Diffstat (limited to '')
-rw-r--r-- | README_FILES/DEPRECATION_README | 270 |
1 files changed, 270 insertions, 0 deletions
diff --git a/README_FILES/DEPRECATION_README b/README_FILES/DEPRECATION_README new file mode 100644 index 0000000..87cf247 --- /dev/null +++ b/README_FILES/DEPRECATION_README 
@@ -0,0 +1,270 @@ +PPoossttffiixx RReeppllaacceemmeennttss ffoorr DDeepprreeccaatteedd FFeeaattuurreess + +------------------------------------------------------------------------------- + +PPuurrppoossee ooff tthhiiss ddooccuummeenntt + +This document describes Postfix features that are deprecated (will be removed) +or that have already been removed. It also has tips for making an existing +Postfix configuration more future-proof. + +Overview: + + * Why deprecate? + * Deprecation process + * Deprecated features + +WWhhyy ddeepprreeccaattee?? + +Sometimes, a Postfix feature needs to be replaced with a different one. To give +an example: + + * The initial Postfix TLS implementation used multiple boolean parameters: + one parameter to enable opportunistic TLS (for example, "smtp_enforce_tls = + yes") and one parameter to enable mandatory TLS (for example, + "smtp_require_tls = yes"). + + * As we added support more features such as fingerprint, dane, and so on, we + decided not to add more boolean parameters. Instead we introduced one + configuration parameter to select from multiple deployment models (for + example, smtp_tls_security_level = may | encrypt | dane, etc...). + +Having both the "old" and "new" way to configure Postfix is convenient for +existing Postfix installations, because their configuration does not break +after an upgrade to a new version. Unfortunately, there are also disadvantages. +Having multiple ways to do similar things is not only confusing for newcomers, +it also makes Postfix harder to change. + +DDeepprreeccaattiioonn pprroocceessss + +The basic process steps are: + + 1. Inform humans that a feature will be removed, and suggest replacements, in + logging and documentation. + + 2. Remove the feature, and update logging and documentation. + +Disclaimer: it has taken 20 years for some features to be removed. This past is +not a guarantee for the future. 
+ +DDeepprreeccaatteedd ffeeaattuurreess + +The table summarizes removed or deprecated features and replacements. Click on +the "obsolete feature" name for a more detailed description. + + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ + | |WWaarrnniinngg| | | + |OObbssoolleettee ffeeaattuurree nnaammee |aass |RReemmoovveedd |RReeppllaacceemmeenntt | + | |ooff |iinn vveerrssiioonn| | + | |vveerrssiioonn| | | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |disable_dns_lookups | 3.9 | - |smtp_dns_support_level | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |xxx_use_tls | 3.9 | - |xxx_tls_security_level | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |xxx_enforce_tls | 3.9 | - |xxx_tls_security_level | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |xxx_per_site | 3.9 | - |xxx_policy_maps | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |smtpd_tls_dh1024_param_file| 3.9 | - |do not specify (leave at | + | | | |default) | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |smtpd_tls_eecdh_grade | 3.9 | - |do not specify (leave at | + | | | |default) | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |permit_mx_backup | 3.9 | - |relay_domains | + |_ _ _ _ _ _ _ _ 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |check_relay_domains | 2.2 | 3.9 |permit_mynetworks, | + | | | |reject_unauth_destination| + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |reject_maps_rbl | 2.1 | 3.9 |reject_rbl_client | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |permit_naked_ip_address | 2.0 | 3.9 |permit_mynetworks, | + | | | |permit_sasl_authenticated| + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + +OObbssoolleettee DDNNSS oonn//ooffff ccoonnffiigguurraattiioonn + +The postconf(1) command logs the following: + + * support for parameter "disable_dns_lookups" will be removed; instead, + specify "smtp_dns_support_level" + +Replace obsolete configuration with its replacement: + + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ + |GGooaall |OObbssoolleettee ccoonnffiigguurraattiioonn |RReeppllaacceemmeenntt | + | | |ccoonnffiigguurraattiioonn | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |To disable DNS lookups|disable_dns_lookups = |smtp_dns_support_level =| + |in the Postfix SMTP/ |yes |disabled | + |LMTP client | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + | | |Leave | + | | |smtp_dns_support_level | + |To enable DNS lookups | |at the implicit default | + |in the Postfix SMTP/ |disable_dns_lookups = no|which is empty, unless | + |LMTP client | |you 
need a higher | + | | |support level such as | + | | |DNSSEC. | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + +OObbssoolleettee ooppppoorrttuunniissttiicc TTLLSS ccoonnffiigguurraattiioonn + +The postconf(1) command logs one of the following: + + * support for parameter "lmtp_use_tls" will be removed; instead, specify + "lmtp_tls_security_level" + * support for parameter "smtp_use_tls" will be removed; instead, specify + "smtp_tls_security_level" + * support for parameter "smtpd_use_tls" will be removed; instead, specify + "smtpd_tls_security_level" + +There are similarly-named parameters and warnings for postscreen(8) and +tlsproxy(8), but those parameters should rarely be specified by hand. + +Replace obsolete configuration with its replacement: + + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ + |GGooaall |OObbssoolleettee ccoonnffiigguurraattiioonn|RReeppllaacceemmeenntt ccoonnffiigguurraattiioonn| + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |To turn off TLS |xxx_use_tls = no |xxx_security_level = none| + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |To turn on opportunistic|xxx_use_tls = yes |xxx_security_level = may | + |TLS | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + +OObbssoolleettee mmaannddaattoorryy TTLLSS ccoonnffiigguurraattiioonn + +The postconf(1) command logs one of the following: + + * support for parameter "lmtp_enforce_tls" will be removed; instead, specify + "lmtp_tls_security_level" + * support for parameter 
"smtp_enforce_tls" will be removed; instead, specify + "smtp_tls_security_level" + * support for parameter "smtpd_enforce_tls" will be removed; instead, specify + "smtpd_tls_security_level" + +There are similarly-named parameters and warnings for postscreen(8) and +tlsproxy(8), but those parameters should rarely be specified by hand. + +Replace obsolete configuration with its replacement: + + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ + |GGooaall |OObbssoolleettee ccoonnffiigguurraattiioonn|RReeppllaacceemmeenntt ccoonnffiigguurraattiioonn| + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |To turn off mandatory |xxx_enforce_tls = no |xxx_security_level = may | + |TLS | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |To turn on mandatory TLS|xxx_enforce_tls = yes |xxx_security_level = | + | | |encrypt | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + +OObbssoolleettee TTLLSS ppoolliiccyy ttaabbllee ccoonnffiigguurraattiioonn + +The postconf(1) command logs one of the following: + + * support for parameter "lmtp_tls_per_site" will be removed; instead, specify + "lmtp_tls_policy_maps" + * support for parameter "smtp_tls_per_site" will be removed; instead, specify + "smtp_tls_policy_maps" + +There is similarly-named parameter and warning for tlsproxy(8), but that +parameter should rarely be specified by hand. + +Unfortunately, this is more than a name change: the table format has changed +too, as has the table search process. There is no simple conversion of the +obsolete form to its replacement. 
+ +cchheecckk__rreellaayy__ddoommaaiinnss + +Depending on the Postfix version, the Postfix SMTP daemon logs following +warning: + + * support for restriction "check_relay_domains" has been removed in Postfix + 3.9"; instead, specify "reject_unauth_destination" + * support for restriction "check_relay_domains" will be removed from Postfix; + use "reject_unauth_destination" instead + +This feature was removed because it would relay based on the client domain +name, which is not robust. + +Recommended configuration to prevent an "open relay" problem with the SMTP +service on port 25: + + main.cf: + smtpd_recipient_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination + ...other restrictions... + +Or equivalent in smtpd_relay_restrictions. + +ppeerrmmiitt__mmxx__bbaacckkuupp + +The Postfix version 3.9 and later SMTP daemon logs the following warning: + + * support for restriction "permit_mx_backup" will be removed from Postfix; + instead, specify "relay_domains" + +This feature will be removed because it is too difficult to configure recipient +address validation, making Postfix a source of backscatter bounces. + +To specify the domains that Postfix will provide MX backup service for, see +Configuring Postfix as primary or backup MX host for a remote site. + +rreejjeecctt__mmaappss__rrbbll + +Depending on the Postfix version, the SMTP daemon logs one of the following +warnings: + + * support for restriction "reject_maps_rbl" has been removed in Postfix 3.9"; + instead, specify "reject_rbl_client domain-name" + * support for restriction "reject_maps_rbl" will be removed from Postfix; use + "reject_rbl_client domain-name" instead + +This feature was replaced because "MAPS RBL" is the name of a specific +reputation service. The reject_rbl_client feature provides a superset of the +reject_maps_rbl functionality. 
+ +Recommended configuration: + + main.cf: + smtpd_recipient_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination + reject_rbl_client domain-name + ...other restrictions... + +Where domain-name is the domain name of a DNS reputation service. + +ppeerrmmiitt__nnaakkeedd__iipp__aaddddrreessss + +Depending on the Postfix version, the SMTP daemon logs one of the following +warnings: + + * support for restriction "permit_naked_ip_address" has been removed in + Postfix 3.9"; instead, specify "permit_mynetworks" or + "permit_sasl_authenticated" + * restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or + permit_sasl_authenticated instead + +This feature was removed because it was easy to get a false match when +smtpd_recipient_restrictions was intended to match a remote SMTP client IP +address. + +Recommended configuration: + + main.cf: + smtpd_recipient_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination + reject_rbl_client domain-name + ...other restrictions... + +That is, no restriction on HELO or EHLO syntax. Such restrictions ar rarely +useful nowadays. + |
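Review bot: The replacement column in the "Obsolete opportunistic TLS configuration" and "Obsolete mandatory TLS configuration" tables names the parameter "xxx_security_level" (= none, = may, = may, = encrypt), while the summary table and every logged warning in this file call it xxx_tls_security_level, for example "smtp_tls_security_level". A reader who substitutes smtp for xxx ends up with smtp_security_level, which is not the name used anywhere else in the document, so all four cells should read xxx_tls_security_level. The "Why deprecate?" example has a related inconsistency: it gives "smtp_enforce_tls = yes" for opportunistic TLS and "smtp_require_tls = yes" for mandatory TLS, whereas the tables further down map xxx_use_tls to opportunistic and xxx_enforce_tls to mandatory; the example should use the same names as the tables. Smaller points: the quoted messages 'has been removed in Postfix 3.9";' under check_relay_domains, reject_maps_rbl and permit_naked_ip_address carry an unbalanced double quote after 3.9, which should be dropped unless it reproduces the real log text; the main.cf examples under reject_maps_rbl and permit_naked_ip_address have no comma after reject_unauth_destination although the preceding entries do; and there are typos at "added support more features", "logs following warning" (two warnings are listed), "There is similarly-named parameter" and "ar rarely".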