path: root/README_FILES/DEPRECATION_README
Diffstat (limited to '')
-rw-r--r-- README_FILES/DEPRECATION_README 270
1 files changed, 270 insertions, 0 deletions
diff --git a/README_FILES/DEPRECATION_README b/README_FILES/DEPRECATION_README
new file mode 100644
index 0000000..87cf247
--- /dev/null
+++ b/README_FILES/DEPRECATION_README
@@ -0,0 +1,270 @@
+PPoossttffiixx RReeppllaacceemmeennttss ffoorr DDeepprreeccaatteedd FFeeaattuurreess
+
+-------------------------------------------------------------------------------
+
+PPuurrppoossee ooff tthhiiss ddooccuummeenntt
+
+This document describes Postfix features that are deprecated (will be removed)
+or that have already been removed. It also has tips for making an existing
+Postfix configuration more future-proof.
+
+Overview:
+
+ * Why deprecate?
+ * Deprecation process
+ * Deprecated features
+
+WWhhyy ddeepprreeccaattee??
+
+Sometimes, a Postfix feature needs to be replaced with a different one. To give
+an example:
+
+ * The initial Postfix TLS implementation used multiple boolean parameters:
+ one parameter to enable opportunistic TLS (for example, "smtp_enforce_tls =
+ yes") and one parameter to enable mandatory TLS (for example,
+ "smtp_require_tls = yes").
+
+ * As we added support more features such as fingerprint, dane, and so on, we
+ decided not to add more boolean parameters. Instead we introduced one
+ configuration parameter to select from multiple deployment models (for
+ example, smtp_tls_security_level = may | encrypt | dane, etc...).
+
+Having both the "old" and "new" way to configure Postfix is convenient for
+existing Postfix installations, because their configuration does not break
+after an upgrade to a new version. Unfortunately, there are also disadvantages.
+Having multiple ways to do similar things is not only confusing for newcomers,
+it also makes Postfix harder to change.
+
+DDeepprreeccaattiioonn pprroocceessss
+
+The basic process steps are:
+
+ 1. Inform humans that a feature will be removed, and suggest replacements, in
+ logging and documentation.
+
+ 2. Remove the feature, and update logging and documentation.
+
+Disclaimer: it has taken 20 years for some features to be removed. This past is
+not a guarantee for the future.
+
+DDeepprreeccaatteedd ffeeaattuurreess
+
+The table summarizes removed or deprecated features and replacements. Click on
+the "obsolete feature" name for a more detailed description.
+
+ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+ | |WWaarrnniinngg| | |
+ |OObbssoolleettee ffeeaattuurree nnaammee |aass |RReemmoovveedd |RReeppllaacceemmeenntt |
+ | |ooff |iinn vveerrssiioonn| |
+ | |vveerrssiioonn| | |
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |disable_dns_lookups | 3.9 | - |smtp_dns_support_level |
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |xxx_use_tls | 3.9 | - |xxx_tls_security_level |
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |xxx_enforce_tls | 3.9 | - |xxx_tls_security_level |
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |xxx_per_site | 3.9 | - |xxx_policy_maps |
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |smtpd_tls_dh1024_param_file| 3.9 | - |do not specify (leave at |
+ | | | |default) |
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |smtpd_tls_eecdh_grade | 3.9 | - |do not specify (leave at |
+ | | | |default) |
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |permit_mx_backup | 3.9 | - |relay_domains |
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |check_relay_domains | 2.2 | 3.9 |permit_mynetworks, |
+ | | | |reject_unauth_destination|
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |reject_maps_rbl | 2.1 | 3.9 |reject_rbl_client |
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |permit_naked_ip_address | 2.0 | 3.9 |permit_mynetworks, |
+ | | | |permit_sasl_authenticated|
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+
+OObbssoolleettee DDNNSS oonn//ooffff ccoonnffiigguurraattiioonn
+
+The postconf(1) command logs the following:
+
+ * support for parameter "disable_dns_lookups" will be removed; instead,
+ specify "smtp_dns_support_level"
+
+Replace obsolete configuration with its replacement:
+
+ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+ |GGooaall |OObbssoolleettee ccoonnffiigguurraattiioonn |RReeppllaacceemmeenntt |
+ | | |ccoonnffiigguurraattiioonn |
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |To disable DNS lookups|disable_dns_lookups = |smtp_dns_support_level =|
+ |in the Postfix SMTP/ |yes |disabled |
+ |LMTP client | | |
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ | | |Leave |
+ | | |smtp_dns_support_level |
+ |To enable DNS lookups | |at the implicit default |
+ |in the Postfix SMTP/ |disable_dns_lookups = no|which is empty, unless |
+ |LMTP client | |you need a higher |
+ | | |support level such as |
+ | | |DNSSEC. |
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+
+OObbssoolleettee ooppppoorrttuunniissttiicc TTLLSS ccoonnffiigguurraattiioonn
+
+The postconf(1) command logs one of the following:
+
+ * support for parameter "lmtp_use_tls" will be removed; instead, specify
+ "lmtp_tls_security_level"
+ * support for parameter "smtp_use_tls" will be removed; instead, specify
+ "smtp_tls_security_level"
+ * support for parameter "smtpd_use_tls" will be removed; instead, specify
+ "smtpd_tls_security_level"
+
+There are similarly-named parameters and warnings for postscreen(8) and
+tlsproxy(8), but those parameters should rarely be specified by hand.
+
+Replace obsolete configuration with its replacement:
+
+ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+ |GGooaall |OObbssoolleettee ccoonnffiigguurraattiioonn|RReeppllaacceemmeenntt ccoonnffiigguurraattiioonn|
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |To turn off TLS |xxx_use_tls = no |xxx_security_level = none|
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |To turn on opportunistic|xxx_use_tls = yes |xxx_security_level = may |
+ |TLS | | |
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+
+OObbssoolleettee mmaannddaattoorryy TTLLSS ccoonnffiigguurraattiioonn
+
+The postconf(1) command logs one of the following:
+
+ * support for parameter "lmtp_enforce_tls" will be removed; instead, specify
+ "lmtp_tls_security_level"
+ * support for parameter "smtp_enforce_tls" will be removed; instead, specify
+ "smtp_tls_security_level"
+ * support for parameter "smtpd_enforce_tls" will be removed; instead, specify
+ "smtpd_tls_security_level"
+
+There are similarly-named parameters and warnings for postscreen(8) and
+tlsproxy(8), but those parameters should rarely be specified by hand.
+
+Replace obsolete configuration with its replacement:
+
+ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+ |GGooaall |OObbssoolleettee ccoonnffiigguurraattiioonn|RReeppllaacceemmeenntt ccoonnffiigguurraattiioonn|
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |To turn off mandatory |xxx_enforce_tls = no |xxx_security_level = may |
+ |TLS | | |
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |To turn on mandatory TLS|xxx_enforce_tls = yes |xxx_security_level = |
+ | | |encrypt |
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+
+OObbssoolleettee TTLLSS ppoolliiccyy ttaabbllee ccoonnffiigguurraattiioonn
+
+The postconf(1) command logs one of the following:
+
+ * support for parameter "lmtp_tls_per_site" will be removed; instead, specify
+ "lmtp_tls_policy_maps"
+ * support for parameter "smtp_tls_per_site" will be removed; instead, specify
+ "smtp_tls_policy_maps"
+
+There is similarly-named parameter and warning for tlsproxy(8), but that
+parameter should rarely be specified by hand.
+
+Unfortunately, this is more than a name change: the table format has changed
+too, as has the table search process. There is no simple conversion of the
+obsolete form to its replacement.
+
+cchheecckk__rreellaayy__ddoommaaiinnss
+
+Depending on the Postfix version, the Postfix SMTP daemon logs following
+warning:
+
+ * support for restriction "check_relay_domains" has been removed in Postfix
+ 3.9"; instead, specify "reject_unauth_destination"
+ * support for restriction "check_relay_domains" will be removed from Postfix;
+ use "reject_unauth_destination" instead
+
+This feature was removed because it would relay based on the client domain
+name, which is not robust.
+
+Recommended configuration to prevent an "open relay" problem with the SMTP
+service on port 25:
+
+ main.cf:
+ smtpd_recipient_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unauth_destination
+ ...other restrictions...
+
+Or equivalent in smtpd_relay_restrictions.
+
+ppeerrmmiitt__mmxx__bbaacckkuupp
+
+The Postfix version 3.9 and later SMTP daemon logs the following warning:
+
+ * support for restriction "permit_mx_backup" will be removed from Postfix;
+ instead, specify "relay_domains"
+
+This feature will be removed because it is too difficult to configure recipient
+address validation, making Postfix a source of backscatter bounces.
+
+To specify the domains that Postfix will provide MX backup service for, see
+Configuring Postfix as primary or backup MX host for a remote site.
+
+rreejjeecctt__mmaappss__rrbbll
+
+Depending on the Postfix version, the SMTP daemon logs one of the following
+warnings:
+
+ * support for restriction "reject_maps_rbl" has been removed in Postfix 3.9";
+ instead, specify "reject_rbl_client domain-name"
+ * support for restriction "reject_maps_rbl" will be removed from Postfix; use
+ "reject_rbl_client domain-name" instead
+
+This feature was replaced because "MAPS RBL" is the name of a specific
+reputation service. The reject_rbl_client feature provides a superset of the
+reject_maps_rbl functionality.
+
+Recommended configuration:
+
+ main.cf:
+ smtpd_recipient_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unauth_destination
+ reject_rbl_client domain-name
+ ...other restrictions...
+
+Where domain-name is the domain name of a DNS reputation service.
+
+ppeerrmmiitt__nnaakkeedd__iipp__aaddddrreessss
+
+Depending on the Postfix version, the SMTP daemon logs one of the following
+warnings:
+
+ * support for restriction "permit_naked_ip_address" has been removed in
+ Postfix 3.9"; instead, specify "permit_mynetworks" or
+ "permit_sasl_authenticated"
+ * restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or
+ permit_sasl_authenticated instead
+
+This feature was removed because it was easy to get a false match when
+smtpd_recipient_restrictions was intended to match a remote SMTP client IP
+address.
+
+Recommended configuration:
+
+ main.cf:
+ smtpd_recipient_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unauth_destination
+ reject_rbl_client domain-name
+ ...other restrictions...
+
+That is, no restriction on HELO or EHLO syntax. Such restrictions ar rarely
+useful nowadays.
+
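Review bot: In the "Why deprecate?" example, the first bullet gives "smtp_enforce_tls = yes" as the opportunistic-TLS parameter and "smtp_require_tls = yes" as the mandatory one, which contradicts the tables further down in this same file, where xxx_use_tls = yes maps to opportunistic TLS (may) and xxx_enforce_tls = yes maps to mandatory TLS (encrypt); suggest "smtp_use_tls = yes" and "smtp_enforce_tls = yes" in that bullet. The replacement columns of the opportunistic and mandatory TLS tables read "xxx_security_level = ...", while the summary table and the quoted postconf(1) warnings name "xxx_tls_security_level"; an administrator who copies the table cell as written sets a differently named parameter from the one the warning asks for, so "_tls_" should be restored in all four cells. Smaller points: the "has been removed in Postfix 3.9";" warning text in the check_relay_domains, reject_maps_rbl and permit_naked_ip_address sections carries a stray double quote after 3.9 (if that is a verbatim copy of the logged message, the message itself needs the fix); the reject_maps_rbl and permit_naked_ip_address examples omit the comma after reject_unauth_destination that the preceding list entries have; the same bullet list says "added support more features" where "support for" is meant; and "ar rarely" in the closing paragraph should read "are rarely".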