Diffstat (limited to '')
-rw-r--r--examples/chroot-setup/AIX4212
-rw-r--r--examples/chroot-setup/BSDI24
-rw-r--r--examples/chroot-setup/BSDI34
-rw-r--r--examples/chroot-setup/FREEBSD34
-rw-r--r--examples/chroot-setup/FreeBSD24
-rw-r--r--examples/chroot-setup/HPUX1023
-rw-r--r--examples/chroot-setup/HPUX921
-rw-r--r--examples/chroot-setup/IRIX539
-rw-r--r--examples/chroot-setup/IRIX639
-rw-r--r--examples/chroot-setup/LINUX291
-rw-r--r--examples/chroot-setup/NETBSD14
-rw-r--r--examples/chroot-setup/NEXTSTEP331
-rw-r--r--examples/chroot-setup/OPENSTEP431
-rw-r--r--examples/chroot-setup/OSF121
-rw-r--r--examples/chroot-setup/Solaris10112
-rw-r--r--examples/chroot-setup/Solaris275
-rw-r--r--examples/chroot-setup/Solaris8106
-rw-r--r--examples/qmail-local/qmail-local.txt16
-rw-r--r--examples/smtpd-policy/README.SPF6
-rwxr-xr-xexamples/smtpd-policy/greylist.pl283
20 files changed, 926 insertions, 0 deletions
diff --git a/examples/chroot-setup/AIX42 b/examples/chroot-setup/AIX42
new file mode 100644
index 0000000..41f15b5
--- /dev/null
+++ b/examples/chroot-setup/AIX42
@@ -0,0 +1,12 @@
+umask 022
+mkdir /var/spool/postfix/etc
+chmod 755 /var/spool/postfix/etc
+for i in /etc/environment /etc/netsvc.conf /etc/localtime
+do
+ test -e $i && cp $i /var/spool/postfix/etc
+done
+cp /etc/services /etc/resolv.conf /var/spool/postfix/etc
+mkdir /var/spool/postfix/dev
+chmod 755 /var/spool/postfix/dev
+mknod /var/spool/postfix/dev/null c 2 2
+chmod 666 /var/spool/postfix/dev/null
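Review bot: `mknod /var/spool/postfix/dev/null c 2 2` hard-codes the device numbers, and the next line makes the node mode 666. If 2,2 is not the null device on the host where this is run, the jail ends up with a world-writable node for some other device. The numbers could be read from the host, as the Solaris2 script in this commit does with `ls -lL /dev/${device}`, or the file could at least carry a comment such as `# verify with: ls -l /dev/null (expect major 2, minor 2)`. Separately, `test -e $i && cp $i ...` leaves `$i` unquoted, which is harmless for the three fixed paths but worth quoting for consistency.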
diff --git a/examples/chroot-setup/BSDI2 b/examples/chroot-setup/BSDI2
new file mode 100644
index 0000000..9d7f020
--- /dev/null
+++ b/examples/chroot-setup/BSDI2
@@ -0,0 +1,4 @@
+umask 022
+mkdir /var/spool/postfix/etc
+chmod 755 /var/spool/postfix/etc
+cp /etc/localtime /etc/services /etc/resolv.conf /var/spool/postfix/etc
diff --git a/examples/chroot-setup/BSDI3 b/examples/chroot-setup/BSDI3
new file mode 100644
index 0000000..9d7f020
--- /dev/null
+++ b/examples/chroot-setup/BSDI3
@@ -0,0 +1,4 @@
+umask 022
+mkdir /var/spool/postfix/etc
+chmod 755 /var/spool/postfix/etc
+cp /etc/localtime /etc/services /etc/resolv.conf /var/spool/postfix/etc
diff --git a/examples/chroot-setup/FREEBSD3 b/examples/chroot-setup/FREEBSD3
new file mode 100644
index 0000000..4afb0eb
--- /dev/null
+++ b/examples/chroot-setup/FREEBSD3
@@ -0,0 +1,4 @@
+umask 022
+mkdir /var/spool/postfix/etc
+chmod 755 /var/spool/postfix/etc
+cd /etc ; cp host.conf localtime services resolv.conf /var/spool/postfix/etc
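Review bot: `cd /etc ; cp host.conf localtime services resolv.conf /var/spool/postfix/etc` still runs the cp when the cd fails. The four relative names are then resolved against whatever directory the script was started from, and those files land in the jail's etc. Either chain the two commands, `cd /etc && cp host.conf localtime services resolv.conf /var/spool/postfix/etc`, or use absolute source paths as the BSDI2 file does. The same line appears in FreeBSD2 and, without host.conf, in NETBSD1.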
diff --git a/examples/chroot-setup/FreeBSD2 b/examples/chroot-setup/FreeBSD2
new file mode 100644
index 0000000..4afb0eb
--- /dev/null
+++ b/examples/chroot-setup/FreeBSD2
@@ -0,0 +1,4 @@
+umask 022
+mkdir /var/spool/postfix/etc
+chmod 755 /var/spool/postfix/etc
+cd /etc ; cp host.conf localtime services resolv.conf /var/spool/postfix/etc
diff --git a/examples/chroot-setup/HPUX10 b/examples/chroot-setup/HPUX10
new file mode 100644
index 0000000..c886944
--- /dev/null
+++ b/examples/chroot-setup/HPUX10
@@ -0,0 +1,23 @@
+# Setup chroot jail for HP-UX (9 or 10). -- tiggr (Pieter Schoenmakers)
+
+if test -z "${POSTFIX_DIR}"; then
+ if test -d /usr/spool/postfix; then
+ POSTFIX_DIR=/usr/spool/postfix
+ elif test -d /var/spool/postfix; then
+ POSTFIX_DIR=/var/spool/postfix
+ else
+ echo Please indicate POSTFIX_DIR in the environment >&2
+ exit 2;
+ fi
+fi
+
+set -e
+
+umask 022
+
+cd ${POSTFIX_DIR}
+
+mkdir etc
+cp /etc/services etc
+mkdir -p usr/lib
+cp /usr/lib/tztab usr/lib
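Review bot: `cd ${POSTFIX_DIR}` is unquoted although the value may come straight from the caller's environment, and every later command (`mkdir etc`, `cp /etc/services etc`) is relative to wherever that cd lands. A value containing whitespace or glob characters is word-split before cd sees it, so the files can be written somewhere other than the intended queue directory. Quote it: `cd "${POSTFIX_DIR}"`. The same unquoted cd is in HPUX9, LINUX2, NEXTSTEP3, OPENSTEP4 and OSF1 in this commit.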
diff --git a/examples/chroot-setup/HPUX9 b/examples/chroot-setup/HPUX9
new file mode 100644
index 0000000..ca54c65
--- /dev/null
+++ b/examples/chroot-setup/HPUX9
@@ -0,0 +1,21 @@
+# Setup chroot jail for HP-UX (9 or 10). -- tiggr (Pieter Schoenmakers)
+
+if test -z "${POSTFIX_DIR}"; then
+ if test -d /usr/spool/postfix; then
+ POSTFIX_DIR=/usr/spool/postfix
+ elif test -d /var/spool/postfix; then
+ POSTFIX_DIR=/var/spool/postfix
+ else
+ echo Please indicate POSTFIX_DIR in the environment >&2
+ exit 2;
+ fi
+fi
+
+set -e
+
+umask 022
+
+cd ${POSTFIX_DIR}
+
+mkdir etc
+cp /etc/services etc
diff --git a/examples/chroot-setup/IRIX5 b/examples/chroot-setup/IRIX5
new file mode 100644
index 0000000..a8e3a40
--- /dev/null
+++ b/examples/chroot-setup/IRIX5
@@ -0,0 +1,39 @@
+From owner-postfix-testers@porcupine.org Wed Oct 7 17:19:31 1998
+Delivered-To: wietse@porcupine.org
+Delivered-To: postfix-testers@porcupine.org
+Received: from star.win.or.jp (star.win.or.jp [202.26.20.3])
+ by spike.porcupine.org (Postfix) with ESMTP
+ id 3123445D04; Wed, 7 Oct 1998 17:19:24 -0400 (EDT)
+Received: (from ayamura@localhost)
+ by star.win.or.jp (8.9.1+CL.3.10/8.9.1) id GAA26589;
+ Thu, 8 Oct 1998 06:19:23 +0900 (JST)
+ (envelope-from ayamura)
+From: Ayamura Kikuchi <ayamura@ayamura.org>
+To: postfix-testers@porcupine.org
+Subject: chroot-setup on IRIX
+X-PGP-Fingerprint: 9F 4F FD B6 47 0D 87 65 7B 67 7C A9 70 F3 8C 52
+MIME-Version: 1.0 (generated by SEMI 1.9.0 - "Isurugi")
+Content-Type: text/plain; charset=US-ASCII
+Date: 08 Oct 1998 06:19:22 +0900
+Message-ID: <86u31g3w9x.fsf@star.ayamura.org>
+Lines: 14
+User-Agent: Semi-gnus/6.8.19 SEMI/1.9.0 (Isurugi) FLIM/1.10.1 (Miyamaki) Emacs/20.3.90 (mips-sgi-irix6.2) MULE/4.0 (HANANOEN)
+Sender: owner-postfix-testers@porcupine.org
+Status: RO
+
+# Setup chroot jail for IRIX-5.x or 6.x -- Ayamura Kikuchi <ayamura@ayamura.org>
+
+set -e
+umask 022
+
+#Default POSTFIX_DIR = /var/postfix
+#Else set POSTFIX_DIR in environment
+POSTFIX_DIR=${POSTFIX_DIR-/var/postfix}
+
+/bin/mkdir -p ${POSTFIX_DIR}/etc
+/bin/chmod 755 ${POSTFIX_DIR}
+/bin/cp /etc/services /etc/resolv.conf ${POSTFIX_DIR}/etc
+
+-- Ayamura Kikuchi
+
+
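Review bot: This file is a saved mail message rather than a script. The mbox `From ` line, the headers down to `Status: RO` and the trailing `-- Ayamura Kikuchi` signature are not commented, so a shell given this file would try to interpret them as commands and `<`/`>` redirections. Keep only the body from `# Setup chroot jail for IRIX-5.x or 6.x` through the `/bin/cp` line, or prefix every header and signature line with `#`. Also, `/bin/chmod 755 ${POSTFIX_DIR}` changes the mode of the queue directory itself, where the sibling scripts chmod the `etc` subdirectory; if that was the intent here too it should read `/bin/chmod 755 ${POSTFIX_DIR}/etc`. IRIX6 is the same blob and needs the same treatment.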
diff --git a/examples/chroot-setup/IRIX6 b/examples/chroot-setup/IRIX6
new file mode 100644
index 0000000..a8e3a40
--- /dev/null
+++ b/examples/chroot-setup/IRIX6
@@ -0,0 +1,39 @@
+From owner-postfix-testers@porcupine.org Wed Oct 7 17:19:31 1998
+Delivered-To: wietse@porcupine.org
+Delivered-To: postfix-testers@porcupine.org
+Received: from star.win.or.jp (star.win.or.jp [202.26.20.3])
+ by spike.porcupine.org (Postfix) with ESMTP
+ id 3123445D04; Wed, 7 Oct 1998 17:19:24 -0400 (EDT)
+Received: (from ayamura@localhost)
+ by star.win.or.jp (8.9.1+CL.3.10/8.9.1) id GAA26589;
+ Thu, 8 Oct 1998 06:19:23 +0900 (JST)
+ (envelope-from ayamura)
+From: Ayamura Kikuchi <ayamura@ayamura.org>
+To: postfix-testers@porcupine.org
+Subject: chroot-setup on IRIX
+X-PGP-Fingerprint: 9F 4F FD B6 47 0D 87 65 7B 67 7C A9 70 F3 8C 52
+MIME-Version: 1.0 (generated by SEMI 1.9.0 - "Isurugi")
+Content-Type: text/plain; charset=US-ASCII
+Date: 08 Oct 1998 06:19:22 +0900
+Message-ID: <86u31g3w9x.fsf@star.ayamura.org>
+Lines: 14
+User-Agent: Semi-gnus/6.8.19 SEMI/1.9.0 (Isurugi) FLIM/1.10.1 (Miyamaki) Emacs/20.3.90 (mips-sgi-irix6.2) MULE/4.0 (HANANOEN)
+Sender: owner-postfix-testers@porcupine.org
+Status: RO
+
+# Setup chroot jail for IRIX-5.x or 6.x -- Ayamura Kikuchi <ayamura@ayamura.org>
+
+set -e
+umask 022
+
+#Default POSTFIX_DIR = /var/postfix
+#Else set POSTFIX_DIR in environment
+POSTFIX_DIR=${POSTFIX_DIR-/var/postfix}
+
+/bin/mkdir -p ${POSTFIX_DIR}/etc
+/bin/chmod 755 ${POSTFIX_DIR}
+/bin/cp /etc/services /etc/resolv.conf ${POSTFIX_DIR}/etc
+
+-- Ayamura Kikuchi
+
+
diff --git a/examples/chroot-setup/LINUX2 b/examples/chroot-setup/LINUX2
new file mode 100644
index 0000000..f9c6184
--- /dev/null
+++ b/examples/chroot-setup/LINUX2
@@ -0,0 +1,91 @@
+#! /bin/sh
+
+# LINUX2 - shell script to set up a Postfix chroot jail for Linux
+# Tested on SuSE Linux 5.3 (libc5) and 7.0 (glibc2.1)
+
+# Other testers reported as working:
+#
+# 2001-01-15 Debian sid (unstable)
+# Christian Kurz <shorty@getuid.de>
+
+# Copyright (c) 2000 - 2001 by Matthias Andree
+# Redistributable unter the MIT-style license that follows:
+# Abstract: "do whatever you want except hold somebody liable or change
+# the copyright information".
+
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+
+# 2000-09-29
+# v0.1: initial release
+
+# 2000-12-05
+# v0.2: copy libdb.* for libnss_db.so
+# remove /etc/localtime in case it's a broken symlink
+# restrict find to maxdepth 1 (faster)
+
+# Revision 1.4 2001/01/15 09:36:35 emma
+# add note it was successfully tested on Debian sid
+#
+# 20060101 /lib64 support by Keith Owens.
+#
+
+CP="cp -p"
+
+cond_copy() {
+ # find files as per pattern in $1
+ # if any, copy to directory $2
+ dir=`dirname "$1"`
+ pat=`basename "$1"`
+ lr=`find "$dir" -maxdepth 1 -name "$pat"`
+ if test ! -d "$2" ; then exit 1 ; fi
+ if test "x$lr" != "x" ; then $CP $1 "$2" ; fi
+}
+
+set -e
+umask 022
+
+POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}
+cd ${POSTFIX_DIR}
+
+mkdir -p etc lib usr/lib/zoneinfo
+test -d /lib64 && mkdir -p lib64
+
+# find localtime (SuSE 5.3 does not have /etc/localtime)
+lt=/etc/localtime
+if test ! -f $lt ; then lt=/usr/lib/zoneinfo/localtime ; fi
+if test ! -f $lt ; then lt=/usr/share/zoneinfo/localtime ; fi
+if test ! -f $lt ; then echo "cannot find localtime" ; exit 1 ; fi
+rm -f etc/localtime
+
+# copy localtime and some other system files into the chroot's etc
+$CP -f $lt /etc/services /etc/resolv.conf /etc/nsswitch.conf etc
+$CP -f /etc/host.conf /etc/hosts /etc/passwd etc
+ln -s -f /etc/localtime usr/lib/zoneinfo
+
+# copy required libraries into the chroot
+cond_copy '/lib/libnss_*.so*' lib
+cond_copy '/lib/libresolv.so*' lib
+cond_copy '/lib/libdb.so*' lib
+if test -d /lib64; then
+ cond_copy '/lib64/libnss_*.so*' lib64
+ cond_copy '/lib64/libresolv.so*' lib64
+ cond_copy '/lib64/libdb.so*' lib64
+fi
+
+postfix reload
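Review bot: `$CP -f /etc/host.conf /etc/hosts /etc/passwd etc` puts a full copy of the host's passwd file into the jail, so every local account name, UID, home directory and shell is readable by any chrooted Postfix process. The copy also goes stale as soon as accounts change on the host. The hunk does not say which lookup needs it, so the line should at least be commented, for example `# passwd is copied for user lookups inside the jail; it lists all local accounts and must be refreshed after account changes`. If only a few accounts need to resolve, a filtered file limits what is disclosed. Note also that `set -e` makes the whole script abort if any of the listed /etc files is absent on the host.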
diff --git a/examples/chroot-setup/NETBSD1 b/examples/chroot-setup/NETBSD1
new file mode 100644
index 0000000..53a2361
--- /dev/null
+++ b/examples/chroot-setup/NETBSD1
@@ -0,0 +1,4 @@
+umask 022
+mkdir /var/spool/postfix/etc
+chmod 755 /var/spool/postfix/etc
+cd /etc ; cp localtime services resolv.conf /var/spool/postfix/etc
diff --git a/examples/chroot-setup/NEXTSTEP3 b/examples/chroot-setup/NEXTSTEP3
new file mode 100644
index 0000000..a2f163e
--- /dev/null
+++ b/examples/chroot-setup/NEXTSTEP3
@@ -0,0 +1,31 @@
+# Setup chroot jail for NeXT, NEXTSTEP3.
+# Some remarks to the NEXTSTEP3 jail apply:
+# syslog:
+# Logging with syslog(3) uses a sendto ("/dev/log"). For this to work in
+# the jail, ${POSTFIX_DIR}/dev/log must be a hard link to /dev/log. This
+# fails if /usr/spool/postfix is on another filesystem, and consequently,
+# running chrooted will not be possible, unless you like to run your mail
+# system without logging (not).
+#
+# For this trick to work, the following should be run at every reboot,
+# preferably from /etc/rc, after syslog has been started (and given time
+# to create /dev/log):
+# POSTFIX_DIR=/usr/spool/postfix
+# rm ${POSTFIX_DIR}/dev/log
+# ln /dev/log ${POSTFIX_DIR}/dev/log
+
+set -e
+
+umask 022
+
+POSTFIX_DIR=${POSTFIX_DIR-/usr/spool/postfix}
+
+cd ${POSTFIX_DIR}
+
+# If this fails, running chrooted will be useless.
+mkdir dev
+ln /dev/log dev
+
+mkdir etc etc/zoneinfo
+cp /etc/zoneinfo/localtime etc/zoneinfo
+cp /etc/resolv.conf etc
diff --git a/examples/chroot-setup/OPENSTEP4 b/examples/chroot-setup/OPENSTEP4
new file mode 100644
index 0000000..a2f163e
--- /dev/null
+++ b/examples/chroot-setup/OPENSTEP4
@@ -0,0 +1,31 @@
+# Setup chroot jail for NeXT, NEXTSTEP3.
+# Some remarks to the NEXTSTEP3 jail apply:
+# syslog:
+# Logging with syslog(3) uses a sendto ("/dev/log"). For this to work in
+# the jail, ${POSTFIX_DIR}/dev/log must be a hard link to /dev/log. This
+# fails if /usr/spool/postfix is on another filesystem, and consequently,
+# running chrooted will not be possible, unless you like to run your mail
+# system without logging (not).
+#
+# For this trick to work, the following should be run at every reboot,
+# preferably from /etc/rc, after syslog has been started (and given time
+# to create /dev/log):
+# POSTFIX_DIR=/usr/spool/postfix
+# rm ${POSTFIX_DIR}/dev/log
+# ln /dev/log ${POSTFIX_DIR}/dev/log
+
+set -e
+
+umask 022
+
+POSTFIX_DIR=${POSTFIX_DIR-/usr/spool/postfix}
+
+cd ${POSTFIX_DIR}
+
+# If this fails, running chrooted will be useless.
+mkdir dev
+ln /dev/log dev
+
+mkdir etc etc/zoneinfo
+cp /etc/zoneinfo/localtime etc/zoneinfo
+cp /etc/resolv.conf etc
diff --git a/examples/chroot-setup/OSF1 b/examples/chroot-setup/OSF1
new file mode 100644
index 0000000..dd6ae64
--- /dev/null
+++ b/examples/chroot-setup/OSF1
@@ -0,0 +1,21 @@
+*******************************************************************
+# setup chroot jail for OSF1
+# prabhat@wonder
+set -e
+umask 022
+
+#Default POSTFIX_DIR = /var/spool/postfix
+#Else set POSTFIX_DIR in environment
+
+POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}
+
+cd ${POSTFIX_DIR}
+mkdir etc
+cp /etc/svc.conf /etc/services /etc/resolv.conf etc
+#
+# The following line added to make the timestamps in syslog to be correct.
+# /PetBi@UNIT.LiU.SE
+#
+cp -r /etc/zoneinfo etc
+
+#*******************************************************************
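Review bot: The first line of the new file, the row of `*` characters, is not commented, although the closing rule at the end is `#****…`. A shell running this file glob-expands that line against the current directory and tries to execute the first matching name with the remaining names as arguments, before `set -e` and `cd ${POSTFIX_DIR}` have run. Prefix it with `#` so that it matches the closing rule.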
diff --git a/examples/chroot-setup/Solaris10 b/examples/chroot-setup/Solaris10
new file mode 100644
index 0000000..8647d9a
--- /dev/null
+++ b/examples/chroot-setup/Solaris10
@@ -0,0 +1,112 @@
+#!/bin/sh
+# From original Solaris 8 version by Matthew X. Economou
+# Solaris 10 version updated by JD Bronson. Caution: this copies
+# too many files. There is no need to copy libc.so and other files
+# that are already linked in before a Postfix daemon chroots itself.
+
+COMMAND_DIRECTORY="/usr/sbin"
+DAEMON_DIRECTORY="/usr/libexec/postfix"
+QUEUE_DIRECTORY="/var/spool/postfix"
+
+## Copy any shared libraries, device entries, or configuration files
+## needed by Postfix into the jail.
+binlist="
+$DAEMON_DIRECTORY/virtual
+$DAEMON_DIRECTORY/trivial-rewrite
+$DAEMON_DIRECTORY/spawn
+$DAEMON_DIRECTORY/smtpd
+$DAEMON_DIRECTORY/smtp
+$DAEMON_DIRECTORY/showq
+$DAEMON_DIRECTORY/qmqpd
+$DAEMON_DIRECTORY/qmgr
+$DAEMON_DIRECTORY/proxymap
+$DAEMON_DIRECTORY/pipe
+$DAEMON_DIRECTORY/pickup
+$DAEMON_DIRECTORY/nqmgr
+$DAEMON_DIRECTORY/master
+$DAEMON_DIRECTORY/local
+$DAEMON_DIRECTORY/lmtp
+$DAEMON_DIRECTORY/flush
+$DAEMON_DIRECTORY/error
+$DAEMON_DIRECTORY/cleanup
+$DAEMON_DIRECTORY/bounce
+/usr/lib/sendmail
+$COMMAND_DIRECTORY/postsuper
+$COMMAND_DIRECTORY/postqueue
+$COMMAND_DIRECTORY/postmap
+$COMMAND_DIRECTORY/postlog
+$COMMAND_DIRECTORY/postlock
+$COMMAND_DIRECTORY/postkick
+$COMMAND_DIRECTORY/postfix
+$COMMAND_DIRECTORY/postdrop
+$COMMAND_DIRECTORY/postconf
+$COMMAND_DIRECTORY/postcat
+$COMMAND_DIRECTORY/postalias
+"
+ldd $binlist | awk '/[=]>/ { print $3 }' | sort -u | while read i
+do
+ mkdir -p $QUEUE_DIRECTORY`dirname $i`
+ ## Sun's version of tar sucks. We'll have to remove the leading
+ ## slashes from file names ourself, otherwise the copy doesn't
+ ## work.
+ (cd / && tar cphf - `echo $i | sed -e 's/^\///'`) | (cd $QUEUE_DIRECTORY && tar xpf -)
+done
+
+## More stuff for the jail, mostly discovered by inspection
+## (e.g. strings, lsof).
+more="
+/dev/zero
+/dev/null
+/dev/udp6
+/dev/tcp6
+/dev/udp
+/dev/tcp
+/dev/poll
+/dev/rawip
+/dev/ticlts
+/dev/ticotsord
+/dev/ticots
+/devices/pseudo/mm@0:zero
+/devices/pseudo/mm@0:null
+/devices/pseudo/udp6@0:udp6
+/devices/pseudo/tcp6@0:tcp6
+/devices/pseudo/udp@0:udp
+/devices/pseudo/tcp@0:tcp
+/devices/pseudo/poll@0:poll
+/devices/pseudo/icmp@0:icmp
+/devices/pseudo/tl@0:ticlts
+/devices/pseudo/tl@0:ticotsord
+/devices/pseudo/tl@0:ticots
+/etc/hosts
+/etc/nsswitch.conf
+/etc/netconfig
+/etc/passwd
+/etc/resolv.conf
+/etc/default/init
+/etc/default/nss
+/etc/inet/services
+/etc/inet/hosts
+/etc/services
+/lib/ld.so
+/lib/ld.so.1
+/usr/lib/nss_dns.so.1
+/usr/lib/sparcv9/straddr.so
+/usr/lib/straddr.so
+/usr/lib/straddr.so.2
+/lib/libintl.so
+/lib/libintl.so.1
+/lib/libw.so
+/lib/libw.so.1
+/lib/nss_nis.so.1
+/lib/nss_nisplus.so.1
+/lib/nss_dns.so.1
+/lib/nss_files.so.1
+/usr/share/lib/zoneinfo
+/var/ld/ld.config
+"
+for i in $more; do
+ mkdir -p $QUEUE_DIRECTORY`dirname $i`
+ (cd / && tar cpf - `echo $i | sed -e 's/^\///'`) | (cd $QUEUE_DIRECTORY && tar xpf -)
+done
+
+exit 0
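Review bot: Nothing in this script sets `umask 022` or `set -e`, unlike most of the other chroot-setup scripts in this commit. The directories that `mkdir -p $QUEUE_DIRECTORY\`dirname $i\`` creates therefore take whatever umask the invoking shell has: a permissive one leaves group- or world-writable directories inside the jail, and a restrictive one leaves them unreadable to the daemons. A failed `tar` copy is also not noticed, because the script ends with an unconditional `exit 0`. Add `umask 022` after the shebang and check the pipeline status, or at least the `mkdir`. The file list also includes `/etc/passwd`, which the Solaris8 list does not, and that difference deserves a one-line comment. Solaris8 has the same missing umask and error handling.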
diff --git a/examples/chroot-setup/Solaris2 b/examples/chroot-setup/Solaris2
new file mode 100644
index 0000000..024492c
--- /dev/null
+++ b/examples/chroot-setup/Solaris2
@@ -0,0 +1,75 @@
+#!/bin/sh
+
+umask 022
+PATH=/usr/bin:/sbin:/usr/sbin
+
+# Create chroot'd area under Solaris 2.5.1 for postfix.
+#
+# Dug Song <dugsong@UMICH.EDU>
+
+if [ $# -ne 1 ]; then
+ echo "Usage: `basename $0` <directory>, e.g.: /var/spool/postfix" ; exit 1
+fi
+
+CHROOT=$1
+
+# If CHROOT does not exist but parent does, create CHROOT
+if [ ! -d ${CHROOT} ]; then
+ # lack of -p below is intentional
+ mkdir ${CHROOT}
+fi
+if [ ! -d ${CHROOT} -o "${CHROOT}" = "/" -o "${CHROOT}" = "/usr" ]; then
+ echo "$0: bad chroot directory ${CHROOT}"
+ exit 2
+fi
+for dir in etc/default etc/inet dev usr/lib usr/share/lib/zoneinfo ; do
+ if [ ! -d ${CHROOT}/${dir} ]; then mkdir -p ${CHROOT}/${dir} ; fi
+done
+#chmod -R 755 ${CHROOT}
+
+# AFS support.
+if [ "`echo $CHROOT | cut -c1-4`" = "/afs" ]; then
+ echo '\tCreating memory resident /dev...'
+ mount -F tmpfs -o size=10 swap ${CHROOT}/dev
+fi
+
+# Setup /etc files.
+cp /etc/nsswitch.conf ${CHROOT}/etc
+cp /etc/netconfig /etc/resolv.conf ${CHROOT}/etc
+cp /etc/default/init ${CHROOT}/etc/default
+cp /etc/inet/services ${CHROOT}/etc/inet/services
+ln -s /etc/inet/services ${CHROOT}/etc/services
+find ${CHROOT}/etc -type f -exec chmod 444 {} \;
+
+# Most of the following are needed for basic operation, except
+# for libnsl.so, nss_nis.so, libsocket.so, and straddr.so which are
+# needed to resolve NIS names.
+cp /usr/lib/ld.so /usr/lib/ld.so.1 ${CHROOT}/usr/lib
+for lib in libc libdl libintl libmp libnsl libsocket libw \
+ nss_nis nss_nisplus nss_dns nss_files; do
+ cp /usr/lib/${lib}.so.1 ${CHROOT}/usr/lib
+ rm -f ${CHROOT}/usr/lib/${lib}.so
+ ln -s ./${lib}.so.1 ${CHROOT}/usr/lib/${lib}.so
+done
+cp /usr/lib/straddr.so.2 ${CHROOT}/usr/lib
+rm -f ${CHROOT}/usr/lib/straddr.so
+ln -s ./straddr.so.2 ${CHROOT}/usr/lib/straddr.so
+chmod 555 ${CHROOT}/usr/lib/*
+
+# Copy timezone database.
+(cd ${CHROOT}/usr/share/lib/zoneinfo
+ (cd /usr/share/lib/zoneinfo; find . -print | cpio -o) | cpio -imdu
+ find . -print | xargs chmod 555
+)
+
+# Make device nodes. We need ticotsord, ticlts and udp to resolve NIS names.
+for device in zero tcp udp ticotsord ticlts; do
+ line=`ls -lL /dev/${device} | sed -e 's/,//'`
+ major=`echo $line | awk '{print $5}'`
+ minor=`echo $line | awk '{print $6}'`
+ rm -f ${CHROOT}/dev/${device}
+ mknod ${CHROOT}/dev/${device} c ${major} ${minor}
+done
+chmod 666 ${CHROOT}/dev/*
+
+exit 0
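Review bot: `chmod 666 ${CHROOT}/dev/*` near the end makes every entry already present in the jail's dev directory world-writable, not only the five nodes the loop just created. `chmod 555 ${CHROOT}/usr/lib/*` has the same breadth. Setting the mode per node inside the loop, `chmod 666 ${CHROOT}/dev/${device}`, limits the change to what this script owns. The loop also passes `${major}` and `${minor}` to mknod without checking that the `ls -lL /dev/${device}` parse produced numbers, so a missing host device leads to a malformed mknod call that is not reported. `${CHROOT}` comes from `$1` and is unquoted throughout, including inside the `[ ... ]` tests.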
diff --git a/examples/chroot-setup/Solaris8 b/examples/chroot-setup/Solaris8
new file mode 100644
index 0000000..973e731
--- /dev/null
+++ b/examples/chroot-setup/Solaris8
@@ -0,0 +1,106 @@
+#!/bin/sh
+
+# Solaris 8 version by Matthew X. Economou. Caution: this copies
+# too many files. There is no need to copy libc.so and other files
+# that are already linked in before a Postfix daemon chroots itself.
+
+COMMAND_DIRECTORY="/usr/sbin"
+DAEMON_DIRECTORY="/usr/libexec/postfix"
+QUEUE_DIRECTORY="/var/spool/postfix"
+
+## Copy any shared libraries, device entries, or configuration files
+## needed by Postfix into the jail.
+binlist="
+$DAEMON_DIRECTORY/virtual
+$DAEMON_DIRECTORY/trivial-rewrite
+$DAEMON_DIRECTORY/spawn
+$DAEMON_DIRECTORY/smtpd
+$DAEMON_DIRECTORY/smtp
+$DAEMON_DIRECTORY/showq
+$DAEMON_DIRECTORY/qmqpd
+$DAEMON_DIRECTORY/qmgr
+$DAEMON_DIRECTORY/proxymap
+$DAEMON_DIRECTORY/pipe
+$DAEMON_DIRECTORY/pickup
+$DAEMON_DIRECTORY/nqmgr
+$DAEMON_DIRECTORY/master
+$DAEMON_DIRECTORY/local
+$DAEMON_DIRECTORY/lmtp
+$DAEMON_DIRECTORY/flush
+$DAEMON_DIRECTORY/error
+$DAEMON_DIRECTORY/cleanup
+$DAEMON_DIRECTORY/bounce
+/usr/lib/sendmail
+$COMMAND_DIRECTORY/postsuper
+$COMMAND_DIRECTORY/postqueue
+$COMMAND_DIRECTORY/postmap
+$COMMAND_DIRECTORY/postlog
+$COMMAND_DIRECTORY/postlock
+$COMMAND_DIRECTORY/postkick
+$COMMAND_DIRECTORY/postfix
+$COMMAND_DIRECTORY/postdrop
+$COMMAND_DIRECTORY/postconf
+$COMMAND_DIRECTORY/postcat
+$COMMAND_DIRECTORY/postalias
+"
+ldd $binlist | awk '/[=]>/ { print $3 }' | sort -u | while read i
+do
+ mkdir -p $QUEUE_DIRECTORY`dirname $i`
+ ## Sun's version of tar sucks. We'll have to remove the leading
+ ## slashes from file names ourself, otherwise the copy doesn't
+ ## work.
+ (cd / && tar cphf - `echo $i | sed -e 's/^\///'`) | (cd $QUEUE_DIRECTORY && tar xpf -)
+done
+
+## More stuff for the jail, mostly discovered by inspection
+## (e.g. strings, lsof).
+more="
+/dev/zero
+/dev/null
+/dev/udp6
+/dev/tcp6
+/dev/udp
+/dev/tcp
+/dev/poll
+/dev/rawip
+/dev/ticlts
+/dev/ticotsord
+/dev/ticots
+/devices/pseudo/mm@0:zero
+/devices/pseudo/mm@0:null
+/devices/pseudo/udp6@0:udp6
+/devices/pseudo/tcp6@0:tcp6
+/devices/pseudo/udp@0:udp
+/devices/pseudo/tcp@0:tcp
+/devices/pseudo/poll@0:poll
+/devices/pseudo/icmp@0:icmp
+/devices/pseudo/tl@0:ticlts
+/devices/pseudo/tl@0:ticotsord
+/devices/pseudo/tl@0:ticots
+/etc/nsswitch.conf
+/etc/netconfig
+/etc/default/init
+/etc/inet/services
+/etc/resolv.conf
+/etc/services
+/usr/lib/ld.so
+/usr/lib/ld.so.1
+/usr/lib/sparcv9/straddr.so
+/usr/lib/straddr.so
+/usr/lib/libintl.so
+/usr/lib/libintl.so.1
+/usr/lib/libw.so
+/usr/lib/libw.so.1
+/usr/lib/nss_nis.so.1
+/usr/lib/nss_nisplus.so.1
+/usr/lib/nss_dns.so.1
+/usr/lib/nss_files.so.1
+/usr/share/lib/zoneinfo
+/var/ld/ld.config
+"
+for i in $more; do
+ mkdir -p $QUEUE_DIRECTORY`dirname $i`
+ (cd / && tar cpf - `echo $i | sed -e 's/^\///'`) | (cd $QUEUE_DIRECTORY && tar xpf -)
+done
+
+exit 0
diff --git a/examples/qmail-local/qmail-local.txt b/examples/qmail-local/qmail-local.txt
new file mode 100644
index 0000000..bf62319
--- /dev/null
+++ b/examples/qmail-local/qmail-local.txt
@@ -0,0 +1,16 @@
+From: Ron Bickers <rbickers@logicetc.com>
+
+For the archives (or for comment):
+
+I now have mailbox_command = /usr/local/libexec/postqmail-local and
+postqmail-local looks like this (minus some mailer wrapping):
+
+ #!/bin/sh
+ export PATH=$PATH:/usr/local/bin:/var/qmail/bin
+ tail +2 | seekablepipe qmail-local -- \
+ "$USER" "$HOME" "$LOCAL" "${EXTENSION:+-}" "$EXTENSION"
+ "$DOMAIN""$SENDER" ./Maildir/
+ e=$?
+ (($e == 111)) && exit 75
+ (($e == 100)) && exit 77
+ exit $e
diff --git a/examples/smtpd-policy/README.SPF b/examples/smtpd-policy/README.SPF
new file mode 100644
index 0000000..2590a1d
--- /dev/null
+++ b/examples/smtpd-policy/README.SPF
@@ -0,0 +1,6 @@
+See http://www.openspf.org/Software for the current version of the
+SPF policy daemon for Postfix.
+
+SPF support is also available via MILTER plugins, such as sid-milter
+at http://sourceforge.net/projects/sid-milter/ which implements both
+SenderID and SPF.
diff --git a/examples/smtpd-policy/greylist.pl b/examples/smtpd-policy/greylist.pl
new file mode 100755
index 0000000..dbaa5cb
--- /dev/null
+++ b/examples/smtpd-policy/greylist.pl
@@ -0,0 +1,283 @@
+#!/usr/bin/perl
+
+use DB_File;
+use Fcntl;
+use Sys::Syslog qw(:DEFAULT setlogsock);
+
+#
+# Usage: greylist.pl [-v]
+#
+# Demo delegated Postfix SMTPD policy server. This server implements
+# greylisting. State is kept in a Berkeley DB database. Logging is
+# sent to syslogd.
+#
+# How it works: each time a Postfix SMTP server process is started
+# it connects to the policy service socket, and Postfix runs one
+# instance of this PERL script. By default, a Postfix SMTP server
+# process terminates after 100 seconds of idle time, or after serving
+# 100 clients. Thus, the cost of starting this PERL script is smoothed
+# out over time.
+#
+# To run this from /etc/postfix/master.cf:
+#
+# policy unix - n n - - spawn
+# user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
+#
+# To use this from Postfix SMTPD, use in /etc/postfix/main.cf:
+#
+# smtpd_recipient_restrictions =
+# ...
+# reject_unauth_destination
+# check_policy_service unix:private/policy
+# ...
+#
+# NOTE: specify check_policy_service AFTER reject_unauth_destination
+# or else your system can become an open relay.
+#
+# To test this script by hand, execute:
+#
+# % perl greylist.pl
+#
+# Each query is a bunch of attributes. Order does not matter, and
+# the demo script uses only a few of all the attributes shown below:
+#
+# request=smtpd_access_policy
+# protocol_state=RCPT
+# protocol_name=SMTP
+# helo_name=some.domain.tld
+# queue_id=8045F2AB23
+# sender=foo@bar.tld
+# recipient=bar@foo.tld
+# client_address=1.2.3.4
+# client_name=another.domain.tld
+# instance=123.456.7
+# sasl_method=plain
+# sasl_username=you
+# sasl_sender=
+# size=12345
+# [empty line]
+#
+# The policy server script will answer in the same style, with an
+# attribute list followed by a empty line:
+#
+# action=dunno
+# [empty line]
+#
+
+#
+# greylist status database and greylist time interval. DO NOT create the
+# greylist status database in a world-writable directory such as /tmp
+# or /var/tmp. DO NOT create the greylist database in a file system
+# that can run out of space.
+#
+# In case of database corruption, this script saves the database as
+# $database_name.time(), so that the mail system does not get stuck.
+#
+$database_name="/var/mta/greylist.db";
+$greylist_delay=60;
+
+#
+# Auto-whitelist threshold. Specify 0 to disable, or the number of
+# successful "come backs" after which a client is no longer subject
+# to greylisting.
+#
+$auto_whitelist_threshold = 10;
+
+#
+# Syslogging options for verbose mode and for fatal errors.
+# NOTE: comment out the $syslog_socktype line if syslogging does not
+# work on your system.
+#
+$syslog_socktype = 'unix'; # inet, unix, stream, console
+$syslog_facility="mail";
+$syslog_options="pid";
+$syslog_priority="info";
+
+#
+# Demo SMTPD access policy routine. The result is an action just like
+# it would be specified on the right-hand side of a Postfix access
+# table. Request attributes are available via the %attr hash.
+#
+sub smtpd_access_policy {
+ my($key, $time_stamp, $now, $count);
+
+ # Open the database on the fly.
+ open_database() unless $database_obj;
+
+ # Search the auto-whitelist.
+ if ($auto_whitelist_threshold > 0) {
+ $count = read_database($attr{"client_address"});
+ if ($count > $auto_whitelist_threshold) {
+ return "dunno";
+ }
+ }
+
+ # Lookup the time stamp for this client/sender/recipient.
+ $key =
+ lc $attr{"client_address"}."/".$attr{"sender"}."/".$attr{"recipient"};
+ $time_stamp = read_database($key);
+ $now = time();
+
+ # If this is a new request add this client/sender/recipient to the database.
+ if ($time_stamp == 0) {
+ $time_stamp = $now;
+ update_database($key, $time_stamp);
+ }
+
+ # The result can be any action that is allowed in a Postfix access(5) map.
+ #
+ # To label mail, return ``PREPEND'' headername: headertext
+ #
+ # In case of success, return ``DUNNO'' instead of ``OK'' so that the
+ # check_policy_service restriction can be followed by other restrictions.
+ #
+ # In case of failure, specify ``DEFER_IF_PERMIT optional text...''
+ # so that mail can still be blocked by other access restrictions.
+ #
+ syslog $syslog_priority, "request age %d", $now - $time_stamp if $verbose;
+ if ($now - $time_stamp > $greylist_delay) {
+ # Update the auto-whitelist.
+ if ($auto_whitelist_threshold > 0) {
+ update_database($attr{"client_address"}, $count + 1);
+ }
+ return "dunno";
+ } else {
+ return "defer_if_permit Service is unavailable";
+ }
+}
+
+#
+# You should not have to make changes below this point.
+#
+sub LOCK_SH { 1 }; # Shared lock (used for reading).
+sub LOCK_EX { 2 }; # Exclusive lock (used for writing).
+sub LOCK_NB { 4 }; # Don't block (for testing).
+sub LOCK_UN { 8 }; # Release lock.
+
+#
+# Log an error and abort.
+#
+sub fatal_exit {
+ my($first) = shift(@_);
+ syslog "err", "fatal: $first", @_;
+ exit 1;
+}
+
+#
+# Open hash database.
+#
+sub open_database {
+ my($database_fd);
+
+ # Use tied database to make complex manipulations easier to express.
+ $database_obj = tie(%db_hash, 'DB_File', $database_name,
+ O_CREAT|O_RDWR, 0644, $DB_BTREE) ||
+ fatal_exit "Cannot open database %s: $!", $database_name;
+ $database_fd = $database_obj->fd;
+ open DATABASE_HANDLE, "+<&=$database_fd" ||
+ fatal_exit "Cannot fdopen database %s: $!", $database_name;
+ syslog $syslog_priority, "open %s", $database_name if $verbose;
+}
+
+#
+# Read database. Use a shared lock to avoid reading the database
+# while it is being changed. XXX There should be a way to synchronize
+# our cache from the on-file database before looking up the key.
+#
+sub read_database {
+ my($key) = @_;
+ my($value);
+
+ flock DATABASE_HANDLE, LOCK_SH ||
+ fatal_exit "Can't get shared lock on %s: $!", $database_name;
+ # XXX Synchronize our cache from the on-disk copy before lookup.
+ $value = $db_hash{$key};
+ syslog $syslog_priority, "lookup %s: %s", $key, $value if $verbose;
+ flock DATABASE_HANDLE, LOCK_UN ||
+ fatal_exit "Can't unlock %s: $!", $database_name;
+ return $value;
+}
+
+#
+# Update database. Use an exclusive lock to avoid collisions with
+# other updaters, and to avoid surprises in database readers. XXX
+# There should be a way to synchronize our cache from the on-file
+# database before updating the database.
+#
+sub update_database {
+ my($key, $value) = @_;
+
+ syslog $syslog_priority, "store %s: %s", $key, $value if $verbose;
+ flock DATABASE_HANDLE, LOCK_EX ||
+ fatal_exit "Can't exclusively lock %s: $!", $database_name;
+ # XXX Synchronize our cache from the on-disk copy before update.
+ $db_hash{$key} = $value;
+ $database_obj->sync() &&
+ fatal_exit "Can't update %s: $!", $database_name;
+ flock DATABASE_HANDLE, LOCK_UN ||
+ fatal_exit "Can't unlock %s: $!", $database_name;
+}
+
+#
+# Signal 11 means that we have some kind of database corruption (yes
+# Berkeley DB should handle this better). Move the corrupted database
+# out of the way, and start with a new database.
+#
+sub sigsegv_handler {
+ my $backup = $database_name . "." . time();
+
+ rename $database_name, $backup ||
+ fatal_exit "Can't save %s as %s: $!", $database_name, $backup;
+ fatal_exit "Caught signal 11; the corrupted database is saved as $backup";
+}
+
+$SIG{'SEGV'} = 'sigsegv_handler';
+
+#
+# This process runs as a daemon, so it can't log to a terminal. Use
+# syslog so that people can actually see our messages.
+#
+setlogsock $syslog_socktype;
+openlog $0, $syslog_options, $syslog_facility;
+
+#
+# We don't need getopt() for now.
+#
+while ($option = shift(@ARGV)) {
+ if ($option eq "-v") {
+ $verbose = 1;
+ } else {
+ syslog $syslog_priority, "Invalid option: %s. Usage: %s [-v]",
+ $option, $0;
+ exit 1;
+ }
+}
+
+#
+# Unbuffer standard output.
+#
+select((select(STDOUT), $| = 1)[0]);
+
+#
+# Receive a bunch of attributes, evaluate the policy, send the result.
+#
+while (<STDIN>) {
+ if (/([^=]+)=(.*)\n/) {
+ $attr{substr($1, 0, 512)} = substr($2, 0, 512);
+ } elsif ($_ eq "\n") {
+ if ($verbose) {
+ for (keys %attr) {
+ syslog $syslog_priority, "Attribute: %s=%s", $_, $attr{$_};
+ }
+ }
+ fatal_exit "unrecognized request type: '%s'", $attr{request}
+ unless $attr{"request"} eq "smtpd_access_policy";
+ $action = smtpd_access_policy();
+ syslog $syslog_priority, "Action: %s", $action if $verbose;
+ print STDOUT "action=$action\n\n";
+ %attr = ();
+ } else {
+ chop;
+ syslog $syslog_priority, "warning: ignoring garbage: %.100s", $_;
+ }
+}
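Review bot: The `||` after `flock DATABASE_HANDLE, LOCK_SH` (and the `LOCK_EX` and `LOCK_UN` calls), after `open DATABASE_HANDLE, "+<&=$database_fd"` and after `rename $database_name, $backup` binds to the last argument rather than to the call. Those arguments are always true, so the `fatal_exit` branches in open_database, read_database, update_database and sigsegv_handler never run. A failed fdopen, lock or rename goes unnoticed, and the database can be read or written without the lock the comments promise. Use the low-precedence operator or parenthesise the call, e.g. `flock(DATABASE_HANDLE, LOCK_SH) or fatal_exit "Can't get shared lock on %s: $!", $database_name;`. The `tie(...) || fatal_exit` line is already parenthesised and behaves as intended. The script also runs without `use strict; use warnings;`, which would make the undeclared globals (`%attr`, `%db_hash`, `$verbose`) explicit.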