was allocated, smtp would segfault on connection close.
++
++1999/10/10 == Released 0.4.1 ==
++
++1999/10/10
++ - Added a long description of the session cache handling to the top of
++ global/pfixtls.c.
++ - There is a race condition when cleaning up the session cache in qmgr, that
++ might lead to lost sessions in client mode. The worst consequence is an
++ additional session negotiation, so we can live with it as of now.
++ Bug described in qmgr/qmgr_tls.c.
++ - Implemented immediate removal of session cache files with expired sessions
++ when these are called. No need to first load and then discard them.
++ - Implemented the requirement from RFC2246 to remove sessions, when
++ connection failures occure (well actually, when TLS layer failures
++ occur, but I cannot seperate this from another) for the server side.
++ the client side is under work.
++
++1999/10/09
++ - Set an absolut maximum length of 32 for the IDs used for session caching.
++ This matches the default in OpenSSL, but I don´t want to see surprises
++ when somebody sometimes will run into a longer session id.
++
++1999/10/05 == Released 0.4.0 ==
++ - The new disk based session cache is a major step, so the minor release
++ number is pushed to 0.4.
++ - By now I think all necessary bells and whistles are in the code. What
++ is left is a big code cleanup and some more testing before calling this
++ patchkit "1.0.0".
++ - Initiated Mailing List at
++ http://www.aet.tu-cottbus.de/mailman/listinfo/postfix_tls
++
++1999/10/05
++ - Some code cleanup.
++ - Added new options to the documentation and the hint to update
++ "postfix-script", because otherwise qmgr might fail!
++
++1999/10/03
++ - Realized disc based session caching also for the Postfix/TLS client.
++ Must go to real world testing now between hosts.
++ And, of course, tune up the documentation, because users will have to
++ install a new postfix-script, too.
++
++1999/10/02
++ - The old sessions must be removed once they have timed out, so a process
++ is needed that will scan through the list of old sessions and remove
++ once they have expired.
++ Lucky me: this is what qmgr usually does with deferred messages, so
++ qmgr is extended only a little bit and will now also clean up the
++ old sessions from the cache directory.
++ And hey: it is good to see how easily this thing can be extended and
++ functions can easily be reused. Postfix is an excellent peace of
++ software engineering and there is no line of C++ or other "object
++ oriented modern junk" in it. It should be recommended as an example
++ to computer sience students.
++
++1999/09/28
++ - I cannot use the mod_ssl way for session caching and I don´t want to
++ spend an extra "gcache" daemon as ApacheSSL does. So I follow Wietse´s
++ idea realized for his mail queues and create hash level based subdirectory
++ structures. The good thing: I can cannibalize the mail_queue code.
++ The bad thing: there is a path length of 100 chars fix coded in Wietse´s
++ routines. It does hold for 32byte session ideas.
++ Status: can save sessions to disk and recall them (server side).
++
++1999/09/26
++ - Created new call backs for external session caching for the server side.
++ In a first step, they can print out the session ids for the newly created
++ session and when recalling a session.
++ As the OpenSSL documentation on this is pretty sparse, Ben Laurie´s
++ ApacheSSL code is very helpful, Ralph Engelschall´s Mod_SSL code for
++ session caching is far more complicated.
++
++1999/09/23 == Released 0.3.10 ==
++
++1999/09/23
++ - Debugging for 0.3.8/0.3.9 would have been so much easier, if the error
++ messages put onto the error message stack from the OpenSSL library would
++ have been printed out. The error was clearly stated from the library, I
++ just didn't print it. Added pfixtls_print_errors() calls where missing
++ after calls to the OpenSSL library.
++ Sometimes I feel so old...
++ - Used opportunity to upgrade to the latest postfix patchlevel 05:
++ postfix-19990906-pl05.
++
++1999/09/19 == Released 0.3.9 ==
++
++1999/09/19
++ - Added a "smtp_no_tls_sites" table to allow people to enable TLS negotiation
++ globally and only omit it on a per site basis.
++
++1999/09/18
++ - Finally found the bug described for 0.3.8: In the server setup, the
++ SSL_CTX_set_session_id_context() call was missing. To find this, I
++ had to trace through the OpenSSL library and when I finally found it
++ in ssl/ssl_sess.c, there was an appropriate comment about this. I however
++ have to find out why I didn´t receive the appropriate error message...
++ - This bug was hidden during the first developing stages, as the shutdown
++ sequence was not working correct, so the session was not cached.
++
++1999/09/17 == Released 0.3.8 ==
++
++1999/09/17
++ - Something is strange with the session caching in smtpd server mode
++ with Netscape 4.61 client. The first connection is fine, the next
++ one hangs after the server fails with errors while reading the
++ SSLv3 client hello C. (Found by Michael Stroeder <x_mst at propack-data.de>)
++ Reproducable with OpenSSL 0.9.3a, 0.9.4 and SNAPSHOT 19990915, so
++ the problem seems to be persistent. I will try to figure out the
++ problem myself before reporting it to the developers. If I don't find
++ it, maybe they do :-)
++ Workaround: the cached session is removed after connection is closed.
++ This will impose some time penalty on the negotiation. As the caching
++ is local in the smtp processes and they time out anyway, the penalty
++ should not be significant.
++ The problem does not occure with Postfix/TLS clients.
++
++1999/09/13 == Released 0.3.7 ==
++
++1999/09/13
++ - Ran tests, seems no further conflicts between Wietse's changes and my
++ extensions.
++
++1999/09/09
++ - Applied the patchkit 0.3.6 to postfix-19990906-pl02 and worked out
++ the rejected part of the patch. From this point of view the patch
++ is included. Now everything has to be retested.
++
++1999/09/09 == Released 0.3.6 ==
++
++1999/09/09
++ - Added a missing ´#ifdef HAS_SSL #endif´ in smtp_connect.c.
++ Noted by Jeff Johnson <jeff at websitefactory.net>.
++ - HINT:
++ On 1999/09/06 a new "stable" version of postfix was released.
++ Future Postfix/TLS enhancements will be against this new version 19990906.
++
++1999/08/25 == Released 0.3.5 ==
++
++1999/08/25
++ - Added Wietse's patch for postfix-19990601 to prevent crashing smtpd when
++ VRFY is called without setting the sender with "MAIL FROM:" first.
++
++1999/08/13
++ - Small changes to global/pfixtls.[ch]: Since we also support client STARTLS,
++ we check the peers certificate, which may also be a "server" certificate
++ (not just client). Hence I renamed "*ccert*" to "*peer*".
++ - global/pfixtls.c: add some "const" to "char *" for OpenSSL library calls,
++ to make gcc happy.
++ - Extended comments in pfixtls.[ch] to better match Wietse's style.
++
++1999/08/12 == Released 0.3.4 ==
++
++1999/08/12
++ - Enabled workarounds for known bugs in SSL-engines.
++ - Tested with OpenSSL 0.9.4.
++ - Windows95/NT: Problem with Netscape hanging on first connection when
++ the client certificate database has to be unlocked cannot be reproduced
++ anymore.
++ I am happy, but I am also not sure what caused the problem to go away
++ and I cannot figure out the security settings manually from the files...
++
++1999/08/11
++ - Corrected loglevel handling: At some points smtpd_tls_loglevel was used
++ instead of smtp_tls_loglevel (only noted at loglevels >= 2).
++
++1999/08/09 == Released 0.3.3 ==
++
++1999/08/09
++ - Removed SSL_CTX_set_quiet_shutdown() as it does prevent the shutdown
++ from actually being performed. In order to remove the annoying
++ "SSL3 alert write:warning:close notify" it is now explicitly handled
++ in apps_ssl_info_callback().
++ Bug found by Bodo Moeller <bodo at openssl.org>.
++
++1999/08/06 == Released 0.3.2 ==
++
++1999/08/06
++ - Add option "smtp_tls_note_starttls_offer" to collect information about
++ hosts, that offered the STARTTLS feature without using it.
++ - Shut up smtpd. Only print information about relaying based on certs
++ when msg_verbose is true.
++
++1999/07/20
++ - Added missing "const" in pfixtls.h (found by Juergen Scheiderer
++ <jnschei at suse.de>). HP-UX ANSI-C didn't complain.
++
++1999/07/08 == Released 0.3.1 ==
++
++1999/07/08
++ - New config variable "smtpd_tls_received_header". When "true", the protocol
++ and cipher data as well as subject and issuer CN of the client certificate
++ are included into the "Received:" header.
++
++1999/07/07
++ - "starting TLS engine" message will only be printed when loglevel >=2
++ to reduce unnecessary noise in the log files.
++ - Added code to fetch the protocol (e.g. TLSv1) and the cipher used (by name
++ and bits). Information is printed to the logfile.
++
++1999/07/01 == Released 0.3.0 ==
++
++1999/07/01
++ - (Client mode) Bug fix: Don't try to use STARTTLS if it is not offered. The
++ server we are connected to might not understand it and respond with a
++ "500 command not understood", causing the email to bounce back, even
++ when the lack of STARTTLS is just a temporary problem.
++ - Updated documentation for the new per recipient/site TLS decisions.
++
++1999/06/30
++ - Client mode: Added variables and routines to decide "per recipient" or
++ "per host/site" whether to use/enforce TLS or not.
++
++1999/06/18 == Released 0.2.8 ==
++
++1999/06/18
++ - In client mode the "use_tls" and "enforce_tls" internal variables were
++ not initialized correctly, such that the client could try to use the
++ STARTTLS negotiation even if not wanted. This error was introduced
++ in 0.2.7.
++ Noted by "Cerebus" <cerebus at sackheads.org>.
++
++1999/06/08 == Released 0.2.7 ==
++
++1999/06/08
++ - Studied discussions in the IETF-apps-TLS mailing list: MS Exchange
++ seems to offer STARTTLS even if not configured. Added this info to the
++ documentation.
++ - Updated Documentation regarding the changes made.
++
++1999/06/03
++ - The subject-CommonName (CN) of the server certificate is extracted when
++ connecting to a TLS server.
++ - In "smtp_*_tls" mode, this subject-CommonName is matched against the
++ hostname of the server. In "enforce" mode, the connection is droppend
++ when the certified server name and the real hostname differ.
++ - Added missing dependencies in smtp/Makefile.in (missing pfixtls.h since
++ 0.2.0).
++
++1999/06/02 == Released 0.2.6 ==
++
++1999/06/02
++ - Adapted patchkit to postfix-19990601.
++
++1999/06/01 == Released 0.2.5 ==
++
++1999/06/01
++ - Updated OpenSSL API to 0.9.3a -> position of include files has changed
++ from <xxx.h> to <openssl/xxx.h>. No functional changes.
++ - pkcs12 utility is now part of OpenSSL -> changed documentation
++ accordingly.
++
++1999/05/20 == Released 0.2.4 ==
++
++1999/05/20
++ - Updated postfix base 19990317 from pl04 to pl05.
++
++1999/05/14 == Released 0.2.3 ==
++
++1999/05/14
++ - Fixed a bug in pfixtls_stop_*(): there was a ";" to much directly
++ after "if (con);". This check is only done as a safety measure:
++ When SSL is not started you should not stop it. This case could however
++ only happen when the code in smtp[d] would be wrong, so it should never
++ be necessary. (Bug found by Uwe Ohse <uwe at ohse.de>)
++
++1999/05/11 == Released 0.2.2 ==
++
++1999/05/11
++ - Matti Aarnio: Reworked pfixtls_dump() to use fewer strcpy and strcat calls.
++ - Added information about Matti Aarnio (author/maintainer of ZMailer)
++ working on RFC2487 for ZMailer.
++
++1999/05/04 == Released 0.2.1 ==
++
++1999/05/04
++ - Stuffed up the documenation to reflect the actual status. No change
++ in functionality.
++
++1999/04/30 == Released 0.2.0 ==
++
++1999/04/30
++ - Adjusted the changes in smtp*.c to Wietse's indentation style.
++ - Sorry, the documentation about the client side has by now to be
++ taken from sample-tls.conf. The documenation has to be rearranged
++ in a larger scale.
++
++1999/04/29
++ - Finished client support for STARTTLS in smtp; some testing done.
++ - Fixed a race condition in smtpd: When in PIPELINE mode, the connection
++ was switched back from SSL to normal mode before the buffers were
++ flashed.
++ - Adjusted the code in pfixtls.[ch] and additions in smtpd*.c to
++ Wietse's indentation style.
++
++1999/04/28
++ - Incorporated skeleton of STARTTLS support into smtp.
++ - Introduced variables to control client STARTTLS to configuration.
++
++1999/04/15 == Released 0.1.5 ==
++
++1999/04/15
++ - Adjusted pfixtls.diff to postfix-19990317-pl04.
++
++1999/04/14
++ - Ported from OpenSSL the BIO_callback functions to dump out the negotiation
++ and transmission for debugging purposes. The functions are triggered
++ by the the new loglevels 3 and 4.
++ - Call SSL_free() to get rid of the SSL connection structure not used
++ anymore.
++
++1999/04/13 == Released 0.1.4 ==
++
++1999/04/13
++ - Based on a hint in the openssl-users list added an SSL_set_accept_state()
++ before the actual SSL_accept(). I don't really understand why, but the
++ documentation of SSL is a bit short anyway.
++
++1999/04/11
++ - Some more comments on certificates in the documentation.
++
++1999/04/10
++ - Moved initialization of the pfixtls_server_engine to the pre_jail_init()
++ section of smtpd, so that it is called with root privileges to read the
++ key and cert information. The secret key of the server can now be protected
++ by "chown root secretkey.pem; chmod 400 secretkey.pem".
++ Additionally, this makes it possible to run smtpd in chroot jail, even
++ though I didn't test that, yet. All information is read at smtpd startup
++ time except the CAcerts in tls_CApath, which are checked at runtime.
++ I have to look into that.
++ - Updated documentation accordingly.
++ - Rewrote the documentation with regard to the certificate setup and
++ explaining the different types of certificates.
++
++1999/04/09
++ - Introduced pfixtls_print_errors() which imitates BIO_print_errors()
++ (the typical way to print error information in OpenSSL) but writes
++ to syslog instead of a file handle.
++ Hence we can get more informative error information.
++
++1999/04/08 == Released 0.1.3 ==
++
++1999/04/08
++ - Stuffed up the documentation by reworking the references.
++ - Added contributed script for automatic addition of fingerprints.
++ - Added ACKNOWLEDGEMENTS file
++
++1999/04/06 == Released 0.1.2 ==
++
++1999/04/06
++ - Portability: removed call of "snprintf()", as it is not available on
++ some (older) UNIX versions (in this case Solaris 2.5).
++ - Removed calls to "select()" when in TLS mode: Even though no new bytes
++ arrive, there might be bytes left in the SSL buffer -> possible hang.
++
++1999/03/30 == Released 0.1.1 ==
++
++1999/03/30
++ - Added disclaimer about export restrictions.
++ - Fixed a bug in util/match_ops.c:
++ When using dictionary lookup the compare was case sensitive by accident.
++ Effect: Fingerprint matching did not work with databases, only for plain
++ file.
++ Bug report submitted to postfix author.
++
++1999/03/29 == Released first version 0.1.0 ==
+diff -urNad postfix-release/tls/contributed/00README /tmp/dpep.cXJuVH/postfix-release/tls/contributed/00README
+--- postfix-release/tls/contributed/00README 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/00README 2005-02-03 10:22:13.091089774 -0700
+@@ -0,0 +1,22 @@
++All entries in this directory have been contributed from other sources:
++
++- Frederic J. Hirsch <f.hirsch at opengroup.org>
++ * loadcacert.pl:
++ I "took" this one from his excellent introduction
++ "Introducing SSL and Certificates using SSLeay"
++ http://www.camb.opengroup.org/RI/www/prism/wwwj/index.html
++
++- Walcir Fontanini <walcir at densis.fee.unicamp.br>
++ * fp.csh:
++ add fingerprints to the list of client certs;
++ be carefull to a adjust filenames and maptype as necessary
++
++- Craig Sanders <cas at taz.net.au>
++ * make-postfix-cert.sh:
++ automatically create certificates for postfix usage.
++
++- Justin Davies <justin at palmcoder.net>
++ * SSL_CA-HOWTO.pdf/sgml
++ SSL CA howto
++ * Postfix_SSL-HOWTO.pdf/sgml
++ Postfix/TLS howto
+diff -urNad postfix-release/tls/contributed/fp.csh /tmp/dpep.cXJuVH/postfix-release/tls/contributed/fp.csh
+--- postfix-release/tls/contributed/fp.csh 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/fp.csh 2005-02-03 10:22:13.091089774 -0700
+@@ -0,0 +1,20 @@
++#!/bin/csh -f
++
++## fp.csh <username>
++# Generate a fingerprint from a X509 certificate
++# and updates /etc/postfix/relay_clientcerts
++# It presumes a user certificate in /etc/postfix/certs/
++# with name <username>-cert.pem
++# author: walcir fontanini (walcir at densis.fee.unicamp.br) Apr-08-1999
++
++set USER=$1
++set FP=`/usr/local/ssl/bin/openssl x509 -fingerprint -in /etc/postfix/certs/$USER-cert.pem | grep Fingerprint | awk -F= '{print $2}' | tr ":" "_"`
++
++cat >> /etc/postfix/relay_clientcerts <<EOT
++$FP $USER
++EOT
++
++postmap dbm:/etc/postfix/relay_clientcerts
++
++exit
++#
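Review bot: The fingerprint lookup on the `set FP=` line is never checked, so when openssl fails (no such user, missing or unreadable `/etc/postfix/certs/<username>-cert.pem`) `$FP` is empty and the heredoc still appends a line consisting of just ` <username>` to relay_clientcerts before `postmap` rebuilds the map. Guard it before the append: `if ("$FP" == "") then` / `echo "no fingerprint for $USER"; exit 1` / `endif`. The first argument is also interpolated into the certificate path unquoted and unvalidated, so a value containing a slash reads a file outside the certs directory; rejecting anything that is not a plain name is cheap. The digest is left to openssl's default (MD5 in releases of that era, presumably), which has to match what smtpd computes when it consults the map; naming the digest explicitly (for example `-sha1`, alongside `-noout` so the certificate body is not piped through grep) avoids a silent mismatch when openssl is upgraded.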
+diff -urNad postfix-release/tls/contributed/loadCAcert.pl /tmp/dpep.cXJuVH/postfix-release/tls/contributed/loadCAcert.pl
+--- postfix-release/tls/contributed/loadCAcert.pl 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/loadCAcert.pl 2005-02-03 10:22:13.091089774 -0700
+@@ -0,0 +1,23 @@
++#!/usr/local/bin/perl -T
++
++require 5.003;
++use strict;
++use CGI;
++
++my $cert_dir = "/usr/local/ssl/certs";
++my $cert_file = "CAcert.pem";
++
++my $query = new CGI;
++
++my $kind = $query->param('FORMAT');
++if($kind eq 'DER') { $cert_file = "CAcert.der"; }
++
++my $cert_path = "$cert_dir/$cert_file";
++
++open(CERT, "<$cert_path");
++my $data = join '', <CERT>;
++close(CERT);
++print "Content-Type: application/x-x509-ca-cert\n";
++print "Content-Length: ", length($data), "\n\n$data";
++
++1;
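Review bot: The `open(CERT, "<$cert_path")` call has no error check, so if the CA file is missing or unreadable the script still emits a 200 response with `Content-Length: 0` and an empty body, and the client ends up installing nothing while the server log shows no failure; use `open(CERT, "<$cert_path") or die "cannot open $cert_path: $!";`. For the DER variant the file is binary, so add `binmode(CERT);` after the open (harmless for PEM) to keep the length header and body consistent on platforms that translate line endings. Taint mode is fine here since `$kind` is only compared and never reaches the path.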
+diff -urNad postfix-release/tls/contributed/make-postfix-cert.sh /tmp/dpep.cXJuVH/postfix-release/tls/contributed/make-postfix-cert.sh
+--- postfix-release/tls/contributed/make-postfix-cert.sh 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/make-postfix-cert.sh 2005-02-03 10:22:13.092089551 -0700
+@@ -0,0 +1,78 @@
++#! /bin/sh
++
++# make-postfix-cert.sh
++# by Craig Sanders <cas at taz.net.au> 2000-09-02
++# this script is hereby placed in the public domain.
++
++# this script assumes that you already have a CA set up, as the openssl
++# default "demoCA" under the current directory. if you haven't done it
++# already, run "/usr/lib/ssl/misc/CA.pl -newca" (or where the path to
++# openssl's CA.pl script is on your system).
++#
++# then run this script like so:
++#
++# ./make-postfix-cert.sh hostname.your.domain.com
++#
++# it will create the certificate and key files for that host and put
++# them into a subdirectory.
++
++site="$1"
++
++# edit these values to suit your site.
++
++COUNTRY="??" # ISO country code
++PROVINCE="YOUR STATE OR PROVINCE"
++LOCALITY="YOUR CITY"
++ORGANISATION="YOUR ORG NAME"
++ORG_UNIT=""
++COMMON_NAME=$site
++EMAIL="someone at your.domain.com"
++
++OPTIONAL_COMPANY_NAME=""
++
++# leave challenge password blank
++CHALLENGE_PASSWORD=""
++
++# generate a certificate valid for 10 years
++# (probably not a good idea if you care about authentication, but should
++# be fine if you only care about encryption of the smtp session)
++DAYS="-days 1825"
++
++# alternatively, make one valid for one year
++#DAYS="-days 365"
++
++# create the certificate request
++cat <<__EOF__ | openssl req -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
++$COUNTRY
++$PROVINCE
++$LOCALITY
++$ORGANISATION
++$ORG_UNIT
++$COMMON_NAME
++$EMAIL
++$CHALLENGE_PASSWORD
++$OPTIONAL_COMPANY_NAME
++__EOF__
++
++# sign it
++openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem
++
++# move it
++mkdir -p $site
++mv newreq.pem $site/key.pem
++chmod 400 $site/key.pem
++mv newcert.pem $site/cert.pem
++cd $site
++
++# create server.pem for smtpd
++cat cert.pem ../demoCA/cacert.pem key.pem >server.pem
++chmod 400 server.pem
++
++# create fingerprint file
++openssl x509 -fingerprint -in cert.pem -noout > fingerprint
++
++# create pkcs12 certificate for netscape (probably not needed)
++#openssl pkcs12 -export -in cert.pem -inkey key.pem \
++# -certfile ../demoCA/cacert.pem -name "$site" -out cert.p12
++
++cd ..
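Review bot: An empty or missing first argument is never rejected, so `mkdir -p $site` fails but the script carries on, `mv newreq.pem $site/key.pem` drops the unencrypted private key at `/key.pem`, and the unquoted `cd $site` silently changes to `$HOME` for the remaining steps. The key is also written to the working directory by `openssl req -nodes` under the caller's default umask and only narrowed by the later `chmod 400`, so `umask 077` belongs at the top. `-days` on the `openssl req` line only applies to self-signed (`-x509`) requests; the validity of the certificate this script produces is decided by `openssl ca`, so `$DAYS` should move to that invocation, and the comment above it reads "10 years" while 1825 days is five. The rewritten prologue and the two openssl invocations follow; the subject heredoc body and the move/concatenate/fingerprint steps are unchanged.
```shell
#! /bin/sh
set -e
umask 077   # the key lands in the cwd before the chmod 400 below

site="$1"
if [ -z "$site" ]; then
    echo "usage: $0 hostname.your.domain.com" >&2
    exit 1
fi

# … unchanged: COUNTRY … CHALLENGE_PASSWORD subject fields …

# generate a certificate valid for 5 years; validity is applied when the
# request is signed, so the option goes on the "openssl ca" line
DAYS="-days 1825"

# create the certificate request
cat <<__EOF__ | openssl req -new -nodes -keyout newreq.pem -out newreq.pem
# … unchanged: heredoc body and __EOF__ …

# sign it
openssl ca -policy policy_anything $DAYS -out newcert.pem -infiles newreq.pem

# … unchanged: move it, server.pem, fingerprint, cd .. …
```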
+diff -urNad postfix-release/tls/contributed/Postfix_SSL-HOWTO.pdf /tmp/dpep.cXJuVH/postfix-release/tls/contributed/Postfix_SSL-HOWTO.pdf
+--- postfix-release/tls/contributed/Postfix_SSL-HOWTO.pdf 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/Postfix_SSL-HOWTO.pdf 2005-02-03 10:22:13.092089551 -0700
+@@ -0,0 +1,310 @@
++%PDF-1.3
++%âãÏÓ
++1 0 obj<</Producer(htmldoc 1.8.21 Copyright 1997-2002 Easy Software Products, All Rights Reserved.)/CreationDate(D:20021210121659+0000)/Title(Postfix SSL HOWTO)/Creator(SGML-Tools 1.0.9)>>endobj
++2 0 obj<</Type/Encoding/Differences[ 32/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quotesingle/parenleft/parenright/asterisk/plus/comma/minus/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/grave/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 128/Euro 130/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE 145/quoteleft/quoteright/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe 159/Ydieresis/space/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]>>endobj
++3 0 obj<</Type/Font/Subtype/Type1/BaseFont/Courier/Encoding 2 0 R>>endobj
++4 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Roman/Encoding 2 0 R>>endobj
++5 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Bold/Encoding 2 0 R>>endobj
++6 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Italic/Encoding 2 0 R>>endobj
++7 0 obj<</Type/Font/Subtype/Type1/BaseFont/Helvetica/Encoding 2 0 R>>endobj
++8 0 obj<</Type/Font/Subtype/Type1/BaseFont/Helvetica-Bold/Encoding 2 0 R>>endobj
++9 0 obj<</Type/Font/Subtype/Type1/BaseFont/Symbol>>endobj
++10 0 obj<</S/URI/URI(mailto:justin at palmcoder.net)>>endobj
++11 0 obj<</Subtype/Link/Rect[72.0 680.2 174.1 698.0]/Border[0 0 0]/A 10 0 R>>endobj
++12 0 obj<</Subtype/Link/Rect[85.2 551.5 182.0 569.4]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
++13 0 obj<</Subtype/Link/Rect[85.2 519.3 265.7 537.2]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++14 0 obj<</Subtype/Link/Rect[108.0 492.0 237.2 505.0]/Border[0 0 0]/Dest[98 0 R/XYZ 0 600 0]>>endobj
++15 0 obj<</Subtype/Link/Rect[108.0 478.8 179.8 491.8]/Border[0 0 0]/Dest[98 0 R/XYZ 0 368 0]>>endobj
++16 0 obj<</Subtype/Link/Rect[85.2 447.5 257.8 465.4]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++17 0 obj<</Subtype/Link/Rect[108.0 420.2 221.7 433.2]/Border[0 0 0]/Dest[100 0 R/XYZ 0 501 0]>>endobj
++18 0 obj<</Subtype/Link/Rect[108.0 407.0 239.4 420.0]/Border[0 0 0]/Dest[100 0 R/XYZ 0 300 0]>>endobj
++19 0 obj<</Subtype/Link/Rect[85.2 375.7 474.3 393.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++20 0 obj<</Subtype/Link/Rect[108.0 348.4 240.0 361.4]/Border[0 0 0]/Dest[102 0 R/XYZ 0 594 0]>>endobj
++21 0 obj<</Subtype/Link/Rect[85.2 317.1 185.5 335.0]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++22 0 obj<</Subtype/Link/Rect[85.2 284.9 131.0 302.7]/Border[0 0 0]/Dest[102 0 R/XYZ 0 125 0]>>endobj
++23 0 obj<</Subtype/Link/Rect[72.0 255.5 93.4 268.5]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
++24 0 obj<</Subtype/Link/Rect[176.5 255.5 200.6 268.5]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++25 0 obj<</Subtype/Link/Rect[241.9 255.5 283.8 268.5]/Border[0 0 0]/Dest[96 0 R/XYZ 0 569 0]>>endobj
++26 0 obj<</Subtype/Link/Rect[72.0 74.1 93.4 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++27 0 obj<</Subtype/Link/Rect[134.6 74.1 176.5 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 569 0]>>endobj
++28 0 obj<</Subtype/Link/Rect[176.5 74.1 200.6 87.1]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++29 0 obj<</Subtype/Link/Rect[200.6 74.1 241.9 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
++30 0 obj<</Subtype/Link/Rect[241.9 74.1 283.8 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 537 0]>>endobj
++31 0 obj[11 0 R
++12 0 R
++13 0 R
++14 0 R
++15 0 R
++16 0 R
++17 0 R
++18 0 R
++19 0 R
++20 0 R
++21 0 R
++22 0 R
++23 0 R
++24 0 R
++25 0 R
++26 0 R
++27 0 R
++28 0 R
++29 0 R
++30 0 R]endobj
++32 0 obj<</Subtype/Link/Rect[72.0 721.0 93.4 734.0]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++33 0 obj<</Subtype/Link/Rect[93.4 721.0 134.6 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
++34 0 obj<</Subtype/Link/Rect[134.6 721.0 176.5 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 537 0]>>endobj
++35 0 obj<</Subtype/Link/Rect[176.5 721.0 200.6 734.0]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++36 0 obj<</Subtype/Link/Rect[200.6 721.0 241.9 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++37 0 obj<</Subtype/Link/Rect[241.9 721.0 283.8 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 465 0]>>endobj
++38 0 obj<</Subtype/Link/Rect[72.0 61.6 93.4 74.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++39 0 obj<</Subtype/Link/Rect[93.4 61.6 134.6 74.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++40 0 obj<</Subtype/Link/Rect[134.6 61.6 176.5 74.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 465 0]>>endobj
++41 0 obj<</Subtype/Link/Rect[176.5 61.6 200.6 74.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++42 0 obj<</Subtype/Link/Rect[200.6 61.6 241.9 74.6]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++43 0 obj<</Subtype/Link/Rect[241.9 61.6 283.8 74.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 393 0]>>endobj
++44 0 obj[32 0 R
++33 0 R
++34 0 R
++35 0 R
++36 0 R
++37 0 R
++38 0 R
++39 0 R
++40 0 R
++41 0 R
++42 0 R
++43 0 R]endobj
++45 0 obj<</Subtype/Link/Rect[72.0 267.6 93.4 280.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++46 0 obj<</Subtype/Link/Rect[93.4 267.6 134.6 280.6]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++47 0 obj<</Subtype/Link/Rect[134.6 267.6 176.5 280.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 393 0]>>endobj
++48 0 obj<</Subtype/Link/Rect[176.5 267.6 200.6 280.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 125 0]>>endobj
++49 0 obj<</Subtype/Link/Rect[200.6 267.6 241.9 280.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++50 0 obj<</Subtype/Link/Rect[241.9 267.6 283.8 280.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 334 0]>>endobj
++51 0 obj<</Subtype/Link/Rect[72.0 112.6 93.4 125.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 125 0]>>endobj
++52 0 obj<</Subtype/Link/Rect[93.4 112.6 134.6 125.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++53 0 obj<</Subtype/Link/Rect[134.6 112.6 176.5 125.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 334 0]>>endobj
++54 0 obj<</Subtype/Link/Rect[200.6 112.6 241.9 125.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++55 0 obj<</Subtype/Link/Rect[241.9 112.6 283.8 125.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 302 0]>>endobj
++56 0 obj[45 0 R
++46 0 R
++47 0 R
++48 0 R
++49 0 R
++50 0 R
++51 0 R
++52 0 R
++53 0 R
++54 0 R
++55 0 R]endobj
++57 0 obj<</S/URI/URI(http://www.postfix.org)>>endobj
++58 0 obj<</Subtype/Link/Rect[108.0 688.8 168.8 701.8]/Border[0 0 0]/A 57 0 R>>endobj
++59 0 obj<</S/URI/URI(http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls)>>endobj
++60 0 obj<</Subtype/Link/Rect[108.0 675.6 191.4 688.6]/Border[0 0 0]/A 59 0 R>>endobj
++61 0 obj<</S/URI/URI(http://www.palmcoder.net)>>endobj
++62 0 obj<</Subtype/Link/Rect[108.0 662.4 269.3 675.4]/Border[0 0 0]/A 61 0 R>>endobj
++63 0 obj<</Subtype/Link/Rect[93.4 634.0 134.6 647.0]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++64 0 obj<</Subtype/Link/Rect[134.6 634.0 176.5 647.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 302 0]>>endobj
++65 0 obj[58 0 R
++60 0 R
++62 0 R
++63 0 R
++64 0 R]endobj
++66 0 obj<</Dests 67 0 R>>endobj
++67 0 obj<</Kids[68 0 R]>>endobj
++68 0 obj<</Limits[(postfix_ssl-howto-1.html)(toc6)]/Names[(postfix_ssl-howto-1.html)69 0 R(postfix_ssl-howto-2.html)70 0 R(postfix_ssl-howto-3.html)71 0 R(postfix_ssl-howto-4.html)72 0 R(postfix_ssl-howto-5.html)73 0 R(postfix_ssl-howto-6.html)74 0 R(postfix_ssl-howto.html)75 0 R(s1)76 0 R(s2)77 0 R(s3)78 0 R(s4)79 0 R(s5)80 0 R(s6)81 0 R(ss2.1)82 0 R(ss2.2)83 0 R(ss3.1)84 0 R(ss3.2)85 0 R(ss4.1)86 0 R(toc1)87 0 R(toc2)88 0 R(toc3)89 0 R(toc4)90 0 R(toc5)91 0 R(toc6)92 0 R]>>endobj
++69 0 obj<</D[96 0 R/XYZ 0 268 0]>>endobj
++70 0 obj<</D[96 0 R/XYZ 0 87 0]>>endobj
++71 0 obj<</D[98 0 R/XYZ 0 61 0]>>endobj
++72 0 obj<</D[100 0 R/XYZ 0 74 0]>>endobj
++73 0 obj<</D[102 0 R/XYZ 0 280 0]>>endobj
++74 0 obj<</D[102 0 R/XYZ 0 125 0]>>endobj
++75 0 obj<</D[96 0 R/XYZ 0 734 0]>>endobj
++76 0 obj<</D[96 0 R/XYZ 0 240 0]>>endobj
++77 0 obj<</D[98 0 R/XYZ 0 733 0]>>endobj
++78 0 obj<</D[100 0 R/XYZ 0 705 0]>>endobj
++79 0 obj<</D[102 0 R/XYZ 0 718 0]>>endobj
++80 0 obj<</D[102 0 R/XYZ 0 252 0]>>endobj
++81 0 obj<</D[104 0 R/XYZ 0 733 0]>>endobj
++82 0 obj<</D[98 0 R/XYZ 0 600 0]>>endobj
++83 0 obj<</D[98 0 R/XYZ 0 368 0]>>endobj
++84 0 obj<</D[100 0 R/XYZ 0 501 0]>>endobj
++85 0 obj<</D[100 0 R/XYZ 0 300 0]>>endobj
++86 0 obj<</D[102 0 R/XYZ 0 594 0]>>endobj
++87 0 obj<</D[96 0 R/XYZ 0 569 0]>>endobj
++88 0 obj<</D[96 0 R/XYZ 0 537 0]>>endobj
++89 0 obj<</D[96 0 R/XYZ 0 465 0]>>endobj
++90 0 obj<</D[96 0 R/XYZ 0 393 0]>>endobj
++91 0 obj<</D[96 0 R/XYZ 0 334 0]>>endobj
++92 0 obj<</D[96 0 R/XYZ 0 302 0]>>endobj
++93 0 obj<</Type/Pages/Count 6/Kids[94 0 R
++96 0 R
++98 0 R
++100 0 R
++102 0 R
++104 0 R
++]>>endobj
++94 0 obj<</Type/Page/Parent 93 0 R/Contents 95 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F8 7 0 R/F9 8 0 R>>/XObject<<>>>>>>endobj
++95 0 obj<</Filter/FlateDecode/Length 90 >>stream
++x
ÂÁ
++@@àû<Åä²fhV{Uä ÐNy R$¾ï"ÿeÂc>¨2Ê °¢â¼(
++U'AaØ13lNó~ÖíEÚ~²>µj£>!ëendstream
++endobj
++96 0 obj<</Type/Page/Parent 93 0 R/Contents 97 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F4 4 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R/Fc 9 0 R>>/XObject<<>>>>/Annots 31 0 R>>endobj
++97 0 obj<</Filter/FlateDecode/Length 1533 >>stream
++x¥VMÛ6½ï¯À¯¢/ëãÐCÛ4i:ivÉ%Ú¦b6úp%Ùý÷} %v·{é¬×cè ð >êïBüEÇd´kn ÄåëÏ7ü²tÄÔPÙdÔtã
EaD(~aï´Èñã¿×TIÀõ:AÀ+ âgë(ÖØ*8µx/Ó"
y¤ðf1Ïl¨/0Ïä×Aî9ú6зta}h\ø&/^si ¦Ébɤ\«¬J<hÆÔ:ÔMÄÃáÂNX±Oéy&9ç³¼(f-[b8ò&̲µ`ÉA
¼ôm <z6P¤TªLðP¦Ù²ÆRåEa&;з6æ<Ô³9¥s¨Ý4çA¨MÄpNXF!ú6ÂF9Nz6Ð,¿ôå¡N at FÎsq1bõÎÄÜ®q|æ\§Â¾
4g«o-SæhÙÔ·uPz¨o-²¤|»¡$,/|}Cüb-ûÄta_ÇþW³`b0Hw}hÆrã¡ÌZ\°.5T0f
ÞÒ3ák GO ÇuÉb°#kDy%_Ä¡±(Cúr¬Ýâä¡o4£qá88TÂBY·þ£ùÓÏ%?ôOæså,²ç-&R¦b<sÎOJòîì'¹:̼g¾`x¸ÊûÇÍÍË×%æ6.,/²i³{'¤ÍîöC7ùF÷÷ïè÷6ï_lþ²N,#âvÄA²Ûí¯§a4-½Rg£»2EK§uq$ö·ç(WôJït³Õ=ÅaÛÕ·º@ã°vs0á£Z2íØwûÓn4]KcGãAÓiÐÔU´ywÿs|0ãAÏÿ¶ù! i¿ðÚ!̱ïÎf¯g÷Þ:)Î ¤;8ìÛhÕ¼nwýãqå25íº¶ÕÄÊǵBúÛHêÌÚÑìgêm¿¢Çî$9¨zè®6ô¼4).¬§ôPBÖæ¬FM_õ#ïªêº{ ɧ׵zDå
u½ÁA*4F½õèöFëâPZ4S¦@¶u¯û³îmÔ¹x9¹säýS×VæË©bé¨zÕ Ï~êÿnêèîA~dzã,§Ë¨.Ô#)Úh%i]ú| Wô &ú.xIåÉíj]æpYYâUÆyð¬ù^ϧ3³uYkÙÝj¦j
++YáîÑÛ9çã>Sfн%ðé(ébÐ>7LÞ¦W§ôØ"`ò]«ÿg[Ö½6LÅÇ#GÃésôδ_¯ÄJfeäw>lz}6Ýià9ÑÔ~lÓuòfhȯçòr-g¤Ý&Î6ªkExP¨&»ã©V=é;9¥¶8Zhm÷ü§r¤-f¢2È¼ê»Æ:wÕDÈ,G³ÃwX¥Õxêõ°¢íii¤ºI«ÁØvv¡Ì=+D;â? O·þ9ëË@MJ©ñ£êzÖ5×ÝÕÕþs¡âÆ5Vª1µQ<ÌÂ}ËúôýYÕ'm Y¼½o·ÅÈB³'=fÕyP"n³ä*Okñ½Jl§ûÑT¬µzÀH¡¦C¦EI"¾*ðá}õ
++ä|Õ4KÑå^«ý
HòÑaG¾mPñ`F-Û2Ó±y©¿,åXeÚvyÿØÀ½ý@j¿G7¹oû9<¨¾7]?|~aÇC1ù¸ª|¯wfê{8h¤(ÝîÆ [½r`*+c1\¦bO[ðî<0ͽþbL*0Üèj¾®R8¨×ÚÖZ2å[m¾/qwrÀÂeYcÄÇ-SZL/±c5F5RmƱִ5#ßï8éýõ
=èÝ©7ããÜ¿æ§Ïÿ³²P¸÷¼GqÆ÷ÔÜ[îëòîaP©½É"¦ãçÍÍ7ÿ .Ý>endstream
++endobj
++98 0 obj<</Type/Page/Parent 93 0 R/Contents 99 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F0 3 0 R/F4 4 0 R/F5 5 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R>>/XObject<<>>>>>>endobj
++99 0 obj<</Filter/FlateDecode/Length 1220 >>stream
++xVÛnÛF}×WÒ°V$uuu¹à[-E´Æ\Z»ìîÒ®úÐoïÌHYISr®gfÎÌü°`2¤,IÈ0].ðo_# ¼ãSgø*ÎPg¾X88T aÄàV[É¿[à_n`#̳0oãO¨>
0¬GÑMæh)¶ZÁ¦Ú¬ Ñ
°ðPÉÜÁt[°UYjã Ó6Ë1Z=«ç9¸-w -(!RÒ¿D«L>V;u"¬¦8
o4¡_È(©)e£J&u¨,Õ#ìtå= Hµ÷bw¢k;ÆÉL&ôO
ã2§Iø]+gtZyd#`ðkÇK¢Ë]×úØWi÷Q×! 4ÇÂ%㲩@*
&¤ÍÁÚøG°(;!Ë%@RÉ«Ç:³RBZK bÙ²4òŰÞÕ¥
à ͨFÑÍæ8ÙêFkÇè§)£tÚ°#H®Ð)L±êRy /Òmºl¹ö÷Ê]rÃÌØ:ª£
·J%åÛk\p©X5QEs6%giy¦©S¨r©°=À¤i±T'U!c}ïà}}>ä|Üâf}\láÊôÞåö!»Ï°£àû^ÇE`õÐÜkQ|Qżóu~FöêqWYAb|;ÑÀ?kæÝ×
!
&¾nûðÚ¤jÄÚj
i¨@¹Æqz=Æîk°nuF{ïä3ÿÏKg¾¾ÅKØ7º8ïÅYå¶ÚH·Gø8l(
;
GUf5tDìÇ·ÿWSà 3q9RгVÆ«ÜõiÈ"ñ¤çè_xÂ9¾eUÏÁ8Û[]å)9ë¡!oôÙDÛÝ!#Ü4´ØCXG#²ýÑÞ~_ܨ¤O¼=ð (s¦\\ÖqÜí!M¶"yªépØ"W?¡j$:Ò¯Ú§bü§îÝ??$J8@îÈE´Y¢YõѬEÁ[lvV° ®S"EôçIn¬ö1¶² /ñ²Áj!s`üÞ8ü¢àPï`µ¹o[z±>\Þ qÈ>üÞûh"zõþv}»º\_¯¯ê{%ÝÍú·f!µ=XÅw×GÄâ³»¸©;uÇ
Åaù~_¯V}ÍQqDáNð;UC]øWtÀD1LÓÅØ+%.:|N /ZNÂÂ÷µå7µÜµxVÇVTn$°CCݰ÷×Ь|T8f´Whú¨¤gÒÎ<½È7Z×t(ª/AsãgÆ¥Ý_þ±Pj©Ü ª~î¯ñżaç!¹çú`~)HIá)Èé«v Ѹ¯H¼ÍÅ/Ü(P "ïQ[Âç"xgÛ àeb¤/ð¯ }oBfnµjXdÙFl:ù®¤vºê>ÜüßP£Fn´NëÓ¡cêt7ÆrG.]¤¿?þfÉi«endstream
++endobj
++100 0 obj<</Type/Page/Parent 93 0 R/Contents 101 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F0 3 0 R/F4 4 0 R/F5 5 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R>>/XObject<<>>>>/Annots 44 0 R>>endobj
++101 0 obj<</Filter/FlateDecode/Length 1602 >>stream
++xW]oÛ6}ϯ¸ÈËR VümGoi»vÚ5k<
++DÙ\$Ò¥8ޯ߹$%3bhT"ï×¹çRh?#Zi2§¬:&C¼é|ýÈoh¾ãgEãQ2
%ÝEÍÇÉ<Z+
§É,Z±:^¾0±:¿N®cÛè3%ËhÕe»'c.Èyµ¤Â1~?#~¨Îý¿/.¬¸búÃSWY¿äV¾Ã+³[sUÖ]MýÚÛÕÙÕ)F´*ЬùrA«ÜõhH«ìâgùÜÐ]-i-½3ºº±túõÕpvM£PsîI2ÂãÅ$¡;cB=°$hõé²RÁ·:¤0/ÉòÎ"DÖxKoEJØFÖø¥J²²~uB«²¿»Doîï?]q¬JZ´KåZ+¶L£i <\·D¥¨×r·úÎõ>`ñ°?öSaj"ÛP.·¢n*Ð'¥^S³VÄ,µ[âBd96\¥ÈÚ¶Tv{Z«§`ÜCf÷¨³Bj¹,D[6´A-K$ãêoLB¿ÖÅ@`Í©esèÜÅlÙ Qh$5Êfï0øzhQ0ç%Bß(u£
++gÔÁØô«Ûm°®_qî¦ûÏ«» ¡1fgi°heÀ~g-úèJtÕrTx²&XÐ5¼àil(ÚÅðìs§
×Fä´uLmÏ/r}ÔÁ7 ¦Û»£È"Ïkió´ihk¬U%Ü·èqhÌáf#<¶·wÔÙÂT Ò²ÐkPVºôUùfvÇUç(
++µ£jº½¿;ÝSÍCåeéÑïÀq§^¢4×Qn©= LèFçG° uæ£nU.I
++®b?§ô0U«O
++Ì¢Ñæ¡:«÷Û&S4okoàA<
++oÑxs`KÓ¨¦+[¡ÖmÍD`¯ß¦×éBTªT¢æl+7èÜèFîÒyëçÝ´vC`r°zÆ<¶[ë!é"SÔäTU.²²ÝA8ëN/äD²õȰîLýYd×r-êÜ
eÏn { øQÀUÉz°>¡w}¢Ñ©sÌ
ÂXÒ}æ-#f¥$Uàµw{?&#¸
++è{Τ Ü^º-H5xévØãÂv=h¦ÛΦH`}Ø >Ê 0ÎB©!$ì µ(ÙäêÃ,¦tþÕ©3ô
!Ç$ÈüÜoê»Â¡d¢6UDÆR¯0
'ÉÃJYÊú@ó>+ÙdW%>¯xxÂÎ>%Ô¬ TA
++ï3õNtÍGWÁ׺Á·¯9ß.â|D á{YìÀmÇeo2áí\à¹ÛwNrOâÁ<qâ×}ãæàµc¶ÒÓv#°7ÌÒV@òÐXÉnªðßÌh¨¦ZÁ1ßOØÁæþ8er;ùxÕÊ<
++ʼ+Û`@ZàÎÚì4.%'[38ë;ú4¦8¼Xç<E¦/!æ«L}ZZ{;_UdÕv8Ã/©n=òαX
Î_o»ÙJmmIϳá5
â LfrÕlqyñ¿Hv¸i[¼
Ïïg'DY@º·^ýâÈh÷iëÃýÿ9èòí"ýw#'0¹VÿÐ|F�ñ7/»1mCßAMÛ¦'q©~e_Gñz¾¦gér¾_¤iúî&}7MÇôí0ý0IÒù<]Þ¤Eº|OKXð5ÉLÒ>¾êíp²¢-/_ñn0^ÏU5ü?%
[n_ϧ?ø: ¸ =©q£Úí'ûé%"n´£J4ø^ÜMmÚµFu×!|&¹þé/W?lAJG×ãdÊ_£ø^õ7:ác~úòÛêsnö
ÈÝë_@Óå0Y.§øãlÿãêì³ »bendstream
++endobj
++102 0 obj<</Type/Page/Parent 93 0 R/Contents 103 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F0 3 0 R/F4 4 0 R/F5 5 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R>>/XObject<<>>>>/Annots 56 0 R>>endobj
++103 0 obj<</Filter/FlateDecode/Length 1758 >>stream
++x¥WÛÛF}¯(ø%2 áè6i?8; ¬³±#ØY=dSêÉVØMµ_¿§ªyÉÛ¢]uêrNþ¼Óæt· eLIq5f¯7ÑVë;|^ào¥)Åí<Z\8hÖüóëáÕå"© ŦòÓÇ«ÁcA1¿Ò
ÏVÑíàpøÓÅúìêð§ñ&ÚïÑ<ZN9âÅbï.D¼/Lww}tò¹®9`ºþ©¬;
++Ð[y&À³»;BÝ}úûíÕÍû
Íoq´ÍPÜ8£MLÛT4£m2YEôQ{oÊÕò{MNWG]·(v®Nô¨NÉá%]*Sz÷zûl¯h>¯wÑ2tòi¯ËpïOéë|f¾PUö+[ïö¤àÅÍðm®ñµ¥T{]¦Ôd2äF
++ìå[G*Ïí3 tÈ
++er2£ëùÅóÖAHD4:Üó:Ï;D~¯<¥!;rÌàES
++ ÿsÀèÊ;d פÀÊÈHh¨,,Gϸ¦tàýg»3³xCJoNÈþ~® êÀÀ'ç+xcËQúñ®W^/S;qg`Ê(ÉÂ×mÅ&Ñøv¯ ªÒLÕߨà!U*éQs¶¤®Ð£²q¾Ì°Ú{hªÞI°4Bà«Úy>
þ¸ûð:¢÷¶â^)¸J¦Dy®ÐBuãÑ6Ü@u)3>ÊÅ }ʱe M<h-S¦æhÒZåØÒW6'ËDîtíz
\qS®¢9H&¬
++ýûÙÕÄr{*¡(-li6LS öÙç¤
s®j±ô\ ¤K8à¼A[&4à 4ø¨gÙRÿ$ÿw¦h¸5XGÒ°w |è5a &Î7GF èZHèw[C}òS¤(ÓÏCD=lHãÿk{¡p@2 aÔMº#z¢¾Õì KD"1mf[ ×4OÈCfYÌøIbøG@?£
ËXÆøz©ßqÿ°h<éÓgqðn´OnA[oþ«Ëgm
++¡ÉK\otA¯Ý¿½äéþ-píë[ £¤7tÒ#
ºâh¶\2¶·N¨*ËÓº%3Èt"g
+++¡4²ß ×<¨ÊSVÙKDJ¸V(Ô¬Ò«9Êùóöj
++Þøl3%ä$}Zò¨ò]Th Ñ_`
++&®UÁÂ5*¼&hTÛESk¯¸ùlG^6-±ËÄ9¡S©:x[C03V=pÇÈ!³÷ýt{Ô?tºNH
³*~ë(üõõÀsì¾R¥;X¤½P"@*®Ug·&4ÔÉÑO\eTdô²¶öYFÏX.P¦ååBƤ-õx.}`æÚfǯÈÁÎ6´Äq=`Ù×ÓfdR|ãPlt³Û§¡Èp£á¹S tæÕ ~=L
++UM¼Òj§JãD
Ö×ÓvT§´{cIExòGrv(Ä ©Gô$ð¬U¦_¯Ý[Û×ãNL·Ó¬$®cMoÊ»Ê3Odoí¥¡:HÀMXèdÏqíÙ5t»¢ñÈ3ñ¯µ¯sYù·ìUÃFê§ÿGÄfÝÍ?õO¿Túhlíè£ÑÑ寥áÎ|½hHInÁu D~¼°o-«@GÌA8@*T ºô%º¼Éhå
u-´[tHïì<{A*´¨ÈÏâ£ÁLä·s»AwîlP¸£ªnðÖ
ß=ÏÞ$L\··u¶|H-à ìð=õÑöÝïu
aà=к§$÷Ý
4ë¾ñ¡uu`îguâ;Ç>EG¶.Ü «bñBêÃ%tøh!Ä6Òé®ò`ð¾
Jh½_A¥B^
1^g,ïxNÚ`QØj¥ÎñÁDyÿö
ä)V±'ü@ðö0óØjKeí [º¯åG³høÍÅD"T#ǨöEXÁ\ü$¹Æ4æîÂND¡d(²?Ú¾sô}L´rFW]¦Û_²pÝüoÑ*¦x9VmõP4úñçíáºyïún¶aý¿lWëY´^¯ðí°ñwÛ«]ý±Iÿendstream
++endobj
++104 0 obj<</Type/Page/Parent 93 0 R/Contents 105 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F4 4 0 R/F8 7 0 R/F9 8 0 R/Fc 9 0 R>>/XObject<<>>>>/Annots 65 0 R>>endobj
++105 0 obj<</Filter/FlateDecode/Length 362 >>stream
++x¥QËNÃ0¼û+öXqmÇñã
++z¨h!¸pkSQ hêç3NLëe<³»³ãO&IàdV-\àäôyºg¥áLUrG-ËUT³¶ä
$£0rcÜ ÎùÈ
rlIJÏuF
Êâ÷øD0<ìMO\aFF×'.¨-¯22Ç`½åeÆ"2Òb
í,þÞ}C¦$LUÞ>MÉç/DG¡1oTFò:°é'YÁ~Ø ãÂzH^PXM§ùv÷~¸
++ok¥¸£;
ëɲ;ôíf]ÛºUÒ»xµ½(cé²Ë@²ÄU»Lüþg§èº
õ¯
%oc×ÅsXÔqX(ǥǮÃãCsìi¹o¾·Ý×nº]ßìúK;K¯¸6".ò©ë9Í¢h¡HºÂ
++[çAk'¸sz®êÛÀÙþ¶ªendstream
++endobj
++106 0 obj<</Type/Catalog/Pages 93 0 R/PageLayout/SinglePage/OpenAction[96 0 R/XYZ null null 0]/PageMode/UseOutlines/PageLabels<</Nums[0<</P(title)>>1<</S/D/St 1/P()>>]>>>>endobj
++xref
++0 107
++0000000000 65535 f
++0000000015 00000 n
++0000000210 00000 n
++0000001776 00000 n
++0000001850 00000 n
++0000001928 00000 n
++0000002005 00000 n
++0000002084 00000 n
++0000002160 00000 n
++0000002241 00000 n
++0000002299 00000 n
++0000002357 00000 n
++0000002441 00000 n
++0000002541 00000 n
++0000002640 00000 n
++0000002741 00000 n
++0000002842 00000 n
++0000002941 00000 n
++0000003043 00000 n
++0000003145 00000 n
++0000003245 00000 n
++0000003347 00000 n
++0000003448 00000 n
++0000003549 00000 n
++0000003648 00000 n
++0000003748 00000 n
++0000003849 00000 n
++0000003945 00000 n
++0000004044 00000 n
++0000004142 00000 n
++0000004241 00000 n
++0000004340 00000 n
++0000004496 00000 n
++0000004594 00000 n
++0000004694 00000 n
++0000004795 00000 n
++0000004896 00000 n
++0000004996 00000 n
++0000005097 00000 n
++0000005194 00000 n
++0000005291 00000 n
++0000005390 00000 n
++0000005490 00000 n
++0000005588 00000 n
++0000005687 00000 n
++0000005787 00000 n
++0000005887 00000 n
++0000005986 00000 n
++0000006087 00000 n
++0000006189 00000 n
++0000006290 00000 n
++0000006391 00000 n
++0000006491 00000 n
++0000006591 00000 n
++0000006692 00000 n
++0000006794 00000 n
++0000006895 00000 n
++0000006988 00000 n
++0000007041 00000 n
++0000007126 00000 n
++0000007211 00000 n
++0000007296 00000 n
++0000007351 00000 n
++0000007436 00000 n
++0000007537 00000 n
++0000007638 00000 n
++0000007689 00000 n
++0000007721 00000 n
++0000007753 00000 n
++0000008240 00000 n
++0000008281 00000 n
++0000008321 00000 n
++0000008361 00000 n
++0000008402 00000 n
++0000008444 00000 n
++0000008486 00000 n
++0000008527 00000 n
++0000008568 00000 n
++0000008609 00000 n
++0000008651 00000 n
++0000008693 00000 n
++0000008735 00000 n
++0000008777 00000 n
++0000008818 00000 n
++0000008859 00000 n
++0000008901 00000 n
++0000008943 00000 n
++0000008985 00000 n
++0000009026 00000 n
++0000009067 00000 n
++0000009108 00000 n
++0000009149 00000 n
++0000009190 00000 n
++0000009231 00000 n
++0000009321 00000 n
++0000009474 00000 n
++0000009637 00000 n
++0000009831 00000 n
++0000011437 00000 n
++0000011626 00000 n
++0000012919 00000 n
++0000013124 00000 n
++0000014800 00000 n
++0000015005 00000 n
++0000016837 00000 n
++0000017024 00000 n
++0000017460 00000 n
++trailer
++<</Size 107/Root 106 0 R/Info 1 0 R/ID[<c567b3b845f93fff5790763fa9931d35><c567b3b845f93fff5790763fa9931d35>]>>
++startxref
++17638
++%%EOF
+diff -urNad postfix-release/tls/contributed/Postfix_SSL-HOWTO.sgml /tmp/dpep.cXJuVH/postfix-release/tls/contributed/Postfix_SSL-HOWTO.sgml
+--- postfix-release/tls/contributed/Postfix_SSL-HOWTO.sgml 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/Postfix_SSL-HOWTO.sgml 2005-02-03 10:22:13.093089328 -0700
+@@ -0,0 +1,349 @@
++%PDF-1.3
++%âãÏÓ
++1 0 obj<</Producer(htmldoc 1.8.21 Copyright 1997-2002 Easy Software Products, All Rights Reserved.)/CreationDate(D:20021211094503+0000)/Title(Postfix SSL HOWTO)/Creator(SGML-Tools 1.0.9)>>endobj
++2 0 obj<</Type/Encoding/Differences[ 32/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quotesingle/parenleft/parenright/asterisk/plus/comma/minus/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/grave/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 128/Euro 130/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE 145/quoteleft/quoteright/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe 159/Ydieresis/space/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]>>endobj
++3 0 obj<</Type/Font/Subtype/Type1/BaseFont/Courier/Encoding 2 0 R>>endobj
++4 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Roman/Encoding 2 0 R>>endobj
++5 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Bold/Encoding 2 0 R>>endobj
++6 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Italic/Encoding 2 0 R>>endobj
++7 0 obj<</Type/Font/Subtype/Type1/BaseFont/Helvetica/Encoding 2 0 R>>endobj
++8 0 obj<</Type/Font/Subtype/Type1/BaseFont/Helvetica-Bold/Encoding 2 0 R>>endobj
++9 0 obj<</Type/Font/Subtype/Type1/BaseFont/Symbol>>endobj
++10 0 obj<</S/URI/URI(mailto:justin at palmcoder.net)>>endobj
++11 0 obj<</Subtype/Link/Rect[72.0 680.2 174.1 698.0]/Border[0 0 0]/A 10 0 R>>endobj
++12 0 obj<</Subtype/Link/Rect[85.2 551.5 182.0 569.4]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
++13 0 obj<</Subtype/Link/Rect[85.2 519.3 265.7 537.2]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++14 0 obj<</Subtype/Link/Rect[108.0 492.0 237.2 505.0]/Border[0 0 0]/Dest[98 0 R/XYZ 0 600 0]>>endobj
++15 0 obj<</Subtype/Link/Rect[108.0 478.8 179.8 491.8]/Border[0 0 0]/Dest[98 0 R/XYZ 0 368 0]>>endobj
++16 0 obj<</Subtype/Link/Rect[85.2 447.5 257.8 465.4]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++17 0 obj<</Subtype/Link/Rect[108.0 420.2 221.7 433.2]/Border[0 0 0]/Dest[100 0 R/XYZ 0 501 0]>>endobj
++18 0 obj<</Subtype/Link/Rect[108.0 407.0 239.4 420.0]/Border[0 0 0]/Dest[100 0 R/XYZ 0 300 0]>>endobj
++19 0 obj<</Subtype/Link/Rect[85.2 375.7 474.3 393.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++20 0 obj<</Subtype/Link/Rect[108.0 348.4 240.0 361.4]/Border[0 0 0]/Dest[102 0 R/XYZ 0 594 0]>>endobj
++21 0 obj<</Subtype/Link/Rect[85.2 317.1 185.5 335.0]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++22 0 obj<</Subtype/Link/Rect[85.2 284.9 131.0 302.7]/Border[0 0 0]/Dest[102 0 R/XYZ 0 125 0]>>endobj
++23 0 obj<</Subtype/Link/Rect[72.0 255.5 93.4 268.5]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
++24 0 obj<</Subtype/Link/Rect[176.5 255.5 200.6 268.5]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++25 0 obj<</Subtype/Link/Rect[241.9 255.5 283.8 268.5]/Border[0 0 0]/Dest[96 0 R/XYZ 0 569 0]>>endobj
++26 0 obj<</Subtype/Link/Rect[72.0 74.1 93.4 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++27 0 obj<</Subtype/Link/Rect[134.6 74.1 176.5 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 569 0]>>endobj
++28 0 obj<</Subtype/Link/Rect[176.5 74.1 200.6 87.1]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++29 0 obj<</Subtype/Link/Rect[200.6 74.1 241.9 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
++30 0 obj<</Subtype/Link/Rect[241.9 74.1 283.8 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 537 0]>>endobj
++31 0 obj[11 0 R
++12 0 R
++13 0 R
++14 0 R
++15 0 R
++16 0 R
++17 0 R
++18 0 R
++19 0 R
++20 0 R
++21 0 R
++22 0 R
++23 0 R
++24 0 R
++25 0 R
++26 0 R
++27 0 R
++28 0 R
++29 0 R
++30 0 R]endobj
++32 0 obj<</Subtype/Link/Rect[72.0 721.0 93.4 734.0]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++33 0 obj<</Subtype/Link/Rect[93.4 721.0 134.6 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
++34 0 obj<</Subtype/Link/Rect[134.6 721.0 176.5 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 537 0]>>endobj
++35 0 obj<</Subtype/Link/Rect[176.5 721.0 200.6 734.0]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++36 0 obj<</Subtype/Link/Rect[200.6 721.0 241.9 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++37 0 obj<</Subtype/Link/Rect[241.9 721.0 283.8 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 465 0]>>endobj
++38 0 obj<</Subtype/Link/Rect[72.0 61.6 93.4 74.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++39 0 obj<</Subtype/Link/Rect[93.4 61.6 134.6 74.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++40 0 obj<</Subtype/Link/Rect[134.6 61.6 176.5 74.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 465 0]>>endobj
++41 0 obj<</Subtype/Link/Rect[176.5 61.6 200.6 74.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++42 0 obj<</Subtype/Link/Rect[200.6 61.6 241.9 74.6]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++43 0 obj<</Subtype/Link/Rect[241.9 61.6 283.8 74.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 393 0]>>endobj
++44 0 obj[32 0 R
++33 0 R
++34 0 R
++35 0 R
++36 0 R
++37 0 R
++38 0 R
++39 0 R
++40 0 R
++41 0 R
++42 0 R
++43 0 R]endobj
++45 0 obj<</Subtype/Link/Rect[72.0 267.6 93.4 280.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++46 0 obj<</Subtype/Link/Rect[93.4 267.6 134.6 280.6]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++47 0 obj<</Subtype/Link/Rect[134.6 267.6 176.5 280.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 393 0]>>endobj
++48 0 obj<</Subtype/Link/Rect[176.5 267.6 200.6 280.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 125 0]>>endobj
++49 0 obj<</Subtype/Link/Rect[200.6 267.6 241.9 280.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++50 0 obj<</Subtype/Link/Rect[241.9 267.6 283.8 280.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 334 0]>>endobj
++51 0 obj<</Subtype/Link/Rect[72.0 112.6 93.4 125.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 125 0]>>endobj
++52 0 obj<</Subtype/Link/Rect[93.4 112.6 134.6 125.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++53 0 obj<</Subtype/Link/Rect[134.6 112.6 176.5 125.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 334 0]>>endobj
++54 0 obj<</Subtype/Link/Rect[200.6 112.6 241.9 125.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++55 0 obj<</Subtype/Link/Rect[241.9 112.6 283.8 125.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 302 0]>>endobj
++56 0 obj[45 0 R
++46 0 R
++47 0 R
++48 0 R
++49 0 R
++50 0 R
++51 0 R
++52 0 R
++53 0 R
++54 0 R
++55 0 R]endobj
++57 0 obj<</S/URI/URI(http://www.postfix.org)>>endobj
++58 0 obj<</Subtype/Link/Rect[108.0 688.8 168.8 701.8]/Border[0 0 0]/A 57 0 R>>endobj
++59 0 obj<</S/URI/URI(http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls)>>endobj
++60 0 obj<</Subtype/Link/Rect[108.0 675.6 191.4 688.6]/Border[0 0 0]/A 59 0 R>>endobj
++61 0 obj<</S/URI/URI(http://www.palmcoder.net)>>endobj
++62 0 obj<</Subtype/Link/Rect[108.0 662.4 269.3 675.4]/Border[0 0 0]/A 61 0 R>>endobj
++63 0 obj<</Subtype/Link/Rect[93.4 634.0 134.6 647.0]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++64 0 obj<</Subtype/Link/Rect[134.6 634.0 176.5 647.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 302 0]>>endobj
++65 0 obj[58 0 R
++60 0 R
++62 0 R
++63 0 R
++64 0 R]endobj
++66 0 obj<</Dests 67 0 R>>endobj
++67 0 obj<</Kids[68 0 R]>>endobj
++68 0 obj<</Limits[(postfix_ssl-howto-1.html)(toc6)]/Names[(postfix_ssl-howto-1.html)69 0 R(postfix_ssl-howto-2.html)70 0 R(postfix_ssl-howto-3.html)71 0 R(postfix_ssl-howto-4.html)72 0 R(postfix_ssl-howto-5.html)73 0 R(postfix_ssl-howto-6.html)74 0 R(postfix_ssl-howto.html)75 0 R(s1)76 0 R(s2)77 0 R(s3)78 0 R(s4)79 0 R(s5)80 0 R(s6)81 0 R(ss2.1)82 0 R(ss2.2)83 0 R(ss3.1)84 0 R(ss3.2)85 0 R(ss4.1)86 0 R(toc1)87 0 R(toc2)88 0 R(toc3)89 0 R(toc4)90 0 R(toc5)91 0 R(toc6)92 0 R]>>endobj
++69 0 obj<</D[96 0 R/XYZ 0 268 0]>>endobj
++70 0 obj<</D[96 0 R/XYZ 0 87 0]>>endobj
++71 0 obj<</D[98 0 R/XYZ 0 61 0]>>endobj
++72 0 obj<</D[100 0 R/XYZ 0 74 0]>>endobj
++73 0 obj<</D[102 0 R/XYZ 0 280 0]>>endobj
++74 0 obj<</D[102 0 R/XYZ 0 125 0]>>endobj
++75 0 obj<</D[96 0 R/XYZ 0 734 0]>>endobj
++76 0 obj<</D[96 0 R/XYZ 0 240 0]>>endobj
++77 0 obj<</D[98 0 R/XYZ 0 733 0]>>endobj
++78 0 obj<</D[100 0 R/XYZ 0 705 0]>>endobj
++79 0 obj<</D[102 0 R/XYZ 0 718 0]>>endobj
++80 0 obj<</D[102 0 R/XYZ 0 252 0]>>endobj
++81 0 obj<</D[104 0 R/XYZ 0 733 0]>>endobj
++82 0 obj<</D[98 0 R/XYZ 0 600 0]>>endobj
++83 0 obj<</D[98 0 R/XYZ 0 368 0]>>endobj
++84 0 obj<</D[100 0 R/XYZ 0 501 0]>>endobj
++85 0 obj<</D[100 0 R/XYZ 0 300 0]>>endobj
++86 0 obj<</D[102 0 R/XYZ 0 594 0]>>endobj
++87 0 obj<</D[96 0 R/XYZ 0 569 0]>>endobj
++88 0 obj<</D[96 0 R/XYZ 0 537 0]>>endobj
++89 0 obj<</D[96 0 R/XYZ 0 465 0]>>endobj
++90 0 obj<</D[96 0 R/XYZ 0 393 0]>>endobj
++91 0 obj<</D[96 0 R/XYZ 0 334 0]>>endobj
++92 0 obj<</D[96 0 R/XYZ 0 302 0]>>endobj
++93 0 obj<</Type/Pages/Count 6/Kids[94 0 R
++96 0 R
++98 0 R
++100 0 R
++102 0 R
++104 0 R
++]>>endobj
++94 0 obj<</Type/Page/Parent 93 0 R/Contents 95 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F8 7 0 R/F9 8 0 R>>/XObject<<>>>>>>endobj
++95 0 obj<</Filter/FlateDecode/Length 90 >>stream
++x
++ÂÁ
++@@àû<Åä²fhV{Uä ÐNy R$¾ï"ÿeÂc>¨2Ê °¢â¼(
++U'AaØ13lNó~ÖíEÚ~²>µj£>!ëendstream
++endobj
++96 0 obj<</Type/Page/Parent 93 0 R/Contents 97 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F4 4 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R/Fc 9 0 R>>/XObject<<>>>>/Annots 31 0 R>>endobj
++97 0 obj<</Filter/FlateDecode/Length 1533 >>stream
++x¥VMÛ6½ï¯À¯¢/ëãÐCÛ4i:ivÉ%Ú¦b6úp%Ùý÷} %v·{é¬×cè ð >êïBüEÇd´kn ÄåëÏ7ü²tÄÔPÙdÔtã
++EaD(~aï´Èñã¿×TIÀõ:AÀ+ âgë(ÖØ*8µx/Ó"
++y¤ðf1Ïl¨/0Ïä×Aî9ú6зta}h\ø&/^si ¦Ébɤ\«¬J<hÆÔ:ÔMÄÃáÂNX±Oéy&9ç³¼(f-[b8ò&̲µ`ÉA
¼ôm <z6P¤TªLðP¦Ù²ÆRåEa&;з6æ<Ô³9¥s¨Ý4çA¨MÄpNXF!ú6ÂF9Nz6Ð,¿ôå¡N at FÎsq1bõÎÄÜ®q|æ\§Â¾
++4g«o-SæhÙÔ·uPz¨o-²¤|»¡$,/|}Cüb-ûÄta_ÇþW³`b0Hw}hÆrã¡ÌZ\°.5T0f
++ÞÒ3ák GO ÇuÉb°#kDy%_Ä¡±(Cúr¬Ýâä¡o4£qá88TÂBY·þ£ùÓÏ%?ôOæså,²ç-&R¦b<sÎOJòîì'¹:̼g¾`x¸ÊûÇÍÍË×%æ6.,/²i³{'¤ÍîöC7ùF÷÷ïè÷6ï_lþ²N,#âvÄA²Ûí¯§a4-½Rg£»2EK§uq$ö·ç(WôJït³Õ=ÅaÛÕ·º@ã°vs0á£Z2íØwûÓn4]KcGãAÓiÐÔU´ywÿs|0ãAÏÿ¶ù! i¿ðÚ!̱ïÎf¯g÷Þ:)Î ¤;8ìÛhÕ¼nwýãqå25íº¶ÕÄÊǵBúÛHêÌÚÑìgêm¿¢Çî$9¨zè®6ô¼4).¬§ôPBÖæ¬FM_õ#ïªêº{ ɧ׵zDå
++u½ÁA*4F½õèöFëâPZ4S¦@¶u¯û³îmÔ¹x9¹säýS×VæË©bé¨zÕ Ï~êÿnêèîA~dzã,§Ë¨.Ô#)Úh%i]ú| Wô &ú.xIåÉíj]æpYYâUÆyð¬ù^ϧ3³uYkÙÝj¦j
++YáîÑÛ9çã>Sfн%ðé(ébÐ>7LÞ¦W§ôØ"`ò]«ÿg[Ö½6LÅÇ#GÃésôδ_¯ÄJfeäw>lz}6Ýià9ÑÔ~lÓuòfhȯçòr-g¤Ý&Î6ªkExP¨&»ã©V=é;9¥¶8Zhm÷ü§r¤-f¢2È¼ê»Æ:wÕDÈ,G³ÃwX¥Õxêõ°¢íii¤ºI«ÁØvv¡Ì=+D;â? O·þ9ëË@MJ©ñ£êzÖ5×ÝÕÕþs¡âÆ5Vª1µQ<ÌÂ}ËúôýYÕ'm Y¼½o·ÅÈB³'=fÕyP"n³ä*Okñ½Jl§ûÑT¬µzÀH¡¦C¦EI"¾*ðá}õ
++ä|Õ4KÑå^«ý
HòÑaG¾mPñ`F-Û2Ó±y©¿,åXeÚvyÿØÀ½ý@j¿G7¹oû9<¨¾7]?|~aÇC1ù¸ª|¯wfê{8h¤(ÝîÆ [½r`*+c1\¦bO[ðî<0ͽþbL*0Üèj¾®R8¨×ÚÖZ2å[m¾/qwrÀÂeYcÄÇ-SZL/±c5F5RmƱִ5#ßï8éýõ
++=èÝ©7ããÜ¿æ§Ïÿ³²P¸÷¼GqÆ÷ÔÜ[îëòîaP©½É"¦ãçÍÍ7ÿ .Ý>endstream
++endobj
++98 0 obj<</Type/Page/Parent 93 0 R/Contents 99 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F0 3 0 R/F4 4 0 R/F5 5 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R>>/XObject<<>>>>>>endobj
++99 0 obj<</Filter/FlateDecode/Length 1220 >>stream
++xVÛnÛF}×WÒ°V$uuu¹à[-E´Æ\Z»ìîÒ®úÐoïÌHYISr®gfÎÌü°`2¤,IÈ0].ðo_# ¼ãSgø*ÎPg¾X88T aÄàV[É¿[à_n`#̳0oãO¨>
0¬GÑMæh)¶ZÁ¦Ú¬ Ñ
°ðPÉÜÁt[°UYjã Ó6Ë1Z=«ç9¸-w -(!RÒ¿D«L>V;u"¬¦8
o4¡_È(©)e£J&u¨,Õ#ìtå= Hµ÷bw¢k;ÆÉL&ôO
ã2§Iø]+gtZyd#`ðkÇK¢Ë]×úØWi÷Q×! 4ÇÂ%㲩@*
++&¤ÍÁÚøG°(;!Ë%@RÉ«Ç:³RBZK bÙ²4òŰÞÕ¥
++à ͨFÑÍæ8ÙêFkÇè§)£tÚ°#H®Ð)L±êRy /Òmºl¹ö÷Ê]rÃÌØ:ª£
++·J%åÛk\p©X5QEs6%giy¦©S¨r©°=À¤i±T'U!c}ïà}}>ä|Üâf}\láÊôÞåö!»Ï°£àû^ÇE`õÐÜkQ|Qżóu~FöêqWYAb|;ÑÀ?kæÝ×
++!
++&¾nûðÚ¤jÄÚj
++i¨@¹Æqz=Æîk°nuF{ïä3ÿÏKg¾¾ÅKØ7º8ïÅYå¶ÚH·Gø8l(
++;
++GUf5tDìÇ·ÿWSà 3q9RгVÆ«ÜõiÈ"ñ¤çè_xÂ9¾eUÏÁ8Û[]å)9ë¡!oôÙDÛÝ!#Ü4´ØCXG#²ýÑÞ~_ܨ¤O¼=ð (s¦\\ÖqÜí!M¶"yªépØ"W?¡j$:Ò¯Ú§bü§îÝ??$J8@îÈE´Y¢YõѬEÁ[lvV° ®S"EôçIn¬ö1¶² /ñ²Áj!s`üÞ8ü¢àPï`µ¹o[z±>\Þ qÈ>üÞûh"zõþv}»º\_¯¯ê{%ÝÍú·f!µ=XÅw×GÄâ³»¸©;uÇ
++Åaù~_¯V}ÍQqDáNð;UC]øWtÀD1LÓÅØ+%.:|N /ZNÂÂ÷µå7µÜµxVÇVTn$°CCݰ÷×Ь|T8f´Whú¨¤gÒÎ<½È7Z×t(ª/AsãgÆ¥Ý_þ±Pj©Ü ª~î¯ñżaç!¹çú`~)HIá)Èé«v Ѹ¯H¼ÍÅ/Ü(P "ïQ[Âç"xgÛ àeb¤/ð¯ }oBfnµjXdÙFl:ù®¤vºê>ÜüßP£Fn´NëÓ¡cêt7ÆrG.]¤¿?þfÉi«endstream
++endobj
++100 0 obj<</Type/Page/Parent 93 0 R/Contents 101 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F0 3 0 R/F4 4 0 R/F5 5 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R>>/XObject<<>>>>/Annots 44 0 R>>endobj
++101 0 obj<</Filter/FlateDecode/Length 1598 >>stream
++xW]oÛ6}ϯ¸ÈËR VümGoi»vÚ5k<
++DÙ\$Ò¥8ޯ߹$%3®ahT"ï×¹çRh?#Zi2§¬:&C¼é|ýÈoh¾ãgEãQ2
++%ÝEÍÇÉ<Z+
++§É,Z±:^¾0±:¿N®cÛè3%ËhÕe»'c.Èyµ¤Â1~?#~¨Îý¿/.¬¸búÃSWY¿äV¾Ã+³[sUÖ]MýÚÛÕÙÕ)F´*ЬùrA«ÜõhH«ìâgùÜÐ]-i-½3ºº±túõÕpvM£PsîI2ÂãÅ$¡;cB=°$hõé²RÁ·:¤0/ÉòÎ"DÖxKoEJØFÖø¥J²²~uB«²¿»Doîï?]q¬JZ´KåZ+¶L£i <\·D¥¨×r·úÎõ>`ñ°?öSaj"ÛP.·¢n*Ð'¥^S³VÄ,µ[âBd96\¥ÈÚ¶Tv{Z«§`ÜCf÷¨³Bj¹,D[6´A-K$ãêoLB¿ÖÅ@`Í©esèÜÅlÙ Qh$5Êfï0øzhQ0ç%Bß(u£
++gÔÁØô«Ûm°®_qî¦ûÏ«» ¡1fgi°heÀ~g-úèJtÕrTx²&XÐ5¼àil(ÚÅðìs§
++×Fä´uLmÏ/r}ÔÁ7 ¦Û»£È"Ïkió´ihk¬U%Ü·èqhÌáf#<¶·wÔÙÂT Ò²ÐkPVºôUùfvÇUç(
++µ£jº½¿;ÝSÍCåeéÑïÀq§^¢4×Qn©= LèFçG° uæ£nU.I
++®b?§ô0U«O
++Ì¢Ñæ¡:«÷Û&S4okoàA<
++oÑxs`KÓ¨¦+[¡ÖmÍD`¯ÿ)M7®Ó
¨T©DÍÙVn$ѹ5:ÑÜ¥óÖϺ)h#ìÁä`õ(yl·ÖCÒE¦¨Èÿ¨ª\4"!?d+d»pÖ^*Èd)êa Üú²È4¯åZÔ¹ÊÝ@÷@ð£ªõðÖõyF3.1çê8 -*÷¥b·T×ß{?
++#´
++È{Î Ú^º-H5xéqvØãÂv=H¦ÛΦH`Ð×Ýà£
++ÓêüØ):ÂZÛM®>ÌÂYzAç_8CÞYrÌÏý¦î´» IVà´)jSE\a,%ð
++ÃpÛ1l1§¥¬4ï³¹MvUâ#øÊað'ììSò¡ÁÌ
++B©ð>SïtH×|r|«qùó¥á"ÎçIнÅÜvÜõ&Þλ}çô(÷$Ì'uÝ7nø$Ø >P;bk)=k7{Ã(mÅì
++ÿÍhzeh8òÝñ|w`¾0Y`éOSf)·OW- ·¡üÀ£ Ì Á`¹²
++æ£Åî¬ÍNãNr²e1#¸þCÆôgË\P§Èô%Ä|éoO+Cko竬úÂGø%Õ'saXÕ9+²Ðùëm7[©-éy6¼¦AdÉL®¢-.1/3þh;¶µÉÛpùü~vB$5 {ëÅ/q¶>Üÿ.ß.2\q5biqiõ
++ÉgôþÛñ²Ó9äÔ´¸lzêáWöu¯géÛiúq.éûE:¦ïnÒwÓt¼HßÓtù!ÏÓåMºX¤Ë÷ô·Ô_Ì$íãë ~ÑG Y Ù!Z¹ÑòòŸïãõ\YEXÃÿUR¸åöõxúãAoÒªÑ~â¹^"âF;ªDïŽÙÔ¦]ûiôgPwÂW»çþyõ»f¤tt=N¦ü1ÏUÿmÓ©¾5è§/¿¾0çaß`±Ü½þ4]år/0ÞÊö?®Î~9ûã7»5endstream
++endobj
++102 0 obj<</Type/Page/Parent 93 0 R/Contents 103 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F0 3 0 R/F4 4 0 R/F5 5 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R>>/XObject<<>>>>/Annots 56 0 R>>endobj
++103 0 obj<</Filter/FlateDecode/Length 1758 >>stream
++x¥WÛÛF}¯(ø%2 áè6i?8; ¬³±#ØY=dSêÉVØMµ_¿§ªyÉÛ¢]uêrNþ¼Óæt· eLIq5f¯7ÑVë;|^ào¥)Åí<Z\8hÖüóëáÕå"© ŦòÓÇ«ÁcA1¿Ò
++ÏVÑíàpøÓÅúìêð§ñ&ÚïÑ<ZN9âÅbï.D¼/Lww}tò¹®9`ºþ©¬;
++Ð[y&À³»;BÝ}úûíÕÍû
++Íoq´ÍPÜ8£MLÛT4£m2YEôQ{oÊÕò{MNWG]·(v®Nô¨NÉá%]*Sz÷zûl¯h>¯wÑ2tòi¯ËpïOéë|f¾PUö+[ïö¤àÅÍðm®ñµ¥T{]¦Ôd2äF
++ìå[G*Ïí3 tÈ
++er2£ëùÅóÖAHD4:Üó:Ï;D~¯<¥!;rÌàES
++ ÿsÀèÊ;d פÀÊÈHh¨,,Gϸ¦tàýg»3³xCJoNÈþ~® êÀÀ'ç+xcËQúñ®W^/S;qg`Ê(ÉÂ×mÅ&Ñøv¯ ªÒLÕߨà!U*éQs¶¤®Ð£²q¾Ì°Ú{hªÞI°4Bà«Úy>
þ¸ûð:¢÷¶â^)¸J¦Dy®ÐBuãÑ6Ü@u)3>ÊÅ }ʱe M<h-S¦æhÒZåØÒW6'ËDîtíz
\qS®¢9H&¬
++ýûÙÕÄr{*¡(-li6LS öÙç¤
++s®j±ô\ ¤K8à¼A[&4à 4ø¨gÙRÿ$ÿw¦h¸5XGÒ°w |è5a &Î7GF èZHèw[C}òS¤(ÓÏCD=lHãÿk{¡p@2 aÔMº#z¢¾Õì KD"1mf[ ×4OÈCfYÌøIbøG@?£
++ËXÆøz©ßqÿ°h<éÓgqðn´OnA[oþ«Ëgm
++¡ÉK\otA¯Ý¿½äéþ-píë[ £¤7tÒ#
ºâh¶\2¶·N¨*ËÓº%3Èt"g
+++¡4²ß ×<¨ÊSVÙKDJ¸V(Ô¬Ò«9Êùóöj
++Þøl3%ä$}Zò¨ò]Th Ñ_`
++&®UÁÂ5*¼&hTÛESk¯¸ùlG^6-±ËÄ9¡S©:x[C03V=pÇÈ!³÷ýt{Ô?tºNH
++³*~ë(üõõÀsì¾R¥;X¤½P"@*®Ug·&4ÔÉÑO\eTdô²¶öYFÏX.P¦ååBƤ-õx.}`æÚfǯÈÁÎ6´Äq=`Ù×ÓfdR|ãPlt³Û§¡Èp£á¹S tæÕ ~=L
++UM¼Òj§JãD
Ö×ÓvT§´{cIExòGrv(Ä ©Gô$ð¬U¦_¯Ý[Û×ãNL·Ó¬$®cMoÊ»Ê3Odoí¥¡:HÀMXèdÏqíÙ5t»¢ñÈ3ñ¯µ¯sYù·ìUÃFê§ÿGÄfÝÍ?õO¿Túhlíè£ÑÑ寥áÎ|½hHInÁu D~¼°o-«@GÌA8@*T ºô%º¼Éhå
u-´[tHïì<{A*´¨ÈÏâ£ÁLä·s»AwîlP¸£ªnðÖ
++ß=ÏÞ$L\··u¶|H-à ìð=õÑöÝïu
++aà=к§$÷Ý
++ 4ë¾ñ¡uu`îguâ;Ç>EG¶.Ü «bñBêÃ%tøh!Ä6Òé®ò`ð¾
++Jh½_A¥B^
1^g,ïxNÚ`QØj¥ÎñÁDyÿö
++ä)V±'ü@ðö0óØjKeí [º¯åG³høÍÅD"T#ǨöEXÁ\ü$¹Æ4æîÂND¡d(²?Ú¾sô}L´rFW]¦Û_²pÝüoÑ*¦x9VmõP4úñçíáºyïún¶aý¿lWëY´^¯ðí°ñwÛ«]ý±Iÿendstream
++endobj
++104 0 obj<</Type/Page/Parent 93 0 R/Contents 105 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F4 4 0 R/F8 7 0 R/F9 8 0 R/Fc 9 0 R>>/XObject<<>>>>/Annots 65 0 R>>endobj
++105 0 obj<</Filter/FlateDecode/Length 362 >>stream
++x¥QËNÃ0¼û+öXqmÇñã
++z¨h!¸pkSQ hêç3NLëe<³»³ãO&IàdV-\àäôyºg¥áLUrG-ËUT³¶ä
++$£0rcÜ ÎùÈ
++ rlIJÏuF
Êâ÷øD0<ìMO\aFF×'.¨-¯22Ç`½åeÆ"2Òb
++í,þÞ}C¦$LUÞ>MÉç/DG¡1oTFò:°é'YÁ~Ø ãÂzH^PXM§ùv÷~¸
++ok¥¸£;
ëɲ;ôíf]ÛºUÒ»xµ½(cé²Ë@²ÄU»Lüþg§èº
++õ¯
++%oc×ÅsXÔqX(ǥǮÃãCsìi¹o¾·Ý×nº]ßìúK;K¯¸6".ò©ë9Í¢h¡HºÂ
++[çAk'¸sz®êÛÀÙþ¶ªendstream
++endobj
++106 0 obj<</Type/Catalog/Pages 93 0 R/PageLayout/SinglePage/OpenAction[96 0 R/XYZ null null 0]/PageMode/UseOutlines/PageLabels<</Nums[0<</P(title)>>1<</S/D/St 1/P()>>]>>>>endobj
++xref
++0 107
++0000000000 65535 f
++0000000015 00000 n
++0000000210 00000 n
++0000001776 00000 n
++0000001850 00000 n
++0000001928 00000 n
++0000002005 00000 n
++0000002084 00000 n
++0000002160 00000 n
++0000002241 00000 n
++0000002299 00000 n
++0000002357 00000 n
++0000002441 00000 n
++0000002541 00000 n
++0000002640 00000 n
++0000002741 00000 n
++0000002842 00000 n
++0000002941 00000 n
++0000003043 00000 n
++0000003145 00000 n
++0000003245 00000 n
++0000003347 00000 n
++0000003448 00000 n
++0000003549 00000 n
++0000003648 00000 n
++0000003748 00000 n
++0000003849 00000 n
++0000003945 00000 n
++0000004044 00000 n
++0000004142 00000 n
++0000004241 00000 n
++0000004340 00000 n
++0000004496 00000 n
++0000004594 00000 n
++0000004694 00000 n
++0000004795 00000 n
++0000004896 00000 n
++0000004996 00000 n
++0000005097 00000 n
++0000005194 00000 n
++0000005291 00000 n
++0000005390 00000 n
++0000005490 00000 n
++0000005588 00000 n
++0000005687 00000 n
++0000005787 00000 n
++0000005887 00000 n
++0000005986 00000 n
++0000006087 00000 n
++0000006189 00000 n
++0000006290 00000 n
++0000006391 00000 n
++0000006491 00000 n
++0000006591 00000 n
++0000006692 00000 n
++0000006794 00000 n
++0000006895 00000 n
++0000006988 00000 n
++0000007041 00000 n
++0000007126 00000 n
++0000007211 00000 n
++0000007296 00000 n
++0000007351 00000 n
++0000007436 00000 n
++0000007537 00000 n
++0000007638 00000 n
++0000007689 00000 n
++0000007721 00000 n
++0000007753 00000 n
++0000008240 00000 n
++0000008281 00000 n
++0000008321 00000 n
++0000008361 00000 n
++0000008402 00000 n
++0000008444 00000 n
++0000008486 00000 n
++0000008527 00000 n
++0000008568 00000 n
++0000008609 00000 n
++0000008651 00000 n
++0000008693 00000 n
++0000008735 00000 n
++0000008777 00000 n
++0000008818 00000 n
++0000008859 00000 n
++0000008901 00000 n
++0000008943 00000 n
++0000008985 00000 n
++0000009026 00000 n
++0000009067 00000 n
++0000009108 00000 n
++0000009149 00000 n
++0000009190 00000 n
++0000009231 00000 n
++0000009321 00000 n
++0000009474 00000 n
++0000009637 00000 n
++0000009831 00000 n
++0000011437 00000 n
++0000011626 00000 n
++0000012919 00000 n
++0000013124 00000 n
++0000014796 00000 n
++0000015001 00000 n
++0000016833 00000 n
++0000017020 00000 n
++0000017456 00000 n
++trailer
++<</Size 107/Root 106 0 R/Info 1 0 R/ID[<52b46cb37099c08d5166c89ce7f49956><52b46cb37099c08d5166c89ce7f49956>]>>
++startxref
++17634
++%%EOF
+diff -urNad postfix-release/tls/contributed/README /tmp/dpep.cXJuVH/postfix-release/tls/contributed/README
+--- postfix-release/tls/contributed/README 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/README 2005-02-03 10:22:13.093089328 -0700
+@@ -0,0 +1,16 @@
++All entries in this directory have been contributed from other sources:
++
++- Frederic J. Hirsch <f.hirsch at opengroup.org>
++ * loadcacert.pl:
++ I "took" this one from his excellent introduction
++ "Introducing SSL and Certificates using SSLeay"
++ http://www.camb.opengroup.org/RI/www/prism/wwwj/index.html
++
++- Walcir Fontanini <walcir at densis.fee.unicamp.br>
++ * fp.csh:
++ add fingerprints to the list of client certs;
++ be carefull to a adjust filenames and maptype as necessary
++
++- Craig Sanders <cas at taz.net.au>
++ * make-postfix-cert.sh:
++ automatically create certificates for postfix usage.
+diff -urNad postfix-release/tls/contributed/SSL_CA-HOWTO.pdf /tmp/dpep.cXJuVH/postfix-release/tls/contributed/SSL_CA-HOWTO.pdf
+--- postfix-release/tls/contributed/SSL_CA-HOWTO.pdf 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/SSL_CA-HOWTO.pdf 2005-02-03 10:22:13.094089105 -0700
+@@ -0,0 +1,252 @@
++%PDF-1.3
++%âãÏÓ
++1 0 obj<</Producer(htmldoc 1.8.21 Copyright 1997-2002 Easy Software Products, All Rights Reserved.)/CreationDate(D:20021210121816+0000)/Title(TLS CA and server key HOWTO)/Creator(SGML-Tools 1.0.9)>>endobj
++2 0 obj<</Type/Encoding/Differences[ 32/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quotesingle/parenleft/parenright/asterisk/plus/comma/minus/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/grave/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 128/Euro 130/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE 145/quoteleft/quoteright/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe 159/Ydieresis/space/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]>>endobj
++3 0 obj<</Type/Font/Subtype/Type1/BaseFont/Courier/Encoding 2 0 R>>endobj
++4 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Roman/Encoding 2 0 R>>endobj
++5 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Bold/Encoding 2 0 R>>endobj
++6 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Italic/Encoding 2 0 R>>endobj
++7 0 obj<</Type/Font/Subtype/Type1/BaseFont/Helvetica/Encoding 2 0 R>>endobj
++8 0 obj<</Type/Font/Subtype/Type1/BaseFont/Helvetica-Bold/Encoding 2 0 R>>endobj
++9 0 obj<</Type/Font/Subtype/Type1/BaseFont/Symbol>>endobj
++10 0 obj<</S/URI/URI(mailto:justin at palmcoder.net)>>endobj
++11 0 obj<</Subtype/Link/Rect[72.0 680.2 174.1 698.0]/Border[0 0 0]/A 10 0 R>>endobj
++12 0 obj<</Subtype/Link/Rect[85.2 551.5 182.0 569.4]/Border[0 0 0]/Dest[77 0 R/XYZ 0 379 0]>>endobj
++13 0 obj<</Subtype/Link/Rect[85.2 519.3 190.8 537.2]/Border[0 0 0]/Dest[77 0 R/XYZ 0 132 0]>>endobj
++14 0 obj<</Subtype/Link/Rect[85.2 487.1 336.9 505.0]/Border[0 0 0]/Dest[79 0 R/XYZ 0 620 0]>>endobj
++15 0 obj<</Subtype/Link/Rect[85.2 454.9 249.9 472.8]/Border[0 0 0]/Dest[79 0 R/XYZ 0 137 0]>>endobj
++16 0 obj<</Subtype/Link/Rect[108.0 427.6 159.3 440.6]/Border[0 0 0]/Dest[83 0 R/XYZ 0 707 0]>>endobj
++17 0 obj<</Subtype/Link/Rect[85.2 396.3 131.0 414.2]/Border[0 0 0]/Dest[83 0 R/XYZ 0 534 0]>>endobj
++18 0 obj<</Subtype/Link/Rect[72.0 366.9 93.4 379.9]/Border[0 0 0]/Dest[77 0 R/XYZ 0 379 0]>>endobj
++19 0 obj<</Subtype/Link/Rect[176.5 366.9 200.6 379.9]/Border[0 0 0]/Dest[77 0 R/XYZ 0 132 0]>>endobj
++20 0 obj<</Subtype/Link/Rect[241.9 366.9 283.8 379.9]/Border[0 0 0]/Dest[77 0 R/XYZ 0 569 0]>>endobj
++21 0 obj<</Subtype/Link/Rect[72.0 119.5 93.4 132.5]/Border[0 0 0]/Dest[77 0 R/XYZ 0 132 0]>>endobj
++22 0 obj<</Subtype/Link/Rect[134.6 119.5 176.5 132.5]/Border[0 0 0]/Dest[77 0 R/XYZ 0 569 0]>>endobj
++23 0 obj<</Subtype/Link/Rect[176.5 119.5 200.6 132.5]/Border[0 0 0]/Dest[79 0 R/XYZ 0 620 0]>>endobj
++24 0 obj<</Subtype/Link/Rect[200.6 119.5 241.9 132.5]/Border[0 0 0]/Dest[77 0 R/XYZ 0 379 0]>>endobj
++25 0 obj<</Subtype/Link/Rect[241.9 119.5 283.8 132.5]/Border[0 0 0]/Dest[77 0 R/XYZ 0 537 0]>>endobj
++26 0 obj[11 0 R
++12 0 R
++13 0 R
++14 0 R
++15 0 R
++16 0 R
++17 0 R
++18 0 R
++19 0 R
++20 0 R
++21 0 R
++22 0 R
++23 0 R
++24 0 R
++25 0 R]endobj
++27 0 obj<</Subtype/Link/Rect[72.0 607.6 93.4 620.6]/Border[0 0 0]/Dest[79 0 R/XYZ 0 620 0]>>endobj
++28 0 obj<</Subtype/Link/Rect[93.4 607.6 134.6 620.6]/Border[0 0 0]/Dest[77 0 R/XYZ 0 379 0]>>endobj
++29 0 obj<</Subtype/Link/Rect[134.6 607.6 176.5 620.6]/Border[0 0 0]/Dest[77 0 R/XYZ 0 537 0]>>endobj
++30 0 obj<</Subtype/Link/Rect[176.5 607.6 200.6 620.6]/Border[0 0 0]/Dest[79 0 R/XYZ 0 137 0]>>endobj
++31 0 obj<</Subtype/Link/Rect[200.6 607.6 241.9 620.6]/Border[0 0 0]/Dest[77 0 R/XYZ 0 132 0]>>endobj
++32 0 obj<</Subtype/Link/Rect[241.9 607.6 283.8 620.6]/Border[0 0 0]/Dest[77 0 R/XYZ 0 504 0]>>endobj
++33 0 obj<</Subtype/Link/Rect[72.0 124.8 93.4 137.8]/Border[0 0 0]/Dest[79 0 R/XYZ 0 137 0]>>endobj
++34 0 obj<</Subtype/Link/Rect[93.4 124.8 134.6 137.8]/Border[0 0 0]/Dest[77 0 R/XYZ 0 132 0]>>endobj
++35 0 obj<</Subtype/Link/Rect[134.6 124.8 176.5 137.8]/Border[0 0 0]/Dest[77 0 R/XYZ 0 504 0]>>endobj
++36 0 obj<</Subtype/Link/Rect[176.5 124.8 200.6 137.8]/Border[0 0 0]/Dest[83 0 R/XYZ 0 534 0]>>endobj
++37 0 obj<</Subtype/Link/Rect[200.6 124.8 241.9 137.8]/Border[0 0 0]/Dest[79 0 R/XYZ 0 620 0]>>endobj
++38 0 obj<</Subtype/Link/Rect[241.9 124.8 283.8 137.8]/Border[0 0 0]/Dest[77 0 R/XYZ 0 472 0]>>endobj
++39 0 obj[27 0 R
++28 0 R
++29 0 R
++30 0 R
++31 0 R
++32 0 R
++33 0 R
++34 0 R
++35 0 R
++36 0 R
++37 0 R
++38 0 R]endobj
++40 0 obj<</Subtype/Link/Rect[72.0 521.8 93.4 534.8]/Border[0 0 0]/Dest[83 0 R/XYZ 0 534 0]>>endobj
++41 0 obj<</Subtype/Link/Rect[93.4 521.8 134.6 534.8]/Border[0 0 0]/Dest[79 0 R/XYZ 0 620 0]>>endobj
++42 0 obj<</Subtype/Link/Rect[134.6 521.8 176.5 534.8]/Border[0 0 0]/Dest[77 0 R/XYZ 0 472 0]>>endobj
++43 0 obj<</Subtype/Link/Rect[200.6 521.8 241.9 534.8]/Border[0 0 0]/Dest[79 0 R/XYZ 0 137 0]>>endobj
++44 0 obj<</Subtype/Link/Rect[241.9 521.8 283.8 534.8]/Border[0 0 0]/Dest[77 0 R/XYZ 0 414 0]>>endobj
++45 0 obj<</S/URI/URI(http://www.openssl.org)>>endobj
++46 0 obj<</Subtype/Link/Rect[108.0 461.2 180.4 474.2]/Border[0 0 0]/A 45 0 R>>endobj
++47 0 obj<</S/URI/URI(http://www.suse.com)>>endobj
++48 0 obj<</Subtype/Link/Rect[108.0 448.0 162.1 461.0]/Border[0 0 0]/A 47 0 R>>endobj
++49 0 obj<</S/URI/URI(http://www.palmcoder.net)>>endobj
++50 0 obj<</Subtype/Link/Rect[108.0 434.8 269.3 447.8]/Border[0 0 0]/A 49 0 R>>endobj
++51 0 obj<</Subtype/Link/Rect[93.4 406.4 134.6 419.4]/Border[0 0 0]/Dest[79 0 R/XYZ 0 137 0]>>endobj
++52 0 obj<</Subtype/Link/Rect[134.6 406.4 176.5 419.4]/Border[0 0 0]/Dest[77 0 R/XYZ 0 414 0]>>endobj
++53 0 obj[40 0 R
++41 0 R
++42 0 R
++43 0 R
++44 0 R
++46 0 R
++48 0 R
++50 0 R
++51 0 R
++52 0 R]endobj
++54 0 obj<</Dests 55 0 R>>endobj
++55 0 obj<</Kids[56 0 R]>>endobj
++56 0 obj<</Limits[(s1)(toc5)]/Names[(s1)57 0 R(s2)58 0 R(s3)59 0 R(s4)60 0 R(s5)61 0 R(ss4.1)62 0 R(ssl_ca-howto-1.html)63 0 R(ssl_ca-howto-2.html)64 0 R(ssl_ca-howto-3.html)65 0 R(ssl_ca-howto-4.html)66 0 R(ssl_ca-howto-5.html)67 0 R(ssl_ca-howto.html)68 0 R(toc1)69 0 R(toc2)70 0 R(toc3)71 0 R(toc4)72 0 R(toc5)73 0 R]>>endobj
++57 0 obj<</D[77 0 R/XYZ 0 351 0]>>endobj
++58 0 obj<</D[79 0 R/XYZ 0 733 0]>>endobj
++59 0 obj<</D[79 0 R/XYZ 0 592 0]>>endobj
++60 0 obj<</D[81 0 R/XYZ 0 733 0]>>endobj
++61 0 obj<</D[83 0 R/XYZ 0 506 0]>>endobj
++62 0 obj<</D[83 0 R/XYZ 0 707 0]>>endobj
++63 0 obj<</D[77 0 R/XYZ 0 379 0]>>endobj
++64 0 obj<</D[77 0 R/XYZ 0 132 0]>>endobj
++65 0 obj<</D[79 0 R/XYZ 0 620 0]>>endobj
++66 0 obj<</D[79 0 R/XYZ 0 137 0]>>endobj
++67 0 obj<</D[83 0 R/XYZ 0 534 0]>>endobj
++68 0 obj<</D[77 0 R/XYZ 0 734 0]>>endobj
++69 0 obj<</D[77 0 R/XYZ 0 569 0]>>endobj
++70 0 obj<</D[77 0 R/XYZ 0 537 0]>>endobj
++71 0 obj<</D[77 0 R/XYZ 0 504 0]>>endobj
++72 0 obj<</D[77 0 R/XYZ 0 472 0]>>endobj
++73 0 obj<</D[77 0 R/XYZ 0 414 0]>>endobj
++74 0 obj<</Type/Pages/Count 5/Kids[75 0 R
++77 0 R
++79 0 R
++81 0 R
++83 0 R
++]>>endobj
++75 0 obj<</Type/Page/Parent 74 0 R/Contents 76 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F8 7 0 R/F9 8 0 R>>/XObject<<>>>>>>endobj
++76 0 obj<</Filter/FlateDecode/Length 101 >>stream
++x+ä2T0 BCs#c3
ä\.§.}7KCK
4C=K ©©¡¥©BHBH²FO°³£Bb^BqjQYjBvj¥x¿fHkW öïendstream
++endobj
++77 0 obj<</Type/Page/Parent 74 0 R/Contents 78 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F4 4 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R/Fc 9 0 R>>/XObject<<>>>>/Annots 26 0 R>>endobj
++78 0 obj<</Filter/FlateDecode/Length 1408 >>stream
++x}VÛnÛF}÷WÌ£Ho¢¨GU©{3·ZðE-I.Ë]JÑßçÌ.iÒ4Û3³þï& ÿZ%W7¾çã×?â_(W^HÅôBI7±¢À½`¢´~~
++ï8]ã3ÄÿVPa®VÎÿ¶
++o
TAÀŬ2Nc/b©ãc+b#ºÈAS/8º +Ç áb+pÐXÑfQ7¹ðôãTvã¿qÊ
Iìm& `+JÖYMÄЫÎêýû=:Ne Z¯ßGEc7èlcGpÖ(sÔY¨QÂM«hµá V`?]´ò1ÈÙ"âºP{!FV`Àaïd S hîÉ
q¾úÚ°!ñ|½¯ iýÎ0nD¯q^Uq 8ê,ÞÁÏu£ÈÙú«¯co=þÃþæãÝì¡}
MÖ©·Ù´?Úåôißîïi·¥¬>íY´ô"®ôóç¿÷?ìÿuî+ä²Qè¥1¸ýµÓFÖô);K¡eÍèíBL9Óñöxþ>\T}?tÖÉÄ7¶"ï°Ü*î³+¤¦rUU]-óÌHUkuÞ^þNúª¨<úŰ%Û©º¼R§Å,âdLC¥¬_¨P-#ðiiɼÚåUõLÕ:Ëm®:CyVÓA¸¨pG·®sLM«ÊU¹ Ýå'ÊrYe²e-Ìîö³¼Âä=>Þs` a£Á\dqµ¨ka¡a\Z£k'¦< '5¶
ÐÚ´êØY>?¦úv:¡ËFÞ˺ûò>^úºéw#FÚvæ¤Zi®ßxÅíZaÁ-ÐÊ!h§b9ò$Æví²3¼z6å=?k/åsz
++5¹ c¹Kì¾Ä¶æÇż¼CÊÍ@ÊßÅC8KÕiÚ©ÚÚhzÿçyB'Âóýýx7ñ>ó ª,Õ
ÌIÐÃÃoT©£(ééö¡;2ÿøÐÊ3ÀËøôÁ£=¨¬M·À½Hu±+Ü8·~"¿'yyKåH~õe§åXÅ){@Ôâ
xÎú.PÀnûôYfZ>×\3VvËwÇ®÷K.µÅoZ^ÝlÔd¹â{fýf+Â'+ãb[ÐÄÒ:Åæ 2£"ÎÎ 6
«ò¸t°Ã¶áAÃÓù¦x µ@`ìÁ
ûYÁܻ̬#ówÉa3*ÄõkÂê1(l©hí`©B-Ô¨¦+³èxþ°Í{º½\.EÕXÀëGsÙ2i38WÕQ
ÞRÖ4¸(ÚZrÑ/Ïø
++¥V ÷_pP¾{ø*[»Ð2ý ¶C«É}y#°%ïn» ËIâ8VÖfâÃj«ªÅ°r¾èò°Ö®Õ¢,°'Ð
ç¢ám$ðfV«j³ZjûX°¹*
++t=äÀÝuR]j;eKV2ªíhi»}^ô[½¥×¸´Rv<m³ë`_në¤T*ZUa.ý:ç0»ØûR2E¹kM¥´t7¼Æ§Q"séó x¤£ÇV¶üBØÜAâ>5ٳР,Ë~*è^YØaÍ4+ÿ Ö¼'ðfºÛ¾®CÿÜ¿n¿{
Óñtå"·Vßÿ&N}/Mc÷öÇýÍ7_~½ ¥endstream
++endobj
++79 0 obj<</Type/Page/Parent 74 0 R/Contents 80 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F0 3 0 R/F4 4 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R>>/XObject<<>>>>/Annots 39 0 R>>endobj
++80 0 obj<</Filter/FlateDecode/Length 1577 >>stream
++xV[WÛ8~çWÌc8K{¥ôrJÛåô,<[NTlÉäÐô×ï7²ØY^viK£Hsÿæùq0¢!þèlLÇóa4¤ÓóQ4¦é>ñÏJJùO·¿¾¾¯£ å4E'tÍZÇ&üdw×:æ4D§Ëö·ãiG´}Æíä<:o˶ÎìÑ(¶nC`°=}%0¸1
ÿÿ¦ç¨Ã·ÑÕ7!íÍîÔ¶½ª"«¥ª@vw!Îæ.±»Û ¶wÓíyþÇâ`ðîF§p~¢Àé8Mh
++i÷ÆÍç×d4]+]þ<\|Ì FD|O ô+I¹q
++S°d
++©ÉÒÆ2èPyÉ\j/¼>åè/ =¢JM=-ý±ÏJ/ÉI«¤#ëy9¿b7Ô0(çz*YïA×Ê2z¨4F)5p ú-¾Û=w$«Ôõ¨ñ³XÊÚv7ì;C§U1yCìQÔU çÆ`Î}1^^4¡²¤ÑÙÄZ¨L<e²úª´HÐA[×Åþ&¥d³ñ)5ÖïeÃJ/æd°1ÊK¡ö±]=Æ3û(zºµrLéèÒhè½þui7ýc"(:\¤÷¨ ºÖ«¾zI³Ò¯U~ÓÍ&§j¢
°lLI+±æÔ8/²L&¡ð5ZÒQ¼%J±7véÎ˹r1$B¹Øtа²'á`¹é.>#vc»
*¬Y«ÈTH*<|V
++:;F=2Wí¿FaöìÚÈÕ!µòeå¥zt.ZjdmS5LuùSÆ%òÍöReæ/ª¤é[&eïAª3®¿5Æ¿ù%õE7}¿S4¸EEF}-_bÑxæOz³à¹DÑ\5AÊÃÎóÏ»AvB¢ Jîå ôÎñ£ØèT-K[EjM¾«+D£¾Q¬Sêx/µd È05ðø¤<}ÏP'µf >Ë
ìý~ê-/ («@¼m9+¼¹¹
j}X°ÆBæ]G®Bn¯>©ÎQ±²@WÈÿ6̿пéíð0]Býÿ dX¯Ï?µóÕ7ßÐ8cX<84yá¹L]¥ÁyØ Ô( Q ¡Úì$ªFg·|÷}nß0 at _/|ÿ㪩½#¥r+XýÂPðýæ<ðvPô£T¨è&(EÐVYâÄ2#fÃhzÊ~îøüÊÃU-&2ó´Y)ècÔVîWíÄ·L}e¥
va*X_ÓbSEøÐÃMÏÍ}Bß}z¼¸ûÔñu1²qË,ôÒóÐKKL6î:#Ð~xúxñÜáºIº6H5·KPÎ,úxqmt²£¢Ð7v)´úUá£6L^ä>2¼1é^%K·ÐíÇÕ@wø«®3mÝ"£;L¥¶_$f¬\ßͯöriòÝrêÛÍÝ×m&öÍwùꢫ3fIé8!ßKãW:Å&*C »}§Xs
ÃT®È®b÷=rcÞÆhh±O½è¬%°PÍnͽxº4&9B3´¹#¬.ÀjR½õ´[KÊc4м28Æ1GÝ<Úo¹MRP$H`&ߨcÚ/ãöûs#îYnú$¼¸fÍjøSaÔñ¶Rͦ4wS
++1"ªÑV5æÐZÖL ìu={¶!k0ÓCõ¡}·»ÞvFt_7øÒÀ_Æÿaà«§Ì
++ !¼ %9Ò
++=îÛklÓðØÈÿï5wÍÑäÐd4Æaûî-®ç<(?Ø}]ôáæ~qÃÞôþÙðøÊ~
:=ÁRÏ÷,uµ8øóàõ/þendstream
++endobj
++81 0 obj<</Type/Page/Parent 74 0 R/Contents 82 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F0 3 0 R/F4 4 0 R/F5 5 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R>>/XObject<<>>>>>>endobj
++82 0 obj<</Filter/FlateDecode/Length 1815 >>stream
++xW]SÛ8}çWÜÇì,1IHåa§]¦´$ÙN§åA±åD-¥þú=W²ÛL»ÂǺßç{õíhHüÒÙN'çGoçG'ׯiø*:§ywóQ4Ð<¡A4h÷Æ]R8¥W$ÈÊb+zÏ¿Íÿðà ÚE§èIz÷:´´[I1ËÜZÒÕå1¯%?ê´Æ²p*U1Rj
++voÏ8)©}í±xfñ\<Iöb@ýái4bËxk%)Kò»]c8nE.¿þUGGhÌG?ý
üVJë"¯¡/Da;¾ºµpT´ìÒÖÔJ#<örøÑÆÐGEéL¤Æ´)L,=ƯñËÊy¨«ÏPdôËhn´5W6¦D2v¦xFd\:yj5 ץߣW3NDa{óCêÒ'Öf'^Ë\]FúZîdêôñªUY £)-LN{%f#5E±N©%ú§Ô%<ÑÊÑÃìaª-C è~þùÝ?[Úw
òªásS'mdÞv¨ÏϦ$QHKSºª®Â>Ô(Ò *W{ìTqýM±1ÇÝgS-·lÕ8k}ù¹¶eK;~ͨCEÐ;e9êRÙ5ï xòmóîñ+9ü~+²+ÚѧHTªdXZ"X6MäæµÐO×Ð窳h,h¬ÈT£ÈJyL7©×<näôJöÒL]°R7)JÒkfäûûÊÚØ>¯½Üt\Ø$hqú²xÿx±xßJåÌ1¤àýÂlQY§%
++¦=7Ðíû£lÛç[T+·7,WÇãm>^Ü}{×ïÐêGÀGå2ùFh/wÃ8ÒÒÑ'¬,~þ[<^ÌJ;¥[¥Ëï´xÏ_µiê-4Ú§a¢ùÊàÚl1.Þ÷gÓ¿§¼\<vïû<^äBe-bOm¦ü.¤ wq6ƺ\Xôæg2)°sÀGÉ2³c"ß]!H8W(´¨G·~ÙBU×´º¤xÍ¡W6ÂÚ)ö÷¥&³á!uq¨ÒOKô!p;sukæzÝ¥Ã|ì{ÎDÓSFöõKOÙ¾aiNö£¯Qn|§sº®?¾»#¢ñZiÖÀ4ÐuGz
FC>cØÏHöÕGZ5Ôó 󨍮WóTnü×k9¤k¥¶R×Sªéjg%x0%àRÙu¥þqÚã<GWYÆÁÅ\$~1¨1÷Cu³É°3,3¤Át&3o¢cº
++ ú¼cTêL=ÉjIàÀº f.«æ&Ûʤ&¨zÕÉVÙÚ01ùï$¬ª\åEHÏÎ.£7
++¼Q `¯Ò0þU{©+Ym±ç ̽¥ÎÕ¶<vª6®ß©NêêB³ã*5Þ©ªðÑÝV!ÑúR;@Cø~£Íºà¯W¸qÀ;TÔÔ²?31´ýÀ½Wø 7pÓ´²¿gÔG\;R˰%bÔqñ¼áQrGKì9
++¾)p
ÜÍYÅ3¸uE³Þ,Å'N®'Õ:ÜêÛY\ÐcÞÉA!ñ¢á[¬^íFÆuíy
©yîk/xU8,3áE½÷ÀE!Õ[qn¼'
j
H0ðM°»EâÐaZ/¤ïÏF©ò
Ù1Ï»^£ßsɨW¿ÄýçS~ ¿
N]J¬(
ôÇógà1ÜÔKr!u ·,·A½¸¼ g¡Üì"³¸ÍÍ«CÌýP]!"¿
++¢¸QS±8 À¥¡ÄtÁ9:¦J𨲶úÓý$¬ ñë¾ñ¨áþòëìôu¢×Ýþ:³1¨Í.ÜÖ8_@?v9ô&n8ôn:På"VÂÙ *ÆG¼^ÁMü*¥QD8Þv;´7"îaNo§ÞÜÑÕôa~s}su9ÒÃôãb:{Øóõ©+;½{÷$±f`¬»îE±TòLÕè%½ä9'Ì&®$8¬º÷áÚº@ÿ3©ãr·ûx×Ìì(_êqÐÔÉÃyÕæÃÉ+Ã&gãh2ðëùísZqúëþÓüeûµHÿlðW_ÝßÇçèü|?²øt~ôñè_F/
endstream
++endobj
++83 0 obj<</Type/Page/Parent 74 0 R/Contents 84 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F0 3 0 R/F4 4 0 R/F8 7 0 R/F9 8 0 R/Fc 9 0 R>>/XObject<<>>>>/Annots 53 0 R>>endobj
++84 0 obj<</Filter/FlateDecode/Length 819 >>stream
++x¥TMoÓ@½çWÌ1²þ?*Q¥P¤brMc{wÝ6øí¼Y;¡ªVfgÞÌ7³ûmä?bjä
++¦îT&1~ûøo$-ÙÐÃçã[&H¨"ß³664
Ì"_Dȶ÷
Ì<7ÓÓóC0¼Q*Ò¡w`sMåz3éêAÄg~$|0YLfpgôÀÑËLÁÀYQê
++o೸ M4è7¥Î°¸£ 2!B¾Ê}DÃdΡ
o`àeaPüE;¦ æÙõcêgD{_7¦£óU6rÞäy-±?QS¶°ÛáRV[-©¬i§ÚôNYgÙW at Rò¦èØ&'ü¸qñ.ò{Ý
3O|´±ßÔ̪¬ïðÍ
PfÙnÈ(Z×êO¬çf+ëÙìm*iÊJjÕ¨² |®ZC+ÄÕy%)§B6¦\En¤ wY¸4Á¬}®¼PHÒø(.
++À*×+¶6JÛíÓÜzN²
QÍNP¶ îd-YÐ|ºíT|i$g=©íls³rr5ªªòzÁ©9û~Fr-Ï:5]J¹%ßðûñ´ÆRæÅwYý óCurZÝ8ZoªÔ
³'9/ƯsýC at -¥ØÊSÍåtîçØ»È~¬K28¯í¡h0~Ècaª¹Ú`R²^³Æò
º§Ò@{Ú¹Ü+@RÓ+§°^+ÈõEØ7ÖO³í×fSμÙÙÑjZª YSip/xбeÁÃeù½|4tÛÈûRµ.Tmdm4ýþ¸Óåé %h*è
++\ +ÝñNô«~
=ïrý¥Ä"áÇú~ö1ð§°ÎÃ~ÏÚÙ%ý_
++FS/úÒfY>:Ùõ®n>e7³¡ÆBzéßôì2&}³^bð\áá¼È._¼$\Ò²¹
å®£ÃØÉ2ÝãOÞ 0qE!#.³ÑÑO¢ê|endstream
++endobj
++85 0 obj<</Type/Catalog/Pages 74 0 R/PageLayout/SinglePage/OpenAction[77 0 R/XYZ null null 0]/PageMode/UseOutlines/PageLabels<</Nums[0<</P(title)>>1<</S/D/St 1/P()>>]>>>>endobj
++xref
++0 86
++0000000000 65535 f
++0000000015 00000 n
++0000000220 00000 n
++0000001786 00000 n
++0000001860 00000 n
++0000001938 00000 n
++0000002015 00000 n
++0000002094 00000 n
++0000002170 00000 n
++0000002251 00000 n
++0000002309 00000 n
++0000002367 00000 n
++0000002451 00000 n
++0000002551 00000 n
++0000002651 00000 n
++0000002751 00000 n
++0000002851 00000 n
++0000002952 00000 n
++0000003052 00000 n
++0000003151 00000 n
++0000003252 00000 n
++0000003353 00000 n
++0000003452 00000 n
++0000003553 00000 n
++0000003654 00000 n
++0000003755 00000 n
++0000003856 00000 n
++0000003977 00000 n
++0000004076 00000 n
++0000004176 00000 n
++0000004277 00000 n
++0000004378 00000 n
++0000004479 00000 n
++0000004580 00000 n
++0000004679 00000 n
++0000004779 00000 n
++0000004880 00000 n
++0000004981 00000 n
++0000005082 00000 n
++0000005183 00000 n
++0000005283 00000 n
++0000005382 00000 n
++0000005482 00000 n
++0000005583 00000 n
++0000005684 00000 n
++0000005785 00000 n
++0000005838 00000 n
++0000005923 00000 n
++0000005973 00000 n
++0000006058 00000 n
++0000006113 00000 n
++0000006198 00000 n
++0000006298 00000 n
++0000006399 00000 n
++0000006485 00000 n
++0000006517 00000 n
++0000006549 00000 n
++0000006878 00000 n
++0000006919 00000 n
++0000006960 00000 n
++0000007001 00000 n
++0000007042 00000 n
++0000007083 00000 n
++0000007124 00000 n
++0000007165 00000 n
++0000007206 00000 n
++0000007247 00000 n
++0000007288 00000 n
++0000007329 00000 n
++0000007370 00000 n
++0000007411 00000 n
++0000007452 00000 n
++0000007493 00000 n
++0000007534 00000 n
++0000007575 00000 n
++0000007655 00000 n
++0000007808 00000 n
++0000007982 00000 n
++0000008176 00000 n
++0000009657 00000 n
++0000009851 00000 n
++0000011501 00000 n
++0000011690 00000 n
++0000013578 00000 n
++0000013772 00000 n
++0000014664 00000 n
++trailer
++<</Size 86/Root 85 0 R/Info 1 0 R/ID[<aaedfd305bb7c3684a776fbbbf827de8><aaedfd305bb7c3684a776fbbbf827de8>]>>
++startxref
++14841
++%%EOF
+diff -urNad postfix-release/tls/contributed/SSL_CA-HOWTO.sgml /tmp/dpep.cXJuVH/postfix-release/tls/contributed/SSL_CA-HOWTO.sgml
+--- postfix-release/tls/contributed/SSL_CA-HOWTO.sgml 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/SSL_CA-HOWTO.sgml 2005-02-03 10:22:13.095088882 -0700
+@@ -0,0 +1,168 @@
++<!-- This is a comment. It's ignored when this source file gets converted to other formats. -->
++<!-- The next required tag implies that this file is in LinuxDoc format -->
++<!doctype linuxdoc system>
++
++<article>
++<title>TLS CA and server key HOWTO
++<author><url url="mailto:justin at palmcoder.net" name="Justin Davies">
++<date>v1.0, December 2002
++<abstract>
++Secure Socket Layer is a communications encryption system.
++It is commonly used to encrypt a http link for secure on-line transactions, but can be used for any
++communications protocol, such as e-mail, telnet, FTP etc.
++SSL uses certificates to encrypt and verify a connection session.
++</abstract>
++
++<!-- The "toc" = Table of Contents. It will be created here. -->
++<toc>
++
++<!-- Begin the main part of the article (or document) here. The part
++above this is sort of a long header. -->
++
++<sect>Introduction
++<p>SSL certificates follow the PPK model (Public/Private key). To establish a
++connection, a public and private certificate is used to verify and encrypt a session.
++To verify these certificates, a Certificate Authority (CA) is used to sign them. A CA is a
++known and trusted third party that signs certificates and allows the hosts participating in
++the communications to be confident that they are both authorised by a separate entity (the CA).
++
++There are a few CAs on the Internet, the most popular being Verisign (www.verisign.com).
++The get a CA key, you must apply to a CA and in most cases you must also pay the CA for
++their service. You are able to become your own CA, which means you can sign newly created
++certificates yourself. This is acceptable if an organisation is offering services to employees as
++both parties trust the CA (the organisation). For public SSL sites it is advisable that you apply
++for a CA certificate from a known authority so that a client can present the server certificate as
++authentic to the end user. In the following pages, we will create self signed certificates
++based on a self created CA.
++
++<sect>SSL on Linux
++<p>The most popular open source SSL implementation is OpenSSL. It is in the n (networking) series
++of the SuSE distribution, this will be different for other distributions as the <it>package series</it> is
++centric to SuSE.
++<p>
++<it>Note: OpenSSL is only available in the European SuSE distributions. This is due to
++American import restrictions on munitions.</it>
++
++
++<sect>Setting up a Certificate Authority
++<p>Once you have installed the OpenSSL package, change directory to /usr/ssl/misc (again, may be different based
++on your distribution).The OpenSSL distribution provides a perl script that greatly simplifies the creation of a
++CA, certificate requests and certificate signing. In the misc directory execute the following:
++
++<tscreen><verb>
++root at zen:/usr/ssl/misc > ./CA.pl -newca
++CA certname (or enter to create)
++Making CA certificate ...
++Using configuration from /usr/ssl/openssl.cnf
++Generating a 1024 bit RSA private key...++++++ ....++++++
++writing new private key to ./DemoCA/private/cakey.pem
++Enter PEM pass phrase:
++Verifying password -
++Enter PEM pass phrase:
++
++-----
++
++You are about to be asked to enter information that will be incorporated into your certificate
++request.
++What you are about to enter is what is called a Distinguished Name or a DN. There are quite a
++few fields but you can leave some blank
++For some fields there will be a default value, If you enter the field will be left blank.
++-----
++Country Name (2 letter code) [UK]:UK
++State or Province Name (full name) [Some-State]:Herts
++Locality Name (eg, city) []:London
++Organization Name (eg, company) [Internet Widgits Pty Ltd]:SuSE Linux UK Ltd
++Organizational Unit Name (eg, section) []:SUSEUK
++Common Name (eg, YOUR name) []:SuSE Linux UK
++Certificate Authority Email Address []:justin at suse.co.uk
++</verb></tscreen>
++
++This creates the CA certificate and a private key. It is very important to use a good, solid pass
++phrase for the certificate as anyone who has access to the certificate can fake an authentic
++certificate from your CA. The default location of the CA files is in the ./DemoCA directory. To change
++this you will need to edit the CA.pl script to make the CA in a different directory. We will go
++with the default here as it helps keep things nice and simple.
++
++<sect>Creating a server key
++<p>Once we have created the CA, we need to create a certificate for the a server or a client
++(the way to make these is exactly the same).
++
++We need to create a certificate request. This creates a certificate that requests to be signed
++(this is not an automatic process, and is handled by the sign process later on).
++
++In the misc directory execute:
++
++<tscreen><verb>
++root at zen:/usr/ssl/misc > ./CA.pl -newreq
++Using configuration from /usr/ssl/openssl.cnf
++Generating a 1024 bit RSA private key...........................++++++ ....++++++
++writing new private key to newreq.pem
++-----
++You are about to be asked to enter information that will be incorporated into your certificate
++request.
++What you are about to enter is what is called a Distinguished Name or a DN. There are quite a
++few fields but you can leave some blankFor some fields there will be a default value, If you enter
++the field will be left blank.
++-----
++
++Country Name (2 letter code) [UK]:UK
++State or Province Name (full name) [Some-State]:Herts
++Locality Name (eg, city) []:London
++Organization Name (eg, company) [Internet Widgits Pty Ltd]:SusE Linux UK Ltd
++Organizational Unit Name (eg, section) []:SUSEUK-SERVER
++Common Name (eg, YOUR name) []:mail.suse.co.uk
++Email Address []:postmaster at suse.co.uk
++Please enter the following extra attributesto be sent with your certificate request
++A challenge password []:
++An optional company name []:
++Request (and private key) is in newreq.pem
++</verb></tscreen>
++
++Notice the value used for the Common Name. It is the FQDN of the machine this certificate will be
++used on. If this is used as a server machine, the client will lookup the host name given by the
++certificate to see if it is indeed connecting to the machine the certificate was made for. This
++is not applicable to a certificate for a client as it is unlikely the hostname of the machine can
++be resolved.
++<p>
++It is advisable to still use the host name of the
++client if it has one to uniquely identify the certificate in transactions. If you are using the
++certificate in an automated client/server model, it is not going to be possible to setup a pass
++phrase for the certificates as the connection cannot be initiated until the pass phrase has been
++entered. The certificate is always encrypted using a private key that is stored in the certificate
++request constructed via the <it>CA.pl -newreq</it> command. You will need to specify the new request (<bf>newreq.pem</bf>)
++as the private key to use in all client transactions regarding this certificate. It is advisable to
++rename this file to something meaningful like the host name of the machine it is being used on (in my
++case I called it <it>zen.suse.co.uk.key</it>). You can also concatenate the certificate and key together into
++one manageable file. To do this, just issue the following command:
++
++<tscreen><verb>
++cat newcert.pem newreq.pem > zen.suse.co.uk.pem
++</verb></tscreen>
++
++You now have one file with the private key and the certificate in it.You can edit the new file and take
++out the data between the <bf>BEGIN CERTIFICATE REQUEST</bf> and <bf>END CERTIFICATE REQUEST</bf> inclusive to tidy up the
++file. All certificates must be signed by your CA to provide the authentication of the certificates you use
++in your system.
++
++<sect1>Caveats
++<p>One thing that is useful to know is that OpenSSL is sometimes emphatic about how you name a certificate.
++It does this to use a hash to lookup a certificate in a directory. The hash is generated by issuing
++the c_rehash /path/to/certificates command. This generates something like:
++
++<tscreen><verb>
++root at zen:~ > c_rehash /usr/ssl/misc/
++Doing /usr/ssl/misc/
++newcert.pem => 66be5b2a.0
++</verb></tscreen>
++
++This creates a symbolic link to the certificate with the link being the 8 byte hash of the certificate.
++This is what the OpenSSL library looks for when it loads the certificate.
++
++<sect>Links
++<p>
++<itemize>
++<item><url url="http://www.openssl.org" name="OpenSSL Home">
++<item><url url="http://www.suse.com" name="SuSE Home">
++<item><url url="http://www.palmcoder.net" name="Home of the Postfix/TLS HOWTOS">
++</itemize>
++</article>
+diff -urNad postfix-release/tls/doc/conf.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/conf.html
+--- postfix-release/tls/doc/conf.html 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/conf.html 2005-02-03 10:22:13.096088659 -0700
+@@ -0,0 +1,604 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - Configuring main.cf and master.cf</title>
++</head>
++<body>
++<h1>Postfix/TLS - Configuring main.cf and master.cf</h1>
++
++To use the TLS extension you need to feed some information to
++postfix. Please see also the <code>conf/sample-tls.cf</code> file.
++
++<h2>main.cf: smtpd (server) specific variables</h2>
++
++<pre>
++# To use TLS we do need a certificate and a private key. Both must be in
++# "pem" format, the private key must not be encrypted, that does mean:
++# it must be accessable without password. Both parts (certificate and
++# private key) may be in the same file.
++#
++# Both RSA and DSA are certificates are supported. Typically you will only
++# have RSA certificates issued by a commercial CA, also the tools supplied
++# with OpenSSL will by default issue RSA certificates.
++# You can have both at the same time, in this case the cipher used decides,
++# which certificate is presented. For Netscape and OpenSSL clients without
++# special cipher choices, the RSA certificate is preferred.
++#
++# In order to check the certificates, the CA-certificate (in case of a
++# certificate chain, all CA-certificates) must be available.
++# You should add these certificates to the server certificate, the server
++# certificate first, then the issuing CA(s).
++#
++# Example: the certificate for "server.dom.ain" was issued by "intermediate CA"
++# which itself has a certificate of "root CA". Create the server.pem file by
++# 'cat server_cert.pem intemediate_CA.pem root_CA.pem > server.pem'
++#
++# If you want to accept certificates issued by these CAs yourself, you can
++# also add the CA-certificates to the smtpd_tls_CAfile, in which case it is
++# not necessary to have them in the smtpd_tls_[d]cert_file.
++#
++# A certificate supplied here must be useable as SSL server certificate and
++# hence pass the "openssl verify -purpose sslserver ..." test.
++#
++smtpd_tls_cert_file = /etc/postfix/server.pem
++smtpd_tls_key_file = $smtpd_tls_cert_file
++#
++# Its DSA counterparts:
++smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
++smtpd_tls_dkey_file = $smtpd_tls_dcert_file
++
++# The certificate was issued by a certification authority (CA), the CA-cert
++# of which must be available, if not in the certificate file.
++# This file may also contain the the CA certificates of other trusted CAs.
++# You must use this file for the list of trusted CAs if you want to use
++# chroot-mode. No default is supplied for this value as of now.
++#
++# smtpd_tls_CAfile = /etc/postfix/CAcert.pem
++
++# To verify the peer certificate, we need to know the certificates of
++# certification authorities. These certificates in "pem" format are
++# collected in a directory. The same CAs are offered to clients for
++# client verification. Don't forget to create the necessary "hash"
++# links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical
++# place for the CA-certs may also be $OPENSSL_HOME/certs, so there is
++# no default and you explicitly have to set the value here!
++#
++# To use this option in chroot mode, this directory itself or a copy of it
++# must be inside the chroot jail. Please note also, that the CAs in this
++# directory are not listed to the client, so that e.g. Netscape might not
++# offer certificates issued by them.
++#
++# I therefore discourage the use of this option.
++#
++smtpd_tls_CApath = /etc/postfix/certs
++
++# To get additional information during the TLS setup and negotiations
++# you can increase the loglevel from 0..4:
++# 0: No output about the TLS subsystem
++# 1: Printout startup and certificate information
++# 2: 1 + Printout of levels during negotiation
++# 3: 2 + Hex and ASCII dump of negotiation process
++# 4: 3 + Hex and ASCII dump of complete transmission after STARTTLS
++# Use loglevel 3 only in case of problems. Use of loglevel 4 is strongly
++# discouraged.
++#
++# smtpd_tls_loglevel = 0
++
++# To include information about the protocol and cipher used as well as the
++# client and issuer CommonName into the "Received:" header, set the
++# smtpd_tls_received_header variable to true. The default is no, as the
++# information is not necessarily authentic. Only the final destination
++# is reliable, since the headers might have been changed in between.
++#
++#smtpd_tls_received_header = yes
++
++# By default TLS is disabled, so no difference to plain postfix is visible.
++# Explicitely switch it on using "smtpd_use_tls". (Note: when invoked
++# via "sendmail -bs", STARTTLS is never offered due to insufficient
++# privileges to access the private key. This is intended behaviour.)
++#
++smtpd_use_tls = yes
++
++# You can ENFORCE the use of TLS, so that no commands (except QUIT of course)
++# are allowed without TLS. According to RFC2487 this MUST NOT be applied
++# in case of a publicly-referenced SMTP server. So this option is off
++# by default and should only seldom be used. Using this option implies
++# smtpd_use_tls = yes. (Note: when invoked via "sendmail -bs", STARTTLS
++# is never offered due to insufficient privileges to access the private key.
++# This is intended behaviour.)
++#
++# smtpd_enforce_tls = no
++
++# Besides RFC2487 some clients, namely Outlook [Express] prefer to run the
++# non-standard "wrapper" mode, not the STARTTLS enhancement to SMTP.
++# This is true for OE (Win32 < 5.0 and Win32 >=5.0 when run on a port!=25
++# and OE (5.01 Mac on all ports).
++# It is strictly discouraged to use this mode from main.cf. If you want to
++# support this service, enable a special port in master.cf. Port 465 (smtps)
++# was once chosen for this feature.
++#
++# smtpd_tls_wrappermode = no
++
++# To receive a client certificate, the server must explicitly ask for one.
++# Hence netscape will either complain if no certificate is available (for
++# the list of CAs in /etc/postfix/certs) or will offer you client certificates
++# to choose from. This might be annoying, so this option is "off" by default.
++# You will however need the certificate if you want to to e.g. certificate
++# based relaying.
++#
++# smtpd_tls_ask_ccert = no
++
++# You may also decide to REQUIRE a client certificate to allow TLS connections.
++# I don't think it will be necessary often, it is however included here for
++# completeness. This option implies smtpd_tls_ask_ccert = yes
++#
++# Please be aware, that this will inhibit TLS connections without a proper
++# certificate and only makes sense, when normal submission is disabled and
++# TLS is enforced (smtpd_enforce_tls). Otherwise clients may bypass by simply
++# not using STARTTLS at all. When TLS is not enforced, the connection will be
++# handled, as if only smtpd_tls_ask_ccert = yes would be set and an information
++# is logged.
++#
++# smtpd_tls_req_ccert = no
++
++# The verification depth for client certificates. A depth of 1 is sufficient,
++# if the certificate ist directly issued by a CA listed in the CA locations.
++# The default value (5) should also suffice for longer chains (root CA issues
++# special CA which then issues the actual certificate...)
++#
++# smtpd_tls_ccert_verifydepth = 5
++
++# The server and client negotiate a session, which takes some computer time
++# and network bandwidth. The session is cached only in the smtpd process
++# actually using this session and is lost when the process dies.
++# To share the session information between the smtpd processes, a disc based
++# session cache can be used based on the SDBM databases (routines included
++# in Postfix/TLS). Since concurrent writing must be supported, only SDBM
++# can be used.
++#
++smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
++
++# The cached sessions time out after a certain amount of time. For Postfix/TLS
++# I do not use the OpenSSL default of 300sec, but a longer time of 3600sec
++# (=1 hour). RFC2246 recommends a maximum of 24 hours.
++#
++# smtpd_tls_session_cache_timeout = 3600s
++
++# Two additional options has been added for relay control to the UCE rules:
++# permit_tls_clientcerts (a)
++# and
++# permit_tls_all_clientcerts. (b)
++#
++# If one of these options is added to
++# smtpd_recipient_restrictions,
++# postfix will relay if
++# (a) a valid (it passed the verification) client certificate is presented
++# and its fingerprint is listed in the list of client certs
++# (relay_clientcerts),
++# (b) any valid (it passed the verification) client certificate is presented.
++#
++# Option (b) must only be used, if a special CA issues the certificates and
++# only this CA is listed as trusted CA. If other CAs are trusted, any owner
++# of a valid (SSL client)-certificate can relay. Option (b) can be practical
++# for a specically created email relay. It is however recommended to stay with
++# option (a) and list all certificates, as (b) does not permit any control
++# when a certificate must no longer be used (e.g. an employee leaving).
++#
++# smtpd_recipient_restrictions = ... permit_tls_clientcerts ...
++
++# The list of client certificates for which relaying will be allowed.
++# Unfortunately the routines for lists in postfix use whitespaces as
++# seperators and choke on special chars. So using the certificate
++# X509ONELINES is quite impractical. We will use the fingerprints at
++# this point, as they are difficult to fake but easy to use for lookup.
++# As postmap (when using e.g. db) insists of having a pair of key and value,
++# but we only need the key, the value can be chosen freely, e.g. the name
++# of the user or host:
++# D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
++#
++# relay_clientcerts = hash:/etc/postfix/relay_clientcerts
++
++# To influence the cipher selection scheme, you can give cipherlist-string.
++# A detailed description would go to far here, please refer to the openssl
++# documentation.
++# If you don't know what to do with it, simply don't touch it and leave the
++# (openssl-)compiled in default!
++#
++# DO NOT USE " to enclose the string, just the string!!!
++#
++# smtpd_tls_cipherlist = DEFAULT
++
++# If you want to take advantage of ciphers with EDH, DH parameters are needed.
++# There are built in DH parameters for both 1025bit and 512bit available. It
++# is however better to have "own" parameters, since otherwise it would "pay"
++# for a possible attacker to start a brute force attack against these
++# parameters commonly used by everybody. For this reason, the parameters
++# chosen are already different from those distributed with other TLS packages.
++#
++# To generate your own set of parameters, use
++# openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
++# openssl gendh -out /etc/postfix/dh_512.pem -2 -rand /var/run/egd-pool 512
++# (your source for "entropy" might vary; on Linux there is /dev/random, on
++# other system, you might consider the "Entropy Gathering Daemon EGD",
++# available at http://www.lothar.com/tech/crypto/.
++#
++smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
++smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
++
++# The smtpd_starttls_timeout parameter limits the time in seconds to write and
++# read operations during TLS start and stop handhake procedures.
++#
++# smtpd_starttls_timeout = 300s
++</pre>
++
++<h2>main.cf: smtp (client) specific variables</h2>
++
++<pre>
++# During the startup negotiation we might present a certificate to the server.
++# Netscape is rather clever here and lets the user select between only those
++# certs that will match the CAs accepted from the server. As I simply use
++# the integrated "SSL_connect()" from the OpenSSL package, this is not
++# possible by now and we have to chose just one cert.
++# So for now the default is to use _no_ cert and key unless explictly
++# set here. It is possible to use the same key/cert pair as for the server.
++# If a cert is to be presented, it must be in "pem" format, the private key
++# must not be encrypted, that does mean: it must be accessable without
++# password. Both parts (certificate and private key) may be in the
++# same file.
++#
++# In order to check the certificates, the CA-certificate (in case of a
++# certificate chain, all CA-certificates) must be available.
++# You should add these certificates to the server certificate, the server
++# certificate first, then the issuing CA(s).
++#
++# Example: the certificate for "client.dom.ain" was issued by "intermediate CA"
++# which itself has a certificate of "root CA". Create the client.pem file by
++# 'cat client_cert.pem intemediate_CA.pem root_CA.pem > client.pem'
++#
++# If you want to accept certificates issued by these CAs yourself, you can
++# also add the CA-certificates to the smtp_tls_CAfile, in which case it is
++# not necessary to have them in the smtp_tls_[d]cert_file.
++#
++# A certificate supplied here must be useable as SSL client certificate and
++# hence pass the "openssl verify -purpose sslclient ..." test.
++#
++smtp_tls_cert_file = /etc/postfix/client.pem
++smtp_tls_key_file = $smtp_tls_cert_file
++
++# The certificate was issued by a certification authority (CA), the CA-cert
++# of which must be available, if not in the certificate file.
++# This file may also contain the the CA certificates of other trusted CAs.
++# You must use this file for the list of trusted CAs if you want to use
++# chroot-mode. No default is supplied for this value as of now.
++#
++smtp_tls_CAfile = /etc/postfix/CAcert.pem
++
++# To verify the peer certificate, we need to know the certificates of
++# certification authorities. These certificates in "pem" format are
++# collected in a directory. Don't forget to create the necessary "hash"
++# links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical
++# place for the CA-certs may also be $OPENSSL_HOME/certs, so there is
++# no default and you explicitly have to set the value here!
++#
++# To use this option in chroot mode, this directory itself or a copy of it
++# must be inside the chroot jail.
++#
++smtp_tls_CApath = /etc/postfix/certs
++
++# To get additional information during the TLS setup and negotiations
++# you can increase the loglevel from 0..4:
++# 0: No output about the TLS subsystem
++# 1: Printout startup and certificate information
++# 2: 1 + Printout of levels during negotiation
++# 3: 2 + Hex and ASCII dump of negotiation process
++# 4: 3 + Hex and ASCII dump of complete transmission after STARTTLS
++# Use loglevel 3 only in case of problems. Use of loglevel 4 is strongly
++# discouraged.
++#
++smtp_tls_loglevel = 0
++
++# The server and client negotiate a session, which takes some computer time
++# and network bandwidth. The session is cached only in the smtpd process
++# actually using this session and is lost when the process dies.
++# To share the session information between the smtp processes, a disc based
++# session cache can be used based on the SDBM databases (routines included
++# in Postfix/TLS). Since concurrent writing must be supported, only SDBM
++# can be used.
++#
++smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
++
++# The cached sessions time out after a certain amount of time. For Postfix/TLS
++# I do not use the OpenSSL default of 300sec, but a longer time of 3600sec
++# (=1 hour). RFC2246 recommends a maximum of 24 hours.
++#
++# smtp_tls_session_cache_timeout = 3600s
++
++# By default TLS is disabled, so no difference to plain postfix is visible.
++# If you enable TLS it will be used when offered by the server.
++# WARNING: I didn't have access to other software (except those explicitely
++# listed) to test the interaction. On corresponding mailing list
++# there was a discussion going on about MS exchange servers offering
++# STARTTLS even if it is not configured, so it might be wise to not
++# use this option on your central mail hub, as you don't know in advance
++# whether you are going to hit such host. Use the recipient/site specific
++# options instead.
++# HINT: I have it switched on on my mailservers and did experience one
++# single failure since client side TLS is implemented. (There was one
++# misconfired MS Exchange server; I contacted ths admin.) Hence, I am happy
++# with it running all the time, but I am interested in testing anyway.
++# You have been warned, however :-)
++#
++# In case of failure, a "4xx" code is issued and the mail stays in the queue.
++#
++# Explicitely switch it on here, if you want it.
++#
++smtp_use_tls = yes
++
++# You can ENFORCE the use of TLS, so that only connections with TLS will
++# be accepted. Additionally, the hostname of the receiving host is matched
++# against the CommonName in the certificate. Also, the certificate must
++# be verified "Ok", so that a CA trusted by the client must have issued
++# the certificate. If the certificate doesn't verify or the hostname doesn't
++# match, a "4xx" will be issued and the mail stays in the queue.
++# The hostname used in the check is beyond question, as it must be the
++# principle hostname (no CNAME allowed here). Checks are performed against
++# all names provided as dNSNames in the SubjectAlternativeName. If no
++# dNSNames are specified, the CommonName is checked.
++# The behaviour may be changed with the smtp_tls_enforce_peername option
++#
++# This option is useful only if you are definitely sure that you will only
++# connect to servers supporting RFC2487 _and_ with valid certificates.
++# I use it for my clients which will only send email to one mailhub, which
++# does offer the necessary STARTTLS support.
++#
++# smtp_enforce_tls = no
++
++# As of RFC2487 the requirements for hostname checking for MTA clients are
++# not set. When in smtp_enforce_tls mode, the option smtp_tls_enforce_peername
++# can be set to "no" to disable strict peername checking. In this case, the
++# mail delivery will be continued, if a TLS connection was established
++# _and_ the peer certificate passed verification _but_ regardless of the
++# CommonName listed in the certificate. This option only applies to the
++# default setting smtp_enforce_tls_mode, special settings in the
++# smtp_tls_per_site table override smtp_tls_enforce_peername.
++#
++# This can make sense in closed environment where special CAs are created.
++# If not used carefully, this option opens the danger of a "man-in-the-middle"
++# attack (the CommonName of this attacker is logged).
++#
++# smtp_tls_enforce_peername = yes
++
++# As generally trying TLS can be a bad idea (some hosts offer STARTTLS but
++# the negotiation will fail leading to unexplainable failures, it may be
++# a good idea to decide based on the recipient or the mailhub to which you are
++# connecting.
++#
++# Deciding per recipient may be difficult, since a singe email can have
++# several recipients. We use the "nexthop" mechanism inside postfix.
++# When an email is to be delivered, the "nexthop" is obtained. If it matches
++# an entry in the smtp_tls_per_site list, appropriate action is taken.
++# Since entries in the transport table or the use of a relay_host override
++# the nexthop setting, in these cases the relay_host etc must be listed
++# in the table. In any case, the hostname of the peer to be contacted is
++# looked up (that is: the MX or the name of the host, if no MX is given).
++#
++# Special hint for enforcement mode:
++# Since there is no secure mechanism for DNS lookups available, the
++# recommended setup is: put the sensible domains with their mailhost
++# into the transport table (since you can asure security of this table
++# unlike DNS), then set MUST mode for this mailhost.
++#
++# Format of the table:
++# The keys entries are on the left hand side, no wildcards allowed. On the
++# right hand side the keywords NONE (don't use TLS at all), MAY (try to use
++# STARTTLS if offered, no problem if not), MUST (enforce usage of STARTTLS,
++# check server certificate CommonName against server FQDN), MUST_NOPEERMATCH
++# (enforce usage of STARTTLS and verify certificate, but ignore differences
++# between CommonName and server FQDN).
++# dom.ain NONE
++# host.dom.ain MAY
++# important.host MUST
++# some.host.dom.ain MUST_NOPEERMATCH
++#
++# If an entry is not matched, the default policy is applied; if the default
++# policy is "enforce", NONE explicitely switches it off, otherwise the
++# "enforce" mode is used even for MAY entries.
++#
++smtp_tls_per_site = hash:/etc/postfix/tls_per_site
++
++# The verification depth for server certificates. A depth of 1 is sufficient,
++# if the certificate ist directly issued by a CA listed in the CA locations.
++# The default value (5) should also suffice for longer chains (root CA issues
++# special CA which then issues the actual certificate...)
++#
++# smtp_tls_scert_verifydepth = 5
++
++# As we decide on a "per site" basis, wether to use TLS or not, it would be
++# good to have a list of sites, that offered "STARTTLS'. We can collect it
++# ourselves with this option.
++#
++# If activated and TLS is not already enabled for this host, a line is added
++# to the logfile:
++# postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]
++#
++smtp_tls_note_starttls_offer = yes
++
++# To influence the cipher selection scheme, you can give cipherlist-string.
++# A detailed description would go to far here, please refer to the openssl
++# documentation.
++# If you don't know what to do with it, simply don't touch it and leave the
++# (openssl-)compiled in default!
++#
++# DO NOT USE " to enclose the string, just the string!!!
++#
++# smtp_tls_cipherlist = DEFAULT
++
++# The smtp_starttls_timeout parameter limits the time in seconds to write and
++# read operations during TLS start and stop handhake procedures.
++#
++# In case of problems the client does NOT try the next address on
++# the mail exchanger list.
++#
++# smtp_starttls_timeout = 300s
++</pre>
++
++<h2>SASL related variables</h2>
++
++<pre>
++# The smtpd_sasl_tls_security_options parameter controls what authentication
++# mechanism the Postfix SMTP server will offer to the client, in case the
++# connection is protected by a TLS encrypted session.
++# This parameter allows to provide for example plaintext authentication that
++# otherwise would not be allowed without encryption.
++# The default is to use the same settings as in the unencrypted case.
++#
++# Warning: this option only works against passive (eavesdropping) attackes.
++# An active attacker (man in the middle) may modify the AUTH options offered
++# and/or remove the STARTTLS offer from the EHLO response. Protection against
++# active attackers is only possible by enforcing TLS at the client side.
++#
++#smtpd_sasl_tls_security_options = noanonymous
++smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
++
++# Sending AUTH data over an unencrypted channel poses a security risk. When
++# smtpd_tls_enforce_tls is set, AUTH will only be announced and accepted,
++# once the TLS layer has been activated via the STARTTLS protocol. If
++# TLS layer encryption is optional, it may however still be useful to only
++# offer AUTH, if TLS is active. To not break compatiblity with unpatched
++# postfix versions, the default is to accept AUTH without encryption. In
++# order to change this behaviour, set smtpd_tls_auth_only = yes.
++# THIS OPTION ONLY WORKS WITH SSL/TLS SUPPORT COMPILED IN.
++#
++#smtpd_tls_auth_only = yes
++smtpd_tls_auth_only = no
++
++# The smtp_sasl_tls_security_options parameter controls, what authentication
++# mechanisms the local Postfix SMTP client is allowed to use, if the session
++# is encrypted via TLS. This provides the option to permit plaintext passwords
++# that otherwise could not be used.
++#
++# The settings allowed are the same as for the non-encrypted sessions
++# (smtp_sasl_security_options).
++#
++# Warning, Warning, Warning: This option only works against passive
++# (eavesdropping) attacks. An active attacker (man in the middle) may provide
++# a TLS capabable server (proxy) and in such way obtain the password
++# information. The only way to prevent a man in the middle attack is to check
++# the hostname of the server presented in the certificate. This is assured
++# in the (preferrably used) smtp_sasl_tls_verified_security_options case.
++#
++#smtp_sasl_tls_security_options =
++smtp_sasl_tls_security_options = $smtp_sasl_security_options
++
++# The smtp_sasl_tls_verified_security_options parameter controls, what
++# authentication mechanisms the local Postfix SMTP client is allowed to use,
++# if the session is encrypted via TLS _and_ the server has proven its
++# identity (expected hostname matches certificate, verification successfull).
++# This provides the option to permit plaintext passwords that otherwise could
++# not be used.
++#
++# The settings allowed are the same as for the non-encrypted sessions
++# (smtp_sasl_security_options).
++#
++#smtp_sasl_tls_verified_security_options =
++smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
++</pre>
++
++<h2>main.cf: general variables</h2>
++
++<pre>
++# In order to seed the PRNG Pseude Random Number Generator, random data is
++# needed. The PRNG pool is maintained by the "tlsmgr" daemon and is used
++# (read) by the smtp[d] processes after adding some more entropy by stirring
++# in time and process id.
++# The file, which is from time to time rewritten by the tlsmgr, is created
++# if not existant. A default value is given; the default should probably
++# be on the /var partition but _not_ inside chroot jail.
++#
++# tls_random_exchange_name = /etc/postfix/prng_exch
++
++# To feed the PRNG pool, entropy is being read from an external source,
++# both at startup and during run.
++# Specify a good entropy source here, like EGD or /dev/urandom; make sure
++# to only use non-blocking sources.
++# In both cases, 32 bytes are read at each re-seeding event (which is an
++# amount of 256bits and hence good enough for 128bit symmetric keys).
++# You must specify the type of source: "dev:" for a device special file
++# or "egd:" for a source with EGD compatible socket interface. A maximum
++# 255 bytes is read from these sources in each step.
++# If you specify a normal file, a larger amount of data can be read.
++#
++# The entropy source is queried again after a certain amount of time. The
++# time is calculated using the PRNG, it is between 0 and the time specified,
++# default is a maximum of 1 hour.
++#
++# tls_random_source = dev:/dev/urandom
++tls_random_source = egd:/var/run/egd-pool
++# tls_random_bytes = 32
++# tls_random_reseed_period = 3600s
++
++# The PRNG pool inside tlsmgr is used to re-generate the 1024 byte file
++# being read by smtp[d]. The time, after which the exchange file is
++# rewritten is calculated using the PRNG, it is between 0 and the time
++# specified, default is a maximum of 60 seconds.
++#
++# tls_random_upd_period = 60s
++
++# If you have a entropy source available, that is not easily drained (like
++# /dev/urandom), the daemons can also load additional entropy on startup from
++# the source specified. By default an amount of 32 bytes is read, the
++# equivalent to 256 bits. This is more than enough to generate a 128bit
++# (or 168bit) session key, but we may have to generate more than one.
++# Usage of this option may drain EGD (consider the case of 50 smtp starting
++# up with a full queue and "postfix start", which will request 1600bytes
++# of entropy). This is however not fatal, as long as "entropy" data could
++# be read from the exchange file.
++#
++# tls_daemon_random_source = dev:/dev/urandom
++tls_daemon_random_source = egd:/var/run/egd-pool
++# tls_daemon_random_bytes = 32
++</pre>
++
++<h2>master.cf: tlsmgr daemon</h2>
++
++If you don't have a /dev/urandom device and/or use session caching,
++you must run the "tlsmgr" daemon (see conf/master.cf). The tlsmgr
++will contact entropy sources on startup and keep the connection open,
++so that it can be chrooted and can drop privileges.
++
++<pre>
++# ==========================================================================
++# service type private unpriv chroot wakeup maxproc command + args
++# (yes) (yes) (yes) (never) (50)
++# ==========================================================================
++tlsmgr fifo - - y 300 1 tlsmgr
++</pre>
++
++<h2>master.cf: additional services</h2>
++
++It can be useful to have postfix listen on additional ports, namely
++"submission"=587 for email submission as defined in RFC2476; this
++is especially useful if you want to allow AUTH with plaintext
++passwords (PLAIN, LOGIN) and hence run on a port with encryption
++enforcement. Another useful port may be "smtps"=465 which was
++intended with TLS-wrapping and is still used by Outlook (Express).
++
++<p>Both example entries already contain the flags to enable SASL
++authentication (which may be disabled on the normal port). Since
++the actual service names are used, smtps and submission must be
++defined in /etc/services (and probably also in
++/var/spool/postfix/etc/services if chrooted)!!! (Use the port
++numbers otherwise.)</p>
++
++<pre>
++# ==========================================================================
++# service type private unpriv chroot wakeup maxproc command + args
++# (yes) (yes) (yes) (never) (50)
++# ==========================================================================
++smtps inet n - y - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
++submission inet n - y - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
++</pre>
++</body>
++</html>
++
+diff -urNad postfix-release/tls/doc/index.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/index.html
+--- postfix-release/tls/doc/index.html 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/index.html 2005-02-03 10:22:13.096088659 -0700
+@@ -0,0 +1,53 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - A TLS extension for POSTFIX</title>
++</head>
++<body>
++<h1>Postfix/TLS - A TLS extension for POSTFIX</h1>
++
++<h2>Contents</h2>
++
++<ul>
++<li><a href="intro.html">Introduction</a></li>
++
++<li><a href="install.html">Installing the patchkit</a></li>
++
++<li><a href="setup.html">Setting up the certificates</a></li>
++
++<li><a href="conf.html">Configuring main.cf</a></li>
++
++<li><a href="security.html">Security considerations</a></li>
++
++<li><a href="test.html">Testing</a></li>
++
++<li><a href="prng.html">PRNG - Pseudo Random Number
++Generator</a></li>
++
++<li><a href="references.html">References</a></li>
++</ul>
++
++Please check also the contents of the <tt>contributions</tt> folder
++including useful scripts and some <b>HOWTO</b> documents.
++
++<pre>
++PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG
++CRYPTOGRAPHY SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST
++COMMUNICATING TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS
++ILLEGAL IN SOME PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE
++TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL
++TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR
++OTHER PEOPLE YOU ARE STRONGLY ADVICED TO PAY CLOSE ATTENTION TO ANY
++EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHOR OF
++POSTFIX/TLS IS NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE
++CAREFULLY YOURSELF, IT IS YOUR RESPONSIBILITY.
++</pre>
++
++Lutz Jänicke, <a href=
++"http://www.aet.tu-cottbus.de/personen/jaenicke/">Homepage</a>,
++Email: <a href="mailto:Lutz.Jaenicke at aet.TU-Cottbus.DE"><em>
++Lutz.Jaenicke at aet.TU-Cottbus.DE</em></a>
++</body>
++</html>
++
+diff -urNad postfix-release/tls/doc/install.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/install.html
+--- postfix-release/tls/doc/install.html 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/install.html 2005-02-03 10:22:13.096088659 -0700
+@@ -0,0 +1,93 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - Installation</title>
++</head>
++<body>
++<h1>Postfix/TLS - Installing the patchkit</h1>
++
++<h2>Prerequisits</h2>
++
++This patchkit is prepared for
++
++<ul>
++<li>Postfix Version 2.1.0<br>
++ <a href="http://www.postfix.org/">http://www.postfix.org/</a> [<a
++href="references.html#postfix">POSTFIX</a>]<br>
++ The use of other versions might lead to patch conflicts or silent
++failures, as we directly change the source code.</li>
++
++<li>OpenSSL Version 0.9.7d (>=0.9.5)<br>
++ <a href="http://www.openssl.org/">http://www.openssl.org/</a> [<a
++href="references.html#openssl">OPENSSL</a>]<br>
++We use OpenSSL as library (and some command line tools to create
++the certificates, if necessary). OpenSSL is the successor of
++SSLeay.
++<p>Postfix/TLS uses properties that are only available starting with
++version 0.9.5 of the OpenSSL library. 0.9.5a and 0.9.6x have proven
++stability over several months.
++
++The release 0.9.7 contains several enhancemants and bugfixes.
++
++OpenSSL 0.9.7d is the latest release and the recommended version.
++</li>
++</ul>
++
++You may also need to update your "patch" utility (see below).
++
++<h2>Patching</h2>
++
++The changes to the postfix source code as well as the additional
++files are included in the "<code>pfixtls.diff</code>" in the main
++directory of the patch kit. It is a unified diff.
++
++<p>To apply the patches, go to the directory one level below the
++original postfix source tree (you should see
++"<code>postfix-xxxxxxx</code>" or "<code>snapshot-xxxxxxx</code>"
++when doing an "<code>ls -al</code>"
++at this point. The patch is then applied with:</p>
++
++<pre>
++patch -p0 < path-to/pfixtls.diff
++</pre>
++
++If you experience problems during the patch process (e.g. with the
++HP-UX 10.20 or Solaris included patch), you might need to update your patch
++program, e.g. to an actual GNU-patch.
++
++<p>If you need to apply the patchkit to a different version of
++patchlevel of postfix, you might try the following:</p>
++
++<pre>
++cd postfix-directory ; patch -p1 < path-to/pfixtls.diff
++</pre>
++
++Since the patch is in unified form, it might also apply to a mildly
++changed source, as long as no conflicts appear.
++
++<h2>Compiling</h2>
++
++After patching postfix will configure and compile as before. In
++order to enable the TLS functions, you must specify the path to the
++OpenSSL header files as well as the appropriate libraries, and you
++must define <code>USE_SSL</code>. Your command for configuration
++might then be:
++
++<pre>
++make makefiles CCARGS="-DUSE_SSL -I/usr/local/ssl/include" AUXLIBS="-L/usr/local/ssl/lib -lssl -lcrypto"
++</pre>
++
++You might need additional customization e.g. for using Berkeley-DB
++as listed in the postfix INSTALL instructions. You can then
++continue in the usual way with:
++
++<pre>
++make
++</pre>
++
++and then follow the instructions in the postfix INSTALL file.
++
++</body>
++</html>
++
+diff -urNad postfix-release/tls/doc/intro.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/intro.html
+--- postfix-release/tls/doc/intro.html 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/intro.html 2005-02-03 10:22:13.097088436 -0700
+@@ -0,0 +1,194 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - Introduction</title>
++</head>
++<body>
++<h1>Postfix/TLS - Introduction</h1>
++
++Postfix/TLS is an extension of the Postfix [<a href=
++"references.html#postfix">POSTFIX</a>] MTA software to support the
++TLS protocol.
++
++<h2>A note about the start of the project</h2>
++
++When I started writing this software, I had a sophisticated way to
++allow <a href="relaycert.html">relaying for roaming users</a> in
++mind. In the meantime, this project is living on its own.
++
++<h2>RFC2246: The TLS (former SSL) protocol</h2>
++
++By default all communication on the Internet is done without
++encryption and without strong authentication. That does mean that
++everybody with physical access to the communication line along
++which a network packet will travel can eavesdrop on your
++communication. Even worse, it might be possible to redirect or
++alter your communication so that information, that you want to send
++to a party can be lost or changed without your notice.
++
++<p>In order to solve these security issues, the SSL protocol
++(Secure Socket Layers) was introduced by Netscape, Inc., which now
++has evolved into the standardised TLS protocol (Transportation
++Layer Security) as <a href="rfc2246.txt">RFC2246</a>. It offers
++both encryption of the communication (stopping eavesdropping) and
++strong authentication (making sure that both parties of a
++communication are correctly identified and that the communication
++cannot be altered).</p>
++
++<p>Postfix/TLS does not realize the TLS protocol itself; it rather
++uses the OpenSSL package [<a href=
++"references.html#openssl">OPENSSL</a>] for this task. At the
++OpenSSL WWW-site you can also find links to in-depth documentation
++of the protocol and its features, so that it is not necessary to
++included them here. (And, of course, there is no use of re-writing
++what other people already wrote down, it just introduces additional
++errors.)</p>
++
++<h2>RFC2487: Introducing TLS to SMTP</h2>
++
++The integration of the TLS protocol to Internet mail, SMTP (Simple
++Mail Transport Protocol) is described in <a href="rfc2487.txt">
++RFC2487</a>.
++
++<p>Unlike the first incarnations of SSL as a <em>wrapper</em>
++around normal network communications [<a href=
++"references.html#stunnel">STUNNEL</a>] [<a href=
++"references.html#jonama">JONAMA</a>], the TLS protocol is now
++completely <em>integrated</em> into the ESMTP: during the startup
++negotiation (EHLO) the server offers the support of TLS by
++advertising the <strong>STARTTLS</strong> feature. The client can
++now send the <strong>STARTTLS</strong> command to do authentication
++and switch to encrypted communication.</p>
++
++<h2>Postfix/TLS: what can it do for you</h2>
++
++The list of features presented here should be understood as a list
++of ideas. Not all of them are realized yet, please see the notes at
++each feature.
++
++<ul>
++<li>Encrypted email transfer from one host to another.<br>
++Status: realized.<br>
++Comment: Once the STARTTLS negotiation is finished, the
++communication between both parties is encrypted.
++This also includes the MAIL FROM: and RCPT TO: envelop sender
++and recipient negotiation, so that an eavesdropper will not be able
++to get these informations.</li>
++
++<li>Authentication of the receiving host to prevent
++interception.<br>
++Status: realized.<br>
++Comment: This is a quite important feature that is not difficult to
++implement. The problem lies in the fact, that not all hosts (read
++this: by now nearly no one) support this protocol. The sender must
++hence maintain a list of receivers which must identify by TLS,
++otherwise one could just intercept the communication and not offer
++STARTTLS, so that no authentication is done. One must also be
++careful to use the correct name of the host (see CNAMEs), but this
++problem is the same for http-servers.</li>
++
++<li>Authentication of the sending host to prevent forgery.<br>
++Status: Difficult to do.<br>
++Comment: The transmission of emails is just a connection to the
++SMTP port (25) of the receiving host. This is done by either
++another MTA (Mail Transport Agent) or a MUA (Mail User Agent). In
++the first case, the sending MTA should present a client certificate
++issued on the name of the sending host. In the latter case however,
++the user has no access to the host's certificate and will (or not)
++present his own personal certificate. At this point I think that a
++satisfying <em>and</em> reliable solution is hardly possible (do
++you want your users' email bounce without reason?), so it has least
++priority.</li>
++
++<li>Authentication of the sending host to allow relaying.<br>
++Status: realized.<br>
++Comment: This was the intention I had in mind when starting this
++project, so it was realized first. Based on the certificate the
++client MTA or MUA presents to the server, relaying can be
++allowed.</li>
++
++<li>Any more ideas???<br>
++Status: Send me an email.</li>
++</ul>
++
++<h2>Postfix/TLS: what it cannot do for you</h2>
++
++There is one thing that I explicitly want to point out:
++
++<ul>
++<li>Securing the privacy of your email.<br>
++Status: Cannot be done.<br>
++Comment: RFC2487 only takes care of the transportation between mail
++servers. To assure that nobody can eavesdrop on your private email
++communication, it would be necessary that
++
++<ul>
++<li>all of the mailhubs in between are enforcing TLS.</li>
++
++<li>all mailhubs themselves are trustworthy, as the email is only
++encrypted during transport, not when queued or spooled.</li>
++
++<li>the destination is trustworthy, as the mail is spooled in clear
++and everybody who can access your mailbox (read this: at least the
++superuser) can read your mail!</li>
++</ul>
++
++Hence, if you want privacy, you have to <em>send out</em> your
++email encrypted, e.g. using S/MIME or the traditional PGP
++package.</li>
++
++<li>Authenticate the sender of an email.<br>
++Status: Cannot be done.<br>
++Comment: A lot of MUAs send out emails by just connecting the SMTP
++port of the sending host or nearest mailhub. There is no way to
++assure that the sender listed in the email is the real sender of
++the email. And even if it would be possible to identify the sender,
++the contents of the email might have been altered in between.<br>
++To ensure the identity of the sender and the integrity of the
++email, you can again use S/MIME or PGP.</li>
++</ul>
++
++<h2>Support by Mail User Agents</h2>
++
++The following MUAs are known to work with RFC2487:
++<ul>
++<li>Netscape >= 4.5 supports STARTTLS and client certificates.
++<li>Outlook (Express) >= 5 supports STARTTLS (only on port 25) and traditional
++SSL-wrapping style (on all other ports). No support for client certificates.
++<li>Eudora >= 5.1 supports STARTTLS. Client certificate status unknown.
++</ul>
++
++<h2>Other OpenSource packages</h2>
++
++As of version sendmail-8.11, sendmail includes RFC2487 support [<a
++href="references.html#sendmail">SENDMAIL</a>].
++
++<p>Frederik Vermeulen has realized an RFC2487 extension [<a href=
++"references.html#qmailtls">QMAILTLS</a>] for the Qmail [<a href=
++"references.html#qmail">QMAIL</a>] MTA.</p>
++
++<p>Matti Aarnio has integrated RFC2487 into ZMailer [<a href=
++"references.html#zmailer">ZMAILER</a>].</p>
++
++<p>Michal Trojnara is currently integrating basic SMTP support into
++his stunnel software, starting with stunnel-3.3 [<a href=
++"references.html#stunnel">STUNNEL</a>].</p>
++
++<p>Trey Childs is also working on a "wrapper" solution [<a href=
++"references.html#smtps">SMTPS</a>].</p>
++
++<h2>Commercial implementations</h2>
++
++The commercial version of sendmail includes RFC2487 support [<a
++href="references.html#sendmail.inc">SENDMAIL.INC</a>].
++
++<p>Netscape Enterprise Server and Microsoft Exchange Server do offer
++RFC2487 functionality.</p>
++
++<p>The CommunigatePro mailserver software also supports RFC2487
++[<a href="references.html#communigate">COMMUNIGATE</a>].</p>
++
++</body>
++</html>
++
+diff -urNad postfix-release/tls/doc/loadCAcert.pl /tmp/dpep.cXJuVH/postfix-release/tls/doc/loadCAcert.pl
+--- postfix-release/tls/doc/loadCAcert.pl 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/loadCAcert.pl 2005-02-03 10:22:13.097088436 -0700
+@@ -0,0 +1,23 @@
++#!/usr/local/bin/perl -T
++
++require 5.003;
++use strict;
++use CGI;
++
++my $cert_dir = "/usr/local/ssl/certs";
++my $cert_file = "CAcert.pem";
++
++my $query = new CGI;
++
++my $kind = $query->param('FORMAT');
++if($kind eq 'DER') { $cert_file = "CAcert.der"; }
++
++my $cert_path = "$cert_dir/$cert_file";
++
++open(CERT, "<$cert_path");
++my $data = join '', <CERT>;
++close(CERT);
++print "Content-Type: application/x-x509-ca-cert\n";
++print "Content-Length: ", length($data), "\n\n$data";
++
++1;
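Review bot: The `open(CERT, "<$cert_path");` in the added loadCAcert.pl has no failure check, so a missing or unreadable CA file still produces a 200 response with `Content-Length: 0` and an empty body instead of an error; change it to `open(CERT, "<$cert_path") or die "cannot open $cert_path: $!";`. The DER variant is binary, so `binmode(CERT); binmode(STDOUT);` should follow the open to avoid newline translation on platforms where it applies. The hard-coded directory and the exact-match comparison of the FORMAT parameter keep user input out of the filesystem path, which is the right shape for a script run under `-T`; a short comment saying so, e.g. `# FORMAT only selects between two fixed filenames; never interpolate it into the path`, would keep a future edit from weakening that.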
+diff -urNad postfix-release/tls/doc/myownca.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/myownca.html
+--- postfix-release/tls/doc/myownca.html 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/myownca.html 2005-02-03 10:22:13.097088436 -0700
+@@ -0,0 +1,175 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - Being your on CA</title>
++</head>
++<body>
++<h1>Postfix/TLS - Lutz's very short course on being your own
++CA</h1>
++
++This section is kept quite short as there are already a lot of
++pages explaining these things (e.g. [<a href=
++"references.html#introcert">INTROCERT</a>]). There are also
++projects under way to make this task easier [<a href=
++"references.html#openca">OPENCA</a>], so I wont't waste your time
++(and mine) by writing a book about it.
++
++<h2>Be your own CA</h2>
++
++If you want to do relaying based on client certificates you may
++want to issue your own client certificates; hence you want to be
++your own certificate authority (CA). Of course nobody else will
++accept your certificates, so the damage you do is not so high (the
++requirements for a good "professional" CA are very high, as you
++should have the CA key on a private host without network for
++security, be strict about checking the identity of requesters etc).
++
++
++<p>For laziness, we also don't care about the (worthful)
++possibility to generate certificates for specific purposes (e.g.
++for servers, clients, email-signing) and simply generate "unlimited
++general purpose" certificates. So a certificate issued for the
++person "John Doe" is also valid for the "John Doe"-server.</p>
++
++<p>Using OpenSSL it is quite simple to become your own CA. Just
++run</p>
++
++<pre>
++CA.pl -newca
++</pre>
++
++and you are done. Just make sure, that you select a useful CN
++(Common Name)! By just using your name, you might create a lot of
++confusion, as the CA certificate for "Lutz Jaenicke" looks quite
++the same as the personal client certificate for "Lutz Jaenicke" (I
++can tell you). Of course you can further improve this private CA by
++editing the <code>openssl.cnf</code> file, especially the comment.
++
++<p>If you want the full comfort of being your own CA, you must
++import your CA certificate to Netscape. Unfortunately Netscape does
++not offer an explicit function to perform this task (unlike for
++client certificates). If you have an http-server available (and I
++think you do), you can add the <a href="loadCAcert.pl">
++loadCAcert.pl</a> script to your <code>cgi-bin</code> directory. If
++you call it from Netscape (or Internet Explorer), you can load the
++certificate! (Taken from [<a href=
++"references.html/#introcert">6</a>])</p>
++
++<h2>Create your site certificate</h2>
++
++Ok, you now must create a site certificate for your postfix server.
++As your clients will use it for verification, it must contain the
++name of your host as common name (CN): host.in.domain.
++
++<p>You want your postfix system to start up at boot time without
++trouble? Then your server private key must not be encrypted. So
++when you create the key you must add the <code>-nodes</code> option
++in <code>CA.pl</code> to the line with the <code>-newcert</code>
++and/or <code>-newreq</code> command:</p>
++
++<pre>
++*** CA.pl Wed Mar 24 10:30:38 1999
++--- CA1.pl Sat Mar 27 19:36:47 1999
++***************
++*** 56,67 ****
++ exit 0;
++ } elsif (/^-newcert$/) {
++ # create a certificate
++! system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
++ $RET=$?;
++ print "Certificate (and private key) is in newreq.pem\n"
++ } elsif (/^-newreq$/) {
++ # create a certificate request
++! system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
++ $RET=$?;
++ print "Request (and private key) is in newreq.pem\n";
++ } elsif (/^-newca$/) {
++--- 56,67 ----
++ exit 0;
++ } elsif (/^-newcert$/) {
++ # create a certificate
++! system ("$REQ -new -x509 -nodes -keyout newreq.pem -out newreq.pem $DAYS");
++ $RET=$?;
++ print "Certificate (and private key) is in newreq.pem\n"
++ } elsif (/^-newreq$/) {
++ # create a certificate request
++! system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
++ $RET=$?;
++ print "Request (and private key) is in newreq.pem\n";
++ } elsif (/^-newca$/) {
++</pre>
++
++For sslwrap or stunnel the authors propose to use self signed certs
++created with <code>-newcert</code>. I rather propose to create an
++ordinary certificate request with
++
++<pre>
++CA.pl -newreq
++</pre>
++
++and then sign it with your CA:
++
++<pre>
++CA.pl -sign
++</pre>
++
++Now you can install the cert from <code>cacert.pem</code> to <code>
++/etc/postfix/CAcert.pem</code>, the created certificate from <code>
++newcert.pem</code> to <code>/etc/postfix/cert.pem</code> and the
++key part form <code>newreq.pem</code> to <code>
++/etc/postfix/key.pem</code>. Please be aware, that the <code>
++key.pem</code> is not protected by password, so you have to protect
++it by file access privileges. As the information is read before
++smtpd changes to chroot jail, it still has root privileges, so you
++should
++
++<pre>
++chown root /etc/postfix/key.pem ; chmod 400 /etc/postfix/key.pem
++</pre>
++
++<h2>Create a client certificate</h2>
++
++Creating a client certificate is as easy as a site certificate. At
++least, if you are doing it as a CA. First you create and sign a
++pair of key and certificate. Be sure to add the correct common name
++(CN) for the client:
++
++<pre>
++CA.pl -newreq
++CA.pl -sign
++</pre>
++
++If you want to do client certificate based relaying, you do need
++the fingerprint of the certificate, which can be obtained with
++
++<pre>
++openssl x509 -fingerprint -in newcert.pem
++</pre>
++
++Now this certificate must be imported into netscape. Therefore the
++data you just created must be converted to a ".p12" file in PKCS#12
++format. You do need the <code>pkcs12</code> utility [<a href=
++"references.html#pkcs12">PKCS12</a>], which is included in the
++OpenSSL package as of version 0.9.3. The necessary command is:
++
++<pre>
++pkcs12 -export -in newcert.pem -inkey newreq.pem \
++ -certfile /usr/local/ssl/CAcert.pem -name "Name" -out newcert.p12
++</pre>
++
++Of course your filenames may vary. Please take special care to
++supply a good name to your certificate. First: The name will be
++listed every time when a client certificate is to be send by
++netcape. As a person may have several certificates, the name might
++include a hint on the CA (e.g. "Lutz Jaenicke (Lutz CA)"). <strong>
++If you want to have a lot of fun, you can just omit the name.
++Netscape will happily import the certificate, but you won't see it
++in the list of user certificates. And as you don't see it, you
++cannot select it. And as Netscape will not overwrite it, if you
++offer the same (corrected) certificate with a name, you want to
++delete it, but as you cannot select it, you cannot delete it. You
++got the point?</strong>
++</body>
++</html>
++
+diff -urNad postfix-release/tls/doc/prng.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/prng.html
+--- postfix-release/tls/doc/prng.html 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/prng.html 2005-02-03 10:22:13.097088436 -0700
+@@ -0,0 +1,97 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - PRNG Pseudo Random Number Generator</title>
++</head>
++<body>
++<h1>Postfix/TLS - PRNG Pseudo Random Number Generator</h1>
++
++One of the crucial points of encryption is the generation of the
++keys, for which random numbers are required. As of OpenSSL 0.9.5,
++the seeding of the included PRNG Pseudo Random Number Generator is
++checked. Starting with Postfix/TLS 0.5.4, an architecture to
++collect entropy is included.
++
++<h2>Included PRNG</h2>
++
++OpenSSL features a quite sophisticated PRNG. In order to generate
++random numbers of lengths of more then 1024bit, a 8192bit (=1kB)
++pool is kept and used to generate these random numbers. To achieve
++full complexity for an attacker, it is necessary to have the full
++range of random numbers available and not restrict the search space
++used for searching keys, hence an according amount of entropy is
++necessary.
++
++<h2>Obtaining Entropy</h2>
++
++To get entropy, unpredictable events are needed. Unfortunately,
++computers and software tend to be very predictable, so that a lot
++of effort is necessary to collect unpredictable events. The
++mathematical techniques are discussed in the excellent book of
++Schneier "Applied Cryptography".
++
++<p>We use at least one feature: if you have collected a pool of
++data with entropy in it, you can add up more data without losing
++the entropy already there, so that we can mix external sources and
++internal bits to only increase the entropy.</p>
++
++<h2>External sources</h2>
++
++Only few operating systems provide good entropy collection.
++
++<h3>/dev/random and /dev/urandom</h3>
++
++Linux offers the <tt>/dev/random</tt> and <tt>/dev/urandom</tt>
++devices, some BSD derivatives as well.
++
++<p><tt>/dev/random</tt> will provide high quality random data, but
++it will block until enough entropy is available, if too much random
++data is requested to fast. <tt>/dev/urandom</tt> will fill up the
++real entropy data with data from an internal PRNG and will never
++block. For a system with automated startup /dev/urandom should be
++used. Reading from /dev/urandom will however trigger kernel
++activity to satisfy the demands. Imagine starting up postfix with a
++large number of emails in the queue. 50 (default) smtp processes
++want to start at the same time and access <tt>
++/dev/urandom</tt>.</p>
++
++<h3>Entropy Gathering Daemon</h3>
++
++A replacement for operating systems without good random number
++collection is the <a href="references.html#egd">EGD</a> Entropy
++Gathering Daemon. It will also extract entropy from a lot of
++sources.
++
++<p>EGD has a command driven interface, there is a command for
++blocking and one for non-blocking read. Unlike <tt>
++/dev/urandom</tt> the non-blocking command will not trigger an
++internal PRNG to fill up, but will simply return a smaller number
++of bytes than requested, even 0 if totally drained.</p>
++
++<p>EGD should hence not be used for direct feeding of smtp[d]
++processes. Again, imagine 50 smtp processes starting delivery at
++the same time.</p>
++
++<p><em>To circumvent this problem, I have witten my own daemon,
++that has a EGD compatible interface but can never run dry, just
++like <tt>/dev/urandom</tt>. Check out <a href=
++"references.html#prngd">PRNGD</a> for details.</em></p>
++
++<h3>Intermediate File</h3>
++
++Hence, Postfix/TLS maintains its own pool of entropy by means
++of the <em>tlsmgr</em> daemon. It will collect entropy from an
++external source at startup and periodically during runtime to ever
++increase the entropy in the pool. The smtp[d] processes are fed
++from an PRNG exchange file that is updated in short periods. Upon
++restart, tlsmgr will also read entropy from this file, so that the
++large entropy pool is fully utilized.
++
++<p>The single smtp[d] daemons can also access an external source. Their
++collected entropy is also stirred into the intermediate file, so that
++a significant amount of entropy is available alltogether.
++
++</body>
++</html>
++
+diff -urNad postfix-release/tls/doc/references.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/references.html
+--- postfix-release/tls/doc/references.html 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/references.html 2005-02-03 10:22:13.098088213 -0700
+@@ -0,0 +1,105 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - References</title>
++</head>
++<body>
++<h1>Postfix/TLS - References</h1>
++
++<ol>
++<li>[<a name="postfix">POSTFIX] The Postfix (formerly VMailer) Home
++Page: <a href="http://www.postfix.org/">
++http://www.postfix.org/</a>.</a></li>
++
++<li>[<a name="openssl">OPENSSL</a>] OpenSSL: The Open Source
++toolkit for SSL/TLS: <a href="http://www.openssl.org/">
++http://www.openssl.org/</a>.</li>
++
++<li>[<a name="pkcs12">PKCS12</a>]OpenSSL PKCS#12 Program FAQ: <a
++href="http://www.drh-consultancy.demon.co.uk/pkcs12faq.html">
++http://www.drh-consultancy.demon.co.uk/pkcs12faq.html</a>.</li>
++
++<li>[<a name="sslwrap">SSLWRAP</a>] SSLwrap Homepage: <a href=
++"http://www.rickk.com/sslwrap/">
++http://www.rickk.com/sslwrap/</a>.</li>
++
++<li>[<a name="stunnel">STUNNEL</a>] Stunnel Homepage: <a href=
++"http://stunnel.mirt.net/">
++http://stunnel.mirt.net/</a>.</li>
++
++<li>[<a name="introcert">INTROCERT</a>] Introducing SSL and
++Certificates using SSLeay: <a href=
++"http://www.ultranet.com/~fhirsch/Papers/wwwj/">
++http://www.ultranet.com/~fhirsch/Papers/wwwj/</a>.</li>
++
++<li>[<a name="imcorg">IMC</a>] Internet Mail Consortium: <a href=
++"http://www.imc.org/">http://www.imc.org/</a>.</li>
++
++<li>[<a name="imcorgappstls">IETF-APPS-TLS</a>] ietf-apps-tls
++mailing list: <a href="http://www.imc.org/ietf-apps-tls/">
++http://www.imc.org/ietf-apps-tls/</a></li>
++
++<li>[<a name="openca">OPENCA</a>] The OpenCA Project: <a href=
++"http://www.openca.org/">http://www.openca.org/</a>.</li>
++
++<li>[<a name="dfnpca">DFNPCA</a>] DFN-PCA: <a href=
++"http://www.dfn-pca.de/">http://www.dfn-pca.de/</a>.</li>
++
++<li>[<a name="sendmail">SENDMAIL</a>] Sendmail: <a href=
++"http://www.sendmail.org/">http://www.sendmail.org/</a>.</li>
++
++<li>[<a name="sendmail.inc">SENDMAIL.INC</a>] Sendmail Inc: <a
++href="http://www.sendmail.com/">http://www.sendmail.com/</a>.</li>
++
++<li>[<a name="qmail">QMAIL</a>] Qmail: <a href=
++"http://www.qmail.org/">http://www.qmail.org/</a>.</li>
++
++<li>[<a name="qmailtls">QMAILTLS</a>] Qmail/TLS: <a href=
++"http://www.esat.kuleuven.ac.be/~vermeule/qmail/tls.patch">
++http://www.esat.kuleuven.ac.be/~vermeule/qmail/tls.patch</a>.</li>
++
++<li>[<a name="zmailer">ZMAILER</a>] ZMailer: <a href=
++"http://www.zmailer.org/">http://www.zmailer.org/</a>.</li>
++
++<li>[<a name="jonama">JONAMA</a>] Jonama: <a href=
++"http://www.multimania.com/jonama/">
++http://www.multimania.com/jonama/</a>.</li>
++
++<li>[<a name="smtps">SMTPS</a>] Trey Child's STARTTLS wrapper: <a
++href="http://blueice.shopkeeper.de/~tchilds/">
++http://blueice.shopkeeper.de/~tchilds/</a>.</li>
++
++<li>[<a name="safegossip">SAFEGOSSIP</a>] Safegossip universal
++TLS-wrapper: <a href="http://www.skygate.co.uk/safegossip/">
++http://www.skygate.co.uk/safegossip/</a>.</li>
++
++<li>[<a name="sendmailtls">SENDMAIL-TLS</a>] Jeremy Beker's
++sendmail-tls wrapper: <a href="http://opensource.3gi.com/">
++http://opensource.3gi.com/</a>.</li>
++
++<li>[<a name="communigate">COMMUNIGATE</a>] Stalker Software's
++CommunigatePro mailserver product: <a href="http://www.stalker.com/">
++http://www.stalker.com/</a>.</li>
++
++<li>[<a name="egd">EGD</a>] Entropy Gathering Daemon: <a href=
++"http://www.lothar.com/tech/crypto/">
++http://www.lothar.com/tech/crypto/</a>.</li>
++
++<li>[<a name="prngd">PRNGD</a>] Pseudo Random Number Generator
++Daemon: <a href=
++"http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html">
++http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html</a>.</li>
++
++<li>[<a name="oe_ssl">Outlook/SSL</a>] Outlook (Express) and
++STARTTLS info: <a href=
++"http://support.microsoft.com/support/kb/articles/Q218/4/30.ASP">
++http://support.microsoft.com/support/kb/articles/Q218/4/30.ASP</a>.</li>
++
++<li>[<a name="justinhowto">TLS/CA Howto</a>] Justin Davis TLS and CA Howtos:
++<a href="http://palmcoder.net/files/howtos/">
++http://palmcoder.net/files/howtos/</a>.</li>
++</ol>
++</body>
++</html>
++
+diff -urNad postfix-release/tls/doc/relaycert.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/relaycert.html
+--- postfix-release/tls/doc/relaycert.html 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/relaycert.html 2005-02-03 10:22:13.098088213 -0700
+@@ -0,0 +1,124 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - Initial Motivation</title>
++</head>
++<body>
++<h1>Postfix/TLS - Initial Motivation</h1>
++
++This introduction shall point out the motivation, why I spend my
++time writing this TLS extension for postfix.
++
++<h2>Roaming users problem</h2>
++
++It quite often happens that my users want to access their mailboxes
++and to send emails from hosts outside our network. The main reasons
++are the access from home via Internet service providers (ISP) or
++from abroad during business trips (in our case typically to other
++universities around the world). Sending and accessing leads to two
++loosely coupled problems.
++
++<h2>UCE control</h2>
++
++One problem is sending emails, because from abroad it is seldom
++possible to predict the sending hostname we will have and when
++using an ISP the assigned hostname is typically random. As we of
++course must have UCE control in effect, I either must open up
++relaying complete ISP domains on my users request (Arrgghh!) or
++must introduce an authentication beside the hostname or IP address.
++
++
++<h2>Passwords and insecure networks</h2>
++
++This directly leads to the second problem. Recent versions of
++Netscape do offer password based authentication. This solves the
++UCE problem but introduces another one, which I consider far more
++severe: The users have to send a password in plain text over the
++network. Of course I could solve this problem by issuing special
++passwords just for this reasons, but some of my users don't have a
++clue of what is going on between the keyboard and the screen, so
++they would happily try their real password.
++
++<p>The same problem of course also applies to the POP and IMAP
++services. I tackled them first, because they are typically attacked
++by port scanners, so I closed them down by tcpwrappers (Hi Wietse!)
++to only allow my local hosts to access them.</p>
++
++<h2>Encryption via SSL</h2>
++
++The solution to the plain text password problem was easily found
++with the use of SSL. You just tunnel the POP or IMAP connection
++through SSL, using either <strong>SSLwrap</strong> [<a href=
++"references.html#sslwrap">SSLWRAP</a>] or <strong>stunnel</strong>
++[<a href="references.html#stunnel">STUNNEL</a>].
++
++<p>Netscape supports IMAP with SSL tunneling since version 4, I
++have one user with Outlook Express, who uses POP3 with SSL
++tunneling, so this solves the plain text password problem by
++encryption.</p>
++
++<h2>Netscape 4.5</h2>
++
++Starting with Netscape 4.5, also sending with SSL encryption is
++supported. As Netscape also supports client certificates, this
++seemed to be an easy solution for the UCE control problem. So I
++happily added an "smtps" service with SSL wrapper and client
++certificate verification. Unfortunately it didn't work and the
++connection just hung! After some digging around I found out, that
++Netscape 4.5 seems to realize the protocol described in <a href=
++"rfc2487.txt">RFC 2487</a> [<a href=
++"references.html#imcorg">IMC</a>].
++
++<h2>RFC 2487 - SMTP Service Extension for Secure SMTP over TLS</h2>
++
++RFC 2487 describes how to include TLS (the successor of SSL) into
++the normal Extended SMTP protocol. During the normal EHLO start
++negotiation the server offers the STARTTLS option to the client,
++which then issues the STARTTLS command. After the server accepts
++the command (220), the normal SSL handshake will start.
++
++<p>Unfortunately it is impossible to handle this situation with a
++normal tunneling software, as they are not prepared to do clear
++text negotiation before running SSL and don't have the slightest
++idea on the SMTP protocol. Therefore the way to go was to extend a
++given mail server software. The first candidate was sendmail-8.9.3,
++as I was a long term sendmail user. After digging around some I
++came to the conclusion, that even though possible, the source code
++was quite difficult to understand and adding the necessary
++configuration options didn't look inviting.</p>
++
++<h2>Postfix</h2>
++
++At this point (February 1999) I checked other mail servers and was
++immedideately fascinated by postfix source. It was very good to
++read and understand, so I decided that if I would take the time,
++then postfix would be the way to go.
++
++<p>I then started to first change our site to postfix. It took some
++hours to do this, because our mail system is running on a common
++network I administrate for several chairs, each of them with its
++own mail server and domain, but a common user base, so a lot of
++rewriting takes place, we need virtual services for symbolic names
++like "webmaster" etc.</p>
++
++<h2>Postfix/TLS</h2>
++
++Some time after having done this I finally found the time to write
++my TLS extensions for postfix. I took the source of the <code>
++s_server</code> of the OpenSSL package and added a simplified
++version of it to postfix, so that by now we can run the SMTP
++protocol encrypted on the server side. This would also allow us to
++use plain text password authentication, but as it is available
++without cost, I rather decided to go with client certificates. If
++you can offer a client certificate to our server, that is included
++in a list on our server, you can relay your emails through our
++server!
++
++<h2>Summary</h2>
++
++Postfix/TLS is an addition to the smtpd server, which implements the RFC 2487
++ TLS Service Extension and allows UCE control based on client certificates.
++</body>
++</html>
++
+diff -urNad postfix-release/tls/doc/security.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/security.html
+--- postfix-release/tls/doc/security.html 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/security.html 2005-02-03 10:22:13.099087990 -0700
+@@ -0,0 +1,78 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - Security Considerations</title>
++</head>
++<body>
++<h1>Postfix/TLS - Security Considerations</h1>
++
++The following sections cover some (possible) security issues with
++regard to Postfix/TLS.
++
++<h2>Server/Client private key file</h2>
++
++Postfix/TLS uses authentication for the server side (mandatory) and
++the client side (optional). In order to authenticate itself, the
++according process (smptd/smtp) must be able to access the private
++key, which must however be kept secret. As these processes are
++started from 'master' without the possibility of user interaction, it is not
++possible to supply a password, so that the private key can not be
++encrypted.
++
++<p>The only protection can therefore come from filesystem access
++rights, which should be set to 'owner root' and 'readable for owner
++only':</p>
++
++<pre>
++-rw------- 1 root sys 887 Apr 29 1999 /etc/postfix/key.pem
++</pre>
++
++<p>This protection is only as good as your host is protected
++against root exploits.</p>
++
++<p>You also should be aware, that people having physical access to
++your system might be able to 'steal' the private key if they can
++boot into single user mode without password protection or can move
++the disk to another computer, on which they have root rights. (Yes,
++I know there are such things as encrypted filesystems, but they are
++not in wide spread use today.)</p>
++
++<h2>Disk based session cache</h2>
++
++If you run disk based session caching (the default) people being
++able to get hold of the files might be able to figure out security
++relevant communication parameters. The security situation is
++however not more dramatic than the private key issue explained
++above, so I don't consider any additional danger coming from saving
++session information to stable storage.
++
++<p>As breaking the code with public key cryptography is just a
++matter of time (even though it might be a very long time), sessions
++should not be used for an infinite duration. The default value for
++Postfix/TLS is 1h; RFC2246 (TLSv1) recommends to not use sessions
++for more than 24h.</p>
++
++<h2>DNS issues</h2>
++
++One weak point in authentication is the use of the DNS to find out
++the MX information. Since we do (E)SMTP, we must use the MX
++information!
++
++<p>As we have to authenticate the server retrieved via MX, somebody
++able to spoof a wrong MX entry might be able to receive the email,
++if his host can present a certificate issued by an acceptable CA.
++The last part is not too difficult if 'standard' CAs like Verisign,
++Thawte,... are included.</p>
++
++<p>The only way to protect against this problem is that for those
++recipients, for which we want to <strong>enforce</strong>
++encryption and authentication, the MX lookup must be overridden
++with an appropriate entry in the /etc/postfix/transport table:</p>
++
++<pre>
++important.dom.ain smtp:[mailserver.important.dom.ain]
++</pre>
++</body>
++</html>
++
+diff -urNad postfix-release/tls/doc/setup.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/setup.html
+--- postfix-release/tls/doc/setup.html 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/setup.html 2005-02-03 10:22:13.099087990 -0700
+@@ -0,0 +1,220 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - Setting up the certificates</title>
++</head>
++<body>
++<h1>Postfix/TLS - Setting up the certificates</h1>
++
++This section explains what kind of certificates are needed to run
++postfix with TLS. The certificates (and maybe keys) can be obtained
++from a third party, that might be a commercial certification
++authority or your internet service provider. On the long run you do
++need certificates that are accepted by other Internet parties, so
++you have to agree with them on certification authorities, of which
++type they might be.
++
++<h2>Server certificate</h2>
++
++To run SMTP with TLS in server mode, your server <strong>
++must</strong> have a pair of <em>private key</em> and <em>public
++key</em>.
++
++<p>As the public key must be distributed to the client somehow, it
++is sent from the server to the client during the startup
++negotiation. The client however cannot know from just the
++negotiation, that the public key really belongs to the server and
++is not faked. Therefore a third component is necessary, a <em>
++certificate</em> from a certificate authority (CA), that is sent
++combined with the public key. This <em>server certificate</em>
++contains the <code>name.of.your.host</code>. The client will then
++check the <em>signature</em> of the CA on the public key to decide,
++whether the certificate (and public key) are authentic.</p>
++
++<p>So for the server we do need:</p>
++
++<ul>
++<li>1 <em>server private key</em></li>
++
++<li>1 server public key signed by a CA, a <em>server
++certificate</em>, certifying that the public key belongs to <code>
++name.of.your.host</code>.</li>
++
++<li>1 <em>CA certificate</em> with the public key of the CA</li>
++</ul>
++
++For this list I definitely want point out the number of components
++used to be <strong>1</strong>, because you must have <strong>
++1</strong>, you cannot have less, you cannot have more!
++
++<h3>Server certificate policy</h3>
++
++At this point you have to decide about policy. The client which is
++going to connect to your host will check the names in the <em>server
++certificate</em>, the dNSName entries in the SubjectAlternativeName
++or the CN (Common Name) if no dNSName is found, against the FQDN (Fully
++Qualified Domain Name) of your server. If both agree, your server's
++identity is proved.
++
++<p>To see, whether the certificate itself is authentic, the client
++itself <em>must have</em> the <em>CA certificate</em>. So, if you
++want to make it easily accessible to other, unknown parties, you
++should have your server certificate issued by a well known and well
++trusted CA. Remember, that your server can only have one server
++certificate at a time.</p>
++
++<p>There are commercial providers (Thawte, Verisign, just to name
++some), the CA certificats of which are well distributed. Not
++knowing of other countries, at least in Germany the
++Research Network (DFN) has started a program for universities [<a
++href="references.html#dfnpca">DFNPCA</a>].</p>
++
++<p>If you do not care about that for know (you can change that
++later), you can just become your own CA and distribute your CA cert
++to those parties who should know it, and you are set. It is not
++difficult to do.<br>
++<a href="myownca.html">Lutz's very short course on being your own
++CA</a>.</p>
++
++<h3>Using the certificates with Postfix/TLS</h3>
++
++To make the key and certificates available to Postfix/TLS, they
++must be in "PEM" format. Then you have to tell postfix in main.cf
++where to find them:
++
++<ul>
++<li>The private key:
++
++<pre>
++smtpd_tls_key_file = /etc/postfix/key.pem
++</pre>
++
++As the public key is public including the certificate (everybody
++can get a copy), everybody who has a copy of the private key can
++fake your identity. It is not too easy, as he must be able to
++redirect or intercept the IP packages sent to your server, but I
++have seen a lot of things happening. So protect this key with:
++
++<pre>
++chown root /etc/postfix/key.pem ; chmod 400 /etc/postfix/key.pem
++</pre>
++
++One more possibility for protection is a passphrase. This is
++however a problem, as you have to enter it everytime the server has
++to be started. This has to drawbacks: firstly you would have to
++enter it to postfix everytime you restart it, which I find quite
++impractical for an unattended server which might restart
++automatically after a power outage. Secondly the smtpd processes
++are independently started from master, so that master would have to
++pass the passphrase to the clients somehow. Alltogether I think
++this is impractical and so I don't support by software.</li>
++
++<li>The server certificate: This certificate is not secret, as it
++will be presented to every client anyhow, so you just name it to
++postfix:
++
++<pre>
++smtpd_tls_cert_file = /etc/postfix/cert.pem
++</pre>
++
++If you like, you can put private key and cert into one file.</li>
++
++<li>The CA certificate: To also have the CA certificate available,
++you put it into a file and name it to Postfix/TLS. We will come
++back to this file later.
++
++<pre>
++smtpd_tls_CAfile = /etc/postfix/CAcert.pem
++</pre>
++</li>
++</ul>
++
++With these certificates you should already have enough to get
++Postfix/TLS running.
++
++<h3>Postfix/TLS client mode</h3>
++
++When connecting to a server offering TLS, postfix can present a
++client certificate of its own. As realized by now, only one
++certificate can be managed, so it should be issued on your own
++hostname. No default is supplied (no certificate is presented),
++unless you explicitly set the certificate in the configuration. You
++can use the same certificate as for the server side:
++
++<pre>
++smtp_tls_key_file = /etc/postfix/key.pem
++chown root /etc/postfix/key.pem ; chmod 400 /etc/postfix/key.pem
++</pre>
++
++<pre>
++smtp_tls_cert_file = /etc/postfix/cert.pem
++</pre>
++
++<pre>
++smtp_tls_CAfile = /etc/postfix/CAcert.pem
++</pre>
++
++<h2>Client certificates</h2>
++
++One reason to do all of this work is that I want to do relaying
++based on client certificates. The clients present a certificate
++from a CA, that is unique and cannot be faked.
++
++<p>Some clients can have several certificates issued by different
++CAs. Upon connection the server will pass the client the list of
++CAs he knows (has the CA certificates) and the client can then pass
++back a certificate of choice. With Netscape this means, a window is
++opened and only those client certificates compatible with the
++server are listed for selection.</p>
++
++<p>So if your clients already have certificates from trustable
++sources, it is not necessary to create a lot of problems. You just
++have to collect the CA certificates and make them available to
++Postfix/TLS. If that is not enough, you can still become your own
++CA to easily create client certificates for your users (which are
++of course of no use outside your scope).</p>
++
++<h3>Listing CA certificates</h3>
++
++<p>You have two possibilities to perform this task.</p>
++
++<ol>
++<li>You just add the CA certificates to the <code>
++smtp[d]_tls_CAfile</code> you already have created, one after the
++other. This file is probably not very readable, but it has the
++advantage that it is read at smtpd before switching to chroot jail
++and hence works in chroot mode.</li>
++
++<li>You can add the CA certificates in single files with adequate
++names to a certificate directory specified in:
++
++<pre>
++smtpd_tls_CApath = /etc/postfix/certs
++</pre>
++
++Please don't forget to issue a <code>$OPENSSL_HOME/bin/c_rehash
++/etc/postfix/certs</code> after you have made changes, as the
++hashes are use to find the right CA certificate. This method should
++not work in chroot mode.</li>
++</ol>
++
++<h3>Adding client certificates</h3>
++
++The client certificates are issued for a DN (Distinguished Name)
++made up of company, department, name, email... As they may contain
++blanks, @ signs and colons, it is quite difficult to handle them
++with standard postfix tools.
++
++<p>A quite practical thing is that every client certificate has a
++"fingerprint" that is extremely difficult to fake (read this: from
++my knowledge, it might take years even on fast computers). I have
++to do some more research about the security of the fingerprint, but
++at least for relaying it should be secure enough. I will much
++easier find a host with worse security to send out my SPAM than to
++fake a client certificate with a matching fingerprint (which I also
++don't know to from the outside, even from the inside you might
++protect the fingerprint data with a <code>chmod 400</code>).</p>
++</body>
++</html>
++
+diff -urNad postfix-release/tls/doc/test.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/test.html
+--- postfix-release/tls/doc/test.html 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/test.html 2005-02-03 10:22:13.100087767 -0700
+@@ -0,0 +1,167 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - Testing</title>
++</head>
++<body>
++<h1>Postfix/TLS - Testing</h1>
++
++Testing the package is a little bit difficult, as the communication
++is encrypted, so that you cannot "imitate" the conversation just by
++telnetting to the SMTP port. You also cannot capture the packets
++(well, you can, but if everything is working as advertised, it
++won't help you :-).
++
++<h2>Included debugging aids</h2>
++
++As all of the messages generated by Postfix are sent to the syslog
++facility, debugging must be done using your normal system logfiles.
++Postfix/TLS supports the logging levels 0 (very quiet) up to 4 (a
++dump of the complete conversation, not recommended).
++
++<p>As a first step set <code>smpt[d]_tls_loglevel=2</code> and
++watch the logfile. Typically you will have problems with the access
++to the keys or certificates, so you will find error messages
++here.</p>
++
++<p>You can always try to send an email to <tt>
++postfix_tls-bounce at serv01.aet.tu-cottbus.de</tt> with TLS enabled
++at your side and watch, what is going to happen :-)</p>
++
++<p>While testing the interoperability with ZMailer we learned, that
++an incorrect certificate type (must be server for the server :-)
++can lead to connection failures without clear symptoms. It helps to
++use Netscape 4.5x as a client and carefully study the message boxes
++and certificate information. I have yet to find out how to identify
++this problem from postfix to print a suitable warning to the
++logfile. Hopefully it will be possible without changes in the
++OpenSSL library.</p>
++
++<h2>Platforms</h2>
++
++<ul>
++<li>Development Platform:
++
++<ul>
++<li>OS: HP-UX 10.20</li>
++
++<li>OS: Linux 2.x (SuSE Linux)</li>
++</ul>
++</li>
++
++<li>Test Client:
++
++<ul>
++<li>Software: Netscape 4.5x, Netscape 4.6x, Netscape 4.7x</li>
++
++<li>OS: HP-UX 10.20, Linux 2.x, Win95</li>
++</ul>
++</li>
++</ul>
++
++Please don't comment on the stability of Netscape, especially not
++on HP-UX...
++
++<h2>Interoperability</h2>
++
++Besides support by generic wrapper solutions, there exist specially
++crafted extensions for other MTAs:
++
++<ul>
++<li><strong>Qmail</strong> There is an OpenSource patch available,
++extending the Qmail [<a href="references.html#qmail">QMAIL</a>] MTA
++to support RFC2487, written by Frederik Vermeulen [<a href=
++"references.html#qmailtls">QMAILTLS</a>]. Sending and receiving is
++working from both sides.
++
++<p>Testing: send mail to <tt>ping at linux.student.kuleuven.ac.be</tt>
++(will send back complete email including headers).</p>
++</li>
++
++<li><strong>Zmailer</strong> The author/maintainer of ZMailer,
++Matti Aarnio, has incorporated both server and client side TLS
++support [<a href="references.html#zmailer">ZMAILER</a>].
++
++<p>Zmailer -> Postfix works fine,<br>
++Postfix -> Zmailer does not work, since ESMTP is not recognized
++(problem reported).</p>
++
++<p>Testing: send mail to <tt>autoanswer at mea.tmt.tele.fi</tt> (will
++send back headers).</p>
++</li>
++
++<li><strong>Sendmail</strong> The commercial verson of sendmail
++supports client and server TLS, both sides interoperating with
++Postfix/TLS. As of sendmail-8.11, TLS is also included with the
++opensource version [<a href=
++"references.html#sendmail">SENDMAIL</a>].
++
++<p>Testing: send mail to <tt>bounce at esmtp.org</tt> (will bounce
++error message including old headers).</p>
++</li>
++
++<li><strong>Postfix</strong> Can send emails to itself :-).
++
++<p>Testing: send mail to <tt>
++postfix_tls-bounce at serv01.aet.tu-cottbus.de</tt> (will bounce back,
++includes old headers).</p>
++</li>
++</ul>
++
++Other reports are welcome.
++
++<h2>Known interoperability problems</h2>
++
++<ul>
++<li>Postfix/TLS server: Under Win95/NT I have some problems with the
++client certificates. When opening the first connection (and
++Netscape asks for the password to access the certificate database),
++the connection hangs. This seems to be caused by Netscape: a dump
++of the communication shows, that Netscape just does not resume the
++TLS handshake.<br>
++<strong>Remark:</strong>I could not reproduce this bug recently
++after upgrading OpenSSL 0.9.4. I hope it has vanished, but maybe it
++is just a consequence of playing around with Netscape's security
++options. More testing required...<br>
++Workarounds: kill this connection, the next one will work
++immediately <strong>or</strong> use SSLv2 only (second workaround
++not recommended).
++
++<p><strong>Should finally be fixed with OpenSSL 0.9.5.</strong></p>
++</li>
++
++<li>Postfix/TLS server: Outlook Express as of Internet Explorer 5 will
++work with Postfix/TLS, but it will not present any client
++certificate. So you can encrypt your email transfer but you cannot
++authenticate (and relay) with client certificates. It only works on
++port 25 (smtp); on other ports you must use smtpd_tls_wrappermode
++instead. [<a href="references.html#oe_ssl">Microsoft
++Knowledgebase</a>]</li>
++
++<li>Postfix/TLS server: Outlook Express as of Internet Explorer 4 does not
++support RFC2487. Use smtpd_tls_wrappermode=yes on a different
++port(!) (465=smpts?) instead.</li>
++
++<li>Postfix/TLS server: Outlook Express (Mac) seems not to support
++RFC2487, you must use smtpd_tls_wrappermode on a different port(!)
++(465=smtps?) instead.</li>
++
++<li>Postfix/TLS client: MS Exchange also in recent versions (5.5) offers
++STARTTLS even if not configured (from the mailing list [<a href=
++"references.html#imcorgappstls">IETF-APPS-TLS</a>]). I could not
++test this without access to such server, so I cannot predict what
++is going to happen.</li>
++
++<li>Postfix/TLS client: TLS connections to a CommunigatePro server fail
++with a handshake error with older versions of CommunigatePro.
++Reason is a protocol violation of the CommunigatePro server with
++respect to SSL-protocol version numbering. The respective part of
++the protocol is the specification of the client_version in section
++7.4.7.1. of RFC2246.<br>
++This problem has been fixed in CommunigatePro 3.3b?? (don't know
++the exact numbering) around June 09, 2000.</li>
++</ul>
++</body>
++</html>
++
+diff -urNad postfix-release/tls/doc_french/conf.html /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/conf.html
+--- postfix-release/tls/doc_french/conf.html 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/conf.html 2005-02-03 10:22:13.101087544 -0700
+@@ -0,0 +1,600 @@
++<html>
++<head>
++<title>Untitled Document</title>
++<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
++</head>
++
++<body bgcolor="#FFFFFF">
++<p>Postfix/TLS - Configurer main.cf et master.cf </p>
++<p>Afin d'utiliser les extensions TLS vous devez renseigner quelques informations
++ a Postfix. Regardez également le fichier conf/sample-tls.cf</p>
++<p>main.cf: smtpd (serveur) variables spécifiques<br>
++ # pour utiliser TLS nous avons besoin d'un certificat et d'une clef privée. Tous
++ les deux doivent être <br>
++ # au format "PEM ",la clé privée ne doit pas être chiffrée, ce qui signifie:
++ <br>
++ # elle doit être accessible sans mot de passe. Les deux pièces (certificat et<br>
++ # clé privée) peuvent être dans le même fichier <br>
++ # <br>
++ # RSA et DSA sont des formats de certificats supportées <br>
++ # Typiquement vous pouvez seulement vous faire délivrer des certificats de RSA
++ par un CA commercial<br>
++ # Les outils OpenSSL vont, par defaut, générer des certificats
++ RSA<br>
++ # Vous pouvez avoir les deux en même temps, dans ce cas-ci le chiffrage du client
++ utilisé décide<br>
++ # Pour les clients Netscape et OpenSSL le certificat
++ de RSA est préféré.<br>
++ #<br>
++ # Afin de contrôler les certificats, le certificat CA (dans le cas d'une chaine
++ de certificats, tous les certificats CA) doit être disponible<br>
++ # Vous devez ajouter ces certificats aux certificat du serveur, ce dernier en
++ premier puis ceux émis par par le(s) CA(s)<br>
++ #<br>
++ # exemple: le certificat pour "serveur.chez.moi" a été
++ émis par "Intermediate CA"<br>
++ # qui lui même a un certificat de "root CA". Creez le fichier
++ server.pem en faisant 'cat server_cert.pem intermediate.pem > server.pem'<br>
++ #<br>
++ # Si vous voulez accepter des certificats délivrés par ces derniers en tant
++ que vous-même, vous pouvez aussi ajouter les certificats CA <br>
++ # au fichier smtpd_tls_CAfile, dans ce cas ce n'et pas nécessaire de les
++ avoir dans le fichier smtpd_tls_[d]cert_file<br>
++ #<br>
++ # Un certificat fourni ici doit être utilisable comme SSL certificat serveur
++ et par conséquent passer le test<br>
++ # "openssl verify -purpose sslserver ..." <br>
++ #<br>
++ smtpd_tls_cert_file = /etc/postfix/server.pem <br>
++ smtpd_tls_key_file = $smtpd_tls_cert_file <br>
++ # <br>
++ # Les équivalents DSA<br>
++ smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem <br>
++ smtpd_tls_dkey_file = $smtpd_tls_dcert_file <br>
++ #<br>
++ # le certificat a été délivré par une autorité de certification (CA) le certificat
++ CA de celui-ci doit être disponible<br>
++ # si il n'est pas dans le fichier de certificats.<br>
++ # Ce fichier peut également contenir les les certificats de CA d'autres CA de
++ confiance.<br>
++ # Vous devez utiliser ce fichier pour la liste de CA de confiance si vous voulez
++ utiliser le mode chroot.<br>
++ # Il n'y a pas de valeurs par defaut<br>
++ #<br>
++ # smtpd_tls_CAfile = /etc/postfix/CAcert.pem <br>
++ <br>
++ # pour vérifier le certificat de pair, nous devons connaître les certificats des
++ autorités de certification. Ces certificats sont au format PEM<br>
++ # et sont rassemblés dans un répertoire. Les mêmes CA sont offerts aux
++ clients pour la vérification. N'oubliez pas de créer<br>
++ # les tables de hachages nécessaires avec $OPENSSL_HOME/bin/c_rehash
++ /etc/postfix/certs. Une place classique<br>
++ # pour les certificats CA peut être aussi $OPENSSL_HOME/certs, il n'y
++ a donc aucune valeur par défaut et vous avez à<br>
++ # le spécifier ici<br>
++ #<br>
++ # Pour utiliser cette option en mode chrooté, ce répertoire ou
++ une copie de celui-ci doit être dans la 'cage'. Veuillez noter également<br>
++ # que les CA listés dans ce répertoire ne sont pas listés
++ aux clients, Netscape ne peut donc pas offrir de certificats émis par
++ ceux ci.<br>
++ #<br>
++ # Je n'encourage pas à l'utilisation de cette option<br>
++ <br>
++ smtpd_tls_CApath = /etc/postfix/certs <br>
++ <br>
++ # Pour obtenir des informations supplémentaires pendant la mise en place
++ et les négociations TLS<br>
++ # vous pouvez augmenter le niveau de journalisation de 0 à 4:<br>
++ # 0 : rien a propos du TLS<br>
++ # 1 : Notification de mise en route et information de certificat <br>
++ # 2 : 1 + impression des niveaux pendant la négociation <br>
++ # 3 : 2 + hexa et vidage mémoire Ascii du processus de négociation <br>
++ # 4 : 4: 3 + hexa et vidage mémoire Ascii de transmission complète après STARTTLS
++ <br>
++ # utilisez le niveau 3 uniquement en cas de problémes. L'utilisation
++ du niveau 4 est fortement déconseillée.<br>
++ #<br>
++ # smtpd_tls_loglevel = 0 <br>
++ # Afin d'inclure des informations sur le protocole et le cryptage utilisé
++ aussi bien que le client et l'émetteur <br>
++ # dans l'entête "Received:", positionnez la variable smtpd_tls_received_header
++ à true. Par défaut elle est a no, <br>
++ # du fait que cette information n'est pas forcément authentique. Seulement
++ la destination finale est fiable, <br>
++ # puisque les en-têtes pourraient avoir été modifiées entre temps.<br>
++ #<br>
++ # smtpd_tls_received_header = yes<br>
++ <br>
++ # Vous pouvez IMPOSER l'utilisation de TLS, de sorte qu'on ne permette aucune
++ commande (excepté QUIT naturellement) <br>
++ # sans TLS. Selon la RFC2487 ceci NE DOIT PAS être appliquée dans le cas d'un
++ serveur SMTP public. Cette option est <br>
++ # donc inactive par defaut et ne doit être utilisée que rarement.
++ Cette fonction implique<br>
++ # smtpd_use_tls = yes <br>
++ #<br>
++ #smtpd_enforce_tls = no <br>
++ # <br>
++ # Sans compter que quelques clients, comme outlook express prefère utiliser
++ un mode d'emballage non-standard et non les<br>
++ # améliorations STARTTLS de SMTP.<br>
++ # Ceci est vrai pour outlook express ( Win32 < 5.0 et Win 32 >= 5.0 quand
++ on l'utilise sur un port differents de 25<br>
++ # et sur 5.01 pour Mac sur tous les ports<br>
++ # Il est strictement découragé d'utiliser utiliser ce mode depuis main.cf. Si
++ vous voulez <br>
++ # supporter ce service, rajoutez un port spécial dans master.cf. Le port 465
++ (smtps) a été choisi pour ce dispositif. <br>
++ # smtpd_tls_wrappermode = no<br>
++ <br>
++ # Pour recevoir un certificat de client, le serveur doit explicitement en demander
++ un. Par conséquent Netscape se plaindra <br>
++ # si aucun certificat n'est disponible (pour la liste des CA dans /etc/postfix/certs)
++ ou vous offrira des certificats clients<br>
++ # pour choisir. Ceci peut être ennuyeux, ainsi cette option est "Off" par défaut
++ . <br>
++ # Vous aurez peut être besoin du certificat si vous voulez faire du relayage
++ à partir des certificats<br>
++ #<br>
++ # smtpd_tls_ask_ccert = no <br>
++ <br>
++ # Vous pouvez également décider D'EXIGER d'un certificat de client afin de permettre
++ des connexions de TLS. <br>
++ # Je ne pense pas que ce sera nécessaire souvent, il est cependant inclus ici.
++ Cette option smtpd_tls_ask_ccert = yes<br>
++ # <br>
++ # Notez bien que ceci empêchera des connexions TLS sans un certificat approprié,
++ et n'a de sens que dans le cas<br>
++ # de soumission normal desactivée (smtpd_enforce_tls). Autrement les
++ clients peuvent éviter ceci en n'utilisant pas du tout <br>
++ # STARTTLS. Quand TLS n'est pas imposé, la connexion ne sera traitée comme
++ si smtpd_tls_ask_ccert = yes <br>
++ # était activé et une information est journalisée.<br>
++ <br>
++ # smtpd_tls_req_ccert = no<br>
++ <br>
++ # la profondeur de vérification pour des certificats de client. Une profondeur
++ de 1 est suffisante si le certificat<br>
++ # est émis directement par un CA listé dans la liste des CA.<br>
++ # La valeur par defaut (5) suffit également pour de plus longues chaînes (le
++ root CA émet le CA spécial <br>
++ # qui délivre alors le certificat réel...)<br>
++ <br>
++ # smtpd_tls_ccert_verifydepth = 5 <br>
++ <br>
++ # le serveur et le client négocient une session, qui prend un certain temps
++ machine et une largeur de bande passante.<br>
++ # La session est cachée seulement dans le processus de smtpd réellement en utilisant
++ cette session et est détruite <br>
++ # quand le processus meurt pour partager l'information de session entre les
++ processus de smtpd, <br>
++ # antémémoire de session peut être utilisée avec des bases de données
++ SDBM (sous-programmes inclus dans Postfix/TLS)<br>
++ # Puisque l'écriture concourante doit être supportée seulement SDBM peut être
++ utilisé. <br>
++ <br>
++ smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache <br>
++ <br>
++ # les sessions cachées ont un delais d'attente. Je n'utilise pas le défaut d'OpenSSL
++ de 300sec, mais un plus long temps <br>
++ # de 3600sec (= 1 heure). RFC2246 recommande un maximum de 24 heures <br>
++ <br>
++ # smtpd_tls_session_cache_timeout = 3600s <br>
++ <br>
++ # deux options supplémentaires a été ajoutées pour la commande de relais aux
++ règles d'UCE<br>
++ # permit_tls_clientcerts (a) <br>
++ # et <br>
++ # permit_tls_all_clientcerts. (b) <br>
++ # <br>
++ # Si une de ces options est ajoutée <br>
++ # smtpd_recipient_restrictions<br>
++ # postfix va relayer si<br>
++ # (a) Un client valide (vérification faite) est présenté
++ et que son empreinte est inscrite dans la liste des certificats clients<br>
++ # (relay_clientcerts), <br>
++ # (b) n'importe quel client valide (vérification faite) est présenté.<br>
++ #<br>
++ # L'option (b) doit seulement être utilisée, si un CA spécial délivre les certificats
++ et seulement ce CA <br>
++ # est énuméré en tant que CA de confiance. Si on fait confiance à d'autres
++ CA tout propriétaire d'un certificat client valide <br>
++ # peut être relayé. L'option (b) peut être pratique pour un relais
++ spécialement créé. Il est recommande cependant de rester
++ <br>
++ # avec l'option (a) et d'énumérer tous les certificats, car (b) ne permet aucun
++ contrôle quand un certificat ne doit<br>
++ # plus être utilisé (par exemple un employé partant). <br>
++ <br>
++ # smtpd_recipient_restrictions = ... permit_tls_clientcerts ...<br>
++ <br>
++ # La liste de certificats de client pour lesquels le relais sera permis.<br>
++ # Malheureusement les sous-programmes pour des listes utilise des espaces comme
++ séparateurs <br>
++ # et s'emmèle sur les caractères spéciaux<br>
++ # Ainsi l'utilisation du certificat # du X509ONELINES est tout à fait impraticable.
++ Nous utiliserons donc <br>
++ # les empreintes digitales à ce point, car il est difficile de les truquer mais
++ facile à utiliser pour la consultation <br>
++ # pendant que le postmap (en utilisant par exemple le DB) exige d'avoir une
++ paire de clé et de valeur, <br>
++ # mais nous avons besoin seulement de la clef, la valeur pouvant être choisie
++ librement, par exemple le nom <br>
++ # de l'utilisateur ou de l'hôte: <br>
++ # D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home<br>
++ <br>
++ # relay_clientcerts = hash:/etc/postfix/relay_clientcerts <br>
++ <br>
++ # Pour influencer la sélection du cryptage, vous pouvez donner une liste
++ de cryptage.<br>
++ # Une description complète irait troin loin ici, allez voir la documentation
++ sur le site d'OpenSSL<br>
++ # Si vous ne savez pas quoi faire avec, n'y touchez pas et laissez celui d'openssl
++ par defaut <br>
++ # N'UTILISEZ PAS " pour entourer la chaîne de caractères, juste la chaîne de
++ caractères!!! <br>
++ #<br>
++ # smtpd_tls_cipherlist = default<br>
++ <br>
++ # Si vous voulez tirer profit du chiffrage avec EDH, les paramètres de DH sont
++ nécessaires.<br>
++ # Ils sont construits dans les paramètres DH pour à la fois le
++ 1025éme et le 512éme bit disponible<br>
++ # Il vaut mieux cependant avoir ses "propres" paramètres, puisqu'autrement
++ ce serait "payant" pour un<br>
++ # 'pirates' d'attaquer en brute force ces paramètres qui sont utilisés
++ communément.<br>
++ # Pour cette raison, les paramètres choisis sont déjà différents de ceux distribués
++ avec le package TLS<br>
++ <br>
++ # Pour produire de votre propre ensemble de paramètres, faites :<br>
++ # openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
++ <br>
++ # openssl gendh -out /etc/postfix/dh_512.pem -2 -rand /var/run/egd-pool 512
++ <br>
++ # Votre source pour la génération aléatoire peut varier;
++ sur des ystèmes linux c'est /dev/random<br>
++ # Pour d'autres systèmes vous pouvez consulter "Entropy Gathering Daemon
++ EGD", <br>
++ # disponible sur http://www.lothar.com/tech/crypto/. <br>
++ <br>
++ smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem <br>
++ smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem <br>
++ <br>
++ # le smtpd_starttls_timeout paramètre la limite de temps en secondes pour
++ lire et écrire<br>
++ # les opérations pendant les procédures de 'serrages de mains'
++ (SSL handshake) <br>
++ # <br>
++ # smtpd_starttls_timeout = 300s <br>
++ <br>
++ # Main.cf smtp (client) variables spécifiques<br>
++ # Pendant la négociation de démarrage nous pourrions présenter un certificat
++ au serveur. Netscape <br>
++ # est plutôt intelligent ici et laisse l'utilisateur choisi entre seulement
++ ceux qui corresipondront à ceux reçus du serveur<br>
++ # Comme j'utilise simplement la commande "SSL_connect()" du package OpenSSL,
++ ceci n'est pas encore possible<br>
++ # et nous ne devons choisir qu'un certificat.<br>
++ # Le paramètre par defaut est de n'utiliser aucun certificat/clef a moins
++ de de le définir ici.<br>
++ # Si un certificat est présent il doit être au format PEM, la clef
++ privée ne doit pas être encryptée : concrétement<br>
++ # cela veut dire qu'elle doit être accessible sans mot de passe. LA clef
++ et le certificats peuvent être dans le même fichier.<br>
++ <br>
++ # Afin de contrôler les certificats, le certificat CA doit être
++ disponible (dans le cas d'une chaine de certificats, tous les <br>
++ # certificats CA).<br>
++ # Exemple: le certificat pour "moi.chez.moi.fr" a été
++ émis par "intermedaire CA" qui lui-même<br>
++ # a un certificat de "racine CA". Créez le client.pem par :
++ <br>
++ # 'cat client_cert.pem intermediaire_CA.pem racine_CA.pem > client.pem'<br>
++ # <br>
++ # Si vous voulez accepter vous mêmes les certificats émis par ces
++ CA, vous pouvez également ajouter<br>
++ # les certificats CA au fichier smtp_tls_CAfile, dans ce cas il n'est pas nécessaire
++ de les avoir <br>
++ # dans le fichier smtp_tls_[d]cert_file<br>
++ <br>
++ # Un certificat fourni ici doit être utilisable en tant que certificat de client
++ de SSL et passer le test<br>
++ # "openssl verify -purpose sslclient ..." <br>
++ <br>
++ smtp_tls_cert_file = /etc/postfix/client.pem <br>
++ smtp_tls_key_file = $smtp_tls_cert_file <br>
++ <br>
++ # Le certificat a été délivré par une autorité de certification (CA), son certificat
++ CA doit être disponible, si il n'est<br>
++ # pas dans le fichier de certificat<br>
++ # Ce fichier peut aussi contenir les certificats CA d'autres CA de confiance.<br>
++ # Vous devez utiliser ce fichier pour lister les CA de confiance si voulez utiiser
++ le mode chroot<br>
++ # Cette variable n'a aucune valeur fixèe par défaut<br>
++ <br>
++ smtp_tls_CAfile = /etc/postfix/CAcert.pem <br>
++ <br>
++ # Pour vérifier le certificat de pair, nous devons connaître les certificats des
++ autorités de certification. Ces certificats <br>
++ # au format PEM sont rassemblés en répertoire. N'oubliez pas de créer
++ les tables de hachage nécessaires avec<br>
++ # un $OPENSSL_RACINE/bin/c_rehash /etc/postfix/certs, il n'y a pas de valeurs
++ par defaut et vous devez en <br>
++ # renseigner une ici<br>
++ # Pour utiliser cette option en mode chroot, ce repertoire ou une copie de celui-ci
++ doit être dans la cage<br>
++ <br>
++ smtp_tls_CApath = /etc/postfix/certs <br>
++ <br>
++ # Pour obtenir des informations suplémentaires pendant la mise en place
++ et les négociations TLS<br>
++ # vous pouvez augmenter le niveau de journalisation de 0 à 4:<br>
++ # 0 : rien a propos du TLS<br>
++ # 1 : Notification de mise en route et information de certificat <br>
++ # 2 : 1 + impression des niveaux pendant la négociation <br>
++ # 3 : 2 + hexa et vidage mémoire Ascii du processus de négociation <br>
++ # 4 : 4: 3 + hexa et vidage mémoire Ascii de transmission complète après STARTTLS
++ <br>
++ # utilisez le niveau 3 uniquement en cas de problémes. L'utilisation
++ du niveau 4 est fortement déconseillée.<br>
++ <br>
++ smtp_tls_loglevel = 0 <br>
++ <br>
++ # le serveur et le client négocient une session, qui prend un certain temps
++ machine machine et une certaine bande passante.<br>
++ # La session est cachée seulement dans le processus de smtpd réellement en utilisant
++ cette session et est détruite <br>
++ # quand le processus meurt pour partager l'information de session entre les
++ processus de smtpd, <br>
++ # antémémoire de session peut être utilisée avec des bases de données
++ SDBM (sous-programmes inclus dans Postfix/TLS)<br>
++ # Puisque l'écriture concourante doit être supportée, seulement SDBM peut être
++ utilisé. <br>
++ <br>
++ smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache <br>
++ <br>
++ # les sessions cachées ont un delais d'attente. Je n'utilise pas le défaut d'OpenSSL
++ de 300sec, mais un plus long temps <br>
++ # de 3600sec (= 1 heure). RFC2246 recommande un maximum de 24 heures <br>
++ <br>
++ # Par defaut TLS est désactivé, ainsi aucune différence au Postfix
++ ordinaire n'est visible. Si vous l'activez <br>
++ # TLS sera utilisé quand le serveur l'offrira.<br>
++ # ATTENTION : Je n'ai pas eu accès à d'autres logiciels (autres que ceux énumérés)
++ pour tester l'interaction.<br>
++ # Sur certaines listes de diffusions il y a eu une discussion a propos des serveurs
++ MS EXCHANGE qui offre TLS<br>
++ # même si il n'est pas configuré, ainsi il pourrait être sage de
++ ne pas utiliser ceci sur votre serveur central de messagerie<br>
++ # car vous ne savez pas à l'avance si vous allez rencontrer ce genre
++ de serveur. Utilisez les options de recipient/site à la place .<br>
++ # Conseil: je l'ai activé sur mes serveurs de courrier et je n'a eu qu'une
++ panne depuis que la version client de TLS <br>
++ # est implémentée (c'était un serveur EXCHANGE mal configuré,
++ j'ai contacté l'administrateur).<br>
++ # Par conséquent j'en suis satisfait de l'utiliser tout le temps, mais
++ je suis toutefois intéressé par des tests.<br>
++ # Cependant vous aurez été prévenu ;-)<br>
++ <br>
++ # Dans le cas d'un echec, un code "4xx" (ndt: erreur temporaire) est
++ émis et le message reste dans la file d'attente<br>
++ # Spécifiez le ici si vous le voulez<br>
++ <br>
++ smtp_use_tls = yes <br>
++ <br>
++ # Vous pouvez IMPOSER l'utilisation de TLS, de sorte que seulement des connexions
++ avec TLS soient acceptées<br>
++ # De plus, le nom de l'hôte doit être identique au nom contenu dans
++ le certificat. En outre, le certtificat doit <br>
++ # passer avec succès la vérification, le client doit faire confiance
++ à l'entité de certification qui a émis le certificat.<br>
++ # Si le certificat ne correspond pas au nom de la machine ou si le test de vérification
++ échoue un code "4xx" <br>
++ # va être envoyé et le message va rester en file d'attente.<br>
++ # Le nom d'hôte utilisé est évident, en effet il doit être
++ le nom principal de la machine (pas de CNAME ici).<br>
++ # Le comportement peut être changé avec l'option de smtp_tls_enforce_peername
++ <br>
++ <br>
++ # smtp_tls_enforce_peername = yes <br>
++ <br>
++ # Comme offrir TLS par défaut peut être une mauvaise idéee
++ (quelques machines offre STARTTLS mais<br>
++ # la négociation va échouer avec des erreurs inexpliquables, il
++ peut être une bonne idée de décider selon<br>
++ # le destinataire ou la machine distante sur laquelle vous vous connectez<br>
++ <br>
++ # Décider par destinataire peut être difficile, car un seul message
++ peut avoir plusieurs destinataires.<br>
++ # Nous allons utiliser le mécanisme "nexthop" (prochain saut)
++ interne de Postfix.<br>
++ # Quand un message va être délivré, the "nexthop"
++ est obtenu. Si il correspond à une entrée<br>
++ # dans la liste smtp_tls_per_site, une action appropriée est effectuée<br>
++ # Une entrée dans la table de transport ou l'utilisation de relay_host
++ réecrivent le paramètre "nexthop"<br>
++ # dans ce cas l'hôte de relayage doit être indiqué dans la
++ liste. Dans tous les cas le nom <br>
++ # de l'hote à contacter est résolu (en fait l'enregistrement MX
++ ou le nom de la machine si il n'y a pas de MX)<br>
++ # Conseil spécial pour le renforcement: <br>
++ # puisqu'il n'y a aucun moyen disponible pour sécuriser les résolutions
++ DNS , le paramètrage recommandé est:<br>
++ # mettez les domaines sensibles dans une table de transport (vous pouvez ainsi
++ vous assurer de la sécurité<br>
++ # de cette table à la différence de DNS), puis paramétrez
++ à MUST cet hôte de messagerie.<br>
++ <br>
++ # Format de la table:<br>
++ # Le entrées clefs sont sur le coté gauche, les jokers ne sont
++ pas autorisés. Sur la partie droite<br>
++ # les mots clefs NONE (n'utilise pas TLS), MAY (essaye d'utiliser TLS si il
++ est offert, sinon pas de problèmes)<br>
++ # MUST (force l'usage de TLS, vérifie le nom du certificat server avec
++ le nom du serveur), MUST_NOPEERMATCH<br>
++ # (force l'usage de TLS et vérifie le certificat, mais ignore les différences
++ entre le nom commun du certificat et le nom<br>
++ # de la machine).<br>
++ # dom.ain NONE <br>
++ # host.dom.ain MAY <br>
++ # important.host MUST <br>
++ # some.host.dom.ain MUST_NOPEERMATCH </p>
++<p># Si une entrée ne correspond pas la politique par défaut est
++ appliquée; si la politique par défaut est "enforce",<br>
++ # NONE la désactive explicitement, sinon le mode "enforce"
++ est utilisé même pour les entrées "MAY"<br>
++ # <br>
++ smtp_tls_per_site = hash:/etc/postfix/tls_per_site <br>
++ <br>
++ # la profondeur de vérification pour des certificats de client. Une profondeur
++ de 1 est suffisante si le certificat<br>
++ # est émis directement par un CA listé dans la liste des CA.<br>
++ # La valeur par defaut (5) suffit également pour de plus longues chaînes (le
++ root CA émet le CA spécial <br>
++ # qui délivre alors le certificat réel...) <br>
++ <br>
++ # smtp_tls_scert_verifydepth = 5 <br>
++ <br>
++ # Comme nous avons décidé d'opter pour une politique "par site"
++ afin d'utiliser ou non TLS, il serait interessant<br>
++ # d'avoir une liste de sites offrant STARTTLS. Nous pouvons la récupérer
++ nous mêmes avec cette option:<br>
++ # Si ce paramètre est activé et que TLS n'est pas activé
++ pour cet hôte, une ligne est ajouté dans le fichier<br>
++ # de journalisation:<br>
++ # postfix/smtp[pid]: Host offered STARTTLS: [nom.de.la.machine] <br>
++ # smtp_tls_note_starttls_offer = yes <br>
++ <br>
++ # Pour influencer la sélection du cryptage, vous pouvez donner une liste
++ de cryptage.<br>
++ # Une description complète irait troin loin ici, allez voir la documentation
++ sur le site d'OpenSSL<br>
++ # Si vous ne savez pas quoi faire avec, n'y touchez pas et laissez celui d'openssl
++ par defaut <br>
++ # N'UTILISEZ PAS " pour entourer la chaîne de caractères, juste la chaîne de
++ caractères!!! <br>
++ #<br>
++ # smtp_tls_cipherlist = DEFAULT <br>
++ <br>
++ # le smtp_starttls_timeout paramètre limite le temps en secondes pour
++ lire et écrire<br>
++ # les opérations pendant les procédures de 'serrages de mains'
++ (SSL handshake) <br>
++ # <br>
++ # smtp_starttls_timeout = 300s <br>
++</p>
++<p>main.cf : variables générales</p>
++<p># Afin d'alimenter le PRNG Pseude Random Number Generator (pseudo générateur
++ de nombres aléatoires),<br>
++ # des données aléatoires sont nécéssaires. Le 'stock'
++ de PRNG est mis à jour par le démon "tlsmgr" et est
++ utilisé (lu) <br>
++ # par les process smtp(d) après avoir ajouté encore plus d'entropie par l'agitation
++ du temps et de l'identifiant du process.<br>
++ # le fichier, qui est de temps en temps réécrit par tlsmgr, est
++ créé si il n'existe pas. Une valeur par défaut est donnée<br>
++ # et doit sûrement être dans la partition /var mais PAS dans la
++ cage de chroot.<br>
++ <br>
++ # tls_random_exchange_name = /etc/postfix/prng_exch <br>
++ <br>
++ # Pour alimenter le stock PRNG, l'entropie est lue depuis une source externe,
++ à la fois au démarrage et pendant l'éxecution<br>
++ # Spécifiez ici une bonne source, comme EGD ou /dev/urandom, soyez certains
++ de ne pas utiliser des sources bloquantes<br>
++ # Dans les deux cas, 32 octets sont lus à chaque 'alimentation' (qui
++ est une quantité de 256 bits et par conséquent <br>
++ # assez bon pour des clefs symétriques de 128bits)<br>
++ # Vous devez spécifier la type de sources : "dev:" pour un
++ pour un fichier spécial de périphérique ou "egd:" pour<br>
++ # une source avec un port de communication (socket) compatible avec l'interface
++ EGD. Un maximum de 255 octets<br>
++ # est lu depuis ces sources à chaque étape.<br>
++ # Si vous spécifiez un fichier normal, un plus grand nombre de données
++ peut être lu.<br>
++ <br>
++ # La source d'entropie est interrogée de nouveau après un certains
++ temps. ce temps est calculé en utilisant le PRNG,<br>
++ # il est compris entre 0 et le temps spécifié, un defaut est spécifié
++ à 1 heure<br>
++ <br>
++ # tls_random_source = dev:/dev/urandom <br>
++ tls_random_source = egd:/var/run/egd-pool <br>
++ # tls_random_bytes = 32 <br>
++ # tls_random_reseed_period = 3600s <br>
++ <br>
++ # Le stock PRNG dans tlsmgr est utilisé pour regénérer
++ le fichier de 1024 octets qui est lu par smtp(d). Le temps, après lequel<br>
++ # le fichier d'échange se trouve regénéré est calculé
++ en utilisant le PRNG, il est compris entre 0 et le temps spécifié,
++ <br>
++ # le defaut est un maximum de 60 secondes<br>
++ <br>
++ # tls_random_upd_period = 60s<br>
++ <br>
++ # Si vous avez une source d'entropie disponible, qui n'est pas facilement vidée
++ (comme /dev/urandom), les démons<br>
++ # peuvent aussi charger une entropie supplémentaire au démarrage
++ depuis une source spécifiée. Par défaut une quantité<br>
++ # de 32 octets est lue, équivalent à 256 bits. Ceci est plus que suffisant pour
++ générer une clef de session de 128 (ou 168) bits<br>
++ # mais nous avons à en générer plus d'une. L'utilisation
++ de cette option peut vider EGD (en prenant le cas de 50 smtp <br>
++ # démarrant avec une file d'attente pleine en faisant "postfix start",
++ ceci devrait requérir 1600 octets d'entropie). Ceci<br>
++ # n'est cependant pas une cause d'arrêt, du fait que les données
++ d'entropie peuvent être lues depuis le fichier d'échange.<br>
++ <br>
++ # tls_daemon_random_source = dev:/dev/urandom <br>
++ tls_daemon_random_source = egd:/var/run/egd-pool <br>
++ # tls_daemon_random_bytes = 32 </p>
++<p>master.cf: le démon tlsmgr</p>
++<p>Si vous n'avez pas de périphérique /dev/urandom ou si vous n'utilisez
++ pas le système de cache de session, vous devez lancer <br>
++ le démon tlsmgr (voir conf/master.cf). Tlsmgr a besoin d'avoir accés
++ à la source d'entropie et ne peut (encore) être éxécuté
++ <br>
++ dans une cage. Il peut restreindre ses privilèges, si les sources d'entropie
++ (par exemple /dev/urandom ou un port de communication<br>
++ (socket) EGD) n'ont pas des restrictions d'accès.<br>
++ <br>
++ # ==========================================================================
++ <br>
++ # service type private unpriv chroot wakeup maxproc command + args <br>
++ # (yes) (yes) (yes) (never) (50) <br>
++ # ==========================================================================
++ <br>
++ tlsmgr fifo - - n 300 1 tlsmgr </p>
++<p>master.cf: services supplémenentaires</p>
++<p> Il peut être pratique d'avoir postfix écoutant sur des ports supplémentaires,
++ nommés "submission"=587 pour la <br>
++ soumission d'email comme défini dans la RFC2476; c'est particulièrement utile
++ si vous voulez permettre une authentification<br>
++ avec des mots de passes en clair (PLAIN,LOGIN) et par conséquent exécuter sur
++ un port avec l'application de <br>
++ chiffrement. Un autre port utile peut être "smtps"=465 qui a été destiné pour
++ l'emballage TLS et qui est toujours<br>
++ utlisé par outlook (express)<br>
++ <br>
++ Les deux entrées d'exemple contiennent déjà les indicateurs pour permettre l'authentification
++ de SASL (qui peut être <br>
++ desactivé sur le port normal). Puisque les noms réels de service sont
++ utilisés, les smtps et la soumission doivent être définis<br>
++ dans /etc/services (et probablement aussi dans / var/spool/postfix/etc/services
++ si éxecuté dans une cage)!!! <br>
++ (utilisez les numéros de ports autrement.) <br>
++ <br>
++ # ==========================================================================
++ <br>
++ # service type private unpriv chroot wakeup maxproc command + args <br>
++ # (yes) (yes) (yes) (never) (50)<br>
++ # ==========================================================================
++ <br>
++ smtps inet n - y - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
++ <br>
++ submission inet n - y - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
++</p>
++</body>
++</html>
+diff -urNad postfix-release/tls/doc_french/index.html /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/index.html
+--- postfix-release/tls/doc_french/index.html 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/index.html 2005-02-03 10:22:13.101087544 -0700
+@@ -0,0 +1,35 @@
++<html>
++<head>
++<title>Untitled Document</title>
++<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
++</head>
++
++<body bgcolor="#FFFFFF">
++<p><b>Postfix/tls - Une extension TLS pour Postfix </b></p>
++<p><b>Contenu : </b></p>
++<p><a href="intro.html">Introduction </a></p>
++<p><a href="install.html">Installation de la mise à jour </a></p>
++<p><a href="setup.html">Configurer les certificats </a></p>
++<p><a href="conf.html">Configurer main.cf </a></p>
++<p><a href="security.html">Considérations de sécurité </a></p>
++<p><a href="test.html">Tester </a></p>
++<p>RAPPELEZ VOUS QU'IMPORTER/EXPORTER ET/OU L'USAGE DE LOGICIELS USANT<br>
++ DE CHIFFREMENT FORT, FOURNIR DES POINTS D'ENTREE POUR DES FONCTIONS <br>
++ CRYPTOGRAPHIQUES OU DIVULGUER DES TECHNIQUES DE CRYPTOGRAPHIE EST<br>
++ ILLEGAL DANS CERTAINES PARTIES DU MONDE. DONC SI VOUS IMPORTEZ CE <br>
++ PAQUET DANS VOTRE PAYS, LE REDISTRIBUEZ DEPUIS ICI OU MEME JUSTE<br>
++ ENVOYER DES SUGGESTIONS TECHNIQUES PAR COURRIER ELECTRONIQUE OU <br>
++ MEME DES CORRECTIONS DE SOURCES A L'AUTEUR OU D'AUTRES PERSONNES<br>
++ VOUS ETES LARGEMENT INVITE A FAIRE ATTENTION A TOUTES LES LOIS<br>
++ CONCERNANT L'IMPORT/EXPORT QUI S'APPLIQUENT DANS VOTRE PAYS.<br>
++ L'AUTEUR DE POSTFIX/TLS NE PEUT PAS ETRE TENU POUR RESPONSABLE EN CAS<br>
++ DE VIOLATION. DONC FAITES TRES ATTENTION, IL EN VA DE VOTRE RESPONSABILITE.</p>
++<p> </p>
++<p>Lutz Jänicke,<a href="http://www.aet.tu-cottbus.de/personen/jaenicke/"> Homepage</a>,
++ Email: <a href="mailto:Lutz.Jaenicke at aet.TU-Cottbus.DE">Lutz.Jaenicke at aet.TU-Cottbus.DE</a>
++</p>
++Merci a tous ceux qui m'ont aidé sur #linuxfr ;-)
++</body>
++</html>
++
++
+diff -urNad postfix-release/tls/doc_french/install.html /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/install.html
+--- postfix-release/tls/doc_french/install.html 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/install.html 2005-02-03 10:22:13.101087544 -0700
+@@ -0,0 +1,57 @@
++<html>
++<head>
++<title>Untitled Document</title>
++<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
++</head>
++
++<body bgcolor="#FFFFFF">
++<p>postfix/TLS - Installation de la mise a jour</p>
++<p>Prérequis:<br>
++ Postfix Version 2.1.0<br>
++ http://www.postfix.org </p>
++<p>L'utilisation d'autres versions pourrait mener à des conflits ou à des pannes
++ silencieuses du fait que nous intervenons directement sur le code source.<br>
++ OpenSSL Version 0.9.5 ou plus (0.9.7d recommandée)<br>
++ http://www.openssl.org</p>
++<p>Nous utilisons OpenSSL comme bibliothèque (et quelques outils en ligne de commande
++ pour créer les certificats, au besoin). OpenSSL est le successeur de SSLeay.
++</p>
++<p>Postfix/TLS utilise les propriétés qui sont seulement disponibles à
++ partir de la version 0.9.5 des bibliothèque OpenSSL. 0.9.5a a prouvé une stabilité
++ au delà de plusieurs mois. La dernière version 0.9.7d contient plusieurs
++ améliorations et a prouvé sa stabilité jusqu'ici. <br>
++ Vous pouvez également avoir à mettre à jour votre utilitaire 'patch'(voir ci-dessous).
++</p>
++<p>Mettre à jour:</p>
++<p>Les modifications du code source de Postfix tout comme les fichiers supplementaires
++ sont inclus dans le fichier "pfixtls.diff" dans le répertoire
++ principal du kit de mise à jour.<br>
++ Pour appliquer la mise à jour, allez dans le répertoire parent de l'arborescence
++ des sources originales de Postfix (vous devez voir "postfix-xxxxxx"
++ ou "snapshot-xxxxxx" quand vous faites un "ls -al" depuis
++ ce repertoire. La mise à jour est alors appliquee par:</p>
++<p>patch -p0 < chemin-de/pfixtls.diff </p>
++<p>Si vous avez des problèmes pendant le processus de mise à jour (par exemple avec les
++ includes de HP-UX 10.20 ou de Solaris), vous devriez mettre à jour votre utilitaire de patch,
++ par exemple un GNU-patch plus récent.<br>
++ Si vous avez besoin d'appliquer la mise à jour sur une autre version de postfix, vous
++ pouvez essayer:<br>
++ cd repertoire-postfix; patch -p1 < chemin-de/pfixtls.diff <br>
++ Puisque la mise à jour est sous forme unifiée, elle peut être également
++ appliqué à un code source modérément modifié
++ sans que des conflits apparaissent.</p>
++<p>Compiler</p>
++<p>Apres être mis à jour; postfix va se configurer et se compiler comme
++ avant. Dans le but d'activer les fonctions TLS, vous devez spécifier
++ le chemin des headers OpenSSL ainsi que les bibliothéques appropriées,
++ et vous devez définir USE_SSL. Votre commande pour la configuration doit
++ être :<br>
++ make makefiles CCARGS="-DUSE_SSL -I/usr/local/ssl/include" AUXLIBS="-L/usr/local/ssl/lib
++ -lssl -lcrypto" <br>
++ Vous pourriez avoir besoin de personnalisation supplémentaire par exemple pour
++ l'usage des Berkeley-DB comme énuméré dans les instructions INSTALL de postfix
++ . Vous pouvez alors continuer de la manière habituelle avec: <br>
++ make</p>
++<p>et ensuite suivre les instructions du fichier INSTALL de postfix</p>
++</body>
++</html>
+diff -urNad postfix-release/tls/doc_french/intro.html /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/intro.html
+--- postfix-release/tls/doc_french/intro.html 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/intro.html 2005-02-03 10:22:13.102087321 -0700
+@@ -0,0 +1,116 @@
++<html>
++<head>
++<title>Untitled Document</title>
++<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
++</head>
++
++<body bgcolor="#FFFFFF">
++<p>Postfix/TLS - Introduction</p>
++<p>Postfix/PLS est une extension du MTA Postfix dans le but de supporter le protocole
++ TLS</p>
++<p>Une note à propos du démarrage du projet</p>
++<p>Quand j'ai commencé a écrire ce programme, j'avais en tête un un moyen sophistiqué
++ pour autoriser le relayage de mes utilisateurs itinérants. En
++ attendant ce projet vit de lui-même.</p>
++<p>RFC2246 : le protocol TLS (anciennement SSL)</p>
++<p>Par défaut toutes les communications sur internet sont faites sans cryptage
++ et sans authentification forte. Cela signifie que toute personne avec un accès
++ physique au chemin de communication qu'emprunte un paquet peut écouter vos communications.
++ Pire, il est même possible de rediriger ou de modifier vos communications donc
++ l'information que vous voulez envoyer à quelqu'un peut être perdue ou modifiée
++ à votre insu.</p>
++<p>Dans le but de résoudre ces problèmes de sécurité, le protocole SSL (Secure
++ Socket Layers), présenté par Netscape inc.,
++ a maintenant évolué en protocole TLS (Transportation Layer Security)
++ standardisé par la <a href="http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/doc/rfc2246.txt">RFC2246</a>.
++ Cela permet à la fois le cryptage de la communication (arrêt des
++ écoutes) et l'authentification forte (être sûr que les deux parties de
++ la communication sont correctement identifiées et que la communication
++ ne peut pas être altérée)</p>
++<p>Postfix/TLS ne réalise pas le protocole TLS lui-même, il utilise
++ plutôt le package OpenSSL pour cette tâche. Sur le site d'OpenSSL, vous
++ trouverez aussi des liens vers une documentation plus approfondie sur le
++ protocole et ses dispositifs, il n'est donc pas nécessaire de les inclure
++ ici. (Et, bien sûr il n'y a aucune utilité de réécrire ce
++ que d'autres ont déjà ecrits, cela présente juste l'intérêt
++ de rajouter des erreurs)</p>
++<p> </p>
++<p>RFC2487: Présentation de TLS a SMTP</p>
++<p>L'intégration du protocole TLS au protocole SMTP (Simple Mail Transport Protocol)
++ est décrit dans la RFC2487</p>
++<p>À la différence des premières incarnations du SSL comme 'emballage'
++ d'une communication normale [STUNNEL] [JONAMA], le protocole TLS est maintenant
++ complétement intégré dans SMTP : pendant la négociation
++ de départ (EHLO) le serveur offre le support de TLS avec la commande
++ STARTTLS. Le client peut maintenant envoyer la commande STARTTLS pour permettre
++ l'authentification et passer en mode crypté.</p>
++<p>Postfix/TLS : Ce qu'il peut faire pour vous </p>
++<p>La liste de fonctions présentée ici doit être comprise
++ comme une liste d'idées. Toutes ne sont pas encore réalisées,
++ regardez bien les notes pour chaque fonction.</p>
++<p>Encryption de message d'une machine à une autre:<br>
++ Etat: Fait<br>
++ Commentaire: une fois que la negociation STARTTLS est réalisée,
++ la communication entre les deux machines est cryptée. Ceci inclue aussi
++ les enveloppes MAIL FROM: et RCPT TO:, les 'sniffeurs' ne seront pas capables
++ d'avoir ces informations.</p>
++<p>Authentification de l'hôte récepteur afin d'éviter une interception<br>
++ Etat: Fait<br>
++ Commentaire: Ceci est une fonction importante qui n'est pas difficile a implementer.
++ Le problème est en fait que toutes les machines (en fait presque aucune) ne
++ supportent pas ce protocole. L'expéditeur doit par conséquent mettre à jour une liste
++ de récepteurs qui doivent s'identifier par TLS, sinon quelqu'un peut intercepter
++ la session et ne pas prèsenter la commande STARTTLS, dans ce cas, aucune authentification
++ n'est faite. On doit également faire attention à utiliser le nom correct du
++ serveur (voir le CNAME), mais ce problème est le même pour des serveurs HTTP.</p>
++<p>Authentification de l'hote émetteur afin d'éviter la contrefaçon<br>
++ Etat: Fait<br>
++ Commentaire: Ceci est l'idée à l'origine de ce projet, ce fut
++ donc la première réalisation. Basé sur le certificat du
++ client MTA (ou MUA) présenté au serveur, le relayage peut être
++ ainsi autorisé.</p>
++<p>D'autres idées:<br>
++ Etat: envoyez moi un message</p>
++<p>Postfix/TLS: ce qu'il ne peut pas faire pour vous</p>
++<p>Voici un point sur lequel je veux insister:</p>
++<p>Garantir l'intimité de votre correspondance<br>
++ Etat: ne peut pas etre fait<br>
++ Commentaire: La RFC2487 ne prend en compte uniquement le transport entre deux
++ serveurs de courrier. Pour vous assurer que personne ne peut 'sniffer' votre
++ correspondance il faudrait que:<br>
++ - Tous les serveurs de courrier soient forcés en TLS<br>
++ - Tous les serveurs eux-mêmes soient dignes de confiance, car l'email est seulement
++ chiffré pendant le transport, pas en spool ni en queue.<br>
++ - La destination soit digne de confiance, car le courrier est spoolé en
++ clair et toute personne pouvant accéder à votre boite aux lettres (root par exemple)
++ peut lire votre courrier! <br>
++ Par conséquent, si vous voulez une intimité plus conséquente, vous devez
++ envoyer votre email chiffré, par exemple en utilisant S/MIME ou le module traditionnel
++ de PGP</p>
++<p>Authentifier l'émetteur du message<br>
++ Etat: ne peut être fait<br>
++ Commentaire: Beaucoup de MUA envoient les messages juste en se connectant sur
++ le port SMTP de l'hôte local ou du mailhub le plus proche. il n'y a aucun moyen
++ de s'assurer que l'émetteur listé dans le message est bien l'émetteur
++ réel. Et même si il était possible d'identifier l'émetteur,
++ le contenu du message pourrait avoir été modifié entre
++ temps.<br>
++ Pour assurer l'identité de l'expéditeur et l'intégrité de l'email, vous pouvez
++ encore employer S/MIME ou PGP. </p>
++<p>D'autres packages Opensource:<br>
++ Depuis la version 8.11 sendmail intègre le support de la RFC2487.<br>
++ Frederik Vermeulen a réalisé une extension de la RFC2487 pour
++ le MTA Qmail.<br>
++ Matti Aarnio a intégré la RFC2487 dans ZMailer.<br>
++ Michal Trojnara est actuellement en train d'intégrer un système basique
++ d'authentification SMTP dans son logiciel stunnel depuis la version stunnel-3.3.<br>
++ Trey Childs travaille sur une solution d'emballage.</p>
++<p>Implémentations commerciales:</p>
++<p>La version commerciale de sendmail supporte la RFC2487.<br>
++ Netscape Enterprise Server et Microsoft exchange server supportent aussi la
++ RFC 2487.<br>
++ CommunigatePro mailserver software supporte aussi la RFC2487.</p>
++<p> </p>
++<p> </p>
++</body>
++</html>
+diff -urNad postfix-release/tls/doc_french/security.html /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/security.html
+--- postfix-release/tls/doc_french/security.html 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/security.html 2005-02-03 10:22:13.102087321 -0700
+@@ -0,0 +1,67 @@
++<html>
++<head>
++<title>Untitled Document</title>
++<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
++</head>
++
++<body bgcolor="#FFFFFF">
++<p>Postfix/TLS - Considérations de Sécurité</p>
++<p>Les sections suivantes couvrent quelques considérations de sécurités
++ (possibles) en ce qui concerne Postfix/TLS.</p>
++<p>Clef privée du client/serveur<br>
++ Postfix/TLS utilise l'authentification du côté serveur (obligatoire) et du côté
++ client (facultatif). Afin de s'authentifier, <br>
++ le processus défini (smptd/smtp) doit pouvoir accéder à la clef privée,
++ qui doit cependant être maintenue secrète.<br>
++ Car ces processus sont lancés à partir de 'master' sans possibilité d'interaction
++ d'utilisateur, il n'est pas possible <br>
++ de fournir un mot de passe, de sorte que la clef privée ne puisse pas être chiffrée.
++</p>
++<p>La seule protection peut donc venu des droits d'accès de systéme de
++ fichiers, qui devraient être placés <br>
++ à 'root' et ' lisible pour le propriétaire seulement <br>
++ -rw------- 1 root sys 887 Apr 29 1999 /etc/postfix/key.pem <br>
++ <br>
++ Cette protection n'est valable que si votre système est protégé
++ contre les failles de sécurités concernant root<br>
++ <br>
++ Vous devez aussi vous rendre compte que des personnes ayant un accés physique
++ à la machine peuvent voler<br>
++ la clef privée si ils peuvent démarrer la machine en mode 'superutilisateur'
++ (single-user) sans mot de passe<br>
++ ou peuvent voler le disque et le monter sur un autre système où
++ ils sont super-utilisateur. (Oui je sais qu'il existe <br>
++ des systémes de fichiers encryptés mais ils n'ont pas encore une
++ large diffusion)</p>
++<p>Antémemoire de session sur le disque</p>
++<p>Si vous utilisez l'antémemoire de session sur le disque (par défaut)
++ des personnes capables mettre la main sur les fichiers <br>
++ devraient pouvoir éviter les paramètres de transmission sécurisée.
++ Cette situation n'est cependant pas plus grave que le cas<br>
++ de la clef privée décrit ci-dessus, ainsi je ne considère aucun
++ danger supplémentaire venant de l'enregistrement information <br>
++ de session sur un peripherique de stockage <br>
++ <br>
++ Casser le cryptage avec un système de clefs n'est qu'une affaire de temps
++ (même si ce temps peut être très long), les sessions<br>
++ ne devraient pas être utilisées indéfiniment. La valeur par défaut
++ pour Postfix/TLS est 1 heure, la RFC 2246 recommande <br>
++ de ne pas utiliser les sessions plus de 24 heures</p>
++<p>Solutions pour le DNS<br>
++ Un point faible dans l'authentification est l'utilisation du DNS pour découvrir
++ le MX. Comme nous faisons du (E)SMTP<br>
++ nous avons à utiliser les enregistrements MX.<br>
++ Comme nous avons à authentifier le server découvert par le MX,
++ quelqu'un est capable d'usurper un faux enregistrement MX<br>
++ pour être capable de recevoir le mail, si son serveur peut présenter un
++ certificat délivré par un CA acceptable. La dernière <br>
++ partie n'est pas difficile si les certificat 'standarts' sont inclus (Verisign,
++ Thawte,...)<br>
++ Le seul moyen de se protéger contre ce problème est que, pour
++ les destinataires pour lesquels nous voulons imposer le <br>
++ chiffrement et l'authentification, la consultation de MX doit être ignorée avec
++ une entrée appropriée dans la table /etc/postfix/transport<br>
++ <br>
++ domaine.tres.important smtp:[server.du.domaine.important]</p>
++</body>
++</html>
+diff -urNad postfix-release/tls/doc_french/setup.html /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/setup.html
+--- postfix-release/tls/doc_french/setup.html 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/setup.html 2005-02-03 10:22:13.102087321 -0700
+@@ -0,0 +1,162 @@
++<html>
++<head>
++<title>Untitled Document</title>
++<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
++</head>
++
++<body bgcolor="#FFFFFF">
++<p>Postfix/TLS - Paramétrer les certificats</p>
++<p>Ce paragraphe explique quels types de certificats sont nécessaires pour utiliser
++ postfix avec TLS. Les certificats (et peut être les clefs) peuvent être
++ obtenus auprès de tierces parties, qui peuvent être une autorité
++ de certification commerciale ou votre FAI. Tout le long vous aurez besoin de
++ certificats acceptés par d'autres entités sur internet, vous avez
++ donc à être d'accord sur les entités de certifications,
++ quelque soit leurs types.</p>
++<p>certificat serveur</p>
++<p>Pour utiliser SMTP avec TLS en mode serveur, votre serveur DOIT avoir une paire
++ de clefs (privée et publique).<br>
++ Puisque la clé publique doit être distribuée de façon ou d'autre au client,
++ elle est envoyée du serveur au client pendant la négociation de départ.
++ Cependant,au début de la négociation, le client ne peut pas savoir que
++ la clef publique appartient réellement au serveur et n'est pas contrefaite.
++ Par conséquent un troisième composant est nécessaire : le certificat d'une autorité
++ de certification (CA), qui est envoyé combiné avec la clef publique. Ce certificat
++ de serveur contient le nom de votre hote. Le client contrôlera alors la signature
++ du CA sur la clef publique pour décider si le certificat (et la clef publique)
++ sont authentiques. <br>
++ Ainsi pour le serveur nous avons besoin: <br>
++ - 1 clef privée de serveur<br>
++ - 1 clef publique de serveur signée par une autorité de certification,
++ certifiant que la clef publique appartient à votre hôte
++<br>
++ - 1 certificat CA avec la clef publique du CA<br>
++ Pour cette liste je veux absolument préciser que le nombre de composants utilisés
++ est 1, parce que vous devez en avoir 1, vous ne pouvez pas en avoir ni moins
++ ni plus!</p>
++<p>Politique de certificat serveur</p>
++<p>A partir de maintenant vous avez à vous décider sur la politique.
++ Le client qui va se connecter sur votre hôte va comparer le nom dans le
++ certificat de votre serveur à son FQDN (Fully Qualified Domain Name). Si ils
++ correspondent, l'identité de votre serveur est prouvée.<br>
++ Pour voir, si le certificat lui-même est authentique, le client lui-même doit
++ avoir le certificat du CA. Ainsi, si vous voulez le rendre facilement accessible
++ à d'autres, parties inconnues, vous devez avoir un certificat issu d'un CA connu
++ et digne de confiance. Rappelez vous que votre serveur ne peut avoir qu'un certificat
++ à la fois.<br>
++ Il y a des fournisseurs commerciaux (Thawte, Verisign, pour n'en citer que quelques
++ uns), leurs certificats CA sont bien distribués. Je ne sais pas pour
++ les autres pays mais en Allemagne le organisation de la recherche reseaux (DFN) a commencé
++ un programme pour les universités.<br>
++ Si vous ne portez pas d'importance à ceci (vous pourrez le changer plus
++ tard), vous pouvez devenir votre propre CA et distribuer vos certificat de CA
++ aux parties qui devront le connaitre, et vous êtes prêts. Ce n'est
++ pas difficile de le faire.<br>
++ <a href="http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/doc/myownca.html">Le
++ cours tres bref de Lutz pour être votre propre CA</a> (toujours en anglais ..)</p>
++<p>Utiliser les certificats</p>
++<p>Pour rendre la clef et les certificats utilisables par Postfix/TLS, ils doivent
++ être au format "PEM". Puis vous avez à indiquer à
++ postfix où les trouver:<br>
++ - La clef privée:<br>
++ <br>
++ smtpd_tls_key_file = /etc/postfix/key.pem<br>
++ <br>
++ comme la clef publique est publique y compris le certificat (tout le monde peut
++ la récupérer), une personne disposant d'une copie de votre clef
++ privée peut usurper votre identitée. Ce n'est pas si facile que
++ ça, du fait qu'il doit être capable d'intercepter ou de rediriger
++ les paquets envoyés vers votre serveur, mais j'ai déja vu bien
++ de choses arriver. Donc protégez cette clef avec :<br>
++ <br>
++ chown root /etc/postfix/key.pem ; chmod 400 /etc/postfix/key.pem <br>
++ <br>
++ Une autre possibilité de protection est la 'phrase clef'. Ceci est toutefois
++ un problème, du fait que vous ayez à le taper à chaque fois que
++ le server est démarré. Ceci a des inconvenients : premièrement
++ vous devez le taper dans postfix à chaque fois que vous le redémarrez.
++ Deuxièmement les process smtpd sont lancés indépendamment
++ à partir de master, dans ce cas master doit passer la 'phrase clef' aux
++ clients d'une façon ou d'une autre. Tout cela fait que je pense que cette
++ méthode n'est pas pratique et donc n'est pas supportée par le programme.<br>
++ <br>
++ - Le certificat serveur : ce certificat n'est pas secret, du fait qu'il est
++ présenté à chaque client de toutes façons, ainsi
++ nommez le juste a postfix :<br>
++ <br>
++ smtpd_tls_cert_file = /etc/postfix/cert.pem<br>
++ <br>
++ Si vous voulez vous pouvez concaténer la clef privée et le certificat
++ dans le même fichier.<br>
++ <br>
++ - Le certificat CA: pour avoir également le certificat CA disponible,
++écrivez le dans un fichier et donnez le nom à postfix/TLS. Nous reviendrons
++ plus tard sur ce fichier.<br>
++ <br>
++ smtpd_tls_CAfile = /etc/postfix/CAcert.pem <br>
++ <br>
++ Avec ces certificats vous devez être en mesure de faire tourner Postfix/TLS.</p>
++<p>Postfix/TLS en mode client<br>
++ <br>
++ Quand il se connecte à un serveur offrant TLS postfix peut présenter
++ un certificat client de lui même. Du fait de la réalisation actuelle,
++ seulement un certificat ne peut être contrôlé, ainsi il devrait être émis depuis
++ votre propre nom d'hôte. Par défaut aucun certificat n'est présenté,
++ à moins que vous placiez explicitement le certificat dans la configuration.
++ Vous pouvez utiliser le même certificat que pour le serveur: <br>
++ <br>
++ smtp_tls_key_file = /etc/postfix/key.pem <br>
++ chown root /etc/postfix/key.pem ; chmod 400 /etc/postfix/key.pem <br>
++ <br>
++ smtp_tls_cert_file = /etc/postfix/cert.pem <br>
++ smtp_tls_CAfile = /etc/postfix/CAcert.pem<br>
++</p>
++<p>Certificats clients:<br>
++ <br>
++ Une des raisons pour laquelle j'ai fait ce travail est que je voulais faire
++ du relayage basé sur les certificats clients. Le client présente
++ un certificat d'un CA, qui est unique et ne peut être usurpé.<br>
++ Des clients peuvent avoir plusieus certificats émis par diffèrents CA.
++ Lors de la connexion le serveur passera au client la liste de CA qu'il connait
++ (les certificats de CA) et le client peut alors choisir le certificat à
++ passer. Avec Netscape cela signifie qu'une fenêtre est ouverte et seulement
++ le certificat client est listé.<br>
++ Donc si vos clients ont déjà des certificats émanant de
++ sources de confiances ce n'est pas nécessaire de se créer des
++ problémes. Vous avez juste à récupérer les certificats
++ CA et les rendre disponibles à Postfix/TLS. Si ce n'est pas suffisant,
++ vous pouvez toujours devenir votre propre CA pour créer facilement vos
++ certificats clients pour vos usagers (qui sont naturellement inutiles en dehors
++ de votre portée)</p>
++<p>Lister les certificats CA<br>
++ <br>
++ Vous avez deux possibilité de faire ceci:<br>
++ 1- Concaténez les certificats CA au fichier smtp[d]_tls_CAfile que vous
++ avez créé. Ce fichier n'est certainement pas très lisible
++ mais a l'avantage d'être lu par smtpd avant le changement dans la cage
++ chroot et par conséquent fonctionne en mode chrooté.<br>
++ 2- Vous pouvez ajouter les certificats CA dans plusieurs fichiers avec des noms
++ adéquats dans un répertoire de certificats spécifié
++ par:<br>
++ smtpd_tls_CApath = /etc/postfix/certs<br>
++ N'oubliez pas de faire un $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs après
++ tout changement, car les tables de hachages sont utilisées pour trouver
++ le bon certificat CA. Cette methode ne doit pas fonctionner en mode chrooté.</p>
++<p>Ajouter des certificats client:<br>
++ <br>
++ Les certificats de client sont délivrés pour un DN (Distinguished Name) (Nom
++ Complet) composé de la compagnie, service, le nom, l'email... Du fait qu'ils
++ peuvent contenir des blancs, des @, des signes et des colonnes, il est tout à fait
++ difficile de les manipuler avec les outils standards de postfix. <br>
++ Une chose tout à fait pratique est que chaque certificat de client a une " empreinte
++ digitale " il est extrêmement difficile truquer que (à ma connaissance,
++ elle pourrait prendre des années même sur les ordinateurs rapides). Je dois
++ faire encore plus de recherche au sujet de la sécurité de l'empreinte digitale,
++ mais au moins pour relayer cela doit être suffisament sécurisé.
++ Je trouverai plus facilement une machine avec une mauvaise sécurité
++ pour envoyer mon spam au lieu de truquer un certificat de client avec une empreinte
++ digitale assortie (que d'ailleurs je ne connais pas depuis l'extérieur,
++ même depuis l'interieur vous pouvez protéger la base "d'empreintes
++ digitales" par un chmod 400)</p>
++</body>
++</html>
+diff -urNad postfix-release/tls/doc_french/test.html /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/test.html
+--- postfix-release/tls/doc_french/test.html 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/test.html 2005-02-03 10:22:13.103087098 -0700
+@@ -0,0 +1,118 @@
++<html>
++<head>
++<title>Untitled Document</title>
++<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
++</head>
++
++<body bgcolor="#FFFFFF">
++<p>tester Postfix/TLS</p>
++<p>Le test du module est un peu difficile, car la transmission est chiffrée, de
++ sorte que vous ne puissiez pas "imiter" la <br>
++ conversation juste par un telnet sur le port smtp. Vous ne pouvez pas également
++ capturer les paquets (vous pouvez, <br>
++ mais si tout fonctionne comme annoncé, cela ne vous aidera pas :-). <br>
++ <br>
++ Outils de mise au point inclus:<br>
++ Comme tous les messages générés par postfix sont envoyés
++ au système de journalisation, la mise au point doit être faite<br>
++ en utilisant vos fichier de journalisation. Postfix/TLS supporte les niveaux
++ de journalisation de 0 (très calme) à 4 (vidange<br>
++ mémoire de la conversation complète, non recommandé). Dans un premier temps
++ placez smpt[d]_tls_loglevel=2 et <br>
++ observez le fichier journal. Typiquement vous aurez des problèmes avec l'accès
++ aux clés ou aux certificats, ainsi vous <br>
++ trouverez des messages d'erreur ici. Vous pouvez toujours essayer d'envoyer
++ un email à postfix_tls-bounce at serv01.aet.tu-cottbus.de <br>
++ avec le TLS activé de votre côté et regardez ce qui se produit
++ :-).<br>
++ Tout en testant l'interopérabilité avec ZMailer nous avons appris qu'un certificat
++ incorrect (qui doit être le serveur pour le serveur :-) peut <br>
++ mener à des erreurs de connexions sans messages clairs. cela peut nous
++ aider d'utiliser Netscape 4.5x en tant que client et d'étudier<br>
++ soigneusement les informations ainsi que les boites de dialogue.<br>
++ Je n'ai pas encore trouvé comment identifier le problème de postfix
++ à afficher un message approprié dans le fichier de journalisation.<br>
++ Si tout va bien ce sera possible sans modifier les bibliothèques d'OpenSSL.</p>
++<p>Plateformes:</p>
++<p>Plateformes de développement:<br>
++ OS: HP-UX 10.20 <br>
++ OS: Linux 2.x (SuSE Linux) <br>
++ <br>
++ Succés enregistrés:<br>
++ OS: Solaris 2.5 - Walcir Fontanini <walcir at densis.fee.unicamp.br> </p>
++<p>Clients de test:<br>
++ Software: Netscape 4.5x, Netscape 4.6x, Netscape 4.7x <br>
++ OS: HP-UX 10.20, Linux 2.x, Win95 </p>
++<p>Intéropérabilité:<br>
++ Sans compter le support par les solutions génériques d'emballage, il existe
++ des extensions particulièrement travaillés pour<br>
++ d'autres MTA:</p>
++<p>Qmail il y a un patch en sources libres disponible, étendant le MTA de Qmail
++ pour supporter la RFC2487,<br>
++ écrit par Frederik Vermeulen . L'envoi et la réception fonctionne des deux côtés.<br>
++ Test: envoyez le courrier à ping at linux.student.kuleuven.ac.be (renverra l'email
++ complet comprenant des en-têtes).<br>
++ Zmailer l'autheur/développeur de ZMailer, Matti Aarnio, a incorporé le
++ support serveur et client de TLS .<br>
++ Zmailer - > Postfix très bien, <br>
++ Postfix - > Zmailer ne fonctionne pas, puisqu'Esmtp n'est pas identifié (problème
++ signalé). <br>
++ Test: envoyez un courrier à autoanswer at mea.tmt.tele.fi (renverra des en-têtes).
++ <br>
++ Sendmail la verson commerciale supporte le client et le serveur TLS,
++ les deux côtés fonctionnent avec Postfix/TLS.<br>
++ En date de sendmail-8.11, TLS est également inclus avec la version opensource
++ . <br>
++ Test: envoyez le courrier à bounce at esmtp.org (reverra le message d'erreur comprenant
++ de vieux en-têtes). <br>
++ Postfix: peut s'envoyer des messages à lui-même :-)<br>
++ Test: envoyez le courrier à postfix_tls-bounce at serv01.aet.tu-cottbus.de (reviendra,
++ en incluant de vieux en-têtes). <br>
++ <br>
++ D'autres retour sont les bienvenus</p>
++<p>Problèmes connus:<br>
++ Ce logiciel en est qu'à ses débuts, soyez donc patients. À ce
++ jour j'ai ces points: </p>
++<p>Côté de serveur: Sous Win95/NT j'ai quelques problèmes avec les certificats
++ de client. En ouvrant la première connexion <br>
++ (Netscape demande le mot de passe pour accéder à la base de données de certificat),
++ la connexion s'arrête. Ceci semble <br>
++ être provoqué par Netscape: une vidange mémoire de la transmission montre que
++ Netscape ne reprend pas la poignée de main<br>
++ (TLS handshake) de TLS.<br>
++ Remarque: je n'ai pas pu reproduire cette anomalie récemment après évolution
++ d'OpenSSL 0.9.4. J'espère qu'elle a disparue,<br>
++ mais peut-être est elle juste une conséquence du jeu autour avec les options
++ de la sécurité de Netscape. Plus de test exigé... <br>
++ Solution: détruisez cette connexion, la prochaine fonctionnera immédiatement
++ ou utilisez SSLv2 seulement (deuxième solution<br>
++ non recommandée).</p>
++<p>Doit être résolu avec OpenSSL 0.9.5<br>
++ Coté serveur: Outlook Express tout comme Internet explorer 5 fonctionneront
++ avec Postfix/TLS mais aucun certificat<br>
++ client ne seront présentés. Ainsi vous pouvez chiffrer votre transfert
++ de courrier mais vous ne pouvez pas vous authentifier <br>
++ (et relayer) avec des certificats clients. Cela fonctionne seulement sur le
++ port 25 (smtp); sur d'autres ports vous devez <br>
++ utiliser le smtpd_tls_wrappermode à la place. <br>
++ Coté serveur: Outlook Express tout comme Internet explorer 4 semble
++ ne pas supporter la RFC2487. Utilisez <br>
++ smtpd_tls_wrappermode=yes sur un autre port.<br>
++ Coté serveur: Outlook Express (Mac) semble ne pas supporter la RFC2487.
++ Utilisez smtpd_tls_wrappermode=yes<br>
++ sur un autre port.<br>
++ Coté client: MS Exchange même en version récente offre STARTTLS
++ même si ce dernier n'est pas configuré (la liste <br>
++ de diffusion[IETF-APPS-TLS]). Je ne pourrais pas tester ceci sans accès à un
++ tel serveur, je ne peux donc pas prévoir<br>
++ ce qui va se produire. <br>
++ Coté client: Les connexions de TLS à un serveur de CommunigatePro échouent
++ avec une erreur de poignée de main <br>
++ avec des versions plus anciennes de CommunigatePro. La raison est une violation
++ de protocole de CommunigatePro <br>
++ en ce qui concerne la numérotation de version de protocole SSL. (cf RFC 2246
++ section 7.4.7.1)<br>
++ Ce problème a été fixé dans CommunigatePro 3.3b?? (je ne connais pas la numérotation
++ exacte) autour du 9 juin 2000. .</p>
++</body>
++</html>
+diff -urNad postfix-release/tls/INSTALL /tmp/dpep.cXJuVH/postfix-release/tls/INSTALL
+--- postfix-release/tls/INSTALL 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/INSTALL 2005-02-03 10:22:13.103087098 -0700
+@@ -0,0 +1,2 @@
++For installation instructions please read the HTML documentation in the
++"doc/" subdirectory.
+diff -urNad postfix-release/tls/pfixtls.diff /tmp/dpep.cXJuVH/postfix-release/tls/pfixtls.diff
+--- postfix-release/tls/pfixtls.diff 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/pfixtls.diff 2005-02-03 10:22:13.115084422 -0700
+@@ -0,0 +1,8752 @@
++diff -ruN postfix-2.1.0-vanilla/Makefile.in postfix-2.1.0/Makefile.in
++--- postfix-2.1.0-vanilla/Makefile.in Wed Apr 14 20:57:00 2004
+++++ postfix-2.1.0/Makefile.in Sat Apr 24 14:38:26 2004
++@@ -7,7 +7,7 @@
++ src/pipe src/showq src/postalias src/postcat src/postconf src/postdrop \
++ src/postkick src/postlock src/postlog src/postmap src/postqueue \
++ src/postsuper src/qmqpd src/spawn src/flush src/verify \
++- src/virtual src/proxymap
+++ src/virtual src/proxymap src/tlsmgr
++ MANDIRS = proto man html
++
++ default: update
++diff -ruN postfix-2.1.0-vanilla/conf/master.cf postfix-2.1.0/conf/master.cf
++--- postfix-2.1.0-vanilla/conf/master.cf Wed Apr 21 13:35:32 2004
+++++ postfix-2.1.0/conf/master.cf Sun Apr 25 01:47:52 2004
++@@ -80,11 +80,17 @@
++ smtp inet n - n - - smtpd
++ #submission inet n - n - - smtpd
++ # -o smtpd_etrn_restrictions=reject
+++#smtps inet n - n - - smtpd
+++# -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
+++#submission inet n - n - - smtpd
+++# -o smtpd_etrn_restrictions=reject
+++# -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
++ #628 inet n - n - - qmqpd
++ pickup fifo n - n 60 1 pickup
++ cleanup unix n - n - 0 cleanup
++ qmgr fifo n - n 300 1 qmgr
++ #qmgr fifo n - n 300 1 oqmgr
+++#tlsmgr fifo - - n 300 1 tlsmgr
++ rewrite unix - - n - - trivial-rewrite
++ bounce unix - - n - 0 bounce
++ defer unix - - n - 0 bounce
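Review bot: The commented-out `smtps` and `submission` example entries turn on `smtpd_sasl_auth_enable=yes` but add no restriction tying relaying to a successful AUTH, so whether a session on those ports may relay is left entirely to the main.cf recipient restrictions; the usual companion option is `-o smtpd_client_restrictions=permit_sasl_authenticated,reject`, or at minimum a comment stating that the main.cf relay policy must already cover these ports before an admin uncomments them. The `tlsmgr` entry runs with the default (unprivileged) user and no chroot, while the tlsmgr.8 text in this same patch defaults `tls_random_exchange_name` to /etc/postfix/prng_exch and has smtp/smtpd read that file at startup for PRNG seeding; the packaging therefore needs to create that file with an owner and mode the Postfix user can write and other users cannot read, otherwise the seed exchange silently fails — I cannot see from this hunk whether the package does that. All of these lines are commented out, so the point concerns the example an admin will copy rather than shipped default behaviour.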
++diff -ruN postfix-2.1.0-vanilla/conf/postfix-files postfix-2.1.0/conf/postfix-files
++--- postfix-2.1.0-vanilla/conf/postfix-files Thu Apr 22 19:20:50 2004
+++++ postfix-2.1.0/conf/postfix-files Sun Apr 25 01:48:34 2004
++@@ -78,6 +78,7 @@
++ $daemon_directory/smtp:f:root:-:755
++ $daemon_directory/smtpd:f:root:-:755
++ $daemon_directory/spawn:f:root:-:755
+++$daemon_directory/tlsmgr:f:root:-:755
++ $daemon_directory/trivial-rewrite:f:root:-:755
++ $daemon_directory/verify:f:root:-:755
++ $daemon_directory/virtual:f:root:-:755
++@@ -165,6 +166,7 @@
++ $manpage_directory/man8/smtp.8:f:root:-:644
++ $manpage_directory/man8/smtpd.8:f:root:-:644
++ $manpage_directory/man8/spawn.8:f:root:-:644
+++$manpage_directory/man8/tlsmgr.8:f:root:-:644
++ $manpage_directory/man8/trace.8:f:root:-:644
++ $manpage_directory/man8/trivial-rewrite.8:f:root:-:644
++ $manpage_directory/man8/verify.8:f:root:-:644
++@@ -196,6 +198,7 @@
++ $sample_directory/sample-scheduler.cf:f:root:-:644:o
++ $sample_directory/sample-smtp.cf:f:root:-:644:o
++ $sample_directory/sample-smtpd.cf:f:root:-:644:o
+++$sample_directory/sample-tls.cf:f:root:-:644:o
++ $sample_directory/sample-transport.cf:f:root:-:644:o
++ $sample_directory/sample-verify.cf:f:root:-:644:o
++ $sample_directory/sample-virtual.cf:f:root:-:644:o
++diff -ruN postfix-2.1.0-vanilla/man/man8/tlsmgr.8 postfix-2.1.0/man/man8/tlsmgr.8
++--- postfix-2.1.0-vanilla/man/man8/tlsmgr.8 Thu Jan 1 01:00:00 1970
+++++ postfix-2.1.0/man/man8/tlsmgr.8 Sat Apr 24 14:35:26 2004
++@@ -0,0 +1,130 @@
+++.TH TLSMGR 8
+++.ad
+++.fi
+++.SH NAME
+++tlsmgr
+++\-
+++Postfix TLS session cache and PRNG handling manager
+++.SH SYNOPSIS
+++.na
+++.nf
+++\fBtlsmgr\fR [generic Postfix daemon options]
+++.SH DESCRIPTION
+++.ad
+++.fi
+++The tlsmgr process does housekeeping on the session cache database
+++files. It runs through the databases and removes expired entries
+++and entries written by older (incompatible) versions.
+++
+++The tlsmgr is responsible for the PRNG handling. The used internal
+++OpenSSL PRNG has a pool size of 8192 bits (= 1024 bytes). The pool
+++is initially seeded at startup from an external source (EGD or
+++/dev/urandom) and additional seed is obtained later during program
+++run at a configurable period. The exact time of seed query is
+++using random information and is equally distributed in the range of
+++[0-\fBtls_random_reseed_period\fR] with a \fBtls_random_reseed_period\fR
+++having a default of 1 hour.
+++
+++Tlsmgr can be run chrooted and with dropped privileges, as it will
+++connect to the entropy source at startup.
+++
+++The PRNG is additionally seeded internally by the data found in the
+++session cache and timevalues.
+++
+++Tlsmgr reads the old value of the exchange file at startup to keep
+++entropy already collected during previous runs.
+++
+++From the PRNG random pool a cryptographically strong 1024 byte random
+++sequence is written into the PRNG exchange file. The file is updated
+++periodically with the time changing randomly from
+++[0-\fBtls_random_prng_update_period\fR].
+++.SH STANDARDS
+++.na
+++.nf
+++.SH SECURITY
+++.na
+++.nf
+++.ad
+++.fi
+++Tlsmgr is not security-sensitive. It only deals with external data
+++to be fed into the PRNG, the contents is never trusted. The session
+++cache housekeeping will only remove entries if expired and will never
+++touch the contents of the cached data.
+++.SH DIAGNOSTICS
+++.ad
+++.fi
+++Problems and transactions are logged to the syslog daemon.
+++.SH BUGS
+++.ad
+++.fi
+++There is no automatic means to limit the number of entries in the
+++session caches and/or the size of the session cache files.
+++.SH CONFIGURATION PARAMETERS
+++.na
+++.nf
+++.ad
+++.fi
+++The following \fBmain.cf\fR parameters are especially relevant to
+++this program. See the Postfix \fBmain.cf\fR file for syntax details
+++and for default values. Use the \fBpostfix reload\fR command after
+++a configuration change.
+++.SH Session Cache
+++.ad
+++.fi
+++.IP \fBsmtpd_tls_session_cache_database\fR
+++Name of the SDBM file (type sdbm:) containing the SMTP server session
+++cache. If the file does not exist, it is created.
+++.IP \fBsmtpd_tls_session_cache_timeout\fR
+++Expiry time of SMTP server session cache entries in seconds. Entries
+++older than this are removed from the session cache. A cleanup-run is
+++performed periodically every \fBsmtpd_tls_session_cache_timeout\fR
+++seconds. Default is 3600 (= 1 hour).
+++.IP \fBsmtp_tls_session_cache_database\fR
+++Name of the SDBM file (type sdbm:) containing the SMTP client session
+++cache. If the file does not exist, it is created.
+++.IP \fBsmtp_tls_session_cache_timeout\fR
+++Expiry time of SMTP client session cache entries in seconds. Entries
+++older than this are removed from the session cache. A cleanup-run is
+++performed periodically every \fBsmtp_tls_session_cache_timeout\fR
+++seconds. Default is 3600 (= 1 hour).
+++.SH Pseudo Random Number Generator
+++.ad
+++.fi
+++.IP \fBtls_random_source\fR
+++Name of the EGD socket or device or regular file to obtain entropy
+++from. The type of entropy source must be specified by preceding the
+++name with the appropriate type: egd:/path/to/egd_socket,
+++dev:/path/to/devicefile, or /path/to/regular/file.
+++tlsmgr opens \fBtls_random_source\fR and tries to read
+++\fBtls_random_bytes\fR from it.
+++.IP \fBtls_random_bytes\fR
+++Number of bytes to be read from \fBtls_random_source\fR.
+++Default value is 32 bytes. If using EGD, a maximum of 255 bytes is read.
+++.IP \fBtls_random_exchange_name\fR
+++Name of the file written by tlsmgr and read by smtp and smtpd at
+++startup. The length is 1024 bytes. Default value is
+++/etc/postfix/prng_exch.
+++.IP \fBtls_random_reseed_period\fR
+++Time in seconds until the next reseed from external sources is due.
+++This is the maximum value. The actual point in time is calculated
+++with a random factor equally distributed between 0 and this maximum
+++value. Default is 3600 (= 60 minutes).
+++.IP \fBtls_random_prng_update_period\fR
+++Time in seconds until the PRNG exchange file is updated with new
+++pseude random values. This is the maximum value. The actual point
+++in time is calculated with a random factor equally distributed
+++between 0 and this maximum value. Default is 60 (= 1 minute).
+++.SH SEE ALSO
+++.na
+++.nf
+++smtp(8) SMTP client
+++smtpd(8) SMTP server
+++.SH LICENSE
+++.na
+++.nf
+++.ad
+++.fi
+++The Secure Mailer license must be distributed with this software.
+++.SH AUTHOR(S)
+++.na
+++.nf
++diff -ruN postfix-2.1.0-vanilla/proto/Makefile.in postfix-2.1.0/proto/Makefile.in
++--- postfix-2.1.0-vanilla/proto/Makefile.in Wed Apr 14 17:05:40 2004
+++++ postfix-2.1.0/proto/Makefile.in Mon Apr 26 13:39:34 2004
++@@ -29,6 +29,7 @@
++ ../html/SMTPD_POLICY_README.html \
++ ../html/SMTPD_PROXY_README.html \
++ ../html/STANDARD_CONFIGURATION_README.html \
+++ ../html/TLS_README.html \
++ ../html/TUNING_README.html \
++ ../html/UUCP_README.html ../html/ULTRIX_README.html \
++ ../html/VERP_README.html ../html/VIRTUAL_README.html \
++@@ -59,6 +60,7 @@
++ ../README_FILES/SMTPD_ACCESS_README \
++ ../README_FILES/SMTPD_POLICY_README ../README_FILES/SMTPD_PROXY_README \
++ ../README_FILES/STANDARD_CONFIGURATION_README \
+++ ../README_FILES/TLS_README \
++ ../README_FILES/TUNING_README \
++ ../README_FILES/UUCP_README ../README_FILES/ULTRIX_README \
++ ../README_FILES/VERP_README ../README_FILES/VIRTUAL_README \
++diff -ruN postfix-2.1.0-vanilla/proto/TLS_README.html postfix-2.1.0/proto/TLS_README.html
++--- postfix-2.1.0-vanilla/proto/TLS_README.html Thu Jan 1 01:00:00 1970
+++++ postfix-2.1.0/proto/TLS_README.html Mon Apr 26 13:40:28 2004
++@@ -0,0 +1,1093 @@
+++<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
+++ "http://www.w3.org/TR/html4/loose.dtd">
+++
+++<html>
+++
+++<head>
+++
+++<title>Postfix TLS Support </title>
+++
+++<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
+++
+++</head>
+++
+++<body>
+++
+++<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix TLS Support
+++</h1>
+++
+++<hr>
+++
+++<h2> Purpose of this document </h2>
+++
+++<p> This document describes how to configure the Transport Layer
+++Security (TLS) support in the Postfix SMTP client and Postfix SMTP server,
+++and how to configure the TLS manager daemon that maintains the
+++Pseudo Random Number Generator (PRNG) pool and the TLS session
+++cache information. </p>
+++
+++<p> Topics covered in this document: </p>
+++
+++<ul>
+++
+++<li><a href="#server_tls">SMTP Server specific settings</a>
+++
+++<li> <a href="#client_tls">SMTP Client specific settings</a>
+++
+++<li><a href="#tlsmgr_controls"> TLS manager specific settings </a>
+++
+++<li><a href="#problems"> Reporting problems </a>
+++
+++<li><a href="#credits"> Credits </a>
+++
+++</ul>
+++
+++<h2><a name="server_tls">SMTP Server specific settings</a></h2>
+++
+++<p> Topics covered in this section: </p>
+++
+++<ul>
+++
+++<li><a href="#server_cert_key">Server-side certificate and private
+++key configuration </a>
+++
+++<li><a href="#server_logging"> Server-side TLS activity logging
+++</a>
+++
+++<li><a href="#server_enable">Enabling TLS in the Postfix SMTP server </a>
+++
+++<li><a href="#server_vrfy_client">Client certificate verification</a>
+++
+++<li><a href="#server_tls_auth">Supporting AUTH over TLS only</a>
+++
+++<li><a href="#server_tls_cache">Server-side TLS session cache</a>
+++
+++<li><a href="#server_access">Server access control</a>
+++
+++<li><a href="#server_cipher">Server-side cipher controls</a>
+++
+++<li><a href="#server_misc"> Miscellaneous server controls</a>
+++
+++</ul>
+++
+++<h3><a name="server_cert_key">Server-side certificate and private
+++key configuration </a> </h3>
+++
+++<p> In order to use TLS, the Postfix SMTP server needs a certificate
+++and a private key. Both must be in "pem" format. The private key
+++must not be encrypted, meaning: the key must be accessible without
+++password. Both certificate and private key may be in the same
+++file. </p>
+++
+++<p> Both RSA and DSA certificates are supported. Typically you will
+++only have RSA certificates issued by a commercial CA. In addition,
+++the tools supplied with OpenSSL will by default issue RSA certificates.
+++You can have both at the same time, in which case the cipher used
+++determines which certificate is presented. For Netscape and OpenSSL
+++clients without special cipher choices, the RSA certificate is
+++preferred. </p>
+++
+++<p> In order for remote SMTP clients to check the Postfix SMTP
+++server certificates, the CA certificate (in case of a certificate
+++chain, all CA certificates) must be available. You should add
+++these certificates to the server certificate, the server certificate
+++first, then the issuing CA(s). </p>
+++
+++<p> Example: the certificate for "server.dom.ain" was issued by
+++"intermediate CA" which itself has a certificate issued by "root
+++CA". Create the server.pem file with: </p>
+++
+++<blockquote>
+++<pre>
+++cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem
+++</pre>
+++</blockquote>
+++
+++<p> If you want the Postfix SMTP server to accept remote SMTP client
+++certificates issued by these CAs, you can also add the CA certificates
+++to the smtpd_tls_CAfile, in which case it is not necessary to have
+++them in the smtpd_tls_cert_file or smtpd_tls_dcert_file. </p>
+++
+++<p> A Postfix SMTP server certificate supplied here must be usable
+++as SSL server certificate and hence pass the "openssl verify -purpose
+++sslserver
+++..." test. </p>
+++
+++<p> RSA key and certificate examples: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_tls_cert_file = /etc/postfix/server.pem
+++smtpd_tls_key_file = $smtpd_tls_cert_file
+++</pre>
+++</blockquote>
+++
+++<p> Their DSA counterparts: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
+++smtpd_tls_dkey_file = $smtpd_tls_dcert_file
+++</pre>
+++</blockquote>
+++
+++<p> The Postfix SMTP server certificate was issued by a certification
+++authority (CA), the CA-cert of which must be provided with the CA
+++file if it is not already provided in the certificate file. The
+++CA file may also contain the CA certificates of other trusted CAs.
+++You must use this file for the list of trusted CAs if you want to
+++use chroot-mode. No default is supplied for this value as of now.
+++</p>
+++
+++<p> Example: </p>
+++<blockquote>
+++<pre>
+++smtpd_tls_CAfile = /etc/postfix/CAcert.pem
+++</pre>
+++</blockquote>
+++
+++<p> To verify a remote SMTP client certificate, the Postfix SMTP
+++server needs to know the certificates of the issuing certification
+++authorities. These certificates in "pem" format are collected in
+++a directory. The same CA certificates are offered to clients for
+++client verification. Don't forget to create the necessary "hash"
+++links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical
+++place for the CA certificates may also be $OPENSSL_HOME/certs, so
+++there is no default and you explicitly have to set the value here!
+++</p>
+++
+++<p> To use this option in chroot mode, this directory itself or a
+++copy of it must be inside the chroot jail. Please note also, that
+++the CAs in this directory are not listed to the client, so that
+++e.g. Netscape might not offer certificates issued by them. For
+++this reason, the use of this feature is discouraged. </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_tls_CApath = /etc/postfix/certs
+++</pre>
+++</blockquote>
+++
+++<h3><a name="server_logging"> Server-side TLS activity logging </a> </h3>
+++
+++<p> To get additional information about Postfix SMTP server TLS
+++activity you can increase the loglevel from 0..4. Each logging
+++level also includes the information that is logged at a lower
+++logging level. </p>
+++
+++<blockquote>
+++
+++<table>
+++
+++<tr> <td> 0 </td> <td> Disable logging of TLS activity.</td> </tr>
+++
+++<tr> <td> 1 </td> <td> Log TLS handshake and certificate information.
+++</td> </tr>
+++
+++<tr> <td> 2 </td> <td> Log levels during TLS negotiation. </td>
+++</tr>
+++
+++<tr> <td> 3 </td> <td> Log hexadecimal and ASCII dump of TLS
+++negotiation process </td> </tr>
+++
+++<tr> <td> 4 </td> <td> Log hexadecimal and ASCII dump of complete
+++transmission after STARTTLS </td> </tr>
+++
+++</table>
+++
+++</blockquote>
+++
+++<p> Use loglevel 3 only in case of problems. Use of loglevel 4 is
+++strongly discouraged. </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_tls_loglevel = 0
+++</pre>
+++</blockquote>
+++
+++<p> To include information about the protocol and cipher used as
+++well as the client and issuer CommonName into the "Received:"
+++message header, set the smtpd_tls_received_header variable to true.
+++The default is no, as the information is not necessarily authentic.
+++Only information recorded at the final destination is reliable,
+++since the headers may be changed by intermediate servers. </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_tls_received_header = yes
+++</pre>
+++</blockquote>
+++
+++<h3><a name="server_enable">Enabling TLS in the Postfix SMTP server </a> </h3>
+++
+++<p> By default, TLS is disabled in the Postfix SMTP server, so no
+++difference to plain Postfix is visible. Explicitly switch it on
+++using "smtpd_use_tls = yes". </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_use_tls = yes
+++</pre>
+++</blockquote>
+++
+++<p> Note: when an unprivileged user invokes "sendmail -bs", STARTTLS
+++is never offered due to insufficient privileges to access the server
+++private key. This is intended behavior. </p>
+++
+++<p> You can ENFORCE the use of TLS, so that the Postfix SMTP server
+++accepts no commands (except QUIT of course) without TLS encryption,
+++by setting "smtpd_enforce_tls = yes". According to RFC 2487 this
+++MUST NOT be applied in case of a publicly-referenced Postfix SMTP
+++server. So this option is off by default and should only seldom
+++be used. Using this option implies "smtpd_use_tls = yes". </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_enforce_tls = yes
+++</pre>
+++</blockquote>
+++
+++<p> Besides RFC 2487 some clients, namely Outlook [Express] prefer
+++to run the non-standard "wrapper" mode, not the STARTTLS enhancement
+++to SMTP. This is true for OE (Win32 < 5.0 and Win32 >=5.0 when
+++run on a port<>25 and OE (5.01 Mac on all ports). </p>
+++
+++<p> It is strictly discouraged to use this mode from main.cf. If
+++you want to support this service, enable a special port in master.cf
+++and specify "-o smtpd_tls_wrappermode = yes" as an smtpd(8) command
+++line option. Port 465 (smtps) was once chosen for this feature.
+++</p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_tls_wrappermode = no
+++</pre>
+++</blockquote>
+++
+++<h3><a name="server_vrfy_client">Client certificate verification</a> </h3>
+++
+++<p> To receive a remote SMTP client certificate, the Postfix SMTP
+++server must explicitly ask for one by sending the $smtpd_tls_CAfile
+++certificates to the client. Unfortunately, Netscape clients will
+++either complain if no matching client certificate is available or
+++will offer the user client a list of certificates to choose from.
+++This might be annoying, so this option is "off" by default. You
+++will however need the certificate if you want to use certificate
+++based relaying with, for example, the permit_tls_client_certs
+++feature. </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_tls_ask_ccert = no
+++</pre>
+++</blockquote>
+++
+++<p> You may also decide to REQUIRE a remote SMTP client certificate
+++before allowing TLS connections. This feature is included for
+++completeness, and implies "smtpd_tls_ask_ccert = yes". </p>
+++
+++<p> Please be aware, that this will inhibit TLS connections without
+++a proper client certificate and that it makes sense only when
+++non-TLS submission is disabled (smtpd_enforce_tls = yes). Otherwise,
+++clients could bypass the restriction by simply not using STARTTLS
+++at all. </p>
+++
+++<p> When TLS is not enforced, the connection will be handled as
+++if only "smtpd_tls_ask_ccert = yes" is specified, and a warning is
+++logged. </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_tls_req_ccert = no
+++</pre>
+++</blockquote>
+++
+++<p> A client certificate verification depth of 1 is sufficient if
+++the certificate is directly issued by a CA listed in the CA file.
+++The default value (5) should also suffice for longer chains (root
+++CA issues special CA which then issues the actual certificate...)
+++</p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_tls_ccert_verifydepth = 5
+++</pre>
+++</blockquote>
+++
+++<h3><a name="server_tls_auth">Supporting AUTH over TLS only</a></h3>
+++
+++<p> Sending AUTH data over an un-encrypted channel poses a security
+++risk. When TLS layer encryption is required (smtpd_enforce_tls =
+++yes), the Postfix SMTP server will announce and accept AUTH only
+++after the TLS layer has been activated with STARTTLS. When TLS
+++layer encryption is optional (smtpd_enforce_tls = no), it may
+++however still be useful to only offer AUTH when TLS is active. To
+++maintain compatibility with non-TLS clients, the default is to
+++accept AUTH without encryption. In order to change this behavior,
+++set "smtpd_tls_auth_only = yes". </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_tls_auth_only = no
+++</pre>
+++</blockquote>
+++
+++<h3><a name="server_tls_cache">Server-side TLS session cache</a> </h3>
+++
+++<p> The Postfix SMTP server and the remote SMTP client negotiate a
+++session, which takes some computer time and network bandwidth. By
+++default, this session information is cached only in the smtpd(8)
+++process actually using this session and is lost when the process
+++terminates. To share the session information between multiple
+++smtpd(8) processes, a persistent session cache can be used based
+++on the SDBM databases (routines included in Postfix/TLS). Since
+++concurrent writing must be supported, only SDBM can be used. </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
+++</pre>
+++</blockquote>
+++
+++<p> Cached Postfix SMTP server session information expires after
+++a certain amount of time. Postfix/TLS does not use the OpenSSL
+++default of 300s, but a longer time of 3600sec (=1 hour). RFC 2246
+++recommends a maximum of 24 hours. </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_tls_session_cache_timeout = 3600s
+++</pre>
+++</blockquote>
+++
+++<h3><a name="server_access">Server access control</a> </h3>
+++
+++<p> Postfix TLS support introduces two additional features for
+++Postfix SMTP server access control: </p>
+++
+++<blockquote>
+++
+++<dl>
+++
+++<dt> permit_tls_clientcerts </dt> <dd> <p> Allow the remote SMTP
+++client SMTP request if the client certificate passes verification,
+++and if its fingerprint is listed in the list of client certificates
+++(see relay_clientcerts discussion below). </p> </dd>
+++
+++<dt> permit_tls_all_clientcerts </dt> <dd> <p> Allow the remote
+++client SMTP request if the client certificate passes verification.
+++</p> </dd>
+++
+++</dl>
+++
+++</blockquote>
+++
+++<p> The permit_tls_all_clientcerts feature must be used with caution,
+++because it can result in too many access permissions. Use this
+++feature only if a special CA issues the client certificates, and
+++only if this CA is listed as trusted CA. If other CAs are trusted,
+++any owner of a valid client certificate would be authorized.
+++The permit_tls_all_clientcerts feature can be practical for a
+++specially created email relay server. </p>
+++
+++<p> It is however recommended to stay with the permit_tls_clientcerts
+++feature and list all certificates via $relay_clientcerts, as
+++permit_tls_all_clientcerts does not permit any control when a
+++certificate must no longer be used (e.g. an employee leaving). </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_recipient_restrictions =
+++ ...
+++ permit_tls_clientcerts
+++ reject_unauth_destination
+++ ...
+++</pre>
+++</blockquote>
+++
+++<p> The Postfix list manipulation routines give special treatment
+++to whitespace and some other characters, making the use of certificate
+++names unpractical. Instead we use the certificate fingerprints as
+++they are difficult to fake but easy to use for lookup. Postfix
+++lookup tables are in the form of (key, value) pairs. Since we only
+++need the key, the value can be chosen freely, e.g. the name of
+++the user or host:</p>
+++
+++<blockquote>
+++<pre>
+++D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
+++</pre>
+++</blockquote>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++relay_clientcerts = hash:/etc/postfix/relay_clientcerts
+++</pre>
+++</blockquote>
+++
+++<h3><a name="server_cipher">Server-side cipher controls</a> </h3>
+++
+++<p> To influence the Postfix SMTP server cipher selection scheme,
+++you can give cipherlist string. A detailed description would go
+++to far here, please refer to the openssl documentation. If you
+++don't know what to do with it, simply don't touch it and leave the
+++(openssl-)compiled in default! </p>
+++
+++<p> DO NOT USE " to enclose the string, specify just the string!!! </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_tls_cipherlist = DEFAULT
+++</pre>
+++</blockquote>
+++
+++<p> If you want to take advantage of ciphers with EDH, DH parameters
+++are needed. Instead of using the built-in DH parameters for both
+++1024bit and 512bit, it is better to generate "own" parameters,
+++since otherwise it would "pay" for a possible attacker to start a
+++brute force attack against parameters that are used by everybody.
+++For this reason, the parameters chosen are already different from
+++those distributed with other TLS packages. </p>
+++
+++<p> To generate your own set of DH parameters, use: </p>
+++
+++<blockquote>
+++<pre>
+++openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
+++openssl gendh -out /etc/postfix/dh_512.pem -2 -rand /var/run/egd-pool 512
+++</pre>
+++</blockquote>
+++
+++<p> Your source for "entropy" might vary; some systems have
+++/dev/random; on other systems you might consider the "Entropy
+++Gathering Daemon EGD", available at http://www.lothar.com/tech/crypto/.
+++</p>
+++
+++<p> Examples: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
+++smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
+++</pre>
+++</blockquote>
+++
+++<h3><a name="server_misc"> Miscellaneous server controls</a> </h3>
+++
+++<p> The smtpd_starttls_timeout parameter limits the time of Postfix
+++SMTP server write and read operations during TLS startup and shutdown
+++handshake procedures. </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_starttls_timeout = 300s
+++</pre>
+++</blockquote>
+++
+++<h2> <a name="client_tls">SMTP Client specific settings</a> </h2>
+++
+++<p> Topics covered in this section: </p>
+++
+++<ul>
+++
+++<li><a href="#client_cert_key">Client-side certificate and private
+++key configuration </a>
+++
+++<li><a href="#client_logging"> Client-side TLS activity logging
+++</a>
+++
+++<li><a href="#client_tls_cache">Client-side TLS session cache</a>
+++
+++<li><a href="#client_tls"> Enabling TLS in the Postfix SMTP client </a>
+++
+++<li><a href="#client_vrfy_server">Server certificate verification</a>
+++
+++<li> <a href="#client_cipher">Client-side cipher controls </a>
+++
+++<li> <a href="#client_misc"> Miscellaneous client controls </a>
+++
+++</ul>
+++
+++<h3><a name="client_cert_key">Client-side certificate and private
+++key configuration </a> </h3>
+++
+++During TLS startup negotiation the Postfix SMTP client may present
+++a certificate to the remote SMTP server. The Netscape client is
+++rather clever here and lets the user select between only those
+++certificates that match CA certificates offered by the remote SMTP
+++server. As the Postfix SMTP client uses the "SSL_connect()" function
+++from the OpenSSL package, this is not possible and we have to choose
+++just one certificate. So for now the default is to use _no_
+++certificate and key unless one is explicitly specified here. </p>
+++
+++<p> Both RSA and DSA certificates are supported. You can have both
+++at the same time, in which case the cipher used determines which
+++certificate is presented. </p>
+++
+++<p> It is possible for the Postfix SMTP client to use the same
+++key/certificate pair as the Postfix SMTP server. If a certificate
+++is to be presented, it must be in "pem" format. The private key
+++must not be encrypted, meaning: it must be accessible without
+++password. Both parts (certificate and private key) may be in the
+++same file. </p>
+++
+++<p> In order for remote SMTP servers to verify the Postfix SMTP
+++client certificates, the CA certificate (in case of a certificate
+++chain, all CA certificates) must be available. You should add
+++these certificates to the client certificate, the client certificate
+++first, then the issuing CA(s). </p>
+++
+++<p> Example: the certificate for "client.dom.ain" was issued by
+++"intermediate CA" which itself has a certificate of "root CA".
+++Create the client.pem file with: </p>
+++
+++<blockquote>
+++<pre>
+++cat client_cert.pem intermediate_CA.pem root_CA.pem > client.pem
+++</pre>
+++</blockquote>
+++
+++<p> If you want the Postfix SMTP client to accept certificates
+++issued by these CAs, you can also add the CA certificates to the
+++smtp_tls_CAfile, in which case it is not necessary to have them in
+++the smtp_tls_cert_file or smtp_tls_dcert_file. </p>
+++
+++<p> A Postfix SMTP client certificate supplied here must be usable
+++as SSL client certificate and hence pass the "openssl verify -purpose
+++sslclient
+++..." test. </p>
+++
+++<p> RSA key and certificate examples: </p>
+++
+++<blockquote>
+++<pre>
+++smtp_tls_cert_file = /etc/postfix/client.pem
+++smtp_tls_key_file = $smtp_tls_cert_file
+++</pre>
+++</blockquote>
+++
+++<p> Their DSA counterparts: </p>
+++
+++<blockquote>
+++<pre>
+++smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
+++smtp_tls_dkey_file = $smtpd_tls_cert_file
+++</pre>
+++</blockquote>
+++
+++<p> The Postfix SMTP client certificate was issued by a certification
+++authority (CA), the CA-cert of which must be provided with the CA
+++file if it is not already provided in the certificate file. The
+++CA file may also contain the CA certificates of other trusted CAs.
+++You must use this file for the list of trusted CAs if you want to
+++use chroot-mode. No default is supplied for this value as of now.
+++</p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtp_tls_CAfile = /etc/postfix/CAcert.pem
+++</pre>
+++</blockquote>
+++
+++<p> To verify a remote SMTP server certificate, the Postfix SMTP
+++client needs to know the certificates of the issuing certification
+++authorities. These certificates in "pem" format are collected in
+++a directory. Don't forget to create the necessary "hash" links with
+++$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical place for
+++the CA certificates may also be $OPENSSL_HOME/certs, so there is
+++no default and you explicitly have to set the value here! </p>
+++
+++<p> To use this option in chroot mode, this directory itself or a
+++copy of it must be inside the chroot jail. </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtp_tls_CApath = /etc/postfix/certs
+++</pre>
+++</blockquote>
+++
+++<h3><a name="client_logging"> Client-side TLS activity logging </a> </h3>
+++
+++<p> To get additional information about Postfix SMTP client TLS
+++activity you can increase the loglevel from 0..4. Each logging
+++level also includes the information that is logged at a lower
+++logging level. </p>
+++
+++<blockquote>
+++
+++<table>
+++
+++<tr> <td> 0 </td> <td> Disable logging of TLS activity.</td> </tr>
+++
+++<tr> <td> 1 </td> <td> Log TLS handshake and certificate information.
+++</td> </tr>
+++
+++<tr> <td> 2 </td> <td> Log levels during TLS negotiation. </td>
+++</tr>
+++
+++<tr> <td> 3 </td> <td> Log hexadecimal and ASCII dump of TLS
+++negotiation process </td> </tr>
+++
+++<tr> <td> 4 </td> <td> Log hexadecimal and ASCII dump of complete
+++transmission after STARTTLS </td> </tr>
+++
+++</table>
+++
+++</blockquote>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtp_tls_loglevel = 0
+++</pre>
+++</blockquote>
+++
+++<h3><a name="client_tls_cache">Client-side TLS session cache</a> </h3>
+++
+++<p> The remote SMTP server and the Postfix SMTP client negotiate a
+++session, which takes some computer time and network bandwidth. By
+++default, this session information is cached only in the smtp(8)
+++process actually using this session and is lost when the process
+++terminates. To share the session information between multiple
+++smtp(8) processes, a persistent session cache can be used based on
+++the SDBM databases (routines included in Postfix/TLS). Since
+++concurrent writing must be supported, only SDBM can be used. </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
+++</pre>
+++</blockquote>
+++
+++<p> Cached Postfix SMTP client session information expires after
+++a certain amount of time. Postfix/TLS does not use the OpenSSL
+++default of 300s, but a longer time of 3600s (=1 hour). RFC 2246
+++recommends a maximum of 24 hours. </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtp_tls_session_cache_timeout = 3600s
+++</pre>
+++</blockquote>
+++
+++<h3><a name="client_tls"> Enabling TLS in the Postfix SMTP client </a>
+++</h3>
+++
+++<p> By default, TLS is disabled in the Postfix SMTP client, so no
+++difference to plain Postfix is visible. If you enable TLS, the
+++Postfix SMTP client will send STARTTLS when TLS support is announced
+++by the remote SMTP server. </p>
+++
+++<p> WARNING: MS Exchange servers will announce STARTTLS support
+++even when the service is not configured, so that the TLS handshake
+++will fail. It may be wise to not use this option on your central
+++mail hub, as you don't know in advance whether you are going to
+++connect to such a host. Instead, use the smtp_tls_per_site
+++recipient/site specific options that are described below. </p>
+++
+++<p> When the TLS handshake fails and no other server is available,
+++the Postfix SMTP client defers the delivery attempt, and the mail
+++stays in the queue. </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtp_use_tls = yes
+++</pre>
+++</blockquote>
+++
+++<p> You can ENFORCE the use of TLS, so that the Postfix SMTP client
+++will not deliver mail over un-encrypted connections. In this mode,
+++the remote SMTP server hostname must match the information in the
+++remote server certificate, and the server certificate must be issued
+++by a CA that is trusted by the Postfix SMTP client. If the remote
+++server certificate doesn't verify or the remote SMTP server hostname
+++doesn't match, and no other server is available, the delivery
+++attempt is deferred and the mail stays in the queue. </p>
+++
+++<p> The remote SMTP server hostname used in the check is beyond
+++question, as it must be the principal hostname (no CNAME allowed
+++here). Checks are performed against all names provided as dNSNames
+++in the SubjectAlternativeName. If no dNSNames are specified, the
+++CommonName is checked. The behavior may be changed with the
+++smtp_tls_enforce_peername option which is discussed below. </p>
+++
+++<p> This option is useful only if you know that you will only
+++connect to servers that support RFC 2487 _and_ that present server
+++certificates that meet the above requirements. An example would
+++be a client only sends email to one specific mailhub that offers
+++the necessary STARTTLS support. </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtp_enforce_tls = no
+++</pre>
+++</blockquote>
+++
+++<p> As of RFC 2487 the requirements for hostname checking for MTA
+++clients are not set. When TLS is required (smtp_enforce_tls = yes),
+++the option smtp_tls_enforce_peername can be set to "no" to disable
+++strict remote SMTP server hostname checking. In this case, the mail
+++delivery will proceed regardless of the CommonName etc. listed in
+++the certificate. </p>
+++
+++<p> Note: the smtp_tls_enforce_peername setting has no effect on
+++sessions that are controlled via the smtp_tls_per_site table. </p>
+++
+++<p> Disabling the remote SMTP server hostname verification can
+++make sense in closed environment where special CAs are created.
+++If not used carefully, this option opens the danger of a
+++"man-in-the-middle" attack (the CommonName of this possible attacker
+++is logged). </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtp_tls_enforce_peername = yes
+++</pre>
+++</blockquote>
+++
+++<p> Generally, trying TLS can be a bad idea, as some servers offer
+++STARTTLS but the negotiation will fail leading to unexplainable
+++failures. Instead, it may be a good idea to choose the TLS usage
+++policy based on the recipient or the mailhub to which you are
+++connecting. </p>
+++
+++<p> Deciding the TLS usage policy per recipient may be difficult,
+++since a single email delivery attempt can involve several recipients.
+++Instead, use of TLS is controlled by the Postfix next-hop destination
+++domain name and by the remote SMTP server hostname. If either of these
+++matches an entry in the smtp_tls_per_site table, appropriate action
+++is taken. </p>
+++
+++<p> The remote SMTP server hostname is simply the DNS name of the
+++server that the Postfix SMTP client connects to. The next-hop
+++destination is Postfix specific. By default, this is the domain
+++name in the recipient address, but this information can be overruled
+++by the transport(5) table or by the relayhost parameter setting.
+++In these cases the relayhost etc. must be listed in the smtp_tls_per_site
+++table, instead of the recipient domain name. </p>
+++
+++<p> Format of the table: domain or host names are specified on the
+++left-hand side; no wildcards are allowed. On the right hand side
+++specify one of the following keywords: </p>
+++
+++<blockquote>
+++
+++<dl>
+++
+++<dt> NONE </dt> <dd> Don't use TLS at all. </dd>
+++
+++<dt> MAY </dt> <dd> Try to use STARTTLS if offered,
+++otherwise use the un-encrypted connection. </dd>
+++
+++<dt> MUST </dt> <dd> Require usage of STARTTLS, require that the
+++remote SMTP server hostname matches the information in the remote
+++SMTP server certificate, and require that the remote SMTP server
+++certificate was issued by a trusted CA. </dd>
+++
+++<dt> MUST_NOPEERMATCH </dt> <dd> Require usage of STARTTLS, but do
+++not require that the remote SMTP server hostname matches the
+++information in the remote SMTP server certificate, or that the
+++server certificate was issued by a trusted CA. </dd>
+++
+++</dl>
+++
+++</blockquote>
+++
+++<p> The actual TLS usage policy depends not only on whether the
+++next-hop destination or remote SMTP server hostname are found in
+++the smtp_tls_per_site table, but also on the smtp_enforce_tls
+++setting: </p>
+++
+++<ul>
+++
+++<li> <p> If no match was found, the policy is applied as specified
+++with smtp_enforce_tls. </p>
+++
+++<li> <p> If a match was found, and the smtp_enforce_tls policy is
+++"enforce", NONE explicitly switches it off; otherwise the "enforce"
+++mode is used even for entries that specify MAY. </p>
+++
+++</ul>
+++
+++<p> Special hint for TLS enforcement mode: since no secure DNS
+++lookup mechanism is available, mail can be delivered to the wrong
+++remote SMTP server. This is not prevented by specifying MUST for
+++the next-hop domain name. The recommended setup is: specify local
+++transport(5) table entries for sensitive domains with explicit
+++smtp:[mailhost] destinations (since you can assure security of this
+++table unlike DNS), then specify MUST for these mail hosts in the
+++smtp_tls_per_site table. </p>
+++
+++<!-- XXX What it we were to require that each MX host lists the
+++domain it is responsible for in its server certificate, and that
+++Postfix/TLS includes the next-hop domain name in the peer name
+++verification process? -->
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtp_tls_per_site = hash:/etc/postfix/tls_per_site
+++</pre>
+++</blockquote>
+++
+++<p> As we decide on a "per site" basis whether or not to use TLS,
+++it would be good to have a list of sites that offered "STARTTLS".
+++We can collect it ourselves with this option. </p>
+++
+++<p> If the smtp_tls_note_starttls_offer feature is enabled and a
+++server offers STARTTLS while TLS is not already enabled for that
+++server, the Postfix SMTP client logs a line as follows: </p>
+++
+++<blockquote>
+++<pre>
+++postfix/smtp[pid]: Host offered STARTTLS: [hostname.example.com]
+++</pre>
+++</blockquote>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtp_tls_note_starttls_offer = yes
+++</pre>
+++</blockquote>
+++
+++<h3><a name="client_vrfy_server">Server certificate verification</a> </h3>
+++
+++<p> When verifying a remote SMTP server certificate, a verification
+++depth of 1 is sufficient if the certificate is directly issued by
+++a CA specified with smtp_tls_CAfile or smtp_tls_CApath. The default
+++value of 5 should also suffice for longer chains (root CA issues
+++special CA which then issues the actual certificate...) </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtp_tls_scert_verifydepth = 5
+++</pre>
+++</blockquote>
+++
+++<h3> <a name="client_cipher">Client-side cipher controls </a> </h3>
+++
+++<p> To influence the Postfix SMTP client cipher selection scheme,
+++you can give cipherlist string. A detailed description would go
+++to far here, please refer to the openssl documentation. If you
+++don't know what to do with it, simply don't touch it and leave the
+++(openssl-)compiled in default! </p>
+++
+++<p> DO NOT USE " to enclose the string, specify just the string!!! </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtp_tls_cipherlist = DEFAULT
+++</pre>
+++</blockquote>
+++
+++<h3> <a name="client_misc"> Miscellaneous client controls </a> </h3>
+++
+++<p> The smtp_starttls_timeout parameter limits the time of Postfix
+++SMTP client write and read operations during TLS startup and shutdown
+++handshake procedures. In case of problems the Postfix SMTP client
+++tries the next network address on the mail exchanger list, and
+++defers delivery if no alternative server is available. </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtp_starttls_timeout = 300s
+++</pre>
+++</blockquote>
+++
+++<h2><a name="tlsmgr_controls"> TLS manager specific settings </a> </h2>
+++
+++<p> The security of cryptographic software such as TLS depends
+++critically on the ability to generate unpredictable numbers for
+++keys and other information. To this end, the tlsmgr(8) process
+++maintains a Pseudo Random Number Generator (PRNG) pool. This is
+++a fixed-size 1024-byte exchange file that is read by the smtp(8)
+++and smtpd(8) processes when they initialize. These processes also
+++add some more entropy to the file by stirring in their own time
+++and process id information. </p>
+++
+++<p> The tlsmgr(8) process creates the file if it does not already
+++exist, and rewrites the file at random time intervals with information
+++from its in-memory PRNG pool. The default location is under the
+++Postfix configuration directory, which is not the proper place for
+++information that is modified by Postfix. Instead, the file location
+++should probably be on the /var partition (but _not_ inside the
+++chroot jail). </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++tls_random_exchange_name = /etc/postfix/prng_exch
+++</pre>
+++</blockquote>
+++
+++<p> In order to feed its in-memory PRNG pool, the tlsmgr(8) reads
+++entropy from an external source, both at startup and during run-time.
+++Specify a good entropy source, like EGD or /dev/urandom; be sure
+++to only use non-blocking sources. If the entropy source is not a
+++regular file, you must prepend the source type to the source name:
+++"dev:" for a device special file, or "egd:" for a source with EGD
+++compatible socket interface. </p>
+++
+++<p> Examples (specify only one in main.cf): </p>
+++
+++<blockquote>
+++<pre>
+++tls_random_source = dev:/dev/urandom
+++tls_random_source = egd:/var/run/egd-pool
+++</pre>
+++</blockquote>
+++
+++<p> By default, tlsmgr(8) reads 32 bytes from the external entropy
+++source at each seeding event. This amount (256bits) is more than
+++sufficient for generating a 128bit symmetric key. With EGD and
+++device entropy sources, the tlsmgr(8) limits the amount of data
+++read at each step to 255 bytes. If you specify a regular file as
+++entropy source, a larger amount of data can be read. </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++tls_random_bytes = 32
+++</pre>
+++</blockquote>
+++
+++<p> In order to update its in-memory PRNG pool, the tlsmgr(8)
+++queries the external entropy source again after a random amount of
+++time. The time is calculated using the PRNG, and is between 0 and
+++the maximal time specified with tls_random_reseed_period. The
+++default maximal time interval is 1 hour. </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++tls_random_reseed_period = 3600s
+++</pre>
+++</blockquote>
+++
+++<p> The tlsmgr(8) re-generates the 1024 byte seed exchange file
+++after a random amount of time. The time is calculated using the
+++PRNG, and is between 0 and the maximal time specified with
+++tls_random_update_period. The default maximal time interval is 60
+++seconds. </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++tls_random_prng_update_period = 60s
+++</pre>
+++</blockquote>
+++
+++<p> If you have an entropy source available that is not easily
+++drained (like /dev/urandom), the smtp(8) and smtpd(8) daemons can
+++load additional entropy on startup. By default, an amount of 32
+++bytes is read, the equivalent to 256 bits. This is more than
+++sufficient to generate a 128bit (or 168bit) session key. However,
+++when Postfix needs to generate more than one key it can drain the
+++EGD. Consider the case of 50 smtp(8) processes starting up with a
+++full queue; this will request 1600bytes of entropy. This is however
+++not fatal, as long as "entropy" data can still be read from the
+++seed file that is maintained by tlsmgr(8). </p>
+++
+++<p> Examples: </p>
+++
+++<blockquote>
+++<pre>
+++tls_daemon_random_source = dev:/dev/urandom
+++tls_daemon_random_source = egd:/var/run/egd-pool
+++tls_daemon_random_bytes = 32
+++</pre>
+++</blockquote>
+++
+++<h2> <a name="problems"> Reporting problems </a> </h2>
+++
+++<p> When reporting a problem, please be thorough in the report.
+++Patches, when possible, are greatly appreciated too. </p>
+++
+++<p> Please differentiate when possible between: </p>
+++
+++<ul>
+++
+++<li> Problems in the IPv6 code: <postfix-ipv6 at stack.nl>
+++
+++<li> Problems in the TLS code: <postfix_tls at aet.tu-cottbus.de>
+++
+++<li> Problems in vanilla Postfix: <postfix-users at postfix.org>
+++
+++</ul>
+++
+++<h2><a name="credits">Credits </a> </h2>
+++
+++<ul>
+++
+++<li> TLS support for Postfix was originally developed by Lutz
+++Jänicke at Cottbus Technical University.
+++
+++<li> This part of the documentation was compiled by Wietse Venema
+++</p>
+++
+++</ul>
+++
+++</body>
+++
+++</html>
++diff -ruN postfix-2.1.0-vanilla/proto/postconf.proto postfix-2.1.0/proto/postconf.proto
++--- postfix-2.1.0-vanilla/proto/postconf.proto Fri Apr 23 01:10:02 2004
+++++ postfix-2.1.0/proto/postconf.proto Mon Apr 26 13:44:06 2004
++@@ -3820,6 +3820,19 @@
++ <dd>Permit the request when the client IP address matches any
++ network listed in $mynetworks. </dd>
++
+++<dt><b><a name="permit_tls_all_clientcerts">permit_tls_all_clientcerts</a></b></dt>
+++
+++<dd> Permit the request when the remote SMTP client certificate is
+++verified successfully. This option must be used only if a special
+++CA issues the certificates and only this CA is listed as trusted
+++CA, otherwise all clients with a recognized certificate would be
+++allowed to relay. </dd>
+++
+++<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
+++
+++<dd>Permit the request when the remote SMTP client certificate is
+++verified successfully, and the certificate fingerprint is listed
+++in $relay_clientcerts. </dd>
++ <dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
++
++ <dd>Reject the request when the reversed client network address is
++@@ -6796,3 +6809,618 @@
++ remote domains. Available before Postfix version 2.0. With Postfix 2.1
++ and later, this is replaced by separate controls: virtual_alias_domains
++ and virtual_alias_maps. </p>
+++
+++%PARAM smtpd_tls_cert_file
+++
+++<p> File with the Postfix SMTP server RSA certificate in PEM format.
+++This file may also contain the server private key. </p>
+++
+++<p> Both RSA and DSA certificates are supported. When both types
+++are present, the cipher used determines which certificate will be
+++presented to the client. For Netscape and OpenSSL clients without
+++special cipher choices the RSA certificate is preferred. </p>
+++
+++<p> In order to verify a certificate, the CA certificate (in case
+++of a certificate chain, all CA certificates) must be available.
+++You should add these certificates to the server certificate, the
+++server certificate first, then the issuing CA(s). </p>
+++
+++<p> Example: the certificate for "server.dom.ain" was issued by
+++"intermediate CA" which itself has a certificate of "root CA".
+++Create the server.pem file with "cat server_cert.pem intermediate_CA.pem
+++root_CA.pem > server.pem". </p>
+++
+++<p> If you want to accept certificates issued by these CAs yourself,
+++you can also add the CA certificates to the smtpd_tls_CAfile, in
+++which case it is not necessary to have them in the smtpd_tls_dcert_file
+++or smtpd_tls_cert_file. </p>
+++
+++<p> A certificate supplied here must be usable as SSL server
+++certificate and hence pass the "openssl verify -purpose sslserver
+++..." test. </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtpd_tls_cert_file = /etc/postfix/server.pem
+++</pre>
+++
+++%PARAM smtpd_tls_key_file $smtpd_tls_cert_file
+++
+++<p> File with the Postfix SMTP server RSA private key in PEM format.
+++This file may be combined with the server certificate file specified
+++with $smtpd_tls_cert_file. </p>
+++
+++<p> The private key must not be encrypted. In other words, the key
+++must be accessible without password. </p>
+++
+++%PARAM smtpd_tls_dcert_file
+++
+++<p> File with the Postfix SMTP server DSA certificate in PEM format.
+++This file may also contain the server private key. <p>
+++
+++<p> See the discussion under smtpd_tls_cert_file for more details.
+++</p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
+++</pre>
+++
+++%PARAM smtpd_tls_dkey_file $smtpd_tls_dcert_file
+++
+++<p> File with the Postfix SMTP server DSA private key in PEM format.
+++This file may be combined with the server certificate file specified
+++with $smtpd_tls_dcert_file. </p>
+++
+++<p> The private key must not be encrypted. In other words, the key
+++must be accessible without password. </p>
+++
+++%PARAM smtpd_tls_CAfile
+++
+++<p> The file with the certificate of the certification authority
+++(CA) that issued the Postfix SMTP server certificate. This is
+++needed only when the CA certificate is not already present in the
+++server certificate file. This file may also contain the CA
+++certificates of other trusted CAs. You must use this file for the
+++list of trusted CAs if you want to use chroot-mode. </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtpd_tls_CAfile = /etc/postfix/CAcert.pem
+++</pre>
+++
+++%PARAM smtpd_tls_CApath
+++
+++<p> Directory with PEM format certificate authority certificates
+++that the Postfix SMTP server offers to remote SMTP clients for the
+++purpose of client certificate verification. Do not forget to create
+++the necessary "hash" links with, for example, "$OPENSSL_HOME/bin/c_rehash
+++/etc/postfix/certs". </p>
+++
+++<p> To use this option in chroot mode, this directory (or a copy)
+++must be inside the chroot jail. Please note that in this case the
+++CA certificates are not offered to the client, so that e.g. Netscape
+++clients might not offer certificates issued by them. Use of this
+++feature is therefore not recommended. </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtpd_tls_CApath = /etc/postfix/certs
+++</pre>
+++
+++%PARAM smtpd_tls_loglevel 0
+++
+++<p> Enable additional Postfix SMTP server logging of TLS activity.
+++Each logging level also includes the information that is logged at
+++a lower logging level. </p>
+++
+++<dl compact>
+++
+++<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
+++
+++<dt> </dt> <dd> 1 Log TLS handshake and certificate information. </dd>
+++
+++<dt> </dt> <dd> 2 Log levels during TLS negotiation. </dd>
+++
+++<dt> </dt> <dd> 3 Log hexadecimal and ASCII dump of TLS negotiation
+++process. </dd>
+++
+++<dt> </dt> <dd> 4 Also log hexadecimal and ASCII dump of complete
+++transmission after STARTTLS. </dd>
+++
+++</dl>
+++
+++<p> Use "smtpd_tls_loglevel = 3" only in case of problems. Use of
+++loglevel 4 is strongly discouraged. </p>
+++
+++%PARAM smtpd_tls_received_header no
+++
+++<p> Request that the Postfix SMTP server produces Received: message
+++headers that include information about the protocol and cipher used,
+++as well as the client CommonName and client certificate issuer
+++CommonName. This is disabled by default, as the information may
+++be modified in transit through other mail servers. Only information
+++that was recorded by the final destination can be trusted. </p>
+++
+++%PARAM smtpd_use_tls no
+++
+++<p> Enable TLS support in the Postfix SMTP server. </p>
+++
+++<p> Note: when invoked via "sendmail -bs", Postfix will never offer
+++STARTTLS due to insufficient privileges to access the server private
+++key. This is intended behavior. </p>
+++
+++%PARAM smtpd_enforce_tls no
+++
+++<p> Require that remote SMTP clients use TLS encryption. According
+++to RFC 2487 this MUST NOT be applied in case of a publicly-referenced
+++SMTP server. This option is off by default and should only rarely
+++be used. </p>
+++
+++<p> This option implies "smtpd_use_tls = yes". </p>
+++
+++<p> Note: when invoked via "sendmail -bs", Postfix will never offer
+++STARTTLS due to insufficient privileges to access the server private
+++key. This is intended behavior. </p>
+++
+++%PARAM smtpd_tls_wrappermode no
+++
+++<p> Run the Postfix SMTP server in the non-standard "wrapper" mode,
+++instead of using the STARTTLS command. </p>
+++
+++<p> If you want to support this service, enable a special port in
+++master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP
+++server's command line. Port 465 (smtps) was once chosen for this
+++purpose. </p>
+++
+++%PARAM smtpd_tls_ask_ccert no
+++
+++<p> Ask a remote SMTP client for a client certificate. This
+++information is needed for certificate based mail relaying with,
+++for example, the permit_tls_clientcerts feature. </p>
+++
+++<p> Some clients such as Netscape will either complain if no
+++certificate is available (for the list of CAs in /etc/postfix/certs)
+++or will offer multiple client certificates to choose from. This
+++may be annoying, so this option is "off" by default. </p>
+++
+++%PARAM smtpd_tls_req_ccert no
+++
+++<p> When TLS encryption is enforced, require a remote SMTP client
+++certificate in order to allow TLS connections to proceed. This
+++option implies "smtpd_tls_ask_ccert = yes". </p>
+++
+++<p> When TLS encryption is optional, remote SMTP clients can bypass
+++the restriction by simply not using STARTTLS at all. For this reason
+++a TLS connection will be handled as if only "smtpd_tls_ask_ccert
+++= yes" is specified. </p>
+++
+++%PARAM smtpd_tls_ccert_verifydepth 5
+++
+++<p> The verification depth for remote SMTP client certificates. A
+++depth of 1 is sufficient if the issuing CA is listed in a local CA
+++file. The default value should also suffice for longer chains (the
+++root CA issues special CA which then issues the actual certificate...).
+++</p>
+++
+++%PARAM smtpd_tls_auth_only no
+++
+++<p> When TLS encryption is optional in the Postfix SMTP server, do
+++not announce or accept SASL authentication over un-encrypted
+++connections. </p>
+++
+++%PARAM smtpd_tls_session_cache_database
+++
+++<p> Name of the SDBM file (type sdbm:) containing the optional
+++Postfix SMTP server TLS session cache. SDBM is required in order
+++to support concurrent updates. The file is created if it does not
+++exist. </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
+++</pre>
+++
+++%PARAM smtpd_tls_session_cache_timeout 3600s
+++
+++<p> The expiration time of Postfix SMTP server TLS session cache
+++information. A cache cleanup is performed periodically every
+++$smtpd_tls_session_cache_timeout seconds. </p>
+++
+++%PARAM relay_clientcerts
+++
+++<p> The list of remote SMTP client certificates for which the
+++Postfix SMTP server will allow access with the permit_tls_clientcerts
+++feature. This feature does not use certificate names, because
+++Postfix list manipulation routines treat whitespace and some other
+++characters as special. Instead we use certificate fingerprints as
+++they are difficult to fake but easy to use for lookup. </p>
+++
+++<p> Postfix lookup tables are in the form of (key, value) pairs.
+++Since we only need the key, the value can be chosen freely, e.g.
+++the name of the user or host:
+++D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++relay_clientcerts = hash:/etc/postfix/relay_clientcerts
+++</pre>
+++
+++%PARAM smtpd_tls_cipherlist
+++
+++<p> Controls the Postfix SMTP server TLS cipher selection scheme.
+++For details, see the OpenSSL documentation. Note: do not use ""
+++quotes around the parameter value. </p>
+++
+++%PARAM smtpd_tls_dh1024_param_file
+++
+++<p> File with DH parameters that the Postfix SMTP server should
+++use with EDH ciphers. </p>
+++
+++<p> Instead of using the exact same parameter sets as distributed
+++with other TLS packages, it is more secure to generate your own
+++set of parameters with something like the following command: </p>
+++
+++<pre>
+++openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
+++</pre>
+++
+++<p> Your actual source for entropy may differ. Some systems have
+++/dev/random; on other system you may consider using the "Entropy
+++Gathering Daemon EGD", available at http://www.lothar.com/tech/crypto/.
+++</p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
+++</pre>
+++
+++%PARAM smtpd_tls_dh512_param_file
+++
+++<p> File with DH parameters that the Postfix SMTP server should
+++use with EDH ciphers. </p>
+++
+++<p> See also the discussion under the smtpd_tls_dh1024_param_file
+++configuration parameter. </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
+++</pre>
+++
+++%PARAM smtpd_starttls_timeout 300s
+++
+++<p> The time limit for Postfix SMTP server write and read operations
+++during TLS startup and shutdown handshake procedures. </p>
+++
+++%PARAM smtp_tls_cert_file
+++
+++<p> File with the Postfix SMTP client RSA certificate in PEM format.
+++This file may also contain the client private key, and these may
+++be the same as the server certificate and key file. </p>
+++
+++<p> In order to verify certificates, the CA certificate (in case
+++of a certificate chain, all CA certificates) must be available.
+++You should add these certificates to the server certificate, the
+++server certificate first, then the issuing CA(s). </p>
+++
+++<p> Example: the certificate for "client.dom.ain" was issued by
+++"intermediate CA" which itself has a certificate of "root CA".
+++Create the client.pem file with "cat client_cert.pem intermediate_CA.pem
+++root_CA.pem > client.pem". </p>
+++
+++<p> If you want to accept remote SMTP server certificates issued
+++by these CAs yourself, you can also add the CA certificates to the
+++smtp_tls_CAfile, in which case it is not necessary to have them in
+++the smtp_tls_cert_file or smtp_tls_dcert_file. </p>
+++
+++<p> A certificate supplied here must be usable as SSL client certificate and
+++hence pass the "openssl verify -purpose sslclient ..." test. </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtp_tls_cert_file = /etc/postfix/client.pem
+++</pre>
+++
+++%PARAM smtp_tls_key_file $smtp_tls_cert_file
+++
+++<p> File with the Postfix SMTP client RSA private key in PEM format.
+++This file may be combined with the client certificate file specified
+++with $smtp_tls_cert_file. </p>
+++
+++<p> The private key must not be encrypted. In other words, the key
+++must be accessible without password. </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtp_tls_key_file = $smtp_tls_cert_file
+++</pre>
+++
+++%PARAM smtp_tls_CAfile
+++
+++<p> The file with the certificate of the certification authority
+++(CA) that issued the Postfix SMTP client certificate. This is
+++needed only when the CA certificate is not already present in the
+++client certificate file. </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtp_tls_CAfile = /etc/postfix/CAcert.pem
+++</pre>
+++
+++%PARAM smtp_tls_CApath
+++
+++<p> Directory with PEM format certificate authority certificates
+++that the Postfix SMTP client uses to verify a remote SMTP server
+++certificate. Don't forget to create the necessary "hash" links
+++with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
+++</p>
+++
+++<p> To use this option in chroot mode, this directory (or a copy)
+++must be inside the chroot jail. </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtp_tls_CApath = /etc/postfix/certs
+++</pre>
+++
+++%PARAM smtp_tls_loglevel 0
+++
+++<p> Enable additional Postfix SMTP client logging of TLS activity.
+++Each logging level also includes the information that is logged at
+++a lower logging level. </p>
+++
+++<dl compact>
+++
+++<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
+++
+++<dt> </dt> <dd> 1 Log TLS handshake and certificate information. </dd>
+++
+++<dt> </dt> <dd> 2 Log levels during TLS negotiation. </dd>
+++
+++<dt> </dt> <dd> 3 Log hexadecimal and ASCII dump of TLS negotiation
+++process. </dd>
+++
+++<dt> </dt> <dd> 4 Log hexadecimal and ASCII dump of complete
+++transmission after STARTTLS. </dd>
+++
+++</dl>
+++
+++<p> Use "smtp_tls_loglevel = 3" only in case of problems. Use of
+++loglevel 4 is strongly discouraged. </p>
+++
+++%PARAM smtp_tls_session_cache_database
+++
+++<p> Name of the SDBM file (type sdbm:) containing the optional
+++Postfix SMTP client TLS session cache. SDBM is required in order
+++to support concurrent updates. The file is created if it does not
+++exist. </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
+++</pre>
+++
+++%PARAM smtp_tls_session_cache_timeout 3600s
+++
+++<p> The expiration time of Postfix SMTP client TLS session cache
+++information. A cache cleanup is performed periodically every
+++$smtp_tls_session_cache_timeout seconds. </p>
+++
+++%PARAM smtp_use_tls no
+++
+++<p> Always use TLS when a remote SMTP server announces STARTTLS
+++support. Beware: some remote SMTP servers offer STARTTLS even if
+++it is not configured. If the TLS handshake fails, and no other
+++server is available, delivery is deferred and mail stays in the
+++queue. If this is a concern for you, use the smtp_tls_per_site
+++feature instead. </p>
+++
+++%PARAM smtp_enforce_tls no
+++
+++<p> Require that remote SMTP servers use TLS encryption. This also
+++requires that the remote SMTP server hostname matches the information
+++in the remote server certificate, and that the remote SMTP server
+++certificate was issued by a CA that is trusted by the Postfix SMTP
+++client. If the certificate doesn't verify or the hostname doesn't
+++match, delivery is deferred and mail stays in the queue. </p>
+++
+++<p> The hostname used in the check is performed against all names
+++provided as dNSNames in the SubjectAlternativeName. If no dNSNames
+++are specified, the CommonName is checked. The behavior may be
+++changed with the smtp_tls_enforce_peername option. </p>
+++
+++<p> This option is useful only if you are definitely sure that you
+++will only connect to servers that support RFC 2487 _and_ that
+++provide valid server certificates. It is relatively safe to use
+++for local clients that only send email to one mailhub with the
+++necessary STARTTLS support. </p>
+++
+++%PARAM smtp_tls_enforce_peername yes
+++
+++<p> When TLS encryption is enforced, require that the remote SMTP
+++server hostname matches the information in the remote SMTP server
+++certificate. As of RFC 2487 the requirements for hostname checking
+++for MTA clients are not set. </p>
+++
+++<p> This option can be set to "no" to disable strict peer name
+++checking. This setting has no effect on sessions that are controlled
+++via the smtp_tls_per_site table. </p>
+++
+++<p> Disabling the hostname verification can make sense in closed
+++environment where special CAs are created. If not used carefully,
+++this option opens the danger of a "man-in-the-middle" attack (the
+++CommonName of this attacker will be logged). </p>
+++
+++%PARAM smtp_tls_per_site
+++
+++<p> Optional lookup tables with the Postfix SMTP client TLS usage
+++policy by next-hop domain name and by remote SMTP server hostname.
+++</p>
+++
+++<p> Table format: domain names or server hostnames are specified
+++on the left-hand side; no wildcards are allowed. On the right hand
+++side specify one of the following keywords: </p>
+++
+++<dl>
+++
+++<dt> NONE </dt> <dd>Don't use TLS at all. </dd>
+++
+++<dt> MAY </dt> <dd>Try to use STARTTLS if offered,
+++otherwise use the un-encrypted connection. </dd>
+++
+++<dt> MUST </dt> <dd>Require usage of STARTTLS, require that the
+++remote SMTP server hostname matches the information in the remote
+++SMTP server certificate, and require that the remote SMTP server
+++certificate was issued by a trusted CA. </dd>
+++
+++<dt> MUST_NOPEERMATCH </dt> <dd>Require usage of STARTTLS, but do
+++not require that the remote SMTP server hostname matches the
+++information in the remote SMTP server certificate, or that the
+++server certificate was issued by a trusted CA. </dd>
+++
+++</dl>
+++
+++<p> Special hint for enforcement mode: since no secure DNS lookup
+++mechanism is available, the recommended setup is: specify local
+++transport(5) table entries for sensitive domains with explicit
+++smtp:[mailhost] destinations (since you can assure security of this
+++table unlike DNS), then specify MUST for these mail hosts in the
+++smtp_tls_per_site table. </p>
+++
+++%PARAM smtp_tls_scert_verifydepth 5
+++
+++<p> The verification depth for remote SMTP server certificates. A
+++depth of 1 is sufficient, if the certificate is directly issued by
+++a CA listed in the CA files. The default value (5) should suffice
+++for longer chains (the root CA issues special CA which then issues
+++the actual certificate...). </p>
+++
+++%PARAM smtp_tls_note_starttls_offer no
+++
+++<p> Log the hostname of a remote SMTP server that offers STARTTLS,
+++when TLS is not already enabled for that server. </p>
+++
+++<p> The logfile record looks like: </p>
+++
+++<pre>
+++postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]
+++</pre>
+++
+++%PARAM smtp_tls_cipherlist
+++
+++<p> Controls the Postfix SMTP client TLS cipher selection scheme.
+++For details, see the OpenSSL documentation. Note: do not use ""
+++quotes around the parameter value. </p>
+++
+++%PARAM smtp_starttls_timeout 300s
+++
+++<p> Time limit for Postfix SMTP client write and read operations
+++during TLS startup and shutdown handshake procedures. </p>
+++
+++%PARAM smtp_tls_dkey_file $smtp_tls_dcert_file
+++
+++<p> File with the Postfix SMTP client DSA private key in PEM format.
+++The private key must not be encrypted. In other words, the key must
+++be accessible without password. </p>
+++
+++<p> This file may be combined with the server certificate file
+++specified with $smtp_tls_cert_file. </p>
+++
+++%PARAM smtp_tls_dcert_file
+++
+++<p> File with the Postfix SMTP client DSA certificate in PEM format.
+++This file may also contain the server private key. </p>
+++
+++<p> See the discussion under smtp_tls_cert_file for more details.
+++</p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
+++</pre>
+++
+++%PARAM tls_random_exchange_name ${config_directory}/prng_exch
+++
+++<p> Name of the pseudo random number generator (PRNG) seed file
+++that is maintained by tlsmgr(8), and that is read by the smtp(8)
+++and smtpd(8) processes upon startup. The file length is fixed at
+++1024 bytes, and is created by tlsmgr(8) when it does not exist.
+++</p>
+++
+++<p> Since this file is changed by Postfix, it should probably be
+++kept in the /var file system, instead of under $config_directory.
+++The location should not be inside the chroot jail. </p>
+++
+++%PARAM tls_random_source
+++
+++<p> The external entropy source for the in-memory tlsmgr(8) pseudo
+++random number generator (PRNG) pool. Be sure to specify a non-blocking
+++source. If this source is not a regular file, the entropy source
+++type must be prepended: egd:/path/to/egd_socket for a source with
+++EGD compatible socket interface, or dev:/path/to/device for a
+++device file. </p>
+++
+++%PARAM tls_random_bytes 32
+++
+++<p> The number of bytes that tlsmgr(8) reads from $tls_random_source
+++when (re)seeding the in-memory pseudo random number generator (PRNG)
+++pool. The default of 32 bytes (256 bits) is good enough for 128bit
+++symmetric keys. If using EGD, a maximum of 255 bytes is read. </p>
+++
+++%PARAM tls_random_reseed_period 3600s
+++
+++<p> The maximal time between attempts by tlsmgr(8) to re-seed the
+++in-memory pseudo random number generator (PRNG) pool from external
+++sources. The actual time between re-seeding attempts is calculated
+++using the PRNG, and is between 0 and the time specified. </p>
+++
+++%PARAM tls_random_prng_update_period 60s
+++
+++<p> The maximal time between attempts by tlsmgr(8) to rewrite the
+++pseudo random number generator (PRNG) seed file specified with
+++$tls_random_exchange_name. This file is read by smtpd(8) and smtpd(8)
+++processes in order to seed their PRNGs. The actual time between
+++rewriting attempts is calculated using the PRNG, and is between 0
+++and the time specified. </p>
+++
+++%PARAM tls_daemon_random_source
+++
+++<p> Optional external source of entropy that can be read by smtpd(8)
+++and smtpd(8) processes in order to initialize their PRNGs. Be sure
+++to specify a non-blocking source. The entropy source type must be
+++prepended to the source name: egd:/path/to/egd_socket for a source
+++with EGD compatible socket interface, or dev:/path/to/device for
+++a device file. </p>
+++
+++<p> Examples: </p>
+++
+++<pre>
+++tls_daemon_random_source = dev:/dev/urandom
+++tls_daemon_random_source = egd:/var/run/egd-pool
+++</pre>
+++
+++%PARAM tls_daemon_random_bytes 32
+++
+++<p> The amount of data that smtpd(8) and smtpd(8) processes read
+++from the entropy source specified with $tls_daemon_random_source.
+++The default of 32 bytes (equivalent to 256 bits) is sufficient to
+++generate a 128bit (or 168bit) session key. </p>
+++
+++<p> Usage of this option may drain EGD (consider the case of 50
+++smtp(8) processes starting up with a full queue and "postfix start",
+++which will request 1600 bytes of entropy). This is however not
++diff -ruN postfix-2.1.0-vanilla/src/global/Makefile.in postfix-2.1.0/src/global/Makefile.in
++--- postfix-2.1.0-vanilla/src/global/Makefile.in Thu Apr 22 21:37:34 2004
+++++ postfix-2.1.0/src/global/Makefile.in Sat Apr 24 14:44:19 2004
++@@ -22,7 +22,7 @@
++ sent.c smtp_stream.c split_addr.c string_list.c strip_addr.c \
++ sys_exits.c timed_ipc.c tok822_find.c tok822_node.c tok822_parse.c \
++ tok822_resolve.c tok822_rewrite.c tok822_tree.c trace.c verify.c \
++- verify_clnt.c verp_sender.c virtual8_maps.c xtext.c
+++ verify_clnt.c verp_sender.c virtual8_maps.c xtext.c pfixtls.c
++ OBJS = abounce.o been_here.o bounce.o bounce_log.o \
++ canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \
++ clnt_stream.o debug_peer.o debug_process.o defer.o \
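Review bot: `pfixtls.c` is appended after `xtext.c` at the tail of the SRCS list, but the list it joins is kept in alphabetical order (`verify_clnt.c verp_sender.c virtual8_maps.c xtext.c`), so the new entry breaks that ordering; the same applies to the OBJS and HDRS hunks that follow. I would place it in sorted position on the line that holds the other `p*` sources (and likewise for `pfixtls.o` and `pfixtls.h`) so the lists stay mechanically diffable against the vanilla tree.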
++@@ -46,7 +46,7 @@
++ sent.o smtp_stream.o split_addr.o string_list.o strip_addr.o \
++ sys_exits.o timed_ipc.o tok822_find.o tok822_node.o tok822_parse.o \
++ tok822_resolve.o tok822_rewrite.o tok822_tree.o trace.o verify.o \
++- verify_clnt.o verp_sender.o virtual8_maps.o xtext.o
+++ verify_clnt.o verp_sender.o virtual8_maps.o xtext.o pfixtls.o
++ HDRS = abounce.h been_here.h bounce.h bounce_log.h \
++ canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \
++ debug_peer.h debug_process.h defer.h deliver_completed.h \
++@@ -67,7 +67,7 @@
++ resolve_local.h rewrite_clnt.h sent.h smtp_stream.h split_addr.h \
++ string_list.h strip_addr.h sys_exits.h timed_ipc.h tok822.h \
++ trace.h verify.h verify_clnt.h verp_sender.h virtual8_maps.h \
++- xtext.h
+++ xtext.h pfixtls.h
++ TESTSRC = rec2stream.c stream2rec.c recdump.c
++ DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE)
++ CFLAGS = $(DEBUG) $(OPT) $(DEFS)
++@@ -862,6 +862,7 @@
++ mail_params.o: ../../include/attr.h
++ mail_params.o: verp_sender.h
++ mail_params.o: mail_params.h
+++mail_params.o: pfixtls.h
++ mail_pathname.o: mail_pathname.c
++ mail_pathname.o: ../../include/sys_defs.h
++ mail_pathname.o: ../../include/stringops.h
++@@ -1394,3 +1395,16 @@
++ xtext.o: ../../include/vstring.h
++ xtext.o: ../../include/vbuf.h
++ xtext.o: xtext.h
+++pfixtls.o: pfixtls.c
+++pfixtls.o: ../../include/sys_defs.h
+++pfixtls.o: ../../include/iostuff.h
+++pfixtls.o: ../../include/mymalloc.h
+++pfixtls.o: ../../include/vstring.h
+++pfixtls.o: ../../include/vstream.h
+++pfixtls.o: ../../include/dict.h
+++pfixtls.o: ../../include/myflock.h
+++pfixtls.o: ../../include/stringops.h
+++pfixtls.o: ../../include/msg.h
+++pfixtls.o: ../../include/connect.h
+++pfixtls.o: mail_params.h
+++pfixtls.o: pfixtls.h
++diff -ruN postfix-2.1.0-vanilla/src/global/mail_params.c postfix-2.1.0/src/global/mail_params.c
++--- postfix-2.1.0-vanilla/src/global/mail_params.c Mon Jan 26 16:43:42 2004
+++++ postfix-2.1.0/src/global/mail_params.c Sat Apr 24 14:35:26 2004
++@@ -161,6 +161,7 @@
++ #include "mail_proto.h"
++ #include "verp_sender.h"
++ #include "mail_params.h"
+++#include "pfixtls.h"
++
++ /*
++ * Special configuration variables.
++@@ -231,6 +232,33 @@
++ int var_in_flow_delay;
++ char *var_par_dom_match;
++ char *var_config_dirs;
+++#ifdef USE_SSL
+++char *var_tls_rand_exch_name;
+++char *var_smtpd_tls_cert_file;
+++char *var_smtpd_tls_key_file;
+++char *var_smtpd_tls_dcert_file;
+++char *var_smtpd_tls_dkey_file;
+++char *var_smtpd_tls_CAfile;
+++char *var_smtpd_tls_CApath;
+++char *var_smtpd_tls_cipherlist;
+++char *var_smtpd_tls_dh512_param_file;
+++char *var_smtpd_tls_dh1024_param_file;
+++int var_smtpd_tls_loglevel;
+++char *var_smtpd_tls_scache_db;
+++int var_smtpd_tls_scache_timeout;
+++char *var_smtp_tls_cert_file;
+++char *var_smtp_tls_key_file;
+++char *var_smtp_tls_dcert_file;
+++char *var_smtp_tls_dkey_file;
+++char *var_smtp_tls_CAfile;
+++char *var_smtp_tls_CApath;
+++char *var_smtp_tls_cipherlist;
+++int var_smtp_tls_loglevel;
+++char *var_smtp_tls_scache_db;
+++int var_smtp_tls_scache_timeout;
+++char *var_tls_daemon_rand_source;
+++int var_tls_daemon_rand_bytes;
+++#endif
++
++ char *var_import_environ;
++ char *var_export_environ;
++@@ -478,6 +506,28 @@
++ VAR_FLUSH_SERVICE, DEF_FLUSH_SERVICE, &var_flush_service, 1, 0,
++ VAR_VERIFY_SERVICE, DEF_VERIFY_SERVICE, &var_verify_service, 1, 0,
++ VAR_TRACE_SERVICE, DEF_TRACE_SERVICE, &var_trace_service, 1, 0,
+++#ifdef USE_SSL
+++ VAR_TLS_RAND_EXCH_NAME, DEF_TLS_RAND_EXCH_NAME, &var_tls_rand_exch_name, 0, 0,
+++ VAR_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CERT_FILE, &var_smtpd_tls_cert_file, 0, 0,
+++ VAR_SMTPD_TLS_KEY_FILE, DEF_SMTPD_TLS_KEY_FILE, &var_smtpd_tls_key_file, 0, 0,
+++ VAR_SMTPD_TLS_DCERT_FILE, DEF_SMTPD_TLS_DCERT_FILE, &var_smtpd_tls_dcert_file, 0, 0,
+++ VAR_SMTPD_TLS_DKEY_FILE, DEF_SMTPD_TLS_DKEY_FILE, &var_smtpd_tls_dkey_file, 0, 0,
+++ VAR_SMTPD_TLS_CA_FILE, DEF_SMTPD_TLS_CA_FILE, &var_smtpd_tls_CAfile, 0, 0,
+++ VAR_SMTPD_TLS_CA_PATH, DEF_SMTPD_TLS_CA_PATH, &var_smtpd_tls_CApath, 0, 0,
+++ VAR_SMTPD_TLS_CLIST, DEF_SMTPD_TLS_CLIST, &var_smtpd_tls_cipherlist, 0, 0,
+++ VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0,
+++ VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0,
+++ VAR_SMTPD_TLS_SCACHE_DB, DEF_SMTPD_TLS_SCACHE_DB, &var_smtpd_tls_scache_db, 0, 0,
+++ VAR_SMTP_TLS_CERT_FILE, DEF_SMTP_TLS_CERT_FILE, &var_smtp_tls_cert_file, 0, 0,
+++ VAR_SMTP_TLS_KEY_FILE, DEF_SMTP_TLS_KEY_FILE, &var_smtp_tls_key_file, 0, 0,
+++ VAR_SMTP_TLS_DCERT_FILE, DEF_SMTP_TLS_DCERT_FILE, &var_smtp_tls_dcert_file, 0, 0,
+++ VAR_SMTP_TLS_DKEY_FILE, DEF_SMTP_TLS_DKEY_FILE, &var_smtp_tls_dkey_file, 0, 0,
+++ VAR_SMTP_TLS_CA_FILE, DEF_SMTP_TLS_CA_FILE, &var_smtp_tls_CAfile, 0, 0,
+++ VAR_SMTP_TLS_CA_PATH, DEF_SMTP_TLS_CA_PATH, &var_smtp_tls_CApath, 0, 0,
+++ VAR_SMTP_TLS_CLIST, DEF_SMTP_TLS_CLIST, &var_smtp_tls_cipherlist, 0, 0,
+++ VAR_SMTP_TLS_SCACHE_DB, DEF_SMTP_TLS_SCACHE_DB, &var_smtp_tls_scache_db, 0, 0,
+++ VAR_TLS_DAEMON_RAND_SOURCE, DEF_TLS_DAEMON_RAND_SOURCE, &var_tls_daemon_rand_source, 0, 0,
+++#endif
++ 0,
++ };
++ static CONFIG_STR_FN_TABLE function_str_defaults_2[] = {
++@@ -500,6 +550,11 @@
++ VAR_TOKEN_LIMIT, DEF_TOKEN_LIMIT, &var_token_limit, 1, 0,
++ VAR_MIME_MAXDEPTH, DEF_MIME_MAXDEPTH, &var_mime_maxdepth, 1, 0,
++ VAR_MIME_BOUND_LEN, DEF_MIME_BOUND_LEN, &var_mime_bound_len, 1, 0,
+++#ifdef USE_SSL
+++ VAR_SMTPD_TLS_LOGLEVEL, DEF_SMTPD_TLS_LOGLEVEL, &var_smtpd_tls_loglevel, 0, 0,
+++ VAR_SMTP_TLS_LOGLEVEL, DEF_SMTP_TLS_LOGLEVEL, &var_smtp_tls_loglevel, 0, 0,
+++ VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 0, 0,
+++#endif
++ 0,
++ };
++ static CONFIG_TIME_TABLE time_defaults[] = {
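Review bot: The new `VAR_TLS_DAEMON_RAND_BYTES` entry is registered with bounds `0, 0`, so main.cf can set tls_daemon_random_bytes to 0 (or a negative number) and the value is accepted, whereas the neighbouring `VAR_TOKEN_LIMIT` entry in this table declares a minimum of 1; since this is the number of bytes smtp(8)/smtpd(8) read from $tls_daemon_random_source to seed their PRNG, 0 means no external entropy is read at all, and what a negative count does is not visible here. I would register it as `VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 1, 0,` unless pfixtls.c is known to validate the value itself. The two `*_TLS_LOGLEVEL` entries likewise accept any integer although the documented range is 0–4, where level 4 logs the full decrypted transmission; a maximum of `4` would refuse out-of-range values instead of passing them through to the TLS code.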
++@@ -512,6 +567,10 @@
++ VAR_FORK_DELAY, DEF_FORK_DELAY, &var_fork_delay, 1, 0,
++ VAR_FLOCK_DELAY, DEF_FLOCK_DELAY, &var_flock_delay, 1, 0,
++ VAR_FLOCK_STALE, DEF_FLOCK_STALE, &var_flock_stale, 1, 0,
+++#ifdef USE_SSL
+++ VAR_SMTPD_TLS_SCACHTIME, DEF_SMTPD_TLS_SCACHTIME, &var_smtpd_tls_scache_timeout, 0, 0,
+++ VAR_SMTP_TLS_SCACHTIME, DEF_SMTP_TLS_SCACHTIME, &var_smtp_tls_scache_timeout, 0, 0,
+++#endif
++ VAR_DAEMON_TIMEOUT, DEF_DAEMON_TIMEOUT, &var_daemon_timeout, 1, 0,
++ VAR_IN_FLOW_DELAY, DEF_IN_FLOW_DELAY, &var_in_flow_delay, 0, 10,
++ 0,
++diff -ruN postfix-2.1.0-vanilla/src/global/mail_params.h postfix-2.1.0/src/global/mail_params.h
++--- postfix-2.1.0-vanilla/src/global/mail_params.h Wed Apr 21 20:56:04 2004
+++++ postfix-2.1.0/src/global/mail_params.h Sat Apr 24 14:35:27 2004
++@@ -519,6 +519,34 @@
++ #define DEF_DUP_FILTER_LIMIT 1000
++ extern int var_dup_filter_limit;
++
+++#define VAR_TLS_RAND_EXCH_NAME "tls_random_exchange_name"
+++#define DEF_TLS_RAND_EXCH_NAME "${config_directory}/prng_exch"
+++extern char *var_tls_rand_exch_name;
+++
+++#define VAR_TLS_RAND_SOURCE "tls_random_source"
+++#define DEF_TLS_RAND_SOURCE ""
+++extern char *var_tls_rand_source;
+++
+++#define VAR_TLS_RAND_BYTES "tls_random_bytes"
+++#define DEF_TLS_RAND_BYTES 32
+++extern int var_tls_rand_bytes;
+++
+++#define VAR_TLS_DAEMON_RAND_SOURCE "tls_daemon_random_source"
+++#define DEF_TLS_DAEMON_RAND_SOURCE ""
+++extern char *var_tls_daemon_rand_source;
+++
+++#define VAR_TLS_DAEMON_RAND_BYTES "tls_daemon_random_bytes"
+++#define DEF_TLS_DAEMON_RAND_BYTES 32
+++extern int var_tls_daemon_rand_bytes;
+++
+++#define VAR_TLS_RESEED_PERIOD "tls_random_reseed_period"
+++#define DEF_TLS_RESEED_PERIOD "3600s"
+++extern int var_tls_reseed_period;
+++
+++#define VAR_TLS_PRNG_UPD_PERIOD "tls_random_prng_update_period"
+++#define DEF_TLS_PRNG_UPD_PERIOD "60s"
+++extern int var_tls_prng_upd_period;
+++
++ /*
++ * Queue manager: relocated databases.
++ */
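Review bot: `DEF_TLS_RAND_EXCH_NAME` defaults to `${config_directory}/prng_exch`, which places a file that tlsmgr(8) rewrites periodically under the configuration directory, while the parameter's own description in this patch says the file should be kept under /var rather than $config_directory and outside the chroot jail. With a stock main.cf this means tlsmgr must be able to write into /etc/postfix (typically root-owned), or the seed file will not be created and smtp(8)/smtpd(8) will start without that seed; whether the code then falls back to another entropy source is not visible in this hunk. I would either move the default to a writable state location outside the chroot or, at minimum, mark the discrepancy next to the macro: `/* XXX contradicts the documented recommendation (keep outside $config_directory and the chroot) */`.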
++@@ -768,6 +796,10 @@
++ #define DEF_SMTP_XFWD_TMOUT "300s"
++ extern int var_smtp_xfwd_tmout;
++
+++#define VAR_SMTP_STARTTLS_TMOUT "smtp_starttls_timeout"
+++#define DEF_SMTP_STARTTLS_TMOUT "300s"
+++extern int var_smtp_starttls_tmout;
+++
++ #define VAR_SMTP_MAIL_TMOUT "smtp_mail_timeout"
++ #define DEF_SMTP_MAIL_TMOUT "300s"
++ extern int var_smtp_mail_tmout;
++@@ -869,6 +901,10 @@
++ #define DEF_SMTPD_TMOUT "300s"
++ extern int var_smtpd_tmout;
++
+++#define VAR_SMTPD_STARTTLS_TMOUT "smtpd_starttls_timeout"
+++#define DEF_SMTPD_STARTTLS_TMOUT "300s"
+++extern int var_smtpd_starttls_tmout;
+++
++ #define VAR_SMTPD_RCPT_LIMIT "smtpd_recipient_limit"
++ #define DEF_SMTPD_RCPT_LIMIT 1000
++ extern int var_smtpd_rcpt_limit;
++@@ -901,6 +937,150 @@
++ #define DEF_SMTPD_NOOP_CMDS ""
++ extern char *var_smtpd_noop_cmds;
++
+++#define VAR_SMTPD_TLS_WRAPPER "smtpd_tls_wrappermode"
+++#define DEF_SMTPD_TLS_WRAPPER 0
+++extern bool var_smtpd_tls_wrappermode;
+++
+++#define VAR_SMTPD_USE_TLS "smtpd_use_tls"
+++#define DEF_SMTPD_USE_TLS 0
+++extern bool var_smtpd_use_tls;
+++
+++#define VAR_SMTPD_ENFORCE_TLS "smtpd_enforce_tls"
+++#define DEF_SMTPD_ENFORCE_TLS 0
+++extern bool var_smtpd_enforce_tls;
+++
+++#define VAR_SMTPD_TLS_AUTH_ONLY "smtpd_tls_auth_only"
+++#define DEF_SMTPD_TLS_AUTH_ONLY 0
+++extern bool var_smtpd_tls_auth_only;
+++
+++#define VAR_SMTPD_TLS_ACERT "smtpd_tls_ask_ccert"
+++#define DEF_SMTPD_TLS_ACERT 0
+++extern bool var_smtpd_tls_ask_ccert;
+++
+++#define VAR_SMTPD_TLS_RCERT "smtpd_tls_req_ccert"
+++#define DEF_SMTPD_TLS_RCERT 0
+++extern bool var_smtpd_tls_req_ccert;
+++
+++#define VAR_SMTPD_TLS_CCERT_VD "smtpd_tls_ccert_verifydepth"
+++#define DEF_SMTPD_TLS_CCERT_VD 5
+++extern int var_smtpd_tls_ccert_vd;
+++
+++#define VAR_SMTPD_TLS_CERT_FILE "smtpd_tls_cert_file"
+++#define DEF_SMTPD_TLS_CERT_FILE ""
+++extern char *var_smtpd_tls_cert_file;
+++
+++#define VAR_SMTPD_TLS_KEY_FILE "smtpd_tls_key_file"
+++#define DEF_SMTPD_TLS_KEY_FILE "$smtpd_tls_cert_file"
+++extern char *var_smtpd_tls_key_file;
+++
+++#define VAR_SMTPD_TLS_DCERT_FILE "smtpd_tls_dcert_file"
+++#define DEF_SMTPD_TLS_DCERT_FILE ""
+++extern char *var_smtpd_tls_dcert_file;
+++
+++#define VAR_SMTPD_TLS_DKEY_FILE "smtpd_tls_dkey_file"
+++#define DEF_SMTPD_TLS_DKEY_FILE "$smtpd_tls_dcert_file"
+++extern char *var_smtpd_tls_dkey_file;
+++
+++#define VAR_SMTPD_TLS_CA_FILE "smtpd_tls_CAfile"
+++#define DEF_SMTPD_TLS_CA_FILE ""
+++extern char *var_smtpd_tls_CAfile;
+++
+++#define VAR_SMTPD_TLS_CA_PATH "smtpd_tls_CApath"
+++#define DEF_SMTPD_TLS_CA_PATH ""
+++extern char *var_smtpd_tls_CApath;
+++
+++#define VAR_SMTPD_TLS_CLIST "smtpd_tls_cipherlist"
+++#define DEF_SMTPD_TLS_CLIST ""
+++extern char *var_smtpd_tls_cipherlist;
+++
+++#define VAR_SMTPD_TLS_512_FILE "smtpd_tls_dh512_param_file"
+++#define DEF_SMTPD_TLS_512_FILE ""
+++extern char *var_smtpd_tls_dh512_param_file;
+++
+++#define VAR_SMTPD_TLS_1024_FILE "smtpd_tls_dh1024_param_file"
+++#define DEF_SMTPD_TLS_1024_FILE ""
+++extern char *var_smtpd_tls_dh1024_param_file;
+++
+++#define VAR_SMTPD_TLS_LOGLEVEL "smtpd_tls_loglevel"
+++#define DEF_SMTPD_TLS_LOGLEVEL 0
+++extern int var_smtpd_tls_loglevel;
+++
+++#define VAR_SMTPD_TLS_RECHEAD "smtpd_tls_received_header"
+++#define DEF_SMTPD_TLS_RECHEAD 0
+++extern bool var_smtpd_tls_received_header;
+++
+++#define VAR_SMTPD_TLS_SCACHE_DB "smtpd_tls_session_cache_database"
+++#define DEF_SMTPD_TLS_SCACHE_DB ""
+++extern char *var_smtpd_tls_scache_db;
+++
+++#define VAR_SMTPD_TLS_SCACHTIME "smtpd_tls_session_cache_timeout"
+++#define DEF_SMTPD_TLS_SCACHTIME "3600s"
+++extern int var_smtpd_tls_scache_timeout;
+++
+++#define VAR_SMTP_TLS_PER_SITE "smtp_tls_per_site"
+++#define DEF_SMTP_TLS_PER_SITE ""
+++extern char *var_smtp_tls_per_site;
+++
+++#define VAR_SMTP_USE_TLS "smtp_use_tls"
+++#define DEF_SMTP_USE_TLS 0
+++extern bool var_smtp_use_tls;
+++
+++#define VAR_SMTP_ENFORCE_TLS "smtp_enforce_tls"
+++#define DEF_SMTP_ENFORCE_TLS 0
+++extern bool var_smtp_enforce_tls;
+++
+++#define VAR_SMTP_TLS_ENFORCE_PN "smtp_tls_enforce_peername"
+++#define DEF_SMTP_TLS_ENFORCE_PN 1
+++extern bool var_smtp_tls_enforce_peername;
+++
+++#define VAR_SMTP_TLS_SCERT_VD "smtp_tls_scert_verifydepth"
+++#define DEF_SMTP_TLS_SCERT_VD 5
+++extern int var_smtp_tls_scert_vd;
+++
+++#define VAR_SMTP_TLS_CERT_FILE "smtp_tls_cert_file"
+++#define DEF_SMTP_TLS_CERT_FILE ""
+++extern char *var_smtp_tls_cert_file;
+++
+++#define VAR_SMTP_TLS_KEY_FILE "smtp_tls_key_file"
+++#define DEF_SMTP_TLS_KEY_FILE "$smtp_tls_cert_file"
+++extern char *var_smtp_tls_key_file;
+++
+++#define VAR_SMTP_TLS_DCERT_FILE "smtp_tls_dcert_file"
+++#define DEF_SMTP_TLS_DCERT_FILE ""
+++extern char *var_smtp_tls_dcert_file;
+++
+++#define VAR_SMTP_TLS_DKEY_FILE "smtp_tls_dkey_file"
+++#define DEF_SMTP_TLS_DKEY_FILE "$smtp_tls_dcert_file"
+++extern char *var_smtp_tls_dkey_file;
+++
+++#define VAR_SMTP_TLS_CA_FILE "smtp_tls_CAfile"
+++#define DEF_SMTP_TLS_CA_FILE ""
+++extern char *var_smtp_tls_CAfile;
+++
+++#define VAR_SMTP_TLS_CA_PATH "smtp_tls_CApath"
+++#define DEF_SMTP_TLS_CA_PATH ""
+++extern char *var_smtp_tls_CApath;
+++
+++#define VAR_SMTP_TLS_CLIST "smtp_tls_cipherlist"
+++#define DEF_SMTP_TLS_CLIST ""
+++extern char *var_smtp_tls_cipherlist;
+++
+++#define VAR_SMTP_TLS_LOGLEVEL "smtp_tls_loglevel"
+++#define DEF_SMTP_TLS_LOGLEVEL 0
+++extern int var_smtp_tls_loglevel;
+++
+++#define VAR_SMTP_TLS_NOTEOFFER "smtp_tls_note_starttls_offer"
+++#define DEF_SMTP_TLS_NOTEOFFER 0
+++extern bool var_smtp_tls_note_starttls_offer;
+++
+++#define VAR_SMTP_TLS_SCACHE_DB "smtp_tls_session_cache_database"
+++#define DEF_SMTP_TLS_SCACHE_DB ""
+++extern char *var_smtp_tls_scache_db;
+++
+++#define VAR_SMTP_TLS_SCACHTIME "smtp_tls_session_cache_timeout"
+++#define DEF_SMTP_TLS_SCACHTIME "3600s"
+++extern int var_smtp_tls_scache_timeout;
+++
++ /*
++ * SASL authentication support, SMTP server side.
++ */
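Review bot: `DEF_SMTPD_TLS_CLIST` and `DEF_SMTP_TLS_CLIST` default to the empty string with no comment on what that selects; presumably the OpenSSL default cipher list is used, which at the time of this patch still includes export-grade suites, but that cannot be seen from the header. A comment on each, `/* empty: OpenSSL default cipher list, not a hardened set; set to restrict suites */`, would stop operators from reading the empty default as "strong only". Likewise `DEF_SMTP_TLS_ENFORCE_PN 1` sits next to `DEF_SMTP_ENFORCE_TLS 0`; if, as the names suggest, peer-name enforcement only applies when TLS itself is enforced, a one-line comment saying so would avoid a false sense of server verification in the default configuration.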
++@@ -916,6 +1096,10 @@
++ #define DEF_SMTPD_SASL_APPNAME "smtpd"
++ extern char *var_smtpd_sasl_appname;
++
+++#define VAR_SMTPD_SASL_TLS_OPTS "smtpd_sasl_tls_security_options"
+++#define DEF_SMTPD_SASL_TLS_OPTS "$smtpd_sasl_security_options"
+++extern char *var_smtpd_sasl_opts;
+++
++ #define VAR_SMTPD_SASL_REALM "smtpd_sasl_local_domain"
++ #define DEF_SMTPD_SASL_REALM ""
++ extern char *var_smtpd_sasl_realm;
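Review bot: The extern for the new `smtpd_sasl_tls_security_options` parameter is declared as `var_smtpd_sasl_opts`, which by this header's naming pattern (compare `var_smtp_sasl_opts` for the non-TLS smtp option in the next hunk) is presumably the variable already used for `smtpd_sasl_security_options`; if so, both parameters would be stored in one location and whichever mail_params.c table entry is processed last silently overrides the other, so the TLS-specific setting (or the non-TLS one) never takes effect. Declare it as `extern char *var_smtpd_sasl_tls_opts;` and use that name in the parameter table and in smtpd. The existing declaration of `var_smtpd_sasl_opts` is outside this hunk, so the clash cannot be confirmed from here.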
++@@ -945,6 +1129,14 @@
++ #define DEF_SMTP_SASL_OPTS "noplaintext, noanonymous"
++ extern char *var_smtp_sasl_opts;
++
+++#define VAR_SMTP_SASL_TLS_OPTS "smtp_sasl_tls_security_options"
+++#define DEF_SMTP_SASL_TLS_OPTS "$var_smtp_sasl_opts"
+++extern char *var_smtp_sasl_tls_opts;
+++
+++#define VAR_SMTP_SASL_TLSV_OPTS "smtp_sasl_tls_verified_security_options"
+++#define DEF_SMTP_SASL_TLSV_OPTS "$var_smtp_sasl_tls_opts"
+++extern char *var_smtp_sasl_tls_verified_opts;
+++
++ /*
++ * LMTP server. The soft error limit determines how many errors an LMTP
++ * client may make before we start to slow down; the hard error limit
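Review bot: The defaults `"$var_smtp_sasl_opts"` and `"$var_smtp_sasl_tls_opts"` reference C variable names, whereas `$name` in a Postfix default resolves main.cf parameter names — the smtpd counterpart in the previous hunk correctly uses `"$smtpd_sasl_security_options"`. An undefined parameter presumably expands to empty, so `smtp_sasl_tls_security_options` would lose the `noplaintext, noanonymous` restrictions it is meant to inherit from `smtp_sasl_security_options`, and an anonymous or plaintext mechanism could be accepted once TLS is active. Change the two lines to `#define DEF_SMTP_SASL_TLS_OPTS "$smtp_sasl_security_options"` and `#define DEF_SMTP_SASL_TLSV_OPTS "$smtp_sasl_tls_security_options"`; the second name is `VAR_SMTP_SASL_TLS_OPTS` in this hunk, the first follows `VAR_SMTP_SASL_OPTS`, whose definition is outside the hunk and should be checked.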
++@@ -1234,6 +1426,10 @@
++ #define DEF_RELAY_RCPT_CODE 550
++ extern int var_relay_rcpt_code;
++
+++#define VAR_RELAY_CCERTS "relay_clientcerts"
+++#define DEF_RELAY_CCERTS ""
+++extern char *var_relay_ccerts;
+++
++ #define VAR_CLIENT_CHECKS "smtpd_client_restrictions"
++ #define DEF_CLIENT_CHECKS ""
++ extern char *var_client_checks;
++@@ -1352,6 +1548,8 @@
++ #define PERMIT_AUTH_DEST "permit_auth_destination"
++ #define REJECT_UNAUTH_DEST "reject_unauth_destination"
++ #define CHECK_RELAY_DOMAINS "check_relay_domains"
+++#define PERMIT_TLS_CLIENTCERTS "permit_tls_clientcerts"
+++#define PERMIT_TLS_ALL_CLIENTCERTS "permit_tls_all_clientcerts"
++ #define VAR_RELAY_CODE "relay_domains_reject_code"
++ #define DEF_RELAY_CODE 554
++ extern int var_relay_code;
++diff -ruN postfix-2.1.0-vanilla/src/global/mail_proto.h postfix-2.1.0/src/global/mail_proto.h
++--- postfix-2.1.0-vanilla/src/global/mail_proto.h Sun Feb 1 19:51:03 2004
+++++ postfix-2.1.0/src/global/mail_proto.h Sat Apr 24 14:35:27 2004
++@@ -42,6 +42,7 @@
++ #define MAIL_SERVICE_LOCAL "local"
++ #define MAIL_SERVICE_PICKUP "pickup"
++ #define MAIL_SERVICE_QUEUE "qmgr"
+++#define MAIL_SERVICE_TLSMGR "tlsmgr"
++ #define MAIL_SERVICE_RESOLVE "resolve"
++ #define MAIL_SERVICE_REWRITE "rewrite"
++ #define MAIL_SERVICE_VIRTUAL "virtual"
++diff -ruN postfix-2.1.0-vanilla/src/global/pfixtls.c postfix-2.1.0/src/global/pfixtls.c
++--- postfix-2.1.0-vanilla/src/global/pfixtls.c Thu Jan 1 01:00:00 1970
+++++ postfix-2.1.0/src/global/pfixtls.c Sat Apr 24 14:35:27 2004
++@@ -0,0 +1,2822 @@
+++/*++
+++/* NAME
+++/* pfixtls
+++/* SUMMARY
+++/* interface to openssl routines
+++/* SYNOPSIS
+++/* #include <pfixtls.h>
+++/*
+++/* const long scache_db_version;
+++/* const long openssl_version;
+++/*
+++/* int pfixtls_serverengine;
+++/*
+++/* int pfixtls_clientengine;
+++/*
+++/* int pfixtls_timed_read(fd, buf, len, timeout, unused_context)
+++/* int fd;
+++/* void *buf;
+++/* unsigned len;
+++/* int timeout;
+++/* void *context;
+++/*
+++/* int pfixtls_timed_write(fd, buf, len, timeout, unused_context);
+++/* int fd;
+++/* void *buf;
+++/* unsigned len;
+++/* int timeout;
+++/* void *context;
+++/*
+++/* int pfixtls_init_serverengine(verifydepth, askcert);
+++/* int verifydepth;
+++/* int askcert;
+++/*
+++/* int pfixtls_start_servertls(stream, timeout, peername, peeraddr,
+++/* tls_info, requirecert);
+++/* VSTREAM *stream;
+++/* int timeout;
+++/* const char *peername;
+++/* const char *peeraddr;
+++/* tls_info_t *tls_info;
+++/* int requirecert;
+++/*
+++/* int pfixtls_stop_servertls(stream, failure, tls_info);
+++/* VSTREAM *stream;
+++/* int failure;
+++/* tls_info_t *tls_info;
+++/*
+++/* int pfixtls_init_clientengine(verifydepth);
+++/* int verifydepth;
+++/*
+++/* int pfixtls_start_clienttls(stream, timeout, peername, peeraddr,
+++/* tls_info);
+++/* VSTREAM *stream;
+++/* int timeout;
+++/* const char *peername;
+++/* const char *peeraddr;
+++/* tls_info_t *tls_info;
+++/*
+++/* int pfixtls_stop_clienttls(stream, failure, tls_info);
+++/* VSTREAM *stream;
+++/* int failure;
+++/* tls_info_t *tls_info;
+++/*
+++/* DESCRIPTION
+++/* This module is the interface between Postfix and the OpenSSL library.
+++/*
+++/* pfixtls_timed_read() reads the requested number of bytes calling
+++/* SSL_read(). pfixtls_time_read() will only be called indirect
+++/* as a VSTREAM_FN function.
+++/* pfixtls_timed_write() is the corresponding write function.
+++/*
+++/* pfixtls_init_serverengine() is called once when smtpd is started
+++/* in order to initialize as much of the TLS stuff as possible.
+++/* The certificate handling is also decided during the setup phase,
+++/* so that a peer specific handling is not possible.
+++/*
+++/* pfixtls_init_clientengine() is the corresponding function called
+++/* in smtp. Here we take the peer's (server's) certificate in any
+++/* case.
+++/*
+++/* pfixtls_start_servertls() activates the TLS feature for the VSTREAM
+++/* passed as argument. We expect that all buffers are flushed and the
+++/* TLS handshake can begin immediately. Information about the peer
+++/* is stored into the tls_info structure passed as argument.
+++/*
+++/* pfixtls_stop_servertls() sends the "close notify" alert via
+++/* SSL_shutdown() to the peer and resets all connection specific
+++/* TLS data. As RFC2487 does not specify a seperate shutdown, it
+++/* is supposed that the underlying TCP connection is shut down
+++/* immediately afterwards, so we don't care about additional data
+++/* coming through the channel.
+++/* If the failure flag is set, the session is cleared from the cache.
+++/*
+++/* pfixtls_start_clienttls() and pfixtls_stop_clienttls() are the
+++/* corresponding functions for smtp.
+++/*
+++/* Once the TLS connection is initiated, information about the TLS
+++/* state is available via the tls_info structure:
+++/* protocol holds the protocol name (SSLv2, SSLv3, TLSv1),
+++/* tls_info->cipher_name the cipher name (e.g. RC4/MD5),
+++/* tls_info->cipher_usebits the number of bits actually used (e.g. 40),
+++/* tls_info->cipher_algbits the number of bits the algorithm is based on
+++/* (e.g. 128).
+++/* The last two values may be different when talking to a crippled
+++/* - ahem - export controled peer (e.g. 40/128).
+++/*
+++/* The status of the peer certificate verification is available in
+++/* pfixtls_peer_verified. It is set to 1, when the certificate could
+++/* be verified.
+++/* If the peer offered a certifcate, part of the certificate data are
+++/* available as:
+++/* tls_info->peer_subject X509v3-oneline with the DN of the peer
+++/* tls_info->peer_CN extracted CommonName of the peer
+++/* tls_info->peer_issuer X509v3-oneline with the DN of the issuer
+++/* tls_info->peer_CN extracted CommonName of the issuer
+++/* tls_info->PEER_FINGERPRINT fingerprint of the certificate
+++/*
+++/* DESCRIPTION (SESSION CACHING)
+++/* In order to achieve high performance when using a lot of connections
+++/* with TLS, session caching is implemented. It reduces both the CPU load
+++/* (less cryptograpic operations) and the network load (the amount of
+++/* certificate data exchanged is reduced).
+++/* Since postfix uses a setup of independent processes for receiving
+++/* and sending email, the processes must exchange the session information.
+++/* Several connections at the same time between the identical peers can
+++/* occur, so uniqueness and race conditions have to be taken into
+++/* account.
+++/* I have checked both Apache-SSL (Ben Laurie), using a seperate "gcache"
+++/* process and Apache mod_ssl (Ralf S. Engelshall), using shared memory
+++/* between several identical processes spawned from one parent.
+++/*
+++/* Postfix/TLS uses a database approach based on the internal "dict"
+++/* interface. Since the session cache information is approximately
+++/* 1300 bytes binary data, it will not fit into the dbm/ndbm model.
+++/* It also needs write access to the database, ruling out most other
+++/* interface, leaving Berkeley DB, which however cannot handle concurrent
+++/* access by several processes. Hence a modified SDBM (public domain DBM)
+++/* with enhanced buffer size is used and concurrent write capability
+++/* is used. SDBM is part of Postfix/TLS.
+++/*
+++/* Realization:
+++/* Both (client and server) session cache are realized by individual
+++/* cache databases. A common database would not make sense, since the
+++/* key criteria are different (session ID for server, peername for
+++/* client).
+++/*
+++/* Server side:
+++/* Session created by OpenSSL have a 32 byte session id, yielding a
+++/* 64 char file name. I consider these sessions to be unique. If they
+++/* are not, the last session will win, overwriting the older one in
+++/* the database. Remember: everything that is lost is a temporary
+++/* information and not more than a renegotiation will happen.
+++/* Originating from the same client host, several sessions can come
+++/* in (e.g. from several users sending mail with Netscape at the same
+++/* time), so the session id is the correct identifier; the hostname
+++/* is of no importance, here.
+++/*
+++/* Client side:
+++/* We cannot recall sessions based on their session id, because we would
+++/* have to check every session on disk for a matching server name, so
+++/* the lookup has to be done based on the FQDN of the peer (receiving
+++/* host).
+++/* With regard to uniqueness, we might experience several open connections
+++/* to the same server at the same time. This is even very likely to
+++/* happen, since we might have several mails for the same destination
+++/* in the queue, when a queue run is started. So several smtp's might
+++/* negotiate sessions at the same time. We can however only save one
+++/* session for one host.
+++/* Like on the server side, the "last write" wins. The reason is
+++/* quite simple. If we don't want to overwrite old sessions, an old
+++/* session file will just stay in place until it is expired. In the
+++/* meantime we would lose "fresh" session however. So we will keep the
+++/* fresh one instead to avoid unnecessary renegotiations.
+++/*
+++/* Session lifetime:
+++/* RFC2246 recommends a session lifetime of less than 24 hours. The
+++/* default is 300 seconds (5 minutes) for OpenSSL and is also used
+++/* this way in e.g. mod_ssl. The typical usage for emails might be
+++/* humans typing in emails and sending them, which might take just
+++/* a while, so I think 3600 seconds (1 hour) is a good compromise.
+++/* If the environment is save (the cached session contains secret
+++/* key data), one might even consider using a longer timeout. Anyway,
+++/* since everlasting sessions must be avoided, the session timeout
+++/* is done based on the creation date of the session and so each
+++/* session will timeout eventually.
+++/*
+++/* Connection failures:
+++/* RFC2246 requires us to remove sessions if something went wrong.
+++/* Since the in-memory session cache of other smtp[d] processes cannot
+++/* be controlled by simple means, we completely rely on the disc
+++/* based session caching and remove all sessions from memory after
+++/* connection closure.
+++/*
+++/* Cache cleanup:
+++/* Since old entries have to be removed from the session cache, a
+++/* cleanup process is needed that runs through the collected session
+++/* files on regular basis. The task is performed by tlsmgr based on
+++/* the timestamp created by pfixtls and included in the saved session,
+++/* so that tlsmgr has not to care about the SSL_SESSION internal data.
+++/*
+++/* BUGS
+++/* The memory allocation policy of the OpenSSL library is not well
+++/* documented, especially when loading sessions from disc. Hence there
+++/* might be memory leaks.
+++/*
+++/* LICENSE
+++/* AUTHOR(S)
+++/* Lutz Jaenicke
+++/* BTU Cottbus
+++/* Allgemeine Elektrotechnik
+++/* Universitaetsplatz 3-4
+++/* D-03044 Cottbus, Germany
+++/*--*/
+++
+++/* System library. */
+++
+++#include <sys_defs.h>
+++#include <sys/types.h>
+++#include <sys/stat.h>
+++#include <sys/time.h> /* gettimeofday, not in POSIX */
+++#include <unistd.h>
+++#include <stdio.h>
+++#include <string.h>
+++#include <errno.h>
+++#include <ctype.h>
+++
+++/* Utility library. */
+++
+++#include <iostuff.h>
+++#include <mymalloc.h>
+++#include <vstring.h>
+++#include <vstream.h>
+++#include <dict.h>
+++#include <myflock.h>
+++#include <stringops.h>
+++#include <msg.h>
+++#include <connect.h>
+++
+++/* Application-specific. */
+++
+++#include "mail_params.h"
+++#include "pfixtls.h"
+++
+++#define STR vstring_str
+++
+++const tls_info_t tls_info_zero = {
+++ 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, 0
+++};
+++
+++#ifdef USE_SSL
+++
+++/* OpenSSL library. */
+++
+++#include <openssl/lhash.h>
+++#include <openssl/bn.h>
+++#include <openssl/err.h>
+++#include <openssl/pem.h>
+++#include <openssl/x509.h>
+++#include <openssl/x509v3.h>
+++#include <openssl/rand.h>
+++#include <openssl/ssl.h>
+++
+++/* We must keep some of the info available */
+++static const char hexcodes[] = "0123456789ABCDEF";
+++
+++/*
+++ * When saving sessions, we want to make sure, that the lenght of the key
+++ * is somehow limited. When saving client sessions, the hostname is used
+++ * as key. According to HP-UX 10.20, MAXHOSTNAMELEN=64. Maybe new standards
+++ * will increase this value, but as this will break compatiblity with existing
+++ * implementations, we won't see this for long. We therefore choose a limit
+++ * of 64 bytes.
+++ * The length of the (TLS) session id can be up to 32 bytes according to
+++ * RFC2246, so it fits well into the 64bytes limit.
+++ */
+++#define ID_MAXLENGTH 64 /* Max ID length in bytes */
+++
+++/*
+++ * The session_id_context is set, such that the client knows which services
+++ * on a host share the same session information (on the postfix host may
+++ * as well run a TLS-enabled webserver.
+++ */
+++static char server_session_id_context[] = "Postfix/TLS"; /* anything will do */
+++static int TLScontext_index = -1;
+++static int TLSpeername_index = -1;
+++static int do_dump = 0;
+++static DH *dh_512 = NULL, *dh_1024 = NULL;
+++static SSL_CTX *ctx = NULL;
+++
+++static int rand_exch_fd = -1;
+++
+++static DICT *scache_db = NULL;
+++const long scache_db_version = 0x00000003L;
+++const long openssl_version = OPENSSL_VERSION_NUMBER;
+++
+++
+++int pfixtls_serverengine = 0;
+++static int pfixtls_serveractive = 0; /* available or not */
+++
+++int pfixtls_clientengine = 0;
+++static int pfixtls_clientactive = 0; /* available or not */
+++
+++/*
+++ * Define a maxlength for certificate onelines. The length is checked by
+++ * all routines when copying.
+++ */
+++#define CCERT_BUFSIZ 256
+++
+++typedef struct {
+++ SSL *con;
+++ BIO *internal_bio; /* postfix/TLS side of pair */
+++ BIO *network_bio; /* netsork side of pair */
+++ char peer_subject[CCERT_BUFSIZ];
+++ char peer_issuer[CCERT_BUFSIZ];
+++ char peer_CN[CCERT_BUFSIZ];
+++ char issuer_CN[CCERT_BUFSIZ];
+++ unsigned char md[EVP_MAX_MD_SIZE];
+++ char fingerprint[EVP_MAX_MD_SIZE * 3];
+++ char peername_save[129];
+++ int enforce_verify_errors;
+++ int enforce_CN;
+++ int hostname_matched;
+++} TLScontext_t;
+++
+++typedef struct {
+++ int pid;
+++ struct timeval tv;
+++} randseed_t;
+++
+++static randseed_t randseed;
+++
+++/*
+++ * Finally some "backup" DH-Parameters to be loaded, if no parameters are
+++ * explicitely loaded from file.
+++ */
+++static unsigned char dh512_p[] = {
+++ 0x88, 0x3F, 0x00, 0xAF, 0xFC, 0x0C, 0x8A, 0xB8, 0x35, 0xCD, 0xE5, 0xC2,
+++ 0x0F, 0x55, 0xDF, 0x06, 0x3F, 0x16, 0x07, 0xBF, 0xCE, 0x13, 0x35, 0xE4,
+++ 0x1C, 0x1E, 0x03, 0xF3, 0xAB, 0x17, 0xF6, 0x63, 0x50, 0x63, 0x67, 0x3E,
+++ 0x10, 0xD7, 0x3E, 0xB4, 0xEB, 0x46, 0x8C, 0x40, 0x50, 0xE6, 0x91, 0xA5,
+++ 0x6E, 0x01, 0x45, 0xDE, 0xC9, 0xB1, 0x1F, 0x64, 0x54, 0xFA, 0xD9, 0xAB,
+++ 0x4F, 0x70, 0xBA, 0x5B,
+++};
+++
+++static unsigned char dh512_g[] = {
+++ 0x02,
+++};
+++
+++static unsigned char dh1024_p[] = {
+++ 0xB0, 0xFE, 0xB4, 0xCF, 0xD4, 0x55, 0x07, 0xE7, 0xCC, 0x88, 0x59, 0x0D,
+++ 0x17, 0x26, 0xC5, 0x0C, 0xA5, 0x4A, 0x92, 0x23, 0x81, 0x78, 0xDA, 0x88,
+++ 0xAA, 0x4C, 0x13, 0x06, 0xBF, 0x5D, 0x2F, 0x9E, 0xBC, 0x96, 0xB8, 0x51,
+++ 0x00, 0x9D, 0x0C, 0x0D, 0x75, 0xAD, 0xFD, 0x3B, 0xB1, 0x7E, 0x71, 0x4F,
+++ 0x3F, 0x91, 0x54, 0x14, 0x44, 0xB8, 0x30, 0x25, 0x1C, 0xEB, 0xDF, 0x72,
+++ 0x9C, 0x4C, 0xF1, 0x89, 0x0D, 0x68, 0x3F, 0x94, 0x8E, 0xA4, 0xFB, 0x76,
+++ 0x89, 0x18, 0xB2, 0x91, 0x16, 0x90, 0x01, 0x99, 0x66, 0x8C, 0x53, 0x81,
+++ 0x4E, 0x27, 0x3D, 0x99, 0xE7, 0x5A, 0x7A, 0xAF, 0xD5, 0xEC, 0xE2, 0x7E,
+++ 0xFA, 0xED, 0x01, 0x18, 0xC2, 0x78, 0x25, 0x59, 0x06, 0x5C, 0x39, 0xF6,
+++ 0xCD, 0x49, 0x54, 0xAF, 0xC1, 0xB1, 0xEA, 0x4A, 0xF9, 0x53, 0xD0, 0xDF,
+++ 0x6D, 0xAF, 0xD4, 0x93, 0xE7, 0xBA, 0xAE, 0x9B,
+++};
+++
+++static unsigned char dh1024_g[] = {
+++ 0x02,
+++};
+++
+++/*
+++ * DESCRIPTION: Keeping control of the network interface using BIO-pairs.
+++ *
+++ * When the TLS layer is active, all input/output must be filtered through
+++ * it. On the other hand to handle timeout conditions, full control over
+++ * the network socket must be kept. This rules out the "normal way" of
+++ * connecting the TLS layer directly to the socket.
+++ * The TLS layer is realized with a BIO-pair:
+++ *
+++ * postfix | TLS-engine
+++ * | |
+++ * +--------> SSL_operations()
+++ * | /\ ||
+++ * | || \/
+++ * | BIO-pair (internal_bio)
+++ * +--------< BIO-pair (network_bio)
+++ * | |
+++ * socket |
+++ *
+++ * The normal postfix operations connect to the SSL operations to send
+++ * and retrieve (cleartext) data. Inside the TLS-engine the data are converted
+++ * to/from TLS protocol. The TLS functionality itself is only connected to
+++ * the internal_bio and hence only has status information about this internal
+++ * interface.
+++ * Thus, if the SSL_operations() return successfully (SSL_ERROR_NONE) or want
+++ * to read (SSL_ERROR_WANT_READ) there may as well be data inside the buffering
+++ * BIO-pair. So whenever an SSL_operation() returns without a fatal error,
+++ * the BIO-pair internal buffer must be flushed to the network.
+++ * NOTE: This is especially true in the SSL_ERROR_WANT_READ case: the TLS-layer
+++ * might want to read handshake data, that will never come since its own
+++ * written data will only reach the peer after flushing the buffer!
+++ *
+++ * The BIO-pair buffer size has been set to 8192 bytes, this is an arbitrary
+++ * value that can hold more data than the typical PMTU, so that it does
+++ * not force the generation of packets smaller than necessary.
+++ * It is also larger than the default VSTREAM_BUFSIZE (4096, see vstream.h),
+++ * so that large write operations could be handled within one call.
+++ * The internal buffer in the network/network_bio handling layer has been
+++ * set to the same value, since this seems to be reasonable. The code is
+++ * however able to handle arbitrary values smaller or larger than the
+++ * buffer size in the BIO-pair.
+++ */
+++
+++const size_t BIO_bufsiz = 8192;
+++
+++/*
+++ * The interface layer between network and BIO-pair. The BIO-pair buffers
+++ * the data to/from the TLS layer. Hence, at any time, there may be data
+++ * in the buffer that must be written to the network. This writing has
+++ * highest priority because the handshake might fail otherwise.
+++ * Only then a read_request can be satisfied.
+++ */
+++static int network_biopair_interop(int fd, int timeout, BIO *network_bio)
+++{
+++ int want_write;
+++ int num_write;
+++ int write_pos;
+++ int from_bio;
+++ int want_read;
+++ int num_read;
+++ int to_bio;
+++#define NETLAYER_BUFFERSIZE 8192
+++ char buffer[8192];
+++
+++ while ((want_write = BIO_ctrl_pending(network_bio)) > 0) {
+++ if (want_write > NETLAYER_BUFFERSIZE)
+++ want_write = NETLAYER_BUFFERSIZE;
+++ from_bio = BIO_read(network_bio, buffer, want_write);
+++
+++ /*
+++ * Write the complete contents of the buffer. Since TLS performs
+++ * underlying handshaking, we cannot afford to leave the buffer
+++ * unflushed, as we could run into a deadlock trap (the peer
+++ * waiting for a final byte and we already waiting for his reply
+++ * in read position).
+++ */
+++ write_pos = 0;
+++ do {
+++ if (timeout > 0 && write_wait(fd, timeout) < 0)
+++ return (-1);
+++ num_write = write(fd, buffer + write_pos, from_bio - write_pos);
+++ if (num_write <= 0) {
+++ if ((num_write < 0) && (timeout > 0) && (errno == EAGAIN)) {
+++ msg_warn("write() returns EAGAIN on a writable file descriptor!");
+++ msg_warn("pausing to avoid going into a tight select/write loop!");
+++ sleep(1);
+++ } else {
+++ msg_warn("Write failed in network_biopair_interop with errno=%d: num_write=%d, provided=%d", errno, num_write, from_bio - write_pos);
+++ return (-1); /* something happened to the socket */
+++ }
+++ } else
+++ write_pos += num_write;
+++ } while (write_pos < from_bio);
+++ }
+++
+++ while ((want_read = BIO_ctrl_get_read_request(network_bio)) > 0) {
+++ if (want_read > NETLAYER_BUFFERSIZE)
+++ want_read = NETLAYER_BUFFERSIZE;
+++ if (timeout > 0 && read_wait(fd, timeout) < 0)
+++ return (-1);
+++ num_read = read(fd, buffer, want_read);
+++ if (num_read <= 0) {
+++ if ((num_write < 0) && (timeout > 0) && (errno == EAGAIN)) {
+++ msg_warn("read() returns EAGAIN on a readable file descriptor!");
+++ msg_warn("pausing to avoid going into a tight select/write loop!");
+++ sleep(1);
+++ } else {
+++ msg_warn("Read failed in network_biopair_interop with errno=%d: num_read=%d, want_read=%d", errno, num_read, want_read);
+++ return (-1); /* something happened to the socket */
+++ }
+++ } else {
+++ to_bio = BIO_write(network_bio, buffer, num_read);
+++ if (to_bio != num_read)
+++ msg_fatal("to_bio != num_read");
+++ }
+++ }
+++
+++ return (0);
+++}
+++
+++static void pfixtls_print_errors(void);
+++
+++ /*
+++ * Function to perform the handshake for SSL_accept(), SSL_connect(),
+++ * and SSL_shutdown() and perform the SSL_read(), SSL_write() operations.
+++ * Call the underlying network_biopair_interop-layer to make sure the
+++ * write buffer is flushed after every operation (that did not fail with
+++ * a fatal error).
+++ */
+++static int do_tls_operation(int fd, int timeout, TLScontext_t *TLScontext,
+++ int (*hsfunc)(SSL *),
+++ int (*rfunc)(SSL *, void *, int),
+++ int (*wfunc)(SSL *, const void *, int),
+++ char *buf, int num)
+++{
+++ int status;
+++ int err;
+++ int retval = 0;
+++ int biop_retval;
+++ int done = 0;
+++
+++ while (!done) {
+++ if (hsfunc)
+++ status = hsfunc(TLScontext->con);
+++ else if (rfunc)
+++ status = rfunc(TLScontext->con, buf, num);
+++ else
+++ status = wfunc(TLScontext->con, (const char *)buf, num);
+++ err = SSL_get_error(TLScontext->con, status);
+++
+++#if (OPENSSL_VERSION_NUMBER <= 0x0090581fL)
+++ /*
+++ * There is a bug up to and including OpenSSL-0.9.5a: if an error
+++ * occurs while checking the peers certificate due to some certificate
+++ * error (e.g. as happend with a RSA-padding error), the error is put
+++ * onto the error stack. If verification is not enforced, this error
+++ * should be ignored, but the error-queue is not cleared, so we
+++ * can find this error here. The bug has been fixed on May 28, 2000.
+++ *
+++ * This bug so far has only manifested as
+++ * 4800:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
+++ * 4800:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:396:
+++ * 4800:error:0D079006:asn1 encoding routines:ASN1_verify:bad get asn1 object call:a_verify.c:109:
+++ * so that we specifically test for this error. We print the errors
+++ * to the logfile and automatically clear the error queue. Then we
+++ * retry to get another error code. We cannot do better, since we
+++ * can only retrieve the last entry of the error-queue without
+++ * actually cleaning it on the way.
+++ *
+++ * This workaround is secure, as verify_result is set to "failed"
+++ * anyway.
+++ */
+++ if (err == SSL_ERROR_SSL) {
+++ if (ERR_peek_error() == 0x0407006AL) {
+++ pfixtls_print_errors(); /* Keep information for the logfile */
+++ msg_info("OpenSSL <= 0.9.5a workaround called: certificate errors ignored");
+++ err = SSL_get_error(TLScontext->con, status);
+++ }
+++ }
+++#endif
+++
+++ switch (err) {
+++ case SSL_ERROR_NONE: /* success */
+++ retval = status;
+++ done = 1; /* no break, flush buffer before */
+++ /* leaving */
+++ case SSL_ERROR_WANT_WRITE:
+++ case SSL_ERROR_WANT_READ:
+++ biop_retval = network_biopair_interop(fd, timeout,
+++ TLScontext->network_bio);
+++ if (biop_retval < 0)
+++ return (-1); /* fatal network error */
+++ break;
+++ case SSL_ERROR_ZERO_RETURN: /* connection was closed cleanly */
+++ case SSL_ERROR_SYSCALL:
+++ case SSL_ERROR_SSL:
+++ default:
+++ retval = status;
+++ done = 1;
+++ ;
+++ }
+++ };
+++ return retval;
+++}
+++
+++int pfixtls_timed_read(int fd, void *buf, unsigned buf_len, int timeout,
+++ void *context)
+++{
+++ int i;
+++ int ret;
+++ char mybuf[40];
+++ char *mybuf2;
+++ TLScontext_t *TLScontext;
+++
+++ TLScontext = (TLScontext_t *)context;
+++ if (!TLScontext)
+++ msg_fatal("Called tls_timed_read() without TLS-context");
+++
+++ ret = do_tls_operation(fd, timeout, TLScontext, NULL, SSL_read, NULL,
+++ (char *)buf, buf_len);
+++ if ((pfixtls_serveractive && var_smtpd_tls_loglevel >= 4) ||
+++ (pfixtls_clientactive && var_smtp_tls_loglevel >= 4)) {
+++ mybuf2 = (char *) buf;
+++ if (ret > 0) {
+++ i = 0;
+++ while ((i < 39) && (i < ret) && (mybuf2[i] != 0)) {
+++ mybuf[i] = mybuf2[i];
+++ i++;
+++ }
+++ mybuf[i] = '\0';
+++ msg_info("Read %d chars: %s", ret, mybuf);
+++ }
+++ }
+++ return (ret);
+++}
+++
+++int pfixtls_timed_write(int fd, void *buf, unsigned len, int timeout,
+++ void *context)
+++{
+++ int i;
+++ char mybuf[40];
+++ char *mybuf2;
+++ TLScontext_t *TLScontext;
+++
+++ TLScontext = (TLScontext_t *)context;
+++ if (!TLScontext)
+++ msg_fatal("Called tls_timed_write() without TLS-context");
+++
+++ if ((pfixtls_serveractive && var_smtpd_tls_loglevel >= 4) ||
+++ (pfixtls_clientactive && var_smtp_tls_loglevel >= 4)) {
+++ mybuf2 = (char *) buf;
+++ if (len > 0) {
+++ i = 0;
+++ while ((i < 39) && (i < len) && (mybuf2[i] != 0)) {
+++ mybuf[i] = mybuf2[i];
+++ i++;
+++ }
+++ mybuf[i] = '\0';
+++ msg_info("Write %d chars: %s", len, mybuf);
+++ }
+++ }
+++ return (do_tls_operation(fd, timeout, TLScontext, NULL, NULL, SSL_write,
+++ buf, len));
+++}
+++
+++/* Add some more entropy to the pool by adding the actual time */
+++
+++static void pfixtls_stir_seed(void)
+++{
+++ GETTIMEOFDAY(&randseed.tv);
+++ RAND_seed(&randseed, sizeof(randseed_t));
+++}
+++
+++/*
+++ * Skeleton taken from OpenSSL crypto/err/err_prn.c.
+++ * Query the error stack and print the error string into the logging facility.
+++ * Clear the error stack on the way.
+++ */
+++
+++static void pfixtls_print_errors(void)
+++{
+++ unsigned long l;
+++ char buf[256];
+++ const char *file;
+++ const char *data;
+++ int line;
+++ int flags;
+++ unsigned long es;
+++
+++ es = CRYPTO_thread_id();
+++ while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
+++ if (flags & ERR_TXT_STRING)
+++ msg_info("%lu:%s:%s:%d:%s:", es, ERR_error_string(l, buf),
+++ file, line, data);
+++ else
+++ msg_info("%lu:%s:%s:%d:", es, ERR_error_string(l, buf),
+++ file, line);
+++ }
+++}
+++
+++ /*
+++ * Set up the cert things on the server side. We do need both the
+++ * private key (in key_file) and the cert (in cert_file).
+++ * Both files may be identical.
+++ *
+++ * This function is taken from OpenSSL apps/s_cb.c
+++ */
+++
+++static int set_cert_stuff(SSL_CTX * ctx, char *cert_file, char *key_file)
+++{
+++ if (cert_file != NULL) {
+++ if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
+++ msg_info("unable to get certificate from '%s'", cert_file);
+++ pfixtls_print_errors();
+++ return (0);
+++ }
+++ if (key_file == NULL)
+++ key_file = cert_file;
+++ if (SSL_CTX_use_PrivateKey_file(ctx, key_file,
+++ SSL_FILETYPE_PEM) <= 0) {
+++ msg_info("unable to get private key from '%s'", key_file);
+++ pfixtls_print_errors();
+++ return (0);
+++ }
+++ /* Now we know that a key and cert have been set against
+++ * the SSL context */
+++ if (!SSL_CTX_check_private_key(ctx)) {
+++ msg_info("Private key does not match the certificate public key");
+++ return (0);
+++ }
+++ }
+++ return (1);
+++}
+++
+++/* taken from OpenSSL apps/s_cb.c */
+++
+++static RSA *tmp_rsa_cb(SSL * s, int export, int keylength)
+++{
+++ static RSA *rsa_tmp = NULL;
+++
+++ if (rsa_tmp == NULL) {
+++ rsa_tmp = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
+++ }
+++ return (rsa_tmp);
+++}
+++
+++
+++static DH *get_dh512(void)
+++{
+++ DH *dh;
+++
+++ if (dh_512 == NULL) {
+++ /* No parameter file loaded, use the compiled in parameters */
+++ if ((dh = DH_new()) == NULL) return(NULL);
+++ dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
+++ dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
+++ if ((dh->p == NULL) || (dh->g == NULL))
+++ return(NULL);
+++ else
+++ dh_512 = dh;
+++ }
+++ return (dh_512);
+++}
+++
+++static DH *get_dh1024(void)
+++{
+++ DH *dh;
+++
+++ if (dh_1024 == NULL) {
+++ /* No parameter file loaded, use the compiled in parameters */
+++ if ((dh = DH_new()) == NULL) return(NULL);
+++ dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+++ dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+++ if ((dh->p == NULL) || (dh->g == NULL))
+++ return(NULL);
+++ else
+++ dh_1024 = dh;
+++ }
+++ return (dh_1024);
+++}
+++
+++/* partly inspired by mod_ssl */
+++
+++static DH *tmp_dh_cb(SSL *s, int export, int keylength)
+++{
+++ DH *dh_tmp = NULL;
+++
+++ if (export) {
+++ if (keylength == 512)
+++ dh_tmp = get_dh512(); /* export cipher */
+++ else if (keylength == 1024)
+++ dh_tmp = get_dh1024(); /* normal */
+++ else
+++ dh_tmp = get_dh1024(); /* not on-the-fly (too expensive) */
+++ /* so use the 1024bit instead */
+++ }
+++ else {
+++ dh_tmp = get_dh1024(); /* sign-only certificate */
+++ }
+++ return (dh_tmp);
+++}
+++
+++
+++/*
+++ * match_hostname: match name provided in "buf" against the expected
+++ * hostname. Comparison is case-insensitive, wildcard certificates are
+++ * supported.
+++ * "buf" may be come from some OpenSSL data structures, so we copy before
+++ * modifying.
+++ */
+++static int match_hostname(const char *buf, TLScontext_t *TLScontext)
+++{
+++ char *hostname_lowercase;
+++ char *peername_left;
+++ int hostname_matched = 0;
+++ int buf_len;
+++
+++ buf_len = strlen(buf);
+++ if (!(hostname_lowercase = (char *)mymalloc(buf_len + 1)))
+++ return 0;
+++ memcpy(hostname_lowercase, buf, buf_len + 1);
+++
+++ hostname_lowercase = lowercase(hostname_lowercase);
+++ if (!strcmp(TLScontext->peername_save, hostname_lowercase)) {
+++ hostname_matched = 1;
+++ } else {
+++ if ((buf_len > 2) &&
+++ (hostname_lowercase[0] == '*') && (hostname_lowercase[1] == '.')) {
+++ /*
+++ * Allow wildcard certificate matching. The proposed rules in
+++ * RFCs (2818: HTTP/TLS, 2830: LDAP/TLS) are different, RFC2874
+++ * does not specify a rule, so here the strict rule is applied.
+++ * An asterisk '*' is allowed as the leftmost component and may
+++ * replace the left most part of the hostname. Matching is done
+++ * by removing '*.' from the wildcard name and the Name. from
+++ * the peername and compare what is left.
+++ */
+++ peername_left = strchr(TLScontext->peername_save, '.');
+++ if (peername_left) {
+++ if (!strcmp(peername_left + 1, hostname_lowercase + 2))
+++ hostname_matched = 1;
+++ }
+++ }
+++ }
+++ myfree(hostname_lowercase);
+++ return hostname_matched;
+++}
+++
+++/*
+++ * Skeleton taken from OpenSSL apps/s_cb.c
+++ *
+++ * The verify_callback is called several times (directly or indirectly) from
+++ * crypto/x509/x509_vfy.c. It is called as a last check for several issues,
+++ * so this verify_callback() has the famous "last word". If it does return "0",
+++ * the handshake is immediately shut down and the connection fails.
+++ *
+++ * Postfix/TLS has two modes, the "use" mode and the "enforce" mode:
+++ *
+++ * In the "use" mode we never want the connection to fail just because there is
+++ * something wrong with the certificate (as we would have sent happily without
+++ * TLS). Therefore the return value is always "1".
+++ *
+++ * In the "enforce" mode we can shut down the connection as soon as possible.
+++ * In server mode TLS itself may be enforced (e.g. to protect passwords),
+++ * but certificates are optional. In this case the handshake must not fail
+++ * if we are unhappy with the certificate and return "1" in any case.
+++ * Only if a certificate is required the certificate must pass the verification
+++ * and failure to do so will result in immediate termination (return 0).
+++ * In the client mode the decision is made with respect to the peername
+++ * enforcement. If we strictly enforce the matching of the expected peername
+++ * the verification must fail immediatly on verification errors. We can also
+++ * immediatly check the expected peername, as it is the CommonName at level 0.
+++ * In all other cases, the problem is logged, so the SSL_get_verify_result()
+++ * will inform about the verification failure, but the handshake (and SMTP
+++ * connection will continue).
+++ *
+++ * The only error condition not handled inside the OpenSSL-Library is the
+++ * case of a too-long certificate chain, so we check inside verify_callback().
+++ * We only take care of this problem, if "ok = 1", because otherwise the
+++ * verification already failed because of another problem and we don't want
+++ * to overwrite the other error message. And if the verification failed,
+++ * there is no such thing as "more failed", "most failed"... :-)
+++ */
+++
+++static int verify_callback(int ok, X509_STORE_CTX * ctx)
+++{
+++ char buf[256];
+++ char *peername_left;
+++ X509 *err_cert;
+++ int err;
+++ int depth;
+++ int verify_depth;
+++ SSL *con;
+++ TLScontext_t *TLScontext;
+++
+++ err_cert = X509_STORE_CTX_get_current_cert(ctx);
+++ err = X509_STORE_CTX_get_error(ctx);
+++ depth = X509_STORE_CTX_get_error_depth(ctx);
+++
+++ con = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+++ TLScontext = SSL_get_ex_data(con, TLScontext_index);
+++
+++ X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
+++ if (((pfixtls_serverengine) && (var_smtpd_tls_loglevel >= 2)) ||
+++ ((pfixtls_clientengine) && (var_smtp_tls_loglevel >= 2)))
+++ msg_info("Peer cert verify depth=%d %s", depth, buf);
+++
+++ verify_depth = SSL_get_verify_depth(con);
+++ if (ok && (verify_depth >= 0) && (depth > verify_depth)) {
+++ ok = 0;
+++ err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
+++ X509_STORE_CTX_set_error(ctx, err);
+++ }
+++ if (!ok) {
+++ msg_info("verify error:num=%d:%s", err,
+++ X509_verify_cert_error_string(err));
+++ }
+++
+++ if (ok && (depth == 0) && pfixtls_clientengine) {
+++ int i, r;
+++ int hostname_matched;
+++ int dNSName_found;
+++ STACK_OF(GENERAL_NAME) *gens;
+++
+++ /*
+++ * Check out the name certified against the hostname expected.
+++ * In case it does not match, print an information about the result.
+++ * If a matching is enforced, bump out with a verification error
+++ * immediately.
+++ * Standards are not always clear with respect to the handling of
+++ * dNSNames. RFC3207 does not specify the handling. We therefore follow
+++ * the strict rules in RFC2818 (HTTP over TLS), Section 3.1:
+++ * The Subject Alternative Name/dNSName has precedence over CommonName
+++ * (CN). If dNSName entries are provided, CN is not checked anymore.
+++ */
+++ hostname_matched = dNSName_found = 0;
+++
+++ gens = X509_get_ext_d2i(err_cert, NID_subject_alt_name, 0, 0);
+++ if (gens) {
+++ for (i = 0, r = sk_GENERAL_NAME_num(gens); i < r; ++i) {
+++ const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
+++ if (gn->type == GEN_DNS) {
+++ dNSName_found++;
+++ if ((hostname_matched =
+++ match_hostname((char *)gn->d.ia5->data, TLScontext)))
+++ break;
+++ }
+++ }
+++ sk_GENERAL_NAME_free(gens);
+++ }
+++ if (dNSName_found) {
+++ if (!hostname_matched)
+++ msg_info("Peer verification: %d dNSNames in certificate found, but no one does match %s", dNSName_found, TLScontext->peername_save);
+++ } else {
+++ buf[0] = '\0';
+++ if (!X509_NAME_get_text_by_NID(X509_get_subject_name(err_cert),
+++ NID_commonName, buf, 256)) {
+++ msg_info("Could not parse server's subject CN");
+++ pfixtls_print_errors();
+++ }
+++ else {
+++ hostname_matched = match_hostname(buf, TLScontext);
+++ if (!hostname_matched)
+++ msg_info("Peer verification: CommonName in certificate does not match: %s != %s", buf, TLScontext->peername_save);
+++ }
+++ }
+++
+++ if (!hostname_matched) {
+++ if (TLScontext->enforce_verify_errors && TLScontext->enforce_CN) {
+++ err = X509_V_ERR_CERT_REJECTED;
+++ X509_STORE_CTX_set_error(ctx, err);
+++ msg_info("Verify failure: Hostname mismatch");
+++ ok = 0;
+++ }
+++ }
+++ else
+++ TLScontext->hostname_matched = 1;
+++ }
+++
+++ switch (ctx->error) {
+++ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+++ X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
+++ msg_info("issuer= %s", buf);
+++ break;
+++ case X509_V_ERR_CERT_NOT_YET_VALID:
+++ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+++ msg_info("cert not yet valid");
+++ break;
+++ case X509_V_ERR_CERT_HAS_EXPIRED:
+++ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+++ msg_info("cert has expired");
+++ break;
+++ }
+++ if (((pfixtls_serverengine) && (var_smtpd_tls_loglevel >= 2)) ||
+++ ((pfixtls_clientengine) && (var_smtp_tls_loglevel >= 2)))
+++ msg_info("verify return:%d", ok);
+++
+++ if (TLScontext->enforce_verify_errors)
+++ return (ok);
+++ else
+++ return (1);
+++}
+++
+++/* taken from OpenSSL apps/s_cb.c */
+++
+++static void apps_ssl_info_callback(SSL * s, int where, int ret)
+++{
+++ char *str;
+++ int w;
+++
+++ w = where & ~SSL_ST_MASK;
+++
+++ if (w & SSL_ST_CONNECT)
+++ str = "SSL_connect";
+++ else if (w & SSL_ST_ACCEPT)
+++ str = "SSL_accept";
+++ else
+++ str = "undefined";
+++
+++ if (where & SSL_CB_LOOP) {
+++ msg_info("%s:%s", str, SSL_state_string_long(s));
+++ } else if (where & SSL_CB_ALERT) {
+++ str = (where & SSL_CB_READ) ? "read" : "write";
+++ if ((ret & 0xff) != SSL3_AD_CLOSE_NOTIFY)
+++ msg_info("SSL3 alert %s:%s:%s", str,
+++ SSL_alert_type_string_long(ret),
+++ SSL_alert_desc_string_long(ret));
+++ } else if (where & SSL_CB_EXIT) {
+++ if (ret == 0)
+++ msg_info("%s:failed in %s",
+++ str, SSL_state_string_long(s));
+++ else if (ret < 0) {
+++ msg_info("%s:error in %s",
+++ str, SSL_state_string_long(s));
+++ }
+++ }
+++}
+++
+++/*
+++ * taken from OpenSSL crypto/bio/b_dump.c, modified to save a lot of strcpy
+++ * and strcat by Matti Aarnio.
+++ */
+++
+++#define TRUNCATE
+++#define DUMP_WIDTH 16
+++
+++static int pfixtls_dump(const char *s, int len)
+++{
+++ int ret = 0;
+++ char buf[160 + 1];
+++ char *ss;
+++ int i;
+++ int j;
+++ int rows;
+++ int trunc;
+++ unsigned char ch;
+++
+++ trunc = 0;
+++
+++#ifdef TRUNCATE
+++ for (; (len > 0) && ((s[len - 1] == ' ') || (s[len - 1] == '\0')); len--)
+++ trunc++;
+++#endif
+++
+++ rows = (len / DUMP_WIDTH);
+++ if ((rows * DUMP_WIDTH) < len)
+++ rows++;
+++
+++ for (i = 0; i < rows; i++) {
+++ buf[0] = '\0'; /* start with empty string */
+++ ss = buf;
+++
+++ sprintf(ss, "%04x ", i * DUMP_WIDTH);
+++ ss += strlen(ss);
+++ for (j = 0; j < DUMP_WIDTH; j++) {
+++ if (((i * DUMP_WIDTH) + j) >= len) {
+++ strcpy(ss, " ");
+++ } else {
+++ ch = ((unsigned char) *((char *) (s) + i * DUMP_WIDTH + j))
+++ & 0xff;
+++ sprintf(ss, "%02x%c", ch, j == 7 ? '|' : ' ');
+++ ss += 3;
+++ }
+++ }
+++ ss += strlen(ss);
+++ *ss++ = ' ';
+++ for (j = 0; j < DUMP_WIDTH; j++) {
+++ if (((i * DUMP_WIDTH) + j) >= len)
+++ break;
+++ ch = ((unsigned char) *((char *) (s) + i * DUMP_WIDTH + j)) & 0xff;
+++ *ss++ = (((ch >= ' ') && (ch <= '~')) ? ch : '.');
+++ if (j == 7) *ss++ = ' ';
+++ }
+++ *ss = 0;
+++ /*
+++ * if this is the last call then update the ddt_dump thing so that
+++ * we will move the selection point in the debug window
+++ */
+++ msg_info("%s", buf);
+++ ret += strlen(buf);
+++ }
+++#ifdef TRUNCATE
+++ if (trunc > 0) {
+++ sprintf(buf, "%04x - <SPACES/NULS>\n", len + trunc);
+++ msg_info("%s", buf);
+++ ret += strlen(buf);
+++ }
+++#endif
+++ return (ret);
+++}
+++
+++
+++
+++/* taken from OpenSSL apps/s_cb.c */
+++
+++static long bio_dump_cb(BIO * bio, int cmd, const char *argp, int argi,
+++ long argl, long ret)
+++{
+++ if (!do_dump)
+++ return (ret);
+++
+++ if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
+++ msg_info("read from %08X [%08lX] (%d bytes => %ld (0x%X))",
+++ (unsigned int)bio, (unsigned long)argp, argi,
+++ ret, (unsigned int)ret);
+++ pfixtls_dump(argp, (int) ret);
+++ return (ret);
+++ } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
+++ msg_info("write to %08X [%08lX] (%d bytes => %ld (0x%X))",
+++ (unsigned int)bio, (unsigned long)argp, argi,
+++ ret, (unsigned int)ret);
+++ pfixtls_dump(argp, (int) ret);
+++ }
+++ return (ret);
+++}
+++
+++
+++ /*
+++ * Callback to retrieve a session from the external session cache.
+++ */
+++static SSL_SESSION *get_session_cb(SSL *ssl, unsigned char *SessionID,
+++ int length, int *copy)
+++{
+++ SSL_SESSION *session;
+++ char idstring[2 * ID_MAXLENGTH + 1];
+++ int n;
+++ int uselength;
+++ int hex_length;
+++ const char *session_hex;
+++ pfixtls_scache_info_t scache_info;
+++ unsigned char nibble, *data, *sess_data;
+++
+++ if (length > ID_MAXLENGTH)
+++ uselength = ID_MAXLENGTH; /* Limit length of ID */
+++ else
+++ uselength = length;
+++
+++ for(n=0 ; n < uselength ; n++)
+++ sprintf(idstring + 2 * n, "%02x", SessionID[n]);
+++ if (var_smtpd_tls_loglevel >= 3)
+++ msg_info("Trying to reload Session from disc: %s", idstring);
+++
+++ session = NULL;
+++
+++ session_hex = dict_get(scache_db, idstring);
+++ if (session_hex) {
+++ hex_length = strlen(session_hex);
+++ data = (unsigned char *)mymalloc(hex_length / 2);
+++ if (!data) {
+++ msg_info("could not allocate memory for session reload");
+++ return(NULL);
+++ }
+++
+++ memset(data, 0, hex_length / 2);
+++ for (n = 0; n < hex_length; n++) {
+++ if ((session_hex[n] >= '0') && (session_hex[n] <= '9'))
+++ nibble = session_hex[n] - '0';
+++ else
+++ nibble = session_hex[n] - 'A' + 10;
+++ if (n % 2)
+++ data[n / 2] |= nibble;
+++ else
+++ data[n / 2] |= (nibble << 4);
+++ }
+++
+++ /*
+++ * First check the version numbers, since wrong session data might
+++ * hit us hard (SEGFAULT). We also have to check for expiry.
+++ */
+++ memcpy(&scache_info, data, sizeof(pfixtls_scache_info_t));
+++ if ((scache_info.scache_db_version != scache_db_version) ||
+++ (scache_info.openssl_version != openssl_version) ||
+++ (scache_info.timestamp + var_smtpd_tls_scache_timeout < time(NULL)))
+++ dict_del(scache_db, idstring);
+++ else {
+++ sess_data = data + sizeof(pfixtls_scache_info_t);
+++ session = d2i_SSL_SESSION(NULL, &sess_data,
+++ hex_length / 2 - sizeof(pfixtls_scache_info_t));
+++ if (!session)
+++ pfixtls_print_errors();
+++ }
+++ myfree((char *)data);
+++ }
+++
+++ if (session && (var_smtpd_tls_loglevel >= 3))
+++ msg_info("Successfully reloaded session from disc");
+++
+++ return (session);
+++}
+++
+++
+++static SSL_SESSION *load_clnt_session(const char *hostname,
+++ int enforce_peername)
+++{
+++ SSL_SESSION *session = NULL;
+++ char idstring[ID_MAXLENGTH + 1];
+++ int n;
+++ int uselength;
+++ int length;
+++ int hex_length;
+++ const char *session_hex;
+++ pfixtls_scache_info_t scache_info;
+++ unsigned char nibble, *data, *sess_data;
+++
+++ length = strlen(hostname);
+++ if (length > ID_MAXLENGTH)
+++ uselength = ID_MAXLENGTH; /* Limit length of ID */
+++ else
+++ uselength = length;
+++
+++ for(n=0 ; n < uselength ; n++)
+++ idstring[n] = tolower(hostname[n]);
+++ idstring[uselength] = '\0';
+++ if (var_smtp_tls_loglevel >= 3)
+++ msg_info("Trying to reload Session from disc: %s", idstring);
+++
+++ session_hex = dict_get(scache_db, idstring);
+++ if (session_hex) {
+++ hex_length = strlen(session_hex);
+++ data = (unsigned char *)mymalloc(hex_length / 2);
+++ if (!data) {
+++ msg_info("could not allocate memory for session reload");
+++ return(NULL);
+++ }
+++
+++ memset(data, 0, hex_length / 2);
+++ for (n = 0; n < hex_length; n++) {
+++ if ((session_hex[n] >= '0') && (session_hex[n] <= '9'))
+++ nibble = session_hex[n] - '0';
+++ else
+++ nibble = session_hex[n] - 'A' + 10;
+++ if (n % 2)
+++ data[n / 2] |= nibble;
+++ else
+++ data[n / 2] |= (nibble << 4);
+++ }
+++
+++ /*
+++ * First check the version numbers, since wrong session data might
+++ * hit us hard (SEGFAULT). We also have to check for expiry.
+++ * When we enforce_peername, we may find an old session, that was
+++ * saved when enforcement was not set. In this case the session will
+++ * be removed and a fresh session will be negotiated.
+++ */
+++ memcpy(&scache_info, data, sizeof(pfixtls_scache_info_t));
+++ if ((scache_info.scache_db_version != scache_db_version) ||
+++ (scache_info.openssl_version != openssl_version) ||
+++ (scache_info.timestamp + var_smtpd_tls_scache_timeout < time(NULL)))
+++ dict_del(scache_db, idstring);
+++ else if (enforce_peername && (!scache_info.enforce_peername))
+++ dict_del(scache_db, idstring);
+++ else {
+++ sess_data = data + sizeof(pfixtls_scache_info_t);
+++ session = d2i_SSL_SESSION(NULL, &sess_data,
+++ hex_length / 2 - sizeof(time_t));
+++ strncpy(SSL_SESSION_get_ex_data(session, TLSpeername_index),
+++ idstring, ID_MAXLENGTH + 1);
+++ if (!session)
+++ pfixtls_print_errors();
+++ }
+++ myfree((char *)data);
+++ }
+++
+++ if (session && (var_smtp_tls_loglevel >= 3))
+++ msg_info("Successfully reloaded session from disc");
+++
+++ return (session);
+++}
+++
+++
+++static void create_client_lookup_id(char *idstring, char *hostname)
+++{
+++ int n, len, uselength;
+++
+++ len = strlen(hostname);
+++ if (len > ID_MAXLENGTH)
+++ uselength = ID_MAXLENGTH; /* Limit length of ID */
+++ else
+++ uselength = len;
+++
+++ for (n = 0 ; n < uselength ; n++)
+++ idstring[n] = tolower(hostname[n]);
+++ idstring[uselength] = '\0';
+++}
+++
+++
+++static void create_server_lookup_id(char *idstring, SSL_SESSION *session)
+++{
+++ int n, uselength;
+++
+++ if (session->session_id_length > ID_MAXLENGTH)
+++ uselength = ID_MAXLENGTH; /* Limit length of ID */
+++ else
+++ uselength = session->session_id_length;
+++
+++ for(n = 0; n < uselength ; n++)
+++ sprintf(idstring + 2 * n, "%02x", session->session_id[n]);
+++}
+++
+++
+++static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *session)
+++{
+++ char idstring[2 * ID_MAXLENGTH + 1];
+++ char *hostname;
+++
+++ if (pfixtls_clientengine) {
+++ hostname = SSL_SESSION_get_ex_data(session, TLSpeername_index);
+++ create_client_lookup_id(idstring, hostname);
+++ if (var_smtp_tls_loglevel >= 3)
+++ msg_info("Trying to remove session from disc: %s", idstring);
+++ }
+++ else {
+++ create_server_lookup_id(idstring, session);
+++ if (var_smtpd_tls_loglevel >= 3)
+++ msg_info("Trying to remove session from disc: %s", idstring);
+++ }
+++
+++ if (scache_db)
+++ dict_del(scache_db, idstring);
+++}
+++
+++
+++/*
+++ * We need space to save the peername into the SSL_SESSION, as we must
+++ * look up the external database for client sessions by peername, not
+++ * by session id. We therefore allocate place for the peername string,
+++ * when a new SSL_SESSION is generated. It is filled later.
+++ */
+++static int new_peername_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+++ int idx, long argl, void *argp)
+++{
+++ char *peername;
+++
+++ peername = (char *)mymalloc(ID_MAXLENGTH + 1);
+++ if (!peername)
+++ return 0;
+++ peername[0] = '\0'; /* initialize */
+++ return CRYPTO_set_ex_data(ad, idx, peername);
+++}
+++
+++/*
+++ * When the SSL_SESSION is removed again, we must free the memory to avoid
+++ * leaks.
+++ */
+++static void free_peername_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+++ int idx, long argl, void *argp)
+++{
+++ myfree(CRYPTO_get_ex_data(ad, idx));
+++}
+++
+++/*
+++ * Duplicate application data, when a SSL_SESSION is duplicated
+++ */
+++static int dup_peername_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from,
+++ void *from_d, int idx, long argl, void *argp)
+++{
+++ char *peername_old, *peername_new;
+++
+++ peername_old = CRYPTO_get_ex_data(from, idx);
+++ peername_new = CRYPTO_get_ex_data(to, idx);
+++ if (!peername_old || !peername_new)
+++ return 0;
+++ memcpy(peername_new, peername_old, ID_MAXLENGTH + 1);
+++ return 1;
+++}
+++
+++
+++ /*
+++ * Save a new session to the external cache
+++ */
+++static int new_session_cb(SSL *ssl, SSL_SESSION *session)
+++{
+++ char idstring[2 * ID_MAXLENGTH + 1];
+++ int n;
+++ int dsize;
+++ int len;
+++ unsigned char *data, *sess_data;
+++ pfixtls_scache_info_t scache_info;
+++ char *hexdata, *hostname;
+++ TLScontext_t *TLScontext;
+++
+++ if (pfixtls_clientengine) {
+++ TLScontext = SSL_get_ex_data(ssl, TLScontext_index);
+++ hostname = TLScontext->peername_save;
+++ create_client_lookup_id(idstring, hostname);
+++ strncpy(SSL_SESSION_get_ex_data(session, TLSpeername_index),
+++ hostname, ID_MAXLENGTH + 1);
+++ /*
+++ * Remember, whether peername matching was enforced when the session
+++ * was created. If later enforce mode is enabled, we do not want to
+++ * reuse a session that was not sufficiently checked.
+++ */
+++ scache_info.enforce_peername =
+++ (TLScontext->enforce_verify_errors && TLScontext->enforce_CN);
+++
+++ if (var_smtp_tls_loglevel >= 3)
+++ msg_info("Trying to save session for hostID to disc: %s", idstring);
+++
+++#if (OPENSSL_VERSION_NUMBER < 0x00906011L) || (OPENSSL_VERSION_NUMBER == 0x00907000L)
+++ /*
+++ * Ugly Hack: OpenSSL before 0.9.6a does not store the verify
+++ * result in sessions for the client side.
+++ * We modify the session directly which is version specific,
+++ * but this bug is version specific, too.
+++ *
+++ * READ: 0-09-06-01-1 = 0-9-6-a-beta1: all versions before
+++ * beta1 have this bug, it has been fixed during development
+++ * of 0.9.6a. The development version of 0.9.7 can have this
+++ * bug, too. It has been fixed on 2000/11/29.
+++ */
+++ session->verify_result = SSL_get_verify_result(TLScontext->con);
+++#endif
+++
+++ }
+++ else {
+++ create_server_lookup_id(idstring, session);
+++ if (var_smtpd_tls_loglevel >= 3)
+++ msg_info("Trying to save Session to disc: %s", idstring);
+++ }
+++
+++
+++ /*
+++ * Get the session and convert it into some "database" useable form.
+++ * First, get the length of the session to allocate the memory.
+++ */
+++ dsize = i2d_SSL_SESSION(session, NULL);
+++ if (dsize < 0) {
+++ msg_info("Could not access session");
+++ return 0;
+++ }
+++ data = (unsigned char *)mymalloc(dsize + sizeof(pfixtls_scache_info_t));
+++ if (!data) {
+++ msg_info("could not allocate memory for SSL session");
+++ return 0;
+++ }
+++
+++ /*
+++ * OpenSSL is not robust against wrong session data (might SEGFAULT),
+++ * so we secure it against version ids (session cache structure as well
+++ * as OpenSSL version).
+++ */
+++ scache_info.scache_db_version = scache_db_version;
+++ scache_info.openssl_version = openssl_version;
+++
+++ /*
+++ * Put a timestamp, so that expiration can be checked without
+++ * analyzing the session data itself. (We would need OpenSSL funtions,
+++ * since the SSL_SESSION is a private structure.)
+++ */
+++ scache_info.timestamp = time(NULL);
+++
+++ memcpy(data, &scache_info, sizeof(pfixtls_scache_info_t));
+++ sess_data = data + sizeof(pfixtls_scache_info_t);
+++
+++ /*
+++ * Now, obtain the session. Unfortunately, it is binary and dict_update
+++ * cannot handle binary data (it could contain '\0' in it) directly.
+++ * To save memory we could use base64 encoding. To make handling easier,
+++ * we simply use hex format.
+++ */
+++ len = i2d_SSL_SESSION(session, &sess_data);
+++ len += sizeof(pfixtls_scache_info_t);
+++
+++ hexdata = (char *)mymalloc(2 * len + 1);
+++
+++ if (!hexdata) {
+++ msg_info("could not allocate memory for SSL session (HEX)");
+++ myfree((char *)data);
+++ return 0;
+++ }
+++ for (n = 0; n < len; n++) {
+++ hexdata[n * 2] = hexcodes[(data[n] & 0xf0) >> 4];
+++ hexdata[(n * 2) + 1] = hexcodes[(data[n] & 0x0f)];
+++ }
+++ hexdata[len * 2] = '\0';
+++
+++ /*
+++ * The session id is a hex string, all uppercase. We are using SDBM as
+++ * compiled into Postfix with 8kB maximum entry size, so we set a limit
+++ * when caching. If the session is not cached, we have to renegotiate,
+++ * not more, not less. For a real session, this limit should never be
+++ * met
+++ */
+++ if (strlen(idstring) + strlen(hexdata) < 8000)
+++ dict_put(scache_db, idstring, hexdata);
+++
+++ myfree(hexdata);
+++ myfree((char *)data);
+++ return (1);
+++}
+++
+++
+++ /*
+++ * pfixtls_exchange_seed: read bytes from the seed exchange-file (expect
+++ * 1024 bytes)and immediately write back random bytes. Do so with EXCLUSIVE
+++ * lock, so * that each process will find a completely different (and
+++ * reseeded) file.
+++ */
+++static void pfixtls_exchange_seed(void)
+++{
+++ unsigned char buffer[1024];
+++
+++ if (rand_exch_fd == -1)
+++ return;
+++
+++ if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) != 0)
+++ msg_info("Could not lock random exchange file: %s",
+++ strerror(errno));
+++
+++ lseek(rand_exch_fd, 0, SEEK_SET);
+++ if (read(rand_exch_fd, buffer, 1024) < 0)
+++ msg_fatal("reading exchange file failed");
+++ RAND_seed(buffer, 1024);
+++
+++ RAND_bytes(buffer, 1024);
+++ lseek(rand_exch_fd, 0, SEEK_SET);
+++ if (write(rand_exch_fd, buffer, 1024) != 1024)
+++ msg_fatal("Writing exchange file failed");
+++
+++ if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) != 0)
+++ msg_fatal("Could not unlock random exchange file: %s",
+++ strerror(errno));
+++}
+++
+++ /*
+++ * This is the setup routine for the SSL server. As smtpd might be called
+++ * more than once, we only want to do the initialization one time.
+++ *
+++ * The skeleton of this function is taken from OpenSSL apps/s_server.c.
+++ */
+++
+++int pfixtls_init_serverengine(int verifydepth, int askcert)
+++{
+++ int off = 0;
+++ int verify_flags = SSL_VERIFY_NONE;
+++ int rand_bytes;
+++ int rand_source_dev_fd;
+++ int rand_source_socket_fd;
+++ unsigned char buffer[255];
+++ char *CApath;
+++ char *CAfile;
+++ char *s_cert_file;
+++ char *s_key_file;
+++ char *s_dcert_file;
+++ char *s_dkey_file;
+++ FILE *paramfile;
+++
+++ if (pfixtls_serverengine)
+++ return (0); /* already running */
+++
+++ if (var_smtpd_tls_loglevel >= 2)
+++ msg_info("starting TLS engine");
+++
+++ /*
+++ * Initialize the OpenSSL library by the book!
+++ * To start with, we must initialize the algorithms.
+++ * We want cleartext error messages instead of just error codes, so we
+++ * load the error_strings.
+++ */
+++ SSL_load_error_strings();
+++ OpenSSL_add_ssl_algorithms();
+++
+++ /*
+++ * Side effect, call a non-existing function to disable TLS usage with an
+++ * outdated OpenSSL version. There is a security reason (verify_result
+++ * is not stored with the session data).
+++ */
+++#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
+++ needs_openssl_095_or_later();
+++#endif
+++
+++ /*
+++ * Initialize the PRNG Pseudo Random Number Generator with some seed.
+++ */
+++ randseed.pid = getpid();
+++ GETTIMEOFDAY(&randseed.tv);
+++ RAND_seed(&randseed, sizeof(randseed_t));
+++
+++ /*
+++ * Access the external sources for random seed. We will only query them
+++ * once, this should be sufficient and we will stir our entropy by using
+++ * the prng-exchange file anyway.
+++ * For reliability, we don't consider failure to access the additional
+++ * source fatal, as we can run happily without it (considering that we
+++ * still have the exchange-file). We also don't care how much entropy
+++ * we get back, as we must run anyway. We simply stir in the buffer
+++ * regardless how many bytes are actually in it.
+++ */
+++ if (*var_tls_daemon_rand_source) {
+++ if (!strncmp(var_tls_daemon_rand_source, "dev:", 4)) {
+++ /*
+++ * Source is a random device
+++ */
+++ rand_source_dev_fd = open(var_tls_daemon_rand_source + 4, 0, 0);
+++ if (rand_source_dev_fd == -1)
+++ msg_info("Could not open entropy device %s",
+++ var_tls_daemon_rand_source);
+++ else {
+++ if (var_tls_daemon_rand_bytes > 255)
+++ var_tls_daemon_rand_bytes = 255;
+++ read(rand_source_dev_fd, buffer, var_tls_daemon_rand_bytes);
+++ RAND_seed(buffer, var_tls_daemon_rand_bytes);
+++ close(rand_source_dev_fd);
+++ }
+++ } else if (!strncmp(var_tls_daemon_rand_source, "egd:", 4)) {
+++ /*
+++ * Source is a EGD compatible socket
+++ */
+++ rand_source_socket_fd = unix_connect(var_tls_daemon_rand_source +4,
+++ BLOCKING, 10);
+++ if (rand_source_socket_fd == -1)
+++ msg_info("Could not connect to %s", var_tls_daemon_rand_source);
+++ else {
+++ if (var_tls_daemon_rand_bytes > 255)
+++ var_tls_daemon_rand_bytes = 255;
+++ buffer[0] = 1;
+++ buffer[1] = var_tls_daemon_rand_bytes;
+++ if (write(rand_source_socket_fd, buffer, 2) != 2)
+++ msg_info("Could not talk to %s",
+++ var_tls_daemon_rand_source);
+++ else if (read(rand_source_socket_fd, buffer, 1) != 1)
+++ msg_info("Could not read info from %s",
+++ var_tls_daemon_rand_source);
+++ else {
+++ rand_bytes = buffer[0];
+++ read(rand_source_socket_fd, buffer, rand_bytes);
+++ RAND_seed(buffer, rand_bytes);
+++ }
+++ close(rand_source_socket_fd);
+++ }
+++ } else {
+++ RAND_load_file(var_tls_daemon_rand_source,
+++ var_tls_daemon_rand_bytes);
+++ }
+++ }
+++
+++ if (*var_tls_rand_exch_name) {
+++ rand_exch_fd = open(var_tls_rand_exch_name, O_RDWR | O_CREAT, 0600);
+++ if (rand_exch_fd != -1)
+++ pfixtls_exchange_seed();
+++ }
+++
+++ randseed.pid = getpid();
+++ GETTIMEOFDAY(&randseed.tv);
+++ RAND_seed(&randseed, sizeof(randseed_t));
+++
+++ /*
+++ * The SSL/TLS speficications require the client to send a message in
+++ * the oldest specification it understands with the highest level it
+++ * understands in the message.
+++ * Netscape communicator can still communicate with SSLv2 servers, so it
+++ * sends out a SSLv2 client hello. To deal with it, our server must be
+++ * SSLv2 aware (even if we don't like SSLv2), so we need to have the
+++ * SSLv23 server here. If we want to limit the protocol level, we can
+++ * add an option to not use SSLv2/v3/TLSv1 later.
+++ */
+++ ctx = SSL_CTX_new(SSLv23_server_method());
+++ if (ctx == NULL) {
+++ pfixtls_print_errors();
+++ return (-1);
+++ };
+++
+++ /*
+++ * Here we might set SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1.
+++ * Of course, the last one would not make sense, since RFC2487 is only
+++ * defined for TLS, but we also want to accept Netscape communicator
+++ * requests, and it only supports SSLv3.
+++ */
+++ off |= SSL_OP_ALL; /* Work around all known bugs */
+++ SSL_CTX_set_options(ctx, off);
+++
+++ /*
+++ * Set the info_callback, that will print out messages during
+++ * communication on demand.
+++ */
+++ if (var_smtpd_tls_loglevel >= 2)
+++ SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
+++
+++ /*
+++ * Set the list of ciphers, if explicitely given; otherwise the
+++ * (reasonable) default list is kept.
+++ */
+++ if (strlen(var_smtpd_tls_cipherlist) != 0)
+++ if (SSL_CTX_set_cipher_list(ctx, var_smtpd_tls_cipherlist) == 0) {
+++ pfixtls_print_errors();
+++ return (-1);
+++ }
+++
+++ /*
+++ * Now we must add the necessary certificate stuff: A server key, a
+++ * server certificate, and the CA certificates for both the server
+++ * cert and the verification of client certificates.
+++ * As provided by OpenSSL we support two types of CA certificate handling:
+++ * One possibility is to add all CA certificates to one large CAfile,
+++ * the other possibility is a directory pointed to by CApath, containing
+++ * seperate files for each CA pointed on by softlinks named by the hash
+++ * values of the certificate.
+++ * The first alternative has the advantage, that the file is opened and
+++ * read at startup time, so that you don't have the hassle to maintain
+++ * another copy of the CApath directory for chroot-jail. On the other
+++ * hand, the file is not really readable.
+++ */
+++ if (strlen(var_smtpd_tls_CAfile) == 0)
+++ CAfile = NULL;
+++ else
+++ CAfile = var_smtpd_tls_CAfile;
+++ if (strlen(var_smtpd_tls_CApath) == 0)
+++ CApath = NULL;
+++ else
+++ CApath = var_smtpd_tls_CApath;
+++
+++ if (CAfile || CApath) {
+++ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
+++ msg_info("TLS engine: cannot load CA data");
+++ pfixtls_print_errors();
+++ return (-1);
+++ }
+++ if (!SSL_CTX_set_default_verify_paths(ctx)) {
+++ msg_info("TLS engine: cannot set verify paths");
+++ pfixtls_print_errors();
+++ return (-1);
+++ }
+++ }
+++
+++ /*
+++ * Now we load the certificate and key from the files and check,
+++ * whether the cert matches the key (internally done by set_cert_stuff().
+++ * We cannot run without (we do not support ADH anonymous Diffie-Hellman
+++ * ciphers as of now).
+++ * We can use RSA certificates ("cert") and DSA certificates ("dcert"),
+++ * both can be made available at the same time. The CA certificates for
+++ * both are handled in the same setup already finished.
+++ * Which one is used depends on the cipher negotiated (that is: the first
+++ * cipher listed by the client which does match the server). A client with
+++ * RSA only (e.g. Netscape) will use the RSA certificate only.
+++ * A client with openssl-library will use RSA first if not especially
+++ * changed in the cipher setup.
+++ */
+++ if (strlen(var_smtpd_tls_cert_file) == 0)
+++ s_cert_file = NULL;
+++ else
+++ s_cert_file = var_smtpd_tls_cert_file;
+++ if (strlen(var_smtpd_tls_key_file) == 0)
+++ s_key_file = NULL;
+++ else
+++ s_key_file = var_smtpd_tls_key_file;
+++
+++ if (strlen(var_smtpd_tls_dcert_file) == 0)
+++ s_dcert_file = NULL;
+++ else
+++ s_dcert_file = var_smtpd_tls_dcert_file;
+++ if (strlen(var_smtpd_tls_dkey_file) == 0)
+++ s_dkey_file = NULL;
+++ else
+++ s_dkey_file = var_smtpd_tls_dkey_file;
+++
+++ if (s_cert_file) {
+++ if (!set_cert_stuff(ctx, s_cert_file, s_key_file)) {
+++ msg_info("TLS engine: cannot load RSA cert/key data");
+++ pfixtls_print_errors();
+++ return (-1);
+++ }
+++ }
+++ if (s_dcert_file) {
+++ if (!set_cert_stuff(ctx, s_dcert_file, s_dkey_file)) {
+++ msg_info("TLS engine: cannot load DSA cert/key data");
+++ pfixtls_print_errors();
+++ return (-1);
+++ }
+++ }
+++ if (!s_cert_file && !s_dcert_file) {
+++ msg_info("TLS engine: do need at least RSA _or_ DSA cert/key data");
+++ return (-1);
+++ }
+++
+++ /*
+++ * Sometimes a temporary RSA key might be needed by the OpenSSL
+++ * library. The OpenSSL doc indicates, that this might happen when
+++ * export ciphers are in use. We have to provide one, so well, we
+++ * just do it.
+++ */
+++ SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
+++
+++ /*
+++ * We might also need dh parameters, which can either be loaded from
+++ * file (preferred) or we simply take the compiled in values.
+++ * First, set the callback that will select the values when requested,
+++ * then load the (possibly) available DH parameters from files.
+++ * We are generous with the error handling, since we do have default
+++ * values compiled in, so we will not abort but just log the error message.
+++ */
+++ SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_cb);
+++ if (strlen(var_smtpd_tls_dh1024_param_file) != 0) {
+++ if ((paramfile = fopen(var_smtpd_tls_dh1024_param_file, "r")) != NULL) {
+++ dh_1024 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
+++ if (dh_1024 == NULL) {
+++ msg_info("TLS engine: cannot load 1024bit DH parameters");
+++ pfixtls_print_errors();
+++ }
+++ }
+++ else {
+++ msg_info("TLS engine: cannot load 1024bit DH parameters: %s: %s",
+++ var_smtpd_tls_dh1024_param_file, strerror(errno));
+++ }
+++ }
+++ if (strlen(var_smtpd_tls_dh512_param_file) != 0) {
+++ if ((paramfile = fopen(var_smtpd_tls_dh512_param_file, "r")) != NULL) {
+++ dh_512 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
+++ if (dh_512 == NULL) {
+++ msg_info("TLS engine: cannot load 512bit DH parameters");
+++ pfixtls_print_errors();
+++ }
+++ }
+++ else {
+++ msg_info("TLS engine: cannot load 512bit DH parameters: %s: %s",
+++ var_smtpd_tls_dh512_param_file, strerror(errno));
+++ }
+++ }
+++
+++ /*
+++ * If we want to check client certificates, we have to indicate it
+++ * in advance. By now we only allow to decide on a global basis.
+++ * If we want to allow certificate based relaying, we must ask the
+++ * client to provide one with SSL_VERIFY_PEER. The client now can
+++ * decide, whether it provides one or not. We can enforce a failure
+++ * of the negotiation with SSL_VERIFY_FAIL_IF_NO_PEER_CERT, if we
+++ * do not allow a connection without one.
+++ * In the "server hello" following the initialization by the "client hello"
+++ * the server must provide a list of CAs it is willing to accept.
+++ * Some clever clients will then select one from the list of available
+++ * certificates matching these CAs. Netscape Communicator will present
+++ * the list of certificates for selecting the one to be sent, or it will
+++ * issue a warning, if there is no certificate matching the available
+++ * CAs.
+++ *
+++ * With regard to the purpose of the certificate for relaying, we might
+++ * like a later negotiation, maybe relaying would already be allowed
+++ * for other reasons, but this would involve severe changes in the
+++ * internal postfix logic, so we have to live with it the way it is.
+++ */
+++ if (askcert)
+++ verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+++ SSL_CTX_set_verify(ctx, verify_flags, verify_callback);
+++ SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
+++
+++ /*
+++ * Initialize the session cache. We only want external caching to
+++ * synchronize between server sessions, so we set it to a minimum value
+++ * of 1. If the external cache is disabled, we won't cache at all.
+++ * The recall of old sessions "get" and save to disk of just created
+++ * sessions "new" is handled by the appropriate callback functions.
+++ *
+++ * We must not forget to set a session id context to identify to which
+++ * kind of server process the session was related. In our case, the
+++ * context is just the name of the patchkit: "Postfix/TLS".
+++ */
+++ SSL_CTX_sess_set_cache_size(ctx, 1);
+++ SSL_CTX_set_timeout(ctx, var_smtpd_tls_scache_timeout);
+++ SSL_CTX_set_session_id_context(ctx, (void*)&server_session_id_context,
+++ sizeof(server_session_id_context));
+++
+++ /*
+++ * The session cache is realized by an external database file, that
+++ * must be opened before going to chroot jail. Since the session cache
+++ * data can become quite large, "[n]dbm" cannot be used as it has a
+++ * size limit that is by far to small.
+++ */
+++ if (*var_smtpd_tls_scache_db) {
+++ /*
+++ * Insert a test against other dbms here, otherwise while writing
+++ * a session (content to large), we will receive a fatal error!
+++ */
+++ if (strncmp(var_smtpd_tls_scache_db, "sdbm:", 5))
+++ msg_warn("Only sdbm: type allowed for %s",
+++ var_smtpd_tls_scache_db);
+++ else
+++ scache_db = dict_open(var_smtpd_tls_scache_db, O_RDWR,
+++ DICT_FLAG_DUP_REPLACE | DICT_FLAG_LOCK | DICT_FLAG_SYNC_UPDATE);
+++ if (scache_db) {
+++ SSL_CTX_set_session_cache_mode(ctx,
+++ SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_AUTO_CLEAR);
+++ SSL_CTX_sess_set_get_cb(ctx, get_session_cb);
+++ SSL_CTX_sess_set_new_cb(ctx, new_session_cb);
+++ SSL_CTX_sess_set_remove_cb(ctx, remove_session_cb);
+++ }
+++ else
+++ msg_warn("Could not open session cache %s",
+++ var_smtpd_tls_scache_db);
+++ }
+++
+++ /*
+++ * Finally create the global index to access TLScontext information
+++ * inside verify_callback.
+++ */
+++ TLScontext_index = SSL_get_ex_new_index(0, "TLScontext ex_data index",
+++ NULL, NULL, NULL);
+++
+++ pfixtls_serverengine = 1;
+++ return (0);
+++}
+++
+++ /*
+++ * This is the actual startup routine for the connection. We expect
+++ * that the buffers are flushed and the "220 Ready to start TLS" was
+++ * send to the client, so that we can immediately can start the TLS
+++ * handshake process.
+++ */
+++int pfixtls_start_servertls(VSTREAM *stream, int timeout,
+++ const char *peername, const char *peeraddr,
+++ tls_info_t *tls_info, int requirecert)
+++{
+++ int sts;
+++ int j;
+++ int verify_flags;
+++ unsigned int n;
+++ TLScontext_t *TLScontext;
+++ SSL_SESSION *session;
+++ SSL_CIPHER *cipher;
+++ X509 *peer;
+++
+++ if (!pfixtls_serverengine) { /* should never happen */
+++ msg_info("tls_engine not running");
+++ return (-1);
+++ }
+++ if (var_smtpd_tls_loglevel >= 1)
+++ msg_info("setting up TLS connection from %s[%s]", peername, peeraddr);
+++
+++ /*
+++ * Allocate a new TLScontext for the new connection and get an SSL
+++ * structure. Add the location of TLScontext to the SSL to later
+++ * retrieve the information inside the verify_callback().
+++ */
+++ TLScontext = (TLScontext_t *)mymalloc(sizeof(TLScontext_t));
+++ if (!TLScontext) {
+++ msg_fatal("Could not allocate 'TLScontext' with mymalloc");
+++ }
+++ if ((TLScontext->con = (SSL *) SSL_new(ctx)) == NULL) {
+++ msg_info("Could not allocate 'TLScontext->con' with SSL_new()");
+++ pfixtls_print_errors();
+++ myfree((char *)TLScontext);
+++ return (-1);
+++ }
+++ if (!SSL_set_ex_data(TLScontext->con, TLScontext_index, TLScontext)) {
+++ msg_info("Could not set application data for 'TLScontext->con'");
+++ pfixtls_print_errors();
+++ SSL_free(TLScontext->con);
+++ myfree((char *)TLScontext);
+++ return (-1);
+++ }
+++
+++ /*
+++ * Set the verification parameters to be checked in verify_callback().
+++ */
+++ if (requirecert) {
+++ verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+++ verify_flags |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+++ TLScontext->enforce_verify_errors = 1;
+++ SSL_set_verify(TLScontext->con, verify_flags, verify_callback);
+++ }
+++ else {
+++ TLScontext->enforce_verify_errors = 0;
+++ }
+++ TLScontext->enforce_CN = 0;
+++
+++ /*
+++ * The TLS connection is realized by a BIO_pair, so obtain the pair.
+++ */
+++ if (!BIO_new_bio_pair(&TLScontext->internal_bio, BIO_bufsiz,
+++ &TLScontext->network_bio, BIO_bufsiz)) {
+++ msg_info("Could not obtain BIO_pair");
+++ pfixtls_print_errors();
+++ SSL_free(TLScontext->con);
+++ myfree((char *)TLScontext);
+++ return (-1);
+++ }
+++
+++ /*
+++ * Before really starting anything, try to seed the PRNG a little bit
+++ * more.
+++ */
+++ pfixtls_stir_seed();
+++ pfixtls_exchange_seed();
+++
+++ /*
+++ * Initialize the SSL connection to accept state. This should not be
+++ * necessary anymore since 0.9.3, but the call is still in the library
+++ * and maintaining compatibility never hurts.
+++ */
+++ SSL_set_accept_state(TLScontext->con);
+++
+++ /*
+++ * Connect the SSL-connection with the postfix side of the BIO-pair for
+++ * reading and writing.
+++ */
+++ SSL_set_bio(TLScontext->con, TLScontext->internal_bio,
+++ TLScontext->internal_bio);
+++
+++ /*
+++ * If the debug level selected is high enough, all of the data is
+++ * dumped: 3 will dump the SSL negotiation, 4 will dump everything.
+++ *
+++ * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
+++ * Well there is a BIO below the SSL routines that is automatically
+++ * created for us, so we can use it for debugging purposes.
+++ */
+++ if (var_smtpd_tls_loglevel >= 3)
+++ BIO_set_callback(SSL_get_rbio(TLScontext->con), bio_dump_cb);
+++
+++
+++ /* Dump the negotiation for loglevels 3 and 4 */
+++ if (var_smtpd_tls_loglevel >= 3)
+++ do_dump = 1;
+++
+++ /*
+++ * Now we expect the negotiation to begin. This whole process is like a
+++ * black box for us. We totally have to rely on the routines build into
+++ * the OpenSSL library. The only thing we can do we already have done
+++ * by choosing our own callbacks for session caching and certificate
+++ * verification.
+++ *
+++ * Error handling:
+++ * If the SSL handhake fails, we print out an error message and remove
+++ * everything that might be there. A session has to be removed anyway,
+++ * because RFC2246 requires it.
+++ */
+++ sts = do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
+++ SSL_accept, NULL, NULL, NULL, 0);
+++ if (sts <= 0) {
+++ msg_info("SSL_accept error from %s[%s]: %d", peername, peeraddr, sts);
+++ pfixtls_print_errors();
+++ SSL_free(TLScontext->con);
+++ myfree((char *)TLScontext);
+++ return (-1);
+++ }
+++
+++ /* Only loglevel==4 dumps everything */
+++ if (var_smtpd_tls_loglevel < 4)
+++ do_dump = 0;
+++
+++ /*
+++ * Lets see, whether a peer certificate is available and what is
+++ * the actual information. We want to save it for later use.
+++ */
+++ peer = SSL_get_peer_certificate(TLScontext->con);
+++ if (peer != NULL) {
+++ if (SSL_get_verify_result(TLScontext->con) == X509_V_OK)
+++ tls_info->peer_verified = 1;
+++
+++ X509_NAME_oneline(X509_get_subject_name(peer),
+++ TLScontext->peer_subject, CCERT_BUFSIZ);
+++ if (var_smtpd_tls_loglevel >= 2)
+++ msg_info("subject=%s", TLScontext->peer_subject);
+++ tls_info->peer_subject = TLScontext->peer_subject;
+++ X509_NAME_oneline(X509_get_issuer_name(peer),
+++ TLScontext->peer_issuer, CCERT_BUFSIZ);
+++ if (var_smtpd_tls_loglevel >= 2)
+++ msg_info("issuer=%s", TLScontext->peer_issuer);
+++ tls_info->peer_issuer = TLScontext->peer_issuer;
+++ if (X509_digest(peer, EVP_md5(), TLScontext->md, &n)) {
+++ for (j = 0; j < (int) n; j++) {
+++ TLScontext->fingerprint[j * 3] =
+++ hexcodes[(TLScontext->md[j] & 0xf0) >> 4];
+++ TLScontext->fingerprint[(j * 3) + 1] =
+++ hexcodes[(TLScontext->md[j] & 0x0f)];
+++ if (j + 1 != (int) n)
+++ TLScontext->fingerprint[(j * 3) + 2] = ':';
+++ else
+++ TLScontext->fingerprint[(j * 3) + 2] = '\0';
+++ }
+++ if (var_smtpd_tls_loglevel >= 1)
+++ msg_info("fingerprint=%s", TLScontext->fingerprint);
+++ tls_info->peer_fingerprint = TLScontext->fingerprint;
+++ }
+++
+++ TLScontext->peer_CN[0] = '\0';
+++ if (!X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
+++ NID_commonName, TLScontext->peer_CN, CCERT_BUFSIZ)) {
+++ msg_info("Could not parse client's subject CN");
+++ pfixtls_print_errors();
+++ }
+++ tls_info->peer_CN = TLScontext->peer_CN;
+++
+++ TLScontext->issuer_CN[0] = '\0';
+++ if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
+++ NID_commonName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
+++ msg_info("Could not parse client's issuer CN");
+++ pfixtls_print_errors();
+++ }
+++ if (!TLScontext->issuer_CN[0]) {
+++ /* No issuer CN field, use Organization instead */
+++ if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
+++ NID_organizationName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
+++ msg_info("Could not parse client's issuer Organization");
+++ pfixtls_print_errors();
+++ }
+++ }
+++ tls_info->issuer_CN = TLScontext->issuer_CN;
+++
+++ if (var_smtpd_tls_loglevel >= 1) {
+++ if (tls_info->peer_verified)
+++ msg_info("Verified: subject_CN=%s, issuer=%s",
+++ TLScontext->peer_CN, TLScontext->issuer_CN);
+++ else
+++ msg_info("Unverified: subject_CN=%s, issuer=%s",
+++ TLScontext->peer_CN, TLScontext->issuer_CN);
+++ }
+++
+++ X509_free(peer);
+++ }
+++
+++ /*
+++ * At this point we should have a certificate when required.
+++ * We may however have a cached session, so the callback would never
+++ * be called. We therefore double-check to make sure and remove the
+++ * session, if applicable.
+++ */
+++ if (requirecert) {
+++ if (!tls_info->peer_verified || !tls_info->peer_CN) {
+++ msg_info("Re-used session without peer certificate removed");
+++ session = SSL_get_session(TLScontext->con);
+++ SSL_CTX_remove_session(ctx, session);
+++ return (-1);
+++ }
+++ }
+++
+++ /*
+++ * Finally, collect information about protocol and cipher for logging
+++ */
+++ tls_info->protocol = SSL_get_version(TLScontext->con);
+++ cipher = SSL_get_current_cipher(TLScontext->con);
+++ tls_info->cipher_name = SSL_CIPHER_get_name(cipher);
+++ tls_info->cipher_usebits = SSL_CIPHER_get_bits(cipher,
+++ &(tls_info->cipher_algbits));
+++
+++ pfixtls_serveractive = 1;
+++
+++ /*
+++ * The TLS engine is active, switch to the pfixtls_timed_read/write()
+++ * functions and store the context.
+++ */
+++ vstream_control(stream,
+++ VSTREAM_CTL_READ_FN, pfixtls_timed_read,
+++ VSTREAM_CTL_WRITE_FN, pfixtls_timed_write,
+++ VSTREAM_CTL_CONTEXT, (void *)TLScontext,
+++ VSTREAM_CTL_END);
+++
+++ if (var_smtpd_tls_loglevel >= 1)
+++ msg_info("TLS connection established from %s[%s]: %s with cipher %s (%d/%d bits)",
+++ peername, peeraddr,
+++ tls_info->protocol, tls_info->cipher_name,
+++ tls_info->cipher_usebits, tls_info->cipher_algbits);
+++ pfixtls_stir_seed();
+++
+++ return (0);
+++}
+++
+++ /*
+++ * Shut down the TLS connection, that does mean: remove all the information
+++ * and reset the flags! This is needed if the actual running smtpd is to
+++ * be restarted. We do not give back any value, as there is nothing to
+++ * be reported.
+++ * Since our session cache is external, we will remove the session from
+++ * memory in any case. The SSL_CTX_flush_sessions might be redundant here,
+++ * I however want to make sure nothing is left.
+++ * RFC2246 requires us to remove sessions if something went wrong, as
+++ * indicated by the "failure" value, so we remove it from the external
+++ * cache, too.
+++ */
+++int pfixtls_stop_servertls(VSTREAM *stream, int timeout, int failure,
+++ tls_info_t *tls_info)
+++{
+++ TLScontext_t *TLScontext;
+++ int retval;
+++
+++ if (pfixtls_serveractive) {
+++ TLScontext = (TLScontext_t *)vstream_context(stream);
+++ /*
+++ * Perform SSL_shutdown() twice, as the first attempt may return
+++ * to early: it will only send out the shutdown alert but it will
+++ * not wait for the peer's shutdown alert. Therefore, when we are
+++ * the first party to send the alert, we must call SSL_shutdown()
+++ * again.
+++ * On failure we don't want to resume the session, so we will not
+++ * perform SSL_shutdown() and the session will be removed as being
+++ * bad.
+++ */
+++ if (!failure) {
+++ retval = do_tls_operation(vstream_fileno(stream), timeout,
+++ TLScontext, SSL_shutdown, NULL, NULL, NULL, 0);
+++ if (retval == 0)
+++ do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
+++ SSL_shutdown, NULL, NULL, NULL, 0);
+++ }
+++ /*
+++ * Free the SSL structure and the BIOs. Warning: the internal_bio is
+++ * connected to the SSL structure and is automatically freed with
+++ * it. Do not free it again (core dump)!!
+++ * Only free the network_bio.
+++ */
+++ SSL_free(TLScontext->con);
+++ BIO_free(TLScontext->network_bio);
+++ myfree((char *)TLScontext);
+++ vstream_control(stream,
+++ VSTREAM_CTL_READ_FN, (VSTREAM_FN) NULL,
+++ VSTREAM_CTL_WRITE_FN, (VSTREAM_FN) NULL,
+++ VSTREAM_CTL_CONTEXT, (void *) NULL,
+++ VSTREAM_CTL_END);
+++ SSL_CTX_flush_sessions(ctx, time(NULL));
+++
+++ pfixtls_stir_seed();
+++ pfixtls_exchange_seed();
+++
+++ *tls_info = tls_info_zero;
+++ pfixtls_serveractive = 0;
+++
+++ }
+++
+++ return (0);
+++}
+++
+++
+++ /*
+++ * This is the setup routine for the SSL client. As smtpd might be called
+++ * more than once, we only want to do the initialization one time.
+++ *
+++ * The skeleton of this function is taken from OpenSSL apps/s_client.c.
+++ */
+++
+++int pfixtls_init_clientengine(int verifydepth)
+++{
+++ int off = 0;
+++ int verify_flags = SSL_VERIFY_NONE;
+++ int rand_bytes;
+++ int rand_source_dev_fd;
+++ int rand_source_socket_fd;
+++ unsigned char buffer[255];
+++ char *CApath;
+++ char *CAfile;
+++ char *c_cert_file;
+++ char *c_key_file;
+++
+++
+++ if (pfixtls_clientengine)
+++ return (0); /* already running */
+++
+++ if (var_smtp_tls_loglevel >= 2)
+++ msg_info("starting TLS engine");
+++
+++ /*
+++ * Initialize the OpenSSL library by the book!
+++ * To start with, we must initialize the algorithms.
+++ * We want cleartext error messages instead of just error codes, so we
+++ * load the error_strings.
+++ */
+++ SSL_load_error_strings();
+++ OpenSSL_add_ssl_algorithms();
+++
+++ /*
+++ * Side effect, call a non-existing function to disable TLS usage with an
+++ * outdated OpenSSL version. There is a security reason (verify_result
+++ * is not stored with the session data).
+++ */
+++#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
+++ needs_openssl_095_or_later();
+++#endif
+++
+++ /*
+++ * Initialize the PRNG Pseudo Random Number Generator with some seed.
+++ */
+++ randseed.pid = getpid();
+++ GETTIMEOFDAY(&randseed.tv);
+++ RAND_seed(&randseed, sizeof(randseed_t));
+++
+++ /*
+++ * Access the external sources for random seed. We will only query them
+++ * once, this should be sufficient and we will stir our entropy by using
+++ * the prng-exchange file anyway.
+++ * For reliability, we don't consider failure to access the additional
+++ * source fatal, as we can run happily without it (considering that we
+++ * still have the exchange-file). We also don't care how much entropy
+++ * we get back, as we must run anyway. We simply stir in the buffer
+++ * regardless how many bytes are actually in it.
+++ */
+++ if (*var_tls_daemon_rand_source) {
+++ if (!strncmp(var_tls_daemon_rand_source, "dev:", 4)) {
+++ /*
+++ * Source is a random device
+++ */
+++ rand_source_dev_fd = open(var_tls_daemon_rand_source + 4, 0, 0);
+++ if (rand_source_dev_fd == -1)
+++ msg_info("Could not open entropy device %s",
+++ var_tls_daemon_rand_source);
+++ else {
+++ if (var_tls_daemon_rand_bytes > 255)
+++ var_tls_daemon_rand_bytes = 255;
+++ read(rand_source_dev_fd, buffer, var_tls_daemon_rand_bytes);
+++ RAND_seed(buffer, var_tls_daemon_rand_bytes);
+++ close(rand_source_dev_fd);
+++ }
+++ } else if (!strncmp(var_tls_daemon_rand_source, "egd:", 4)) {
+++ /*
+++ * Source is a EGD compatible socket
+++ */
+++ rand_source_socket_fd = unix_connect(var_tls_daemon_rand_source +4,
+++ BLOCKING, 10);
+++ if (rand_source_socket_fd == -1)
+++ msg_info("Could not connect to %s", var_tls_daemon_rand_source);
+++ else {
+++ if (var_tls_daemon_rand_bytes > 255)
+++ var_tls_daemon_rand_bytes = 255;
+++ buffer[0] = 1;
+++ buffer[1] = var_tls_daemon_rand_bytes;
+++ if (write(rand_source_socket_fd, buffer, 2) != 2)
+++ msg_info("Could not talk to %s",
+++ var_tls_daemon_rand_source);
+++ else if (read(rand_source_socket_fd, buffer, 1) != 1)
+++ msg_info("Could not read info from %s",
+++ var_tls_daemon_rand_source);
+++ else {
+++ rand_bytes = buffer[0];
+++ read(rand_source_socket_fd, buffer, rand_bytes);
+++ RAND_seed(buffer, rand_bytes);
+++ }
+++ close(rand_source_socket_fd);
+++ }
+++ } else {
+++ RAND_load_file(var_tls_daemon_rand_source,
+++ var_tls_daemon_rand_bytes);
+++ }
+++ }
+++
+++ if (*var_tls_rand_exch_name) {
+++ rand_exch_fd = open(var_tls_rand_exch_name, O_RDWR | O_CREAT, 0600);
+++ if (rand_exch_fd != -1)
+++ pfixtls_exchange_seed();
+++ }
+++
+++ randseed.pid = getpid();
+++ GETTIMEOFDAY(&randseed.tv);
+++ RAND_seed(&randseed, sizeof(randseed_t));
+++
+++ /*
+++ * The SSL/TLS speficications require the client to send a message in
+++ * the oldest specification it understands with the highest level it
+++ * understands in the message.
+++ * RFC2487 is only specified for TLSv1, but we want to be as compatible
+++ * as possible, so we will start off with a SSLv2 greeting allowing
+++ * the best we can offer: TLSv1.
+++ * We can restrict this with the options setting later, anyhow.
+++ */
+++ ctx = SSL_CTX_new(SSLv23_client_method());
+++ if (ctx == NULL) {
+++ pfixtls_print_errors();
+++ return (-1);
+++ };
+++
+++ /*
+++ * Here we might set SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1.
+++ * Of course, the last one would not make sense, since RFC2487 is only
+++ * defined for TLS, but we don't know what is out there. So leave things
+++ * completely open, as of today.
+++ */
+++ off |= SSL_OP_ALL; /* Work around all known bugs */
+++ SSL_CTX_set_options(ctx, off);
+++
+++ /*
+++ * Set the info_callback, that will print out messages during
+++ * communication on demand.
+++ */
+++ if (var_smtp_tls_loglevel >= 2)
+++ SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
+++
+++ /*
+++ * Set the list of ciphers, if explicitely given; otherwise the
+++ * (reasonable) default list is kept.
+++ */
+++ if (strlen(var_smtp_tls_cipherlist) != 0)
+++ if (SSL_CTX_set_cipher_list(ctx, var_smtp_tls_cipherlist) == 0) {
+++ pfixtls_print_errors();
+++ return (-1);
+++ }
+++
+++ /*
+++ * Now we must add the necessary certificate stuff: A client key, a
+++ * client certificate, and the CA certificates for both the client
+++ * cert and the verification of server certificates.
+++ * In fact, we do not need a client certificate, so the certificates
+++ * are only loaded (and checked), if supplied. A clever client would
+++ * handle multiple client certificates and decide based on the list
+++ * of acceptable CAs, sent by the server, which certificate to submit.
+++ * OpenSSL does however not do this and also has no callback hoods to
+++ * easily realize it.
+++ *
+++ * As provided by OpenSSL we support two types of CA certificate handling:
+++ * One possibility is to add all CA certificates to one large CAfile,
+++ * the other possibility is a directory pointed to by CApath, containing
+++ * seperate files for each CA pointed on by softlinks named by the hash
+++ * values of the certificate.
+++ * The first alternative has the advantage, that the file is opened and
+++ * read at startup time, so that you don't have the hassle to maintain
+++ * another copy of the CApath directory for chroot-jail. On the other
+++ * hand, the file is not really readable.
+++ */
+++ if (strlen(var_smtp_tls_CAfile) == 0)
+++ CAfile = NULL;
+++ else
+++ CAfile = var_smtp_tls_CAfile;
+++ if (strlen(var_smtp_tls_CApath) == 0)
+++ CApath = NULL;
+++ else
+++ CApath = var_smtp_tls_CApath;
+++ if (CAfile || CApath) {
+++ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
+++ msg_info("TLS engine: cannot load CA data");
+++ pfixtls_print_errors();
+++ return (-1);
+++ }
+++ if (!SSL_CTX_set_default_verify_paths(ctx)) {
+++ msg_info("TLS engine: cannot set verify paths");
+++ pfixtls_print_errors();
+++ return (-1);
+++ }
+++ }
+++
+++ if (strlen(var_smtp_tls_cert_file) == 0)
+++ c_cert_file = NULL;
+++ else
+++ c_cert_file = var_smtp_tls_cert_file;
+++ if (strlen(var_smtp_tls_key_file) == 0)
+++ c_key_file = NULL;
+++ else
+++ c_key_file = var_smtp_tls_key_file;
+++ if (c_cert_file || c_key_file)
+++ if (!set_cert_stuff(ctx, c_cert_file, c_key_file)) {
+++ msg_info("TLS engine: cannot load cert/key data");
+++ pfixtls_print_errors();
+++ return (-1);
+++ }
+++
+++ /*
+++ * Sometimes a temporary RSA key might be needed by the OpenSSL
+++ * library. The OpenSSL doc indicates, that this might happen when
+++ * export ciphers are in use. We have to provide one, so well, we
+++ * just do it.
+++ */
+++ SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
+++
+++ /*
+++ * Finally, the setup for the server certificate checking, done
+++ * "by the book".
+++ */
+++ SSL_CTX_set_verify(ctx, verify_flags, verify_callback);
+++
+++ /*
+++ * Initialize the session cache. We only want external caching to
+++ * synchronize between server sessions, so we set it to a minimum value
+++ * of 1. If the external cache is disabled, we won't cache at all.
+++ *
+++ * In case of the client, there is no callback used in OpenSSL, so
+++ * we must call the session cache functions manually during the process.
+++ */
+++ SSL_CTX_sess_set_cache_size(ctx, 1);
+++ SSL_CTX_set_timeout(ctx, var_smtp_tls_scache_timeout);
+++
+++ /*
+++ * The session cache is realized by an external database file, that
+++ * must be opened before going to chroot jail. Since the session cache
+++ * data can become quite large, "[n]dbm" cannot be used as it has a
+++ * size limit that is by far to small.
+++ */
+++ if (*var_smtp_tls_scache_db) {
+++ /*
+++ * Insert a test against other dbms here, otherwise while writing
+++ * a session (content to large), we will receive a fatal error!
+++ */
+++ if (strncmp(var_smtp_tls_scache_db, "sdbm:", 5))
+++ msg_warn("Only sdbm: type allowed for %s",
+++ var_smtp_tls_scache_db);
+++ else
+++ scache_db = dict_open(var_smtp_tls_scache_db, O_RDWR,
+++ DICT_FLAG_DUP_REPLACE | DICT_FLAG_LOCK | DICT_FLAG_SYNC_UPDATE);
+++ if (!scache_db)
+++ msg_warn("Could not open session cache %s",
+++ var_smtp_tls_scache_db);
+++ /*
+++ * It is practical to have OpenSSL automatically save newly created
+++ * sessions for us by callback. Therefore we have to enable the
+++ * internal session cache for the client side. Disable automatic
+++ * clearing, as smtp has limited lifetime anyway and we can call
+++ * the cleanup routine at will.
+++ */
+++ SSL_CTX_set_session_cache_mode(ctx,
+++ SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_NO_AUTO_CLEAR);
+++ SSL_CTX_sess_set_new_cb(ctx, new_session_cb);
+++ }
+++
+++ /*
+++ * Finally create the global index to access TLScontext information
+++ * inside verify_callback.
+++ */
+++ TLScontext_index = SSL_get_ex_new_index(0, "TLScontext ex_data index",
+++ NULL, NULL, NULL);
+++ TLSpeername_index = SSL_SESSION_get_ex_new_index(0,
+++ "TLSpeername ex_data index",
+++ new_peername_func,
+++ dup_peername_func,
+++ free_peername_func);
+++
+++ pfixtls_clientengine = 1;
+++ return (0);
+++}
+++
+++ /*
+++ * This is the actual startup routine for the connection. We expect
+++ * that the buffers are flushed and the "220 Ready to start TLS" was
+++ * received by us, so that we can immediately can start the TLS
+++ * handshake process.
+++ */
+++int pfixtls_start_clienttls(VSTREAM *stream, int timeout,
+++ int enforce_peername,
+++ const char *peername,
+++ tls_info_t *tls_info)
+++{
+++ int sts;
+++ SSL_SESSION *session, *old_session;
+++ SSL_CIPHER *cipher;
+++ X509 *peer;
+++ int verify_flags;
+++ TLScontext_t *TLScontext;
+++
+++ if (!pfixtls_clientengine) { /* should never happen */
+++ msg_info("tls_engine not running");
+++ return (-1);
+++ }
+++ if (var_smtpd_tls_loglevel >= 1)
+++ msg_info("setting up TLS connection to %s", peername);
+++
+++ /*
+++ * Allocate a new TLScontext for the new connection and get an SSL
+++ * structure. Add the location of TLScontext to the SSL to later
+++ * retrieve the information inside the verify_callback().
+++ */
+++ TLScontext = (TLScontext_t *)mymalloc(sizeof(TLScontext_t));
+++ if (!TLScontext) {
+++ msg_fatal("Could not allocate 'TLScontext' with mymalloc");
+++ }
+++ if ((TLScontext->con = (SSL *) SSL_new(ctx)) == NULL) {
+++ msg_info("Could not allocate 'TLScontext->con' with SSL_new()");
+++ pfixtls_print_errors();
+++ myfree((char *)TLScontext);
+++ return (-1);
+++ }
+++ if (!SSL_set_ex_data(TLScontext->con, TLScontext_index, TLScontext)) {
+++ msg_info("Could not set application data for 'TLScontext->con'");
+++ pfixtls_print_errors();
+++ SSL_free(TLScontext->con);
+++ myfree((char *)TLScontext);
+++ return (-1);
+++ }
+++
+++ /*
+++ * Set the verification parameters to be checked in verify_callback().
+++ */
+++ if (enforce_peername) {
+++ verify_flags = SSL_VERIFY_PEER;
+++ TLScontext->enforce_verify_errors = 1;
+++ TLScontext->enforce_CN = 1;
+++ SSL_set_verify(TLScontext->con, verify_flags, verify_callback);
+++ }
+++ else {
+++ TLScontext->enforce_verify_errors = 0;
+++ TLScontext->enforce_CN = 0;
+++ }
+++ TLScontext->hostname_matched = 0;
+++
+++ /*
+++ * The TLS connection is realized by a BIO_pair, so obtain the pair.
+++ */
+++ if (!BIO_new_bio_pair(&TLScontext->internal_bio, BIO_bufsiz,
+++ &TLScontext->network_bio, BIO_bufsiz)) {
+++ msg_info("Could not obtain BIO_pair");
+++ pfixtls_print_errors();
+++ SSL_free(TLScontext->con);
+++ myfree((char *)TLScontext);
+++ return (-1);
+++ }
+++
+++ old_session = NULL;
+++
+++ /*
+++ * Find out the hashed HostID for the client cache and try to
+++ * load the session from the cache.
+++ */
+++ strncpy(TLScontext->peername_save, peername, ID_MAXLENGTH + 1);
+++ TLScontext->peername_save[ID_MAXLENGTH] = '\0'; /* just in case */
+++ (void)lowercase(TLScontext->peername_save);
+++ if (scache_db) {
+++ old_session = load_clnt_session(peername, enforce_peername);
+++ if (old_session) {
+++ SSL_set_session(TLScontext->con, old_session);
+++#if (OPENSSL_VERSION_NUMBER < 0x00906011L) || (OPENSSL_VERSION_NUMBER == 0x00907000L)
+++ /*
+++ * Ugly Hack: OpenSSL before 0.9.6a does not store the verify
+++ * result in sessions for the client side.
+++ * We modify the session directly which is version specific,
+++ * but this bug is version specific, too.
+++ *
+++ * READ: 0-09-06-01-1 = 0-9-6-a-beta1: all versions before
+++ * beta1 have this bug, it has been fixed during development
+++ * of 0.9.6a. The development version of 0.9.7 can have this
+++ * bug, too. It has been fixed on 2000/11/29.
+++ */
+++ SSL_set_verify_result(TLScontext->con, old_session->verify_result);
+++#endif
+++
+++ }
+++ }
+++
+++ /*
+++ * Before really starting anything, try to seed the PRNG a little bit
+++ * more.
+++ */
+++ pfixtls_stir_seed();
+++ pfixtls_exchange_seed();
+++
+++ /*
+++ * Initialize the SSL connection to connect state. This should not be
+++ * necessary anymore since 0.9.3, but the call is still in the library
+++ * and maintaining compatibility never hurts.
+++ */
+++ SSL_set_connect_state(TLScontext->con);
+++
+++ /*
+++ * Connect the SSL-connection with the postfix side of the BIO-pair for
+++ * reading and writing.
+++ */
+++ SSL_set_bio(TLScontext->con, TLScontext->internal_bio,
+++ TLScontext->internal_bio);
+++
+++ /*
+++ * If the debug level selected is high enough, all of the data is
+++ * dumped: 3 will dump the SSL negotiation, 4 will dump everything.
+++ *
+++ * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
+++ * Well there is a BIO below the SSL routines that is automatically
+++ * created for us, so we can use it for debugging purposes.
+++ */
+++ if (var_smtp_tls_loglevel >= 3)
+++ BIO_set_callback(SSL_get_rbio(TLScontext->con), bio_dump_cb);
+++
+++
+++ /* Dump the negotiation for loglevels 3 and 4 */
+++ if (var_smtp_tls_loglevel >= 3)
+++ do_dump = 1;
+++
+++ /*
+++ * Now we expect the negotiation to begin. This whole process is like a
+++ * black box for us. We totally have to rely on the routines build into
+++ * the OpenSSL library. The only thing we can do we already have done
+++ * by choosing our own callback certificate verification.
+++ *
+++ * Error handling:
+++ * If the SSL handhake fails, we print out an error message and remove
+++ * everything that might be there. A session has to be removed anyway,
+++ * because RFC2246 requires it.
+++ */
+++ sts = do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
+++ SSL_connect, NULL, NULL, NULL, 0);
+++ if (sts <= 0) {
+++ msg_info("SSL_connect error to %s: %d", peername, sts);
+++ pfixtls_print_errors();
+++ session = SSL_get_session(TLScontext->con);
+++ if (session) {
+++ SSL_CTX_remove_session(ctx, session);
+++ if (var_smtp_tls_loglevel >= 2)
+++ msg_info("SSL session removed");
+++ }
+++ if ((old_session) && (!SSL_session_reused(TLScontext->con)))
+++ SSL_SESSION_free(old_session); /* Must also be removed */
+++ SSL_free(TLScontext->con);
+++ myfree((char *)TLScontext);
+++ return (-1);
+++ }
+++
+++ if (!SSL_session_reused(TLScontext->con)) {
+++ SSL_SESSION_free(old_session); /* Remove unused session */
+++ }
+++ else if (var_smtp_tls_loglevel >= 3)
+++ msg_info("Reusing old session");
+++
+++ /* Only loglevel==4 dumps everything */
+++ if (var_smtp_tls_loglevel < 4)
+++ do_dump = 0;
+++
+++ /*
+++ * Lets see, whether a peer certificate is available and what is
+++ * the actual information. We want to save it for later use.
+++ */
+++ peer = SSL_get_peer_certificate(TLScontext->con);
+++ if (peer != NULL) {
+++ if (SSL_get_verify_result(TLScontext->con) == X509_V_OK)
+++ tls_info->peer_verified = 1;
+++
+++ tls_info->hostname_matched = TLScontext->hostname_matched;
+++ TLScontext->peer_CN[0] = '\0';
+++ if (!X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
+++ NID_commonName, TLScontext->peer_CN, CCERT_BUFSIZ)) {
+++ msg_info("Could not parse server's subject CN");
+++ pfixtls_print_errors();
+++ }
+++ tls_info->peer_CN = TLScontext->peer_CN;
+++
+++ TLScontext->issuer_CN[0] = '\0';
+++ if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
+++ NID_commonName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
+++ msg_info("Could not parse server's issuer CN");
+++ pfixtls_print_errors();
+++ }
+++ if (!TLScontext->issuer_CN[0]) {
+++ /* No issuer CN field, use Organization instead */
+++ if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
+++ NID_organizationName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
+++ msg_info("Could not parse server's issuer Organization");
+++ pfixtls_print_errors();
+++ }
+++ }
+++ tls_info->issuer_CN = TLScontext->issuer_CN;
+++
+++ if (var_smtp_tls_loglevel >= 1) {
+++ if (tls_info->peer_verified)
+++ msg_info("Verified: subject_CN=%s, issuer=%s",
+++ TLScontext->peer_CN, TLScontext->issuer_CN);
+++ else
+++ msg_info("Unverified: subject_CN=%s, issuer=%s",
+++ TLScontext->peer_CN, TLScontext->issuer_CN);
+++ }
+++ X509_free(peer);
+++ }
+++
+++ /*
+++ * Finally, collect information about protocol and cipher for logging
+++ */
+++ tls_info->protocol = SSL_get_version(TLScontext->con);
+++ cipher = SSL_get_current_cipher(TLScontext->con);
+++ tls_info->cipher_name = SSL_CIPHER_get_name(cipher);
+++ tls_info->cipher_usebits = SSL_CIPHER_get_bits(cipher,
+++ &(tls_info->cipher_algbits));
+++
+++ pfixtls_clientactive = 1;
+++
+++ /*
+++ * The TLS engine is active, switch to the pfixtls_timed_read/write()
+++ * functions.
+++ */
+++ vstream_control(stream,
+++ VSTREAM_CTL_READ_FN, pfixtls_timed_read,
+++ VSTREAM_CTL_WRITE_FN, pfixtls_timed_write,
+++ VSTREAM_CTL_CONTEXT, (void *)TLScontext,
+++ VSTREAM_CTL_END);
+++
+++ if (var_smtp_tls_loglevel >= 1)
+++ msg_info("TLS connection established to %s: %s with cipher %s (%d/%d bits)",
+++ peername, tls_info->protocol, tls_info->cipher_name,
+++ tls_info->cipher_usebits, tls_info->cipher_algbits);
+++
+++ pfixtls_stir_seed();
+++
+++ return (0);
+++}
+++
+++ /*
+++ * Shut down the TLS connection, that does mean: remove all the information
+++ * and reset the flags! This is needed if the actual running smtp is to
+++ * be restarted. We do not give back any value, as there is nothing to
+++ * be reported.
+++ * Since our session cache is external, we will remove the session from
+++ * memory in any case. The SSL_CTX_flush_sessions might be redundant here,
+++ * I however want to make sure nothing is left.
+++ * RFC2246 requires us to remove sessions if something went wrong, as
+++ * indicated by the "failure" value,so we remove it from the external
+++ * cache, too.
+++ */
+++int pfixtls_stop_clienttls(VSTREAM *stream, int timeout, int failure,
+++ tls_info_t *tls_info)
+++{
+++ TLScontext_t *TLScontext;
+++ int retval;
+++
+++ if (pfixtls_clientactive) {
+++ TLScontext = (TLScontext_t *)vstream_context(stream);
+++ /*
+++ * Perform SSL_shutdown() twice, as the first attempt may return
+++ * to early: it will only send out the shutdown alert but it will
+++ * not wait for the peer's shutdown alert. Therefore, when we are
+++ * the first party to send the alert, we must call SSL_shutdown()
+++ * again.
+++ * On failure we don't want to resume the session, so we will not
+++ * perform SSL_shutdown() and the session will be removed as being
+++ * bad.
+++ */
+++ if (!failure) {
+++ retval = do_tls_operation(vstream_fileno(stream), timeout,
+++ TLScontext, SSL_shutdown, NULL, NULL, NULL, 0);
+++ if (retval == 0)
+++ do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
+++ SSL_shutdown, NULL, NULL, NULL, 0);
+++ }
+++ /*
+++ * Free the SSL structure and the BIOs. Warning: the internal_bio is
+++ * connected to the SSL structure and is automatically freed with
+++ * it. Do not free it again (core dump)!!
+++ * Only free the network_bio.
+++ */
+++ SSL_free(TLScontext->con);
+++ BIO_free(TLScontext->network_bio);
+++ myfree((char *)TLScontext);
+++ vstream_control(stream,
+++ VSTREAM_CTL_READ_FN, (VSTREAM_FN) NULL,
+++ VSTREAM_CTL_WRITE_FN, (VSTREAM_FN) NULL,
+++ VSTREAM_CTL_CONTEXT, (void *) NULL,
+++ VSTREAM_CTL_END);
+++ SSL_CTX_flush_sessions(ctx, time(NULL));
+++
+++ pfixtls_stir_seed();
+++ pfixtls_exchange_seed();
+++
+++ *tls_info = tls_info_zero;
+++ pfixtls_clientactive = 0;
+++
+++ }
+++
+++ return (0);
+++}
+++
+++
+++#endif /* USE_SSL */
++diff -ruN postfix-2.1.0-vanilla/src/global/pfixtls.h postfix-2.1.0/src/global/pfixtls.h
++--- postfix-2.1.0-vanilla/src/global/pfixtls.h Thu Jan 1 01:00:00 1970
+++++ postfix-2.1.0/src/global/pfixtls.h Sat Apr 24 14:35:27 2004
++@@ -0,0 +1,81 @@
+++/*++
+++/* NAME
+++/* pfixtls 3h
+++/* SUMMARY
+++/* TLS routines
+++/* SYNOPSIS
+++/* include "pfixtls.h"
+++/* DESCRIPTION
+++/* .nf
+++/*--*/
+++
+++#ifndef PFIXTLS_H_INCLUDED
+++#define PFIXTLS_H_INCLUDED
+++
+++#if defined(HAS_SSL) && !defined(USE_SSL)
+++#define USE_SSL
+++#endif
+++
+++typedef struct {
+++ int peer_verified;
+++ int hostname_matched;
+++ char *peer_subject;
+++ char *peer_issuer;
+++ char *peer_fingerprint;
+++ char *peer_CN;
+++ char *issuer_CN;
+++ const char *protocol;
+++ const char *cipher_name;
+++ int cipher_usebits;
+++ int cipher_algbits;
+++} tls_info_t;
+++
+++extern const tls_info_t tls_info_zero;
+++
+++#ifdef USE_SSL
+++
+++typedef struct {
+++ long scache_db_version;
+++ long openssl_version;
+++ time_t timestamp; /* We could add other info here... */
+++ int enforce_peername;
+++} pfixtls_scache_info_t;
+++
+++extern const long scache_db_version;
+++extern const long openssl_version;
+++
+++int pfixtls_timed_read(int fd, void *buf, unsigned len, int timout,
+++ void *unused_timeout);
+++int pfixtls_timed_write(int fd, void *buf, unsigned len, int timeout,
+++ void *unused_timeout);
+++
+++extern int pfixtls_serverengine;
+++int pfixtls_init_serverengine(int verifydepth, int askcert);
+++int pfixtls_start_servertls(VSTREAM *stream, int timeout,
+++ const char *peername, const char *peeraddr,
+++ tls_info_t *tls_info, int require_cert);
+++int pfixtls_stop_servertls(VSTREAM *stream, int timeout, int failure,
+++ tls_info_t *tls_info);
+++
+++extern int pfixtls_clientengine;
+++int pfixtls_init_clientengine(int verifydepth);
+++int pfixtls_start_clienttls(VSTREAM *stream, int timeout,
+++ int enforce_peername,
+++ const char *peername,
+++ tls_info_t *tls_info);
+++int pfixtls_stop_clienttls(VSTREAM *stream, int timeout, int failure,
+++ tls_info_t *tls_info);
+++
+++#endif /* PFIXTLS_H_INCLUDED */
+++#endif
+++
+++/* LICENSE
+++/* .ad
+++/* .fi
+++/* AUTHOR(S)
+++/* Lutz Jaenicke
+++/* BTU Cottbus
+++/* Allgemeine Elektrotechnik
+++/* Universitaetsplatz 3-4
+++/* D-03044 Cottbus, Germany
+++/*--*/
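Review bot: The comments on the two closing `#endif` lines are swapped: the first `#endif` terminates `#ifdef USE_SSL` and the second terminates the `PFIXTLS_H_INCLUDED` include guard, yet the `/* PFIXTLS_H_INCLUDED */` label sits on the first one, so anyone matching blocks by label is pointed at the wrong conditional. They should read `#endif /* USE_SSL */` followed by `#endif /* PFIXTLS_H_INCLUDED */`. The `pfixtls_timed_read` prototype also spells its timeout parameter `timout`, unlike `pfixtls_timed_write` directly beneath it. The `tls_info_t` members `peer_subject`, `peer_issuer` and `peer_fingerprint` are not assigned anywhere in the client start routine of the preceding pfixtls.c hunk; if the server side does not fill them either, a comment marking them as reserved would stop callers from relying on them.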
++diff -ruN postfix-2.1.0-vanilla/src/smtp/Makefile.in postfix-2.1.0/src/smtp/Makefile.in
++--- postfix-2.1.0-vanilla/src/smtp/Makefile.in Thu Apr 22 21:37:45 2004
+++++ postfix-2.1.0/src/smtp/Makefile.in Sat Apr 24 14:35:27 2004
++@@ -77,6 +77,7 @@
++ smtp.o: ../../include/debug_peer.h
++ smtp.o: ../../include/flush_clnt.h
++ smtp.o: ../../include/mail_server.h
+++smtp.o: ../../include/pfixtls.h
++ smtp.o: smtp.h
++ smtp.o: smtp_sasl.h
++ smtp_addr.o: smtp_addr.c
++@@ -96,6 +97,7 @@
++ smtp_addr.o: ../../include/argv.h
++ smtp_addr.o: ../../include/deliver_request.h
++ smtp_addr.o: ../../include/recipient_list.h
+++smtp_addr.o: ../../include/pfixtls.h
++ smtp_addr.o: smtp_addr.h
++ smtp_chat.o: smtp_chat.c
++ smtp_chat.o: ../../include/sys_defs.h
++@@ -116,6 +118,7 @@
++ smtp_chat.o: ../../include/cleanup_user.h
++ smtp_chat.o: ../../include/mail_error.h
++ smtp_chat.o: ../../include/name_mask.h
+++smtp_chat.o: ../../include/pfixtls.h
++ smtp_chat.o: smtp.h
++ smtp_connect.o: smtp_connect.c
++ smtp_connect.o: ../../include/sys_defs.h
++@@ -142,6 +145,7 @@
++ smtp_connect.o: ../../include/mail_error.h
++ smtp_connect.o: ../../include/name_mask.h
++ smtp_connect.o: ../../include/dns.h
+++smtp_connect.o: ../../include/pfixtls.h
++ smtp_connect.o: smtp.h
++ smtp_connect.o: ../../include/argv.h
++ smtp_connect.o: smtp_addr.h
++@@ -174,6 +178,7 @@
++ smtp_proto.o: ../../include/attr.h
++ smtp_proto.o: ../../include/mime_state.h
++ smtp_proto.o: ../../include/header_opts.h
+++smtp_proto.o: ../../include/pfixtls.h
++ smtp_proto.o: smtp.h
++ smtp_proto.o: ../../include/argv.h
++ smtp_proto.o: smtp_sasl.h
++@@ -231,9 +236,12 @@
++ smtp_session.o: ../../include/stringops.h
++ smtp_session.o: ../../include/vstring.h
++ smtp_session.o: smtp.h
+++smtp_session.o: ../../include/mail_params.h
+++smtp_session.o: ../../include/pfixtls.h
++ smtp_session.o: ../../include/argv.h
++ smtp_session.o: ../../include/deliver_request.h
++ smtp_session.o: ../../include/recipient_list.h
+++smtp_session.o: ../../include/maps.h
++ smtp_state.o: smtp_state.c
++ smtp_state.o: ../../include/sys_defs.h
++ smtp_state.o: ../../include/mymalloc.h
++@@ -247,6 +255,7 @@
++ smtp_state.o: ../../include/argv.h
++ smtp_state.o: ../../include/deliver_request.h
++ smtp_state.o: ../../include/recipient_list.h
+++smtp_state.o: ../../include/pfixtls.h
++ smtp_state.o: smtp_sasl.h
++ smtp_trouble.o: smtp_trouble.c
++ smtp_trouble.o: ../../include/sys_defs.h
++@@ -266,6 +275,7 @@
++ smtp_trouble.o: ../../include/name_mask.h
++ smtp_trouble.o: smtp.h
++ smtp_trouble.o: ../../include/argv.h
+++smtp_trouble.o: ../../include/pfixtls.h
++ smtp_unalias.o: smtp_unalias.c
++ smtp_unalias.o: ../../include/sys_defs.h
++ smtp_unalias.o: ../../include/htable.h
++@@ -278,3 +288,4 @@
++ smtp_unalias.o: ../../include/argv.h
++ smtp_unalias.o: ../../include/deliver_request.h
++ smtp_unalias.o: ../../include/recipient_list.h
+++smtp_unalias.o: ../../include/pfixtls.h
++diff -ruN postfix-2.1.0-vanilla/src/smtp/smtp.c postfix-2.1.0/src/smtp/smtp.c
++--- postfix-2.1.0-vanilla/src/smtp/smtp.c Wed Apr 14 16:25:42 2004
+++++ postfix-2.1.0/src/smtp/smtp.c Sat Apr 24 14:35:27 2004
++@@ -284,6 +284,7 @@
++ #include <mail_conf.h>
++ #include <debug_peer.h>
++ #include <flush_clnt.h>
+++#include <pfixtls.h>
++
++ /* Single server skeleton. */
++
++@@ -333,6 +334,17 @@
++ bool var_smtp_send_xforward;
++ int var_smtp_mxaddr_limit;
++ int var_smtp_mxsess_limit;
+++bool var_smtp_use_tls;
+++bool var_smtp_enforce_tls;
+++char *var_smtp_tls_per_site;
+++#ifdef USE_SSL
+++int var_smtp_starttls_tmout;
+++char *var_smtp_sasl_tls_opts;
+++char *var_smtp_sasl_tls_verified_opts;
+++bool var_smtp_tls_enforce_peername;
+++int var_smtp_tls_scert_vd;
+++bool var_smtp_tls_note_starttls_offer;
+++#endif
++
++ /*
++ * Global variables. smtp_errno is set by the address lookup routines and by
++@@ -453,6 +465,16 @@
++ msg_warn("%s is true, but SASL support is not compiled in",
++ VAR_SMTP_SASL_ENABLE);
++ #endif
+++ /*
+++ * Initialize the TLS data before entering the chroot jail
+++ */
+++ if (var_smtp_use_tls || var_smtp_enforce_tls || var_smtp_tls_per_site[0])
+++#ifdef USE_SSL
+++ pfixtls_init_clientengine(var_smtp_tls_scert_vd);
+++#else
+++ msg_warn("TLS has been selected, but TLS support is not compiled in");
+++#endif
+++ smtp_tls_list_init();
++
++ /*
++ * Flush client.
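Review bot: The return value of `pfixtls_init_clientengine(var_smtp_tls_scert_vd)` is discarded; pfixtls.h declares the function `int` and its success path returns 0, so a failed engine initialization (presumably a nonzero return, the error paths are not in this view) leaves `pfixtls_clientengine` unset with no diagnostic at process start. In smtp_helo the opportunistic path is gated on `session->tls_use_tls && pfixtls_clientengine`, so such a failure silently turns every `MAY` destination into plaintext delivery, while `MUST` destinations defer with a 450 that is only visible per delivery attempt. Suggest `if (pfixtls_init_clientengine(var_smtp_tls_scert_vd) != 0)` followed by `msg_warn("TLS client engine initialization failed; TLS will not be used");` so the operator sees the problem once, at startup.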
++@@ -493,9 +515,14 @@
++ VAR_ERROR_RCPT, DEF_ERROR_RCPT, &var_error_rcpt, 1, 0,
++ VAR_SMTP_SASL_PASSWD, DEF_SMTP_SASL_PASSWD, &var_smtp_sasl_passwd, 0, 0,
++ VAR_SMTP_SASL_OPTS, DEF_SMTP_SASL_OPTS, &var_smtp_sasl_opts, 0, 0,
+++#ifdef USE_SSL
+++ VAR_SMTP_SASL_TLS_OPTS, DEF_SMTP_SASL_TLS_OPTS, &var_smtp_sasl_tls_opts, 0, 0,
+++ VAR_SMTP_SASL_TLSV_OPTS, DEF_SMTP_SASL_TLSV_OPTS, &var_smtp_sasl_tls_verified_opts, 0, 0,
+++#endif
++ VAR_SMTP_BIND_ADDR, DEF_SMTP_BIND_ADDR, &var_smtp_bind_addr, 0, 0,
++ VAR_SMTP_HELO_NAME, DEF_SMTP_HELO_NAME, &var_smtp_helo_name, 1, 0,
++ VAR_SMTP_HOST_LOOKUP, DEF_SMTP_HOST_LOOKUP, &var_smtp_host_lookup, 1, 0,
+++ VAR_SMTP_TLS_PER_SITE, DEF_SMTP_TLS_PER_SITE, &var_smtp_tls_per_site, 0, 0,
++ 0,
++ };
++ static CONFIG_TIME_TABLE time_table[] = {
++@@ -511,12 +538,18 @@
++ VAR_SMTP_QUIT_TMOUT, DEF_SMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0,
++ VAR_SMTP_PIX_THRESH, DEF_SMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0,
++ VAR_SMTP_PIX_DELAY, DEF_SMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0,
+++#ifdef USE_SSL
+++ VAR_SMTP_STARTTLS_TMOUT, DEF_SMTP_STARTTLS_TMOUT, &var_smtp_starttls_tmout, 1, 0,
+++#endif
++ 0,
++ };
++ static CONFIG_INT_TABLE int_table[] = {
++ VAR_SMTP_LINE_LIMIT, DEF_SMTP_LINE_LIMIT, &var_smtp_line_limit, 0, 0,
++ VAR_SMTP_MXADDR_LIMIT, DEF_SMTP_MXADDR_LIMIT, &var_smtp_mxaddr_limit, 0, 0,
++ VAR_SMTP_MXSESS_LIMIT, DEF_SMTP_MXSESS_LIMIT, &var_smtp_mxsess_limit, 0, 0,
+++#ifdef USE_SSL
+++ VAR_SMTP_TLS_SCERT_VD, DEF_SMTP_TLS_SCERT_VD, &var_smtp_tls_scert_vd, 0, 0,
+++#endif
++ 0,
++ };
++ static CONFIG_BOOL_TABLE bool_table[] = {
++@@ -530,6 +563,12 @@
++ VAR_SMTP_QUOTE_821_ENV, DEF_SMTP_QUOTE_821_ENV, &var_smtp_quote_821_env,
++ VAR_SMTP_DEFER_MXADDR, DEF_SMTP_DEFER_MXADDR, &var_smtp_defer_mxaddr,
++ VAR_SMTP_SEND_XFORWARD, DEF_SMTP_SEND_XFORWARD, &var_smtp_send_xforward,
+++ VAR_SMTP_USE_TLS, DEF_SMTP_USE_TLS, &var_smtp_use_tls,
+++ VAR_SMTP_ENFORCE_TLS, DEF_SMTP_ENFORCE_TLS, &var_smtp_enforce_tls,
+++#ifdef USE_SSL
+++ VAR_SMTP_TLS_ENFORCE_PN, DEF_SMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername,
+++ VAR_SMTP_TLS_NOTEOFFER, DEF_SMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer,
+++#endif
++ 0,
++ };
++
++diff -ruN postfix-2.1.0-vanilla/src/smtp/smtp.h postfix-2.1.0/src/smtp/smtp.h
++--- postfix-2.1.0-vanilla/src/smtp/smtp.h Fri Dec 26 20:17:29 2003
+++++ postfix-2.1.0/src/smtp/smtp.h Sat Apr 24 14:35:27 2004
++@@ -27,6 +27,7 @@
++ * Global library.
++ */
++ #include <deliver_request.h>
+++#include <pfixtls.h>
++
++ /*
++ * State information associated with each SMTP delivery. We're bundling the
++@@ -113,9 +114,14 @@
++ char *addr; /* mail exchanger */
++ char *namaddr; /* mail exchanger */
++ int best; /* most preferred host */
+++ int tls_use_tls; /* can do TLS */
+++ int tls_enforce_tls; /* must do TLS */
+++ int tls_enforce_peername; /* cert must match */
+++ tls_info_t tls_info; /* TLS connection state */
++ } SMTP_SESSION;
++
++-extern SMTP_SESSION *smtp_session_alloc(VSTREAM *, char *, char *);
+++extern void smtp_tls_list_init(void);
+++extern SMTP_SESSION *smtp_session_alloc(char *, VSTREAM *, char *, char *);
++ extern void smtp_session_free(SMTP_SESSION *);
++
++ /*
++diff -ruN postfix-2.1.0-vanilla/src/smtp/smtp_connect.c postfix-2.1.0/src/smtp/smtp_connect.c
++--- postfix-2.1.0-vanilla/src/smtp/smtp_connect.c Thu Mar 25 19:07:35 2004
+++++ postfix-2.1.0/src/smtp/smtp_connect.c Sat Apr 24 14:46:23 2004
++@@ -86,6 +86,7 @@
++ #include <debug_peer.h>
++ #include <deliver_pass.h>
++ #include <mail_error.h>
+++#include <pfixtls.h>
++
++ /* DNS library. */
++
++@@ -98,7 +99,7 @@
++
++ /* smtp_connect_addr - connect to explicit address */
++
++-static SMTP_SESSION *smtp_connect_addr(DNS_RR *addr, unsigned port,
+++static SMTP_SESSION *smtp_connect_addr(char *dest, DNS_RR *addr, unsigned port,
++ VSTRING *why)
++ {
++ char *myname = "smtp_connect_addr";
++@@ -212,7 +213,7 @@
++ return (0);
++ }
++ vstream_ungetc(stream, ch);
++- return (smtp_session_alloc(stream, addr->name, inet_ntoa(sin.sin_addr)));
+++ return (smtp_session_alloc(dest, stream, addr->name, inet_ntoa(sin.sin_addr)));
++ }
++
++ /* smtp_parse_destination - parse destination */
++@@ -348,7 +349,7 @@
++ next = addr->next;
++ if (++addr_count == var_smtp_mxaddr_limit)
++ next = 0;
++- if ((state->session = smtp_connect_addr(addr, port, why)) != 0) {
+++ if ((state->session = smtp_connect_addr(host, addr, port, why)) != 0) {
++ if (++sess_count == var_smtp_mxsess_limit)
++ next = 0;
++ state->final_server = (cpp[1] == 0 && next == 0);
++diff -ruN postfix-2.1.0-vanilla/src/smtp/smtp_proto.c postfix-2.1.0/src/smtp/smtp_proto.c
++--- postfix-2.1.0-vanilla/src/smtp/smtp_proto.c Wed Apr 14 22:02:20 2004
+++++ postfix-2.1.0/src/smtp/smtp_proto.c Sat Apr 24 14:35:27 2004
++@@ -102,6 +102,7 @@
++ #include <quote_821_local.h>
++ #include <mail_proto.h>
++ #include <mime_state.h>
+++#include <pfixtls.h>
++
++ /* Application-specific. */
++
++@@ -184,6 +185,8 @@
++ XFORWARD_HELO, SMTP_FEATURE_XFORWARD_HELO,
++ 0, 0,
++ };
+++ int oldfeatures;
+++ int rval;
++
++ /*
++ * Prepare for disaster.
++@@ -256,7 +259,8 @@
++ translit(resp->str, "\n", " ")));
++ return (0);
++ }
++-
+++ if (var_smtp_always_ehlo)
+++ state->features |= SMTP_FEATURE_ESMTP;
++ /*
++ * Pick up some useful features offered by the SMTP server. XXX Until we
++ * have a portable routine to convert from string to off_t with proper
++@@ -268,6 +272,7 @@
++ * MicroSoft implemented AUTH based on an old draft.
++ */
++ lines = resp->str;
+++ oldfeatures = state->features; /* remember */
++ while ((words = mystrtok(&lines, "\n")) != 0) {
++ if (mystrtok(&words, "- ") && (word = mystrtok(&words, " \t=")) != 0) {
++ if (strcasecmp(word, "8BITMIME") == 0)
++@@ -288,6 +293,8 @@
++ state->size_limit = off_cvt_string(word);
++ }
++ }
+++ else if (strcasecmp(word, "STARTTLS") == 0)
+++ state->features |= SMTP_FEATURE_STARTTLS;
++ #ifdef USE_SASL_AUTH
++ else if (var_smtp_sasl_enable && strcasecmp(word, "AUTH") == 0)
++ smtp_sasl_helo_auth(state, words);
++@@ -307,6 +314,128 @@
++ msg_info("server features: 0x%x size %.0f",
++ state->features, (double) state->size_limit);
++
+++#ifdef USE_SSL
+++ if ((state->features & SMTP_FEATURE_STARTTLS) &&
+++ (var_smtp_tls_note_starttls_offer) &&
+++ (!(session->tls_enforce_tls || session->tls_use_tls)))
+++ msg_info("Host offered STARTTLS: [%s]", session->host);
+++ if ((session->tls_enforce_tls) &&
+++ !(state->features & SMTP_FEATURE_STARTTLS))
+++ {
+++ /*
+++ * We are enforced to use TLS but it is not offered, so we will give
+++ * up on this host. We won't even try STARTTLS, because we could
+++ * receive a "500 command unrecognized" which would bounce the
+++ * message. We instead want to delay until STARTTLS becomes
+++ * available.
+++ */
+++ return (smtp_site_fail(state, 450, "Could not start TLS: not offered"));
+++ }
+++ if ((session->tls_enforce_tls) && !pfixtls_clientengine) {
+++ /*
+++ * We would like to start client TLS, but our own TLS-engine is
+++ * not running.
+++ */
+++ return (smtp_site_fail(state, 450,
+++ "Could not start TLS: our TLS-engine not running"));
+++ }
+++ if ((state->features & SMTP_FEATURE_STARTTLS) &&
+++ ((session->tls_use_tls && pfixtls_clientengine) ||
+++ (session->tls_enforce_tls))) {
+++ /*
+++ * Try to use the TLS feature
+++ */
+++ smtp_chat_cmd(state, "STARTTLS");
+++ if ((resp = smtp_chat_resp(state))->code / 100 != 2) {
+++ state->features &= ~SMTP_FEATURE_STARTTLS;
+++ /*
+++ * At this point a political decision is necessary. If we
+++ * enforce usage of tls, we have to close the connection
+++ * now.
+++ */
+++ if (session->tls_enforce_tls)
+++ return (smtp_site_fail(state, resp->code,
+++ "host %s refused to start TLS: %s",
+++ session->host,
+++ translit(resp->str, "\n", " ")));
+++ } else {
+++ if (rval = pfixtls_start_clienttls(session->stream,
+++ var_smtp_starttls_tmout,
+++ session->tls_enforce_peername,
+++ session->host,
+++ &(session->tls_info)))
+++ return (smtp_site_fail(state, 450,
+++ "Could not start TLS: client failure"));
+++
+++
+++ /*
+++ * Now the connection is established and maybe we do have a
+++ * validated cert with a CommonName in it.
+++ * In enforce_peername state, the handshake would already have
+++ * been terminated so the check here is for logging only!
+++ */
+++ if (session->tls_info.peer_CN != NULL) {
+++ if (!session->tls_info.peer_verified) {
+++ msg_info("Peer certficate could not be verified");
+++ if (session->tls_enforce_tls) {
+++ pfixtls_stop_clienttls(session->stream,
+++ var_smtp_starttls_tmout, 1,
+++ &(session->tls_info));
+++ return(smtp_site_fail(state, 450, "TLS-failure: Could not verify certificate"));
+++ }
+++ }
+++ } else if (session->tls_enforce_tls) {
+++ pfixtls_stop_clienttls(session->stream,
+++ var_smtp_starttls_tmout, 1,
+++ &(session->tls_info));
+++ return (smtp_site_fail(state, 450, "TLS-failure: Cannot verify hostname"));
+++ }
+++
+++ /*
+++ * At this point we have to re-negotiate the "EHLO" to reget
+++ * the feature-list
+++ */
+++ state->features = oldfeatures;
+++#ifdef USE_SASL_AUTH
+++ if (state->sasl_mechanism_list) {
+++ myfree(state->sasl_mechanism_list);
+++ state->sasl_mechanism_list = 0;
+++ }
+++#endif
+++ if (state->features & SMTP_FEATURE_ESMTP) {
+++ smtp_chat_cmd(state, "EHLO %s", var_myhostname);
+++ if ((resp = smtp_chat_resp(state))->code / 100 != 2)
+++ state->features &= ~SMTP_FEATURE_ESMTP;
+++ }
+++ lines = resp->str;
+++ (void) mystrtok(&lines, "\n");
+++ while ((words = mystrtok(&lines, "\n")) != 0) {
+++ if (mystrtok(&words, "- ") &&
+++ (word = mystrtok(&words, " \t=")) != 0) {
+++ if (strcasecmp(word, "8BITMIME") == 0)
+++ state->features |= SMTP_FEATURE_8BITMIME;
+++ else if (strcasecmp(word, "PIPELINING") == 0)
+++ state->features |= SMTP_FEATURE_PIPELINING;
+++ else if (strcasecmp(word, "SIZE") == 0)
+++ state->features |= SMTP_FEATURE_SIZE;
+++ else if (strcasecmp(word, "STARTTLS") == 0)
+++ state->features |= SMTP_FEATURE_STARTTLS;
+++#ifdef USE_SASL_AUTH
+++ else if (var_smtp_sasl_enable &&
+++ strcasecmp(word, "AUTH") == 0)
+++ smtp_sasl_helo_auth(state, words);
+++#endif
+++ }
+++ }
+++ /*
+++ * Actually, at this point STARTTLS should not be offered
+++ * anymore, so we could check for a protocol violation, but
+++ * what should we do then?
+++ */
+++
+++ }
+++ }
+++#endif
++ #ifdef USE_SASL_AUTH
++ if (var_smtp_sasl_enable && (state->features & SMTP_FEATURE_AUTH))
++ return (smtp_sasl_helo_login(state));
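Review bot: When the EHLO re-sent after the TLS handshake is rejected, the code clears `SMTP_FEATURE_ESMTP` but then still parses `resp->str` of that error reply as a feature list and lets the session continue without any accepted EHLO or HELO, which RFC 3207 requires after the handshake; the plaintext HELO fallback lives outside this hunk and is not reached from here. The post-TLS feature re-parse should run only on a 2xx reply, with a non-2xx reply either falling back to HELO as the plaintext path does or failing the site with `resp->code` and the server's text. Restoring `oldfeatures` (captured before the plaintext EHLO was parsed) is the right defence against features advertised in the clear, and deserves a one-line comment saying so, since it looks like a no-op at first read. Style: `if (rval = pfixtls_start_clienttls(...))` assigns inside the condition and `rval` is never read again; `if (pfixtls_start_clienttls(...) != 0)` with the local removed is clearer, and the log text `Peer certficate` is misspelled.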
++diff -ruN postfix-2.1.0-vanilla/src/smtp/smtp_session.c postfix-2.1.0/src/smtp/smtp_session.c
++--- postfix-2.1.0-vanilla/src/smtp/smtp_session.c Mon Nov 20 19:06:05 2000
+++++ postfix-2.1.0/src/smtp/smtp_session.c Sat Apr 24 14:35:27 2004
++@@ -42,15 +42,40 @@
++ #include <vstream.h>
++ #include <stringops.h>
++
+++#include <mail_params.h>
+++#include <maps.h>
+++#include <pfixtls.h>
+++
++ /* Application-specific. */
++
++ #include "smtp.h"
++
+++/* static lists */
+++static MAPS *tls_per_site;
+++
+++/* smtp_tls_list_init - initialize lists */
+++
+++void smtp_tls_list_init(void)
+++{
+++ tls_per_site = maps_create(VAR_SMTP_TLS_PER_SITE, var_smtp_tls_per_site,
+++ DICT_FLAG_LOCK);
+++}
+++
++ /* smtp_session_alloc - allocate and initialize SMTP_SESSION structure */
++
++-SMTP_SESSION *smtp_session_alloc(VSTREAM *stream, char *host, char *addr)
+++SMTP_SESSION *smtp_session_alloc(char *dest, VSTREAM *stream, char *host, char *addr)
++ {
++ SMTP_SESSION *session;
+++ const char *lookup;
+++ char *lookup_key;
+++ int host_dont_use = 0;
+++ int host_use = 0;
+++ int host_enforce = 0;
+++ int host_enforce_peername = 0;
+++ int recipient_dont_use = 0;
+++ int recipient_use = 0;
+++ int recipient_enforce = 0;
+++ int recipient_enforce_peername = 0;
++
++ session = (SMTP_SESSION *) mymalloc(sizeof(*session));
++ session->stream = stream;
++@@ -58,6 +83,61 @@
++ session->addr = mystrdup(addr);
++ session->namaddr = concatenate(host, "[", addr, "]", (char *) 0);
++ session->best = 1;
+++ session->tls_use_tls = session->tls_enforce_tls = 0;
+++ session->tls_enforce_peername = 0;
+++#ifdef USE_SSL
+++ lookup_key = lowercase(mystrdup(host));
+++ if (lookup = maps_find(tls_per_site, lookup_key, 0)) {
+++ if (!strcasecmp(lookup, "NONE"))
+++ host_dont_use = 1;
+++ else if (!strcasecmp(lookup, "MAY"))
+++ host_use = 1;
+++ else if (!strcasecmp(lookup, "MUST"))
+++ host_enforce = host_enforce_peername = 1;
+++ else if (!strcasecmp(lookup, "MUST_NOPEERMATCH"))
+++ host_enforce = 1;
+++ else
+++ msg_warn("Unknown TLS state for receiving host %s: '%s', using default policy", session->host, lookup);
+++ }
+++ myfree(lookup_key);
+++ lookup_key = lowercase(mystrdup(dest));
+++ if (lookup = maps_find(tls_per_site, dest, 0)) {
+++ if (!strcasecmp(lookup, "NONE"))
+++ recipient_dont_use = 1;
+++ else if (!strcasecmp(lookup, "MAY"))
+++ recipient_use = 1;
+++ else if (!strcasecmp(lookup, "MUST"))
+++ recipient_enforce = recipient_enforce_peername = 1;
+++ else if (!strcasecmp(lookup, "MUST_NOPEERMATCH"))
+++ recipient_enforce = 1;
+++ else
+++ msg_warn("Unknown TLS state for recipient domain %s: '%s', using default policy", dest, lookup);
+++ }
+++ myfree(lookup_key);
+++
+++ if ((var_smtp_enforce_tls && !host_dont_use && !recipient_dont_use) || host_enforce ||
+++ recipient_enforce)
+++ session->tls_enforce_tls = session->tls_use_tls = 1;
+++
+++ /*
+++ * Set up peername checking. We want to make sure that a MUST* entry in
+++ * the tls_per_site table always has precedence. MUST always must lead to
+++ * a peername check, MUST_NOPEERMATCH must always disable it. Only when
+++ * no explicit setting has been found, the default will be used.
+++ * There is the case left, that both "host" and "recipient" settings
+++ * conflict. In this case, the "host" setting wins.
+++ */
+++ if (host_enforce && host_enforce_peername)
+++ session->tls_enforce_peername = 1;
+++ else if (recipient_enforce && recipient_enforce_peername)
+++ session->tls_enforce_peername = 1;
+++ else if (var_smtp_enforce_tls && var_smtp_tls_enforce_peername)
+++ session->tls_enforce_peername = 1;
+++
+++ else if ((var_smtp_use_tls && !host_dont_use && !recipient_dont_use) || host_use || recipient_use)
+++ session->tls_use_tls = 1;
+++#endif
+++ session->tls_info = tls_info_zero;
++ return (session);
++ }
++
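Review bot: The recipient-domain lookup passes `dest` to `maps_find()` instead of the lowercased `lookup_key` that was just built from it, so the key is computed and freed without being used; the host lookup a few lines above uses `lookup_key` correctly. Unless the underlying dict folds case itself, a `MUST` entry for a domain that appears in different case in the delivery request silently misses and the session drops to the default policy — the downgrade the per-site table exists to prevent. Change it to `if (lookup = maps_find(tls_per_site, lookup_key, 0)) {`. Separately, the comment says the host setting wins on conflict, but a host `MUST_NOPEERMATCH` combined with a recipient `MUST` still sets `tls_enforce_peername` via the second `else if`; that is the stricter outcome, so it is the comment rather than the code that should be corrected. The final `else if` that sets `tls_use_tls` hangs off the peername chain and is skipped whenever any peername branch fires; it should be a separate `if`, or carry a comment explaining why that coupling is intended.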
++@@ -65,6 +145,11 @@
++
++ void smtp_session_free(SMTP_SESSION *session)
++ {
+++#ifdef USE_SSL
+++ vstream_fflush(session->stream);
+++ pfixtls_stop_clienttls(session->stream, var_smtp_starttls_tmout, 0,
+++ &(session->tls_info));
+++#endif
++ vstream_fclose(session->stream);
++ myfree(session->host);
++ myfree(session->addr);
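Review bot: `pfixtls_stop_clienttls()` is called with `failure` hard-wired to 0, so a session torn down after a delivery error is still shut down cleanly and its TLS session kept for resumption; the stop routine's own header comment says RFC 2246 requires removing the session when something went wrong, and this caller has no way to say so. In smtp_proto.c only the two certificate-check paths call `pfixtls_stop_clienttls(..., 1, ...)` before the session is freed, so either every other failure path must do likewise or `SMTP_SESSION` needs a failure flag that this function passes through. The result of `vstream_fflush(session->stream)` is also ignored; if it reports an error, a `msg_warn` before sending shutdown alerts over a possibly broken stream would help diagnose hangs at `timeout`.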
++diff -ruN postfix-2.1.0-vanilla/src/smtpd/Makefile.in postfix-2.1.0/src/smtpd/Makefile.in
++--- postfix-2.1.0-vanilla/src/smtpd/Makefile.in Thu Apr 22 21:37:39 2004
+++++ postfix-2.1.0/src/smtpd/Makefile.in Sat Apr 24 14:35:27 2004
++@@ -150,6 +150,7 @@
++ smtpd.o: ../../include/namadr_list.h
++ smtpd.o: ../../include/input_transp.h
++ smtpd.o: ../../include/mail_server.h
+++smtpd.o: ../../include/pfixtls.h
++ smtpd.o: smtpd_token.h
++ smtpd.o: smtpd.h
++ smtpd.o: smtpd_check.h
++@@ -179,6 +180,7 @@
++ smtpd_chat.o: ../../include/cleanup_user.h
++ smtpd_chat.o: ../../include/mail_error.h
++ smtpd_chat.o: ../../include/name_mask.h
+++smtpd_chat.o: ../../include/pfixtls.h
++ smtpd_chat.o: smtpd.h
++ smtpd_chat.o: ../../include/mail_stream.h
++ smtpd_chat.o: smtpd_chat.h
++@@ -233,6 +235,7 @@
++ smtpd_check.o: ../../include/is_header.h
++ smtpd_check.o: smtpd.h
++ smtpd_check.o: ../../include/mail_stream.h
+++smtpd_check.o: ../../include/pfixtls.h
++ smtpd_check.o: smtpd_sasl_glue.h
++ smtpd_check.o: smtpd_check.h
++ smtpd_peer.o: smtpd_peer.c
++@@ -250,6 +253,7 @@
++ smtpd_peer.o: smtpd.h
++ smtpd_peer.o: ../../include/argv.h
++ smtpd_peer.o: ../../include/mail_stream.h
+++smtpd_peer.o: ../../include/pfixtls.h
++ smtpd_proxy.o: smtpd_proxy.c
++ smtpd_proxy.o: ../../include/sys_defs.h
++ smtpd_proxy.o: ../../include/msg.h
++@@ -329,6 +333,7 @@
++ smtpd_state.o: ../../include/vstring.h
++ smtpd_state.o: ../../include/argv.h
++ smtpd_state.o: ../../include/mail_stream.h
+++smtpd_state.o: ../../include/pfixtls.h
++ smtpd_state.o: smtpd_chat.h
++ smtpd_state.o: smtpd_sasl_glue.h
++ smtpd_token.o: smtpd_token.c
++@@ -338,6 +343,7 @@
++ smtpd_token.o: smtpd_token.h
++ smtpd_token.o: ../../include/vstring.h
++ smtpd_token.o: ../../include/vbuf.h
+++smtpd_token.o: ../../include/pfixtls.h
++ smtpd_xforward.o: smtpd_xforward.c
++ smtpd_xforward.o: ../../include/sys_defs.h
++ smtpd_xforward.o: ../../include/mymalloc.h
++diff -ruN postfix-2.1.0-vanilla/src/smtpd/smtpd.c postfix-2.1.0/src/smtpd/smtpd.c
++--- postfix-2.1.0-vanilla/src/smtpd/smtpd.c Wed Apr 21 23:10:01 2004
+++++ postfix-2.1.0/src/smtpd/smtpd.c Sat Apr 24 14:47:36 2004
++@@ -653,6 +653,7 @@
++ #include <anvil_clnt.h>
++ #endif
++ #include <flush_clnt.h>
+++#include <pfixtls.h>
++
++ /* Single-threaded server skeleton. */
++
++@@ -678,6 +679,7 @@
++ */
++ int var_smtpd_rcpt_limit;
++ int var_smtpd_tmout;
+++char *var_relay_ccerts;
++ int var_smtpd_soft_erlim;
++ int var_smtpd_hard_erlim;
++ int var_queue_minfree; /* XXX use off_t */
++@@ -760,7 +762,19 @@
++ int var_smtpd_crate_limit;
++ int var_smtpd_cconn_limit;
++ char *var_smtpd_hoggers;
+++#endif
++
+++bool var_smtpd_use_tls;
+++bool var_smtpd_enforce_tls;
+++bool var_smtpd_tls_wrappermode;
+++#ifdef USE_SSL
+++int var_smtpd_starttls_tmout;
+++bool var_smtpd_tls_auth_only;
+++bool var_smtpd_tls_ask_ccert;
+++bool var_smtpd_tls_req_ccert;
+++int var_smtpd_tls_ccert_vd;
+++bool var_smtpd_tls_received_header;
+++char *var_smtpd_sasl_tls_opts;
++ #endif
++
++ /*
++@@ -939,11 +953,21 @@
++ if (var_disable_vrfy_cmd == 0)
++ smtpd_chat_reply(state, "250-VRFY");
++ smtpd_chat_reply(state, "250-ETRN");
+++#ifdef USE_SSL
+++ if ((state->tls_use_tls || state->tls_enforce_tls) && (!state->tls_active))
+++ smtpd_chat_reply(state, "250-STARTTLS");
+++#endif
++ #ifdef USE_SASL_AUTH
++ if (var_smtpd_sasl_enable && !sasl_client_exception(state)) {
+++#ifdef USE_SSL
+++ if (!state->tls_auth_only || state->tls_active) {
+++#endif
++ smtpd_chat_reply(state, "250-AUTH %s", state->sasl_mechanism_list);
++ if (var_broken_auth_clients)
++ smtpd_chat_reply(state, "250-AUTH=%s", state->sasl_mechanism_list);
+++#ifdef USE_SSL
+++ }
+++#endif
++ }
++ #endif
++ if (namadr_list_match(verp_clients, state->name, state->addr))
++@@ -1501,12 +1525,77 @@
++ state->rcpt_overshoot = 0;
++ }
++
+++/* CN_sanitize - make sure, the CN-string is well behaved */
+++
+++static void CN_sanitize(char *CNstring)
+++{
+++ int i;
+++ int len;
+++ int parencount;
+++
+++ /*
+++ * The information included in the CN (CommonName) of the peer and its
+++ * issuer can be included into the Received: header line. The characters
+++ * allowed as well as comment nesting are limited by RFC822.
+++ */
+++
+++ len = strlen(CNstring);
+++ /*
+++ * The Received: header can only contain characters. Make sure that only
+++ * acceptable characters are printed. Maybe we could allow more, but
+++ * not everything makes sense inside a CommonName.
+++ */
+++ for (i = 0; i < len; i++)
+++ if (!((CNstring[i] >= 'A') && (CNstring[i] <='Z')) &&
+++ !((CNstring[i] >= 'a') && (CNstring[i] <='z')) &&
+++ !((CNstring[i] >= '0') && (CNstring[i] <='9')) &&
+++ (CNstring[i] != '(') && (CNstring[i] != ')') &&
+++ (CNstring[i] != '[') && (CNstring[i] != ']') &&
+++ (CNstring[i] != '{') && (CNstring[i] != '}') &&
+++ (CNstring[i] != '<') && (CNstring[i] != '>') &&
+++ (CNstring[i] != '?') && (CNstring[i] != '!') &&
+++ (CNstring[i] != ';') && (CNstring[i] != ':') &&
+++ (CNstring[i] != '"') && (CNstring[i] != '\'') &&
+++ (CNstring[i] != '/') && (CNstring[i] != '|') &&
+++ (CNstring[i] != '+') && (CNstring[i] != '&') &&
+++ (CNstring[i] != '~') && (CNstring[i] != '@') &&
+++ (CNstring[i] != '#') && (CNstring[i] != '$') &&
+++ (CNstring[i] != '%') && (CNstring[i] != '&') &&
+++ (CNstring[i] != '^') && (CNstring[i] != '*') &&
+++ (CNstring[i] != '_') && (CNstring[i] != '-') &&
+++ (CNstring[i] != '.') && (CNstring[i] != ' '))
+++ CNstring[i] = '?';
+++
+++ /*
+++ * This information will go into the Received: header inside a comment.
+++ * Since comments can be nested, parentheses '(' and ')' must match.
+++ */
+++ parencount = 0;
+++ for (i = 0; i < len; i++) {
+++ if (CNstring[i] == '(')
+++ parencount++;
+++ else if (CNstring[i] == ')')
+++ parencount--;
+++ }
+++ /*
+++ * The necessary condition is violated. Do YOU know, where to correct?
+++ * I don't know, so I will practically remove all parentheses.
+++ */
+++ if (parencount != 0) {
+++ for (i = 0; i < len; i++)
+++ if ((CNstring[i] == '(') || (CNstring[i] == ')'))
+++ CNstring[i] = '/';
+++ }
+++}
+++
++ /* data_cmd - process DATA command */
++
++ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
++ {
++ char *err;
++ char *start;
+++ char *peer_CN;
+++ char *issuer_CN;
++ int len;
++ int curr_rec_type;
++ int prev_rec_type;
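Review bot: `char *peer_CN;` and `char *issuer_CN;` are added to `data_cmd` unconditionally, but every use of them sits inside `#ifdef USE_SSL`, so a build without TLS support gets unused-variable warnings under the `-Wunused` listed in this tree's Makefile.in WARN flags; wrap the two declarations in the same `#ifdef USE_SSL`. In `CN_sanitize`, the `(CNstring[i] != '&')` test appears twice in the allowed-character chain, and `len` is an `int` receiving a `size_t` from `strlen` on a peer-supplied string, which is worth a `size_t`. The allow-list deliberately excludes backslash, CR, LF and TAB, which is what keeps a hostile CN from escaping the Received: comment or folding in extra header lines; a one-line comment stating that intent, e.g. `/* No backslash (quoted-pair) and no CR/LF/TAB: the CN must not escape the enclosing comment or fold the header */`, would keep a later edit from relaxing it. `data_cmd` continues past the end of the hunk.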
++@@ -1600,6 +1689,37 @@
++ "Received: from %s (%s [%s])",
++ state->helo_name ? state->helo_name : state->name,
++ state->name, state->addr);
+++#ifdef USE_SSL
+++ if (var_smtpd_tls_received_header && state->tls_active) {
+++ out_fprintf(out_stream, REC_TYPE_NORM,
+++ "\t(using %s with cipher %s (%d/%d bits))",
+++ state->tls_info.protocol, state->tls_info.cipher_name,
+++ state->tls_info.cipher_usebits,
+++ state->tls_info.cipher_algbits);
+++ if (state->tls_info.peer_CN) {
+++ peer_CN = mystrdup(state->tls_info.peer_CN);
+++ CN_sanitize(peer_CN);
+++ issuer_CN = mystrdup(state->tls_info.issuer_CN);
+++ CN_sanitize(issuer_CN);
+++ if (state->tls_info.peer_verified)
+++ out_fprintf(out_stream, REC_TYPE_NORM,
+++ "\t(Client CN \"%s\", Issuer \"%s\" (verified OK))",
+++ peer_CN, issuer_CN);
+++ else
+++ out_fprintf(out_stream, REC_TYPE_NORM,
+++ "\t(Client CN \"%s\", Issuer \"%s\" (not verified))",
+++ peer_CN, issuer_CN);
+++ myfree(issuer_CN);
+++ myfree(peer_CN);
+++ }
+++ else if (var_smtpd_tls_ask_ccert)
+++ out_fprintf(out_stream, REC_TYPE_NORM,
+++ "\t(Client did not present a certificate)");
+++ else
+++ out_fprintf(out_stream, REC_TYPE_NORM,
+++ "\t(No client certificate requested)");
+++ }
+++#endif
++ if (state->rcpt_count == 1 && state->recipient) {
++ out_fprintf(out_stream, REC_TYPE_NORM,
++ state->cleanup ? "\tby %s (%s) with %s id %s" :
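Review bot: `mystrdup(state->tls_info.issuer_CN)` runs whenever `peer_CN` is non-NULL, so it assumes the TLS layer never fills `peer_CN` without also filling `issuer_CN`; that invariant is not visible here and, if `mystrdup` does not accept NULL, a certificate whose issuer name could not be extracted would crash the server mid-DATA. A guard such as `if (state->tls_info.peer_CN && state->tls_info.issuer_CN) {` or a comment naming where the invariant is guaranteed would settle it. Both strings come from a client-supplied certificate and are written into the message even when `peer_verified` is false, which is exactly why they pass through `CN_sanitize` first; saying so at the call sites helps the next reader understand why the copies are made. `data_cmd` starts and continues outside this hunk.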
++@@ -2307,6 +2427,90 @@
++ }
++ }
++
+++static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
+++{
+++ char *err;
+++
+++#ifdef USE_SSL
+++ if (argc != 1) {
+++ state->error_mask |= MAIL_ERROR_PROTOCOL;
+++ smtpd_chat_reply(state, "501 Syntax: STARTTLS");
+++ return (-1);
+++ }
+++ if (state->tls_active != 0) {
+++ state->error_mask |= MAIL_ERROR_PROTOCOL;
+++ smtpd_chat_reply(state, "554 Error: TLS already active");
+++ return (-1);
+++ }
+++ if (state->tls_use_tls == 0) {
+++ state->error_mask |= MAIL_ERROR_PROTOCOL;
+++ smtpd_chat_reply(state, "502 Error: command not implemented");
+++ return (-1);
+++ }
+++ if (!pfixtls_serverengine) {
+++ smtpd_chat_reply(state, "454 TLS not available due to temporary reason");
+++ return (0);
+++ }
+++ smtpd_chat_reply(state, "220 Ready to start TLS");
+++ vstream_fflush(state->client);
+++ /*
+++ * When deciding about continuing the handshake, we will stop when a
+++ * client certificate was _required_ and none was presented or the
+++ * verification failed. This however does only make sense when TLS is
+++ * enforced. Otherwise we would happily perform perform the SMTP
+++ * transaction without any STARTTLS at all! So only have the handshake
+++ * fail when TLS is also enforced.
+++ */
+++ if (pfixtls_start_servertls(state->client, var_smtpd_starttls_tmout,
+++ state->name, state->addr, &(state->tls_info),
+++ (var_smtpd_tls_req_ccert && state->tls_enforce_tls))) {
+++ /*
+++ * Typically the connection is hanging at this point, so
+++ * we should try to shut it down by force! Unfortunately this
+++ * problem is not addressed in postfix!
+++ */
+++ return (-1);
+++ }
+++ state->tls_active = 1;
+++ helo_reset(state);
+++#ifdef USE_SASL_AUTH
+++ if (var_smtpd_sasl_enable) {
+++ /*
+++ * When TLS is enabled, another set of AUTH methods may be offered,
+++ * for example plain text methods that would not be offered without
+++ * encryption protection. Reconnect with a different set of options.
+++ */
+++ smtpd_sasl_disconnect(state);
+++ smtpd_sasl_connect(state, VAR_SMTPD_SASL_TLS_OPTS,
+++ var_smtpd_sasl_tls_opts);
+++ smtpd_sasl_auth_reset(state);
+++ }
+++#endif
+++ mail_reset(state);
+++ rcpt_reset(state);
+++ return (0);
+++#else
+++ state->error_mask |= MAIL_ERROR_PROTOCOL;
+++ smtpd_chat_reply(state, "502 Error: command not implemented");
+++ return (-1);
+++#endif
+++}
+++
+++static void tls_reset(SMTPD_STATE *state)
+++{
+++ int failure = 0;
+++
+++ if (state->reason && state->where && strcmp(state->where, SMTPD_AFTER_DOT))
+++ failure = 1;
+++#ifdef USE_SSL
+++ vstream_fflush(state->client);
+++ if (state->tls_active)
+++ pfixtls_stop_servertls(state->client, var_smtpd_starttls_tmout,
+++ failure, &(state->tls_info));
+++#endif
+++ state->tls_active = 0;
+++}
+++
++ /*
++ * The table of all SMTP commands that we know. Set the junk limit flag on
++ * any command that can be repeated an arbitrary number of times without
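Review bot: `char *err;` in `starttls_cmd` is never used in either branch of the `#ifdef USE_SSL`, so it should be dropped (it trips the `-Wunused` in this tree's WARN flags). When `pfixtls_start_servertls` fails the function returns -1 without a log call of its own, so unless the helper logs the failure, a client that breaks off after `220 Ready to start TLS` leaves no trace at this layer; a `msg_info` naming `state->name` and `state->addr` before the `return (-1)` would give operators something to correlate with the connect record. The comment above that call also has a doubled word (`perform perform`). In `tls_reset`, `failure` is computed from `state->where` even in non-SSL builds where it is then never read; moving the computation inside the `#ifdef USE_SSL` avoids a set-but-unused variable.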
++@@ -2325,6 +2529,10 @@
++ "HELO", helo_cmd, SMTPD_CMD_FLAG_LIMIT,
++ "EHLO", ehlo_cmd, SMTPD_CMD_FLAG_LIMIT,
++
+++#ifdef USE_SSL
+++ "STARTTLS", starttls_cmd, 0,
+++#endif
+++
++ #ifdef USE_SASL_AUTH
++ "AUTH", smtpd_sasl_auth_cmd, 0,
++ #endif
++@@ -2483,9 +2691,28 @@
++ state->error_count++;
++ continue;
++ }
+++ if (state->tls_enforce_tls &&
+++ !state->tls_active &&
+++ cmdp->action != starttls_cmd &&
+++ cmdp->action != noop_cmd &&
+++ cmdp->action != ehlo_cmd &&
+++ cmdp->action != quit_cmd) {
+++ smtpd_chat_reply(state,
+++ "530 Must issue a STARTTLS command first");
+++ state->error_count++;
+++ continue;
+++ }
++ state->where = cmdp->name;
++- if (cmdp->action(state, argc, argv) != 0)
+++ if (cmdp->action(state, argc, argv) != 0) {
++ state->error_count++;
+++ /*
+++ * Die after TLS negotiation failure, as there is no
+++ * stable way to recover from a possible mixture of
+++ * TLS and SMTP protocol from the client.
+++ */
+++ if (cmdp->action == starttls_cmd)
+++ break;
+++ }
++ if ((cmdp->flags & SMTPD_CMD_FLAG_LIMIT)
++ && state->junk_cmds++ > var_smtpd_junk_cmd_limit)
++ state->error_count++;
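Review bot: The four actions exempted from the `530 Must issue a STARTTLS command first` reply (`starttls_cmd`, `noop_cmd`, `ehlo_cmd`, `quit_cmd`) are exactly the set RFC 3207 section 4 allows a server to accept before TLS when it is enforced, which is the right choice but is not stated anywhere; a comment such as `/* RFC 3207 section 4: only NOOP, EHLO, STARTTLS and QUIT are accepted before TLS is enforced */` would stop a later edit from adding HELO or RSET to the list. `state->error_count` is incremented on every refused command, so a client that keeps sending plaintext commands presumably runs into whatever error limit the loop already enforces; that is worth mentioning in the same comment. The enclosing command loop starts and ends outside the hunk.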
++@@ -2525,6 +2752,7 @@
++ * Cleanup whatever information the client gave us during the SMTP
++ * dialog.
++ */
+++ tls_reset(state);
++ helo_reset(state);
++ #ifdef USE_SASL_AUTH
++ if (var_smtpd_sasl_enable)
++@@ -2557,6 +2785,58 @@
++ * machines.
++ */
++ smtpd_state_init(&state, stream);
+++
+++#ifdef USE_SSL
+++ if (SMTPD_STAND_ALONE((&state))) {
+++ state.tls_use_tls = 0;
+++ state.tls_enforce_tls = 0;
+++ state.tls_auth_only = 0;
+++ }
+++ else {
+++ state.tls_use_tls = var_smtpd_use_tls | var_smtpd_enforce_tls;
+++ state.tls_enforce_tls = var_smtpd_enforce_tls;
+++ if (var_smtpd_tls_wrappermode) {
+++ /*
+++ * TLS has been set to wrapper mode, meaning that we run on a
+++ * seperate port and we must switch to TLS layer before actually
+++ * performing the SMTP protocol. This implies enforce-mode.
+++ */
+++ state.tls_use_tls = state.tls_enforce_tls = 1;
+++ if (pfixtls_start_servertls(state.client, var_smtpd_starttls_tmout,
+++ state.name, state.addr, &state.tls_info,
+++ var_smtpd_tls_req_ccert)) {
+++ /*
+++ * Typically the connection is hanging at this point, so
+++ * we should try to shut it down by force! Unfortunately this
+++ * problem is not addressed in postfix!
+++ */
+++ return;
+++ }
+++ state.tls_active = 1;
+++#ifdef USE_SASL_AUTH
+++ if (var_smtpd_sasl_enable) {
+++ /*
+++ * When TLS is enabled, another set of AUTH methods may be
+++ * offered, for example plain text methods that would not be
+++ * offered without encryption protection. Reconnect with a
+++ * different set of options.
+++ */
+++ smtpd_sasl_disconnect(&state);
+++ smtpd_sasl_connect(&state, VAR_SMTPD_SASL_TLS_OPTS,
+++ var_smtpd_sasl_tls_opts);
+++ smtpd_sasl_auth_reset(&state);
+++ }
+++#endif
+++ }
+++ if (var_smtpd_tls_auth_only || state.tls_enforce_tls)
+++ state.tls_auth_only = 1;
+++ }
+++#else
+++ state.tls_use_tls = 0;
+++ state.tls_enforce_tls = 0;
+++ state.tls_auth_only = 0;
+++#endif
+++
++ msg_info("connect from %s[%s]", state.name, state.addr);
++
++ /*
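Review bot: In the wrapper-mode branch, the `return;` after a failed `pfixtls_start_servertls` leaves the function before the `msg_info("connect from %s[%s]", ...)` line that follows the hunk, so a client that connects to the TLS port and fails the handshake produces no connect record from this function, and whatever teardown the normal path performs on the `state` that `smtpd_state_init` just populated (it allocates `state->instance` per the `smtpd_state.c` hunk) is skipped as well; logging the peer first, e.g. `msg_info("TLS handshake failed for %s[%s]", state.name, state.addr);`, and routing through the normal reset path would cover both, though the rest of the function is outside the hunk. `state.tls_use_tls = var_smtpd_use_tls | var_smtpd_enforce_tls;` uses bitwise `|` on two `bool` flags where `||` says what is meant. `SMTPD_STAND_ALONE((&state))` carries a redundant pair of parentheses.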
++@@ -2606,7 +2886,6 @@
++
++ static void pre_jail_init(char *unused_name, char **unused_argv)
++ {
++-
++ /*
++ * Initialize blacklist/etc. patterns before entering the chroot jail, in
++ * case they specify a filename pattern.
++@@ -2634,6 +2913,21 @@
++ msg_warn("%s is true, but SASL support is not compiled in",
++ VAR_SMTPD_SASL_ENABLE);
++ #endif
+++ /*
+++ * Keys can only be loaded when running with superuser permissions.
+++ * When called from "sendmail -bs" this is not the case, but STARTTLS
+++ * is not used in this scenario anyhow.
+++ */
+++ if (geteuid() == 0) {
+++ if (var_smtpd_use_tls || var_smtpd_enforce_tls
+++ || var_smtpd_tls_wrappermode)
+++#ifdef USE_SSL
+++ pfixtls_init_serverengine(var_smtpd_tls_ccert_vd,
+++ var_smtpd_tls_ask_ccert);
+++#else
+++ msg_warn("TLS has been selected but TLS support is not compiled in");
+++#endif
+++ }
++
++ /*
++ * flush client.
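Review bot: The `msg_warn("TLS has been selected but TLS support is not compiled in")` in the `#else` branch sits inside the `geteuid() == 0` test, so a non-root invocation with `smtpd_use_tls`, enforce or wrapper mode set in a build without `USE_SSL` never reports the misconfiguration, whereas the SASL warning just above this block does not appear to be gated on the effective uid; test the configuration first and keep only the engine initialisation behind the euid check. If `pfixtls_init_serverengine` reports failure through its return value, that value is discarded here, which matters because the server will still advertise STARTTLS and answer it with `454` while `pfixtls_serverengine` stays unset; its signature is not visible in this hunk, so please confirm. `pre_jail_init` starts and ends outside the hunk.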
++@@ -2672,6 +2966,7 @@
++ if (var_smtpd_crate_limit || var_smtpd_cconn_limit)
++ anvil_clnt = anvil_clnt_create();
++ #endif
+++
++ }
++
++ /* main - the main program */
++@@ -2708,6 +3003,9 @@
++ VAR_SMTPD_CRATE_LIMIT, DEF_SMTPD_CRATE_LIMIT, &var_smtpd_crate_limit, 0, 0,
++ VAR_SMTPD_CCONN_LIMIT, DEF_SMTPD_CCONN_LIMIT, &var_smtpd_cconn_limit, 0, 0,
++ #endif
+++#ifdef USE_SSL
+++ VAR_SMTPD_TLS_CCERT_VD, DEF_SMTPD_TLS_CCERT_VD, &var_smtpd_tls_ccert_vd, 0, 0,
+++#endif
++ 0,
++ };
++ static CONFIG_TIME_TABLE time_table[] = {
++@@ -2718,6 +3016,9 @@
++ VAR_SMTPD_POLICY_TMOUT, DEF_SMTPD_POLICY_TMOUT, &var_smtpd_policy_tmout, 1, 0,
++ VAR_SMTPD_POLICY_IDLE, DEF_SMTPD_POLICY_IDLE, &var_smtpd_policy_idle, 1, 0,
++ VAR_SMTPD_POLICY_TTL, DEF_SMTPD_POLICY_TTL, &var_smtpd_policy_ttl, 1, 0,
+++#ifdef USE_SSL
+++ VAR_SMTPD_STARTTLS_TMOUT, DEF_SMTPD_STARTTLS_TMOUT, &var_smtpd_starttls_tmout, 1, 0,
+++#endif
++ 0,
++ };
++ static CONFIG_BOOL_TABLE bool_table[] = {
++@@ -2731,6 +3032,15 @@
++ VAR_SHOW_UNK_RCPT_TABLE, DEF_SHOW_UNK_RCPT_TABLE, &var_show_unk_rcpt_table,
++ VAR_SMTPD_REJ_UNL_FROM, DEF_SMTPD_REJ_UNL_FROM, &var_smtpd_rej_unl_from,
++ VAR_SMTPD_REJ_UNL_RCPT, DEF_SMTPD_REJ_UNL_RCPT, &var_smtpd_rej_unl_rcpt,
+++ VAR_SMTPD_USE_TLS, DEF_SMTPD_USE_TLS, &var_smtpd_use_tls,
+++ VAR_SMTPD_ENFORCE_TLS, DEF_SMTPD_ENFORCE_TLS, &var_smtpd_enforce_tls,
+++ VAR_SMTPD_TLS_WRAPPER, DEF_SMTPD_TLS_WRAPPER, &var_smtpd_tls_wrappermode,
+++#ifdef USE_SSL
+++ VAR_SMTPD_TLS_AUTH_ONLY, DEF_SMTPD_TLS_AUTH_ONLY, &var_smtpd_tls_auth_only,
+++ VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert,
+++ VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert,
+++ VAR_SMTPD_TLS_RECHEAD, DEF_SMTPD_TLS_RECHEAD, &var_smtpd_tls_received_header,
+++#endif
++ 0,
++ };
++ static CONFIG_STR_TABLE str_table[] = {
++@@ -2772,6 +3082,10 @@
++ #ifdef SNAPSHOT
++ VAR_SMTPD_HOGGERS, DEF_SMTPD_HOGGERS, &var_smtpd_hoggers, 0, 0,
++ #endif
+++#ifdef USE_SSL
+++ VAR_RELAY_CCERTS, DEF_RELAY_CCERTS, &var_relay_ccerts, 0, 0,
+++ VAR_SMTPD_SASL_TLS_OPTS, DEF_SMTPD_SASL_TLS_OPTS, &var_smtpd_sasl_tls_opts, 0, 0,
+++#endif
++ 0,
++ };
++ static CONFIG_RAW_TABLE raw_table[] = {
++@@ -2794,3 +3108,4 @@
++ MAIL_SERVER_POST_INIT, post_jail_init,
++ 0);
++ }
+++
++diff -ruN postfix-2.1.0-vanilla/src/smtpd/smtpd.h postfix-2.1.0/src/smtpd/smtpd.h
++--- postfix-2.1.0-vanilla/src/smtpd/smtpd.h Wed Apr 21 20:23:33 2004
+++++ postfix-2.1.0/src/smtpd/smtpd.h Sat Apr 24 14:35:28 2004
++@@ -32,6 +32,7 @@
++ * Global library.
++ */
++ #include <mail_stream.h>
+++#include <pfixtls.h>
++
++ /*
++ * Variables that keep track of conversation state. There is only one SMTP
++@@ -136,6 +137,11 @@
++ * XFORWARD server state.
++ */
++ SMTPD_XFORWARD_ATTR xforward; /* up-stream logging info */
+++ int tls_active;
+++ int tls_use_tls;
+++ int tls_enforce_tls;
+++ int tls_auth_only;
+++ tls_info_t tls_info;
++ } SMTPD_STATE;
++
++ #define SMTPD_STATE_XFORWARD_INIT (1<<0) /* xforward preset done */
++diff -ruN postfix-2.1.0-vanilla/src/smtpd/smtpd_check.c postfix-2.1.0/src/smtpd/smtpd_check.c
++--- postfix-2.1.0-vanilla/src/smtpd/smtpd_check.c Mon Apr 19 21:31:20 2004
+++++ postfix-2.1.0/src/smtpd/smtpd_check.c Sat Apr 24 14:35:28 2004
++@@ -185,6 +185,7 @@
++ #include <string_list.h>
++ #include <namadr_list.h>
++ #include <domain_list.h>
+++#include <string_list.h>
++ #include <mail_params.h>
++ #include <canon_addr.h>
++ #include <resolve_clnt.h>
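Review bot: The added `#include <string_list.h>` duplicates the one three lines above it in the same include block, so the line is redundant and should be dropped; it is harmless only because the header is presumably include-guarded. This looks like a leftover from forward-porting the patch rather than an intended change.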
++@@ -269,6 +270,9 @@
++ static DOMAIN_LIST *relay_domains;
++ static NAMADR_LIST *mynetworks;
++ static NAMADR_LIST *perm_mx_networks;
+++#ifdef USE_SSL
+++static MAPS *relay_ccerts;
+++#endif
++
++ /*
++ * How to do parent domain wildcard matching, if any.
++@@ -563,6 +567,10 @@
++ perm_mx_networks =
++ namadr_list_init(match_parent_style(VAR_PERM_MX_NETWORKS),
++ var_perm_mx_networks);
+++#ifdef USE_SSL
+++ relay_ccerts = maps_create(VAR_RELAY_CCERTS, var_relay_ccerts,
+++ DICT_FLAG_LOCK);
+++#endif
++
++ /*
++ * Pre-parse and pre-open the recipient maps.
++@@ -1056,6 +1064,36 @@
++
++ static int permit_auth_destination(SMTPD_STATE *state, char *recipient);
++
+++/* permit_tls_clientcerts - OK/DUNNO for message relaying */
+++
+++#ifdef USE_SSL
+++static int permit_tls_clientcerts(SMTPD_STATE *state, int permit_all_certs)
+++{
+++ char *low_name;
+++ const char *found;
+++
+++ if (state->tls_info.peer_verified && permit_all_certs) {
+++ if (msg_verbose)
+++ msg_info("Relaying allowed for all verified client certificates");
+++ return(SMTPD_CHECK_OK);
+++ }
+++
+++ if (state->tls_info.peer_verified && state->tls_info.peer_fingerprint) {
+++ low_name = lowercase(mystrdup(state->tls_info.peer_fingerprint));
+++ found = maps_find(relay_ccerts, low_name, DICT_FLAG_FIXED);
+++ myfree(low_name);
+++ if (found) {
+++ if (msg_verbose)
+++ msg_info("Relaying allowed for certified client: %s", found);
+++ return (SMTPD_CHECK_OK);
+++ } else if (msg_verbose)
+++ msg_info("relay_clientcerts: No match for fingerprint '%s'",
+++ state->tls_info.peer_fingerprint);
+++ }
+++ return (SMTPD_CHECK_DUNNO);
+++}
+++#endif
+++
++ /* check_relay_domains - OK/FAIL for message relaying */
++
++ static int check_relay_domains(SMTPD_STATE *state, char *recipient,
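Review bot: `permit_tls_clientcerts` should document that with `permit_all_certs` set, any certificate the TLS layer marked `peer_verified` grants relaying, which makes the configured CA trust store the effective relay ACL rather than the `relay_ccerts` table; the header comment `/* permit_tls_clientcerts - OK/DUNNO for message relaying */` says nothing about that distinction. The fingerprint path lowercases the peer fingerprint before `maps_find`, so table keys must be stored in lower case to match, and a mixed-case key silently yields DUNNO; that convention belongs in the function comment and in the `relay_clientcerts` documentation. The digest algorithm behind `peer_fingerprint` is not visible here, and the comment should name it so operators know what value to put in the table. A verified certificate whose fingerprint is absent from the table falls through to DUNNO, which is the safe default and worth stating explicitly.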
++@@ -3235,6 +3273,12 @@
++ #else
++ msg_warn("restriction `%s' ignored: no SASL support", name);
++ #endif
+++#ifdef USE_SSL
+++ } else if (strcasecmp(name, PERMIT_TLS_ALL_CLIENTCERTS) == 0) {
+++ status = permit_tls_clientcerts(state, 1);
+++ } else if (strcasecmp(name, PERMIT_TLS_CLIENTCERTS) == 0) {
+++ status = permit_tls_clientcerts(state, 0);
+++#endif
++ } else if (strcasecmp(name, REJECT_UNKNOWN_RCPTDOM) == 0) {
++ if (state->recipient)
++ status = reject_unknown_address(state, state->recipient,
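Review bot: When `USE_SSL` is not defined, the `permit_tls_clientcerts` and `permit_tls_all_clientcerts` restriction names fall through to whatever handles unknown restrictions, whereas the SASL case immediately above has an explicit `#else msg_warn("restriction `%s' ignored: no SASL support", name);` branch; keep the two `else if` arms outside the `#ifdef` and put the `#ifdef USE_SSL` around the `permit_tls_clientcerts` calls with a parallel `#else msg_warn("restriction `%s' ignored: no TLS support", name);`, so a TLS-less build reports an ignored relay rule the same way it reports an ignored SASL rule. The enclosing function starts and ends outside the hunk.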
++@@ -3945,6 +3989,7 @@
++ char *var_etrn_checks = "";
++ char *var_data_checks = "";
++ char *var_relay_domains = "";
+++char *var_relay_ccerts = "";
++ char *var_mynetworks = "";
++ char *var_notify_classes = "";
++
++diff -ruN postfix-2.1.0-vanilla/src/smtpd/smtpd_sasl_proto.c postfix-2.1.0/src/smtpd/smtpd_sasl_proto.c
++--- postfix-2.1.0-vanilla/src/smtpd/smtpd_sasl_proto.c Mon Mar 29 21:40:52 2004
+++++ postfix-2.1.0/src/smtpd/smtpd_sasl_proto.c Sat Apr 24 14:35:28 2004
++@@ -129,6 +129,13 @@
++ smtpd_chat_reply(state, "503 Error: authentication not enabled");
++ return (-1);
++ }
+++#ifdef USE_SSL
+++ if (state->tls_auth_only && !state->tls_active) {
+++ state->error_mask |= MAIL_ERROR_PROTOCOL;
+++ smtpd_chat_reply(state, "538 Encryption required for requested authentication mechanism");
+++ return (-1);
+++ }
+++#endif
++ if (state->sasl_username) {
++ state->error_mask |= MAIL_ERROR_PROTOCOL;
++ smtpd_chat_reply(state, "503 Error: already authenticated");
++diff -ruN postfix-2.1.0-vanilla/src/smtpd/smtpd_state.c postfix-2.1.0/src/smtpd/smtpd_state.c
++--- postfix-2.1.0-vanilla/src/smtpd/smtpd_state.c Wed Apr 21 20:23:49 2004
+++++ postfix-2.1.0/src/smtpd/smtpd_state.c Sat Apr 24 14:48:22 2004
++@@ -111,6 +111,11 @@
++ state->saved_flags = 0;
++ state->instance = vstring_alloc(10);
++ state->seqno = 0;
+++ state->tls_active = 0;
+++ state->tls_use_tls = 0;
+++ state->tls_enforce_tls = 0;
+++ state->tls_info = tls_info_zero;
+++ state->tls_auth_only = 0;
++
++ #ifdef USE_SASL_AUTH
++ if (SMTPD_STAND_ALONE(state))
++diff -ruN postfix-2.1.0-vanilla/src/tlsmgr/Makefile.in postfix-2.1.0/src/tlsmgr/Makefile.in
++--- postfix-2.1.0-vanilla/src/tlsmgr/Makefile.in Thu Jan 1 01:00:00 1970
+++++ postfix-2.1.0/src/tlsmgr/Makefile.in Sat Apr 24 14:35:28 2004
++@@ -0,0 +1,75 @@
+++SHELL = /bin/sh
+++SRCS = tlsmgr.c
+++OBJS = tlsmgr.o
+++HDRS =
+++TESTSRC =
+++WARN = -W -Wformat -Wimplicit -Wmissing-prototypes \
+++ -Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
+++ -Wunused
+++DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE)
+++CFLAGS = $(DEBUG) $(OPT) $(DEFS)
+++TESTPROG=
+++PROG = tlsmgr
+++INC_DIR = ../../include
+++LIBS = ../../lib/libmaster.a ../../lib/libglobal.a ../../lib/libutil.a
+++
+++.c.o:; $(CC) $(CFLAGS) -c $*.c
+++
+++$(PROG): $(OBJS) $(LIBS)
+++ $(CC) $(CFLAGS) -o $@ $(OBJS) $(LIBS) $(SYSLIBS)
+++
+++Makefile: Makefile.in
+++ (set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../../makedefs; cat $?) >$@
+++
+++test: $(TESTPROG)
+++
+++update: ../../libexec/$(PROG)
+++
+++../../libexec/$(PROG): $(PROG)
+++ cp $(PROG) ../../libexec
+++
+++printfck: $(OBJS) $(PROG)
+++ rm -rf printfck
+++ mkdir printfck
+++ cp *.h printfck
+++ sed '1,/^# do not edit/!d' Makefile >printfck/Makefile
+++ set -e; for i in *.c; do printfck -f .printfck $$i >printfck/$$i; done
+++ cd printfck; make "INC_DIR=../../../../include" `cd ../..; ls *.o`
+++
+++lint:
+++ lint $(DEFS) $(SRCS) $(LINTFIX)
+++
+++clean:
+++ rm -f *.o *core $(PROG) $(TESTPROG) junk
+++ rm -rf printfck
+++
+++tidy: clean
+++
+++depend: $(MAKES)
+++ (sed '1,/^# do not edit/!d' Makefile.in; \
+++ set -e; for i in [a-z][a-z0-9]*.c; do \
+++ $(CC) -E $(DEFS) $(INCL) $$i | sed -n -e '/^# *1 *"\([^"]*\)".*/{' \
+++ -e 's//'`echo $$i|sed 's/c$$/o/'`': \1/' -e 'p' -e '}'; \
+++ done) | grep -v '[.][o][:][ ][/]' >$$$$ && mv $$$$ Makefile.in
+++ @make -f Makefile.in Makefile
+++
+++# do not edit below this line - it is generated by 'make depend'
+++tlsmgr.o: tlsmgr.c
+++tlsmgr.o: ../../include/sys_defs.h
+++tlsmgr.o: ../../include/msg.h
+++tlsmgr.o: ../../include/events.h
+++tlsmgr.o: ../../include/vstream.h
+++tlsmgr.o: ../../include/vbuf.h
+++tlsmgr.o: ../../include/dict.h
+++tlsmgr.o: ../../include/argv.h
+++tlsmgr.o: ../../include/vstring.h
+++tlsmgr.o: ../../include/stringops.h
+++tlsmgr.o: ../../include/mymalloc.h
+++tlsmgr.o: ../../include/connect.h
+++tlsmgr.o: ../../include/myflock.h
+++tlsmgr.o: ../../include/mail_conf.h
+++tlsmgr.o: ../../include/mail_params.h
+++tlsmgr.o: ../../include/iostuff.h
+++tlsmgr.o: ../../include/master_proto.h
+++tlsmgr.o: ../../include/mail_server.h
+++tlsmgr.o: ../../include/pfixtls.h
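Review bot: The `printfck` and `depend` recipes run a literal `make` (`cd printfck; make "INC_DIR=../../../../include" ...` and `@make -f Makefile.in Makefile`) rather than `$(MAKE)`, so `-n`, the jobserver and any non-default make binary are not passed to the nested invocation; `$(MAKE)`, with a `+` prefix on the `depend` line so it still runs under `make -n`, is the conventional fix. This presumably mirrors the other Postfix `Makefile.in` templates, so it is inherited style rather than a defect of this patch, but a newly added file is the cheapest place to correct it. The `depend` rule also rewrites `Makefile.in` in place, which is the template's convention and should be noted in the comment above the generated section so nobody hand-edits the dependency lines.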
++diff -ruN postfix-2.1.0-vanilla/src/tlsmgr/tlsmgr.c postfix-2.1.0/src/tlsmgr/tlsmgr.c
++--- postfix-2.1.0-vanilla/src/tlsmgr/tlsmgr.c Thu Jan 1 01:00:00 1970
+++++ postfix-2.1.0/src/tlsmgr/tlsmgr.c Sat Apr 24 14:35:28 2004
++@@ -0,0 +1,598 @@
+++/*++
+++/* NAME
+++/* tlsmgr 8
+++/* SUMMARY
+++/* Postfix TLS session cache and PRNG handling manager
+++/* SYNOPSIS
+++/* \fBtlsmgr\fR [generic Postfix daemon options]
+++/* DESCRIPTION
+++/* The tlsmgr process does housekeeping on the session cache database
+++/* files. It runs through the databases and removes expired entries
+++/* and entries written by older (incompatible) versions.
+++/*
+++/* The tlsmgr is responsible for the PRNG handling. The used internal
+++/* OpenSSL PRNG has a pool size of 8192 bits (= 1024 bytes). The pool
+++/* is initially seeded at startup from an external source (EGD or
+++/* /dev/urandom) and additional seed is obtained later during program
+++/* run at a configurable period. The exact time of seed query is
+++/* using random information and is equally distributed in the range of
+++/* [0-\fBtls_random_reseed_period\fR] with a \fBtls_random_reseed_period\fR
+++/* having a default of 1 hour.
+++/*
+++/* Tlsmgr can be run chrooted and with dropped privileges, as it will
+++/* connect to the entropy source at startup.
+++/*
+++/* The PRNG is additionally seeded internally by the data found in the
+++/* session cache and timevalues.
+++/*
+++/* Tlsmgr reads the old value of the exchange file at startup to keep
+++/* entropy already collected during previous runs.
+++/*
+++/* From the PRNG random pool a cryptographically strong 1024 byte random
+++/* sequence is written into the PRNG exchange file. The file is updated
+++/* periodically with the time changing randomly from
+++/* [0-\fBtls_random_prng_update_period\fR].
+++/* STANDARDS
+++/* SECURITY
+++/* .ad
+++/* .fi
+++/* Tlsmgr is not security-sensitive. It only deals with external data
+++/* to be fed into the PRNG, the contents is never trusted. The session
+++/* cache housekeeping will only remove entries if expired and will never
+++/* touch the contents of the cached data.
+++/* DIAGNOSTICS
+++/* Problems and transactions are logged to the syslog daemon.
+++/* BUGS
+++/* There is no automatic means to limit the number of entries in the
+++/* session caches and/or the size of the session cache files.
+++/* CONFIGURATION PARAMETERS
+++/* .ad
+++/* .fi
+++/* The following \fBmain.cf\fR parameters are especially relevant to
+++/* this program. See the Postfix \fBmain.cf\fR file for syntax details
+++/* and for default values. Use the \fBpostfix reload\fR command after
+++/* a configuration change.
+++/* .SH Session Cache
+++/* .ad
+++/* .fi
+++/* .IP \fBsmtpd_tls_session_cache_database\fR
+++/* Name of the SDBM file (type sdbm:) containing the SMTP server session
+++/* cache. If the file does not exist, it is created.
+++/* .IP \fBsmtpd_tls_session_cache_timeout\fR
+++/* Expiry time of SMTP server session cache entries in seconds. Entries
+++/* older than this are removed from the session cache. A cleanup-run is
+++/* performed periodically every \fBsmtpd_tls_session_cache_timeout\fR
+++/* seconds. Default is 3600 (= 1 hour).
+++/* .IP \fBsmtp_tls_session_cache_database\fR
+++/* Name of the SDBM file (type sdbm:) containing the SMTP client session
+++/* cache. If the file does not exist, it is created.
+++/* .IP \fBsmtp_tls_session_cache_timeout\fR
+++/* Expiry time of SMTP client session cache entries in seconds. Entries
+++/* older than this are removed from the session cache. A cleanup-run is
+++/* performed periodically every \fBsmtp_tls_session_cache_timeout\fR
+++/* seconds. Default is 3600 (= 1 hour).
+++/* .SH Pseudo Random Number Generator
+++/* .ad
+++/* .fi
+++/* .IP \fBtls_random_source\fR
+++/* Name of the EGD socket or device or regular file to obtain entropy
+++/* from. The type of entropy source must be specified by preceding the
+++/* name with the appropriate type: egd:/path/to/egd_socket,
+++/* dev:/path/to/devicefile, or /path/to/regular/file.
+++/* tlsmgr opens \fBtls_random_source\fR and tries to read
+++/* \fBtls_random_bytes\fR from it.
+++/* .IP \fBtls_random_bytes\fR
+++/* Number of bytes to be read from \fBtls_random_source\fR.
+++/* Default value is 32 bytes. If using EGD, a maximum of 255 bytes is read.
+++/* .IP \fBtls_random_exchange_name\fR
+++/* Name of the file written by tlsmgr and read by smtp and smtpd at
+++/* startup. The length is 1024 bytes. Default value is
+++/* /etc/postfix/prng_exch.
+++/* .IP \fBtls_random_reseed_period\fR
+++/* Time in seconds until the next reseed from external sources is due.
+++/* This is the maximum value. The actual point in time is calculated
+++/* with a random factor equally distributed between 0 and this maximum
+++/* value. Default is 3600 (= 60 minutes).
+++/* .IP \fBtls_random_prng_update_period\fR
+++/* Time in seconds until the PRNG exchange file is updated with new
+++/* pseude random values. This is the maximum value. The actual point
+++/* in time is calculated with a random factor equally distributed
+++/* between 0 and this maximum value. Default is 60 (= 1 minute).
+++/* SEE ALSO
+++/* smtp(8) SMTP client
+++/* smtpd(8) SMTP server
+++/* LICENSE
+++/* .ad
+++/* .fi
+++/* The Secure Mailer license must be distributed with this software.
+++/* AUTHOR(S)
+++/*--*/
+++
+++/* System library. */
+++
+++#include <sys_defs.h>
+++#include <stdlib.h>
+++#include <unistd.h>
+++#include <ctype.h>
+++#include <errno.h>
+++#include <string.h>
+++#include <sys/time.h> /* gettimeofday, not POSIX */
+++
+++/* OpenSSL library. */
+++#ifdef USE_SSL
+++#include <openssl/rand.h> /* For the PRNG */
+++#endif
+++
+++/* Utility library. */
+++
+++#include <msg.h>
+++#include <events.h>
+++#include <dict.h>
+++#include <stringops.h>
+++#include <mymalloc.h>
+++#include <connect.h>
+++#include <myflock.h>
+++
+++/* Global library. */
+++
+++#include <mail_conf.h>
+++#include <mail_params.h>
+++#include <pfixtls.h>
+++
+++/* Master process interface */
+++
+++#include <master_proto.h>
+++#include <mail_server.h>
+++
+++/* Application-specific. */
+++
+++#ifdef USE_SSL
+++ /*
+++ * Tunables.
+++ */
+++char *var_tls_rand_source;
+++int var_tls_rand_bytes;
+++int var_tls_reseed_period;
+++int var_tls_prng_upd_period;
+++
+++static int rand_exch_fd;
+++static int rand_source_dev_fd = -1;
+++static int rand_source_socket_fd = -1;
+++static int srvr_scache_db_active;
+++static int clnt_scache_db_active;
+++static DICT *srvr_scache_db = NULL;
+++static DICT *clnt_scache_db = NULL;
+++
+++static void tlsmgr_prng_upd_event(int unused_event, char *dummy)
+++{
+++ struct timeval tv;
+++ unsigned char buffer[1024];
+++ int next_period;
+++
+++ /*
+++ * It is time to update the PRNG exchange file. Since other processes might
+++ * have added entropy, we do this in a read_stir-back_write cycle.
+++ */
+++ GETTIMEOFDAY(&tv);
+++ RAND_seed(&tv, sizeof(struct timeval));
+++
+++ if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) != 0)
+++ msg_fatal("Could not lock random exchange file: %s",
+++ strerror(errno));
+++
+++ lseek(rand_exch_fd, 0, SEEK_SET);
+++ if (read(rand_exch_fd, buffer, 1024) < 0)
+++ msg_fatal("reading exchange file failed");
+++ RAND_seed(buffer, 1024);
+++
+++ RAND_bytes(buffer, 1024);
+++ lseek(rand_exch_fd, 0, SEEK_SET);
+++ if (write(rand_exch_fd, buffer, 1024) != 1024)
+++ msg_fatal("Writing exchange file failed");
+++
+++ if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) != 0)
+++ msg_fatal("Could not unlock random exchange file: %s",
+++ strerror(errno));
+++
+++ /*
+++ * Make prediction difficult for outsiders and calculate the time for the
+++ * next execution randomly.
+++ */
+++ next_period = (var_tls_prng_upd_period * buffer[0]) / 255;
+++ event_request_timer(tlsmgr_prng_upd_event, dummy, next_period);
+++}
+++
+++
+++static void tlsmgr_reseed_event(int unused_event, char *dummy)
+++{
+++ int egd_success;
+++ int next_period;
+++ int rand_bytes;
+++ char buffer[255];
+++ struct timeval tv;
+++ unsigned char randbyte;
+++
+++ /*
+++ * It is time to reseed the PRNG.
+++ */
+++
+++ GETTIMEOFDAY(&tv);
+++ RAND_seed(&tv, sizeof(struct timeval));
+++ if (rand_source_dev_fd != -1) {
+++ rand_bytes = read(rand_source_dev_fd, buffer, var_tls_rand_bytes);
+++ if (rand_bytes > 0)
+++ RAND_seed(buffer, rand_bytes);
+++ else if (rand_bytes < 0) {
+++ msg_fatal("Read from entropy device %s failed",
+++ var_tls_rand_source);
+++ }
+++ } else if (rand_source_socket_fd != -1) {
+++ egd_success = 0;
+++ buffer[0] = 1;
+++ buffer[1] = var_tls_rand_bytes;
+++ if (write(rand_source_socket_fd, buffer, 2) != 2)
+++ msg_info("Could not talk to %s", var_tls_rand_source);
+++ else if (read(rand_source_socket_fd, buffer, 1) != 1)
+++ msg_info("Could not read info from %s", var_tls_rand_source);
+++ else {
+++ rand_bytes = buffer[0];
+++ if (read(rand_source_socket_fd, buffer, rand_bytes) != rand_bytes)
+++ msg_info("Could not read data from %s", var_tls_rand_source);
+++ else {
+++ egd_success = 1;
+++ RAND_seed(buffer, rand_bytes);
+++ }
+++ }
+++ if (!egd_success) {
+++ msg_info("Lost connection to EGD-device, exiting to reconnect.");
+++ exit(0);
+++ }
+++ } else if (*var_tls_rand_source) {
+++ rand_bytes = RAND_load_file(var_tls_rand_source, var_tls_rand_bytes);
+++ }
+++
+++ /*
+++ * Make prediction difficult for outsiders and calculate the time for the
+++ * next execution randomly.
+++ */
+++ RAND_bytes(&randbyte, 1);
+++ next_period = (var_tls_reseed_period * randbyte) / 255;
+++ event_request_timer(tlsmgr_reseed_event, dummy, next_period);
+++}
+++
+++
+++static int tlsmgr_do_scache_check(DICT *scache_db, int scache_timeout,
+++ int start)
+++{
+++ int func;
+++ int len;
+++ int n;
+++ int delete = 0;
+++ int result;
+++ struct timeval tv;
+++ const char *member;
+++ const char *value;
+++ char *member_copy;
+++ unsigned char nibble, *data;
+++ pfixtls_scache_info_t scache_info;
+++
+++ GETTIMEOFDAY(&tv);
+++ RAND_seed(&tv, sizeof(struct timeval));
+++
+++ /*
+++ * Run through the given dictionary and check the stored sessions.
+++ * If "start" is set to 1, a new run is initiated, otherwise the next
+++ * item is accessed. The state is internally kept in the DICT.
+++ */
+++ if (start)
+++ func = DICT_SEQ_FUN_FIRST;
+++ else
+++ func = DICT_SEQ_FUN_NEXT;
+++ result = dict_seq(scache_db, func, &member, &value);
+++
+++ if (result > 0)
+++ return 0; /* End of list reached */
+++ else if (result < 0)
+++ msg_fatal("Database fault, should already be caught.");
+++ else {
+++ member_copy = mystrdup(member);
+++ len = strlen(value);
+++ RAND_seed(value, len); /* Use it to increase entropy */
+++ if (len < 2 * sizeof(pfixtls_scache_info_t))
+++ delete = 1; /* Messed up, delete */
+++ else if (len > 2 * sizeof(pfixtls_scache_info_t))
+++ len = 2 * sizeof(pfixtls_scache_info_t);
+++ if (!delete) {
+++ data = (unsigned char *)(&scache_info);
+++ memset(data, 0, len / 2);
+++ for (n = 0; n < len; n++) {
+++ if ((value[n] >= '0') && (value[n] <= '9'))
+++ nibble = value[n] - '0';
+++ else
+++ nibble = value[n] - 'A' + 10;
+++ if (n % 2)
+++ data[n / 2] |= nibble;
+++ else
+++ data[n / 2] |= (nibble << 4);
+++ }
+++
+++ if ((scache_info.scache_db_version != scache_db_version) ||
+++ (scache_info.openssl_version != openssl_version) ||
+++ (scache_info.timestamp + scache_timeout < time(NULL)))
+++ delete = 1;
+++ }
+++ if (delete)
+++ result = dict_del(scache_db, member_copy);
+++ myfree(member_copy);
+++ }
+++
+++ if (delete && result)
+++ msg_info("Could not delete %s", member);
+++ return 1;
+++
+++}
+++
+++static void tlsmgr_clnt_cache_run_event(int unused_event, char *dummy)
+++{
+++
+++ /*
+++ * This routine runs when it is time for another tls session cache scan.
+++ * Make sure this routine gets called again in the future.
+++ */
+++ clnt_scache_db_active = tlsmgr_do_scache_check(clnt_scache_db,
+++ var_smtp_tls_scache_timeout, 1);
+++ event_request_timer(tlsmgr_clnt_cache_run_event, dummy,
+++ var_smtp_tls_scache_timeout);
+++}
+++
+++
+++static void tlsmgr_srvr_cache_run_event(int unused_event, char *dummy)
+++{
+++
+++ /*
+++ * This routine runs when it is time for another tls session cache scan.
+++ * Make sure this routine gets called again in the future.
+++ */
+++ srvr_scache_db_active = tlsmgr_do_scache_check(srvr_scache_db,
+++ var_smtpd_tls_scache_timeout, 1);
+++ event_request_timer(tlsmgr_srvr_cache_run_event, dummy,
+++ var_smtpd_tls_scache_timeout);
+++}
+++
+++
+++static DICT *tlsmgr_cache_open(const char *dbname)
+++{
+++ DICT *retval;
+++ char *dbpagname;
+++ char *dbdirname;
+++
+++ /*
+++ * First, try to find out the real name of the database file, so that
+++ * it can be removed.
+++ */
+++ if (!strncmp(dbname, "sdbm:", 5)) {
+++ dbpagname = concatenate(dbname + 5, ".pag", NULL);
+++ REMOVE(dbpagname);
+++ myfree(dbpagname);
+++ dbdirname = concatenate(dbname + 5, ".dir", NULL);
+++ REMOVE(dbdirname);
+++ myfree(dbdirname);
+++ }
+++ else {
+++ msg_warn("Only type sdbm: supported: %s", dbname);
+++ return NULL;
+++ }
+++
+++ /*
+++ * Now open the dictionary. Do it with O_EXCL, so that we only open a
+++ * fresh file. If we cannot open it with a fresh file, then we won't
+++ * touch it.
+++ */
+++ retval = dict_open(dbname, O_RDWR | O_CREAT | O_EXCL,
+++ DICT_FLAG_DUP_REPLACE | DICT_FLAG_LOCK | DICT_FLAG_SYNC_UPDATE);
+++ if (!retval)
+++ msg_warn("Could not create dictionary %s", dbname);
+++ return retval;
+++}
+++
+++/* tlsmgr_trigger_event - respond to external trigger(s) */
+++
+++static void tlsmgr_trigger_event(char *buf, int len,
+++ char *unused_service, char **argv)
+++{
+++ /*
+++ * Sanity check. This service takes no command-line arguments.
+++ */
+++ if (argv[0])
+++ msg_fatal("unexpected command-line argument: %s", argv[0]);
+++
+++}
+++
+++/* tlsmgr_loop - queue manager main loop */
+++
+++static int tlsmgr_loop(char *unused_name, char **unused_argv)
+++{
+++ /*
+++ * This routine runs as part of the event handling loop, after the event
+++ * manager has delivered a timer or I/O event (including the completion
+++ * of a connection to a delivery process), or after it has waited for a
+++ * specified amount of time. The result value of qmgr_loop() specifies
+++ * how long the event manager should wait for the next event.
+++ */
+++#define DONT_WAIT 0
+++#define WAIT_FOR_EVENT (-1)
+++
+++ if (clnt_scache_db_active)
+++ clnt_scache_db_active = tlsmgr_do_scache_check(clnt_scache_db,
+++ var_smtp_tls_scache_timeout, 0);
+++ if (srvr_scache_db_active)
+++ srvr_scache_db_active = tlsmgr_do_scache_check(srvr_scache_db,
+++ var_smtpd_tls_scache_timeout, 0);
+++ if (clnt_scache_db_active || srvr_scache_db_active)
+++ return (DONT_WAIT);
+++ return (WAIT_FOR_EVENT);
+++}
+++
+++/* pre_accept - see if tables have changed */
+++
+++static void pre_accept(char *unused_name, char **unused_argv)
+++{
+++ if (dict_changed()) {
+++ msg_info("table has changed -- exiting");
+++ exit(0);
+++ }
+++}
+++
+++/* tlsmgr_pre_init - pre-jail initialization */
+++
+++static void tlsmgr_pre_init(char *unused_name, char **unused_argv)
+++{
+++ int rand_bytes;
+++ unsigned char buffer[255];
+++
+++ /*
+++ * Access the external sources for random seed. We may not be able to
+++ * access them again if we are sent to chroot jail, so we must leave
+++ * dev: and egd: type sources open.
+++ */
+++ if (*var_tls_rand_source) {
+++ if (!strncmp(var_tls_rand_source, "dev:", 4)) {
+++ /*
+++ * Source is a random device
+++ */
+++ rand_source_dev_fd = open(var_tls_rand_source + 4, 0, 0);
+++ if (rand_source_dev_fd == -1)
+++ msg_fatal("Could not open entropy device %s",
+++ var_tls_rand_source);
+++ if (var_tls_rand_bytes > 255)
+++ var_tls_rand_bytes = 255;
+++ rand_bytes = read(rand_source_dev_fd, buffer, var_tls_rand_bytes);
+++ RAND_seed(buffer, rand_bytes);
+++ } else if (!strncmp(var_tls_rand_source, "egd:", 4)) {
+++ /*
+++ * Source is a EGD compatible socket
+++ */
+++ rand_source_socket_fd = unix_connect(var_tls_rand_source +4,
+++ BLOCKING, 10);
+++ if (rand_source_socket_fd == -1)
+++ msg_fatal("Could not connect to %s", var_tls_rand_source);
+++ if (var_tls_rand_bytes > 255)
+++ var_tls_rand_bytes = 255;
+++ buffer[0] = 1;
+++ buffer[1] = var_tls_rand_bytes;
+++ if (write(rand_source_socket_fd, buffer, 2) != 2)
+++ msg_fatal("Could not talk to %s", var_tls_rand_source);
+++ if (read(rand_source_socket_fd, buffer, 1) != 1)
+++ msg_fatal("Could not read info from %s", var_tls_rand_source);
+++ rand_bytes = buffer[0];
+++ if (read(rand_source_socket_fd, buffer, rand_bytes) != rand_bytes)
+++ msg_fatal("Could not read data from %s", var_tls_rand_source);
+++ RAND_seed(buffer, rand_bytes);
+++ } else {
+++ rand_bytes = RAND_load_file(var_tls_rand_source,
+++ var_tls_rand_bytes);
+++ }
+++ }
+++
+++ /*
+++ * Now open the PRNG exchange file
+++ */
+++ if (*var_tls_rand_exch_name) {
+++ rand_exch_fd = open(var_tls_rand_exch_name, O_RDWR | O_CREAT, 0600);
+++ }
+++
+++ /*
+++ * Finally, open the session cache files. Remove old files, if still there.
+++ * If we could not remove the old files, something is pretty wrong and we
+++ * won't touch it!!
+++ */
+++ if (*var_smtp_tls_scache_db)
+++ clnt_scache_db = tlsmgr_cache_open(var_smtp_tls_scache_db);
+++ if (*var_smtpd_tls_scache_db)
+++ srvr_scache_db = tlsmgr_cache_open(var_smtpd_tls_scache_db);
+++}
+++
+++/* qmgr_post_init - post-jail initialization */
+++
+++static void tlsmgr_post_init(char *unused_name, char **unused_argv)
+++{
+++ unsigned char buffer[1024];
+++
+++ /*
+++ * This routine runs after the skeleton code has entered the chroot jail.
+++ * Prevent automatic process suicide after a limited number of client
+++ * requests or after a limited amount of idle time.
+++ */
+++ var_use_limit = 0;
+++ var_idle_limit = 0;
+++
+++ /*
+++ * Complete thie initialization by reading the additional seed from the
+++ * PRNG exchange file. Don't care how many bytes were actually read, just
+++ * seed buffer into the PRNG, regardless of its contents.
+++ */
+++ if (rand_exch_fd >= 0) {
+++ if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_SHARED) == -1)
+++ msg_fatal("Could not lock random exchange file: %s",
+++ strerror(errno));
+++ read(rand_exch_fd, buffer, 1024);
+++ if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) == -1)
+++ msg_fatal("Could not unlock random exchange file: %s",
+++ strerror(errno));
+++ RAND_seed(buffer, 1024);
+++ tlsmgr_prng_upd_event(0, (char *) 0);
+++ tlsmgr_reseed_event(0, (char *) 0);
+++ }
+++
+++ clnt_scache_db_active = 0;
+++ srvr_scache_db_active = 0;
+++ if (clnt_scache_db)
+++ tlsmgr_clnt_cache_run_event(0, (char *) 0);
+++ if (srvr_scache_db)
+++ tlsmgr_srvr_cache_run_event(0, (char *) 0);
+++}
+++
+++
+++/* main - the main program */
+++
+++int main(int argc, char **argv)
+++{
+++ static CONFIG_STR_TABLE str_table[] = {
+++ VAR_TLS_RAND_SOURCE, DEF_TLS_RAND_SOURCE, &var_tls_rand_source, 0, 0,
+++ 0,
+++ };
+++ static CONFIG_TIME_TABLE time_table[] = {
+++ VAR_TLS_RESEED_PERIOD, DEF_TLS_RESEED_PERIOD, &var_tls_reseed_period, 0, 0,
+++ VAR_TLS_PRNG_UPD_PERIOD, DEF_TLS_PRNG_UPD_PERIOD, &var_tls_prng_upd_period, 0, 0,
+++ 0,
+++ };
+++ static CONFIG_INT_TABLE int_table[] = {
+++ VAR_TLS_RAND_BYTES, DEF_TLS_RAND_BYTES, &var_tls_rand_bytes, 0, 0,
+++ 0,
+++ };
+++
+++ /*
+++ * Use the trigger service skeleton, because no-one else should be
+++ * monitoring our service port while this process runs, and because we do
+++ * not talk back to the client.
+++ */
+++ trigger_server_main(argc, argv, tlsmgr_trigger_event,
+++ MAIL_SERVER_TIME_TABLE, time_table,
+++ MAIL_SERVER_INT_TABLE, int_table,
+++ MAIL_SERVER_STR_TABLE, str_table,
+++ MAIL_SERVER_PRE_INIT, tlsmgr_pre_init,
+++ MAIL_SERVER_POST_INIT, tlsmgr_post_init,
+++ MAIL_SERVER_LOOP, tlsmgr_loop,
+++ MAIL_SERVER_PRE_ACCEPT, pre_accept,
+++ 0);
+++ trigger_server_main(argc, argv, tlsmgr_trigger_event,
+++ MAIL_SERVER_PRE_INIT, tlsmgr_pre_init,
+++ 0);
+++}
+++
+++#else
+++int main(int argc, char **argv)
+++{
+++ msg_fatal("Do not run tlsmgr with TLS support compiled in\n");
+++}
+++#endif
++diff -ruN postfix-2.1.0-vanilla/src/util/Makefile.in postfix-2.1.0/src/util/Makefile.in
++--- postfix-2.1.0-vanilla/src/util/Makefile.in Thu Apr 22 21:37:28 2004
+++++ postfix-2.1.0/src/util/Makefile.in Sat Apr 24 14:35:28 2004
++@@ -28,7 +28,7 @@
++ vstream_popen.c vstring.c vstring_vstream.c watchdog.c writable.c \
++ write_buf.c write_wait.c auto_clnt.c attr_clnt.c attr_scan_plain.c \
++ attr_print_plain.c sane_connect.c neuter.c name_code.c \
++- uppercase.c
+++ uppercase.c dict_sdbm.c sdbm.c
++ OBJS = alldig.o argv.o argv_split.o attr_print0.o attr_print64.o \
++ attr_scan0.o attr_scan64.o base64_code.o basename.o binhash.o \
++ chroot_uid.o clean_env.o close_on_exec.o concatenate.o ctable.o \
++@@ -58,7 +58,7 @@
++ vstream_popen.o vstring.o vstring_vstream.o watchdog.o writable.o \
++ write_buf.o write_wait.o auto_clnt.o attr_clnt.o attr_scan_plain.o \
++ attr_print_plain.o sane_connect.o $(STRCASE) neuter.o name_code.o \
++- uppercase.o
+++ uppercase.o dict_sdbm.o sdbm.o
++ HDRS = argv.h attr.h base64_code.h binhash.h chroot_uid.h clean_env.h \
++ connect.h ctable.h dict.h dict_db.h dict_dbm.h dict_env.h \
++ dict_cidr.h dict_ht.h dict_ni.h dict_nis.h \
++@@ -77,7 +77,7 @@
++ split_at.h stat_as.h stringops.h sys_defs.h timed_connect.h \
++ timed_wait.h trigger.h username.h valid_hostname.h vbuf.h \
++ vbuf_print.h vstream.h vstring.h vstring_vstream.h watchdog.h \
++- auto_clnt.h attr_clnt.h sane_connect.h name_code.h
+++ auto_clnt.h attr_clnt.h sane_connect.h name_code.h dict_sdbm.h sdbm.h
++ TESTSRC = fifo_open.c fifo_rdwr_bug.c fifo_rdonly_bug.c select_bug.c \
++ stream_test.c dup2_pass_on_exec.c
++ DEFS = -I. -D$(SYSTYPE)
++@@ -690,6 +690,7 @@
++ dict_open.o: dict_unix.h
++ dict_open.o: dict_tcp.h
++ dict_open.o: dict_dbm.h
+++dict_open.o: dict_sdbm.h
++ dict_open.o: dict_db.h
++ dict_open.o: dict_nis.h
++ dict_open.o: dict_nisplus.h
++@@ -1365,3 +1366,9 @@
++ write_wait.o: sys_defs.h
++ write_wait.o: msg.h
++ write_wait.o: iostuff.h
+++sdbm.o: sdbm.c
+++sdbm.o: sdbm.h
+++dict_sdbm.o: sdbm.h
+++dict_sdbm.o: dict_sdbm.c
+++dict_sdbm.o: dict_sdbm.h
+++dict_sdbm.o: sys_defs.h
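Review bot: The hand-written dependency lines for dict_sdbm.o at the end of this hunk name only sdbm.h, dict_sdbm.c, dict_sdbm.h and sys_defs.h, yet the new dict_sdbm.c includes msg.h, mymalloc.h, htable.h, iostuff.h, vstring.h, myflock.h, stringops.h and dict.h as well, so a change to dict.h or vstring.h will not cause dict_sdbm.o to be rebuilt. The neighbouring generated entries (write_wait.o just above) list every utility header the object includes; the new entries should follow the same form, e.g. `dict_sdbm.o: dict.h`, `dict_sdbm.o: msg.h`, `dict_sdbm.o: vstring.h`, or be produced by the project's depend step instead of typed in. The same applies to sdbm.o, whose source includes sys_defs-independent system headers only, so its two lines are likely complete, but this should be confirmed once the rest of sdbm.c is reviewed.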
++diff -ruN postfix-2.1.0-vanilla/src/util/dict_open.c postfix-2.1.0/src/util/dict_open.c
++--- postfix-2.1.0-vanilla/src/util/dict_open.c Mon Jan 5 21:55:18 2004
+++++ postfix-2.1.0/src/util/dict_open.c Sat Apr 24 14:35:29 2004
++@@ -167,6 +167,7 @@
++ #include <dict_env.h>
++ #include <dict_unix.h>
++ #include <dict_tcp.h>
+++#include <dict_sdbm.h>
++ #include <dict_dbm.h>
++ #include <dict_db.h>
++ #include <dict_nis.h>
++@@ -194,6 +195,7 @@
++ #ifdef SNAPSHOT
++ DICT_TYPE_TCP, dict_tcp_open,
++ #endif
+++ DICT_TYPE_SDBM, dict_sdbm_open,
++ #ifdef HAS_DBM
++ DICT_TYPE_DBM, dict_dbm_open,
++ #endif
++diff -ruN postfix-2.1.0-vanilla/src/util/dict_sdbm.c postfix-2.1.0/src/util/dict_sdbm.c
++--- postfix-2.1.0-vanilla/src/util/dict_sdbm.c Thu Jan 1 01:00:00 1970
+++++ postfix-2.1.0/src/util/dict_sdbm.c Sat Apr 24 14:35:29 2004
++@@ -0,0 +1,408 @@
+++/*++
+++/* NAME
+++/* dict_sdbm 3
+++/* SUMMARY
+++/* dictionary manager interface to SDBM files
+++/* SYNOPSIS
+++/* #include <dict_sdbm.h>
+++/*
+++/* DICT *dict_sdbm_open(path, open_flags, dict_flags)
+++/* const char *name;
+++/* const char *path;
+++/* int open_flags;
+++/* int dict_flags;
+++/* DESCRIPTION
+++/* dict_sdbm_open() opens the named SDBM database and makes it available
+++/* via the generic interface described in dict_open(3).
+++/* DIAGNOSTICS
+++/* Fatal errors: cannot open file, file write error, out of memory.
+++/* SEE ALSO
+++/* dict(3) generic dictionary manager
+++/* sdbm(3) data base subroutines
+++/* LICENSE
+++/* .ad
+++/* .fi
+++/* The Secure Mailer license must be distributed with this software.
+++/* AUTHOR(S)
+++/* Wietse Venema
+++/* IBM T.J. Watson Research
+++/* P.O. Box 704
+++/* Yorktown Heights, NY 10598, USA
+++/*--*/
+++
+++#include "sys_defs.h"
+++
+++/* System library. */
+++
+++#include <sys/stat.h>
+++#include <string.h>
+++#include <unistd.h>
+++
+++/* Utility library. */
+++
+++#include "msg.h"
+++#include "mymalloc.h"
+++#include "htable.h"
+++#include "iostuff.h"
+++#include "vstring.h"
+++#include "myflock.h"
+++#include "stringops.h"
+++#include "dict.h"
+++#include "dict_sdbm.h"
+++#include "sdbm.h"
+++
+++/* Application-specific. */
+++
+++typedef struct {
+++ DICT dict; /* generic members */
+++ SDBM *dbm; /* open database */
+++ char *path; /* pathname */
+++} DICT_SDBM;
+++
+++/* dict_sdbm_lookup - find database entry */
+++
+++static const char *dict_sdbm_lookup(DICT *dict, const char *name)
+++{
+++ DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
+++ datum dbm_key;
+++ datum dbm_value;
+++ static VSTRING *buf;
+++ const char *result = 0;
+++
+++ dict_errno = 0;
+++
+++ /*
+++ * Acquire an exclusive lock.
+++ */
+++ if ((dict->flags & DICT_FLAG_LOCK)
+++ && myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_SHARED) < 0)
+++ msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
+++
+++ /*
+++ * See if this DBM file was written with one null byte appended to key
+++ * and value.
+++ */
+++ if (dict->flags & DICT_FLAG_TRY1NULL) {
+++ dbm_key.dptr = (void *) name;
+++ dbm_key.dsize = strlen(name) + 1;
+++ dbm_value = sdbm_fetch(dict_sdbm->dbm, dbm_key);
+++ if (dbm_value.dptr != 0) {
+++ dict->flags &= ~DICT_FLAG_TRY0NULL;
+++ result = dbm_value.dptr;
+++ }
+++ }
+++
+++ /*
+++ * See if this DBM file was written with no null byte appended to key and
+++ * value.
+++ */
+++ if (result == 0 && (dict->flags & DICT_FLAG_TRY0NULL)) {
+++ dbm_key.dptr = (void *) name;
+++ dbm_key.dsize = strlen(name);
+++ dbm_value = sdbm_fetch(dict_sdbm->dbm, dbm_key);
+++ if (dbm_value.dptr != 0) {
+++ if (buf == 0)
+++ buf = vstring_alloc(10);
+++ vstring_strncpy(buf, dbm_value.dptr, dbm_value.dsize);
+++ dict->flags &= ~DICT_FLAG_TRY1NULL;
+++ result = vstring_str(buf);
+++ }
+++ }
+++
+++ /*
+++ * Release the exclusive lock.
+++ */
+++ if ((dict->flags & DICT_FLAG_LOCK)
+++ && myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
+++ msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
+++
+++ return (result);
+++}
+++
+++/* dict_sdbm_update - add or update database entry */
+++
+++static void dict_sdbm_update(DICT *dict, const char *name, const char *value)
+++{
+++ DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
+++ datum dbm_key;
+++ datum dbm_value;
+++ int status;
+++
+++ dbm_key.dptr = (void *) name;
+++ dbm_value.dptr = (void *) value;
+++ dbm_key.dsize = strlen(name);
+++ dbm_value.dsize = strlen(value);
+++
+++ /*
+++ * If undecided about appending a null byte to key and value, choose a
+++ * default depending on the platform.
+++ */
+++ if ((dict->flags & DICT_FLAG_TRY1NULL)
+++ && (dict->flags & DICT_FLAG_TRY0NULL)) {
+++#ifdef DBM_NO_TRAILING_NULL
+++ dict->flags &= ~DICT_FLAG_TRY1NULL;
+++#else
+++ dict->flags &= ~DICT_FLAG_TRY0NULL;
+++#endif
+++ }
+++
+++ /*
+++ * Optionally append a null byte to key and value.
+++ */
+++ if (dict->flags & DICT_FLAG_TRY1NULL) {
+++ dbm_key.dsize++;
+++ dbm_value.dsize++;
+++ }
+++
+++ /*
+++ * Acquire an exclusive lock.
+++ */
+++ if ((dict->flags & DICT_FLAG_LOCK)
+++ && myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
+++ msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
+++
+++ /*
+++ * Do the update.
+++ */
+++ if ((status = sdbm_store(dict_sdbm->dbm, dbm_key, dbm_value,
+++ (dict->flags & DICT_FLAG_DUP_REPLACE) ? DBM_REPLACE : DBM_INSERT)) < 0)
+++ msg_fatal("error writing SDBM database %s: %m", dict_sdbm->path);
+++ if (status) {
+++ if (dict->flags & DICT_FLAG_DUP_IGNORE)
+++ /* void */ ;
+++ else if (dict->flags & DICT_FLAG_DUP_WARN)
+++ msg_warn("%s: duplicate entry: \"%s\"", dict_sdbm->path, name);
+++ else
+++ msg_fatal("%s: duplicate entry: \"%s\"", dict_sdbm->path, name);
+++ }
+++
+++ /*
+++ * Release the exclusive lock.
+++ */
+++ if ((dict->flags & DICT_FLAG_LOCK)
+++ && myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
+++ msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
+++}
+++
+++
+++/* dict_sdbm_delete - delete one entry from the dictionary */
+++
+++static int dict_sdbm_delete(DICT *dict, const char *name)
+++{
+++ DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
+++ datum dbm_key;
+++ int status = 1;
+++ int flags = 0;
+++
+++ /*
+++ * Acquire an exclusive lock.
+++ */
+++ if ((dict->flags & DICT_FLAG_LOCK)
+++ && myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
+++ msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
+++
+++ /*
+++ * See if this DBM file was written with one null byte appended to key
+++ * and value.
+++ */
+++ if (dict->flags & DICT_FLAG_TRY1NULL) {
+++ dbm_key.dptr = (void *) name;
+++ dbm_key.dsize = strlen(name) + 1;
+++ sdbm_clearerr(dict_sdbm->dbm);
+++ if ((status = sdbm_delete(dict_sdbm->dbm, dbm_key)) < 0) {
+++ if (sdbm_error(dict_sdbm->dbm) != 0) /* fatal error */
+++ msg_fatal("error deleting from %s: %m", dict_sdbm->path);
+++ status = 1; /* not found */
+++ } else {
+++ dict->flags &= ~DICT_FLAG_TRY0NULL; /* found */
+++ }
+++ }
+++
+++ /*
+++ * See if this DBM file was written with no null byte appended to key and
+++ * value.
+++ */
+++ if (status > 0 && (dict->flags & DICT_FLAG_TRY0NULL)) {
+++ dbm_key.dptr = (void *) name;
+++ dbm_key.dsize = strlen(name);
+++ sdbm_clearerr(dict_sdbm->dbm);
+++ if ((status = sdbm_delete(dict_sdbm->dbm, dbm_key)) < 0) {
+++ if (sdbm_error(dict_sdbm->dbm) != 0) /* fatal error */
+++ msg_fatal("error deleting from %s: %m", dict_sdbm->path);
+++ status = 1; /* not found */
+++ } else {
+++ dict->flags &= ~DICT_FLAG_TRY1NULL; /* found */
+++ }
+++ }
+++
+++ /*
+++ * Release the exclusive lock.
+++ */
+++ if ((dict->flags & DICT_FLAG_LOCK)
+++ && myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
+++ msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
+++
+++ return (status);
+++}
+++
+++/* traverse the dictionary */
+++
+++static int dict_sdbm_sequence(DICT *dict, const int function,
+++ const char **key, const char **value)
+++{
+++ char *myname = "dict_sdbm_sequence";
+++ DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
+++ datum dbm_key;
+++ datum dbm_value;
+++ int status = 0;
+++ static VSTRING *key_buf;
+++ static VSTRING *value_buf;
+++
+++ /*
+++ * Acquire an exclusive lock.
+++ */
+++ if ((dict->flags & DICT_FLAG_LOCK)
+++ && myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
+++ msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
+++
+++ /*
+++ * Determine and execute the seek function. It returns the key.
+++ */
+++ switch (function) {
+++ case DICT_SEQ_FUN_FIRST:
+++ dbm_key = sdbm_firstkey(dict_sdbm->dbm);
+++ break;
+++ case DICT_SEQ_FUN_NEXT:
+++ dbm_key = sdbm_nextkey(dict_sdbm->dbm);
+++ break;
+++ default:
+++ msg_panic("%s: invalid function: %d", myname, function);
+++ }
+++
+++ /*
+++ * Release the exclusive lock.
+++ */
+++ if ((dict->flags & DICT_FLAG_LOCK)
+++ && myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
+++ msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
+++
+++ if (dbm_key.dptr != 0 && dbm_key.dsize > 0) {
+++
+++ /*
+++ * See if this DB file was written with one null byte appended to key
+++ * an d value or not. If necessary, copy the key.
+++ */
+++ if (((char *) dbm_key.dptr)[dbm_key.dsize - 1] == 0) {
+++ *key = dbm_key.dptr;
+++ } else {
+++ if (key_buf == 0)
+++ key_buf = vstring_alloc(10);
+++ vstring_strncpy(key_buf, dbm_key.dptr, dbm_key.dsize);
+++ *key = vstring_str(key_buf);
+++ }
+++
+++ /*
+++ * Fetch the corresponding value.
+++ */
+++ dbm_value = sdbm_fetch(dict_sdbm->dbm, dbm_key);
+++
+++ if (dbm_value.dptr != 0 && dbm_value.dsize > 0) {
+++
+++ /*
+++ * See if this DB file was written with one null byte appended to
+++ * key and value or not. If necessary, copy the key.
+++ */
+++ if (((char *) dbm_value.dptr)[dbm_value.dsize - 1] == 0) {
+++ *value = dbm_value.dptr;
+++ } else {
+++ if (value_buf == 0)
+++ value_buf = vstring_alloc(10);
+++ vstring_strncpy(value_buf, dbm_value.dptr, dbm_value.dsize);
+++ *value = vstring_str(value_buf);
+++ }
+++ } else {
+++
+++ /*
+++ * Determine if we have hit the last record or an error
+++ * condition.
+++ */
+++ if (sdbm_error(dict_sdbm->dbm))
+++ msg_fatal("error seeking %s: %m", dict_sdbm->path);
+++ return (1); /* no error: eof/not found
+++ * (should not happen!) */
+++ }
+++ } else {
+++
+++ /*
+++ * Determine if we have hit the last record or an error condition.
+++ */
+++ if (sdbm_error(dict_sdbm->dbm))
+++ msg_fatal("error seeking %s: %m", dict_sdbm->path);
+++ return (1); /* no error: eof/not found */
+++ }
+++ return (0);
+++}
+++
+++/* dict_sdbm_close - disassociate from data base */
+++
+++static void dict_sdbm_close(DICT *dict)
+++{
+++ DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
+++
+++ sdbm_close(dict_sdbm->dbm);
+++ myfree(dict_sdbm->path);
+++ myfree((char *) dict_sdbm);
+++}
+++
+++/* dict_sdbm_open - open SDBM data base */
+++
+++DICT *dict_sdbm_open(const char *path, int open_flags, int dict_flags)
+++{
+++ DICT_SDBM *dict_sdbm;
+++ struct stat st;
+++ SDBM *dbm;
+++ char *dbm_path;
+++ int lock_fd;
+++
+++ if (dict_flags & DICT_FLAG_LOCK) {
+++ dbm_path = concatenate(path, ".pag", (char *) 0);
+++ if ((lock_fd = open(dbm_path, open_flags, 0644)) < 0)
+++ msg_fatal("open database %s: %m", dbm_path);
+++ if (myflock(lock_fd, INTERNAL_LOCK, MYFLOCK_OP_SHARED) < 0)
+++ msg_fatal("shared-lock database %s for open: %m", dbm_path);
+++ }
+++
+++ /*
+++ * XXX SunOS 5.x has no const in dbm_open() prototype.
+++ */
+++ if ((dbm = sdbm_open((char *) path, open_flags, 0644)) == 0)
+++ msg_fatal("open database %s.{dir,pag}: %m", path);
+++
+++ if (dict_flags & DICT_FLAG_LOCK) {
+++ if (myflock(lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
+++ msg_fatal("unlock database %s for open: %m", dbm_path);
+++ if (close(lock_fd) < 0)
+++ msg_fatal("close database %s: %m", dbm_path);
+++ myfree(dbm_path);
+++ }
+++ dict_sdbm = (DICT_SDBM *) mymalloc(sizeof(*dict_sdbm));
+++ dict_sdbm->dict.lookup = dict_sdbm_lookup;
+++ dict_sdbm->dict.update = dict_sdbm_update;
+++ dict_sdbm->dict.delete = dict_sdbm_delete;
+++ dict_sdbm->dict.sequence = dict_sdbm_sequence;
+++ dict_sdbm->dict.close = dict_sdbm_close;
+++ dict_sdbm->dict.lock_fd = sdbm_dirfno(dbm);
+++ dict_sdbm->dict.stat_fd = sdbm_pagfno(dbm);
+++ if (fstat(dict_sdbm->dict.stat_fd, &st) < 0)
+++ msg_fatal("dict_sdbm_open: fstat: %m");
+++ dict_sdbm->dict.mtime = st.st_mtime;
+++ close_on_exec(sdbm_pagfno(dbm), CLOSE_ON_EXEC);
+++ close_on_exec(sdbm_dirfno(dbm), CLOSE_ON_EXEC);
+++ dict_sdbm->dict.flags = dict_flags | DICT_FLAG_FIXED;
+++ if ((dict_flags & (DICT_FLAG_TRY0NULL | DICT_FLAG_TRY1NULL)) == 0)
+++ dict_sdbm->dict.flags |= (DICT_FLAG_TRY0NULL | DICT_FLAG_TRY1NULL);
+++ dict_sdbm->dbm = dbm;
+++ dict_sdbm->path = mystrdup(path);
+++
+++ return (&dict_sdbm->dict);
+++}
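Review bot: Both file-creating calls in dict_sdbm_open pass mode 0644 (`open(dbm_path, open_flags, 0644)` and `sdbm_open((char *) path, open_flags, 0644)`), so unless the process umask is restrictive the .dir/.pag files are world-readable; the caller visible in this patch is tlsmgr's TLS session cache, and the same patch creates the PRNG exchange file with 0600, so the cache, which holds session state, deserves the same treatment — either pass 0600 here or have tlsmgr set a restrictive umask before tlsmgr_cache_open. In dict_sdbm_lookup the comment says "Acquire an exclusive lock" while the call takes MYFLOCK_OP_SHARED; it should read `Acquire a shared lock.` (update, delete and sequence do take exclusive locks, so their comments are right). With DICT_FLAG_LOCK set, the lock open creates the .pag file using the caller's open_flags before sdbm_open is called with those same flags; if sdbm_open also applies O_EXCL to the .pag file, which tlsmgr_cache_open requests, the second open would fail with EEXIST — worth confirming against the sdbm open routine, which is outside this hunk. The SYNOPSIS comment also lists a `const char *name;` that is not a parameter of dict_sdbm_open and can be dropped.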
++diff -ruN postfix-2.1.0-vanilla/src/util/dict_sdbm.h postfix-2.1.0/src/util/dict_sdbm.h
++--- postfix-2.1.0-vanilla/src/util/dict_sdbm.h Thu Jan 1 01:00:00 1970
+++++ postfix-2.1.0/src/util/dict_sdbm.h Sat Apr 24 14:35:29 2004
++@@ -0,0 +1,37 @@
+++#ifndef _DICT_SDBM_H_INCLUDED_
+++#define _DICT_SDBM_H_INCLUDED_
+++
+++/*++
+++/* NAME
+++/* dict_dbm 3h
+++/* SUMMARY
+++/* dictionary manager interface to DBM files
+++/* SYNOPSIS
+++/* #include <dict_dbm.h>
+++/* DESCRIPTION
+++/* .nf
+++
+++ /*
+++ * Utility library.
+++ */
+++#include <dict.h>
+++
+++ /*
+++ * External interface.
+++ */
+++#define DICT_TYPE_SDBM "sdbm"
+++
+++extern DICT *dict_sdbm_open(const char *, int, int);
+++
+++/* LICENSE
+++/* .ad
+++/* .fi
+++/* The Secure Mailer license must be distributed with this software.
+++/* AUTHOR(S)
+++/* Wietse Venema
+++/* IBM T.J. Watson Research
+++/* P.O. Box 704
+++/* Yorktown Heights, NY 10598, USA
+++/*--*/
+++
+++#endif
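Review bot: The manual-page block in this new header still carries the dict_dbm text it was copied from: NAME says `dict_dbm 3h`, SUMMARY says "dictionary manager interface to DBM files" and SYNOPSIS says `#include <dict_dbm.h>`, none of which describe this file. They should read `dict_sdbm 3h`, `dictionary manager interface to SDBM files` and `#include <dict_sdbm.h>` so that the generated documentation points at the right module.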
++diff -ruN postfix-2.1.0-vanilla/src/util/sdbm.c postfix-2.1.0/src/util/sdbm.c
++--- postfix-2.1.0-vanilla/src/util/sdbm.c Thu Jan 1 01:00:00 1970
+++++ postfix-2.1.0/src/util/sdbm.c Sat Apr 24 14:35:29 2004
++@@ -0,0 +1,971 @@
+++/*++
+++/* NAME
+++/* sdbm 3h
+++/* SUMMARY
+++/* SDBM Simple DBM: ndbm work-alike hashed database library
+++/* SYNOPSIS
+++/* include "sdbm.h"
+++/* DESCRIPTION
+++/* This file includes the public domain SDBM (ndbm work-alike hashed
+++/* database library), based on Per-Aake Larson's Dynamic Hashing
+++/* algorithms. BIT 18 (1978).
+++/* author: oz at nexus.yorku.ca
+++/* status: public domain
+++/* The file has been patched following the advice of Uwe Ohse
+++/* <uwe at ohse.de>:
+++/* --------------------------------------------------------------
+++/* this patch fixes a problem with sdbms .dir file, which arrises when
+++/* a second .dir block is needed for the first time. read() returns 0
+++/* in that case, and the library forgot to initialize that new block.
+++/*
+++/* A related problem is that the calculation of db->maxbno is wrong.
+++/* It just appends 4096*BYTESIZ bits, which is not enough except for
+++/* small databases (.dir basically doubles everytime it's too small).
+++/* --------------------------------------------------------------
+++/* According to Uwe Ohse, the patch has also been submitted to the
+++/* author of SDBM. (The 4096*BYTESIZ bits comment may apply with a
+++/* different size for Postfix/TLS, as the patch was sent against the
+++/* original SDBM distributiona and for Postfix/TLS I have changed the
+++/* default sizes.
+++/* .nf
+++/*--*/
+++
+++/*
+++ * sdbm - ndbm work-alike hashed database library
+++ * based on Per-Aake Larson's Dynamic Hashing algorithms. BIT 18 (1978).
+++ * author: oz at nexus.yorku.ca
+++ * status: public domain.
+++ *
+++ * core routines
+++ */
+++
+++#include <stdio.h>
+++#include <stdlib.h>
+++#ifdef WIN32
+++#include <io.h>
+++#include <errno.h>
+++#else
+++#include <unistd.h>
+++#endif
+++#include <sys/types.h>
+++#include <sys/stat.h>
+++#include <fcntl.h>
+++#include <errno.h>
+++#include <string.h>
+++#ifdef __STDC__
+++#include <stddef.h>
+++#endif
+++
+++#include <sdbm.h>
+++
+++/*
+++ * useful macros
+++ */
+++#define bad(x) ((x).dptr == NULL || (x).dsize <= 0)
+++#define exhash(item) sdbm_hash((item).dptr, (item).dsize)
+++#define ioerr(db) ((db)->flags |= DBM_IOERR)
+++
+++#define OFF_PAG(off) (long) (off) * PBLKSIZ
+++#define OFF_DIR(off) (long) (off) * DBLKSIZ
+++
+++static long masks[] =
+++{
+++ 000000000000, 000000000001, 000000000003, 000000000007,
+++ 000000000017, 000000000037, 000000000077, 000000000177,
+++ 000000000377, 000000000777, 000000001777, 000000003777,
+++ 000000007777, 000000017777, 000000037777, 000000077777,
+++ 000000177777, 000000377777, 000000777777, 000001777777,
+++ 000003777777, 000007777777, 000017777777, 000037777777,
+++ 000077777777, 000177777777, 000377777777, 000777777777,
+++ 001777777777, 003777777777, 007777777777, 017777777777
+++};
+++
+++datum nullitem =
+++{NULL, 0};
+++
+++typedef struct
+++{
+++ int dirf; /* directory file descriptor */
+++ int pagf; /* page file descriptor */
+++ int flags; /* status/error flags, see below */
+++ long maxbno; /* size of dirfile in bits */
+++ long curbit; /* current bit number */
+++ long hmask; /* current hash mask */
+++ long blkptr; /* current block for nextkey */
+++ int keyptr; /* current key for nextkey */
+++ long blkno; /* current page to read/write */
+++ long pagbno; /* current page in pagbuf */
+++ char *pagbuf; /* page file block buffer */
+++ long dirbno; /* current block in dirbuf */
+++ char *dirbuf; /* directory file block buffer */
+++} DBM;
+++
+++
+++/* ************************* */
+++
+++/*
+++ * sdbm - ndbm work-alike hashed database library
+++ * based on Per-Aake Larson's Dynamic Hashing algorithms. BIT 18 (1978).
+++ * author: oz at nexus.yorku.ca
+++ * status: public domain. keep it that way.
+++ *
+++ * hashing routine
+++ */
+++
+++/*
+++ * polynomial conversion ignoring overflows
+++ * [this seems to work remarkably well, in fact better
+++ * then the ndbm hash function. Replace at your own risk]
+++ * use: 65599 nice.
+++ * 65587 even better.
+++ */
+++static long sdbm_hash (char *str, int len)
+++{
+++ unsigned long n = 0;
+++
+++#ifdef DUFF
+++#define HASHC n = *str++ + 65599 * n
+++ if (len > 0)
+++ {
+++ int loop = (len + 8 - 1) >> 3;
+++
+++ switch (len & (8 - 1))
+++ {
+++ case 0:
+++ do
+++ {
+++ HASHC;
+++ case 7:
+++ HASHC;
+++ case 6:
+++ HASHC;
+++ case 5:
+++ HASHC;
+++ case 4:
+++ HASHC;
+++ case 3:
+++ HASHC;
+++ case 2:
+++ HASHC;
+++ case 1:
+++ HASHC;
+++ }
+++ while (--loop);
+++ }
+++
+++ }
+++#else
+++ while (len--)
+++ n = *str++ + 65599 * n;
+++#endif
+++ return n;
+++}
+++
+++/*
+++ * check page sanity:
+++ * number of entries should be something
+++ * reasonable, and all offsets in the index should be in order.
+++ * this could be made more rigorous.
+++ */
+++static int chkpage (char *pag)
+++{
+++ int n;
+++ int off;
+++ short *ino = (short *) pag;
+++
+++ if ((n = ino[0]) < 0 || n > PBLKSIZ / sizeof (short))
+++ return 0;
+++
+++ if (n > 0)
+++ {
+++ off = PBLKSIZ;
+++ for (ino++; n > 0; ino += 2)
+++ {
+++ if (ino[0] > off || ino[1] > off ||
+++ ino[1] > ino[0])
+++ return 0;
+++ off = ino[1];
+++ n -= 2;
+++ }
+++ }
+++ return 1;
+++}
+++
+++/*
+++ * search for the key in the page.
+++ * return offset index in the range 0 < i < n.
+++ * return 0 if not found.
+++ */
+++static int seepair (char *pag, int n, char *key, int siz)
+++{
+++ int i;
+++ int off = PBLKSIZ;
+++ short *ino = (short *) pag;
+++
+++ for (i = 1; i < n; i += 2)
+++ {
+++ if (siz == off - ino[i] &&
+++ memcmp (key, pag + ino[i], siz) == 0)
+++ return i;
+++ off = ino[i + 1];
+++ }
+++ return 0;
+++}
+++
+++#ifdef SEEDUPS
+++static int duppair (char *pag, datum key)
+++{
+++ short *ino = (short *) pag;
+++
+++ return ino[0] > 0 && seepair (pag, ino[0], key.dptr, key.dsize) > 0;
+++}
+++
+++#endif
+++
+++/* ************************* */
+++
+++/*
+++ * sdbm - ndbm work-alike hashed database library
+++ * based on Per-Aake Larson's Dynamic Hashing algorithms. BIT 18 (1978).
+++ * author: oz at nexus.yorku.ca
+++ * status: public domain.
+++ *
+++ * page-level routines
+++ */
+++
+++/*
+++ * page format:
+++ * +------------------------------+
+++ * ino | n | keyoff | datoff | keyoff |
+++ * +------------+--------+--------+
+++ * | datoff | - - - ----> |
+++ * +--------+---------------------+
+++ * | F R E E A R E A |
+++ * +--------------+---------------+
+++ * | <---- - - - | data |
+++ * +--------+-----+----+----------+
+++ * | key | data | key |
+++ * +--------+----------+----------+
+++ *
+++ * calculating the offsets for free area: if the number
+++ * of entries (ino[0]) is zero, the offset to the END of
+++ * the free area is the block size. Otherwise, it is the
+++ * nth (ino[ino[0]]) entry's offset.
+++ */
+++
+++static int fitpair (char *pag, int need)
+++{
+++ int n;
+++ int off;
+++ int avail;
+++ short *ino = (short *) pag;
+++
+++ off = ((n = ino[0]) > 0) ? ino[n] : PBLKSIZ;
+++ avail = off - (n + 1) * sizeof (short);
+++ need += 2 * sizeof (short);
+++
+++ return need <= avail;
+++}
+++
+++static void putpair (char *pag, datum key, datum val)
+++{
+++ int n;
+++ int off;
+++ short *ino = (short *) pag;
+++
+++ off = ((n = ino[0]) > 0) ? ino[n] : PBLKSIZ;
+++/*
+++ * enter the key first
+++ */
+++ off -= key.dsize;
+++ (void) memcpy (pag + off, key.dptr, key.dsize);
+++ ino[n + 1] = off;
+++/*
+++ * now the data
+++ */
+++ off -= val.dsize;
+++ (void) memcpy (pag + off, val.dptr, val.dsize);
+++ ino[n + 2] = off;
+++/*
+++ * adjust item count
+++ */
+++ ino[0] += 2;
+++}
+++
+++static datum getpair (char *pag, datum key)
+++{
+++ int i;
+++ int n;
+++ datum val;
+++ short *ino = (short *) pag;
+++
+++ if ((n = ino[0]) == 0)
+++ return nullitem;
+++
+++ if ((i = seepair (pag, n, key.dptr, key.dsize)) == 0)
+++ return nullitem;
+++
+++ val.dptr = pag + ino[i + 1];
+++ val.dsize = ino[i] - ino[i + 1];
+++ return val;
+++}
+++
+++static datum getnkey (char *pag, int num)
+++{
+++ datum key;
+++ int off;
+++ short *ino = (short *) pag;
+++
+++ num = num * 2 - 1;
+++ if (ino[0] == 0 || num > ino[0])
+++ return nullitem;
+++
+++ off = (num > 1) ? ino[num - 1] : PBLKSIZ;
+++
+++ key.dptr = pag + ino[num];
+++ key.dsize = off - ino[num];
+++
+++ return key;
+++}
+++
+++static int delpair (char *pag, datum key)
+++{
+++ int n;
+++ int i;
+++ short *ino = (short *) pag;
+++
+++ if ((n = ino[0]) == 0)
+++ return 0;
+++
+++ if ((i = seepair (pag, n, key.dptr, key.dsize)) == 0)
+++ return 0;
+++/*
+++ * found the key. if it is the last entry
+++ * [i.e. i == n - 1] we just adjust the entry count.
+++ * hard case: move all data down onto the deleted pair,
+++ * shift offsets onto deleted offsets, and adjust them.
+++ * [note: 0 < i < n]
+++ */
+++ if (i < n - 1)
+++ {
+++ int m;
+++ char *dst = pag + (i == 1 ? PBLKSIZ : ino[i - 1]);
+++ char *src = pag + ino[i + 1];
+++ int zoo = dst - src;
+++
+++/*
+++ * shift data/keys down
+++ */
+++ m = ino[i + 1] - ino[n];
+++#ifdef DUFF
+++#define MOVB *--dst = *--src
+++ if (m > 0)
+++ {
+++ int loop = (m + 8 - 1) >> 3;
+++
+++ switch (m & (8 - 1))
+++ {
+++ case 0:
+++ do
+++ {
+++ MOVB;
+++ case 7:
+++ MOVB;
+++ case 6:
+++ MOVB;
+++ case 5:
+++ MOVB;
+++ case 4:
+++ MOVB;
+++ case 3:
+++ MOVB;
+++ case 2:
+++ MOVB;
+++ case 1:
+++ MOVB;
+++ }
+++ while (--loop);
+++ }
+++ }
+++#else
+++ dst -= m;
+++ src -= m;
+++ memmove (dst, src, m);
+++#endif
+++/*
+++ * adjust offset index up
+++ */
+++ while (i < n - 1)
+++ {
+++ ino[i] = ino[i + 2] + zoo;
+++ i++;
+++ }
+++ }
+++ ino[0] -= 2;
+++ return 1;
+++}
+++
+++static void splpage (char *pag, char *new, long sbit)
+++{
+++ datum key;
+++ datum val;
+++
+++ int n;
+++ int off = PBLKSIZ;
+++ char cur[PBLKSIZ];
+++ short *ino = (short *) cur;
+++
+++ (void) memcpy (cur, pag, PBLKSIZ);
+++ (void) memset (pag, 0, PBLKSIZ);
+++ (void) memset (new, 0, PBLKSIZ);
+++
+++ n = ino[0];
+++ for (ino++; n > 0; ino += 2)
+++ {
+++ key.dptr = cur + ino[0];
+++ key.dsize = off - ino[0];
+++ val.dptr = cur + ino[1];
+++ val.dsize = ino[0] - ino[1];
+++/*
+++ * select the page pointer (by looking at sbit) and insert
+++ */
+++ (void) putpair ((exhash (key) & sbit) ? new : pag, key, val);
+++
+++ off = ino[1];
+++ n -= 2;
+++ }
+++}
+++
+++static int getdbit (DBM * db, long dbit)
+++{
+++ long c;
+++ long dirb;
+++
+++ c = dbit / BYTESIZ;
+++ dirb = c / DBLKSIZ;
+++
+++ if (dirb != db->dirbno)
+++ {
+++ int got;
+++ if (lseek (db->dirf, OFF_DIR (dirb), SEEK_SET) < 0
+++ || (got = read(db->dirf, db->dirbuf, DBLKSIZ)) < 0)
+++ return 0;
+++ if (got==0)
+++ memset(db->dirbuf,0,DBLKSIZ);
+++ db->dirbno = dirb;
+++ }
+++
+++ return db->dirbuf[c % DBLKSIZ] & (1 << dbit % BYTESIZ);
+++}
+++
+++static int setdbit (DBM * db, long dbit)
+++{
+++ long c;
+++ long dirb;
+++
+++ c = dbit / BYTESIZ;
+++ dirb = c / DBLKSIZ;
+++
+++ if (dirb != db->dirbno)
+++ {
+++ int got;
+++ if (lseek (db->dirf, OFF_DIR (dirb), SEEK_SET) < 0
+++ || (got = read(db->dirf, db->dirbuf, DBLKSIZ)) < 0)
+++ return 0;
+++ if (got==0)
+++ memset(db->dirbuf,0,DBLKSIZ);
+++ db->dirbno = dirb;
+++ }
+++
+++ db->dirbuf[c % DBLKSIZ] |= (1 << dbit % BYTESIZ);
+++
+++#if 0
+++ if (dbit >= db->maxbno)
+++ db->maxbno += DBLKSIZ * BYTESIZ;
+++#else
+++ if (OFF_DIR((dirb+1))*BYTESIZ > db->maxbno)
+++ db->maxbno=OFF_DIR((dirb+1))*BYTESIZ;
+++#endif
+++
+++ if (lseek (db->dirf, OFF_DIR (dirb), SEEK_SET) < 0
+++ || write (db->dirf, db->dirbuf, DBLKSIZ) < 0)
+++ return 0;
+++
+++ return 1;
+++}
+++
+++/*
+++ * getnext - get the next key in the page, and if done with
+++ * the page, try the next page in sequence
+++ */
+++static datum getnext (DBM * db)
+++{
+++ datum key;
+++
+++ for (;;)
+++ {
+++ db->keyptr++;
+++ key = getnkey (db->pagbuf, db->keyptr);
+++ if (key.dptr != NULL)
+++ return key;
+++/*
+++ * we either run out, or there is nothing on this page..
+++ * try the next one... If we lost our position on the
+++ * file, we will have to seek.
+++ */
+++ db->keyptr = 0;
+++ if (db->pagbno != db->blkptr++)
+++ if (lseek (db->pagf, OFF_PAG (db->blkptr), SEEK_SET) < 0)
+++ break;
+++ db->pagbno = db->blkptr;
+++ if (read (db->pagf, db->pagbuf, PBLKSIZ) <= 0)
+++ break;
+++ if (!chkpage (db->pagbuf))
+++ break;
+++ }
+++
+++ return ioerr (db), nullitem;
+++}
+++
+++/*
+++ * all important binary trie traversal
+++ */
+++static int getpage (DBM * db, long hash)
+++{
+++ int hbit;
+++ long dbit;
+++ long pagb;
+++
+++ dbit = 0;
+++ hbit = 0;
+++ while (dbit < db->maxbno && getdbit (db, dbit))
+++ dbit = 2 * dbit + ((hash & (1 << hbit++)) ? 2 : 1);
+++
+++ db->curbit = dbit;
+++ db->hmask = masks[hbit];
+++
+++ pagb = hash & db->hmask;
+++/*
+++ * see if the block we need is already in memory.
+++ * note: this lookaside cache has about 10% hit rate.
+++ */
+++ if (pagb != db->pagbno)
+++ {
+++/*
+++ * note: here, we assume a "hole" is read as 0s.
+++ * if not, must zero pagbuf first.
+++ */
+++ if (lseek (db->pagf, OFF_PAG (pagb), SEEK_SET) < 0
+++ || read (db->pagf, db->pagbuf, PBLKSIZ) < 0)
+++ return 0;
+++ if (!chkpage (db->pagbuf))
+++ return 0;
+++ db->pagbno = pagb;
+++ }
+++ return 1;
+++}
+++
+++/*
+++ * makroom - make room by splitting the overfull page
+++ * this routine will attempt to make room for SPLTMAX times before
+++ * giving up.
+++ */
+++static int makroom (DBM * db, long hash, int need)
+++{
+++ long newp;
+++ char twin[PBLKSIZ];
+++ char *pag = db->pagbuf;
+++ char *new = twin;
+++ int smax = SPLTMAX;
+++
+++ do
+++ {
+++/*
+++ * split the current page
+++ */
+++ (void) splpage (pag, new, db->hmask + 1);
+++/*
+++ * address of the new page
+++ */
+++ newp = (hash & db->hmask) | (db->hmask + 1);
+++
+++/*
+++ * write delay, read avoidence/cache shuffle:
+++ * select the page for incoming pair: if key is to go to the new page,
+++ * write out the previous one, and copy the new one over, thus making
+++ * it the current page. If not, simply write the new page, and we are
+++ * still looking at the page of interest. current page is not updated
+++ * here, as sdbm_store will do so, after it inserts the incoming pair.
+++ */
+++ if (hash & (db->hmask + 1))
+++ {
+++ if (lseek (db->pagf, OFF_PAG (db->pagbno), SEEK_SET) < 0
+++ || write (db->pagf, db->pagbuf, PBLKSIZ) < 0)
+++ return 0;
+++ db->pagbno = newp;
+++ (void) memcpy (pag, new, PBLKSIZ);
+++ }
+++ else if (lseek (db->pagf, OFF_PAG (newp), SEEK_SET) < 0
+++ || write (db->pagf, new, PBLKSIZ) < 0)
+++ return 0;
+++
+++ if (!setdbit (db, db->curbit))
+++ return 0;
+++/*
+++ * see if we have enough room now
+++ */
+++ if (fitpair (pag, need))
+++ return 1;
+++/*
+++ * try again... update curbit and hmask as getpage would have
+++ * done. because of our update of the current page, we do not
+++ * need to read in anything. BUT we have to write the current
+++ * [deferred] page out, as the window of failure is too great.
+++ */
+++ db->curbit = 2 * db->curbit +
+++ ((hash & (db->hmask + 1)) ? 2 : 1);
+++ db->hmask |= db->hmask + 1;
+++
+++ if (lseek (db->pagf, OFF_PAG (db->pagbno), SEEK_SET) < 0
+++ || write (db->pagf, db->pagbuf, PBLKSIZ) < 0)
+++ return 0;
+++
+++ }
+++ while (--smax);
+++/*
+++ * if we are here, this is real bad news. After SPLTMAX splits,
+++ * we still cannot fit the key. say goodnight.
+++ */
+++#ifdef BADMESS
+++ (void) write (2, "sdbm: cannot insert after SPLTMAX attempts.\n", 44);
+++#endif
+++ return 0;
+++
+++}
+++
+++static SDBM *sdbm_prep (char *dirname, char *pagname, int flags, int mode)
+++{
+++ SDBM *db;
+++ struct stat dstat;
+++
+++ if ((db = (SDBM *) mymalloc (sizeof (SDBM))) == NULL)
+++ return errno = ENOMEM, (SDBM *) NULL;
+++
+++ db->flags = 0;
+++ db->blkptr = 0;
+++ db->keyptr = 0;
+++/*
+++ * adjust user flags so that WRONLY becomes RDWR,
+++ * as required by this package. Also set our internal
+++ * flag for RDONLY if needed.
+++ */
+++ if (flags & O_WRONLY)
+++ flags = (flags & ~O_WRONLY) | O_RDWR;
+++ else if ((flags & 03) == O_RDONLY)
+++ db->flags = DBM_RDONLY;
+++#if defined(OS2) || defined(MSDOS) || defined(WIN32)
+++ flags |= O_BINARY;
+++#endif
+++
+++/*
+++ * Make sure to ignore the O_EXCL option, as the file might exist due
+++ * to the locking.
+++ */
+++ flags &= ~O_EXCL;
+++
+++/*
+++ * open the files in sequence, and stat the dirfile.
+++ * If we fail anywhere, undo everything, return NULL.
+++ */
+++
+++ if ((db->pagf = open (pagname, flags, mode)) > -1)
+++ {
+++ if ((db->dirf = open (dirname, flags, mode)) > -1)
+++ {
+++/*
+++ * need the dirfile size to establish max bit number.
+++ */
+++ if (fstat (db->dirf, &dstat) == 0)
+++ {
+++ /*
+++ * success
+++ */
+++ return db;
+++ }
+++ msg_info ("closing dirf");
+++ (void) close (db->dirf);
+++ }
+++ msg_info ("closing pagf");
+++ (void) close (db->pagf);
+++ }
+++ myfree ((char *) db);
+++ return (SDBM *) NULL;
+++}
+++
+++static DBM *sdbm_internal_open (SDBM * sdbm)
+++{
+++ DBM *db;
+++ struct stat dstat;
+++
+++ if ((db = (DBM *) mymalloc (sizeof (DBM))) == NULL)
+++ return errno = ENOMEM, (DBM *) NULL;
+++
+++ db->flags = sdbm->flags;
+++ db->hmask = 0;
+++ db->blkptr = sdbm->blkptr;
+++ db->keyptr = sdbm->keyptr;
+++ db->pagf = sdbm->pagf;
+++ db->dirf = sdbm->dirf;
+++ db->pagbuf = sdbm->pagbuf;
+++ db->dirbuf = sdbm->dirbuf;
+++
+++/*
+++ * need the dirfile size to establish max bit number.
+++ */
+++ if (fstat (db->dirf, &dstat) == 0)
+++ {
+++/*
+++ * zero size: either a fresh database, or one with a single,
+++ * unsplit data page: dirpage is all zeros.
+++ */
+++ db->dirbno = (!dstat.st_size) ? 0 : -1;
+++ db->pagbno = -1;
+++ db->maxbno = dstat.st_size * BYTESIZ;
+++
+++ (void) memset (db->pagbuf, 0, PBLKSIZ);
+++ (void) memset (db->dirbuf, 0, DBLKSIZ);
+++ return db;
+++ }
+++ myfree ((char *) db);
+++ return (DBM *) NULL;
+++}
+++
+++static void sdbm_internal_close (DBM * db)
+++{
+++ if (db == NULL)
+++ errno = EINVAL;
+++ else
+++ {
+++ myfree ((char *) db);
+++ }
+++}
+++
+++datum sdbm_fetch (SDBM * sdb, datum key)
+++{
+++ datum retval;
+++ DBM *db;
+++
+++ if (sdb == NULL || bad (key))
+++ return errno = EINVAL, nullitem;
+++
+++ if (!(db = sdbm_internal_open (sdb)))
+++ return errno = EINVAL, nullitem;
+++
+++ if (getpage (db, exhash (key)))
+++ {
+++ retval = getpair (db->pagbuf, key);
+++ sdbm_internal_close (db);
+++ return retval;
+++ }
+++
+++ sdbm_internal_close (db);
+++
+++ return ioerr (sdb), nullitem;
+++}
+++
+++int sdbm_delete (SDBM * sdb, datum key)
+++{
+++ int retval;
+++ DBM *db;
+++
+++ if (sdb == NULL || bad (key))
+++ return errno = EINVAL, -1;
+++ if (sdbm_rdonly (sdb))
+++ return errno = EPERM, -1;
+++
+++ if (!(db = sdbm_internal_open (sdb)))
+++ return errno = EINVAL, -1;
+++
+++ if (getpage (db, exhash (key)))
+++ {
+++ if (!delpair (db->pagbuf, key))
+++ retval = -1;
+++/*
+++ * update the page file
+++ */
+++ else if (lseek (db->pagf, OFF_PAG (db->pagbno), SEEK_SET) < 0
+++ || write (db->pagf, db->pagbuf, PBLKSIZ) < 0)
+++ retval = ioerr (sdb), -1;
+++ else
+++ retval = 0;
+++ }
+++ else
+++ retval = ioerr (sdb), -1;
+++
+++ sdbm_internal_close (db);
+++
+++ return retval;
+++}
+++
+++int sdbm_store (SDBM * sdb, datum key, datum val, int flags)
+++{
+++ int need;
+++ int retval;
+++ long hash;
+++ DBM *db;
+++
+++ if (sdb == NULL || bad (key))
+++ return errno = EINVAL, -1;
+++ if (sdbm_rdonly (sdb))
+++ return errno = EPERM, -1;
+++
+++ need = key.dsize + val.dsize;
+++/*
+++ * is the pair too big (or too small) for this database ??
+++ */
+++ if (need < 0 || need > PAIRMAX)
+++ return errno = EINVAL, -1;
+++
+++ if (!(db = sdbm_internal_open (sdb)))
+++ return errno = EINVAL, -1;
+++
+++ if (getpage (db, (hash = exhash (key))))
+++ {
+++/*
+++ * if we need to replace, delete the key/data pair
+++ * first. If it is not there, ignore.
+++ */
+++ if (flags == DBM_REPLACE)
+++ (void) delpair (db->pagbuf, key);
+++#ifdef SEEDUPS
+++ else if (duppair (db->pagbuf, key))
+++ {
+++ sdbm_internal_close (db);
+++ return 1;
+++ }
+++#endif
+++/*
+++ * if we do not have enough room, we have to split.
+++ */
+++ if (!fitpair (db->pagbuf, need))
+++ if (!makroom (db, hash, need))
+++ {
+++ sdbm_internal_close (db);
+++ return ioerr (db), -1;
+++ }
+++/*
+++ * we have enough room or split is successful. insert the key,
+++ * and update the page file.
+++ */
+++ (void) putpair (db->pagbuf, key, val);
+++
+++ if (lseek (db->pagf, OFF_PAG (db->pagbno), SEEK_SET) < 0
+++ || write (db->pagf, db->pagbuf, PBLKSIZ) < 0)
+++ {
+++ sdbm_internal_close (db);
+++ return ioerr (db), -1;
+++ }
+++ /*
+++ * success
+++ */
+++ sdbm_internal_close (db);
+++ return 0;
+++ }
+++
+++ sdbm_internal_close (db);
+++ return ioerr (sdb), -1;
+++}
+++
+++/*
+++ * the following two routines will break if
+++ * deletions aren't taken into account. (ndbm bug)
+++ */
+++datum sdbm_firstkey (SDBM * sdb)
+++{
+++ datum retval;
+++ DBM *db;
+++
+++ if (sdb == NULL)
+++ return errno = EINVAL, nullitem;
+++
+++ if (!(db = sdbm_internal_open (sdb)))
+++ return errno = EINVAL, nullitem;
+++
+++/*
+++ * start at page 0
+++ */
+++ if (lseek (db->pagf, OFF_PAG (0), SEEK_SET) < 0
+++ || read (db->pagf, db->pagbuf, PBLKSIZ) < 0)
+++ {
+++ sdbm_internal_close (db);
+++ return ioerr (sdb), nullitem;
+++ }
+++ db->pagbno = 0;
+++ db->blkptr = 0;
+++ db->keyptr = 0;
+++
+++ retval = getnext (db);
+++ sdb->blkptr = db->blkptr;
+++ sdb->keyptr = db->keyptr;
+++ sdbm_internal_close (db);
+++ return retval;
+++}
+++
+++datum sdbm_nextkey (SDBM * sdb)
+++{
+++ datum retval;
+++ DBM *db;
+++
+++ if (sdb == NULL)
+++ return errno = EINVAL, nullitem;
+++
+++ if (!(db = sdbm_internal_open (sdb)))
+++ return errno = EINVAL, nullitem;
+++
+++ retval = getnext (db);
+++ sdb->blkptr = db->blkptr;
+++ sdb->keyptr = db->keyptr;
+++ sdbm_internal_close (db);
+++ return retval;
+++}
+++
+++void sdbm_close (SDBM * db)
+++{
+++ if (db == NULL)
+++ errno = EINVAL;
+++ else
+++ {
+++ (void) close (db->dirf);
+++ (void) close (db->pagf);
+++ myfree ((char *) db);
+++ }
+++}
+++
+++SDBM *sdbm_open (char *file, int flags, int mode)
+++{
+++ SDBM *db;
+++ char *dirname;
+++ char *pagname;
+++ int n;
+++
+++ if (file == NULL || !*file)
+++ return errno = EINVAL, (SDBM *) NULL;
+++/*
+++ * need space for two seperate filenames
+++ */
+++ n = strlen (file) * 2 + strlen (DIRFEXT) + strlen (PAGFEXT) + 2;
+++
+++ if ((dirname = (char *) mymalloc ((unsigned) n)) == NULL)
+++ return errno = ENOMEM, (SDBM *) NULL;
+++/*
+++ * build the file names
+++ */
+++ dirname = strcat (strcpy (dirname, file), DIRFEXT);
+++ pagname = strcpy (dirname + strlen (dirname) + 1, file);
+++ pagname = strcat (pagname, PAGFEXT);
+++
+++ db = sdbm_prep (dirname, pagname, flags, mode);
+++ myfree ((char *) dirname);
+++ return db;
+++}
+++
++diff -ruN postfix-2.1.0-vanilla/src/util/sdbm.h postfix-2.1.0/src/util/sdbm.h
++--- postfix-2.1.0-vanilla/src/util/sdbm.h Thu Jan 1 01:00:00 1970
+++++ postfix-2.1.0/src/util/sdbm.h Sat Apr 24 14:35:29 2004
++@@ -0,0 +1,97 @@
+++/*++
+++/* NAME
+++/* sdbm 3h
+++/* SUMMARY
+++/* SDBM Simple DBM: ndbm work-alike hashed database library
+++/* SYNOPSIS
+++/* include "sdbm.h"
+++/* DESCRIPTION
+++/* .nf
+++/*--*/
+++
+++#ifndef UTIL_SDBM_H
+++#define UTIL_SDBM_H
+++
+++/*
+++ * sdbm - ndbm work-alike hashed database library
+++ * based on Per-Ake Larson's Dynamic Hashing algorithms. BIT 18 (1978).
+++ * author: oz at nexus.yorku.ca
+++ * status: public domain.
+++ */
+++
+++#define DUFF /* go ahead and use the loop-unrolled version */
+++
+++#include <stdio.h>
+++
+++#define DBLKSIZ 16384 /* SSL cert chains require more */
+++#define PBLKSIZ 8192 /* SSL cert chains require more */
+++#define PAIRMAX 8008 /* arbitrary on PBLKSIZ-N */
+++#define SPLTMAX 10 /* maximum allowed splits */
+++ /* for a single insertion */
+++#define DIRFEXT ".dir"
+++#define PAGFEXT ".pag"
+++
+++typedef struct {
+++ int dirf; /* directory file descriptor */
+++ int pagf; /* page file descriptor */
+++ int flags; /* status/error flags, see below */
+++ long blkptr; /* current block for nextkey */
+++ int keyptr; /* current key for nextkey */
+++ char pagbuf[PBLKSIZ]; /* page file block buffer */
+++ char dirbuf[DBLKSIZ]; /* directory file block buffer */
+++} SDBM;
+++
+++#define DBM_RDONLY 0x1 /* data base open read-only */
+++#define DBM_IOERR 0x2 /* data base I/O error */
+++
+++/*
+++ * utility macros
+++ */
+++#define sdbm_rdonly(db) ((db)->flags & DBM_RDONLY)
+++#define sdbm_error(db) ((db)->flags & DBM_IOERR)
+++
+++#define sdbm_clearerr(db) ((db)->flags &= ~DBM_IOERR) /* ouch */
+++
+++#define sdbm_dirfno(db) ((db)->dirf)
+++#define sdbm_pagfno(db) ((db)->pagf)
+++
+++typedef struct {
+++ char *dptr;
+++ int dsize;
+++} datum;
+++
+++extern datum nullitem;
+++
+++/*
+++ * flags to sdbm_store
+++ */
+++#define DBM_INSERT 0
+++#define DBM_REPLACE 1
+++
+++/*
+++ * ndbm interface
+++ */
+++extern SDBM *sdbm_open(char *, int, int);
+++extern void sdbm_close(SDBM *);
+++extern datum sdbm_fetch(SDBM *, datum);
+++extern int sdbm_delete(SDBM *, datum);
+++extern int sdbm_store(SDBM *, datum, datum, int);
+++extern datum sdbm_firstkey(SDBM *);
+++extern datum sdbm_nextkey(SDBM *);
+++
+++/*
+++ * sdbm - ndbm work-alike hashed database library
+++ * tuning and portability constructs [not nearly enough]
+++ * author: oz at nexus.yorku.ca
+++ */
+++
+++#define BYTESIZ 8
+++
+++/*
+++ * important tuning parms (hah)
+++ */
+++
+++#define SEEDUPS /* always detect duplicates */
+++#define BADMESS /* generate a message for worst case:
+++ cannot make room after SPLTMAX splits */
+++#endif /* UTIL_SDBM_H */
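Review bot: The public prototypes declare the path argument as plain `char *` (`extern SDBM *sdbm_open(char *, int, int);`) although the `sdbm_open` in this patch's sdbm.c only reads it through `strlen`/`strcpy`, so callers holding a `const` configuration string or a literal must cast; `extern SDBM *sdbm_open(const char *, int, int);` is the const-correct form, with the definition in sdbm.c changed to match. The build-selection macros `DUFF`, `SEEDUPS` and `BADMESS` are also defined unconditionally in this installed-style header rather than guarded with `#ifndef`, so no translation unit that includes sdbm.h can opt out of the unrolled loops or the duplicate check; if that is intended, a one-line comment such as `/* library-wide settings, not per-includer tunables */` next to them would say so. The file otherwise documents its constants well; only `PAIRMAX 8008 /* arbitrary on PBLKSIZ-N */` leaves the reader to work out that the slack is the two `short` index slots fitpair adds per pair.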
+diff -urNad postfix-release/tls/README /tmp/dpep.cXJuVH/postfix-release/tls/README
+--- postfix-release/tls/README 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/README 2005-02-03 10:22:13.116084199 -0700
+@@ -0,0 +1,42 @@
++Overview:
++=========
++
++- This is an SSL/TLS enhancement package for postfix.
++ It realizes (well, or at least should, once it is finished) the
++ STARTTLS extension to SMTP as described in RFC2487 and used
++ by Netscape 4.5x.
++- For instructions on how to install the kit, please read the installation
++ section in the "html" manual in the "doc/" subdirectory.
++
++License:
++========
++- This software is free. You can do with it whatever you want.
++ I would however kindly ask you to acknowledge the use of this
++ package, if you are going use it in your software, which you might
++ be going to distribute. I would also like to receive a note if you
++ are a satisfied user :-)
++
++Acknowledgements:
++=================
++- This package is based on the OpenSSL package as provided by the
++ ``OpenSSL Project''.
++
++Disclaimer:
++===========
++- This software is provided ``as is''. You are using it at your own risk.
++ I will take no liability in any case.
++- This software package uses strong cryptography, so even if it is created,
++ maintained and distributed from liberal countries in Europe (where it is
++ legal to do this), it falls under certain export/import and/or use
++ restrictions in some other parts of the world.
++- PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG
++ CRYPTOGRAPHY SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST
++ COMMUNICATING TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS
++ ILLEGAL IN SOME PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE
++ TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL
++ TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR
++ OTHER PEOPLE YOU ARE STRONGLY ADVICED TO PAY CLOSE ATTENTION TO ANY
++ EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHOR OF
++ PFIXTLS IS NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE
++ CAREFULLY YOURSELF, IT IS YOUR RESPONSIBILITY.
++
+diff -urNad postfix-release/tls/TODO /tmp/dpep.cXJuVH/postfix-release/tls/TODO
+--- postfix-release/tls/TODO 1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/TODO 2005-02-03 10:22:13.116084199 -0700
+@@ -0,0 +1,36 @@
++This list does not really follow priority.
++
++* Implement support of CRL checking. OpenSSL 0.9.7 finally supports CRLs,
++ so Postfix/TLS should support loading CRLs.
++
++* Cleanup the "pfixtls" special logging, so that it fits Wietses original
++ "per site" decision to make debugging easier.
++
++* Move TLS based information from separate lines into Postfix's smtpd
++ logging lines to make logfile analysis easier.
++
++* Check the "info_callback" for sensitive use. I already had to remove the
++ "warning alert" issued on normal shutdown. Why is a warning issued for
++ a normal shutdown??
++
++* Allow to specify the protocol used globally: SSLv2, SSLv3, TLSv1.
++
++* Enhance tls_per_site feature, such that not only MAY, MUST, NONE flags
++ are supported. It should also be possible to influence the behaviour:
++ choose the SSLv2/SSLv3/TLSv1 protocols.
++ [A compatible way to upgrad the tls_per_site table would be to add the
++ keywords:
++ MUST,SSLv2
++ MAY,NO_TLSv1
++ ]
++
++* Introduce new tls_per_client table to achieve the same selective behaviour
++ for incoming connections.
++
++* Introduce better support for "opportunistic" encryption: collect information
++ about peers connecting; log warnings when the key changed etc.
++ [I am not sure that I already have the best answers available.]
++
++* Find a way to use the certificates themselves instead of the fingerprints
++ to allow certificate based relaying. The maintenance of the fingerprints
++ is a nightmare.
Added: trunk/kolab-postfix/debian/patches/60hpux.dpatch
===================================================================
--- trunk/kolab-postfix/debian/patches/60hpux.dpatch 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/patches/60hpux.dpatch 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,26 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 60hpux.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-2.1.5/src/global/mail_params.c /tmp/dpep.V1hFGZ/postfix-2.1.5/src/global/mail_params.c
+--- postfix-2.1.5/src/global/mail_params.c 2004-12-27 22:21:44.686106036 -0700
++++ /tmp/dpep.V1hFGZ/postfix-2.1.5/src/global/mail_params.c 2004-12-27 22:21:44.958047580 -0700
+@@ -77,6 +77,7 @@
+ /* char *var_export_environ;
+ /* char *var_debug_peer_list;
+ /* int var_debug_peer_level;
++/* int var_command_maxtime;
+ /* int var_in_flow_delay;
+ /* int var_fault_inj_code;
+ /* char *var_bounce_service;
+@@ -268,6 +269,7 @@
+ char *var_export_environ;
+ char *var_debug_peer_list;
+ int var_debug_peer_level;
++int var_command_maxtime;
+ int var_fault_inj_code;
+ char *var_bounce_service;
+ char *var_cleanup_service;
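Review bot: The dpatch header leaves the description empty (`## DP: No description.`), so nothing records why HP-UX needs `var_command_maxtime` declared in mail_params.c; a line such as `## DP: define var_command_maxtime in libglobal so the symbol resolves on HP-UX` would let the next maintainer judge whether the patch is still needed. Both hunks add only the declaration and the matching `/* int var_command_maxtime;` manual-page comment; the parameter-table entry that would bind it to a main.cf value is not in the hunks, so the variable is presumably assigned elsewhere, which the description should confirm. The surrounding declarations continue outside both hunks.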
Added: trunk/kolab-postfix/debian/patches/master.cf.local
===================================================================
--- trunk/kolab-postfix/debian/patches/master.cf.local 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/patches/master.cf.local 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,12 @@
+--- conf/master.cf.local 2004-07-28 09:38:42.000000000 -0600
++++ conf/master.cf.local 2004-08-05 09:42:37.000000000 -0600
+@@ -77,7 +77,8 @@
+ # service type private unpriv chroot wakeup maxproc command + args
+ # (yes) (yes) (yes) (never) (100)
+ # ==========================================================================
+-smtp inet n - - - - smtpd
++127.0.0.1:smtp inet n - - - - smtpd
++::1:smtp inet n - - - - smtpd
+ #submission inet n - - - - smtpd
+ # -o smtpd_etrn_restrictions=reject
+ #628 inet n - - - - qmqpd
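Review bot: The replacement listeners bind smtpd to the loopback addresses only (`127.0.0.1:smtp` and `::1:smtp`), so this instance no longer accepts SMTP from the network at all; that is a reasonable exposure reduction for a locally fronted setup, but the file carries no comment stating that it is deliberate, and nothing in the hunk shows which Kolab component is expected to deliver to it. The `::1:smtp` line additionally requires a working IPv6 loopback on the host, and as far as I can tell master treats a failed bind as fatal, so an IPv4-only system would refuse to start Postfix after this change. Consider a comment above the two lines such as `# Kolab: accept SMTP on loopback only; remove the ::1 entry on hosts without IPv6`.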
Added: trunk/kolab-postfix/debian/po/POTFILES.in
===================================================================
--- trunk/kolab-postfix/debian/po/POTFILES.in 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/po/POTFILES.in 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1 @@
+[type: gettext/rfc822deb] templates
Added: trunk/kolab-postfix/debian/po/cs.po
===================================================================
--- trunk/kolab-postfix/debian/po/cs.po 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/po/cs.po 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,657 @@
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: postfix\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-10-30 21:06-0600\n"
+"PO-Revision-Date: 2004-10-07 15:45+0200\n"
+"Last-Translator: Miroslav Kure <kurem at debian.cz>\n"
+"Language-Team: Czech <provoz at debian.cz>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-2\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr "Opravit dynamicmaps.cf pro aktualizaci?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion. Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you. Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+"Postfix verze 2.0.2 a pozdìj¹í vy¾adují zmìny v dynamicmaps.cf. Konkrétnì je "
+"pryè podpora zástupných znakù a s ní expanze %s. Jakékoliv zmìny, které jste "
+"provedli v dynamicmaps.cf a které se spoléhají na tyto vlastnosti, bude "
+"potøeba opravit. Pokud je neopravíte, bude výsledkem nefunkèní po¹ta."
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed? Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration. Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr ""
+"Má být dynamicmaps.cf automaticky zmìnìn? Odmítnìte tuto volbu pro pøeru¹ení "
+"aktualizace, dostanete tak ¹anci odstranit zástupné znaky a konfiguraci "
+"závislou na %s-expanzi. Pøijmìte tuto volbu, pokud ¾ádnou takovou "
+"konfiguraci nemáte a chcete mít dynamicmaps.cf po této stránce automaticky "
+"kompatibilní s Postfixem 2.0.2."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr "Postfix verze 2.1 a vy¹¹í vy¾adují nové slu¾by v master.cf."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid ""
+"Should this configuration be automatically added to master.cf? Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself. Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr ""
+"Má být tato konfigurace automaticky pøidána do master.cf? Odmítnìte tuto "
+"volbu pro pøeru¹ení aktualizace, dostanete tak ¹anci pøidat tuto konfiguraci "
+"sami. Pøijmìte tuto volbu, pokud chcete mít master.cf po této stránce "
+"automaticky kompatibilní s Postfix 2.1."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr "Opravit master.cf pro aktualizaci?"
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr ""
+"Postfix verze 2.1 pøejmenoval \"nqmgr\" na \"qmgr\" a vy pou¾íváte \"nqmgr\"."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Failure to fix this will result in a broken mailer. Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself. Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr ""
+"Opomenutí této opravy bude mít za následek nefunkèní po¹tu. Odmítnìte tuto "
+"volbu pro pøeru¹ení aktualizace, dostanete tak ¹anci pøidat tuto konfiguraci "
+"sami. Pøijmìte tuto volbu, pokud chcete mít master.cf po této stránce "
+"automaticky kompatibilní s Postfix 2.1."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr "Má Postfix aktualizovat hash a btree mapy?"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr "Postfix pøe¹el na db4, co¾ mù¾e vy¾adovat aktualizaci map."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr "Chcete se pokusit o automatickou konverzi?"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr "Nekompatibilita transportní mapy"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used. Postfix will not be restarted automatically."
+msgstr ""
+"Máte definovánu transportní mapu a v této verzi se nachází nekompatibilní "
+"zmìna ve zpùsobu pou¾ívání transportních map. Postfix nebude automaticky "
+"restartován."
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"Transport map entries override $mydestination. If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination. See the html/faq.html sections for firewalls and "
+"intranets. If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr ""
+"Polo¾ky trasportní mapy pøebíjejí $mydestination. Pokud pou¾íváte "
+"transportní mapy, je lep¹í mít v¾dy explicitní polo¾ky pro v¹echna doménová "
+"jména, která máte uvedena v $mydestination. Viz sekce pro firewally a "
+"intranety v html/faq.html. Pokud máte transportní polo¾ky pro nadøazené "
+"domény èehokoliv doruèovaného lokálnì, budete pravdìpodobnì muset pøed "
+"restartováním Postfixu pøidat konkrétní polo¾ky pro cílové domény."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr "Chybný záznam. Zkusit znovu?"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr "Øetìzec, který jste zadali"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr "ani nevyhovuje RFC 1035, ani nevypadá jako platná IP adresa."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr ""
+"RFC 1035 øíká, ¾e: \"Ka¾dá èást musí zaèínat a konèit alfanumerickým znakem "
+"a mù¾e obsahovat pouze alfanumerické znaky a pomlèky. Jednotlivé èáasti musí "
+"být oddìleny teèkami."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr "Chcete to tak pøesto ponechat?"
+
+#. Type: select
+#. Choices
+#: ../templates:75
+#, fuzzy
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only"
+msgstr ""
+"®ádné nastavení, Internetový server, Internet se smarthostem, Satelitní "
+"systém, Pouze lokální, HP"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr "Obecný typ nastavení?"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point. If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later. You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr ""
+"Nyní si mù¾ete zvolit z nìkolika základních typù nastavení. Pokud máte "
+"priritu debconf otázek nastavenu na nízkou nebo støední, budete dotázáni na "
+"více otázek. Budete-li si chtít tyto otázky projít pozdìji, mù¾ete pou¾ít "
+"pøíkaz \"dpkg-reconfigure --priority=low postfix\"."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION. No configuration changes will be done now: If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix. main.cf will not be modified by the "
+"Postfix install process."
+msgstr ""
+"®ádné nastavení - POKUD CHCETE, ABY INSTALÁTOR NECHAL VA©E NASTAVENÍ NA "
+"POKOJI, VYBERTE TUTO MO®NOST. ®ádné konfiguraèní zmìny nebudou nyní "
+"provedeny: Pokud ji¾ nemáte Postfix zkonfigurovaný, vá¹ po¹tovní systém bude "
+"nefunkèní a nemìl by se pou¾ívat. Potom musíte provést konfiguraci ruènì "
+"editováním /usr/share/postfix/main.cf.dist a ulo¾ením zmìn jako /etc/postfix/"
+"main.cf, nebo spu¹tìním dpkg-reconfigure postfix. Soubor main.cf nebude "
+"instalaèním procesem Postfixu zmìnìn."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr ""
+"Internetový server - po¹ta je zasílána a pøijímána pøímo pomocí SMTP. Pokud "
+"va¹e potøeby poøádnì nezapadají do ¾ádné kategorie, bude nejlep¹í zaèít s "
+"touto a potom upravit konfiguraèní soubor ruènì."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr ""
+"Internetový poèítaè pou¾ívající smarthost - Pøijímáte internetovou po¹tu na "
+"tomto stroji buï pøímo pomocí SMTP nebo spu¹tìním nástroje jako je "
+"fetchmail. Odchozí po¹ta je zasílána pomocí smarthosta, volitelnì s "
+"pøepsanými adresami. Toto je nejlep¹í volba pro vytáèený (dialup) systém."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr ""
+"Satelitní systém - Ve¹kerá po¹ta je zaslána na jiný stroj, nazývaný \"smart "
+"host\", který ji doruèí. Po¹ta pro u¾ivatele root a postmaster je doruèována "
+"podle /etc/aliases. ®ádná po¹ta není doruèována lokálnì."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network. Mail for local users is "
+"delivered."
+msgstr ""
+"Pouze lokální doruèování - Nejste na síti. Doruèuje se pouze po¹ta mezi "
+"lokálními u¾ivateli."
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "WARNING: Postfix not configured"
+msgstr "VAROVÁNÍ: Postfix nebyl nastaven"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default. Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr ""
+"Zvolili jste \"®ádné nastavení\" - Postfix nyní nebude nastaven a proto také "
+"nebude spu¹tìn. Pozdìji to mù¾ete napravit pøíkazem 'dpkg-reconfigure "
+"postfix', nebo ruèním nastavením:"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr "1) Upravte /etc/postfix/main.cf dle potøeb"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "2) Running /etc/init.d/postfix start"
+msgstr "2) Spus»te /etc/init.d/postfix start"
+
+#. Type: string
+#. Default
+#: ../templates:120
+msgid "/etc/mailname"
+msgstr "/etc/mailname"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid "Mail name?"
+msgstr "Po¹tovní jméno?"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr ""
+"Va¹e po¹tovní jméno je adresa poèítaèe, která se bude zobrazovat na "
+"odchozích zprávách (následuje za jménem u¾ivatele a znakem @)."
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+"Toto jméno budou kromì Postfixu vyu¾ívat i jiné programy; mìlo by se jednat "
+"o plnì kvalifikované doménové jméno (FQDN)."
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr "Dal¹í místa, pro která pøijímat po¹tu? (nebo ponechte prázdné)"
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for. If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+"Zadejte èárkami oddìlený seznam domén, pro které má Postfix pøedpokládat, ¾e "
+"po¹ta z nich skonèí na tomto poèítaèi. Pokud je poèítaè bránou pro po¹tovní "
+"doménu, mìli byste zahrnout vrcholovou doménu."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid "SMTP relay host? (blank for none)"
+msgstr "Poèítaè pro SMTP relay? (nebo prázdné)"
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups. Leave this blank for no relay host."
+msgstr ""
+"Zadejte doménu, poèítaè, poèítaè:port, [adresu] nebo [adresu]:port. Variantu "
+"[cíl] mù¾ete pou¾ít pro vypnutí MX dotazù. Pokud nepou¾íváte poèítaè pro "
+"pøeposílání (relay) po¹ty, ponechte prázdné."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+"Parametr relayhost zadává implicitní poèítaè, pøes který se zasílá po¹ta, "
+"která nevyhoví ¾ádnému pravidlu ve volitelné tabulce transport(5). Pokud je "
+"parametr relayhost prázdný, po¹ta je smìrována rovnou k cíli."
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Use procmail for local delivery?"
+msgstr "Pou¾ít pro lokální doruèování procmail?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr "Chcete pro doruèování lokální po¹ty pou¾ít procmail?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+"Pokud budete pro doruèování po¹ty v celém systému pou¾ívat procmail, mìli "
+"byste vytvoøit alias, který bude pøeposílat rootovu po¹tu reálnému u¾ivateli."
+
+#. Type: string
+#. Default
+#: ../templates:156
+msgid "+"
+msgstr "+"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "Local address extension character?"
+msgstr "Znak pro pøíponu lokální adresy?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "What character defines a local address extension?"
+msgstr "Který znak definuje pøíponu lokální adresy?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "To not use address extensions, leave the string blank."
+msgstr "Pokud nechcete pou¾ívat pøípony adres, ponechte prázdné."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "Bad recipient delimiter"
+msgstr "Chybný oddìlovaè pøíjemcù"
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters. Please try again."
+msgstr ""
+"Oddìlovaè pøíjemcù je jeden znak, ale vy jste zadali znakù nìkolik. Zkuste "
+"to prosím znovu."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "\"${enteredstring}\""
+msgstr "\"${enteredstring}\""
+
+#. Type: boolean
+#. Default
+#: ../templates:172
+msgid "false"
+msgstr "false"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "Force synchronous updates on mail queue?"
+msgstr "Vynutit synchronní aktualizaci po¹tovní fronty?"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+#, fuzzy
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a remote chance of losing some mail if the system "
+"crashes at an inopportune time, and you are not using a journaled filesystem "
+"(such as ext3)."
+msgstr ""
+"Pokud je vynucena synchronní aktualizace, bude se po¹ta zpracovávat "
+"pomaleji. Pokud není vynucena, existuje ¹ance, ¾e kdy¾ systém spadne v "
+"nevhodný okam¾ik, mù¾e se ztratit nìkterá po¹ta."
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "The default is \"off\"."
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:183
+msgid "127.0.0.0/8"
+msgstr "127.0.0.0/8"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid "Local networks?"
+msgstr "Lokální sítì?"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"For what network blocks should this machine relay mail? The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr ""
+"Pro které bloky adres má tento poèítaè pøedávat po¹tu? Implicitní je pouze "
+"tento poèítaè, co¾ je vy¾adováno nìkterými po¹tovními agenty."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+"Pokud tento poèítaè slou¾í jako smarthost pro skupinu poèítaèù, musíte je "
+"zde zadat, nebo bude jejich po¹ta odmítnuta."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+"Chcete-li pou¾ít implicitní nastavení (které je zalo¾eno na pøipojených "
+"sítích), zadejte prázdný øetìzec."
+
+#. Type: string
+#. Default
+#: ../templates:196
+msgid "0"
+msgstr "0"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid "Mailbox size limit"
+msgstr "Limit po¹tovní schránky"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors. A value of zero (0) means no limit. (The upstream default is "
+"51200000.)"
+msgstr ""
+"Jaký limit má Postfix uplatòovat na velikost po¹tovní schránky? Hodnota nula "
+"(0) znamená bez omezení. (Autor programu nastavuje 51200000.)"
+
+#. Type: string
+#. Default
+#: ../templates:204
+msgid "NONE"
+msgstr "NIC"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid "Where should mail for root go"
+msgstr "Kam má chodit po¹ta pro roota?"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody. This is by design: mail is not delivered to external delivery "
+"agents as root."
+msgstr ""
+"U¾ivatel root (nebo jiný u¾ivatel s uid 0) musí mít po¹tu pøesmìrovánu pøes "
+"alias, nebo bude jeho po¹ta doruèena do /var/mail/nobody. To je vìc návrhu, "
+"proto¾e po¹ta není pøedávána externím doruèovacím programùm pod u¾ivatelem "
+"root."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry. (I will only add it if I am creating a new /etc/aliases.)"
+msgstr ""
+"Pokud ji¾ soubor /etc/aliases máte, zkontrolujte, ¾e tam je i pøíslu¹ný "
+"záznam. (Pøidám jej pouze pokud vytvoøím nový /etc/aliases.)"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"What address should I add to /etc/aliases, if I create the file? (Enter "
+"NONE to not add one.)"
+msgstr ""
+"Pokud vytvoøím soubor /etc/aliases, jakou adresu mám do nìj pøidat? (Pokud "
+"nechcete pøidat ¾ádnou, napi¹te NIC)."
+
+#~ msgid ""
+#~ "HP - Configuration used inside of HP. This just hardcodes several "
+#~ "configuration parameters based on the final components of the hostname, "
+#~ "but looks largely like 'Internet site using smarthost'. This option will "
+#~ "modify /etc/postfix/transport and install it as a transport map."
+#~ msgstr ""
+#~ "HP - Konfigurace pou¾ívaná uvnitø HP. Toto jen napevno nastaví nìkolik "
+#~ "konfiguraèních parametrù na základì koneèných èástí jména poèítaèe, ale "
+#~ "celkovì vypadá jako 'Internetový server pou¾ívající smarthosta'. Tato "
+#~ "volba zmìní /etc/postfix/transport a nainstaluje jej jako trasportní mapu."
+
+#~ msgid "The default is \"off\", see the changelog for an explanation."
+#~ msgstr "Implicitnì je \"vypnuto\", vysvìtlení viz seznam zmìn balíku."
+
+#~ msgid "Append .domain to simple addresses"
+#~ msgstr "Pøidávat doménu k jednoduchým adresám"
+
+#~ msgid ""
+#~ "When Postfix sees an address with only one component in the hostname, "
+#~ "should it append .$mydomain? Appending .$mydomain means that you don't "
+#~ "need to qualify destinations in your own domain, but breaks mail bound "
+#~ "for users at top-level domain addresses. (yes, there are some of these.)"
+#~ msgstr ""
+#~ "Kdy¾ Postfix vidí adresu s pouze první èástí jména poèítaèe, má k ní "
+#~ "pøipojit .$mydomain? Pøipojení .$mydomain znamená, ¾e pro poèítaèe ve "
+#~ "vlastní doménì nemusíte zadávat plnì kvalifikované doménové jméno, ale "
+#~ "mù¾e to poru¹it po¹tu pro u¾ivatele ve vrcholových doménách (ano, i tací "
+#~ "existují)."
+
+#~ msgid ""
+#~ "If you are forwarding mail out of your organization, you should almost "
+#~ "certainly not append .$mydomain. If you're the only user of mail on your "
+#~ "system, choose whichever is more convenient for you."
+#~ msgstr ""
+#~ "Posíláte-li po¹tu ven z organizace, mìli byste zamítnout. Pokud jste "
+#~ "domácí u¾ivatel, vyberte si, co je pro vás vhodnìj¹í."
Added: trunk/kolab-postfix/debian/po/de.po
===================================================================
--- trunk/kolab-postfix/debian/po/de.po 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/po/de.po 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,703 @@
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: postfix 2.0.6-1\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-10-30 21:06-0600\n"
+"PO-Revision-Date: 2003-03-19 21:02+0100\n"
+"Last-Translator: Martin A. Godisch <godisch at debian.org>\n"
+"Language-Team: German <debian-l10n-german at lists.debian.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=iso-8859-15\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr "Möchten Sie dynamicmaps.cf aktualisieren?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion. Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you. Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+"Für Postfix, Version 2.0.2 und folgende, sind Änderungen in der Datei "
+"dynamicmaps.cf erforderlich. Insbesondere gibt es keine Unterstützung mehr "
+"für Platzhalter und %s Expansionen. Alle Anpassungen in dynamicmaps.cf, die "
+"auf diesen basieren, müssen Sie korrigieren, ansonsten haben Sie einen "
+"unbrauchbaren Mail-Server."
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed? Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration. Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr ""
+"Die Datei dynamicmaps.cf kann automatisch übernommen werden. Verneinen Sie "
+"diese Frage, um das Upgrade abzubrechen und sämtliche Platzhalter und %s "
+"Expansionen zu entfernen. Akzeptieren Sie diese Frage, wenn Sie keine solche "
+"Konfiguration haben, um die Datei dynamicmaps.cf in ein zu Postfix 2.0.2 "
+"kompatibles Format zu bringen."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+#, fuzzy
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr ""
+"Postfix, Version 2.0.2 und folgende, erfordert die Angabe eines Proxy-"
+"Servers in der Datei master.cf."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+#, fuzzy
+msgid ""
+"Should this configuration be automatically added to master.cf? Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself. Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr ""
+"Der Proxy-Server kann automatisch zur Datei master.cf hinzugefügt werden. "
+"Verneinen Sie, um das Upgrade abzubrechen und diese Änderung selbst "
+"vorzunehmen. Akzeptieren Sie, um die Datei master.cf automatisch in ein zu "
+"Postfix 2.0.2 kompatibles Format zu bringen."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr "Möchten Sie master.cf aktualisieren?"
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+#, fuzzy
+msgid ""
+"Failure to fix this will result in a broken mailer. Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself. Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr ""
+"Der Proxy-Server kann automatisch zur Datei master.cf hinzugefügt werden. "
+"Verneinen Sie, um das Upgrade abzubrechen und diese Änderung selbst "
+"vorzunehmen. Akzeptieren Sie, um die Datei master.cf automatisch in ein zu "
+"Postfix 2.0.2 kompatibles Format zu bringen."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr "Möchten Sie die Hash- und BTree-Tabellen aktualisieren?"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr "Möchten Sie eine automatische Konvertierung veranlassen?"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr "Inkompatible Transport-Tabelle"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used. Postfix will not be restarted automatically."
+msgstr ""
+"Sie haben eine Transport-Tabelle definiert, jedoch gibt es inkompatible "
+"Änderungen in der Art, wie diese genutzt werden. Postfix wird nicht "
+"automatisch neu gestartet werden."
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"Transport map entries override $mydestination. If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination. See the html/faq.html sections for firewalls and "
+"intranets. If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr ""
+"Transport-Tabellen-Einträge überschreiben $mydestination. Nutzen Sie "
+"Transport-Tabellen, ist es besser, jeweils explizite Einträge für alle "
+"Domains in $mydestination zu definieren. Beachten Sie in html/faq.html die "
+"Abschnitte über Firewalls und Intranets. Haben Sie Transport-Einträge für "
+"Eltern-Domains lokal zugestellter Domains, müssen Sie wahrscheinlich "
+"konkrete Einträge für diese Domains hinzufügen, bevor Sie Postfix neu "
+"starten."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr "Ungültiger Eintrag, möchten Sie es noch einmal probieren?"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr "Die von Ihnen gemachte Eingabe"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr "ist nicht RFC 1035 kompatibel und ist keine gültige IP-Adresse."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr ""
+"RFC 1035 fordert, daß jede Komponente mit einem alphanumerischen Zeichen "
+"beginnen und enden muß, und ansonsten auch nur aus alphanumerischen Zeichen "
+"und Bindestrichen bestehen darf. Alle Komponenten werden jeweils durch einen "
+"Punkt getrennt."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr "Bestehen Sie auf Ihrer Eingabe?"
+
+#. Type: select
+#. Choices
+#: ../templates:75
+#, fuzzy
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only"
+msgstr ""
+"Keine Konfiguration, Internet-Server, Internet mit Relay-Host, Satelliten-"
+"System, Nur lokale Zustellung, Hewlett Packard"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr "Allgemeine Konfiguration?"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point. If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later. You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr ""
+"Sie haben an dieser Stelle verschiedene Wahlmöglichkeiten der "
+"grundsätzlichen Konfiguration. Ist Ihre Debconf-Priorität auf 'niedrig' oder "
+"'mittel' gesetzt, werden Sie im folgenden mit weiteren Fragen gequält. ;-) "
+"Sie können diese Fragen später mittels 'dpkg-reconfigure --priority=low "
+"postfix' jederzeit erneut durchgehen."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION. No configuration changes will be done now: If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix. main.cf will not be modified by the "
+"Postfix install process."
+msgstr ""
+"Keine Konfiguration - WENN SIE IHRE MOMENTANE KONFIGURATION ERHALTEN "
+"MÖCHTEN, WÄHLEN SIE DIESE OPTION! Es werden keine Änderungen vorgenommen. "
+"Sollten Sie Postfix nicht bereits konfiguriert haben, ist Ihr Mail-System "
+"unbrauchbar und sollte nicht genutzt werden. In diesem Fall müssen Sie die "
+"Konfiguration selbst vornehmen, indem Sie die Datei /usr/share/postfix/main."
+"cf.dist nach/etc/postfix/main.cf kopieren und dort Ihren Gegebenheiten "
+"anpassen, oder indem Sie dpkg-reconfigure ausführen. Diese Installation wird "
+"main.cf nicht modifizieren."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr ""
+"Internet-Server - Mail wird über SMTP versandt und empfangen. Sollten Ihre "
+"Anforderungen nicht ganz dieser Kategorie entsprechen, sollten Sie die "
+"erzeugte Konfigurationsdatei im Anschluß per Hand anpassen."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr ""
+"Internet-Server mit Relay-Host - Sie empfangen auf diesem Rechner Mails, "
+"entweder direkt über SMTP oder mittels eines Programmes wie z.B. fetchmail. "
+"Ausgehende Mails werden an einen Relay-Server (Smarthost) weitergeleitet, "
+"nachdem (optional) Adressen umgeschrieben wurden. Diese Konfiguration wird "
+"vorrangig für Einwahl-Verbindungen genutzt."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr ""
+"Satelliten-System - Alle Mails werden an einen entfernten Server, den "
+"sogenannten Smarthost zwecks Zustellung übergeben. Mails an root und "
+"postmaster werden entsprechend der Datei /etc/aliases ausgeliefert, es "
+"werden keine Mails lokal zugestellt."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network. Mail for local users is "
+"delivered."
+msgstr ""
+"Nur lokale Zustellung - Sie sind mit keinem Netzwerk verbunden. Mails an "
+"lokale Nutzer werden zugestellt."
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "WARNING: Postfix not configured"
+msgstr "ACHTUNG: Postfix ist nicht konfiguriert."
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default. Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr ""
+"Sie haben 'Keine Konfiguration' gewählt - Postfix wird nicht konfiguriert "
+"oder automatisch gestartet. Rufen Sie bitte 'dpkg-reconfigure postfix' zu "
+"einem späteren Zeitpunkt auf oder konfigurieren Sie Postfix manuell wie "
+"folgt:"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr "1. Passen Sie /etc/postfix/main.cf Ihren Wünschen an."
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "2) Running /etc/init.d/postfix start"
+msgstr "2. Führen Sie '/etc/init.d/postfix start' aus."
+
+#. Type: string
+#. Default
+#: ../templates:120
+msgid "/etc/mailname"
+msgstr "/etc/mailname"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid "Mail name?"
+msgstr "Wie lautet der Mailname Ihres Systems?"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr ""
+"Ihr 'Mailname' ist der Hostname aller ausgehenden News-Artikel und Mails, "
+"der dem Nutzernamen und '@'-Zeichen folgende Teil der Adresse."
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+"Dieser Name wird auch von anderen Programmen als nur Postfix genutzt, es "
+"sollte dies der eindeutige voll-qualifizierte Domainname (FQDN) dieses "
+"Rechners sein, er ist i.d.R. Teil der Absender-Adresse lokal generierter "
+"Mails."
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr ""
+"Für welche weiteren Rechner möchten Sie Mails akzeptieren (leere Eingabe: "
+"keine)?"
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for. If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+"Spezifizieren Sie bitte eine durch Kommata getrennte Liste der Rechner, für "
+"die dieser Rechner das Zielsystem darstellt. Ist dieser Rechner für eine "
+"gesamte Mail-Domain zuständig, sollten Sie möglicherweise die Top-Level "
+"Domain (TLD) hinzufügen."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid "SMTP relay host? (blank for none)"
+msgstr "Welches ist Ihr SMTP Relay-Server (leere Eingabe: keiner)?"
+
+#. Type: string
+#. Description
+#: ../templates:137
+#, fuzzy
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups. Leave this blank for no relay host."
+msgstr ""
+"Geben Sie bitte Ihren Smarthost in einer der folgenden Formen an: Domain, "
+"Host, Host:Port, [Adresse] oder [Adresse:Port]. Nutzen Sie die Form [Ziel], "
+"um MX-Abfragen zu verhindern. Lassen Sie dieses Feld leer, wenn Sie keinen "
+"Relay-Server angeben möchten."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+"Mails, für die kein Eintrag in der optionalen Transport-Tabelle gefunden "
+"wird, werden standardmäßig an den Relay-Server, weitergeleitet. Geben Sie "
+"keinen Relay-Server an, erfolgen für die einzelnen Mails entsprechende "
+"Zielanfragen (MX-Lookups)."
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Use procmail for local delivery?"
+msgstr "Möchten Sie procmail zur lokalen Mail-Zustellung nutzen?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr "Möchten Sie lokale Mails mittels procmail zustellen?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+"Beachten Sie, daß bei systemweiter Mail-Zustellung mittels procmail ein "
+"Alias genutzt werden sollte, um an root adressierte Mails an einen normalen "
+"Nutzer weiterzuleiten."
+
+#. Type: string
+#. Default
+#: ../templates:156
+msgid "+"
+msgstr "+"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "Local address extension character?"
+msgstr "Zeichen für lokale Adreß-Erweiterung?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "What character defines a local address extension?"
+msgstr "Welches Zeichen definiert eine lokale Adreß-Erweiterung?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "To not use address extensions, leave the string blank."
+msgstr ""
+"Lassen Sie die Eingabe leer, wenn Sie keine Adreß-Erweiterungen nutzen "
+"möchten."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "Bad recipient delimiter"
+msgstr "Ungültiges Adreß-Trennzeichen"
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters. Please try again."
+msgstr ""
+"Das Adreß-Trennzeichen ist ein einzelnes Zeichen, Sie haben zu viele Zeichen "
+"eingegeben. Versuchen Sie es bitte noch einmal."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "\"${enteredstring}\""
+msgstr "\"${enteredstring}\""
+
+#. Type: boolean
+#. Default
+#: ../templates:172
+msgid "false"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "Force synchronous updates on mail queue?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a remote chance of losing some mail if the system "
+"crashes at an inopportune time, and you are not using a journaled filesystem "
+"(such as ext3)."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "The default is \"off\"."
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:183
+msgid "127.0.0.0/8"
+msgstr "127.0.0.0/8"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid "Local networks?"
+msgstr "Lokale Netzwerke?"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"For what network blocks should this machine relay mail? The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr ""
+"Für welche Teilnetze soll dieser Rechner Mails weiterleiten? Standardmäßig "
+"ist dies nur der lokale Rechner, dieser wird für einige Mail-Programme "
+"benötigt."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+"Wenn dieser Rechner ein Relay-Server für ein Teilnetz anderer Rechner ist, "
+"muß dieses Teilnetz hier spezifiziert werden, ansonsten werden "
+"weiterzuleitende Mails abgewiesen."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:196
+msgid "0"
+msgstr "0"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid "Mailbox size limit"
+msgstr "Maximale Mailbox-Größe"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors. A value of zero (0) means no limit. (The upstream default is "
+"51200000.)"
+msgstr ""
+"Welches Limit (in Bytes) soll für Mailbox-Dateien gelten, um Software-"
+"Fehlern eine Grenze zu setzen? Null (0) bedeutet: kein Limit, der Postfix-"
+"Standard beträgt 51200000 (etwa 50 MB)."
+
+#. Type: string
+#. Default
+#: ../templates:204
+msgid "NONE"
+msgstr "NONE"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid "Where should mail for root go"
+msgstr "An wen sollen an root adressierte Mails weitergeleitet werden?"
+
+#. Type: string
+#. Description
+#: ../templates:205
+#, fuzzy
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody. This is by design: mail is not delivered to external delivery "
+"agents as root."
+msgstr ""
+"Mails an den Nutzer 'root', sowie an jeden anderen Nutzer mit der Nutzer-ID "
+"0, müssen mittels eines Aliases weitergeleitet werden, ansonsten werden Sie "
+"nach /var/spool/mail/nobody ausgeliefert. Dies ist durch das Design "
+"vorgegeben: Mails werden niemals als Nutzer root ausgeliefert."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry. (I will only add it if I am creating a new /etc/aliases.)"
+msgstr ""
+"Falls Sie bereits eine /etc/aliases Datei haben, müssen Sie möglicherweise "
+"diesen Eintrag hinzufügen. Automatisch wird er nur dann hinzugefügt, wenn /"
+"etc/aliases neu erzeugt wird."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"What address should I add to /etc/aliases, if I create the file? (Enter "
+"NONE to not add one.)"
+msgstr ""
+"Welche Adresse möchten Sie zu /etc/aliases hinzufügen, wenn diese Datei "
+"erzeugt wird? Geben Sie 'NONE' ein, um keine hinzuzufügen."
+
+#, fuzzy
+#~ msgid ""
+#~ "HP - Configuration used inside of HP. This just hardcodes several "
+#~ "configuration parameters based on the final components of the hostname, "
+#~ "but looks largely like 'Internet site using smarthost'. This option will "
+#~ "modify /etc/postfix/transport and install it as a transport map."
+#~ msgstr ""
+#~ "Hewlett Packard - von HP genutzte Konfiguration. Hier werden einige "
+#~ "Parameter fest kodiert, ansonsten entspricht diese Konfiguration dem "
+#~ "'Internet mit Relay-Host'. Bei dieser Konfiguration wird die Datei /etc/"
+#~ "postfix/transport modifiziert und als Transport-Tabelle installiert."
+
+#~ msgid "Append .domain to simple addresses"
+#~ msgstr "Möchten Sie .domain an einfache Adressen anfügen lassen?"
+
+#, fuzzy
+#~ msgid ""
+#~ "When Postfix sees an address with only one component in the hostname, "
+#~ "should it append .$mydomain? Appending .$mydomain means that you don't "
+#~ "need to qualify destinations in your own domain, but breaks mail bound "
+#~ "for users at top-level domain addresses. (yes, there are some of these.)"
+#~ msgstr ""
+#~ "Sieht Postfix Adressen mit nur einer Komponente im Hostnamen, kann ."
+#~ "$mydomain angehangen werden. Falls Sie dies wünschen, müssen Sie Ziele "
+#~ "innerhalb Ihrer eigenen Domain nicht vervollständigen (qualifizieren), "
+#~ "erhalten aber ungültige Adressen für Nutzer von Top-Level Domain (TLD) "
+#~ "Adressen. Ja, es gibt ein paar solche..."
+
+#, fuzzy
+#~ msgid ""
+#~ "If you are forwarding mail out of your organization, you should almost "
+#~ "certainly not append .$mydomain. If you're the only user of mail on your "
+#~ "system, choose whichever is more convenient for you."
+#~ msgstr ""
+#~ "Leiten Sie Mails nach außerhalb Ihrer Organisation weiter, sollten Sie "
+#~ "dies wahrscheinlich verneinen. Sind Sie der einzige Nutzer Ihres Mail-"
+#~ "Systems, wählen Sie, was immer Ihnen geeigneter erscheint."
+
+#~ msgid ""
+#~ "If you answer no, you almost certainly need to add 'localhost' to the "
+#~ "list of local destinations."
+#~ msgstr ""
+#~ "Falls Sie verneinen, werden Sie 'localhost' zu der Liste Ihrer lokalen "
+#~ "Ziele hinzufügen müssen."
+
+#~ msgid ""
+#~ "Postfix has converted from libdb2 format to libdb3 format. This change "
+#~ "requires that all Postfix hash and btree maps be regenerated."
+#~ msgstr ""
+#~ "Postfix wurde vom libdb2 zum libdb3-Format konvertiert. Diese Änderung "
+#~ "erfordert eine Regenerierung sämtlicher Hash- und BTree-Tabellen."
+
+#~ msgid ""
+#~ "If you answer no, Postfix will be restarted, but may fail if your db "
+#~ "files still need to be converted. If you answer yes, all hash and btree "
+#~ "maps used by Postfix will be rebuilt prior to restarting Postfix."
+#~ msgstr ""
+#~ "Verneinen Sie, wird ein Neustart von Postfix möglicherweise versagen, "
+#~ "falls Ihre Datenbank-Dateien noch konvertiert werden müssen. Antworten "
+#~ "Sie mit ja, werden zuvor alle Hash- und BTree-Tabellen regeneriert."
Added: trunk/kolab-postfix/debian/po/es.po
===================================================================
--- trunk/kolab-postfix/debian/po/es.po 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/po/es.po 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,697 @@
+# postfix translation to spanish
+# Copyright (C) 2004 Software in the Public Interest
+# This file is distributed under the same license as the postfix package.
+#
+# Changes:
+# - Initial translation
+# Rudy Godoy <rudy at kernel-panik.org>, 2004
+#
+#
+# Traductores, si no conoce el formato PO, merece la pena leer la
+# documentación de gettext, especialmente las secciones dedicadas a este
+# formato, por ejemplo ejecutando:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Equipo de traducción al español, por favor lean antes de traducir
+# los siguientes documentos:
+#
+# - El proyecto de traducción de Debian al español
+# http://www.debian.org/intl/spanish/coordinacion
+# especialmente las notas de traducción en
+# http://www.debian.org/intl/spanish/notas
+#
+# - La guía de traducción de po's de debconf:
+# /usr/share/doc/po-debconf/README-trans
+# o http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: postfix 2.0.18\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-10-30 21:06-0600\n"
+"PO-Revision-Date: 2004-11-20 19:29-0500\n"
+"Last-Translator: Rudy Godoy <rudy at kernel-panik.org>\n"
+"Language-Team: Debian Spanish <debian-l10n-spanish at lists.debian.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-15\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr "¿Corregir dynamicmaps.cf para la actualización?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion. Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you. Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+"Postfix versión 2.0.2 y posterior requiere cambios en dynamicmaps.cf. "
+"Específicamente, el soporte de comodines se ha eliminado, y con éste, la "
+"expansión %s. Cualquier cambio que usted haya hecho a dynamicmaps.cf que "
+"haga uso de estas características deberá ser corregido por usted. Los "
+"errores al corregirlos harán que su sistema de correo deje de funcionar."
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed? Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration. Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr ""
+"¿Se debe cambiar automáticamente «dynamicmaps.cf»? Rechace esta opción para "
+"cancelar la actualización, dándole la oportunidad de eliminar los comodines "
+"y configuración dependiente de expansión %s. Acepte esta opción si no tiene "
+"este tipo de configuración, y quiere hacer compatible automáticamente el "
+"fichero «dynamicmaps.cf» con Postfix 2.0.2 en este aspecto."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr ""
+"La versión de Postfix 2.1 y posteriores requieren nuevos servicios en "
+"«master.cf»"
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid ""
+"Should this configuration be automatically added to master.cf? Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself. Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr ""
+"¿Se debe añadir automáticamente la configuración a master.cf? Rechace esta "
+"opción para cancelar la actualización, dándole la oportunidad de añadirla "
+"usted mismo. Acepte esta opción para automáticamente hacer master.cf "
+"compatible con Postfix 2.1 en este aspecto."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr "¿Corregir master.cf para la actualización?"
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr ""
+"La versión 2.1 de Postfix ha renombrado «nqmgr» a «qmgr» y está usando "
+"«qmgr»."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Failure to fix this will result in a broken mailer. Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself. Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr ""
+"En caso de fallo al corregir esto, resultará en un sistema de correo "
+"disfuncional. Rechace esta opción para cancelar la actualización, dándole la "
+"oportunidad de añadirla usted mismo. Acepte esta opción para automáticamente "
+"hacer master.cf compatible con Postfix 2.1 en este aspecto."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr "¿Debe Postfix actualizar los mapas hash y btree?"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr "Postfix ha cambiado a db4 y esto podría requerir actualizar los mapas."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr "¿Desea que se intente la conversión automáticamente?"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr "Incompatibilidad en el mapa de transporte"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used. Postfix will not be restarted automatically."
+msgstr ""
+"Tiene un mapa de transporte definido y existe un cambio incompatible en como "
+"se usan los mapas de transporte. Postfix no se reiniciará automáticamente."
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"Transport map entries override $mydestination. If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination. See the html/faq.html sections for firewalls and "
+"intranets. If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr ""
+"Las entradas del mapa de transporte anulan «$mydestination». Si usa mapas de "
+"transporte, es mejor tener siempre entradas explícitas para todos los "
+"nombres de dominio que usted tenga en $mydestination. Vea las secciones de "
+"cortafuegos e intranets en html/faq.html. Si tiene entradas de transporte "
+"para dominios padres de cualquier cosa que se entregue localmente, "
+"probablemente necesite añadir entradas específicas para los dominios destino "
+"antes de reiniciar Postfix."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr "Entrada incorrecta, ¿intentar nuevamente?"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr "La cadena que ha ingresado"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr "no cumple con la RFC 1035 y no parece ser una dirección IP válida."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr ""
+"RFC 1035 indica que «cada componente debe empezar con un caracter "
+"alfanumérico, finalizar con un alfanumérico y solamente contener "
+"alfanuméricos y guiones»."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr "¿Desea mantenerlo de todas maneras?"
+
+#. Type: select
+#. Choices
+#: ../templates:75
+#, fuzzy
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only"
+msgstr ""
+"Sin configuración, Sitio de Internet, Internet con smarthost, Sistema "
+"satélite, Sólo entrega local"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr "Tipo genérico de configuración"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point. If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later. You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr ""
+"En este momento tiene diversas opciones para la configuración general. Si "
+"tiene configurada la prioridad de debconf en «low» o «medium», se le harán "
+"mas preguntas luego. Cuando lo desee puede ejecutar «dpkg-reconfigure --"
+"priority=low postfix» si quiere ver estas preguntas nuevamente."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION. No configuration changes will be done now: If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix. main.cf will not be modified by the "
+"Postfix install process."
+msgstr ""
+"Sin configuración - SI DESEA QUE EL PROGRAMA DE INSTALACIÓN NO TOQUE SU "
+"CONFIGURACIÓN, ELIJA ESTA OPCIÓN. No se realizará ningún cambio en la "
+"configuración ahora: Si usted todavía no ha configurado Postfix, su sistema "
+"de correo no funcionará y no deberá usarse. En ese caso debe efectuar la "
+"configuración editando el fichero «/usr/share/postfix/main.cf.dist» y "
+"guardando sus cambios como «/etc/postfix/main.cf», o ejecutando «dpkg-"
+"reconfigure postfix». «main.cf» no será modificado por el proceso de "
+"instalación de postfix."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr ""
+"Sitio Internet - el correo se envía y se recibe directamente usando SMTP. Si "
+"sus necesidades no se adaptan a ninguna categoría, probablemente quiera "
+"empezar con ésta y luego modificar el fichero de configuración en forma "
+"manual."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr ""
+"Sitio Internet usando smarthost - Recibe correo de internet en esta máquina "
+"ya sea directamente a través de SMTP o ejecutando una herramienta como "
+"fetchmail. El correo saliente se envía usando un smarthost, opcionalmente "
+"con las direcciones reescritas. Esto es probablemente lo que querría para "
+"una conexión a través de línea telefónica."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr ""
+"Sistema satélite - Todo el correo se envía a otra máquina, llamada «smart "
+"host». El correo de root y postmaster se envía de acuerdo a «/etc/aliases». "
+"No se recibe correo localmente."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network. Mail for local users is "
+"delivered."
+msgstr ""
+"Sólo entrega local - No forma parte de una red. Se envía correo a los "
+"usuarios locales."
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "WARNING: Postfix not configured"
+msgstr "ADVERTENCIA: Postfix no esta configurado"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default. Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr ""
+"Ha elegido «Sin configuración» - Postfix no será configurado y no será "
+"iniciado automáticamente. Por favor, ejecute «dpkg-reconfigure postfix» en "
+"cualquier momento o configúrelo usted mismo mediante los siguientes pasos:"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr "1) Modificando «/etc/postfix/main.cf» a su gusto"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "2) Running /etc/init.d/postfix start"
+msgstr "2) Ejecutando «/etc/init.d/postfix start»"
+
+#. Type: string
+#. Default
+#: ../templates:120
+msgid "/etc/mailname"
+msgstr "/etc/mailname"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid "Mail name?"
+msgstr "¿Nombre de correo?"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr ""
+"El «nombre de correo» es la porción del nombre de máquina de la dirección "
+"que será mostrada en las noticias y correos salientes (despues del nombre de "
+"usuario y el signo @)."
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+"Este nombre será usado por otros programas además de Postfix; deberá ser un "
+"único nombre de dominio completo (FDQN) desde el que parecerá originarse el "
+"correo."
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr ""
+"¿Otros destinos para los cuales aceptar correo? (en blanco para ninguno)"
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for. If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+"Ingrese una lista, separada por comas, de dominios de los que esta máquina "
+"deberá considerarse destino final. Si ésta es una pasarela de correo del "
+"dominio, probablemente querrá incluir el dominio padre."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid "SMTP relay host? (blank for none)"
+msgstr "¿Máquina de pasarela SMTP? (en blanco para ninguna)"
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups. Leave this blank for no relay host."
+msgstr ""
+"Especifique un dominio, máquina, máquina:puerto, [dirección] o [dirección:"
+"puerto]. Use la forma [destino] para desactivar las búsquedas de MX. Deje "
+"esto en blanco para ninguna máquina de reenvío."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+"El parámetro relayhost especifica la máquina predeterminada a donde enviar "
+"correo cuando ninguna entrada coincide en la tabla opcional transport(5). "
+"Cuando no se especifica el relayhost, el correo se enruta directamente a su "
+"destino."
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Use procmail for local delivery?"
+msgstr "¿Usar procmail para la entrega local?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr "¿Desea usar procmail para entregar el correo local?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+"Note que si usa procmail para entregar el correo de todo el sistema, deberá "
+"configurar un alias que reenvíe el correo de root a un usuario real."
+
+#. Type: string
+#. Default
+#: ../templates:156
+msgid "+"
+msgstr "+"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "Local address extension character?"
+msgstr "¿Caracter de extensión de direcciones locales?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "What character defines a local address extension?"
+msgstr "¿Qué caracter define una extensión de dirección local?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "To not use address extensions, leave the string blank."
+msgstr "Para no usar extensiones de dirección, deje la cadena en blanco."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "Bad recipient delimiter"
+msgstr "Delimitador de destinatario incorrecto"
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters. Please try again."
+msgstr ""
+"El delimitador de destinatario es sólo un caracter. Por favor inténtelo "
+"nuevamente."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "\"${enteredstring}\""
+msgstr "«${enteredstring}»"
+
+#. Type: boolean
+#. Default
+#: ../templates:172
+msgid "false"
+msgstr "falso"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "Force synchronous updates on mail queue?"
+msgstr "¿Forzar actualizaciones síncronas en la cola de correo?"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a remote chance of losing some mail if the system "
+"crashes at an inopportune time, and you are not using a journaled filesystem "
+"(such as ext3)."
+msgstr ""
+"Si se fuerzan las actualizaciones síncronas, el correo será procesado más "
+"lentamente. Si no se fuerzan, existe la posibilidad remota de perder algunos "
+"correos si el sistema se colapsa en un momento inoportuno y no está usando "
+"un sistema de ficheros transaccional (como ext3)."
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "The default is \"off\"."
+msgstr "El predeterminado es «off»."
+
+#. Type: string
+#. Default
+#: ../templates:183
+msgid "127.0.0.0/8"
+msgstr "127.0.0.0/8"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid "Local networks?"
+msgstr "¿Redes locales?"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"For what network blocks should this machine relay mail? The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr ""
+"¿Para cuales bloques de la red esta máquina deberá reenviar el correo?. El "
+"predeterminado es simplemente a la máquina local, lo cual necesitan algunos "
+"agentes de correo de usuario."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+"Si éste es un smarthost para un bloque de máquinas, debe especificar los "
+"bloques de red aquí, o el correo será rechazado en lugar de reenviado."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+"Para usar el predeterminado de postfix (que se basa en las redes "
+"conectadas), ingrese una cadena vacía."
+
+#. Type: string
+#. Default
+#: ../templates:196
+msgid "0"
+msgstr "0"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid "Mailbox size limit"
+msgstr "Límite de tamaño de buzón de correo"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors. A value of zero (0) means no limit. (The upstream default is "
+"51200000.)"
+msgstr ""
+"¿Qué límite deberá colocar Postfix en los ficheros de buzón de correo para "
+"prevenir errores de software? El valor de cero (0) significa ilimitado. (El "
+"predeterminado por el desarrollador principal es 51200000.)"
+
+#. Type: string
+#. Default
+#: ../templates:204
+msgid "NONE"
+msgstr "NINGUNA"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid "Where should mail for root go"
+msgstr "Dónde debe enviarse el correo para el superusuario"
+
+#. Type: string
+#. Description
+#: ../templates:205
+#, fuzzy
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody. This is by design: mail is not delivered to external delivery "
+"agents as root."
+msgstr ""
+"El superusuario (y cualquier otro usuario con un uid 0) deberá tener el "
+"correo redirigido a través de un alias, o su correo será entregado a «/var/"
+"mail/nobody». Esto es por diseño: no se entrega correo como superusuario."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry. (I will only add it if I am creating a new /etc/aliases.)"
+msgstr ""
+"Si ya tiene un fichero /etc/aliases, entonces posiblemente necesite añadir "
+"esta entrada (Solamente se añadirá si se crea un nuevo /etc/aliases)."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"What address should I add to /etc/aliases, if I create the file? (Enter "
+"NONE to not add one.)"
+msgstr ""
+"¿Que dirección se deberá añadir a /etc/aliases, si se crea el fichero? "
+"(Ingrese NONE para no añadir ninguna)."
+
+#~ msgid ""
+#~ "HP - Configuration used inside of HP. This just hardcodes several "
+#~ "configuration parameters based on the final components of the hostname, "
+#~ "but looks largely like 'Internet site using smarthost'. This option will "
+#~ "modify /etc/postfix/transport and install it as a transport map."
+#~ msgstr ""
+#~ "HP - Configuración usada dentro de HP. Simplemente escribe diversos "
+#~ "parámetros de configuración basados en los componentes finales del nombre "
+#~ "de la máquina, pero es muy parecido a 'Sitio Internet usando smarthost'. "
+#~ "Esta opción modificará /etc/postfix/transport y lo instalará como un mapa "
+#~ "de transporte."
+
+#~ msgid "The default is \"off\", see the changelog for an explanation."
+#~ msgstr ""
+#~ "El predeterminado es \"off\", vea el registro de cambios para más "
+#~ "detalles."
+
+#~ msgid "Append .domain to simple addresses"
+#~ msgstr "Añadir .dominio a direcciones simples"
+
+#, fuzzy
+#~ msgid ""
+#~ "When Postfix sees an address with only one component in the hostname, "
+#~ "should it append .$mydomain? Appending .$mydomain means that you don't "
+#~ "need to qualify destinations in your own domain, but breaks mail bound "
+#~ "for users at top-level domain addresses. (yes, there are some of these.)"
+#~ msgstr ""
+#~ "Cuando postfix encuentra una dirección con solamente un componente en el "
+#~ "nombre de máquina, ¿deberá añadir .$mydomain? Si elige que sí, significa "
+#~ "que no necesitará verificar destinos en su propio dominio, pero rompe el "
+#~ "límite de correo para usuarios con direcciones de dominio padre. (Si, hay "
+#~ "algunas de éstas)."
+
+#, fuzzy
+#~ msgid ""
+#~ "If you are forwarding mail out of your organization, you should almost "
+#~ "certainly not append .$mydomain. If you're the only user of mail on your "
+#~ "system, choose whichever is more convenient for you."
+#~ msgstr ""
+#~ "Si usted está reenviando correo fuera de su organización, deberá decir "
+#~ "«no» aquí con casi toda seguridad. Si usted es el único usuario de correo "
+#~ "en su sistema, elija lo que sea más adecuado para usted."
+
+#~ msgid ""
+#~ "If you answer no, you almost certainly need to add 'localhost' to the "
+#~ "list of local destinations."
+#~ msgstr ""
+#~ "Si su respuesta es no, seguramente necesitará añadir 'localhost' a la "
+#~ "lista de destinos locales."
Added: trunk/kolab-postfix/debian/po/fr.po
===================================================================
--- trunk/kolab-postfix/debian/po/fr.po 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/po/fr.po 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,707 @@
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: postfix 2.1.5-1\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-10-30 21:06-0600\n"
+"PO-Revision-Date: 2004-11-07 21:30+0100\n"
+"Last-Translator: Philippe Batailler <philippe.batailler at free.fr>\n"
+"Language-Team: French <debian-l10n-french at lists.debian.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-15\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr "Faut-il corriger le fichier dynamicmaps.cf pour faire la mise à jour ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion. Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you. Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+"À partir de la version 2.0.2, Postfix demande des modifications du fichier "
+"dynamicmaps.cf. En particulier, l'utilisation de joker n'est plus possible "
+"et avec elle, l'expansion de %s. Il vous faudra corriger tout ce qui "
+"utilisait ces possibilités. Ne pas le faire rendra le programme défectueux."
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed? Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration. Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr ""
+"Souhaitez-vous une modification automatique du fichier dynamicmaps.cf ? "
+"Refusez cette option pour interrompre la mise à jour : cela vous donne "
+"l'occasion de supprimer l'utilisation de joker et l'expansion des %s dans "
+"votre configuration. Si votre configuration n'utilise pas ces possibilités, "
+"accepter l'option rendra le fichier dynamicmaps.cf compatible avec la "
+"version 2.0.2 de Postfix."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr ""
+"À partir de la version 2.1, Postfix demande de nouvelles définitions dans le "
+"fichier master.cf."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid ""
+"Should this configuration be automatically added to master.cf? Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself. Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr ""
+"Souhaitez-vous ajouter automatiquement ces services dans le fichier master."
+"cf ? Refusez cette option pour interrompre la mise à jour : cela vous donne "
+"l'occasion de faire vous-même cette configuration. Accepter l'option rendra "
+"le fichier master.cf compatible avec la version 2.1 de Postfix."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr "Faut-il corriger le fichier master.cf pour la mise à jour ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr ""
+"Le fichier « nqmgr », que vous utilisez, s'appelle maintenant « qmgr », "
+"depuis la version 2.1 de Postfix."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Failure to fix this will result in a broken mailer. Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself. Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr ""
+"Si vous ne changez pas ce nom, le serveur de courriel ne fonctionnera pas. "
+"Refusez cette option pour interrompre la mise à jour : cela vous donne "
+"l'occasion de faire vous-même cette configuration. Accepter l'option rendra "
+"le fichier master.cf compatible avec la version 2.1 de Postfix."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr "Faut-il mettre à jour les tables de type hash et btree ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr ""
+"Postfix est passé à db4, ce qui peut nécessiter la mise à jour des tables."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr "Voulez-vous procéder automatiquement à cette conversion ?"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr "Incompatibilité dans la table de transport"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used. Postfix will not be restarted automatically."
+msgstr ""
+"Vous avez défini une table de transport ; mais la façon d'utiliser les "
+"tables de transport a changé. Postfix ne sera pas relancé automatiquement."
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"Transport map entries override $mydestination. If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination. See the html/faq.html sections for firewalls and "
+"intranets. If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr ""
+"Les entrées de la table de transport annulent « $mydestination ». Si vous "
+"utilisez une table de transport, il vaut mieux créer explicitement une "
+"entrée pour chaque nom de domaine listé dans $mydestination. Voyez les "
+"sections dans html/faq.html sur les pare-feux et les intranets. Si vous avez "
+"des entrées pour les domaines parents de tout ce qui est distribué "
+"localement, vous avez sans doute besoin d'ajouter des entrées spécifiques "
+"pour les domaines de destination avant de relancer Postfix."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr "Mauvaise entrée, faut-il réessayer ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr "La chaîne saisie"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr "ne suit pas la RFC 1035 et ne semble pas être une adresse IP valable."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr ""
+"La RFC 1035 stipule : « Chaque élément doit commencer par un caractère "
+"alphanumérique, se terminer par un caractère alphanumérique et ne contenir "
+"que des caractères alphanumériques et des traits d'union. Les éléments "
+"doivent être séparés par des points. »"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr "Voulez-vous quand même la garder ?"
+
+#. Type: select
+#. Choices
+#: ../templates:75
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only"
+msgstr ""
+"Pas de configuration, Site Internet, Internet par un FAI, Système satellite, "
+"Utilisation locale seulement"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr "Type de configuration :"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point. If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later. You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr ""
+"Vous pouvez maintenant choisir entre plusieurs types de configuration. Si la "
+"priorité de debconf est fixée à « low » ou à « medium », des questions "
+"supplémentaires vous seront proposées. Vous pourrez exécuter « dpkg-"
+"reconfigure --priority=low postfix » quand vous voudrez revoir ces questions."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION. No configuration changes will be done now: If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix. main.cf will not be modified by the "
+"Postfix install process."
+msgstr ""
+"Pas de configuration. SI VOUS NE VOULEZ PAS QUE L'INSTALLATION TOUCHE À "
+"VOTRE CONFIGURATION, CHOISISSEZ CETTE OPTION. Aucune configuration ne sera "
+"faite. Si Postfix n'est pas déjà configuré, votre système de courrier sera "
+"défectueux et ne devrait pas être utilisé. Vous devez alors vous-même "
+"modifier le fichier /usr/share/postfix/main.cf.dist et sauvegarder votre "
+"configuration dans /etc/postfix/main.cf. Vous pouvez aussi lancer « dpkg-"
+"reconfigure postfix ». Le processus d'installation de Postfix ne modifiera "
+"pas le fichier main.cf."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr ""
+"Site Internet. Le courrier est expédié et reçu directement, en utilisant "
+"SMTP. Si aucun des choix proposés ne décrit nettement vos besoins, il vaut "
+"mieux commencer avec cette option et modifier par la suite le fichier de "
+"configuration."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr ""
+"Site Internet utilisant un « smarthost » (machine relais). Vous recevez le "
+"courrier internet sur cette machine soit directement par SMTP soit grâce à "
+"un utilitaire comme fetchmail. Le courrier sortant est envoyé grâce au "
+"« smarthost ». Les adresses ont pu être réécrites. C'est sans doute l'option "
+"adaptée à un système connecté par le réseau téléphonique."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr ""
+"Système satellite. Tout le courrier est envoyé à une autre machine, le "
+"« smarthost », qui le distribue. Le courrier pour root ou pour postmaster "
+"est distribué selon /etc/aliases. Aucun courrier n'est reçu localement."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network. Mail for local users is "
+"delivered."
+msgstr ""
+"Distribution locale seulement. Vous n'êtes pas sur un réseau. Le courrier "
+"est distribué aux utilisateurs locaux."
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "WARNING: Postfix not configured"
+msgstr "ATTENTION : Postfix n'est pas configuré"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default. Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr ""
+"Vous avez choisi l'option « pas de configuration ». Postfix ne sera pas "
+"configuré ni lancé. Vous pourrez plus tard exécuter « dpkg-reconfigure "
+"postfix » ou bien vous pouvez le configurer vous-même :"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr "1) en faisant les modifications que vous voulez à /etc/postfix/main.cf"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "2) Running /etc/init.d/postfix start"
+msgstr "2) puis en exécutant : /etc/init.d/postfix start"
+
+#. Type: string
+#. Default
+#: ../templates:120
+msgid "/etc/mailname"
+msgstr "/etc/mailname"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid "Mail name?"
+msgstr "Nom de courrier :"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr ""
+"Votre « nom de courrier » est la partie de l'adresse contenant le nom de "
+"machine qui doit être écrite sur les courriers électroniques ou sur les "
+"articles des forums de discussion que vous postez ; elle suit le nom "
+"d'utilisateur et le caractère @."
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+"D'autres programmes que Postfix se servent de ce nom ; il doit correspondre "
+"au domaine unique et complètement qualifié (FQDN) d'où le courrier semblera "
+"provenir."
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr ""
+"Pour quelles autres destinations accepter le courrier ? (ou laisser le champ "
+"vide)"
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for. If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+"Donnez une liste des domaines, séparés par des virgules, que cette machine "
+"reconnaîtra comme lui appartenant. Si la machine est un serveur de courrier, "
+"vous voudrez sans doute inclure le domaine de plus haut niveau."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid "SMTP relay host? (blank for none)"
+msgstr "Machine de relais SMTP :"
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups. Leave this blank for no relay host."
+msgstr ""
+"Indiquez un domaine, une machine hôte, machine_hôte:port, [adresse] ou "
+"[adresse:port]. Utilisez la forme [destination] pour désactiver la recherche "
+"de MX (Mail eXchange). Laissez ce champ vide s'il n'y a pas de machine "
+"relais."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+"Ce paramètre indique la machine par défaut où envoyer le courrier quand "
+"aucune entrée correspondante n'existe dans la table optionnelle de transport"
+"(5). Quand aucune machine relais n'est donnée, le courrier est routé "
+"directement vers sa destination."
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Use procmail for local delivery?"
+msgstr "Faut-il utiliser procmail pour la distribution locale ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr "Voulez-vous utiliser procmail pour la distribution locale ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+"Remarque : si vous utilisez procmail pour distribuer le courrier sur tout un "
+"système, vous devriez créer un alias, représentant un utilisateur réel, vers "
+"lequel faire suivre le courrier de l'utilisateur root."
+
+#. Type: string
+#. Default
+#: ../templates:156
+msgid "+"
+msgstr "+"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "Local address extension character?"
+msgstr "Quel caractère signifie une adresse locale ?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "What character defines a local address extension?"
+msgstr "Quel caractère signifie une extension d'adresse locale ?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "To not use address extensions, leave the string blank."
+msgstr ""
+"Pour ne pas utiliser d'extension pour les adresses locales, laissez le champ "
+"vide."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "Bad recipient delimiter"
+msgstr "Mauvais délimiteur du destinataire"
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters. Please try again."
+msgstr ""
+"Le délimiteur du destinataire ne doit comporter qu'un seul caractère, vous "
+"en avez donné trop. Veuillez recommencer."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "\"${enteredstring}\""
+msgstr "« ${enteredstring} »"
+
+#. Type: boolean
+#. Default
+#: ../templates:172
+msgid "false"
+msgstr "Faux"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "Force synchronous updates on mail queue?"
+msgstr ""
+"Forcer des mises à jour synchronisées de la file d'attente des courriels ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a remote chance of losing some mail if the system "
+"crashes at an inopportune time, and you are not using a journaled filesystem "
+"(such as ext3)."
+msgstr ""
+"Quand on impose des mises à jour synchronisées, l'envoi des courriels se "
+"fait plus lentement. Dans le cas contraire, il y a des risques de perdre des "
+"courriels si le système meurt inopinément et si vous n'utilisez pas un "
+"système de fichiers journalisé, comme ext3."
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "The default is \"off\"."
+msgstr "La valeur par défaut est « off »."
+
+#. Type: string
+#. Default
+#: ../templates:183
+msgid "127.0.0.0/8"
+msgstr "127.0.0.0/8"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid "Local networks?"
+msgstr "Réseaux internes :"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"For what network blocks should this machine relay mail? The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr ""
+"Pour quels réseaux cette machine relaye-t-elle le courrier ? Par défaut, les "
+"courriels du réseau local sont acceptés, ce qui est demandé par certains "
+"lecteurs de courrier."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+"Si c'est un « smarthost » pour un ensemble de machines, vous devez indiquer "
+"l'ensemble des réseaux, sinon le courrier sera rejeté plutôt qu'expédié."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+"Pour utiliser les valeurs par défaut de postfix (basées sur des réseaux "
+"connectés), veuillez entrer une valeur vide."
+
+#. Type: string
+#. Default
+#: ../templates:196
+msgid "0"
+msgstr "0"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid "Mailbox size limit"
+msgstr "Taille maximale des boîtes aux lettres :"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors. A value of zero (0) means no limit. (The upstream default is "
+"51200000.)"
+msgstr ""
+"Quelle limite Postfix doit-il mettre à la taille des boîtes aux lettres pour "
+"empêcher les erreurs des logiciels incontrôlables ? Une valeur nulle "
+"signifie aucune limite. Les créateurs du logiciel ont mis par défaut "
+"51200000."
+
+#. Type: string
+#. Default
+#: ../templates:204
+msgid "NONE"
+msgstr "NONE"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid "Where should mail for root go"
+msgstr "À qui envoyer le courrier pour root ?"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody. This is by design: mail is not delivered to external delivery "
+"agents as root."
+msgstr ""
+"Le courrier pour l'utilisateur root (et pour tout utilisateur avec un uid "
+"égal à 0) doit être dirigé vers un alias. Sinon le courrier est distribué à /"
+"var/mail/nobody. Cela est voulu, le courrier n'est pas distribué à des "
+"agents de distribution externes tel que root."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry. (I will only add it if I am creating a new /etc/aliases.)"
+msgstr ""
+"Si le fichier /etc/aliases existe déjà, vous devrez sans doute ajouter cette "
+"entrée (elle n'est ajoutée que lors de la création d'un fichier /etc/"
+"aliases)."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"What address should I add to /etc/aliases, if I create the file? (Enter "
+"NONE to not add one.)"
+msgstr ""
+"Quelle adresse faut-il ajouter dans /etc/aliases si ce fichier est créé ? "
+"Choisissez NONE pour ne rien ajouter."
+
+#~ msgid ""
+#~ "HP - Configuration used inside of HP. This just hardcodes several "
+#~ "configuration parameters based on the final components of the hostname, "
+#~ "but looks largely like 'Internet site using smarthost'. This option will "
+#~ "modify /etc/postfix/transport and install it as a transport map."
+#~ msgstr ""
+#~ "HP. Configuration utilisée au sein de HP. Cela code en dur quelques "
+#~ "paramètres de configuration qui sont basés sur les derniers éléments du "
+#~ "nom de machine, mais cela ressemble en grande partie au site Internet "
+#~ "utilisant un « smarthost ». Cette option va modifier /etc/postfix/"
+#~ "transport pour l'utiliser comme table de transport."
+
+#~ msgid "The default is \"off\", see the changelog for an explanation."
+#~ msgstr ""
+#~ "Par défaut, la valeur est « off ». Voyez le fichier changelog pour des "
+#~ "explications."
+
+#~ msgid "Append .domain to simple addresses"
+#~ msgstr "Faut-il ajouter .domaine aux adresses simples ?"
+
+#~ msgid ""
+#~ "When Postfix sees an address with only one component in the hostname, "
+#~ "should it append .$mydomain? Appending .$mydomain means that you don't "
+#~ "need to qualify destinations in your own domain, but breaks mail bound "
+#~ "for users at top-level domain addresses. (yes, there are some of these.)"
+#~ msgstr ""
+#~ "Postfix doit-il ajouter .$mydomain quand il rencontre une adresse dont le "
+#~ "nom de domaine ne comporte qu'un élément ? Ajouter .$mydomain signifie "
+#~ "que vous n'avez pas besoin de qualifier les destinations dans votre "
+#~ "propre domaine. Mais le courrier pour des utilisateurs situés dans des "
+#~ "domaines supérieurs (oui, cela existe) devient mal formé."
+
+#~ msgid ""
+#~ "If you are forwarding mail out of your organization, you should almost "
+#~ "certainly not append .$mydomain. If you're the only user of mail on your "
+#~ "system, choose whichever is more convenient for you."
+#~ msgstr ""
+#~ "Si vous réexpédiez le courrier à l'extérieur de votre organisation, il "
+#~ "vous faut certainement ne pas rajouter .$mydomain. Si vous êtes le seul "
+#~ "utilisateur de votre système, choisissez ce que vous voulez."
+
+#~ msgid ""
+#~ "If you answer no, you almost certainly need to add 'localhost' to the "
+#~ "list of local destinations."
+#~ msgstr ""
+#~ "Si vous ne choisissez pas cette option, vous devez ajouter « localhost » "
+#~ "comme destination locale."
+
+#~ msgid ""
+#~ "Postfix has converted from libdb2 format to libdb3 format. This change "
+#~ "requires that all Postfix hash and btree maps be regenerated."
+#~ msgstr ""
+#~ "Postfix est passé du format libdb2 au format libdb3. Cette modification "
+#~ "impose que toutes les tables de type hash et btree soient reconstruites."
+
+#~ msgid ""
+#~ "If you answer no, Postfix will be restarted, but may fail if your db "
+#~ "files still need to be converted. If you answer yes, all hash and btree "
+#~ "maps used by Postfix will be rebuilt prior to restarting Postfix."
+#~ msgstr ""
+#~ "Si vous répondez négativement, Postfix sera relancé mais échouera sans "
+#~ "doute si les fichiers db n'ont pas été modifiés. Si vous acceptez, toutes "
+#~ "les tables seront reconstruites avant le lancement de Postfix."
Added: trunk/kolab-postfix/debian/po/it.po
===================================================================
--- trunk/kolab-postfix/debian/po/it.po 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/po/it.po 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,675 @@
+# Italian translation of the postfix debconf template
+# This file is distributed under the same license as the postfix package
+# Cristian Rigamonti <cri at linux.it>, 2004.
+msgid ""
+msgstr ""
+"Project-Id-Version: postfix 2.1.4-3\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-10-30 21:06-0600\n"
+"PO-Revision-Date: 2004-08-01 18:13+0200\n"
+"Last-Translator: Cristian Rigamonti <cri at linux.it>\n"
+"Language-Team: Italian <tp at lists.linux.it>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-1\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr "Correggere dynamicmaps.cf per l'aggiornamento?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion. Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you. Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+"Postfix dalla versione 2.0.2 in poi richiede delle modifiche a dynamicmaps."
+"cf. In particolare, i caratteri jolly non sono più supportati, come neanche "
+"l'espansione %s . Ogni modifica fatta a dynamicmaps.cf che si basa su "
+"queste funzionalità deve essere corretta, altrimenti il sistema di posta non "
+"funzionerà correttamente."
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed? Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration. Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr ""
+"Si desidera la correzione automatica di dynamicmaps.cf? Rifiutando questa "
+"proposta, l'aggiornamento verrà annullato e si avrà la possibilità di "
+"eliminare le configurazioni che dipendono dai caratteri jolly e dalle "
+"espansioni %s. Se non si usano configurazioni di questo tipo, accettando la "
+"proposta si renderà dynamicmaps.cf compatibile con Postfix 2.0.2 in modo "
+"automatico."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr ""
+"Postfix dalla versione 2.1 in poi richiede che siano aggiunti nuovi servizi "
+"in master.cf."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid ""
+"Should this configuration be automatically added to master.cf? Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself. Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr ""
+"Si desidera modificare automaticamente la configurazione di master.cf? "
+"Rifiutando questa proposta, l'aggiornamento verrà annullato e si avrà la "
+"possibilità di eseguire manualmente la configurazione. Accettando la "
+"proposta si renderà master.cf compatibile con Postfix 2.1 in modo automatico."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr "Correggere master.cf per l'aggiornamento?"
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr ""
+"A partire dalla versione 2.1 di Postfix, \"nqmgr\" è stato rinominato \"qmgr"
+"\" ma sul sistema è ancora in uso \"nqmgr\"."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Failure to fix this will result in a broken mailer. Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself. Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr ""
+"Se non si effettua questa correzione, il programma sarà inutilizzabile. "
+"Rifiutando questa proposta, l'aggiornamento verrà annullato e si avrà la "
+"possibilità di eseguire manualmente la configurazione. Accettando la "
+"proposta si renderà master.cf compatibile con Postfix 2.1 in modo automatico."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr "Si desidera aggiornare le mappe hash e btree di Postfix?"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr ""
+"Postfix ha adottato db4; ciò può richiedere un aggiornamento delle mappe."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr "Si desidera tentare la conversione automatica?"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr "Incompatibilità nella mappa transport"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used. Postfix will not be restarted automatically."
+msgstr ""
+"È stata rilevata una mappa transport; poiché la modalità di uso delle mappe "
+"transport è cambiata in modo incompatibile, Postfix non sarà riavviato "
+"automaticamente."
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"Transport map entries override $mydestination. If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination. See the html/faq.html sections for firewalls and "
+"intranets. If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr ""
+"Le voci della mappa transport prevalgono su $mydestination. Se si usano le "
+"mappe transport è meglio includere sempre delle voci esplicite per tutti i "
+"nomi di dominio contenuti in $mydestination. Si vedano le sezioni di html/"
+"faq.html riguardanti i firewall e le intranet. Se transport contiene delle "
+"voci per domini gerarchicamente superiori a quelli per cui avviene la "
+"consegna locale, prima di riavviare Postfix è opportuno aggiungere delle "
+"voci specifiche anche per i domini di destinazione."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr "Valore errato, riprovare?"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr "La stringa immessa"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr ""
+"non è conforme alla RFC 1035 e non sembra essere un indirizzo IP valido."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr ""
+"La RFC 1035 richiede che ogni componente inizi e finisca con un carattere "
+"alfanumerico e contenga solo caratteri alfanumerici o il trattino \"-\". Le "
+"componenti devono essere separate da punti."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr "Si desidera mantenerlo comunque?"
+
+#. Type: select
+#. Choices
+#: ../templates:75
+#, fuzzy
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only"
+msgstr ""
+"Nessuna configurazione, Sito Internet, Sito Internet con \"smarthost\", "
+"Sistema satellite, Solo consegna locale, HP"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr "Profilo generale di configurazione?"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point. If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later. You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr ""
+"Sono disponibili vari profili di configurazione. Se il livello di priorità "
+"di debconf è impostato a \"low\" o \"medium\", verranno poste ulteriori "
+"domande in seguito. È sempre possibile eseguire \"dpkg-reconfigure --"
+"priority=low postfix\" in futuro, per rivedere queste domande."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION. No configuration changes will be done now: If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix. main.cf will not be modified by the "
+"Postfix install process."
+msgstr ""
+"Nessuna configurazione - SE SI VUOLE CHE LA PROCEDURA DI INSTALLAZIONE NON "
+"MODIFICHI I FILE DI CONFIGURAZIONE, SI SCELGA QUESTA OPZIONE. Non verranno "
+"eseguite modifiche alla configurazione: se Postfix non è stato ancora "
+"configurato, il sistema di posta non funzionerà e non deve essere usato. "
+"Occorre eseguire la configurazione manualmente, modificando /usr/share/"
+"postfix/main.cf.dist e salvandolo come /etc/postfix/main.cf, o eseguendo "
+"dpkg-reconfigure Postfix. main.cf non sarà modificato dalla procedura di "
+"installazione di Postfix."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr ""
+"Sito internet - la posta viene ricevuta e inviata direttamente, usando SMTP. "
+"Se nessuna delle altre opzioni corrisponde perfettamente alle proprie "
+"esigenze, conviene scegliere questa opzione e modificare poi manualmente il "
+"file di configurazione."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr ""
+"Sito internet con \"smarthost\" - Questo computer riceve posta da internet, "
+"direttamente con SMTP o usando un programma come fetchmail. La posta in "
+"uscita viene inoltrata a un altro computer (\"smarthost\"), eventualmente "
+"dopo una riscrittura degli indirizzi. Probabilmente è la soluzione migliore "
+"per un sistema con una connessione dialup."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr ""
+"Sistema satellite - Tutta la posta viene inoltrata a un altro computer "
+"(\"smart host\"). La posta per \"root\" e \"postmaster\" è consegnata "
+"secondo /etc/aliases. Non viene ricevuta posta localmente."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network. Mail for local users is "
+"delivered."
+msgstr ""
+"Solo consegna locale - Il computer non è in rete. Viene consegnata solo la "
+"posta per gli utenti locali."
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "WARNING: Postfix not configured"
+msgstr "ATTENZIONE: Postfix non è configurato"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default. Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr ""
+"Si è scelto \"Nessuna configurazione\" - Postfix non sarà configurato e non "
+"sarà avviato. Si prega di eseguire \"dpkg-reconfigure postfix\" in seguito, "
+"o di eseguire la seguente procedura manuale:"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr "1) Modificare /etc/postfix/main.cf a proprio piacimento"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "2) Running /etc/init.d/postfix start"
+msgstr "2) Eseguire \"/etc/init.d/postfix start\""
+
+#. Type: string
+#. Default
+#: ../templates:120
+msgid "/etc/mailname"
+msgstr "/etc/mailname"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid "Mail name?"
+msgstr "Scegliere il \"mail name\""
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr ""
+"Il \"mail name\" è la parte host dell'indirizzo che verrà usato per i "
+"messaggi di posta e news in uscita da questo computer (ossia la parte che "
+"segue il nome dell'utente e il segno \"@\")."
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+"Questo nome verrà usato da altri programmi oltre a Postfix; dovrebbe essere "
+"il nome univoco e completo di dominio (FQDN: fully qualified domain name) da "
+"cui la posta apparirà originata."
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr ""
+"Altre destinazioni per cui accettare posta? Lasciare in bianco se non ce ne "
+"sono."
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for. If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+"Indicare una lista (separata da virgole) di domini per cui questo computer "
+"si deve considerare come la destinazione finale. Se questo computer è un "
+"gateway di posta per un intero dominio, è consigliabile includere anche il "
+"top-level domain."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid "SMTP relay host? (blank for none)"
+msgstr "Host da usare come relay SMTP? Lasciare in bianco se non viene usato."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups. Leave this blank for no relay host."
+msgstr ""
+"Indicare un dominio, host, host:porta, [indirizzo] o [indirizzo:porta]. "
+"Usando la forma [destinazione] vengono disabilitate le ricerche MX. Lasciare "
+"in bianco se non si usa alcun relay."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+"Il parametro \"relayhost\" indica l'host a cui inviare la posta quando non "
+"viene trovata alcuna corrispondenza nella tabella opzionale transport(5). Se "
+"non viene indicato, la posta è instradata direttamente alla destinazione."
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Use procmail for local delivery?"
+msgstr "Usare procmail per la consegna locale?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr "Si vuole usare procmail per consegnare la posta locale?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+"Nota: se si usa procmail per consegnare la posta di tutto il sistema, è "
+"consigliabile impostare un alias per inoltrare a un altro utente la posta "
+"diretta a \"root\"."
+
+#. Type: string
+#. Default
+#: ../templates:156
+msgid "+"
+msgstr "+"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "Local address extension character?"
+msgstr "Carattere per le estensioni degli indirizzi locali?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "What character defines a local address extension?"
+msgstr "Quale carattere definisce un'estensione degli indirizzi locali?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "To not use address extensions, leave the string blank."
+msgstr "Per non usare le estensioni di indirizzi, lasciare in bianco."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "Bad recipient delimiter"
+msgstr "Delimitatore errato."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters. Please try again."
+msgstr ""
+"Il delimitatore dei destinatari deve essere un carattere singolo, ma sono "
+"stati immessi più caratteri. Riprovare."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "\"${enteredstring}\""
+msgstr "\"${enteredstring}\""
+
+#. Type: boolean
+#. Default
+#: ../templates:172
+msgid "false"
+msgstr "false"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "Force synchronous updates on mail queue?"
+msgstr "Forzare gli aggiornamenti sincroni della coda di posta?"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+#, fuzzy
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a remote chance of losing some mail if the system "
+"crashes at an inopportune time, and you are not using a journaled filesystem "
+"(such as ext3)."
+msgstr ""
+"Se viene forzato l'uso degli aggiornamenti sincroni, la posta verrà "
+"processata più lentamente. In caso contrario, potrebbe esserci la "
+"possibilità di perdere dei messaggi, nel caso il sistema cada in un momento "
+"particolarmente inopportuno."
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "The default is \"off\"."
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:183
+msgid "127.0.0.0/8"
+msgstr "127.0.0.0/8"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid "Local networks?"
+msgstr "Reti locali?"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"For what network blocks should this machine relay mail? The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr ""
+"Per quali blocchi di rete questo computer deve fare da relay? Il valore "
+"predefinito è solo l'host locale, che può essere richiesto da alcuni client "
+"di posta."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+"Se questo computer deve fare da \"smarthost\" per un gruppo di altri "
+"computer, occorre indicare il blocco di rete opportuno, altrimenti la posta "
+"verrà rifiutata."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+"Per usare il valore predefinito di postfix (che è basato sulle reti a cui il "
+"computer è connesso), indicare una stringa vuota."
+
+#. Type: string
+#. Default
+#: ../templates:196
+msgid "0"
+msgstr "0"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid "Mailbox size limit"
+msgstr "Limite di dimensione delle mailbox"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors. A value of zero (0) means no limit. (The upstream default is "
+"51200000.)"
+msgstr ""
+"Limite che deve essere imposto da Postfix alla dimensione dei file delle "
+"mailbox per prevenire errori in caso di programmi incontrollabili. Il valore "
+"zero (0) indica nessun limite. Il valore predefinito nella distribuzione "
+"originale di Postfix è 51200000."
+
+#. Type: string
+#. Default
+#: ../templates:204
+msgid "NONE"
+msgstr "NONE"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid "Where should mail for root go"
+msgstr "Dove inoltrare la posta di \"root\""
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody. This is by design: mail is not delivered to external delivery "
+"agents as root."
+msgstr ""
+"La posta destinata all'utente \"root\" (o a qualsiasi altro utente con UID "
+"0) deve essere rediretta usando un alias, altrimenti verrà consegnata a /var/"
+"mail/nobody. Questa è una scelta progettuale: la posta non viene consegnata "
+"come root a programmi esterni di consegna."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry. (I will only add it if I am creating a new /etc/aliases.)"
+msgstr ""
+"Se si ha già un file /etc/aliases, occorre aggiungervi manualmente una voce. "
+"Questa procedura lo farà automaticamente solo nel caso si debba creare un "
+"nuovo /etc/aliases."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"What address should I add to /etc/aliases, if I create the file? (Enter "
+"NONE to not add one.)"
+msgstr ""
+"Che indirizzo si desidera aggiungere in /etc/aliases, nel caso si voglia "
+"creare il file? Indicare \"NONE\" per non aggiungerne alcuno."
+
+#~ msgid ""
+#~ "HP - Configuration used inside of HP. This just hardcodes several "
+#~ "configuration parameters based on the final components of the hostname, "
+#~ "but looks largely like 'Internet site using smarthost'. This option will "
+#~ "modify /etc/postfix/transport and install it as a transport map."
+#~ msgstr ""
+#~ "HP - Configurazione usata all'interno di HP. Vari parametri di "
+#~ "configurazione vengono impostati a seconda delle componenti finali "
+#~ "dell'hostname, ma in pratica assomiglia molto a \"Sito internet con "
+#~ "smarthost\". /etc/postfix/transport verrà modificato e installato come "
+#~ "mappa transport."
+
+#~ msgid "The default is \"off\", see the changelog for an explanation."
+#~ msgstr ""
+#~ "Il valore predefinito è \"off\", si veda il changelog per una spiegazione."
+
+#~ msgid "Append .domain to simple addresses"
+#~ msgstr "Appendere \".dominio\" agli indirizzi semplici"
+
+#~ msgid ""
+#~ "When Postfix sees an address with only one component in the hostname, "
+#~ "should it append .$mydomain? Appending .$mydomain means that you don't "
+#~ "need to qualify destinations in your own domain, but breaks mail bound "
+#~ "for users at top-level domain addresses. (yes, there are some of these.)"
+#~ msgstr ""
+#~ "Quando Postfix trova un indirizzo con un'unica componente nel nome "
+#~ "dell'host deve appendere \".$mydomain\"? In caso positivo non occorrerà "
+#~ "usare degli indirizzi pienamente qualificati per per la posta destinata "
+#~ "al proprio dominio, ma in questo caso gli indirizzi che hanno come unica "
+#~ "componente il dominio principale (sì, ce ne sono) risulternno riscritti "
+#~ "in modo errato."
+
+#~ msgid ""
+#~ "If you are forwarding mail out of your organization, you should almost "
+#~ "certainly not append .$mydomain. If you're the only user of mail on your "
+#~ "system, choose whichever is more convenient for you."
+#~ msgstr ""
+#~ "Se si inoltrano messaggi al di fuori della propria organizzazione, quasi "
+#~ "certamente si vorrà rispondere no a questa domanda. Se si è l'unico "
+#~ "utente di posta su questo sistema, si può scegliere la soluzione più "
+#~ "comoda."
Added: trunk/kolab-postfix/debian/po/ja.po
===================================================================
--- trunk/kolab-postfix/debian/po/ja.po 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/po/ja.po 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,661 @@
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: postfix\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-10-30 21:06-0600\n"
+"PO-Revision-Date: 2004-11-07 19:45+0900\n"
+"Last-Translator: Kenshi Muto <kmuto at debian.org>\n"
+"Language-Team: Japanese <debian-japanese at lists.debian.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=EUC-JP\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr "¹¹¿·¤Î¤¿¤á¤Ë dynamicmaps.cf ¤òÄûÀµ¤·¤Þ¤¹¤«?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion. Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you. Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+"Postfix ¥Ð¡¼¥¸¥ç¥ó 2.0.2 °Ê¹ß¤Ç¤Ï dynamicmaps.cf ¤ÎÊѹ¹¤¬É¬ÍפǤ¹¡£ÆÃ¤Ë¥ï¥¤¥ë"
+"¥É¥«¡¼¥É¥µ¥Ý¡¼¥È¡¢¤ª¤è¤ÓÉտ路¤Æ %s ³ÈÄ¥¤¬¤Ê¤¯¤Ê¤Ã¤Æ¤¤¤Þ¤¹¡£¤³¤ì¤é¤Îµ¡Ç½¤ò»È"
+"¤¦¤è¤¦¤¢¤Ê¤¿¤¬ dynamicmaps.cf ¤Ë¹Ô¤Ã¤¿Êѹ¹¤Ï¤¹¤Ù¤Æ¡¢¤¢¤Ê¤¿¼«¿È¤Ç½¤Àµ¤¹¤ëɬÍ×"
+"¤¬¤¢¤ê¤Þ¤¹¡£ÄûÀµ¤Ë¼ºÇÔ¤¹¤ë¤È¡¢²õ¤ì¤¿¥á¡¼¥é¤Ë¤Ê¤Ã¤Æ¤·¤Þ¤¤¤Þ¤¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed? Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration. Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr ""
+"dynamicmaps.cf ¤ò¼«Æ°Åª¤ËÊѹ¹¤·¤Þ¤¹¤«? ¹¹¿·¤òÃæ»ß¤¹¤ë¤Ë¤Ï¤³¤ÎÁªÂò»è¤Ë¡Ö¤¤¤¤"
+"¤¨¡×¤È¤·¡¢¥ï¥¤¥ë¥É¥«¡¼¥É¤ª¤è¤Ó %s ³ÈÄ¥°Í¸¤ÎÀßÄê¤ò¤¢¤Ê¤¿¤¬½üµî¤·¤Þ¤¹¡£¤½¤Î¤è"
+"¤¦¤ÊÀßÄ꤬¤Ê¤¤¤Î¤Ç¤¢¤ì¤Ð¡¢¤³¤ÎÁªÂò»è¤Ç¡Ö¤Ï¤¤¡×¤ÈÅú¤¨¤ì¤Ð¡¢¼«Æ°Åª¤Ë "
+"dynamicmaps.cf ¤Ï Postfix 2.0.2 ¤È¤³¤ÎÅÀ¤Ç¸ß´¹À¤ò»ý¤Ä¤è¤¦¤Ë¤Ê¤ê¤Þ¤¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr ""
+"Postfix ¥Ð¡¼¥¸¥ç¥ó 2.1 °Ê¹ß¤Ç¤Ï¡¢master.cf ¤Ë¿·¤·¤¤¥µ¡¼¥Ó¥¹¤¬É¬ÍפǤ¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid ""
+"Should this configuration be automatically added to master.cf? Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself. Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr ""
+"¤³¤ÎÀßÄê¤ò¼«Æ°Åª¤Ë master.cf ¤ËÄɲä·¤Þ¤¹¤«? ¹¹¿·¤òÃæ»ß¤¹¤ë¤Ë¤Ï¤³¤ÎÁªÂò»è¤Ë"
+"¡Ö¤¤¤¤¤¨¡×¤È¤·¡¢¤³¤ÎÀßÄê¤ò¤¢¤Ê¤¿¼«¿È¤ÇÄɲä·¤Þ¤¹¡£¤³¤ÎÁªÂò»è¤Ç¡Ö¤Ï¤¤¡×¤ÈÅú¤¨"
+"¤ì¤Ð¡¢¼«Æ°Åª¤Ë master.cf ¤Ï Postfix 2.1 ¤È¤³¤ÎÅÀ¤Ç¸ß´¹À¤ò»ý¤Ä¤è¤¦¤Ë¤Ê¤ê¤Þ"
+"¤¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr "¹¹¿·¤Î¤¿¤á¤Ë master.cf ¤òÄûÀµ¤·¤Þ¤¹¤«?"
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr ""
+"Postfix ¥Ð¡¼¥¸¥ç¥ó 2.1 ¤Ç¤Ï¡¢\"nqmgr\" ¤«¤é \"qmgr\" ¤Ë̾Á°¤¬ÊѤï¤Ã¤Æ¤¤¤Þ¤¹"
+"¤¬¡¢¤¢¤Ê¤¿¤Ï \"nqmgr\" ¤ò»È¤Ã¤Æ¤¤¤Þ¤¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Failure to fix this will result in a broken mailer. Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself. Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr ""
+"¤³¤ì¤ò½¤Àµ¤¹¤ë¤Î¤Ë¼ºÇÔ¤¹¤ë¤È¡¢²õ¤ì¤¿¥á¡¼¥é¤È¤Ê¤Ã¤Æ¤·¤Þ¤¤¤Þ¤¹¡£¹¹¿·¤òÃæ»ß¤¹¤ë"
+"¤Ë¤Ï¤³¤ÎÁªÂò»è¤Ë¡Ö¤¤¤¤¤¨¡×¤È¤·¡¢¤³¤ÎÀßÄê¤ò¤¢¤Ê¤¿¼«¿È¤ÇÄɲä·¤Þ¤¹¡£¤³¤ÎÁªÂò»è"
+"¤Ç¡Ö¤Ï¤¤¡×¤ÈÅú¤¨¤ì¤Ð¡¢¼«Æ°Åª¤Ë master.cf ¤Ï Postfix 2.1 ¤È¤³¤ÎÅÀ¤Ç¸ß´¹À¤ò»ý"
+"¤Ä¤è¤¦¤Ë¤Ê¤ê¤Þ¤¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr "Postfix ¤Î¥Ï¥Ã¥·¥å¤È btree ¥Þ¥Ã¥×¤ò¹¹¿·¤·¤Þ¤¹¤«?"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr "Postfix ¤Ï db4 ¤ËÀÚ¤êÂØ¤ï¤Ã¤Æ¤ª¤ê¡¢¥Þ¥Ã¥×¤Î¹¹¿·¤¬É¬ÍפǤ¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr "¼«Æ°Å¾´¹¤ò»î¤ß¤Þ¤¹¤«?"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr "transport ¥Þ¥Ã¥×¤¬Èó¸ß´¹¤Ç¤¹"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used. Postfix will not be restarted automatically."
+msgstr ""
+"transport ¥Þ¥Ã¥×¤òÄêµÁ¤·¤Æ¤¤¤Þ¤¹¤¬¡¢¤É¤Î¤è¤¦¤Ë transport ¥Þ¥Ã¥×¤¬»È¤ï¤ì¤ë¤«¤Ë"
+"¤Ä¤¤¤Æ¤ÎÈó¸ß´¹¤ÎÊѹ¹¤¬¤¢¤ê¤Þ¤¹¡£Postfix ¤Ï¼«Æ°Åª¤Ë¤ÏºÆµ¯Æ°¤µ¤ì¤Þ¤»¤ó¡£"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"Transport map entries override $mydestination. If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination. See the html/faq.html sections for firewalls and "
+"intranets. If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr ""
+"transport ¥Þ¥Ã¥×¤Î¥¨¥ó¥È¥ê¤Ï $mydestination ¤ËÍ¥À褷¤Þ¤¹¡£transport ¥Þ¥Ã¥×¤ò"
+"»È¤¦¾ì¹ç¡¢¾ï¤Ë $mydesination ¤Ë¤¢¤ë¤¹¤Ù¤Æ¤Î¥É¥á¥¤¥ó̾¤ËÂФ¹¤ëÌÀ³Î¤Ê¥¨¥ó¥È¥ê¤ò"
+"»ý¤Ä¤Û¤¦¤¬ÌµÆñ¤Ç¤¹¡£html/faq.html ¤Î¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤È¥¤¥ó¥È¥é¥Í¥Ã¥È¤Ë´Ø¤¹¤ë"
+"¥»¥¯¥·¥ç¥ó¤ò»²¾È¤·¤Æ¤¯¤À¤µ¤¤¡£¥í¡¼¥«¥ë¤ËÇÛÁ÷¤µ¤ì¤ë¤¹¤Ù¤Æ¤Î¿Æ¥É¥á¥¤¥ó¤Ë¤Ä¤¤¤Æ"
+"¤Î transport ¥¨¥ó¥È¥ê¤¬¤¢¤ë¾ì¹ç¡¢Postfix ¤òºÆµ¯Æ°¤¹¤ëÁ°¤Ë¤ª¤½¤é¤¯°¸Àè¥É¥á¥¤¥ó"
+"¤Ø¤Î¸ÇͤΥ¨¥ó¥È¥ê¤òÄɲ乤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr "¸í¤Ã¤¿¥¨¥ó¥È¥ê¤Ç¤¹¡£ºÆ»î¹Ô¤·¤Þ¤¹¤«?"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr "¤¢¤Ê¤¿¤ÎÆþÎϤ·¤¿Ê¸»úÎó"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr "RFC 1035 ¤Ë½¾¤Ã¤Æ¤¤¤Ê¤¤¤«¡¢Í¸ú¤Ê IP ¥¢¥É¥ì¥¹¤¬¸«Åö¤¿¤ê¤Þ¤»¤ó¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr ""
+"RFC 1035 ¤Ç¤Ï¡Ö³ÆÍ×ÁǤϱѻú¥¢¥ë¥Õ¥¡¥Ù¥Ã¥È¤Þ¤¿¤Ï¿ô»ú¤Ç³«»Ï¤ª¤è¤Ó½ªÎ»¤·¡¢¤½¤ÎÃæ"
+"¤Ï±Ñ»ú¥¢¥ë¥Õ¥¡¥Ù¥Ã¥È¤È¿ô»ú¡¢¥Ï¥¤¥Õ¥ó¤À¤±¤ò´Þ¤à¡£Í×ÁǤϥԥꥪ¥É (.) ¤Ç¶èÀÚ¤é¤ì"
+"¤Æ¤¤¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£¡×¤È½Ò¤Ù¤Æ¤¤¤Þ¤¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr "¤½¤ì¤Ç¤â¤³¤ì¤òÊÝ»ý¤·¤Þ¤¹¤«?"
+
+#. Type: select
+#. Choices
+#: ../templates:75
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only"
+msgstr ""
+"ÀßÄꤷ¤Ê¤¤, ¥¤¥ó¥¿¡¼¥Í¥Ã¥È¥µ¥¤¥È, ¥¹¥Þ¡¼¥È¥Û¥¹¥ÈÉÕ¤¥¤¥ó¥¿¡¼¥Í¥Ã¥È, ¥µ¥Æ¥é¥¤"
+"¥È¥·¥¹¥Æ¥à, ¥í¡¼¥«¥ë¤Î¤ß"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr "ÀßÄê¤Î°ìÈÌŪ¤Ê¥¿¥¤¥×¤Ï¤É¤ì¤Ç¤¹¤«?"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point. If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later. You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr ""
+"¤³¤³¤Ç¡¢°ìÈÌŪ¤ÊÀßÄê¤Î¤¤¤¯¤Ä¤«¤ÎÁªÂò»è¤¬¤¢¤ê¤Þ¤¹¡£debconf ¤ÎÍ¥ÀèÅÙ¤ò 'Äã' ¤Þ"
+"¤¿¤Ï 'ɸ½à' ¤ËÀßÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Ï¡¢¤è¤ê¿¤¯¤Î¼ÁÌä¤ò¤¢¤È¤Ç¿Ò¤Í¤é¤ì¤Þ¤¹¡£¤³¤ì"
+"¤é¤Î¼ÁÌä¤òºÆ¤Ó¸«¤¿¤±¤ì¤Ð¡¢\"dpkg-reconfigure --priority=low postfix\" ¤ò¤¢¤È"
+"¤Ç¤¤¤Ä¤Ç¤â¼Â¹Ô¤Ç¤¤Þ¤¹¡£"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION. No configuration changes will be done now: If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix. main.cf will not be modified by the "
+"Postfix install process."
+msgstr ""
+"ÀßÄꤷ¤Ê¤¤ - *¤¢¤Ê¤¿¤ÎÀßÄê¤ò¤½¤Î¤Þ¤Þ¤Ë¤·¤Æ¤ª¤¤¿¤¤¤Î¤Ç¤¢¤ì¤Ð¡¢¤³¤Î¥ª¥×¥·¥ç¥ó"
+"¤òÁªÂò¤·¤Æ¤¯¤À¤µ¤¤¡£* ÀßÄêÊѹ¹¤ò²¿¤â¹Ô¤¤¤Þ¤»¤ó¡£Postfix ¤òÀßÄêºÑ¤ß¤Ç¤Ê¤¤¾ì¹ç"
+"¤Ë¤Ï¡¢¥á¡¼¥ë¥·¥¹¥Æ¥à¤ÏÉÔ´°Á´¤Ç¡¢ÍøÍѤǤ¤Ê¤¤¤Ç¤·¤ç¤¦¡£/usr/share/postfix/"
+"main.cf.dist ¤òÊÔ½¸¤·¡¢etc/postfix/main.cf ¤È¤·¤ÆÊѹ¹¤òÊݸ¤¹¤ë¡¢¤È¤¤¤¦ÀßÄê¤ò"
+"¤¢¤Ê¤¿¼«¿È¤Ç¹Ô¤¦¤«¡¢¤¢¤ë¤¤¤Ï dpkg-reconfigure Postfix ¤ò¼Â¹Ô¤¹¤ëɬÍפ¬¤¢¤ê¤Þ"
+"¤¹¡£main.cf ¤Ï Postfix ¤Î¥¤¥ó¥¹¥È¡¼¥ë¼ê½ç¤Ç¤ÏÊѹ¹¤µ¤ì¤Þ¤»¤ó¡£"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr ""
+"¥¤¥ó¥¿¡¼¥Í¥Ã¥È¥µ¥¤¥È - ¥á¡¼¥ë¤Ï SMTP ¤ò»È¤Ã¤ÆÄ¾ÀÜÁ÷¼õ¿®¤µ¤ì¤Þ¤¹¡£¤¤¤º¤ì¤Î¥«¥Æ"
+"¥´¥ê¤â¤¢¤Ê¤¿¤Î¥Ë¡¼¥º¤Ë¤Ô¤Ã¤¿¤ê¤È¤ÏÅö¤Æ¤Ï¤Þ¤é¤Ê¤¤¾ì¹ç¤Ë¤Ï¡¢¤ª¤½¤é¤¯¤³¤ì¤òÁª¤ó"
+"¤Ç³«»Ï¤·¡¢¤½¤ì¤«¤é¼ê¤ÇÀßÄê¥Õ¥¡¥¤¥ë¤òÊÔ½¸¤¹¤ë¤Î¤¬¤è¤¤¤Ç¤·¤ç¤¦¡£"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr ""
+"¥¹¥Þ¡¼¥È¥Û¥¹¥ÈÉÕ¤¥¤¥ó¥¿¡¼¥Í¥Ã¥È¥µ¥¤¥È - SMTP ¤ÇľÀÜ¡¢¤Þ¤¿¤Ï fetchmail ¤Î¤è¤¦"
+"¤Ê¥æ¡¼¥Æ¥£¥ê¥Æ¥£¤ò¼Â¹Ô¤·¤Æ¡¢¤³¤Î¥Þ¥·¥ó¤Ç¥¤¥ó¥¿¡¼¥Í¥Ã¥È¥á¡¼¥ë¤ò¼õ¿®¤·¤Þ¤¹¡£³°"
+"¤ËÁ÷¤é¤ì¤ë¥á¡¼¥ë¤Ï¡¢¥¹¥Þ¡¼¥È¥Û¥¹¥È¤ò»È¤Ã¤Æ¡¢Ç¤°Õ¤Î¥¢¥É¥ì¥¹¤Ë½ñ¤´¹¤¨¤é¤ì¤ÆÁ÷"
+"¿®¤µ¤ì¤Þ¤¹¡£¤³¤ì¤Ï¤ª¤½¤é¤¯¥À¥¤¥¢¥ë¥¢¥Ã¥×¥·¥¹¥Æ¥à¤Ç˾¤Þ¤ì¤ë¤â¤Î¤Ç¤¹¡£"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr ""
+"¥µ¥Æ¥é¥¤¥È¥·¥¹¥Æ¥à - ¤¹¤Ù¤Æ¤Î¥á¡¼¥ë¤ÏÇÛ¿®ÍѤΡ֥¹¥Þ¡¼¥È¥Û¥¹¥È¡×¤È¸Æ¤Ð¤ì¤ëÊ̤Î"
+"¥Þ¥·¥ó¤ËÁ÷¤é¤ì¤Þ¤¹¡£root ¤È postmaster ¤Î¥á¡¼¥ë¤Ï /etc/aliases ¤Ë½¾¤Ã¤ÆÇÛ¿®¤µ"
+"¤ì¤Þ¤¹¡£¥í¡¼¥«¥ë¤Ç¤Ï¥á¡¼¥ë¤ò¼õ¿®¤·¤Þ¤»¤ó¡£"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network. Mail for local users is "
+"delivered."
+msgstr ""
+"¥í¡¼¥«¥ëÇÛ¿®¤Î¤ß - ¤¢¤Ê¤¿¤Ï¥Í¥Ã¥È¥ï¡¼¥¯¤ËÀܳ¤·¤Æ¤¤¤Þ¤»¤ó¡£¥í¡¼¥«¥ë¥æ¡¼¥¶¸þ¤±"
+"¤Î¥á¡¼¥ë¤¬ÇÛ¿®¤µ¤ì¤Þ¤¹¡£"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "WARNING: Postfix not configured"
+msgstr "·Ù¹ð: Postfix ¤¬ÀßÄꤵ¤ì¤Æ¤¤¤Þ¤»¤ó"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default. Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr ""
+"¤¢¤Ê¤¿¤Ï¡ÖÀßÄꤷ¤Ê¤¤¡×¤òÁª¤Ó¤Þ¤·¤¿ - Postfix ¤Ï¥Ç¥Õ¥©¥ë¥È¤Ç¤ÏÀßÄꤵ¤ì¤Æ¤ª¤é"
+"¤º¡¢³«»Ï¤â¤·¤Þ¤»¤ó¡£¸åÆü 'dpkg-reconfigure postfix' ¤ò¼Â¹Ô¤¹¤ë¤«¡¢¼¡¤Î¤È¤ª¤ê"
+"¤¢¤Ê¤¿¼«¿È¤ÇÊѹ¹¤·¤Æ¤¯¤À¤µ¤¤:"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr "1) /etc/postfix/main.cf ¤ò¹¥¤¤Ê¤è¤¦¤ËÊÔ½¸¤¹¤ë"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "2) Running /etc/init.d/postfix start"
+msgstr "2) /etc/init.d/postfix start ¤ò¼Â¹Ô¤¹¤ë"
+
+#. Type: string
+#. Default
+#: ../templates:120
+msgid "/etc/mailname"
+msgstr "/etc/mailname"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid "Mail name?"
+msgstr "¥á¡¼¥ë̾¤Ï?"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr ""
+"`¥á¡¼¥ë̾' ¤Ï¡¢Á÷½Ð¤µ¤ì¤ë¥Ë¥å¡¼¥¹¤ª¤è¤Ó¥á¡¼¥ë¤Î¥á¥Ã¥»¡¼¥¸ (¥æ¡¼¥¶Ì¾¤È @ µ¹æ"
+"¤Î¤¢¤È¤ËÉÕ¤¯) ¤Çɽ¼¨¤µ¤ì¤ë¥¢¥É¥ì¥¹¤Î¥Û¥¹¥È̾Éôʬ¤Ç¤¹¡£"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+"¤³¤Î̾Á°¤Ï Postfix ¤À¤±¤Ç¤Ê¤¯¤Û¤«¤Î¥×¥í¥°¥é¥à¤Ë¤è¤Ã¤Æ¤â»È¤ï¤ì¤Þ¤¹¡£¤³¤ì¤Ï¡¢"
+"¥á¡¼¥ë¤¬¤½¤³¤«¤éÁ÷½Ð¤µ¤ì¤ë¤³¤È¤Ë¤Ê¤ëñ°ì¤Î´°Á´½¤¾þ¥É¥á¥¤¥ó̾ (FQDN) ¤Ë¤¹¤Ù¤"
+"¤Ç¤¹¡£"
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr ""
+"¥á¡¼¥ë¤ò¼õ¤±¼è¤ë¤Û¤«¤Î°¸Àè¤Ï¤¢¤ê¤Þ¤¹¤«? (¤Ê¤±¤ì¤Ð¶õ¤Î¤Þ¤Þ¤Ë¤·¤Æ¤ª¤¤Þ¤¹)"
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for. If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+"¤³¤Î¥Þ¥·¥ó¤¬ºÇ½ªÅª¤Ê°¸Àè¤È¸«¤Ê¤µ¤ì¤ë¥É¥á¥¤¥ó¤Î¥ê¥¹¥È¤ò¡¢¥³¥ó¥Þ¤Ç¶èÀڤäƻØÄê"
+"¤·¤Æ¤¯¤À¤µ¤¤¡£¤³¤ì¤¬¥á¡¼¥ë¥É¥á¥¤¥ó¤Î¥²¡¼¥È¥¦¥§¥¤¤Ç¤¢¤ë¤Ê¤é¡¢¤ª¤½¤é¤¯¥È¥Ã¥×¥ì"
+"¥Ù¥ë¥É¥á¥¤¥ó¤ò´Þ¤á¤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡£"
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid "SMTP relay host? (blank for none)"
+msgstr "SMTP ¥ê¥ì¡¼¥Û¥¹¥È¤Ï²¿¤Ç¤¹¤«? (¤Ê¤±¤ì¤Ð¶õ¤Î¤Þ¤Þ¤Ë¤·¤Æ¤ª¤¤Þ¤¹)"
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups. Leave this blank for no relay host."
+msgstr ""
+"¥É¥á¥¤¥ó¡¢¥Û¥¹¥È¡¢¥Û¥¹¥È:¥Ý¡¼¥È¡¢[¥¢¥É¥ì¥¹] ¤Þ¤¿¤Ï [¥¢¥É¥ì¥¹:¥Ý¡¼¥È] ¤ò»ØÄꤷ"
+"¤Æ¤¯¤À¤µ¤¤¡£MX õº÷¤ò¹Ô¤ï¤Ê¤¤¤è¤¦¤Ë¤¹¤ë¤Ë¤Ï [°¸Àè] ·Á¼°¤ò»È¤¤¤Þ¤¹¡£¥ê¥ì¡¼¥Û¥¹"
+"¥È¤¬¤Ê¤±¤ì¤Ð¤³¤³¤Ï¶õ¤Î¤Þ¤Þ¤Ë¤·¤Æ¤ª¤¤Þ¤¹¡£"
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+"¥ê¥ì¡¼¥Û¥¹¥È¥Ñ¥é¥á¡¼¥¿¤Ï¡¢¥ª¥×¥·¥ç¥ó¤Î transport(5) ¥Æ¡¼¥Ö¥ë¤ËŬ¹ç¤¹¤ë¥¨¥ó¥È"
+"¥ê¤¬¤Ê¤¤¤È¤¤Ë¥á¡¼¥ë¤òÁ÷¤ë¥Ç¥Õ¥©¥ë¥È¤Î¥Û¥¹¥È¤ò»ØÄꤷ¤Þ¤¹¡£¥ê¥ì¡¼¥Û¥¹¥È¤¬Í¿¤¨"
+"¤é¤ì¤Æ¤¤¤Ê¤¤¤È¤¤Ë¤Ï¡¢¥á¡¼¥ë¤ÏľÀܰ¸Àè¤ËȯÁ÷¤µ¤ì¤Þ¤¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Use procmail for local delivery?"
+msgstr "¥í¡¼¥«¥ëÇÛÁ÷¤Ë procmail ¤ò»È¤¤¤Þ¤¹¤«?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr "¥í¡¼¥«¥ë¥á¡¼¥ë¤ÎÇÛÁ÷¤Ë procmail ¤ò»È¤¤¤Þ¤¹¤«?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+"¥·¥¹¥Æ¥àÁ´ÂΤΠ¥á¡¼¥ëÇÛÁ÷¤Ë procmail ¤ò»È¤¦¾ì¹ç¡¢root¤Ø¤Î¥á¡¼¥ë¤ò¼Â¥æ¡¼¥¶¤Ëž"
+"Á÷¤¹¤ë¥¨¥¤¥ê¥¢¥¹¤ò¥»¥Ã¥È¥¢¥Ã¥×¤¹¤Ù¤¤³¤È¤ËÃí°Õ¤·¤Æ¤¯¤À¤µ¤¤¡£"
+
+#. Type: string
+#. Default
+#: ../templates:156
+msgid "+"
+msgstr "+"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "Local address extension character?"
+msgstr "¥í¡¼¥«¥ë¥¢¥É¥ì¥¹³Èĥʸ»ú¤ò²¿¤Ë¤·¤Þ¤¹¤«?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "What character defines a local address extension?"
+msgstr "¥í¡¼¥«¥ë¥¢¥É¥ì¥¹³ÈÄ¥¤òÄêµÁ¤¹¤ëʸ»ú¤Ï²¿¤Ç¤¹¤«?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "To not use address extensions, leave the string blank."
+msgstr "¥¢¥É¥ì¥¹³ÈÄ¥¤ò»È¤ï¤Ê¤¤¤Î¤Ç¤¢¤ì¤Ð¡¢¤³¤Îʸ»úÎó¤ò¶õ¤Ë¤·¤Æ¤¯¤À¤µ¤¤¡£"
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "Bad recipient delimiter"
+msgstr "¸í¤Ã¤¿¼õ¿®¼Ô¶èÀÚ¤êʸ»ú¤Ç¤¹"
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters. Please try again."
+msgstr ""
+"¼õ¿®¼Ô¶èÀÚ¤êʸ»ú¤Ïñ°ì¤Îʸ»ú¤Ç¤¹¤¬¡¢Â¿¤¹¤®¤ëʸ»ú·²¤¬ÆþÎϤµ¤ì¤Æ¤¤¤Þ¤¹¡£ºÆ»î¹Ô"
+"¤·¤Æ¤¯¤À¤µ¤¤¡£"
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "\"${enteredstring}\""
+msgstr "\"${enteredstring}\""
+
+#. Type: boolean
+#. Default
+#: ../templates:172
+msgid "false"
+msgstr "false"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "Force synchronous updates on mail queue?"
+msgstr "¥á¡¼¥ë¥¥å¡¼¤ÎƱ´ü¹¹¿·¤ò¶¯À©¤·¤Þ¤¹¤«?"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a remote chance of losing some mail if the system "
+"crashes at an inopportune time, and you are not using a journaled filesystem "
+"(such as ext3)."
+msgstr ""
+"Ʊ´ü¹¹¿·¤ò¶¯À©¤¹¤ë¤È¡¢¥á¡¼¥ë¤Î½èÍý¤¬¼ã´³ÃÙ¤¯¤Ê¤ê¤Þ¤¹¡£¶¯À©¤·¤Ê¤¤¾ì¹ç¤Ï¡¢"
+"¥¸¥ã¡¼¥Ê¥ê¥ó¥°¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à (ext3 ¤Ê¤É) ¤ò»È¤Ã¤Æ¤¤¤Ê¤¤¾õÂ֤ǥ·¥¹¥Æ¥à¤¬±¿°"
+"¤¯¥¯¥é¥Ã¥·¥å¤·¤¿¤È¤¤Ë¡¢¥ê¥â¡¼¥È¤«¤é¤Î¤¯¤Ä¤«¤Î¥á¡¼¥ë¤¬¼º¤ï¤ì¤ë²ÄǽÀ¤¬¤¢¤ê¤Þ"
+"¤¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "The default is \"off\"."
+msgstr "¥Ç¥Õ¥©¥ë¥È¤Ï \"off\" ¤Ç¤¹¡£"
+
+#. Type: string
+#. Default
+#: ../templates:183
+msgid "127.0.0.0/8"
+msgstr "127.0.0.0/8"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid "Local networks?"
+msgstr "¥í¡¼¥«¥ë¥Í¥Ã¥È¥ï¡¼¥¯¤Ï²¿¤Ç¤¹¤«?"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"For what network blocks should this machine relay mail? The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr ""
+"¤³¤Î¥Þ¥·¥ó¤¬¥á¡¼¥ë¤ò¥ê¥ì¡¼¤¹¤Ù¤¥Í¥Ã¥È¥ï¡¼¥¯¥Ö¥í¥Ã¥¯¤Ï²¿¤Ç¤¹¤«? ¥Ç¥Õ¥©¥ë¥È¤Ç"
+"¤Ï¡¢¤¤¤¯¤Ä¤«¤Î¥á¡¼¥ë¥æ¡¼¥¶¥¨¡¼¥¸¥§¥ó¥È¤Ë¤è¤Ã¤ÆÉ¬ÍפȤµ¤ì¤ë¥í¡¼¥«¥ë¥Û¥¹¥È¤À¤±"
+"¤Ç¤¹¡£"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+"¤³¤ì¤Ï¥Þ¥·¥ó¥Ö¥í¥Ã¥¯¸þ¤±¤Î¥¹¥Þ¡¼¥È¥Û¥¹¥È¤Ê¤Î¤Ç¡¢¥Í¥Ã¥È¥ï¡¼¥¯¥Ö¥í¥Ã¥¯¤ò¤³¤³¤Ç"
+"»ØÄꤹ¤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡£¤µ¤â¤Ê¤±¤ì¤Ð¡¢¥á¡¼¥ë¤Ï¥ê¥ì¡¼¤µ¤ì¤º¡¢µñÈݤµ¤ì¤Þ¤¹¡£"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+"postfix ¤Î¥Ç¥Õ¥©¥ë¥È (Àܳ¤µ¤ì¤Æ¤¤¤ë¥Í¥Ã¥È¥ï¡¼¥¯¤Ë´ð¤Å¤¯) ¤ò»È¤¦¤Ë¤Ï¡¢¶õ¤Îʸ"
+"»úÎó¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£"
+
+#. Type: string
+#. Default
+#: ../templates:196
+msgid "0"
+msgstr "0"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid "Mailbox size limit"
+msgstr "¥á¡¼¥ë¥Ü¥Ã¥¯¥¹¤Î¥µ¥¤¥º¤ÎÀ©¸Â"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors. A value of zero (0) means no limit. (The upstream default is "
+"51200000.)"
+msgstr ""
+"¼ê¤ËÉ館¤Ê¤¤¥½¥Õ¥È¥¦¥§¥¢¥¨¥é¡¼¤òËɤ°¤¿¤á¤Ë¡¢¥á¡¼¥ë¥Ü¥Ã¥¯¥¹¥Õ¥¡¥¤¥ë¤Î¾å¸Â¤òÀß"
+"Äê¤Ç¤¤Þ¤¹¡£¥¼¥í (0) ¤È¤¤¤¦ÃͤÏÀ©¸Â¤·¤Ê¤¤¤³¤È¤ò°ÕÌ£¤·¤Þ¤¹¡£(upstream ¤Î¥Ç¥Õ¥©"
+"¥ë¥È¤Ï 51200000 ¤Ç¤¹¡£)"
+
+#. Type: string
+#. Default
+#: ../templates:204
+msgid "NONE"
+msgstr "NONE"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid "Where should mail for root go"
+msgstr "root ¤Ø¤Î¥á¡¼¥ë¤ò¤É¤³¤ËÁ÷¤ê¤Þ¤¹¤«?"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody. This is by design: mail is not delivered to external delivery "
+"agents as root."
+msgstr ""
+"¥æ¡¼¥¶ root (¤¢¤ë¤¤¤Ï uid 0 ¤ò»ý¤Ä¤½¤Î¾¤Î¥æ¡¼¥¶) ¤Ï¥¨¥¤¥ê¥¢¥¹¤ò·Ðͳ¤·¤Æ¥á¡¼"
+"¥ë¤ò¥ê¥À¥¤¥ì¥¯¥È¤¹¤ë¤«¡¢¤½¤ì¤é¤Î¥á¡¼¥ë¤ò /var/mail/nobody ¤ËÇÛ¿®¤·¤Þ¤¹¡£¤³¤ì"
+"¤Ï»ÅÍͤǤ¹: ¥á¡¼¥ë¤Ï³°Éô¤ÎÇÛÁ÷¥¨¡¼¥¸¥§¥ó¥È¤Ë root ¤È¤·¤ÆÇÛ¿®¤µ¤ì¤ë¤³¤È¤Ï¤¢¤ê"
+"¤Þ¤»¤ó¡£"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry. (I will only add it if I am creating a new /etc/aliases.)"
+msgstr ""
+"´û¸¤Î /etc/aliases ¥Õ¥¡¥¤¥ë¤¬¤¢¤ë¾ì¹ç¤Ï¡¢¤³¤Î¥¨¥ó¥È¥ê¤òÄɲ乤ëɬÍפ¬¤¢¤ë¤«"
+"¤â¤·¤ì¤Þ¤»¤ó (¿·¤·¤¤ /etc/aliases ¤òºîÀ®¤¹¤ë¤È¤¤Î¤ß¤³¤ì¤ÏÄɲ䵤ì¤Þ¤¹)¡£"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"What address should I add to /etc/aliases, if I create the file? (Enter "
+"NONE to not add one.)"
+msgstr ""
+"¥Õ¥¡¥¤¥ë¤òºîÀ®¤¹¤ë¾ì¹ç¡¢/etc/aliases ¤ËÄɲ乤륢¥É¥ì¥¹¤Ï²¿¤Ç¤¹¤«? (Äɲä·¤Ê"
+"¤¤¾ì¹ç¤Ë¤Ï NONE ¤ÈÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£)"
+
+#~ msgid ""
+#~ "HP - Configuration used inside of HP. This just hardcodes several "
+#~ "configuration parameters based on the final components of the hostname, "
+#~ "but looks largely like 'Internet site using smarthost'. This option will "
+#~ "modify /etc/postfix/transport and install it as a transport map."
+#~ msgstr ""
+#~ "HP - HP ¤ÎÆâÉô¤Ç»È¤ï¤ì¤Æ¤¤¤ëÀßÄê¡£¤³¤ì¤Ïñ¤Ë¥Û¥¹¥È̾¤ÎºÇ¸å¤ÎÍ×ÁǤ˴𤤤Ƥ¤"
+#~ "¤¯¤Ä¤«¤ÎÀßÄê¥Ñ¥é¥á¡¼¥¿¤ò¥Ï¡¼¥É¥³¡¼¥É¤¹¤ë¤â¤Î¤Ç¡¢ÂçÉôʬ¤Ï¡Ö¥¹¥Þ¡¼¥È¥Û¥¹¥ÈÉÕ"
+#~ "¤¥¤¥ó¥¿¡¼¥Í¥Ã¥È¥µ¥¤¥È¡×¤Ë»÷¤Æ¤¤¤Þ¤¹¡£¤³¤ÎÁªÂò»è¤Ï /etc/postfix/transport "
+#~ "¤òÊѹ¹¤·¡¢transport ¥Þ¥Ã¥×¤È¤·¤Æ¤½¤ì¤ò¥¤¥ó¥¹¥È¡¼¥ë¤·¤Þ¤¹¡£"
+
+#~ msgid "The default is \"off\", see the changelog for an explanation."
+#~ msgstr ""
+#~ "¥Ç¥Õ¥©¥ë¥È¤Ï \"off\" ¤Ç¤¹¡£¾ÜºÙ¤Ë¤Ä¤¤¤Æ¤Ï changelog ¤ò»²¾È¤·¤Æ¤¯¤À¤µ¤¤¡£"
+
+#~ msgid "Append .domain to simple addresses"
+#~ msgstr "´Ê°×¥¢¥É¥ì¥¹¤Ë¡Ö.¥É¥á¥¤¥ó¡×¤òÄɲÃ"
+
+#~ msgid ""
+#~ "When Postfix sees an address with only one component in the hostname, "
+#~ "should it append .$mydomain? Appending .$mydomain means that you don't "
+#~ "need to qualify destinations in your own domain, but breaks mail bound "
+#~ "for users at top-level domain addresses. (yes, there are some of these.)"
+#~ msgstr ""
+#~ "Postfix ¤¬¥Û¥¹¥È̾¤Î 1 ¤Ä¤ÎÍ×ÁǤ·¤«¥¢¥É¥ì¥¹¤Ë¤Ê¤¤¤È²ò¼á¤·¤¿¤È¤¤Ë¡¢."
+#~ "$mydomain ¤ò¤½¤ì¤ËÄɲä·¤Þ¤¹¤«? .$mydomain ¤òÄɲ乤ë¤È¡¢¤¢¤Ê¤¿¼«¿È¤Î¥É¥á"
+#~ "¥¤¥ó¤Ø¤Î°¸Àè¤ò½¤¾þ¤¹¤ëɬÍפϤʤ¯¤Ê¤ë¤â¤Î¤Î¡¢¥È¥Ã¥×¥ì¥Ù¥ë¥É¥á¥¤¥ó¥¢¥É¥ì¥¹¤Î"
+#~ "¥æ¡¼¥¶¤Ø¤Î¥á¡¼¥ë¥Ð¥¦¥ó¥É¤¬»È¤¨¤Ê¤¯¤Ê¤ë¤³¤È¤Ë¤Ê¤ê¤Þ¤¹ (½¤¾þ¤µ¤ì¤¿¤â¤Î¤Ï¥È¥Ã"
+#~ "¥×¥ì¥Ù¥ë¥É¥á¥¤¥ó¤ÎÃæ¤Î¤â¤Î¤Ê¤Î¤Ç)¡£"
+
+#~ msgid ""
+#~ "If you are forwarding mail out of your organization, you should almost "
+#~ "certainly not append .$mydomain. If you're the only user of mail on your "
+#~ "system, choose whichever is more convenient for you."
+#~ msgstr ""
+#~ "¤¢¤Ê¤¿¤ÎÁÈ¿¥¤Î³°¤Ë¥á¡¼¥ë¤òžÁ÷¤·¤Æ¤¤¤ë¤Î¤Ç¤¢¤ì¤Ð¡¢¤Û¤Ü³Î¼Â¤Ë .$mydomain ¤Ï"
+#~ "ÉÕ¤±¤Ê¤¤¤Û¤¦¤¬¤è¤¤¤Ç¤·¤ç¤¦¡£¤¢¤Ê¤¿¤¬¥·¥¹¥Æ¥à¤ÎÍ£°ì¤Î¥á¡¼¥ë¥æ¡¼¥¶¤Ç¤¢¤ë¤Ê"
+#~ "¤é¡¢¤¢¤Ê¤¿¤Ë¤È¤Ã¤ÆÊØÍø¤À¤È»×¤ï¤ì¤ë¤Û¤¦¤ò¤¤¤º¤ì¤«Áª¤Ù¤Ð¤è¤¤¤Ç¤·¤ç¤¦¡£"
Added: trunk/kolab-postfix/debian/po/nl.po
===================================================================
--- trunk/kolab-postfix/debian/po/nl.po 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/po/nl.po 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,689 @@
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: postfix\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-10-30 21:06-0600\n"
+"PO-Revision-Date: 2004-07-04 15:58-0500\n"
+"Last-Translator: Bart Cornelis <cobaco at linux.be>\n"
+"Language-Team: dutch <debian-l10n-dutch at lists.debian.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=iso-8859-1\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+# Description
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr "dynamicmaps.cf verbeteren voor de actualisering?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion. Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you. Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+"Versie 2.0.2 en later van Postfix vereisen aanpassingen in dynamicmaps.cf. "
+"Meer precies: de ondersteuning voor jokertekens, en daarmee ook de %s-"
+"uitbreiding is niet meer. Alle door u gemaakte aanpassingen in dynamicmaps."
+"cf die hiervan gebruik maakten dient u te verbeteren. Dit nalaten resulteert "
+"in een niet-werkend postsysteem."
+
+# Description
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed? Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration. Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr ""
+"Wilt u dynamicmaps.cf automatisch aanpassen? Sla dit af om de actualisering "
+"af te breken, waardoor u de mogelijkheid krijgt om de jokerteken- en %s-"
+"uitbreiding-afhankelijke configuratie te verwijderen. Aanvaard deze optie, "
+"indien u dit niet in uw configuratie gebruikt, en maak dynamicmaps.cf "
+"automatisch compatibel met Postfix 2.0.2."
+
+# Description
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr "Versie 2.1 en later van Postfix vereisen nieuwe services in master.cf."
+
+# Description
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid ""
+"Should this configuration be automatically added to master.cf? Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself. Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr ""
+"Wilt u deze configuratie automatisch toevoegen in master.cf? Sla dit af om "
+"de actualisering af te breken, waardoor u de mogelijkheid heeft om dit zelf "
+"te doen. Aanvaard dit voorstel om master.cf in dit opzicht automatisch "
+"compatibel te maken met Postfix 2.1 "
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr "master.cf verbeteren voor de aktualisering?"
+
+# Description
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr ""
+"In Postfix versie 2.1 is 'nqmgr' hernoemd naar 'qmgr'; u maakt echter "
+"gebruikt van 'ngmgr'."
+
+# Description
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Failure to fix this will result in a broken mailer. Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself. Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr ""
+"Dit nalaten resulteert in een niet-werkend postsysteem. Sla dit af om de "
+"actualisering af te breken, waardoor u de mogelijkheid heeft om dit zelf te "
+"doen. Aanvaard dit voorstel om master.cf in dit opzicht automatisch "
+"compatibel te maken met Postfix 2.1."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr "Dient Postfix de hash en btree toewijzingen te actualiseren?"
+
+# Description
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr ""
+"Postfix is overgeschakeld naar db4, hierdoor kan het nodig zijn om "
+"toewijzigingen te aktualiseren."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr "Wilt u de automatische conversie proberen?"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr "Overzetkaart incompatibiliteit"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used. Postfix will not be restarted automatically."
+msgstr ""
+"U heeft een overzetrelaties gedefiniëerd; er is echter een incompatibele "
+"verandering in het gebruik van overzetrelaties. Postfix zal niet automatisch "
+"herstart worden."
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"Transport map entries override $mydestination. If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination. See the html/faq.html sections for firewalls and "
+"intranets. If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr ""
+"$mydestination wordt overstegen door overzetrelatieingangen. Bij gebruik van "
+"overzetrelaties is het best om altijd expliciete ingangen voor alle "
+"domeinnamen in $mydestination te gebruiken. Zie in html/faq.html de secties "
+"bereffende firewalls en intranetten. Indien u overzetingangen heeft voor "
+"ouderdomeinen van al wat lokaal afgeleverd wordt, kunt u best specifieke "
+"ingangen voor alle bestemmingsdomeinen toevoegen alvorens u Postfix herstart."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr "Slechte invoer, opnieuw proberen?"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr "De ingevoerde string"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr "voldoet niet aan RFC 1035, en lijkt geen geldig IP-adres te zijn."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr ""
+"RFC 1035 stelt dat \"Elk onderdeel dient te starten met een alphanumeriek "
+"karakter, en mag slechts alphanumerieke karakters en koppeltekens bevatten. "
+"Onderdelen dienen van elkaar gescheiden te worden met punten.\"."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr "Wilt u dit toch behouden?"
+
+#. Type: select
+#. Choices
+#: ../templates:75
+#, fuzzy
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only"
+msgstr ""
+"Geen configuratie, Internet site, Internet site die gebruik maakt van "
+"smarthost, Satelliet systeem, Enkel lokale aflevering, HP"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr "Welk type algemene configuratie?"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point. If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later. You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr ""
+"U heeft verschillende mogelijkheden voor de algemene configuratie. Indien uw "
+"debconf prioriteit ingesteld is op 'laag' of 'medium' zullen u later meer "
+"vragen gesteld worden. U kunt later ook altijd nog \"dpkg-reconfigure --"
+"priority=low postfix\" uitvoeren indien u deze vragen (opnieuw) wilt "
+"beantwoorden."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION. No configuration changes will be done now: If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix. main.cf will not be modified by the "
+"Postfix install process."
+msgstr ""
+"Geen configuratie - KIES DEZE OPTIE INDIEN DEBCONF UW CONFIGURATIE MET RUST "
+"MOET LATEN. De configuratie wordt niet aangepast: als u postfix nog niet "
+"geconfigureerd hebt zal uw postsysteem niet werken. U dient de configuratie "
+"zelf te doen door het bestand /usr/share/postfix/main.cf.dist aan te passen, "
+"en de gewijzigde versie op te slaan als /etc/postfix/main.cf, of door \"dpkg-"
+"reconfigure postfix\" uit te voeren. main.cf wordt niet aangepast door het "
+"postfix installatieproces."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr ""
+"Internet site - post wordt rechtstreeks via SMTP verzonden en ontvangen. "
+"Indien uw wensen niet netjes in een van de mogelijkheden passen, kunt u best "
+"van deze optie starten, en het configuratiebestand vervolgens handmatig "
+"aanpassen."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr ""
+"Internet site die gebruik maakt van smarthost - U ontvangt berichten op deze "
+"machine ofwel rechtstreeks via SMTP, ofwel door middel van een hulpprogramma "
+"zoals fetchmail. Uitgaande post wordt verzonden via een smarthost, en "
+"mogelijks met aangepaste adressen. Op inbellende systemen is dit de normale "
+"keuze."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr ""
+"Satellietsysteem - alle post wordt verzonden naar een andere machine, een "
+"zogenaamde \"smart host\" voor aflevering. De post voor root en postmaster "
+"wordt afgeleverd zoals aangegeven in /etc/aliases. Er wordt lokaal geen post "
+"ontvangen."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network. Mail for local users is "
+"delivered."
+msgstr ""
+"Enkel lokale aflevering - U zit niet op een netwerk. Post voor lokale "
+"gebruikers wordt afgeleverd."
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "WARNING: Postfix not configured"
+msgstr "WAARSCHUWING: Postfix is niet geconfigureerd"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default. Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr ""
+"U heeft gekozen voor \"Geen configuratie\" - Postfix wordt dus niet "
+"geconfigureerd en zal standaard niet gestart worden. Gelieve later 'dpkg-"
+"reconfigure postfix' uit te voeren, of postfix handmatig te configureren "
+"door:"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr "1) Het bestand /etc/postfix/main.cf naar uw wensen aan te passen"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "2) Running /etc/init.d/postfix start"
+msgstr "2) /etc/init.d/postfix start uit te voeren"
+
+#. Type: string
+#. Default
+#: ../templates:120
+msgid "/etc/mailname"
+msgstr "/etc/mailname"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid "Mail name?"
+msgstr "Wat is de postnaam?"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr ""
+"Uw `postnaam' is het computernaam-gedeelte van het adres dat getoond wordt "
+"op uitgaande niews- en emailberichten (i.e. dit volgt de gebruikersnaam en "
+"het @ teken)."
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+"Deze naam wordt niet alleen door Postfix gebruikt; het dient dan ook een "
+"enkele, volledige domeinnaam (FQDN) te zijn waarvan berichten zullen lijken "
+"te komen."
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr ""
+"Andere bestemmingen waarvoor post aanvaard wordt? (laat leeg indien geen)"
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for. If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+"Gelieve een komma-gescheiden lijst van domeinen op te geven waarvoor deze "
+"machine zichzelf als de eindbestemming moet beschouwen. Indien dit een post-"
+"domein gateway is kunt u best het top-niveau domein toevoegen."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid "SMTP relay host? (blank for none)"
+msgstr "SMTP doorvoerserver? (laat leeg indien geen)"
+
+#. Type: string
+#. Description
+#: ../templates:137
+#, fuzzy
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups. Leave this blank for no relay host."
+msgstr ""
+"Geef een domein, computer, computer:poort, [adres] of [adres:poort] op. "
+"Gebruik de vorm [bestemming] om MX-opzoekingen te vermijden. Laat dit blanco "
+"indien er geen doorvoerserver gebruikt wordt."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+"De doorvoerserver-parameter geeft een standaard server op waarnaar post "
+"gestuurd word indien geen enkele ingang in de optionele overzetrelatie "
+"(transport(5)) overeenkomt. Indien er geen doorvoerserver opgegeven is wordt "
+"post rechtstreeks naar de bestemming gestuurd."
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Use procmail for local delivery?"
+msgstr "Procmail gebruiken voor lokale aflevering?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr "Wilt u procmail gebruiken voor het afleveren van lokale post?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+"Merk op dat u, bij gebruik van procmail voor systeemwijde aflevering, een "
+"alias dient in te stellen zodat post voor root naar een echte gebruiker "
+"gestuurd wordt."
+
+#. Type: string
+#. Default
+#: ../templates:156
+msgid "+"
+msgstr "+"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "Local address extension character?"
+msgstr "Lokaal adres-uitbreidingskarakter?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "What character defines a local address extension?"
+msgstr "Welk karakter geeft een lokale adresuitbreiding aan?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "To not use address extensions, leave the string blank."
+msgstr "Laat dit leeg indien u geen adres-uitbreidingen wilt gebruiken."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "Bad recipient delimiter"
+msgstr "Slecht ontvanger-scheidingsteken"
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters. Please try again."
+msgstr ""
+"Het ontvanger-scheidingsteken is een enkel karakter, u heeft meerdere "
+"karakters ingevoerd. Gelieve opnieuw te proberen."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "\"${enteredstring}\""
+msgstr "\"${enteredstring}\""
+
+#. Type: boolean
+#. Default
+#: ../templates:172
+msgid "false"
+msgstr "false"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "Force synchronous updates on mail queue?"
+msgstr "Synchroon bijwerken van de post-wachtrij afdwingen?"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+#, fuzzy
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a remote chance of losing some mail if the system "
+"crashes at an inopportune time, and you are not using a journaled filesystem "
+"(such as ext3)."
+msgstr ""
+"Wanneer synchrone bijwerking afgedwongen wordt, verloopt het verwerken van "
+"berichten trager. Daar staat tegenover dat er mogelijks berichten verloren "
+"gaan wanneer dit niet afgedwongen wordt en het systeem op het verkeerde "
+"moment vastloopt."
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "The default is \"off\"."
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:183
+msgid "127.0.0.0/8"
+msgstr "127.0.0.0/8"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid "Local networks?"
+msgstr "Lokale netwerken?"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"For what network blocks should this machine relay mail? The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr ""
+"Voor welke netwerkblokken dient deze machine post door te geven? Standaard "
+"is dit enkel de lokale computer, wat noodzakelijk is voor sommige post-"
+"gebruiker-agenten."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+"Indien dit een smarthost is voor een groep machines dient u hier de "
+"netblokken op te geven om te vermijden dat post geweigerd wordt, in plaats "
+"van doorgegeven."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+"Om de postfix-standaard te gebruiken (die gebaseerd is op verbonden "
+"netwerken) laat u dit leeg."
+
+#. Type: string
+#. Default
+#: ../templates:196
+msgid "0"
+msgstr "0"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid "Mailbox size limit"
+msgstr "Grootte limiet voor postvak"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors. A value of zero (0) means no limit. (The upstream default is "
+"51200000.)"
+msgstr ""
+"Welke limiet dient Postfix op postvakken te plaatsen om fouten van op hol "
+"geslagen software te voorkomen. Waarde 0 betekent geen limiet. (de "
+"standaardwaarde is 51200000)"
+
+#. Type: string
+#. Default
+#: ../templates:204
+msgid "NONE"
+msgstr "GEEN"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid "Where should mail for root go"
+msgstr "Naar waar dient de post voor root gestuurd te worden"
+
+# Description
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody. This is by design: mail is not delivered to external delivery "
+"agents as root."
+msgstr ""
+"Voor de gebruiker root (en alle andere gebruikers met uid 0) moet de post "
+"omgeleid worden via een alias, anders wordt hun post afgeleverd bij /var/"
+"spool/mail/nobody. Dit is zo ontworpen: post wordt niet afgeleverd aan "
+"externe afleveringsagenten als root."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry. (I will only add it if I am creating a new /etc/aliases.)"
+msgstr ""
+"Indien u reeds een /etc/aliases bestand hebt dient u mogelijks deze ingang "
+"toe te voegen. (Ik doe dit enkel indien het bestand /etc/aliases nog niet "
+"bestaat)"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"What address should I add to /etc/aliases, if I create the file? (Enter "
+"NONE to not add one.)"
+msgstr ""
+"Welk adres dien ik in /etc/aliases toe te voegen, bij het aanmaken van dit "
+"bestand? (laat leeg om niemand toe te voegen)"
+
+#~ msgid ""
+#~ "HP - Configuration used inside of HP. This just hardcodes several "
+#~ "configuration parameters based on the final components of the hostname, "
+#~ "but looks largely like 'Internet site using smarthost'. This option will "
+#~ "modify /etc/postfix/transport and install it as a transport map."
+#~ msgstr ""
+#~ "HP - configuratie gebruikt binnen HP. Dit past een aantal parameters aan "
+#~ "naargelang de laatste onderdelen van de computernaam, maar komt verder "
+#~ "grotendeels overeen met 'Internet site die gebruik maakt van smarthost'. "
+#~ "Deze optie zal /etc/postfix/transport aanpassen, en dit bestand als een "
+#~ "overzetrelatie installeren."
+
+#~ msgid "The default is \"off\", see the changelog for an explanation."
+#~ msgstr "Standaard staat dit uit, zie het veranderingslog voor de reden."
+
+#~ msgid "Append .domain to simple addresses"
+#~ msgstr "Voeg .domein toe aan eenvoudige adressen"
+
+# Description
+#~ msgid ""
+#~ "When Postfix sees an address with only one component in the hostname, "
+#~ "should it append .$mydomain? Appending .$mydomain means that you don't "
+#~ "need to qualify destinations in your own domain, but breaks mail bound "
+#~ "for users at top-level domain addresses. (yes, there are some of these.)"
+#~ msgstr ""
+#~ "Dient Postfix .$mydomein toe te voegen wanneer een adres met slechts een "
+#~ "computernaam component tegengekomen wordt? Het toevoegen van .$mydomain "
+#~ "betekent dat u bestemmingen in uw eigen domein niet dient te "
+#~ "qualificeren, maar breekt post bestemd voor gebruikers op top-niveau "
+#~ "domein adressen. (Ja, deze bestaan.)"
+
+# Description
+#~ msgid ""
+#~ "If you are forwarding mail out of your organization, you should almost "
+#~ "certainly not append .$mydomain. If you're the only user of mail on your "
+#~ "system, choose whichever is more convenient for you."
+#~ msgstr ""
+#~ "Indien u mail doorsluist buiten uw organisatie, dient u bijna zeker geen ."
+#~ "$mydomain toe te voegen. Indien u de enige postgebruiker bent op dit "
+#~ "systeem kunt u kiezen wat u het beste uitkomt."
Added: trunk/kolab-postfix/debian/po/pt_BR.po
===================================================================
--- trunk/kolab-postfix/debian/po/pt_BR.po 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/po/pt_BR.po 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,712 @@
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: postfix\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-10-30 21:06-0600\n"
+"PO-Revision-Date: 2004-11-18 21:34-0300\n"
+"Last-Translator: André Luís Lopes <andrelop at debian.org>\n"
+"Language-Team: Debian-BR Project <debian-l10n-portuguese at lsts.debian.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-1\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr "Corrigir dynamicmaps.cf para atualização ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion. Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you. Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+"O Postfix versão 2.0.2 ou superior requer mudanças no arquivo dynamicmaps."
+"cf. Especificamente, o suporte a caracteres curingas não existe mais e, "
+"devido a isso, a expansão %s não é mais válida. Quaisquer mudanças que você "
+"tenha feito no arquivo dynamicmaps.cf que dependiam destes recursos "
+"precisarão ser corrigidas manualmente. A não correção das mesmas resultará "
+"um servidor de mensagens não funcional."
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed? Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration. Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr ""
+"O arquivo dynamicmaps.cf deve ser modificado automaticamente ? Não aceite "
+"esta opção caso queira abortar a atualização, o que lhe dará a oportunidade "
+"de eliminar a configuração dependente de caracteres curingas e da expansão %"
+"s. Aceite esta opção caso você não possua nenhuma configuração personalizada "
+"e automaticamente permita que o arquivo dynamicmaps.cf seja compatível com o "
+"Postfix 2.0.2 em relação a esse detalhe."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr "O Postfix, a partir da versão 2.1, requer novos serviços no master.cf."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid ""
+"Should this configuration be automatically added to master.cf? Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself. Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr ""
+"Essa configuração deve ser adicionada automaticamente no master.cf ? Não "
+"aceite esta opção caso você queira abortar a atualização, o que lhe dará a "
+"oportunidade de adicionar a configuração manualmente. Aceite esta opção para "
+"automaticamente tornar o master.cf compatível com o Postfix 2.1 em relação a "
+"esse detalhe."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr "Corrigir master.cf para atualização ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr ""
+"O Postfix versão 2.1 renomeou o \"nqmgr\" para \"qmgr\" e você está usando o "
+"\"nqmgr\"."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Failure to fix this will result in a broken mailer. Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself. Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr ""
+"Caso isto não seja corrigido, você terá um servidor de e-mail quebrado. Não "
+"aceite esta opção para abortar a atualização, o que lhe dará a oportunidade "
+"de adicionar a configuração manualmente. Aceite esta opção para "
+"automaticamente tornar o master.cf compatível com o Postfix 2.1 em relação a "
+"esse detalhe."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr "O Postfix deve atualizar os mapas hash e btree ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr ""
+"O Postfix mudou para o db4 e isso pode requerer que os mapas sejam "
+"atualizados."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr "Você deseja tentar a conversão automática ?"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr "Incompatibilidade de mapa de transporte"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used. Postfix will not be restarted automatically."
+msgstr ""
+"Você tem um mapa de transporte definido e existe uma mudança incompatível na "
+"maneira como os mapas de transporte são usados. O Postfix não será "
+"reiniciado automaticamente."
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"Transport map entries override $mydestination. If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination. See the html/faq.html sections for firewalls and "
+"intranets. If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr ""
+"Entradas de mapa de transporte sobrepõem $mydestination. Caso você utilize "
+"mapas de transporte, é melhor ter sempre entradas explícitas para todos os "
+"nomes de domínios que você possui em $mydestination. Consulte as seções html/"
+"faq.html para firewalls e intranets. Caso você possua entradas de transporte "
+"para domínios pais de qualquer coisa entregue localmente, você provavelmente "
+"precisará adicionar entradas específicas para os domínios de destino antes "
+"de reiniciar o Postfix."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr "Entrada ruim, tentar novamente ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr "A string que você informou"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr "não segue a RFC 1035 e não parece ser um endereço IP válido."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr ""
+"A RFC 1035 determina que \"cada componente deve iniciar com um valor "
+"alfanumérico, finalizar com um valor alfanumérico e conter somente valores "
+"alfanuméricos e hífens. Componentes devem ser separados por pontos.\""
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr "Você deseja manter essa valor de qualquer forma ?"
+
+#. Type: select
+#. Choices
+#: ../templates:75
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only"
+msgstr ""
+"Sem configuração, Internet Site, Internet com smarthost, Sistema satélite, "
+"Somente local"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr "Tipo geral de configuração ?"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point. If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later. You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr ""
+"Você possui diversas opções para configuração geral neste ponto. Caso você "
+"possua a configuração de prioridades de seu debconf definida como 'baixa' ou "
+"'média', um número maior de perguntas serão exibidas posteriormente. Você "
+"poderá sempre executar o comando \"dpkg-reconfigure --priority=low postfix\" "
+"posteriormente caso queira ver essas perguntas novamente."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION. No configuration changes will be done now: If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix. main.cf will not be modified by the "
+"Postfix install process."
+msgstr ""
+"Sem configuração - CASO VOCÊ QUEIRA QUE A INSTALAÇÂO DEIXE SUA CONFIGURAÇÂO "
+"INTOCADA, ESCOLHA ESTA OPÇÃO. Nenhuma mudança de configuração será feita "
+"agora. Caso você já não tenha configurado o Postfix, seu sistema de e-mail "
+"ficará em um estado não funcional e não poderá ser usado. Você deverá então "
+"fazer a configuração manualmente editando o arquivo de configuração /usr/"
+"share/postfix/main.cf.dist e salvando suas modificações como /etc/postfix/"
+"main.cf ou executando o comando 'dpkg-reconfigure postfix'. O arquivo main."
+"cf não será modificado pelo processo de instalação do Postfix quando esta "
+"opção for escolhida."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr ""
+"Internet Site - as mensagens são enviadas e recebidas diretamente usando o "
+"protocolo SMTP. Caso suas necessidades não se encaixem em nenhuma outra "
+"opção apresentada, você provavelmente iniciará com esta opção e então poderá "
+"editar o arquivo de configuração manualmente para personalizá-lo."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr ""
+"Internet site usando smarthost - Você recebe e-mail Internet nesta máquina "
+"diretamente via SMTP ou executando um utilitário como o fetchmail. As "
+"mensagens com destino externo são enviadas usando um smarthost, "
+"opcionalmente com os endereços reescritos. Esta é provavelmente a opção que "
+"você precisa para um sistema com conexão discada (dialup)."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr ""
+"Sistema satélite - Todas as mensagens serão enviadas para uma outra máquina, "
+"conhecida como \"smart host\" para entrega. As mensagens para o root e para "
+"o postmaster serão entregues de acordo com o arquivo /etc/aliases. Nenhuma "
+"mensagem será recebida localmente."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network. Mail for local users is "
+"delivered."
+msgstr ""
+"Entrega somente local - Você não está em uma rede. As mensagens para "
+"usuários locais serão entregues."
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "WARNING: Postfix not configured"
+msgstr "AVISO: Postfix não configurado"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default. Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr ""
+"Vocè escolheu \"Sem configuração\" - o Postfix não será configurado e não "
+"será iniciado por padrão. Por favor, execute o comando 'dpkg-reconfigure "
+"postfix' posteriormente ou configure o Postfix manualmente da seguinte "
+"maneira :"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr ""
+"1) Edite o arquivo /etc/postfix/main.cf de acordo com suas necessidades"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "2) Running /etc/init.d/postfix start"
+msgstr "2) Execute o comando /etc/init.d/postfix start"
+
+#. Type: string
+#. Default
+#: ../templates:120
+msgid "/etc/mailname"
+msgstr "/etc/mailname"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid "Mail name?"
+msgstr "Nome de mensagens ?"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr ""
+"Seu `nome de mensagens' (mail name) é a porção nome de máquina (hostname) do "
+"endereço que será exibido em mensagens de e-mail (após o nome de usuário e o "
+"símbolo @)."
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+"Esse nome será usado por outros programas além do Postfix. Por isso, ele "
+"deverá ser único. Deverá ser o nome de domínio completo (FQDN) a partir do "
+"qual as mensagens parecerão ter originado."
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr ""
+"Outros destinos para os quais aceitar mensagens ? (em branco para nenhum)"
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for. If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+"Forneça uma lista de domínios separados por vírgulas os quais esta máquina "
+"deve considerar como sendo ela mesma o destino final. Caso este seja um "
+"gateway de mensagens do domínio, você provavelmente desejará incluir o "
+"domínio de nível mais alto (top-level)."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid "SMTP relay host? (blank for none)"
+msgstr "SMTP relay host ? (branco para nenhum)"
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups. Leave this blank for no relay host."
+msgstr ""
+"Especifique um domínio, host, host:porta, [endereço] ou [endereço:porta]. "
+"Use o formato [destino] para desligar lookups MX. Mantenha em branco para "
+"não especificar nenhum host para relay."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+"O parâmetro relayhost especifica o host padrão para o qual enviar mensagens "
+"quando não existe nenhuma entrada correspondente (nenhum match) na tabela "
+"opcional de transporte - transport(5). Quando nenhum relayhost é informado, "
+"as mensagens são roteadas diretamente para o destino."
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Use procmail for local delivery?"
+msgstr "Usar procmail para entrega local ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr "Você deseja usar o procmail para entrega local de mensagens ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+"Note que, caso você use o procmail para entregar mensagens para todo o "
+"sistema (system-wide), você deverá configurar um alias que encaminhará as "
+"mensages enviadas para o root para um usuário real."
+
+#. Type: string
+#. Default
+#: ../templates:156
+msgid "+"
+msgstr "+"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "Local address extension character?"
+msgstr "Caracter de extensão de endereço local ?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "What character defines a local address extension?"
+msgstr "Qual caracter define uma extensão de endereço local ?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "To not use address extensions, leave the string blank."
+msgstr "Para não usar extensões de endereços, deixe a string em branco."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "Bad recipient delimiter"
+msgstr "Delimitador de recipiente ruim"
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters. Please try again."
+msgstr ""
+"O delimitador de recipiente é um caracter único, você informou muitos "
+"caracteres. Por favor, tente novamente."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "\"${enteredstring}\""
+msgstr "\"${enteredstring}\""
+
+#. Type: boolean
+#. Default
+#: ../templates:172
+msgid "false"
+msgstr "false"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "Force synchronous updates on mail queue?"
+msgstr "Forçar atualizações síncronas na fila de mensagens ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a remote chance of losing some mail if the system "
+"crashes at an inopportune time, and you are not using a journaled filesystem "
+"(such as ext3)."
+msgstr ""
+"Caso atualizações síncronas sejam forçadas, as mensagens serão processadas "
+"mais lentamente. Caso não sejam forçadas, existe a chance de perda de "
+"algumas mensagens caso o sistema trave em um momento inoportuno e você não "
+"esteja utilizando um sitema de arquivo com suporte a journalling (como o "
+"ext3)."
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "The default is \"off\"."
+msgstr "O padrão é \"off\" (não forçar atualizações síncronas)."
+
+#. Type: string
+#. Default
+#: ../templates:183
+msgid "127.0.0.0/8"
+msgstr "127.0.0.0/8"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid "Local networks?"
+msgstr "Redes locais ?"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"For what network blocks should this machine relay mail? The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr ""
+"Para quais blocos de rede esta máquina oferecerá 'relay' de mensagens ? O "
+"padrão é somente oferecer relay para o host local, o que é necessário para "
+"alguns clientes de e-mail."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+"Caso esta máquina seja um smarthost para um bloco de máquinas, você "
+"precisará especificar os blocos de rede aqui ou as mensages serão rejeitadas "
+"ao invés do relay ocorrer."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+"Para usar o padrão do Postfix (o qual é baseado nas redes conectadas), "
+"informe uma string vazia."
+
+#. Type: string
+#. Default
+#: ../templates:196
+msgid "0"
+msgstr "0"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid "Mailbox size limit"
+msgstr "Tamanho máximo das caixas de mensagens"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors. A value of zero (0) means no limit. (The upstream default is "
+"51200000.)"
+msgstr ""
+"Qual limite deverá ser usado pelo Postfix em arquivos de caixas-postais para "
+"evitar erros de software. Um valor de zero (0) significa que nenhum limite "
+"será usado. (O padrão do Postfix é de 51200000 bytes, o que corresponde a, "
+"aproximadamente, 50 MB.)"
+
+#. Type: string
+#. Default
+#: ../templates:204
+msgid "NONE"
+msgstr "NONE"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid "Where should mail for root go"
+msgstr "Onde as mensagens para o root devem ser entregues ?"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody. This is by design: mail is not delivered to external delivery "
+"agents as root."
+msgstr ""
+"Todas as mensagens destinadas ao usuário root (e quaisquer outros usuários "
+"com um uid 0) devem ser redirecionadas através de um alias, ou as mensagens "
+"serão entregues em /var/spool/mail/nobody. Este comportamento é o padrão : "
+"nenhuma mensagem é entregue para agentes de entrega externa como root."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry. (I will only add it if I am creating a new /etc/aliases.)"
+msgstr ""
+"Caso você já possua um arquivo /etc/aliases, você possivelmente precisará "
+"adicionar essa entrada. (Este sistema de configuração irá adicioná-la "
+"somente caso um novo arquivo /etc/aliases esteja sendo criado.)"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"What address should I add to /etc/aliases, if I create the file? (Enter "
+"NONE to not add one.)"
+msgstr ""
+"Qual endereço deverá ser adicionado ao arquivo /etc/aliases caso o arquivo "
+"seja criado ? (Informe NONE para não adicionar nenhum.)"
+
+#~ msgid ""
+#~ "HP - Configuration used inside of HP. This just hardcodes several "
+#~ "configuration parameters based on the final components of the hostname, "
+#~ "but looks largely like 'Internet site using smarthost'. This option will "
+#~ "modify /etc/postfix/transport and install it as a transport map."
+#~ msgstr ""
+#~ "HP - Configuração usada internamente na HP. Esta opção somente força "
+#~ "diversos parâmetros de configuração baseados nos componentes finais do "
+#~ "hostname, mas se parece principalmente com a opção 'Internet site usando "
+#~ "smarthost'. Esta opção irá modificar o arquivo /etc/postfix/transport e "
+#~ "instalá-lo como uma mapa de transporte."
+
+#~ msgid "The default is \"off\", see the changelog for an explanation."
+#~ msgstr "O padrão é \"off\", consulte o changelog para uma explicação."
+
+#~ msgid "Append .domain to simple addresses"
+#~ msgstr "Incluir .domínio para endereços simples"
+
+#~ msgid ""
+#~ "When Postfix sees an address with only one component in the hostname, "
+#~ "should it append .$mydomain? Appending .$mydomain means that you don't "
+#~ "need to qualify destinations in your own domain, but breaks mail bound "
+#~ "for users at top-level domain addresses. (yes, there are some of these.)"
+#~ msgstr ""
+#~ "Quando o Postfix vê um endereço com somente um componente no hostname, ."
+#~ "$mydomain deve ser adicionado ? Aceitar a inclusão de .$mydomain signfica "
+#~ "que você não precisará qualificar destinos em seu próprio domínio, mas "
+#~ "fará com que o envio de mensagens para usuários em endereços de domínios "
+#~ "de alto nível não funcione. (sim, existem alguns desses.)"
+
+#~ msgid ""
+#~ "If you are forwarding mail out of your organization, you should almost "
+#~ "certainly not append .$mydomain. If you're the only user of mail on your "
+#~ "system, choose whichever is more convenient for you."
+#~ msgstr ""
+#~ "Caso você esteja encaminhando mensagens para fora de sua organização você "
+#~ "certmamente não deverá incluir .$mydomain. Caso você seja o único usuário "
+#~ "de e-mail em seu sistema, escolha qualquer opção que lhe seja mais "
+#~ "conveniente."
+
+#~ msgid ""
+#~ "If you answer no, you almost certainly need to add 'localhost' to the "
+#~ "list of local destinations."
+#~ msgstr ""
+#~ "Caso você não responda positivamente, você certamente precisará adicionar "
+#~ "'localhost' a lista de destinos locais."
+
+#~ msgid ""
+#~ "Postfix has converted from libdb2 format to libdb3 format. This change "
+#~ "requires that all Postfix hash and btree maps be regenerated."
+#~ msgstr ""
+#~ "O Postfix converteu do formato libdb2 para o formato libdb3. Esta mudança "
+#~ "requer que todos os mapas hash e btree do Postfix sejam gerados novamente."
+
+#~ msgid ""
+#~ "If you answer no, Postfix will be restarted, but may fail if your db "
+#~ "files still need to be converted. If you answer yes, all hash and btree "
+#~ "maps used by Postfix will be rebuilt prior to restarting Postfix."
+#~ msgstr ""
+#~ "Se você responder não, o Postfix será reiniciado, mas pode falhar caso "
+#~ "seus arquivos db continuem precisando ser convertidos. Se você responder "
+#~ "sim, todos os mapas hash e btree usados pelo Postfix serão reconstruídos "
+#~ "antes que o Postfix seja reiniciado."
Added: trunk/kolab-postfix/debian/po/ru.po
===================================================================
--- trunk/kolab-postfix/debian/po/ru.po 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/po/ru.po 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,637 @@
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Developers do not need to manually edit POT or PO files.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-10-30 21:06-0600\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL at ADDRESS>\n"
+"Language-Team: LANGUAGE <LL at li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=KOI8-R\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion. Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you. Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed? Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration. Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid ""
+"Should this configuration be automatically added to master.cf? Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself. Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Failure to fix this will result in a broken mailer. Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself. Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr "äÏÌÖÅÎ ÌÉ Postfix ÏÂÎÏ×ÉÔØ ËÁÒÔÙ hash É btree?"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr "÷Ù ÈÏÔÉÔÅ ÐÏÐÙÔÁÔØÓÑ ÚÁÐÕÓÔÉÔØ Á×ÔÏÍÁÔÉÞÅÓËÕÀ ÐÅÒÅÇÅÎÅÒÁÃÉÀ?"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr "îÅÓÏ×ÍÅÓÔÉÍÁÑ ËÁÒÔÁ ÔÒÁÎÓÐÏÒÔÁ"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used. Postfix will not be restarted automatically."
+msgstr ""
+"õ ×ÁÓ ÏÐÒÅÄÅÌÅÎÁ ËÁÒÔÁ ÔÒÁÎÓÐÏÒÔÁ, É ××ÅÄÅÎÏ ÎÅÓÏ×ÍÅÓÔÉÍÏÅ ÉÚÍÅÎÅÎÉÅ ÐÒÉ "
+"ÉÓÐÏÌØÚÏ×ÁÎÉÉ ÄÁÎÎÏÇÏ ÆÁÊÌÁ. Postfix ÎÅ ÐÅÒÅÚÁÐÕÓÔÉÔÓÑ "
+"Á×ÔÏÍÁÔÉÞÅÓËÉ."
+
+#. Type: note
+#. Description
+#: ../templates:46
+#, fuzzy
+msgid ""
+"Transport map entries override $mydestination. If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination. See the html/faq.html sections for firewalls and "
+"intranets. If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr ""
+"úÁÐÉÓÉ ËÁÒÔÙ ÔÒÁÎÓÐÏÒÔÁ ÐÅÒÅËÒÙ×ÁÀÔ mydestination. åÓÌÉ ×Ù ÉÓÐÏÌØÚÕÅÔÅ ËÁÒÔÙ "
+"ÔÒÁÎÓÐÏÒÔÁ, ÔÏ ×ÓÅÇÄÁ ÌÕÞÛÅ ÉÍÅÔØ ÔÏÞÎÙÅ ÚÁÐÉÓÉ ÄÌÑ ×ÓÅÈ ×ÁÛÉÈ ÄÏÍÅÎÏ× × "
+"$mydestination. óÍ. ÒÁÚÄÅÌÙ html/faq.html Ï ÆÁÊÅÒ×ÏÌÁÈ É ÉÎÔÒÁÎÅÔÁÈ. "
+"åÓÌÉ ×Ù ÉÍÅÅÔÅ ÔÒÁÎÓÐÏÒÔÎÙÅ ÚÁÐÉÓÉ ÄÌÑ ÒÏÄÉÔÅÌØÓËÉÈ ÄÏÍÅÎÏ× ×ÓÅÇÏ, "
+"ÞÔÏ ÏÔÐÒÁ×ÑÌÅÔÓÑ ÌÏËÁÌØÎÏ, ÔÏ ×ÁÍ ×ÅÒÏÑÔÎÏ ÎÕÖÎÏ ÄÏÂÁ×ÉÔØ ×ÓÅ "
+"ÕËÁÚÁÎÎÙÅ ÚÁÐÉÓÉ ÄÌÑ ÄÏÍÅÎÏ× ÎÁÚÎÁÞÅÎÉÑ ÐÅÒÅÄ ÐÅÒÅÚÁÐÕÓËÏÍ Postfix."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr "îÅ×ÅÒÎÁÑ ÚÁÐÉÓØ, ÐÏÐÒÏÂÏ×ÁÔØ ÓÎÏ×Á?"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr "÷Ù ××ÅÌÉ ÓÔÒÏËÕ"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr "ÎÅ ÓÏ×ÍÅÓÔÉÍÕÀ Ó RFC 1035 É ÎÅ ÓÏÏÔ×ÅÔÓÔ×ÕÀÝÕÀ ÐÒÁ×ÉÌØÎÏÍÕ IP ÁÄÒÅÓÕ."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr ""
+"RFC 1035 ÕËÁÚÙ×ÁÅÔ, ÞÔÏ \"each component must start with an alphanum, end "
+"with an alphanum and contain only alphanums and hyphens. Components "
+"must be separated by full stops.\""
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr "÷ÓÅ ÒÁ×ÎÏ ÏÓÔÁ×ÉÔØ ××ÅÄÅÎÎÕÀ ×ÁÍÉ ÓÔÒÏËÕ?"
+
+#. Type: select
+#. Choices
+#: ../templates:75
+#, fuzzy
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only"
+msgstr ""
+"éÎÔÅÒÎÅÔ-ÓÁÊÔ, éÎÔÅÒÎÅÔ-ÓÁÊÔ ÓÏ ÓÍÁÒÔÈÏÓÔÏÍ, óÉÓÔÅÍÁ-ÓÐÕÔÎÉË, ôÏÌØËÏ "
+"ÌÏËÁÌØÎÏ, âÅÚ ÎÁÓÔÒÏÊËÉ"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr "ïÓÎÏ×ÎÏÊ ×ÉÄ ÎÁÓÔÒÏÊËÉ?"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point. If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later. You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr ""
+"óÅÊÞÁÓ ×Ù ÍÏÖÅÔÅ ×ÙÂÒÁÔØ ÏÄÉÎ ÉÚ ÎÅÓËÏÌØËÉÈ ×ÁÒÉÁÎÔÏ× ÏÂÝÅÊ ÎÁÓÔÒÏÊËÉ. åÓÌÉ "
+"×Ù ÕÓÔÁÎÏ×ÉÌÉ ÐÒÉÏÒÉÔÅÔ debconf 'ÎÉÚËÉÊ' ÉÌÉ 'ÓÒÅÄÎÉÊ', ÔÏ ÄÁÌÅÅ ×ÁÍ "
+"ÂÕÄÕÔ ÚÁÄÁÎÙ ÄÏÐÏÌÎÉÔÅÌØÎÙÅ ×ÏÐÒÏÓÙ. ðÏÔÏÍ ×Ù ×ÓÅÇÄÁ ÍÏÖÅÔÅ ÚÁÐÕÓÔÉÔØ "
+"\"dpkg-reconfigure --priority=low postfix\", ÅÓÌÉ ×Ù ÈÏÔÉÔÅ ÏÔ×ÅÔÉÔØ ÎÁ "
+"ÜÔÉ ×ÏÐÒÏÓÙ ÅÝÅ ÒÁÚ."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION. No configuration changes will be done now: If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix. main.cf will not be modified by the "
+"Postfix install process."
+msgstr ""
+"âÅÚ ÎÁÓÔÒÏÊËÉ - åóìé ÷ù èïôéôå ïóôá÷éôø ÷áûé îáóôòïêëé âåú éúíåîåîéê, ôï "
+"÷ùâåòéôå üôõ ïðãéà. óÅÊÞÁÓ ÉÚÍÅÎÅÎÉÊ ÎÁÓÔÒÏÅË ÎÅ ÂÕÄÅÔ: ÅÓÌÉ Õ ×ÁÓ ÕÖÅ ÎÅ "
+"ÕÓÔÁÎÏ×ÌÅÎ Postfix, ÔÏ ×ÁÛÁ ÐÏÞÔÏ×ÁÑ ÓÉÓÔÅÍÁ ÂÕÄÅÔ ÎÅÒÁÂÏÞÅÊ. äÁÌÅÅ "
+"×Ù ÄÏÌÖÎÙ ÓÁÍÏÓÔÏÑÔÅÌØÎÏ ÏÔÒÅÄÁËÔÉÒÏ×ÁÔØ ÆÁÊÌ /usr/share/"
+"postfix/main.cf.dist É ÓÏÈÒÁÎÉÔØ ËÁË /etc/postfix/main.cf, ÌÉÂÏÚÁÐÕÓÔÉÔØ "
+"dpkg-reconfigure Postfix. main.cf ÎÅ ÂÕÄÅÔ ÉÚÍÅÎÅÎ × ÐÒÏÃÅÓÓÅ ÕÓÔÁÎÏ×ËÉ "
+"Postfix."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr ""
+"éÎÔÅÒÎÅÔ-ÓÁÊÔ - ÐÏÞÔÁ ÏÔÐÒÁ×ÌÑÅÔÓÑ É ÐÒÉÎÉÍÁÅÔÓÑ ÎÁÐÒÑÍÕÀ ÐÏ SMTP. åÓÌÉ "
+"×Ù ÎÅ ÐÏÄÐÁÄÁÅÔÅ ÔÏÞÎÏ ÐÏÄ ÜÔÕ ËÁÔÅÇÏÒÉÀ, ÔÏ ×ÅÒÏÑÔÎÏ ×ÁÍ ÌÕÞÛÅ ÎÁÞÁÔØ Ó "
+"ÎÅÅ É ÚÁÔÅÍ ÏÔÒÅÄÁËÔÉÒÏ×ÁÔØ ÆÁÊÌ ÎÁÓÔÒÏÅË ×ÒÕÞÎÕÀ."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr ""
+"éÎÔÅÒÎÅÔ-ÓÁÊÔ ÓÏ ÓÍÁÒÔÈÏÓÔÏÍ - ÷Ù ÐÒÉÎÉÍÁÅÔÅ ÐÏÞÔÕ ÉÚ ÉÎÔÅÒÎÅÔ ÎÁ ÜÔÕ "
+"ÍÁÛÉÎÕ ÌÉÂÏ ÎÁÐÒÑÍÕÀ ÐÏ SMTP, ÌÉÂÏ Ó ÐÏÍÏÝØÀ ÔÁËÏÊ ÕÔÉÌÉÔÙ ËÁË "
+"fetchmail. éÓÈÏÄÑÝÁÑ ÐÏÞÔÁ ÏÔÐÒÁ×ÌÑÅÔÓÑ ÎÁ ÓÍÁÒÔÈÏÓÔ. ÷ÏÚÍÏÖÎÏ Ó "
+"ÐÅÒÅÚÁÐÉÓØÀ ÁÄÒÅÓÁ. ïÞÅ×ÉÄÎÏ, ÜÔÏ ÎÁÉÂÏÌÅÅ ÐÏÄÈÏÄÉÔ ÄÌÑ ÓÉÓÔÅÍÙ Ó "
+"ËÏÍÍÕÔÉÒÕÅÍÙÍ ËÁÎÁÌÏÍ."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr ""
+"óÉÓÔÅÍÁ-ÓÐÕÔÎÉË - ÷ÓÑ ÐÏÄÇÏÔÏ×ÌÅÎÎÁÑ ÄÌÑ ÏÔÐÒÁ×ËÉ ÐÏÞÔÁ ÏÔÐÒÁ×ÌÑÅÔÓÑ ÎÁ "
+"ÄÒÕÇÕÀ ÍÁÛÉÎÕ, ÎÁÚÙ×ÁÅÍÕÀ \"ÓÍÁÒÔÈÏÓÔ\". ðÏÞÔÁ ÐÏÌØÚÏ×ÁÔÅÌÅÊ root É "
+"postmaster ÏÔÐÒÁ×ÌÑÅÔÓÑ × ÓÏÏÔ×ÅÔÓÔ×ÉÉ Ó /etc/aliases."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network. Mail for local users is "
+"delivered."
+msgstr ""
+"ôÏÌØËÏ ÌÏËÁÌØÎÏ - ÷Ù ÎÅ × ÓÅÔÉ. ðÏÞÔÁ ÄÏÓÔÁ×ÌÑÅÔÓÑ ÔÏÌØËÏ ÌÏËÁÌØÎÙÍ "
+"ÐÏÌØÚÏ×ÁÔÅÌÑÍ."
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "WARNING: Postfix not configured"
+msgstr "ðòåäõðòåöäåîéå: Postfix ÎÅ ÎÁÓÔÒÏÅÎ"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default. Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr ""
+"÷Ù ×ÙÂÒÁÌÉ \"âÅÚ ÎÁÓÔÒÏÊËÉ\" - Postfix ÎÅ ÂÕÄÅÔ ÎÁÓÔÒÏÅÎ É ÐÏ ÕÍÏÌÞÁÎÉÀ "
+"ÎÅ ÂÕÄÅÔ ÚÁÐÕÓËÁÔØÓÑ. ðÏÚÖÅ ×ÙÐÏÌÎÉÔÅ ËÏÍÁÎÄÕ 'dpkg-reconfigure "
+"postfix', ÉÌÉ ÎÁÓÔÒÏÊÔÅ ÅÇÏ ÓÁÍÏÓÔÏÑÔÅÌØÎÏ ÓÌÅÄÕÀÝÉÍ ÏÂÒÁÚÏÍ:"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr "1) ïÔÒÅÄÁËÔÉÒÕÊÔÅ ÆÁÊÌ /etc/postfix/main.cf ËÁË ×ÁÍ ÎÕÖÎÏ"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "2) Running /etc/init.d/postfix start"
+msgstr "2) ÷ÙÐÏÌÎÉÔÅ ËÏÍÁÎÄÕ /etc/init.d/postfix start"
+
+#. Type: string
+#. Default
+#: ../templates:120
+#, fuzzy
+msgid "/etc/mailname"
+msgstr "ðÏÞÔÏ×ÏÅ ÉÍÑ?"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid "Mail name?"
+msgstr "ðÏÞÔÏ×ÏÅ ÉÍÑ?"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr ""
+"÷ÁÛÅ 'ÐÏÞÔÏ×ÏÅ ÉÍÑ' - ÜÔÏ ÉÍÑ ÈÏÓÔÁ × ÁÄÒÅÓÅ, ËÏÔÏÒÏÅ ÂÕÄÅÔ ÐÏËÁÚÁÎÏ × "
+"ÉÓÈÏÄÑÝÉÈ ÓÏÏÂÝÅÎÉÑÈ ÐÏÞÔÙ É ÇÒÕÐÐ ÎÏ×ÏÓÔÅÊ (×ÍÅÓÔÅ Ó ÉÍÅÎÅÍ "
+"ÐÏÌØÚÏ×ÁÔÅÌÑ É ÚÎÁËÏÍ @)."
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+"üÔÏ ÉÍÑ ÐÏÍÉÍÏ Postfix ÂÕÄÅÔ ÉÓÐÏÌØÚÏ×ÁÔØÓÑ ÄÒÕÇÉÍÉ ÐÒÏÇÒÁÍÍÁÍÉ; ÅÇÏ "
+"ÒÅËÏÍÅÎÄÕÅÔÓÑ ÄÅÌÁÔØ ÎÅÒÁÚÄÅÌØÎÙÍ, ÏÔ ÐÏÌÎÏÇÏ ÄÏÍÅÎÎÏÇÏ ÉÍÅÎÉ (FQDN) "
+"ËÏÔÏÒÏÇÏ ÂÕÄÅÔ ÏÔÐÒÁ×ÌÑÔØÓÑ ÐÏÞÔÁ."
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr ""
+"äÒÕÇÉÅ ÄÏÍÅÎÙ ÄÌÑ ËÏÔÏÒÙÈ ÐÒÉÎÉÍÁÅÔÓÑ ÐÏÞÔÁ? (ÏÓÔÁ×ÉÔØ ÐÕÓÔÙÍ, ÅÓÌÉ ÎÅÔÕ)"
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for. If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+"úÁÄÁÊÔÅ ÒÁÚÄÅÌÅÎÎÙÊ ÚÁÐÑÔÙÍÉ ÓÐÉÓÏË ÄÏÍÅÎÏ×, ËÏÔÏÒÙÅ ÜÔÁ ÍÁÛÉÎÁ ÄÏÌÖÎÁ "
+"ÕÞÉÔÙ×ÁÔØ × ËÁÞÅÓÔ×Å ËÏÎÅÞÎÏÇÏ ÐÕÎËÔÁ ÄÏÓÔÁ×ËÉ. åÓÌÉ ÜÔÏ ÐÏÞÔÏ×ÙÊ ÛÌÀÚ ÔÏ "
+"×ÁÍ ×ÅÒÏÑÔÎÏ ÓÔÏÉÔ ×ËÌÀÞÉÔØ ÄÏÍÅÎ ×ÅÒÈÎÅÇÏ ÕÒÏ×ÎÑ."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid "SMTP relay host? (blank for none)"
+msgstr "òÅÌÅÊÎÙÊ ÈÏÓÔ SMTP? (ÏÓÔÁ×ÉÔØ ÐÕÓÔÙÍ, ÅÓÌÉ ÎÅÔÕ)"
+
+#. Type: string
+#. Description
+#: ../templates:137
+#, fuzzy
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups. Leave this blank for no relay host."
+msgstr ""
+"õËÁÖÉÔÅ ÄÏÍÅÎ, ÈÏÓÔ, ÈÏÓÔ:ÐÏÒÔ, [ÁÄÒÅÓ] ÉÌÉ [ÁÄÒÅÓ:ÐÏÒÔ]. þÔÏÂÙ ÉÚÂÅÖÁÔØ "
+"ÐÒÏÓÍÏÔÒÏ× íè-ÚÁÐÉÓÅÊ, ÉÓÐÏÌØÚÕÊÔÅ ÆÏÒÍÕ [ÎÁÚÎÁÞÅÎÉÅ]. åÓÌÉ ÒÅÌÅÊÎÏÇÏ ÈÏÓÔÁ "
+"ÎÅÔ, ÔÏ ÏÓÔÁרÔÅ ÐÏÌÅ ÐÕÓÔÙÍ."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+"ðÁÒÁÍÅÔÒ relayhost ÕËÁÚÙ×ÁÅÔ ÈÏÓÔ ÐÏ ÕÍÏÌÞÁÎÉÀ ÄÌÑ ÏÔÐÒÁ×ËÉ ÐÏÞÔÙ ÔÏÍÕ, ÞØÑ "
+"ÚÁÐÉÓØ ÏÔÓÕÔÓÔ×ÕÅÔ × ÎÅÏÂÑÚÁÔÅÌØÎÏÊ ÔÁÂÌÉÃÅ transport(5). åÓÌÉ relayhost ÎÅ "
+"ÚÁÄÁÎ, ÔÏ ÐÏÞÔÁ ÐÅÒÅÓÙÌÁÅÔÓÑ ÎÁÐÒÑÍÕÀ ÁÄÒÅÓÁÔÕ."
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Use procmail for local delivery?"
+msgstr "éÓÐÏÌØÚÏ×ÁÔØ procmail ÄÌÑ ÌÏËÁÌØÎÏÊ ÄÏÓÔÁ×ËÉ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr "÷Ù ÈÏÔÉÔÅ ÉÓÐÏÌØÚÏ×ÁÔØ procmail ÄÌÑ ÌÏËÁÌØÎÏÊ ÄÏÓÔÁ×ËÉ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+"ïÂÒÁÔÉÔÅ ×ÎÉÍÁÎÉÅ, ÞÔÏ ÅÓÌÉ ×Ù ÉÓÐÏÌØÚÕÅÔÅ procmail ÄÌÑ ÏÔÐÒÁ×ËÉ ÐÏÞÔÙ ÐÏ "
+"ÓÉÓÔÅÍÅ, ÔÏ ×ÁÍ ÒÅËÏÍÅÎÄÕÅÔÓÑ ÕÔÁÎÏ×ÉÔØ ÐÓÅ×ÄÏÎÉÍ, ËÏÔÏÒÙÊ ÂÕÄÅÔ ÐÅÒÅÓÙÌÁÔØ "
+"ÐÏÞÔÕ ÄÌÑ root ÒÅÁÌØÎÏÍÕ ÐÏÌØÚÏ×ÁÔÅÌÀ."
+
+#. Type: string
+#. Default
+#: ../templates:156
+msgid "+"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "Local address extension character?"
+msgstr "óÉÍ×ÏÌ ÒÁÓÛÉÒÅÎÉÑ ÌÏËÁÌØÎÙÈ ÁÄÒÅÓÏ×?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "What character defines a local address extension?"
+msgstr "ëÁËÏÊ ÓÉÍ×ÏÌ ÏÔÐÒÅÄÅÌÑÅÔ ÒÁÓÛÉÒÅÎÉÅ ÌÏËÁÌØÎÙÈ ÁÄÒÅÓÏ×?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "To not use address extensions, leave the string blank."
+msgstr ""
+"þÔÏÂÙ ÎÅ ÉÓÐÏÌØÚÏ×ÁÔØ ÒÁÓÛÉÒÅÎÉÅ ÌÏËÁÌØÎÙÈ ÁÄÒÅÓÏ×, ÏÓÔÁרÔÅ ÐÏÌÅ ÐÕÓÔÙÍ."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "Bad recipient delimiter"
+msgstr "îÅÐÒÁ×ÉÌØÎÙÊ ÒÁÚÄÅÌÉÔÅÌØ ÁÄÒÅÓÁÔÁ"
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters. Please try again."
+msgstr ""
+"òÁÚÄÅÌÉÔÅÌØ ÁÄÒÅÓÁÔÁ - ÜÔÏ ÏÄÉÎ ÓÉÍ×ÏÌ, Á ×Ù ××ÅÌÉ ÎÅÓËÏÌØËÏ. ðÏÐÒÏÂÕÊÔÅ ÅÝÅ "
+"ÒÁÚ."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "\"${enteredstring}\""
+msgstr "\"${enteredstring}\""
+
+#. Type: boolean
+#. Default
+#: ../templates:172
+msgid "false"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "Force synchronous updates on mail queue?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a remote chance of losing some mail if the system "
+"crashes at an inopportune time, and you are not using a journaled filesystem "
+"(such as ext3)."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "The default is \"off\"."
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:183
+msgid "127.0.0.0/8"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid "Local networks?"
+msgstr "ìÏËÁÌØÎÙÅ ÓÅÔÉ?"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"For what network blocks should this machine relay mail? The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr ""
+"äÌÑ ËÁËÉÈ ÂÌÏËÏ× ÓÅÔÅ×ÙÈ ÁÄÒÅÓÏ× ÎÁ ÜÔÏÊ ÍÁÛÉÎÅ ÒÁÚÒÅÛÅÎ ÐÏÞÔÏ×ÙÊ "
+"ÒÅÌÅÊ? ðÏ ÕÍÏÌÞÁÎÉÀ ÜÔÏ ÔÏÌØËÏ localhost, ÞÔÏ ÎÅÏÂÈÏÄÉÍÏ ÎÅËÏÔÏÒÙÍ "
+"ÐÏÞÔÏ×ÙÍ ÁÇÅÎÔÁÍ ÐÏÌØÚÏ×ÁÔÅÌÑ."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+"åÓÌÉ ÜÔÏ ÓÍÁÒÔÈÏÓÔ ÄÌÑ ÂÌÏËÁ ÍÁÛÉÎ, ÔÏ ×ÁÍ ÎÕÖÎÏ ÕËÁÚÁÔØ ÚÄÅÓØ ÂÌÏËÉ "
+"ÓÅÔÅ×ÙÈ ÁÄÒÅÓÏ×, ÌÉÂÏ ÐÏÞÔÁ ÂÕÄÅÔ ÏÔ×ÅÒÇÎÕÔÁ, ÎÅ ÂÕÄÅÔ ÐÅÒÅÄÁÎÁ."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:196
+msgid "0"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid "Mailbox size limit"
+msgstr "ïÇÒÁÎÉÞÅÎÉÅ ÒÁÚÍÅÒÁ ÐÏÞÔÏ×ÏÇÏ ÑÝÉËÁ"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors. A value of zero (0) means no limit. (The upstream default is "
+"51200000.)"
+msgstr ""
+"ëÁË ÏÇÒÁÎÉÞÉÔØ ÆÁÊÌÙ ÐÏÞÔÏ×ÙÈ ÑÝÉËÏ×, ÞÔÏÂÙ ÉÚÂÅÖÁÔØ ÓÂÏÅ× × ÒÁÂÏÔÅ "
+"ÐÒÏÇÒÁÍÍÎÏÇÏ ÏÂÅÓÐÅÞÅÎÉÑ. ðÏ ÕÍÏÌÞÁÎÉÀ ÓÔÏÉÔ (0) - ÂÅÚ ÏÇÒÁÎÉÞÅÎÉÊ. (÷ "
+"ÏÒÉÇÉÎÁÌØÎÏÍ ÉÓÈÏÄÎÏÍ ÔÅËÓÔÅ ÓÔÏÉÔ 51200000.)"
+
+#. Type: string
+#. Default
+#: ../templates:204
+msgid "NONE"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid "Where should mail for root go"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody. This is by design: mail is not delivered to external delivery "
+"agents as root."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry. (I will only add it if I am creating a new /etc/aliases.)"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"What address should I add to /etc/aliases, if I create the file? (Enter "
+"NONE to not add one.)"
+msgstr ""
+
+#~ msgid "Postfix needs to correct master.cf"
+#~ msgstr "Postfix'Õ ÎÕÖÅÎ ÐÒÁ×ÉÌØÎÙÊ ÆÁÊÌ master.cf"
+
+#~ msgid ""
+#~ "Postfix version 0.0.20020113 and later requires changes in how the "
+#~ "pickup, cleanup and flush daemons are launched. Since failure to correct "
+#~ "these will result in a broken mailer, the upgrade process will make the "
+#~ "changes. You can safely answer 'NO' when dpkg asks about installing "
+#~ "master.cf."
+#~ msgstr ""
+#~ "÷ Postfix ×ÅÒÓÉÉ 0.0.20020113 É ÂÏÌÅÅ ÐÏÚÄÎÉÈ ÔÒÅÂÕÀÔÓÑ ÉÚÍÅÎÅÎÉÑ ÐÒÉ "
+#~ "ÚÁÐÕÓËÅ ÄÅÍÏÎÏ× pickup, cleanup É flush. ôÁË ËÁË ÎÅÕÄÁÞÎÙÊ ÚÁÐÕÓË ÜÔÉÈ "
+#~ "ÄÅÍÏÎÏ× ÎÁÒÕÛÉÔ ÒÁÂÏÔÕ ÐÏÞÔÏ×ÏÊ ÓÉÓÔÅÍÙ, ÔÏ ÐÒÏÃÅÓÓ ÏÂÎÏ×ÌÅÎÉÑ ÓÅÊÞÁÓ "
+#~ "ÐÒÏÉÚ×ÅÄÅÔ ÉÚÍÅÎÅÎÉÑ. ÷Ù ÍÏÖÅÔÅ ÓÐÏËÏÊÎÏ ÏÔ×ÅÔÉÔØ 'îåô', ËÏÇÄÁ dpkg "
+#~ "ÐÒÅÄÌÏÖÉÔ ÕÓÔÁÎÏ×ÉÔØ master.cf."
+
+#~ msgid ""
+#~ "Postfix has converted from libdb2 format to libdb3 format. This change "
+#~ "requires that all Postfix hash and btree maps be regenerated."
+#~ msgstr ""
+#~ "Postfix ÔÅÐÅÒØ ÉÓÐÏÌØÚÕÅÔ ÆÏÒÍÁÔ libdb3 ×ÍÅÓÔÏ libdb3. üÔÏ ÉÚÍÅÎÅÎÉÅ "
+#~ "ÔÒÅÂÕÅÔ ÐÅÒÅÇÅÎÅÒÁÃÉÉ ×ÓÅÈ ËÁÒÔ hash É btree, ÉÓÐÏÌØÚÕÅÍÙÈ Postfix."
+
+#~ msgid ""
+#~ "If you answer no, Postfix will be restarted, but may fail if your db "
+#~ "files still need to be converted. If you answer yes, all hash and btree "
+#~ "maps used by Postfix will be rebuilt prior to restarting Postfix."
+#~ msgstr ""
+#~ "åÓÌÉ ×Ù ÏÔ×ÅÔÉÔÅ îåô, ÔÏ Postfix ÐÏÐÒÏÂÕÅÔ ÚÁÐÕÓÔÉÔØÓÑ, ÎÏ ÜÔÏ ÍÏÖÅÔ ÎÅ "
+#~ "ÐÏÌÕÞÉÔØÓÑ, ÅÓÌÉ ×ÁÛÉ ËÁÒÔÙ ÎÅ ÂÕÄÕÔ ÐÅÒÅÇÅÎÅÒÉÒÏ×ÁÎÙ. åÓÌÉ ×Ù "
+#~ "ÏÔ×ÅÔÉÔÅ äá, ÔÏ ÐÅÒÅÄ ÐÅÒÅÚÁÐÕÓËÏÍ Postfix ÜÔÉ ËÁÒÔÙ ÂÕÄÕÔ ÓÏÚÄÁÎÙ "
+#~ "ÚÁÎÏ×Ï."
+
+#~ msgid "Internet Site"
+#~ msgstr "éÎÔÅÒÎÅÔ-ÓÁÊÔ"
Added: trunk/kolab-postfix/debian/po/templates.pot
===================================================================
--- trunk/kolab-postfix/debian/po/templates.pot 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/po/templates.pot 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,525 @@
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Developers do not need to manually edit POT or PO files.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-10-30 21:06-0600\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL at ADDRESS>\n"
+"Language-Team: LANGUAGE <LL at li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion. Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you. Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed? Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration. Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid ""
+"Should this configuration be automatically added to master.cf? Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself. Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Failure to fix this will result in a broken mailer. Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself. Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used. Postfix will not be restarted automatically."
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"Transport map entries override $mydestination. If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination. See the html/faq.html sections for firewalls and "
+"intranets. If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr ""
+
+#. Type: select
+#. Choices
+#: ../templates:75
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only"
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point. If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later. You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION. No configuration changes will be done now: If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix. main.cf will not be modified by the "
+"Postfix install process."
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network. Mail for local users is "
+"delivered."
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "WARNING: Postfix not configured"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default. Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "2) Running /etc/init.d/postfix start"
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:120
+msgid "/etc/mailname"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid "Mail name?"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for. If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid "SMTP relay host? (blank for none)"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups. Leave this blank for no relay host."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Use procmail for local delivery?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:156
+msgid "+"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "Local address extension character?"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "What character defines a local address extension?"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "To not use address extensions, leave the string blank."
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "Bad recipient delimiter"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters. Please try again."
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "\"${enteredstring}\""
+msgstr ""
+
+#. Type: boolean
+#. Default
+#: ../templates:172
+msgid "false"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "Force synchronous updates on mail queue?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a remote chance of losing some mail if the system "
+"crashes at an inopportune time, and you are not using a journaled filesystem "
+"(such as ext3)."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "The default is \"off\"."
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:183
+msgid "127.0.0.0/8"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid "Local networks?"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"For what network blocks should this machine relay mail? The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:196
+msgid "0"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid "Mailbox size limit"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors. A value of zero (0) means no limit. (The upstream default is "
+"51200000.)"
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:204
+msgid "NONE"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid "Where should mail for root go"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody. This is by design: mail is not delivered to external delivery "
+"agents as root."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry. (I will only add it if I am creating a new /etc/aliases.)"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"What address should I add to /etc/aliases, if I create the file? (Enter "
+"NONE to not add one.)"
+msgstr ""
Added: trunk/kolab-postfix/debian/postinst
===================================================================
--- trunk/kolab-postfix/debian/postinst 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/postinst 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,487 @@
+#!/bin/sh -e
+
+# Debian Postfix postinst
+# LaMont Jones <lamont at debian.org>
+# Based on debconf code by Colin Walters <walters at cis.ohio-state.edu>,
+# and John Goerzen <jgoerzen at progenylinux.com>.
+
+# Use debconf.
+. /usr/share/debconf/confmodule
+CHROOT=/var/spool/kolab-postfix
+config_directory="/etc/kolab-postfix" # make variable expansion easier...
+
+. /usr/share/postfix/postinst.functions
+
+set_maildrop_perms() {
+ MAILDROP=${CHROOT}/maildrop
+ SCRIPT=/etc/kolab-postfix/postfix-script
+ POSTDROP=/usr/sbin/postdrop
+ mkdir -p $MAILDROP
+ if ! chown postfix:postdrop $MAILDROP 2>/dev/null; then
+ addgroup --system postdrop
+ chown postfix:postdrop $MAILDROP
+ fi
+ dpkg-statoverride --remove $POSTDROP >/dev/null 2>&1 || true
+ dpkg-statoverride --remove /var/spool/postfix/public >/dev/null 2>&1 || true
+ dpkg-statoverride --remove /usr/sbin/postqueue >/dev/null 2>&1 || true
+ dpkg-statoverride --update --add root postdrop 02555 $POSTDROP
+ dpkg-statoverride --update --add postfix postdrop 02710 /var/spool/postfix/public
+ dpkg-statoverride --update --add root postdrop 02555 /usr/sbin/postqueue
+ chmod 1730 $MAILDROP
+}
+
+fset_all_changed() {
+ db_fset postfix/main_mailer_type changed $1
+ db_fset postfix/root_address changed $1
+ db_fset postfix/destinations changed $1
+ db_fset postfix/mailname changed $1
+ db_fset postfix/relayhost changed $1
+ db_fset postfix/chattr changed $1
+ db_fset postfix/mynetworks changed $1
+ db_fset postfix/procmail changed $1
+ db_fset postfix/mailbox_limit changed $1
+ db_fset postfix/recipient_delim changed $1
+}
+
+set_postconf() {
+ CHANGES=true
+ postconf -e "$@"
+}
+
+get_postconf() {
+ postconf -h "$@"
+}
+
+makedir() {
+ if [ ! -d $1 ]; then
+ mkdir $1
+ fi
+ chown $2 $1 && chmod $3 $1
+}
+
+convert_dbs() {
+ # get all of the hash and btree maps.
+ maps=$(postconf -h | sed -e 's/[,[:space:]]/\
+/g' -e 's/^proxy://' -e '/:/p' | sort -u )
+ for i in $maps; do
+ case $i in
+ hash:*|btree:*)
+ f=${i#*:}.db
+ if [ -f $f ]; then
+ echo "attempting conversion of $i"
+ echo " saving old db in ${f}.db3"
+ cp $f ${f}.db3
+ postmap -u $i
+ fi
+ ;;
+ esac
+ done
+}
+
+fix_master() {
+ echoed=""
+ # Need to handle some changes in services.
+ MASTER=/etc/kolab-postfix/master.cf
+ if grep -qE '^cleanup[[:space:]]+unix[[:space:]]+-' ${MASTER}; then
+ echo "in master.cf:"; echoed=y
+ echo " forcing pickup=unprivileged, cleanup=public, flush=public"
+ sed 's/^\(cleanup[[:space:]]*unix[[:space:]]*\)-/\1n/
+ s/^\(flush[[:space:]]*unix[[:space:]]*\)-/\1n/
+ s/^\(pickup[[:space:]]*fifo[[:space:]]*.[[:space:]]*\)n/\1-/
+ ' ${MASTER} > ${MASTER}.$$
+ mv ${MASTER}.$$ ${MASTER}
+ fi
+
+ if ! grep -qE '^flush[[:space:]]' ${MASTER}; then
+ [ -n $echoed ] || echo "in master.cf:"; echoed=y
+ echo " adding missing entry for flush service"
+ echo "flush unix n - - 1000? 0 flush" \
+ >> ${MASTER}
+ fi
+
+ if ! grep -qE '^proxymap[[:space:]]' ${MASTER}; then
+ [ -n $echoed ] || echo "in master.cf:"; echoed=y
+ echo " adding missing entry for proxymap service"
+ echo "proxymap unix - - n - - proxymap" \
+ >> ${MASTER}
+ fi
+ if ! grep -qE '^trace[[:space:]]' ${MASTER}; then
+ [ -n $echoed ] || echo "in master.cf:"; echoed=y
+ echo " adding missing entry for trace service"
+ echo "trace unix - - - - 0 bounce" \
+ >> ${MASTER}
+ fi
+
+ if ! grep -qE '^verify[[:space:]]' ${MASTER}; then
+ [ -n $echoed ] || echo "in master.cf:"; echoed=y
+ echo " adding missing entry for verify service"
+ echo "verify unix - - - - 1 verify" \
+ >> ${MASTER}
+ fi
+
+ if ! grep -qE '^relay[[:space:]]' ${MASTER}; then
+ [ -n $echoed ] || echo "in master.cf:"; echoed=y
+ echo " adding missing entry for relay service"
+ echo "relay unix - - n - - smtp" \
+ >> ${MASTER}
+ echo "# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5" \
+ >> ${MASTER}
+ fi
+}
+
+umask 022
+
+# postinst processing
+
+#DEBHELPER#
+
+case "$1" in
+ configure)
+ OLDVERSION="$2"
+ # see below
+ ;;
+
+ abort-upgrade)
+ fix_master
+ exit 0
+ ;;
+
+ abort-remove|abort-deconfigure)
+ exit 0
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+CHANGES=""
+NEWALIASES="y"
+
+update-rc.d postfix defaults > /dev/null
+update-inetd --disable smtp
+
+ldconfig
+
+dpkg-divert --package kolab-postfix --remove --rename \
+ --divert /usr/share/man/man8/smtpd.real.8.gz \
+ /usr/share/man/man8/smtpd.8.gz > /dev/null 2>&1
+
+cd ${CHROOT}
+# make sure that the postfix user exists. Simplest portable way to check is to
+# chown something, so we'll create the directories that we need here.
+makedir private root:root 700
+chgrp postfix private 2>/dev/null ||
+ addgroup --system postfix
+chown postfix private 2>/dev/null ||
+ adduser --system --home ${CHROOT} --no-create-home --disabled-password --ingroup postfix postfix
+
+# need to have postfix in the right group, but old revs do it wrong..
+if [ "$(id -gn postfix)" != "postfix" ]; then
+ usermod -g postfix postfix
+fi
+
+chown postfix:root private
+
+db_fget postfix/chattr changed
+if [ "$RET" = "true" ]; then
+ db_get postfix/chattr && chat="$RET"
+ echo "setting synchronous mail queue updates: $chat"
+ if [ "$chat" = "true" ]; then
+ chat="+S"
+ else
+ chat="-S"
+ fi
+fi
+
+for dir in pid public; do
+ makedir ${dir} postfix:root 755
+done
+for dir in incoming active bounce defer deferred flush saved corrupt; do
+ makedir ${dir} postfix:root 700
+ if [ -n "$chat" ]; then
+ chattr $chat $dir 2>/dev/null || true
+ fi
+done
+
+cd /etc/kolab-postfix
+
+if [ ! -f dynamicmaps.cf ]; then
+ echo "Creating /etc/kolab-postfix/dynamicmaps.cf"
+ cat << EOF > dynamicmaps.cf
+# Postfix dynamic maps configuration file.
+#
+# The first match found is the one that is used. Wildcards are not supported
+# as of postfix 2.0.2
+#
+#type location of .so file open function (mkmap func)
+#==== ================================ ============= ============
+EOF
+ addmap tcp
+else
+ # handle dynamicmaps.cf upgrade - we checked with the user in preinst.
+ if [ -f /var/spool/kolab-postfix/dynamicmaps_upgrade ]; then
+ (
+ if ! grep -qi 'wildcards are not supported' dynamicmaps.cf; then
+ echo '# *** Wildcards are not supported as of postfix 2.0.2 ***'
+ echo '#'
+ fi
+ sed '/^\*[[:space:]]/d' dynamicmaps.cf
+ ) > dynamicmaps.cf.$$
+ mv dynamicmaps.cf.$$ dynamicmaps.cf
+ # Need to add all of them, since we may need them to configure... sigh.
+ addmap tcp
+ addmap ldap
+ addmap pcre
+ addmap mysql
+ addmap pgsql
+ addmap sdbm mkmap_sdbm_open
+ fi
+fi
+
+db_get postfix/main_mailer_type && mailer="$RET"
+
+[ -f master.cf ] || cp /usr/share/kolab-postfix/master.cf.dist master.cf
+
+if [ "$mailer" != "No configuration" ]; then # [
+ if [ -f main.cf ]; then
+ NEWCONF=""
+ else
+ cp /usr/share/kolab-postfix/main.cf.debian main.cf
+ NEWCONF=yes
+ fi
+
+ # This is the braindead local-only master.cf from elsewhen
+ # we now deal with this in main.cf, so mark the mailer_type changed.
+ md5sum=$(md5sum /etc/kolab-postfix/master.cf)
+ if [ "${md5sum%% *}" = "fadb677a071ea2851cc2b8a12345823d" ]; then
+ cp /usr/share/kolab-postfix/master.cf.dist master.cf
+ db_fset postfix/main_mailer_type changed true
+ fi
+fi # !No configuration ]
+
+# cleanup from braindamage.
+if [ -d /etc/kolab-postfix/maildrop ]; then
+ rmdir /etc/kolab-postfix/maildrop 2>/dev/null
+fi
+
+set_maildrop_perms postdrop
+if [ -f /var/spool/kolab-postfix/db-upgrade ]; then
+ rm /var/spool/kolab-postfix/db-upgrade
+ db_get postfix/db_upgrade_warning && convert="$RET"
+ if [ "$convert" = "true" ]; then
+ convert_dbs
+ else
+ echo "DB files not converted, Postfix restart may fail."
+ fi
+fi
+
+if [ "$mailer" != "No configuration" ]; then # [
+ myhostname=$(hostname --fqdn 2>/dev/null || echo "")
+ if [ -z "$myhostname" ]; then
+ if [ -r /etc/hostname ];then
+ myhostname=$(cat /etc/hostname)
+ if [ $hostname = ${hostname%.*} -a -f /etc/resolv.conf ]; then
+ mydom=$(awk '/^(search|domain)/ { print $2;quit;}' \
+ /etc/resolv.conf)
+ myhostname="$myhostname${mydom:+.$mydom}"
+ fi
+ else
+ myhostname="UNKNOWN"
+ fi
+ fi
+ mydomain=${myhostname#*.}
+
+ if [ -n "$NEWCONF" ]; then
+ fset_all_changed true
+ alias_maps=hash:/etc/aliases
+ nis_status=$(dpkg -l nis 2>/dev/null | sed -n '$p')
+ if [ "X$nis_status" != "X${nis_status#i}" ] && [ -x /usr/bin/ypcat ] &&
+ /usr/bin/ypcat mail.aliases >/dev/null 2>&1; then
+ alias_maps="hash:/etc/aliases, nis:mail.aliases"
+ cat << EOF
+It appears that you have an NIS map for mail aliases; using that in
+addition to /etc/aliases.
+
+EOF
+ fi
+ if [ -n "$myhostname" ]; then
+ echo "setting myhostname: $myhostname"
+ set_postconf "myhostname=$myhostname"
+ fi
+ echo "setting alias maps"
+ set_postconf "alias_maps=$alias_maps"
+ echo "setting alias database"
+ set_postconf "alias_database=hash:/etc/aliases"
+ fi
+
+ db_fget postfix/mailname changed
+ if [ "$RET" = "true" ]; then
+ db_get postfix/mailname && mailname="$RET"
+ if [ -f /etc/mailname ] && [ "X$(cat /etc/mailname)" = "X$mailname" ]; then
+ MAILNAME=""
+ else
+ MAILNAME=yes
+ fi
+ if [ "X${mailname%.*}" != "X${mailname}" ]; then
+ if [ -n "$MAILNAME" ]; then
+ echo "changing /etc/mailname"
+ echo $mailname > /etc/mailname
+ fi
+ echo "setting myorigin"
+ set_postconf "myorigin=/etc/mailname"
+ else
+ echo "mailname is not a fully qualified domain name. Not changing /etc/mailname."
+ fi
+ fi
+ db_fget postfix/destinations changed
+ if [ "$RET" = "true" ]; then
+ db_get postfix/destinations && destinations="$RET"
+ echo "setting destinations: $destinations"
+ set_postconf "mydestination=$destinations"
+ fi
+ db_fget postfix/relayhost changed
+ if [ "$RET" = "true" ]; then
+ db_get postfix/relayhost && relayhost="$RET"
+ echo "setting relayhost: $relayhost"
+ set_postconf "relayhost=$relayhost"
+ fi
+ db_fget postfix/mynetworks changed
+ if [ "$RET" = "true" ]; then
+ db_get postfix/mynetworks && mynetworks="$RET"
+ if [ -z "$RET" ]; then
+ echo "deleting mynetworks"
+ if grep -q '^mynetworks[[:space:]]*=' main.cf; then
+ # need to remove it, get postconf to do the hard part.
+ postconf -e 'mynetworks=127.0.0.0/8'
+ perl -i -ne 'print unless /^mynetworks\s*=/' main.cf
+ fi
+ else
+ echo "setting mynetworks: $mynetworks"
+ set_postconf "mynetworks=$mynetworks"
+ fi
+ fi
+ db_fget postfix/procmail changed
+ if [ "$RET" = "true" ]; then
+ db_get postfix/procmail && useprocmail="$RET"
+ if [ "x$useprocmail" = "xtrue" ]; then
+ echo "setting mailbox_command"
+ set_postconf 'mailbox_command=procmail -a "$EXTENSION"'
+ else
+ if grep -q ^mailbox_command /etc/kolab-postfix/main.cf; then
+ echo "clearing mailbox_command"
+ set_postconf "mailbox_command="
+ fi
+ fi
+ fi
+ db_fget postfix/mailbox_limit changed
+ if [ "$RET" = "true" ]; then
+ db_get postfix/mailbox_limit && mailbox_limit="$RET"
+ echo "setting mailbox_size_limit: $mailbox_limit"
+ set_postconf "mailbox_size_limit=$mailbox_limit"
+ fi
+
+ db_fget postfix/recipient_delim changed
+ if [ "$RET" = "true" ]; then
+ db_get postfix/recipient_delim && recip="$RET"
+ echo "setting recipient_delimiter: $recip"
+ set_postconf "recipient_delimiter=$recip"
+ fi
+
+ db_fget postfix/main_mailer_type changed
+ if [ "$RET" = "true" ]; then
+ # already have mailer
+ case "$mailer" in
+ "Local only") val=loopback-only;;
+ "Satellite system") val=loopback-only;;
+ *) val=all;;
+ esac
+ echo "setting inet_interfaces: $val"
+ set_postconf "inet_interfaces=$val"
+ fi
+
+ if [ -z "$CHANGES" ]; then
+ MSG="configuration was not changed"
+ else if [ -n "$NEWCONF" ]; then
+ MSG="is now set up with a default configuration"
+ else
+ MSG="is now set up with the changes above"
+ fi
+ fi
+else # ] No configuration [
+ if [ -f main.cf ]; then
+ MSG="configuration was untouched"
+ else
+ MSG="was not set up. Start with
+ cp /usr/share/kolab-postfix/main.cf.debian /etc/kolab-postfix/main.cf
+"
+ # make sure that we don't try anything stupid below.
+ NEWALIASES=""
+ rm -f /var/spool/kolab-postfix/restart /var/spool/kolab-postfix/reload
+ fi
+fi # not 'No configuration' ]
+
+if [ ! -f /etc/aliases ]; then # no /etc/aliases [
+ echo "/etc/aliases does not exist, creating it."
+ cat << EOF > /etc/aliases
+# See man 5 aliases for format
+postmaster: root
+EOF
+ if [ "$mailer" != "No configuration" ]; then # [
+ db_fget postfix/root_address changed
+ if [ "$RET" = "true" ]; then
+ db_get postfix/root_address && root_addr="$RET"
+ ret=$(echo $RET | tr '[A-Z]' '[a-z]')
+ if [ "$ret" != "none" ]; then
+ echo "root: $RET" >> /etc/aliases
+ fi
+ fi
+ fi # not 'No configuration' ]
+fi # ] no /etc/aliases
+
+fset_all_changed false
+
+fold -s << EOF
+
+Postfix $MSG. If you need to make changes, edit
+/etc/kolab-postfix/main.cf (and others) as needed. To view Postfix configuration
+values, see postconf(1).
+
+After modifying main.cf, be sure to run '/etc/init.d/kolab-postfix reload'.
+
+EOF
+
+# all done with debconf here.
+db_stop
+
+fix_master
+
+if [ -n "$NEWALIASES" ]; then
+ echo "Running newaliases"
+ rm -f /etc/aliases.db # handle the roll to db2.0
+ # newaliases chokes if hostname not set
+ if [ -z "$(postconf -h myhostname||true)" ]; then
+ cp -a main.cf main.cf.dpkg.$$
+ postconf -e 'myhostname=debian'
+ newaliases
+ mv main.cf.dpkg.$$ main.cf
+ else
+ newaliases
+ fi
+fi
+
+[ -x /usr/sbin/invoke-rc.d ] && \
+ INIT="invoke-rc.d kolab-postfix" || \
+ INIT="/etc/init.d/kolab-postfix"
+# start postfix
+if [ -f /var/spool/kolab-postfix/restart ]; then
+ rm -f /var/spool/kolab-postfix/restart
+ ${INIT} start
+else
+ # or maybe just restart postfix
+ if [ -f /var/spool/kolab-postfix/reload ]; then
+ rm -f /var/spool/kolab-postfix/reload
+ ${INIT} restart
+ fi
+fi
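Review bot: `set_maildrop_perms` registers and removes its statoverride on `/var/spool/postfix/public`, while every other path in this script hangs off `CHROOT=/var/spool/kolab-postfix`, so the `public` directory this package actually creates keeps the `postfix:root 755` mode from the `makedir` loop and never receives the `02710 postfix:postdrop` override that the set-group-id postdrop/postqueue scheme appears to expect (the postrm in this commit then tries to remove an override on the kolab path that was never added). Use the variable on both lines: `dpkg-statoverride --remove ${CHROOT}/public >/dev/null 2>&1 || true` and `dpkg-statoverride --update --add postfix postdrop 02710 ${CHROOT}/public`. Separately, the `/etc/hostname` fallback tests `$hostname`, which is never assigned in this script — it should be `"${myhostname}"`; as written the unquoted empty expansion gives `test` a malformed expression, so the resolv.conf domain is presumably never appended. The unquoted `[ -n $echoed ]` in `fix_master` is always true, so the "in master.cf:" header is only ever printed by the first branch; quote it as `[ -n "$echoed" ]`.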
Added: trunk/kolab-postfix/debian/postrm
===================================================================
--- trunk/kolab-postfix/debian/postrm 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/postrm 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,35 @@
+#!/bin/sh -e
+
+# Debian Postfix postrm
+
+# LaMont Jones <lamont at debian.org>
+
+case "$1" in
+ remove)
+ ldconfig
+ dpkg-statoverride --remove /usr/sbin/postdrop >/dev/null 2>&1 || true
+ dpkg-statoverride --remove /var/spool/kolab-postfix/public >/dev/null 2>&1 || true
+ dpkg-statoverride --remove /usr/sbin/postqueue >/dev/null 2>&1 || true
+ ;;
+
+ upgrade)
+ ;;
+
+ purge)
+ rm -rf /var/spool/postfix
+ rm -rf /etc/postfix
+ update-rc.d postfix remove >/dev/null
+ userdel postfix >/dev/null 2>&1 || true
+ groupdel postdrop >/dev/null 2>&1 || true
+ groupdel postfix >/dev/null 2>&1 || true
+ ;;
+
+ failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+#DEBHELPER#
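Review bot: The `purge` branch runs `rm -rf /var/spool/postfix` and `rm -rf /etc/postfix`, which are the stock postfix package's queue and configuration directories, not the `/var/spool/kolab-postfix` and `/etc/kolab-postfix` paths this package's postinst populates — purging kolab-postfix would destroy another MTA's queue and config (mail loss) while leaving its own files behind. The init registration is inconsistent in the same way: `update-rc.d postfix remove` pairs with an init script that debian/rules installs as `/etc/init.d/kolab-postfix`. Change these to `rm -rf /var/spool/kolab-postfix`, `rm -rf /etc/kolab-postfix` and `update-rc.d kolab-postfix remove >/dev/null`. Whether `userdel postfix` / `groupdel postfix` on purge is safe depends on whether the control file allows stock postfix to be co-installed, which is not visible in this chunk; if it can, those accounts are shared and should not be removed here.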
Added: trunk/kolab-postfix/debian/preinst
===================================================================
--- trunk/kolab-postfix/debian/preinst 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/preinst 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,251 @@
+#!/bin/sh -e
+
+# Debian Postfix preinst
+# LaMont Jones <lamont at debian.org>
+# Modified to use debconf by Colin Walters <levanti at verbum.org>
+
+# do we have debconf?
+if [ -f /usr/share/debconf/confmodule ]; then
+ . /usr/share/debconf/confmodule
+ DEBCONF=true
+else
+ DEBCONF=
+fi
+
+dpkg_vers=$(dpkg --status dpkg | sed -n '/Version: /s/^Version: //p')
+CONFIG=/etc/postfix/main.cf
+MASTER=/etc/postfix/master.cf
+POSTDROP=/usr/sbin/postdrop
+
+dynamicmaps_warning() {
+ if [ -n "$DEBCONF" ]; then
+ db_fset postfix/dynamicmaps_upgrade_warning seen false
+ db_input medium postfix/dynamicmaps_upgrade_warning || true
+ db_go || true
+ db_get postfix/dynamicmaps_upgrade_warning
+ if [ "$RET" = "false" ]; then
+ echo "aborting postfix install"
+ exit 1
+ fi
+ else
+ # no debconf, fall back
+ cat << EOF
+Postfix version 2.0.2 and later require changes in dynamicmaps.cf.
+Specifically, wildcard support is gone, and with it %s expansion. Any
+changes that you made to dynamicmaps.cf that relied on these features will
+need to be fixed by you. Failure to correct these will result in a broken
+mailer. Shall I make the changes?
+EOF
+ echo -n "Shall I make the changes? "
+ read line
+ case ${line} in
+ [nN]*) echo "aborting postfix install"
+ exit 1
+ ;;
+ esac
+ fi
+}
+
+nqmgr_warning() {
+ if [ -n "$DEBCONF" ]; then
+ db_fset postfix/nqmgr_upgrade_warning seen false
+ db_input medium postfix/nqmgr_upgrade_warning || true
+ db_go || true
+ db_get postfix/nqmgr_upgrade_warning
+ if [ "$RET" = "false" ]; then
+ echo "aborting postfix install"
+ exit 1
+ fi
+ else
+ # no debconf, fall back
+ cat << EOF
+Postfix version 2.1 has renamed nqmgr to qmgr. Shall I make the change?
+EOF
+ echo -n "Shall I make the change? "
+ read line
+ case ${line} in
+ [nN]*) echo "aborting postfix install"
+ exit 1
+ ;;
+ esac
+ fi
+}
+
+master_warning() {
+ if [ -n "$DEBCONF" ]; then
+ db_fset postfix/master_upgrade_warning seen false
+ db_input medium postfix/master_upgrade_warning || true
+ db_go || true
+ db_get postfix/master_upgrade_warning
+ if [ "$RET" = "false" ]; then
+ echo "aborting postfix install"
+ exit 1
+ fi
+ else
+ # no debconf, fall back
+ cat << EOF
+Postfix version 2.1 and later require new services in master.cf.
+Shall I make the changes?
+EOF
+ echo -n "Shall I make the changes? "
+ read line
+ case ${line} in
+ [nN]*) echo "aborting postfix install"
+ exit 1
+ ;;
+ esac
+ fi
+}
+
+transport_map_warning() {
+ if [ -n "$DEBCONF" ]; then
+ db_input critical postfix/transport_map_warning || true
+ db_go || true
+ else
+ # no debconf, fall back
+ cat << EOF
+You have a transport map defined, and there is an incompatible change
+in how transport maps are used. Postfix will not be restarted
+automatically.
+
+Transport map entries override mydestination. If you use transport
+maps, it is better to always have explicit entries for all domain
+names you have in \$mydestination. See the html/faq.html sections
+for firewalls and intranets.
+
+If you have transport entries for parent domains of anything delivered
+locally, you will probably need to add specific entries for the
+destination domains before you restart Postfix.
+EOF
+ echo -n "Press [ENTER] "
+ read line
+ fi
+ # don't automatically restart postfix now
+ rm -f /var/spool/postfix/restart
+}
+
+db_upgrade_warning() {
+ if [ -n "$DEBCONF" ]; then
+ db_fset postfix/db_upgrade_warning seen false
+ db_input low postfix/db_upgrade_warning || true
+ db_go || true
+ db_get postfix/db_upgrade_warning
+ #else
+ # deal with it in postinst
+ fi
+}
+
+(umask 022; mkdir -p /var/spool/postfix)
+
+case "$1" in
+ install)
+ rm -f /var/spool/postfix/restart /var/spool/postfix/reload
+ # workaround sendmail not unregistering itself...
+ if [ -e /etc/suid.conf ] && [ -x /usr/sbin/suidunregister ]; then
+ if grep -q sendmail /etc/suid.conf; then
+ /usr/sbin/suidunregister -s postfix /usr/sbin/sendmail
+ fi
+ fi
+
+ if [ -L /etc/postfix/postfix-script ]; then
+ rm -f /etc/postfix/postfix-script
+ fi
+
+ ;;
+
+ upgrade)
+ version=$2
+ if [ -d /var/spool/postfix ] && [ -f /etc/postfix/main.cf ]; then
+ touch /var/spool/postfix/restart
+ fi
+ export LANG=C # for the comparison of mail version...
+
+ if dpkg --compare-versions $version lt 0.0.19991231; then
+ if [ -f $CONFIG ] && [ -n "$(postconf -h transport_maps)" ]; then
+ transport_map_warning
+ fi
+ fi
+
+ if [ -L /etc/postfix/postfix-script ]; then
+ rm -f /etc/postfix/postfix-script
+ fi
+
+ if dpkg --compare-versions $version lt 0.0.20001217.SNAPSHOT-4; then
+ if dpkg --compare-versions $dpkg_vers ge 1.8 &&
+ [ -x /usr/sbin/addgroup ]; then
+ # was postdrop setgid before? If so, add the override.
+ set -- $(ls -l $POSTDROP)
+ sgid=${1#??????}
+ if [ "${sgid%???}" = "s" ]; then
+ if ! chgrp postdrop $POSTDROP 2>/dev/null; then
+ addgroup postdrop || true
+ fi
+ dpkg-statoverride --remove $POSTDROP >/dev/null 2>&1 || true
+ dpkg-statoverride --add root postdrop 02555 $POSTDROP
+ fi
+ fi
+ fi
+
+ if dpkg --compare-versions $version lt 2.0.7-4; then
+ # are there any maps that need to be converted?
+ # Likewise, if there's no config, then there is nothing to
+ # upgrade...
+ if [ -f $CONFIG ]; then
+ maps=$(postconf -h | tr ' ,\11' '\12\12\12' | sort -u |
+ grep -e hash: -e btree: || true)
+ if [ -n "$maps" ]; then
+ touch /var/spool/postfix/db-upgrade
+ db_upgrade_warning
+ fi
+ fi
+ fi
+
+ # Don't care what version it was, nqmgr is gone (until
+ # it's back again..)
+ if grep -q '^qmgr.*nqmgr' $MASTER; then
+ nqmgr_warning
+ fi
+ sed '/^qmgr[[:space:]]/s/nqmgr/qmgr/' $MASTER > ${MASTER}.$$
+ cp ${MASTER}.$$ $MASTER && rm ${MASTER}.$$
+
+ if dpkg --compare-versions $version lt 2.1.3-1; then
+ oldsum=$(dpkg --status postfix | sed -n '/\/master.cf/s/^.* //p')
+ filesum=$(md5sum < $MASTER)
+ if [ "$oldsum" != "$filesum" ]; then
+ master_warning
+ fi
+ fi
+
+ if dpkg --compare-versions $version lt 2.0.2-3; then
+ oldsum=$(dpkg --status postfix | sed -n '/\/dynamicmaps.cf/s/^.* //p')
+ if [ -n "$oldsum" ]; then # not a config file any more.
+ dynamicmaps_warning
+ touch /var/spool/postfix/dynamicmaps_upgrade
+ fi
+ else
+ rm -f /var/spool/postfix/dynamicmaps_upgrade
+ fi
+
+ if [ ! start-stop-daemon -K -q -o \
+ --pidfile /var/spool/postfix/pid/master.pid \
+ --exec /usr/lib/postfix/master 2>/dev/null ]; then :; fi
+ ;;
+
+ abort-upgrade)
+ ;;
+
+ *)
+ echo "preinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+if [ install = "$1" -o upgrade = "$1" ]; then
+ # cleanup after past mistakes.
+ rm -f /usr/sbin/postconf.postfix
+ dpkg-divert --package postfix-tls --remove \
+ --divert /usr/sbin/postconf.postfix \
+ /usr/sbin/postconf >/dev/null 2>/dev/null
+fi
+
+#DEBHELPER#
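Review bot: All of the paths in this preinst are the stock postfix ones — `CONFIG=/etc/postfix/main.cf`, `MASTER=/etc/postfix/master.cf`, and the `restart`, `reload`, `db-upgrade` and `dynamicmaps_upgrade` flag files under `/var/spool/postfix` — while the postinst in this same commit reads those flags from `/var/spool/kolab-postfix` and edits `/etc/kolab-postfix/master.cf`. The preinst/postinst handshake therefore never fires (no restart or reload after an upgrade, no db conversion, no dynamicmaps cleanup), the `nqmgr`→`qmgr` rewrite and the transport-map check are applied to another package's files, and `dpkg --status postfix` compares against the wrong package's conffile checksums. Introduce `SPOOL=/var/spool/kolab-postfix`, set `CONFIG=/etc/kolab-postfix/main.cf` and `MASTER=/etc/kolab-postfix/master.cf`, and use them for every occurrence. The closing `if [ ! start-stop-daemon -K -q -o ... ]` hands the daemon's arguments to `test` instead of executing anything, so it can only emit an error from `test` — either run `start-stop-daemon ... || true` directly or delete the line.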
Added: trunk/kolab-postfix/debian/prerm
===================================================================
--- trunk/kolab-postfix/debian/prerm 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/prerm 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,43 @@
+#!/bin/sh -e
+
+# Debian Postfix prerm
+# LaMont Jones <lamont at debian.org>
+
+case "$1" in
+ upgrade)
+ new=$2 # get new version
+ /etc/init.d/postfix stop
+ if dpkg --compare-versions $new lt 0.0.20020113.SNAPSHOT-1; then
+ # Need to handle some changes in services.
+ MASTER=/etc/postfix/master.cf
+ if grep -qE '^cleanup[[:space:]]+unix[[:space:]]+n' ${MASTER}; then
+ echo "in master.cf:"
+ echo " forcing pickup=privileged, cleanup=private, flush=private"
+ sed 's/^\(cleanup[[:space:]]*unix[[:space:]]*\)n/\1-/
+ s/^\(flush[[:space:]]*unix[[:space:]]*\)n/\1-/
+ s/^\(pickup[[:space:]]*fifo[[:space:]]*.[[:space:]]*\)-/\1n/
+ ' ${MASTER} > ${MASTER}.$$
+ mv ${MASTER}.$$ ${MASTER}
+ fi
+ fi
+ ;;
+
+ deconfigure)
+ ;;
+
+ remove)
+ /etc/init.d/postfix stop
+ rm -rf /var/spool/postfix/lib
+ rm -rf /var/spool/postfix/etc
+ ;;
+
+ failed-upgrade)
+ ;;
+
+ *)
+ echo "prerm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+#DEBHELPER#
+exit 0
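Review bot: Both the `upgrade` and `remove` branches call `/etc/init.d/postfix stop`, but debian/rules installs this package's init script as `/etc/init.d/kolab-postfix`; under `#!/bin/sh -e` a missing `/etc/init.d/postfix` aborts the prerm and blocks removal or upgrade, and if stock postfix is installed the wrong MTA gets stopped. Use `invoke-rc.d kolab-postfix stop` with the same `/etc/init.d/kolab-postfix` fallback the postinst uses. `MASTER=/etc/postfix/master.cf` and the `rm -rf /var/spool/postfix/lib` / `/var/spool/postfix/etc` cleanup likewise need to point at the kolab-postfix config and spool directories, otherwise removal deletes chroot copies belonging to another package.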
Added: trunk/kolab-postfix/debian/rules
===================================================================
--- trunk/kolab-postfix/debian/rules 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/rules 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,264 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Debianrules for building a Debian package
+# Version 1.5
+#
+# These rules have been specifically designed NOT to require root to
+# run them. At any time root privileges are required, the command to be
+# executed will be made obvious and root's password will be prompted for.
+# Of course, root may still run this and no password will be required.
+#
+# Robert Leslie <rob at mars.org>
+# modified for Postfix by LaMont Jones <lamont at debian.org>
+
+export DH_COMPAT=2
+
+PACKAGE=postfix
+include /usr/share/dpatch/dpatch.make
+
+TLSSRC=tls
+package=kolab-postfix
+base=debian/$(package)
+docpkg=${package}-doc
+docdir=${base}-doc/usr/share/doc/$(package)
+tls=${base}-tls
+tlsdocdir=${base}-doc/usr/share/doc/$(package)-tls
+chlogdir=${base}/usr/share/doc/$(package)
+sharedir=${base}/usr/share/kolab-postfix
+libdir=${base}/usr/lib
+plibdir=usr/lib/kolab-postfix
+sbindir=usr/sbin
+bindir=${base}/usr/bin
+confdir=${base}/etc/kolab-postfix
+
+#ifeq ($(DEB_BUILD_ARCH),sparc)
+# OFLAGS = -O1
+#else
+# OFLAGS = -O1
+#endif
+
+OFLAGS = -O2
+SHELL=/bin/bash
+
+ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))
+DEBUG = -g
+endif
+
+ifneq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+STRIP=y
+endif
+
+CCARGS=-DDEBIAN -DMAX_DYNAMIC_MAPS -DHAS_PCRE -DHAS_LDAP \
+ -DHAS_MYSQL -I/usr/include/mysql \
+ -DHAS_PGSQL -I/usr/include/postgresql
+
+AUXLIBS =
+
+TLSCCARGS=-DUSE_TLS -I/usr/include/openssl -DHAS_SSL \
+ -DUSE_SASL_AUTH -I/usr/include/sasl ${CCARGS} -DUSE_TLS
+
+TLSAUXLIBS=-lssl -lcrypto -lsasl2
+
+DOCFILES=README_FILES/*_README COMPATIBILITY TODO PORTING
+TLSDOCFILES=${TLSSRC}/README ${TLSSRC}/TODO ${TLSSRC}/ACKNOWLEDGEMENTS
+
+TLSDIRS=src/tlsmgr src/smtp.tls src/smtpd.tls src/lmtp.tls
+
+.PHONY: install install-doc binary binary-arch binary-indep clean
+.PHONY: checkroot
+
+build: patch debian/stamp-tlsfiles conf/master.cf.local
+ $(checkdir)
+ ln -sf /usr/lib/libdb3.so debian/libdb.so
+ ${MAKE} makefiles CCARGS="${CCARGS} -UUSE_TLS" DEBUG=${DEBUG} \
+ AUXLIBS="${AUXLIBS} -L$$(pwd)/debian" OPT="$(OFLAGS)"
+ cd lib && for i in dns global master util; do \
+ ln -fs lib$${i}.a libpostfix-$${i}.so.1; \
+ done
+ ${MAKE} LD_LIBRARY_PATH=$$(pwd)/lib:$${LD_LIBRARY_PATH}
+ ${MAKE} manpages
+
+ # now build the TLS stuff.
+ ${MAKE} makefiles CCARGS="${TLSCCARGS}" DEBUG=${DEBUG} \
+ DIRS="${TLSDIRS}" \
+ AUXLIBS="${TLSAUXLIBS} -L$$(pwd)/debian" OPT="$(OFLAGS)"
+ ${MAKE} LD_LIBRARY_PATH=$$(pwd)/lib:$${LD_LIBRARY_PATH} DIRS="${TLSDIRS}"
+ touch $@
+
+conf/master.cf.local: conf/master.cf
+ cp $? $@
+ patch -p0 < debian/patches/master.cf.local
+
+ # now build the TLS stuff.
+debian/stamp-tlsfiles:
+ rm -rf src/*.tls
+ cp -r src/smtp src/smtp.tls
+ cp -r src/lmtp src/lmtp.tls
+ cp -r src/smtpd src/smtpd.tls
+ rm -f src/*.tls/*.[oa]
+ patch -p0 < debian/tls-patch
+ touch $@
+
+install-doc: build
+ dh_clean -k
+ dh_installdirs -i
+ install -m 0444 html/* $(docdir)/html; rm $(docdir)/html/Makefile.in
+ dh_installexamples -p ${docpkg} examples/{qmail-local,smtpd-policy}
+ dh_installexamples -p ${docpkg} -Xmain.cf -Xmaster.cf -Xfiles conf/[a-z]*
+ dh_installexamples -p ${docpkg} conf/main.cf.default
+ install -m 0444 RELEASE_NOTES $(docdir)/RELEASE_NOTES
+ install -m 0444 AAAREADME $(docdir)/README
+ for file in */README; do \
+ install -m 0444 $${file} $(docdir)/README.$${file%/README}; \
+ done
+ rm -f $(docdir)/README.mantools $(docdir)/README.tls-*
+ for file in ${DOCFILES}; do \
+ install -m 0444 $${file} $(docdir)/$${file##*/}; \
+ done
+ rm -f $(docdir)/ULTRIX_README $(docdir)/MACOSX_README
+
+ install -m 0444 include/[!CRS]* ${base}-dev/usr/include/kolab-postfix
+ cd lib; for i in libpostfix-*; do \
+ ln -sf $$i ../${base}-dev/usr/lib/$${i%.1}; \
+ done
+
+ # and the TLS stuff
+ install -m 0444 ${TLSSRC}/doc/[a-z]* $(tlsdocdir)/html
+ install -m 0444 ${TLSSRC}/CHANGES $(tlsdocdir)/changelog
+ for file in ${TLSDOCFILES}; do \
+ install -m 0444 $${file} $(tlsdocdir)/$${file##*/}; \
+ done
+
+install: build
+ dh_clean -k
+ dh_installdirs -a
+ install lib/*.1 $(libdir)
+ install lib/dict_ldap.so ${base}-ldap/${plibdir}
+ install lib/dict_pcre.so ${base}-pcre/${plibdir}
+ install lib/dict_mysql.so ${base}-mysql/${plibdir}
+ install lib/dict_pgsql.so ${base}-pgsql/${plibdir}
+ install lib/dict_tcp.so ${base}/${plibdir}
+ install lib/dict_sdbm.so ${base}-tls/${plibdir}
+ install libexec/[a-z]* ${base}/${plibdir}
+ rm -f ${base}/${plibdir}/*.tls ${base}/${plibdir}/tlsmgr
+ install bin/[a-z]* ${base}/${sbindir}
+ install auxiliary/qshape/qshape.pl ${base}/${sbindir}/qshape
+ rm -f ${base}/${sbindir}/*.tls
+ install -D -m 0444 HISTORY $(chlogdir)/changelog
+ ln -s ../sbin/rmail $(bindir)/rmail
+ ln -s ../sbin/sendmail $(bindir)/newaliases
+ ln -s ../sbin/sendmail $(bindir)/mailq
+ ln -s ../sbin/sendmail ${base}/usr/lib/sendmail
+ install -m 0755 conf/postfix-script $(confdir)/kolab-postfix-script
+ install -m 0755 conf/post-install $(confdir)/kolab-post-install
+ install -m 0644 conf/postfix-files $(confdir)/kolab-postfix-files
+ install -m 0644 conf/main.cf $(sharedir)/main.cf.dist
+ install -m 0644 debian/functions $(sharedir)/postinst.functions
+ install -m 0644 conf/master.cf $(sharedir)/master.cf.dist
+ install -m 0644 conf/master.cf.local $(sharedir)/master.cf.local
+ install -m 0644 conf/main.cf.debian $(sharedir)/main.cf.debian
+
+ install man/man1/*.1 ${base}/usr/share/man/man1
+ install man/man5/*.5 ${base}/usr/share/man/man5
+ for f in man/man8/*.8; do \
+ install $${f} ${base}/usr/share/$${f}postfix; \
+ done
+ install rmail/rmail.8 ${base}/usr/share/man/man8
+ gzip -9 ${base}/usr/share/man/man8/*.8postfix
+ ln -sf bounce.8postfix.gz ${base}/usr/share/man/man8/trace.8postfix.gz
+ ln -sf bounce.8postfix.gz ${base}/usr/share/man/man8/defer.8postfix.gz
+
+ install debian/init.d ${base}/etc/init.d/kolab-postfix
+ install debian/ip-up.d ${base}/etc/ppp/ip-up.d/kolab-postfix
+ install debian/ip-down.d ${base}/etc/ppp/ip-down.d/kolab-postfix
+ install debian/ip-up.d ${base}/etc/network/if-up.d/kolab-postfix
+ install debian/ip-down.d ${base}/etc/network/if-down.d/kolab-postfix
+ install debian/update-libc.d ${base}/etc/resolvconf/update-libc.d/kolab-postfix
+ install -m 0444 debian/lintian-override ${base}/usr/share/lintian/overrides/${package}
+
+ # and the TLS stuff
+ install lib/dict_sdbm.so ${tls}/${plibdir}
+ install libexec/lmtp.tls ${tls}/$(plibdir)/lmtp
+ install libexec/smtp.tls ${tls}/$(plibdir)/smtp
+ install libexec/smtpd.tls ${tls}/$(plibdir)/smtpd
+ install libexec/tlsmgr ${tls}/$(plibdir)/tlsmgr
+ mv ${base}/usr/share/man/man8/tlsmgr.8postfix.gz ${tls}/usr/share/man/man8
+
+debian/vars:
+ cp debian/vars.in $@
+ # This assumes non-native, and at least one hyphen in the version number.
+ echo Upstream=$$(sed 's/^.*(\(.*\)-[^-]*).*/\1/; q' debian/changelog) >> $@
+
+binary-indep: checkroot install-doc debian/vars
+ dh_installdocs -i
+## dh_installexamples -i
+## dh_installmenu -i
+## dh_installcron -i
+ dh_installchangelogs -i
+ dh_installdebconf -i
+ dh_compress -i
+ dh_fixperms -i
+ dh_installdeb -i
+ for i in $$(sed -n '/^Package:/s/^.* //p' debian/control); do cat debian/vars >> debian/$$i.substvars; done
+ cat debian/vars.in >> debian/substvars
+ dh_gencontrol -i
+## dh_makeshlibs -i
+ dh_md5sums -i
+ dh_builddeb -i
+
+binary-arch: checkroot build install debian/vars
+
+ dh_installdocs -a
+## dh_installexamples -a
+## dh_installmenu -a
+## dh_installcron -a
+ dh_installchangelogs -a
+ dh_installdebconf -a
+## dh_movefiles -a
+ [ -n "$(STRIP)" ] || dh_strip -a
+ dh_compress -a
+ dh_fixperms -a
+ dh_makeshlibs -a
+ dh_installdeb -a
+ LD_LIBRARY_PATH=$$(pwd)/lib:$${LD_LIBRARY_PATH} dh_shlibdeps -a
+ for i in $$(sed -n '/^Package:/s/^.* //p' debian/control); do cat debian/vars >> debian/$$i.substvars; done
+ cat debian/vars.in >> debian/substvars
+ dh_gencontrol -a
+## dh_makeshlibs -a
+ dh_md5sums -a
+ dh_builddeb -a
+
+
+clean: unpatch
+ $(checkdir)
+ dh_clean build
+ test ! -d ${base} || rm -rf ${base}
+ $(MAKE) tidy
+ if [ -f src/tlsmgr/Makefile.in ]; then $(MAKE) tidy DIRS=src/tlsmgr; fi
+ #rm -rf $$(find debian/* -type d ! -name CVS ! -name po)
+ rm -rf debian/{files*,vars,*substvars,*.debhelper}
+ find .. -name $(package)*.asc -size 0 -maxdepth 1 -exec rm {} ";"
+ chmod +x debian/{pre*,post*}
+ rm -f debian/libdb.so debian/stamp-*
+ rm -rf src/*.tls
+
+buildinfo:
+ @echo; dpkg -l gcc "libc6*" binutils ldso make dpkg-dev $(BUILDINFO) \
+ | awk '$$1 == "ii" { printf("%s-%s\n", $$2, $$3) }' \
+ | tee $(docdir)/buildinfo.Debian; echo
+ chmod 644 $(docdir)/buildinfo.Debian
+
+define checkdir
+ test -f debian/rules
+endef
+
+# Below here is fairly generic really
+
+binary: binary-arch binary-indep
+
+newtemplate:
+ debconf-updatepo
+
+checkroot:
+ $(checkdir)
+ test "`id -u`" -eq 0
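Review bot: `debian/vars` is a real file target with no prerequisites, so once it exists the `Upstream=` value extracted from `debian/changelog` is never regenerated — a changelog bump without `make clean` ships stale substvars into every package. Declare the inputs: `debian/vars: debian/vars.in debian/changelog`. In `install-doc`, `install -m 0444 html/* $(docdir)/html; rm $(docdir)/html/Makefile.in` is chained with `;`, so make only sees the exit status of `rm` and a failed `install` is masked; use `&&`. The `conf/master.cf.local` recipe copies the file before running `patch`, so a failed patch leaves a newer, unpatched target that looks up to date — adding `.DELETE_ON_ERROR:` near the top would remove it on failure.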
Property changes on: trunk/kolab-postfix/debian/rules
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/kolab-postfix/debian/shlibs
===================================================================
--- trunk/kolab-postfix/debian/shlibs 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/shlibs 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,4 @@
+libpostfix-util 1 postfix
+libpostfix-global 1 postfix
+libpostfix-dns 1 postfix
+libpostfix-master 1 postfix
Added: trunk/kolab-postfix/debian/templates
===================================================================
--- trunk/kolab-postfix/debian/templates 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/templates 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,215 @@
+Template: postfix/dynamicmaps_upgrade_warning
+Type: boolean
+_Description: Correct dynamicmaps.cf for upgrade?
+ Postfix version 2.0.2 and later require changes in dynamicmaps.cf.
+ Specifically, wildcard support is gone, and with it, %s expansion. Any
+ changes that you made to dynamicmaps.cf that relied on these features will
+ need to be fixed by you. Failure to correct these will result in a broken
+ mailer.
+ .
+ Should dynamicmaps.cf be automatically changed? Decline this option to
+ abort the upgrade, giving you the opportunity to eliminate wildcard and
+ %s-expansion-dependent configuration. Accept this option if you have no
+ such configuration, and automatically make dynamicmaps.cf compatible with
+ Postfix 2.0.2 in this respect.
+
+Template: postfix/master_upgrade_warning
+Type: boolean
+_Description: Correct master.cf for upgrade?
+ Postfix version 2.1 and later require new services in master.cf.
+ .
+ Should this configuration be automatically added to master.cf? Decline
+ this option to abort the upgrade, giving you the opportunity to add this
+ configuration yourself. Accept this option to automatically make
+ master.cf compatible with Postfix 2.1 in this respect.
+
+Template: postfix/nqmgr_upgrade_warning
+Type: boolean
+_Description: Correct master.cf for upgrade?
+ Postfix version 2.1 renamed "nqmgr" to "qmgr", and you are using "nqmgr".
+ .
+ Failure to fix this will result in a broken mailer. Decline this option
+ to abort the upgrade, giving you the opportunity to add this configuration
+ yourself. Accept this option to automatically make master.cf compatible
+ with Postfix 2.1 in this respect.
+
+Template: postfix/db_upgrade_warning
+Type: boolean
+Default: true
+_Description: Should Postfix upgrade hash and btree maps?
+ Postfix has switched to db4, and this may require maps to be upgraded.
+ .
+ Do you want to automatically attempt the conversion?
+
+Template: postfix/transport_map_warning
+Type: note
+_Description: Transport map incompatibility
+ You have a transport map defined, and there is an incompatible change in
+ how transport maps are used. Postfix will not be restarted automatically.
+ .
+ Transport map entries override $mydestination. If you use transport maps,
+ it is better to always have explicit entries for all domain names you have
+ in $mydestination. See the html/faq.html sections for firewalls and
+ intranets. If you have transport entries for parent domains of anything
+ delivered locally, you will probably need to add specific entries for the
+ destination domains before you restart Postfix.
+
+Template: postfix/rfc1035_violation
+Type: boolean
+Default: false
+_Description: Bad entry, try again?
+ The string you have entered
+ .
+ "${enteredstring}"
+ .
+ does not follow RFC 1035 and does not appear to be a valid IP address.
+ .
+ RFC 1035 states that "each component must start with an alphanum, end with
+ an alphanum and contain only alphanums and hyphens. Components must be
+ separated by full stops."
+ .
+ Do you want to keep it anyways?
+
+Template: postfix/main_mailer_type
+Type: select
+_Choices: No configuration, Internet Site, Internet with smarthost, Satellite system, Local only
+Default: Internet Site
+_Description: General type of configuration?
+ You have several choices for general configuration at this point. If you
+ have your debconf priority set to 'low' or 'medium', you will be asked
+ more questions later. You can always run "dpkg-reconfigure --priority=low
+ postfix" at a later point if you want to see these questions again.
+ .
+ No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE,
+ CHOOSE THIS OPTION. No configuration changes will be done now: If you
+ have not already configured Postfix, your mail system will be broken and
+ should not be used. You must then do the configuration yourself by editing
+ /usr/share/postfix/main.cf.dist and saving your changes as
+ /etc/postfix/main.cf, or by running dpkg-reconfigure Postfix. main.cf
+ will not be modified by the Postfix install process.
+ .
+ Internet site - mail is sent and received directly using SMTP. If your
+ needs don't fit neatly into any category, you probably want to start with
+ this one and then edit the config file by hand.
+ .
+ Internet site using smarthost - You receive Internet mail on this machine,
+ either directly by SMTP or by running a utility such as fetchmail.
+ Outgoing mail is sent using a smarthost. optionally with addresses
+ rewritten. This is probably what you want for a dialup system.
+ .
+ Satellite system - All mail is sent to another machine, called a "smart
+ host" for delivery. root and postmaster mail is delivered according to
+ /etc/aliases. No mail is received locally.
+ .
+ Local delivery only - You are not on a network. Mail for local users is
+ delivered.
+
+Template: postfix/not_configured
+Type: note
+_Description: WARNING: Postfix not configured
+ You have chosen "No Configuration" - Postfix will not be configured and
+ will not be started by default. Please run 'dpkg-reconfigure postfix' at
+ a later date, or configure it yourself by:
+ .
+ 1) Editing /etc/postfix/main.cf to your liking
+ .
+ 2) Running /etc/init.d/postfix start
+
+Template: postfix/mailname
+Type: string
+_Default: /etc/mailname
+_Description: Mail name?
+ Your `mail name' is the hostname portion of the address to be shown on
+ outgoing news and mail messages (following the username and @ sign).
+ .
+ This name will be used by other programs besides Postfix; it should be the
+ single, full domain name (FQDN) from which mail will appear to originate.
+
+Template: postfix/destinations
+Type: string
+_Description: Other destinations to accept mail for? (blank for none)
+ Give a comma-separated list of domains that this machine should consider
+ itself the final destination for. If this is a mail domain gateway, you
+ probably want to include the top-level domain.
+
+Template: postfix/relayhost
+Type: string
+_Description: SMTP relay host? (blank for none)
+ Specify a domain, host, host:port, [address] or [address]:port. Use the
+ form [destination] to turn off MX lookups. Leave this blank for no relay
+ host.
+ .
+ The relayhost parameter specifies the default host to send mail to when no
+ entry is matched in the optional transport(5) table. When no relayhost is
+ given, mail is routed directly to the destination.
+
+Template: postfix/procmail
+Type: boolean
+_Description: Use procmail for local delivery?
+ Do you want to use procmail to deliver local mail?
+ .
+ Note that if you use procmail to deliver mail system-wide, you should set
+ up an alias that forwards mail for root to a real user.
+
+Template: postfix/recipient_delim
+Type: string
+_Default: +
+_Description: Local address extension character?
+ What character defines a local address extension?
+ .
+ To not use address extensions, leave the string blank.
+
+Template: postfix/bad_recipient_delimiter
+Type: note
+_Description: Bad recipient delimiter
+ The recipient delimiter is a single character, you entered too many
+ characters. Please try again.
+ .
+ "${enteredstring}"
+
+Template: postfix/chattr
+Type: boolean
+_Default: false
+_Description: Force synchronous updates on mail queue?
+ If synchronous updates are forced, then mail is processed more slowly.
+ If not forced, then there is a remote chance of losing some mail if
+ the system crashes at an inopportune time, and you are not using a
+ journaled filesystem (such as ext3).
+ .
+ The default is "off".
+
+Template: postfix/mynetworks
+Type: string
+_Default: 127.0.0.0/8
+_Description: Local networks?
+ For what network blocks should this machine relay mail? The default is
+ just the local host, which is needed by some mail user agents.
+ .
+ If this is a smarthost for a block of machines, you need to specify the
+ netblocks here, or mail will be rejected rather than relayed.
+ .
+ To use the postfix default (which is based on connected networks), enter
+ an empty string.
+
+Template: postfix/mailbox_limit
+Type: string
+_Default: 0
+_Description: Mailbox size limit
+ What limit should Postfix place on mailbox files to prevent runaway
+ software errors. A value of zero (0) means no limit. (The upstream
+ default is 51200000.)
+
+Template: postfix/root_address
+Type: string
+_Default: NONE
+_Description: Where should mail for root go
+ The user root (and any other users with a uid of 0) must have mail
+ redirected via an alias, or their mail may be delivered to
+ /var/mail/nobody. This is by design: mail is not delivered to external
+ delivery agents as root.
+ .
+ If you already have a /etc/aliases file, then you possibly need to add
+ this entry. (I will only add it if I am creating a new /etc/aliases.)
+ .
+ What address should I add to /etc/aliases, if I create the file? (Enter
+ NONE to not add one.)
Added: trunk/kolab-postfix/debian/tls-patch
===================================================================
--- trunk/kolab-postfix/debian/tls-patch 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/tls-patch 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,42 @@
+diff -ur src/lmtp.tls.orig/Makefile.in src/lmtp.tls/Makefile.in
+--- src/lmtp.tls.orig/Makefile.in 2003-03-16 21:38:09.000000000 -0700
++++ src/lmtp.tls/Makefile.in 2003-03-16 21:36:10.000000000 -0700
+@@ -13,7 +13,7 @@
+ DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE)
+ CFLAGS = $(DEBUG) $(OPT) $(DEFS)
+ TESTPROG=
+-PROG = lmtp
++PROG = lmtp.tls
+ INC_DIR = ../../include
+ LIBS = ../../lib/libmaster.a ../../lib/libglobal.a ../../lib/libdns.a ../../lib/libutil.a
+
+diff -ur src/smtp.tls.orig/Makefile.in src/smtp.tls/Makefile.in
+--- src/smtp.tls.orig/Makefile.in 2003-03-16 21:38:10.000000000 -0700
++++ src/smtp.tls/Makefile.in 2003-03-16 21:36:10.000000000 -0700
+@@ -13,9 +13,9 @@
+ DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE)
+ CFLAGS = $(DEBUG) $(OPT) $(DEFS)
+ TESTPROG= smtp_unalias
+-PROG = smtp
++PROG = smtp.tls
+ INC_DIR = ../../include
+-LIBS = ../../lib/libmaster.a ../../lib/libglobal.a ../../lib/libdns.a ../../lib/libutil.a
++LIBS = ../../lib/libmaster.a ../../lib/libglobal.a ../../lib/libdns.a ../../lib/libutil.a ../../lib/pfixtls.o
+
+ .c.o:; $(CC) $(CFLAGS) -c $*.c
+
+diff -ur src/smtpd.tls.orig/Makefile.in src/smtpd.tls/Makefile.in
+--- src/smtpd.tls.orig/Makefile.in 2003-03-16 21:38:10.000000000 -0700
++++ src/smtpd.tls/Makefile.in 2003-03-16 21:36:11.000000000 -0700
+@@ -12,9 +12,9 @@
+ DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE)
+ CFLAGS = $(DEBUG) $(OPT) $(DEFS)
+ TESTPROG= smtpd_token smtpd_check
+-PROG = smtpd
++PROG = smtpd.tls
+ INC_DIR = ../../include
+-LIBS = ../../lib/libmaster.a ../../lib/libglobal.a ../../lib/libdns.a ../../lib/libutil.a
++LIBS = ../../lib/libmaster.a ../../lib/libglobal.a ../../lib/libdns.a ../../lib/libutil.a ../../lib/pfixtls.o
+
+ .c.o:; $(CC) $(CFLAGS) -c $*.c
+
Added: trunk/kolab-postfix/debian/update-libc.d
===================================================================
--- trunk/kolab-postfix/debian/update-libc.d 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/update-libc.d 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1,9 @@
+#!/bin/sh -e
+
+# make sure we're still here...
+[ -x /usr/sbin/postconf ] || exit 0
+
+cp /etc/resolv.conf $(/usr/sbin/postconf -h queue_directory)/etc/resolv.conf
+/etc/init.d/postfix reload >/dev/null 2>&1
+
+exit 0
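Review bot: The destination on the `cp` line is built from an unquoted, unchecked `$(/usr/sbin/postconf -h queue_directory)`; if postconf fails or prints nothing (a broken main.cf during an upgrade), the target collapses to `/etc/resolv.conf` itself, `cp` fails with "same file", and under `-e` the hook exits non-zero before reaching `exit 0`, which can abort the libc upgrade that triggered it. I would capture the value and validate it first: `queue_dir=$(/usr/sbin/postconf -h queue_directory) || exit 0`, `[ -n "$queue_dir" ] && [ -d "$queue_dir/etc" ] || exit 0`, `cp /etc/resolv.conf "$queue_dir/etc/resolv.conf"`. The `reload` on the next line is presumably best-effort (its output is discarded), but with `-e` a failing reload also makes the hook exit non-zero, so append `|| true` if that is the intent. A comment such as `# keep the chroot copy of resolv.conf in sync with the host` would also explain why this file exists at all.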
Added: trunk/kolab-postfix/debian/vars.in
===================================================================
--- trunk/kolab-postfix/debian/vars.in 2006-01-09 15:38:02 UTC (rev 123)
+++ trunk/kolab-postfix/debian/vars.in 2006-01-09 16:43:55 UTC (rev 124)
@@ -0,0 +1 @@
+Description=Postfix is Wietse Venema's mail transport agent that started life as an${Newline} alternative to the widely-used Sendmail program. Postfix attempts to${Newline} be fast, easy to administer, and secure, while at the same time being${Newline} sendmail compatible enough to not upset existing users. Thus, the outside${Newline} has a sendmail-ish flavor, but the inside is completely different.