PPoossttffiixx bbeeffoorree--qquueeuuee MMiilltteerr ssuuppppoorrtt

-------------------------------------------------------------------------------

IInnttrroodduuccttiioonn

Postfix version 2.3 introduces support for Sendmail 8 Milter (mail filter)
applications. These applications run outside the MTA to inspect SMTP events
(CONNECT, HELO, MAIL FROM, etc.) as well as mail content. A Milter application
can instruct the MTA to accept, reject, discard or quarantine an entire
connection, command, or message content; to delete or add a recipient or
message header; and to replace a message header or entire message body. All
this happens before mail is queued.

The reason for adding Milter support to Postfix is that there exists a large
collection of applications, not only to block unwanted mail, but also to verify
authenticity (examples: SenderID+SPF and Domain keys) or to sign mail (example:
Domain keys). Having yet another MTA-specific version of all that software is a
poor use of human and system resources.

Postfix 2.3 implements all the requests of Sendmail 8 Milter protocols up to
version 4, except one: message body replacement. See, however, the limitations
section at the end of this document.

This document provides information on the following topics:

  * Building Milter applications
  * Running Milter applications
  * Configuring Postfix
  * Workarounds
  * Limitations

BBuuiillddiinngg MMiilltteerr aapppplliiccaattiioonnss

Although Milter applications can be written in C, JAVA or Perl, this text deals
with C applications only. For these, you need a library that implements the
Milter protocol. Postfix currently does not provide such a library.

On some recent Linux and *BSD distributions, the Sendmail libmilter library is
installed by default. Applications such as dk-milter and and sid-milter build
out of the box:

    $ ggzzccaatt ddkk--mmiilltteerr--xx..yy..zz..ttaarr..ggzz || ttaarr xxff --
    $ ccdd ddkk--mmiilltteerr--xx..yy..zz
    $ mmaakkee
    [...lots of output omitted...]

On other platforms you have two options:

  * Install the Sendmail lliibbmmiilltteerr library and the corresponding include files.
    On Linux systems, lliibbmmiilltteerr is usually part of the sseennddmmaaiill--ddeevveell package.
    After installing lliibbmmiilltteerr, build the Milter applications as described in
    the preceding section.

  * Don't install the Sendmail lliibbmmiilltteerr library, but build the library from
    Sendmail source code instead:

        $ ggzzccaatt sseennddmmaaiill--xx..yy..zz..ttaarr..ggzz || ttaarr xxff --
        $ ccdd sseennddmmaaiill--xx..yy..zz
        $ mmaakkee
        [...lots of output omitted...]

    After building your own lliibbmmiilltteerr, follow the installation instructions in
    the Milter application source distribution to specify the location of the
    libmilter include files and object library. Typically, these settings are
    configured in a file named sid-filter/Makefile.m4 or similar:

        dnl APPENDDEF(`confINCDIRS', `-I/some/where/sendmail-x.y.z/include')
        dnl APPENDDEF(`confLIBDIRS', `-L/some/where/sendmail-x.y.z/
        obj.systemtype/libmilter')

    Then build the Milter application.

RRuunnnniinngg MMiilltteerr aapppplliiccaattiioonnss

To run a Milter application, see the documentation of the filter for options. A
typical command looks like this:

    $ //ssoommee//wwhheerree//ddkk--ffiilltteerr --pp iinneett::ppoorrttnnuummbbeerr@@llooccaallhhoosstt ......ootthheerr ooppttiioonnss......

CCoonnffiigguurriinngg PPoossttffiixx

Like Sendmail, Postfix has a lot of configuration options that control how it
talks to Milter applications. Initially, many options are global, that is, they
apply to all Milter applications. Future Postfix versions may support per-
Milter timeouts, per-Milter error handling, etc.

Information in this section:

  * Milter applications
  * Milter error handling
  * Milter protocol version
  * Milter protocol timeouts
  * Sendmail macro emulation

MMiilltteerr aapppplliiccaattiioonnss

The Milter protocol was originally developed to block unwanted mail that
arrives from the network. For this, Postfix uses the Milter applications that
are listed with the smtpd_milters parameter. You specify Milter applications by
the name of their listening socket (other Milter options will be discussed
below). The example below shows only one Milter application, but Postfix allows
multiple milters. They will be applied in the order as specified.

    /etc/postfix/main.cf:
        # Milters for mail that arrives via the smtpd(8) server.
        # See below for socket address syntax.
        smtpd_milters = inet:localhost:portnumber ...other filters...

Nowadays, Milter applications are also developed to sign mail so that other
systems can detect spam, phishing, etc. Using such signing Milters is easy
enough for mail that arrives via SMTP, but that does not handle submissions via
the Postfix sendmail command line.

To make Milter processing of non-SMTP mail possible, Postfix uses the Milter
applications that are listed with the cleanup_milters parameter. This allows
you to sign submissions via the Postfix sendmail command.

    /etc/postfix/main.cf:
        # Milters for non-SMTP mail.
        # See below for socket address syntax.
        cleanup_milters = inet:localhost:portnumber ...other filters...

To keep the Milter applications happy in the case of non-SMTP mail, the cleanup
(8) server simulates SMTP events for CONNECT, EHLO, MAIL FROM, RCPT TO, and
DATA, pretending that the mail arrives with ESMTP from "localhost" and IP
address "127.0.0.1". However, there is no real ESMTP client involved. For this
reason, the Milter application must not reject simulated RCPT TO commands. When
it does, Postfix will report a configuration error, and mail will stay in the
queue.

The general syntax for listening sockets is as follows:

    uunniixx::pathname
        Connect to the local UNIX-domain server that is bound to the specified
        pathname. If the smtpd(8) or cleanup(8) process runs chrooted, an
        absolute pathname is interpreted relative to the Postfix queue
        directory.

    iinneett::host::port
        Connect to the specified TCP port on the specified local or remote
        host. The host and port can be specified in numeric or symbolic form.

        Note: Postfix syntax differs from Milter syntax which has the form
        iinneett::port@@host.

MMiilltteerr eerrrroorr hhaannddlliinngg

The milter_default_action parameter specifies how Postfix handles errors. The
default is to respond with a temporary error status, so that the client will
try again later. Specify "accept" if you want to receive mail as if the filter
does not exist, and "reject" to reject mail with a permanent status.

        # What to do in case of errors? Specify accept, reject, or tempfail.
        milter_default_action = tempfail

MMiilltteerr pprroottooccooll vveerrssiioonn

As Postfix is not built with the Sendmail lliibbmmiilltteerr library, you may also need
to configure the Milter protocol version that Postfix should use. The default
version is 2.

    milter_protocol = 2

If the Postfix milter_protocol setting specifies a too low version, the
libmilter library will log an error message like this:

    application name: st_optionneg[xxxxx]: 0xyy does not fulfill action
    requirements 0xzz

The remedy is to increase the Postfix milter_protocol version number. See,
however, the limitations section below for features that aren't supported by
Postfix.

If the Postfix milter_protocol setting specifies a too high version, the
libmilter library simply hangs up without logging a warning, and you see a
Postfix warning message like one of the following:

    postfix/smtpd[21045]: warning: milter inet:host:port: can't read packet
    header: Unknown error : 0
    postfix/cleanup[15190]: warning: milter inet:host:port: can't read packet
    header: Success

The remedy is to lower the Postfix milter_protocol version number.

MMiilltteerr pprroottooccooll ttiimmeeoouuttss

Postfix uses different time limits at different Milter protocol stages. The
table shows wich timeouts are used and when (EOH = end of headers; EOM = end of
message).

     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
    |PPaarraammeetteerr             |TTiimmee lliimmiitt|PPrroottooccooll ssttaaggee                 |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |milter_connect_timeout|30s       |CONNECT                        |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |milter_command_timeout|30s       |HELO, MAIL, RCPT, DATA, UNKNOWN|
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |milter_content_timeout|300s      |HEADER, EOH, BODY, EOM         |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |

Beware: 30s is not a lot for applications that do a lot of DNS lookups.
However, if you increase the above timeouts too much, remote SMTP clients may
hang up and mail may be delivered multiple times. This is an inherent problem
with before-queue filtering.

SSeennddmmaaiill mmaaccrroo eemmuullaattiioonn

Postfix emulates a limited number of Sendmail macros, as shown in the table.
Different macros are available at different SMTP protocol stages (EOM = end-of-
message); their availability is not always the same as in Sendmail. See the
workarounds section below for solutions.

     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
    |NNaammee                |AAvvaaiillaabbiilliittyy             |DDeessccrriippttiioonn               |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |i                   |DATA, EOM                |Queue ID                  |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |j                   |Always                   |value of myhostname       |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |{auth_authen}       |MAIL, DATA, EOM          |SASL login name           |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |{auth_author}       |MAIL, DATA, EOM          |SASL sender               |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |{auth_type}         |MAIL, DATA, EOM          |SASL login method         |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |{client_addr}       |Always                   |Client IP address         |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |{client_connections}|CONNECT                  |Connection concurrency for|
    |                    |                         |this client               |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |                    |                         |Client hostname, "unknown"|
    |{client_name}       |Always                   |when lookup or            |
    |                    |                         |verification fails        |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |                    |                         |Client name from reverse  |
    |{client_ptr}        |CONNECT, HELO, MAIL, DATA|lookup, "unknown" when    |
    |                    |                         |lookup fails              |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |{cert_issuer}       |HELO, MAIL, DATA, EOM    |TLS client certificate    |
    |                    |                         |issuer                    |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |{cert_subject}      |HELO, MAIL, DATA, EOM    |TLS client certificate    |
    |                    |                         |subject                   |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |{cipher_bits}       |HELO, MAIL, DATA, EOM    |TLS session key size      |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |{cipher}            |HELO, MAIL, DATA, EOM    |TLS cipher                |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |{daemon_name}       |Always                   |value of                  |
    |                    |                         |milter_macro_daemon_name  |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |{mail_addr}         |MAIL                     |Sender address            |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |{rcpt_addr}         |RCPT                     |Recipient address         |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |{tls_version}       |HELO, MAIL, DATA, EOM    |TLS protocol version      |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |v                   |Always                   |value of milter_macro_v   |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |

Postfix sends specific sets of macros at different SMTP protocol stages. The
sets are configured with the parameters as described in the table (EOM = end of
message).

     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
    |PPaarraammeetteerr nnaammee               |PPrroottooccooll vveerrssiioonn|PPrroottooccooll ssttaaggee |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |milter_connect_macros        |2 or higher     |CONNECT        |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |milter_helo_macros           |2 or higher     |HELO/EHLO      |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |milter_mail_macros           |2 or higher     |MAIL FROM      |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |milter_rcpt_macros           |2 or higher     |RCPT TO        |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |milter_data_macros           |4 or higher     |DATA           |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |milter_end_of_data_macros    |2 or higher     |EOM            |
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
    |milter_unknown_command_macros|3 or higher     |unknown command|
    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |

WWoorrkkaarroouunnddss

Sendmail Milter applications were originally developed for the Sendmail version
8 MTA, which has a different architecture than Postfix. The result is that some
Milter applications make assumptions that aren't true in a Postfix environment.

  * Some Milter applications log a warning that looks like this:

        sid-filter[36540]: WARNING: sendmail symbol 'i' not available

    And they may insert a message header with "unknown-msgid" like this:

        X-SenderID: Sendmail Sender-ID Filter vx.y.z host.example.com <unknown-
        msgid>

    This happens because the Milter application expects that the queue ID is
    known before the MTA accepts the MAIL FROM (sender) command. Postfix, on
    the other hand, does not create a queue file until after Postfix accepts
    the first valid RCPT TO (recipient) command. This queue file name must be
    globally unique across multiple queue directories, so it cannot be chosen
    until the file is actually created.

    To work around the ugly message header from Milter applications, we add a
    little code to the Milter source to look up the queue ID after Postfix
    receives the end of the message.

      o Edit the filter source file (typically named dk-filter/dk-filter.c or
        similar).

      o Look up the mlfi_eom() function and add code near the top shown as bboolldd
        text below:

        sic = (Context) smfi_getpriv(ctx);
        assert(sic != NULL);

        //**
        ****  DDeetteerrmmiinnee tthhee jjoobb IIDD ffoorr llooggggiinngg..
        **//
        iiff ((ssiicc-->>ccttxx__jjoobbiidd ==== 00 |||| ssttrrccmmpp((ssiicc-->>ccttxx__jjoobbiidd,, MMSSGGIIDDUUNNKKNNOOWWNN)) ==== 00)) {{
                cchhaarr **jjoobbiidd == ssmmffii__ggeettssyymmvvaall((ccttxx,, ""ii""));;
                iiff ((jjoobbiidd !!== 00))
                        ssiicc-->>ccttxx__jjoobbiidd == jjoobbiidd;;
        }}

    This does not remove the WARNING message, however.

    With some Milter applications we can fix both the WARNING and the "unknown-
    msgid" by postponing the call of mlfi_eoh() (or whatever routine logs the
    WARNING) until the end of the message.

      o Edit the filter source file (typically named sid-filter/sid-filter.c or
        similar).

      o Look up the smfilter table and replace mlfi_eoh (or whatever routine
        logs the WARNING) by NULL.

      o Look up the mlfi_eom() function and add code near the top that calls
        mlfi_eoh() as shown by the bboolldd text below:

                assert(ctx != NULL);
        #endif /* !DEBUG */

                rreett == mmllffii__eeoohh((ccttxx));;
                iiff ((rreett !!== SSMMFFIISS__CCOONNTTIINNUUEE))
                        rreettuurrnn rreett;;

    This works with sid-milter-0.2.10. Other Milter applications will dump core
    when you do this.

LLiimmiittaattiioonnss

This section lists limitations of the Postfix Milter implementation. Some
limitations will be removed disappear as support is extended over time. Of
course the usual limitations of before-queue filtering will always apply. See
the CONTENT_INSPECTION_README document for a discussion.

  * Postfix currently supports only applications that speak the Sendmail 8
    Milter protocol versions 2..4. Support for other protocol types or protocol
    versions may be added later.

  * For applications that are written in C, you need to use the Sendmail
    libmilter library. A Postfix replacement may be provided in the future.

  * When mail does not arrive via the smtpd(8) server, the cleanup(8) server
    simulates SMTP events for CONNECT, HELO, MAIL FROM, RCPT TO, and DATA.
    However, Milter applications must not reject simulated RCPT TO events.
    Postfix will report a configuration error when this happens, and mail will
    stay in the queue.

  * Postfix currently does not apply content filters to mail that is forwarded
    or aliased internally, or to mail that is generated internally such as
    bounces or Postmaster notifications. This may be a problem when you want to
    apply a signing Milter to such mail.

  * When you use the before-queue filter for incoming SMTP mail (see
    SMTPD_PROXY_README), Milter applications have access only to the SMTP
    command information; they have no access to the message header or body, and
    cannot make modifications to the message or to the envelope.

  * Postfix 2.3 does not support Milter requests to replace the message body.
    Milter applications that request this unsupported operation will log a
    warning like this:

        application name: st_optionneg[134563840]: 0x3d does not fulfill action
        requirements 0x1e

    The solution is (to wait for) a Postfix version that supports the missing
    functionality.

  * Most Milter configuration options are global. Future Postfix versions may
    support per-Milter timeouts, per-Milter error handling, etc.

