type => 'string',
},
clamav_heuristic_score => {
- description => "Score for ClamAV heuristics (Encrypted Archives/Documents, Google Safe Browsing database, PhishingScanURLs, ...).",
+ description => "Score for ClamAV heuristics (Encrypted Archives/Documents, PhishingScanURLs, ...).",
type => 'integer',
minimum => 0,
maximum => 1000,
description => "Text for 'From' header in daily spam report mails.",
type => 'string',
},
+ quarantinelink => {
+ description => "Enables user self-service for Quarantine Links. Caution: this is accessible without authentication",
+ type => 'boolean',
+ default => 0,
+ },
};
}
allowhrefs => { optional => 1 },
port => { optional => 1 },
protocol => { optional => 1 },
+ quarantinelink => { optional => 1 },
};
}
minimum => 0,
default => 0,
},
+ # FIXME: remove for PMG 8.0 - https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html
safebrowsing => {
- description => "Enables support for Google Safe Browsing.",
+ description => "Enables support for Google Safe Browsing. (deprecated option, will be ignored)",
+ type => 'boolean',
+ default => 0
+ },
+ scriptedupdates => {
+ description => "Enables ScriptedUpdates (incremental download of signatures)",
type => 'boolean',
default => 1
},
maxscansize => { optional => 1 },
dbmirror => { optional => 1 },
maxcccount => { optional => 1 },
- safebrowsing => { optional => 1 },
+ safebrowsing => { optional => 1 }, # FIXME: remove for PMG 8.0
+ scriptedupdates => { optional => 1},
};
}
default => 1,
},
greylist => {
- description => "Use Greylisting.",
+ description => "Use Greylisting for IPv4.",
type => 'boolean',
default => 1,
},
+ greylistmask4 => {
+ description => "Netmask to apply for greylisting IPv4 hosts",
+ type => 'integer',
+ minimum => 0,
+ maximum => 32,
+ default => 24,
+ },
+ greylist6 => {
+ description => "Use Greylisting for IPv6.",
+ type => 'boolean',
+ default => 0,
+ },
+ greylistmask6 => {
+ description => "Netmask to apply for greylisting IPv6 hosts",
+ type => 'integer',
+ minimum => 0,
+ maximum => 128,
+ default => 64,
+ },
helotests => {
description => "Use SMTP HELO tests.",
type => 'boolean',
max_smtpd_in => { optional => 1 },
max_smtpd_out => { optional => 1 },
greylist => { optional => 1 },
+ greylistmask4 => { optional => 1 },
+ greylist6 => { optional => 1 },
+ greylistmask6 => { optional => 1 },
helotests => { optional => 1 },
tls => { optional => 1 },
tlslog => { optional => 1 },
local $/ = undef; # slurp mode
- my $raw = <$fh> if defined($fh);
+ my $raw;
+ $raw = <$fh> if defined($fh);
return PMG::Config::Base->parse_config($filename, $raw);
}
return $policy;
}
+PVE::JSONSchema::register_format(
+ 'transport-domain-or-nexthop', \&pmg_verify_transport_domain_or_nexthop);
+
+sub pmg_verify_transport_domain_or_nexthop {
+ my ($name, $noerr) = @_;
+
+ if (pmg_verify_transport_domain($name, 1)) {
+ return $name;
+ } elsif ($name =~ m/^(\S+)(?::\d+)?$/) {
+ my $nexthop = $1;
+ if ($nexthop =~ m/^\[(.*)\]$/) {
+ $nexthop = $1;
+ }
+ return $name if pmg_verify_transport_address($nexthop, 1);
+ } else {
+ return undef if $noerr;
+ die "value does not look like a valid domain or next-hop\n";
+ }
+}
+
sub read_tls_policy {
my ($filename, $fh) = @_;
};
if ($line =~ m/^(\S+)\s+(.+)\s*$/) {
- my ($domain, $policy) = ($1, $2);
+ my ($destination, $policy) = ($1, $2);
eval {
- pmg_verify_transport_domain($domain);
+ pmg_verify_transport_domain_or_nexthop($destination);
pmg_verify_tls_policy($policy);
};
if (my $err = $@) {
next;
}
- $tls_policy->{$domain} = {
- domain => $domain,
+ $tls_policy->{$destination} = {
+ destination => $destination,
policy => $policy,
};
} else {
return if !$tls_policy;
- foreach my $domain (sort keys %$tls_policy) {
- my $entry = $tls_policy->{$domain};
+ foreach my $destination (sort keys %$tls_policy) {
+ my $entry = $tls_policy->{$destination};
PVE::Tools::safe_print(
- $filename, $fh, "$entry->{domain} $entry->{policy}\n");
+ $filename, $fh, "$entry->{destination} $entry->{policy}\n");
}
}
PMG::Utils::run_postmap($transport_map_filename);
}
+PVE::JSONSchema::register_format(
+ 'transport-address', \&pmg_verify_transport_address);
+
+sub pmg_verify_transport_address {
+ my ($name, $noerr) = @_;
+
+ if ($name =~ m/^ipv6:($IPV6RE)$/i) {
+ return $name;
+ } elsif (PVE::JSONSchema::pve_verify_address($name, 1)) {
+ return $name;
+ } else {
+ return undef if $noerr;
+ die "value does not look like a valid address\n";
+ }
+}
+
sub read_transport_map {
my ($filename, $fh) = @_;
$host = $1;
$use_mx = 0;
}
- $use_mx = 0 if ($protocol eq "lmtp");
+ $use_mx = 0 if ($protocol eq "lmtp");
- eval { PVE::JSONSchema::pve_verify_address($host); };
+ eval { pmg_verify_transport_address($host); };
if (my $err = $@) {
$parse_error->($err);
next;
PVE::Tools::safe_print($filename, $fh, "#$comment\n")
if defined($comment) && $comment !~ m/^\s*$/;
- my $use_mx = $data->{use_mx};
- $use_mx = 0 if $data->{host} =~ m/^(?:$IPV4RE|$IPV6RE)$/;
+ my $bracket_host = !$data->{use_mx};
if ($data->{protocol} eq 'lmtp') {
- $use_mx = 1;
+ $bracket_host = 0;
$data->{protocol} .= ":inet";
}
+ $bracket_host = 1 if $data->{host} =~ m/^(?:$IPV4RE|(?:ipv6:)?$IPV6RE)$/i;
+ my $host = $bracket_host ? "[$data->{host}]" : $data->{host};
- if ($use_mx) {
- PVE::Tools::safe_print(
- $filename, $fh, "$data->{domain} $data->{protocol}:$data->{host}:$data->{port}\n");
- } else {
- PVE::Tools::safe_print(
- $filename, $fh, "$data->{domain} $data->{protocol}:[$data->{host}]:$data->{port}\n");
- }
+ PVE::Tools::safe_print($filename, $fh, "$data->{domain} $data->{protocol}:$host:$data->{port}\n");
}
}
my $resolv = PVE::INotify::read_file('resolvconf');
my $domain = $resolv->{search} // 'localdomain';
+ # postfix will not parse a hostname with trailing '.'
+ $domain =~ s/^(.*)\.$/$1/;
$dnsinfo->{domain} = $domain;
$dnsinfo->{fqdn} = "$nodename.$domain";
my $host = $data->{host};
if ($host =~ m/^$IPV4RE$/) {
push @$transportnets, "$host/32";
- } elsif ($host =~ m/^$IPV6RE$/) {
- push @$transportnets, "[$host]/128";
+ } elsif ($host =~ m/^(?:ipv6:)?($IPV6RE)$/i) {
+ push @$transportnets, "[$1]/128";
}
}
}
my $mynetworks = [ '127.0.0.0/8', '[::1]/128' ];
- if (my $int_net_cidr = PMG::Utils::find_local_network_for_ip($int_ip, 1)) {
- if ($int_net_cidr =~ m/^($IPV6RE)\/(\d+)$/) {
- push @$mynetworks, "[$1]/$2";
- } else {
- push @$mynetworks, $int_net_cidr;
- }
- } else {
- if ($int_ip =~ m/^$IPV6RE$/) {
- push @$mynetworks, "[$int_ip]/128";
+ if (defined($int_ip)) { # we cannot really do anything and the loopback nets are already added
+ if (my $int_net_cidr = PMG::Utils::find_local_network_for_ip($int_ip, 1)) {
+ if ($int_net_cidr =~ m/^($IPV6RE)\/(\d+)$/) {
+ push @$mynetworks, "[$1]/$2";
+ } else {
+ push @$mynetworks, $int_net_cidr;
+ }
} else {
- push @$mynetworks, "$int_ip/32";
+ if ($int_ip =~ m/^$IPV6RE$/) {
+ push @$mynetworks, "[$int_ip]/128";
+ } else {
+ push @$mynetworks, "$int_ip/32";
+ }
}
}
my $usepolicy = 0;
$usepolicy = 1 if $self->get('mail', 'greylist') ||
- $self->get('mail', 'spf');
+ $self->get('mail', 'greylist6') || $self->get('mail', 'spf');
$vars->{postfix}->{usepolicy} = $usepolicy;
- if ($int_ip =~ m/^$IPV6RE$/) {
+ if (!defined($int_ip)) {
+ warn "could not get node IP, falling back to loopback '127.0.0.1'\n";
+ $vars->{postfix}->{int_ip} = '127.0.0.1';
+ } elsif ($int_ip =~ m/^$IPV6RE$/) {
$vars->{postfix}->{int_ip} = "[$int_ip]";
} else {
$vars->{postfix}->{int_ip} = $int_ip;
return $vars;
}
+# reads the $filename and checks if it's equal as the $cmp string passed
+my sub file_content_equals_str {
+ my ($filename, $cmp) = @_;
+
+ return if !-f $filename;
+ my $current = PVE::Tools::file_get_contents($filename, 128*1024);
+ return defined($current) && $current eq $cmp; # no change
+}
+
# use one global TT cache
our $tt_include_path = ['/etc/pmg/templates' ,'/var/lib/pmg/templates' ];
my $output = '';
- $tt->process($tmplname, $vars, \$output) ||
- die $tt->error() . "\n";
-
- my $old = PVE::Tools::file_get_contents($dstfn, 128*1024) if -f $dstfn;
+ $tt->process($tmplname, $vars, \$output) || die $tt->error() . "\n";
- return 0 if defined($old) && ($old eq $output); # no change
+ return 0 if file_content_equals_str($dstfn, $output); # no change -> nothing to do
PVE::Tools::file_set_contents($dstfn, $output, $perm);
} else {
# empty .forward does not forward mails (see man local)
}
-
- my $old = PVE::Tools::file_get_contents($dstfn, 128*1024) if -f $dstfn;
-
- return 0 if defined($old) && ($old eq $output); # no change
+ return 0 if file_content_equals_str($dstfn, $output); # no change -> nothing to do
PVE::Tools::file_set_contents($dstfn, $output);
$action = 'OK' if !$action;
- my $old = PVE::Tools::file_get_contents($filename, 1024*1024)
- if -f $filename;
-
my $new = '';
foreach my $k (sort keys %$data) {
$new .= "$k $action\n";
}
-
- return 0 if defined($old) && ($old eq $new); # no change
+ return 0 if file_content_equals_str($filename, $new); # no change -> nothing to do
PVE::Tools::file_set_contents($filename, $new);