Diffstat (limited to 'README_FILES')
-rw-r--r-- README_FILES/AAAREADME | 2
-rw-r--r-- README_FILES/ADDRESS_CLASS_README | 76
-rw-r--r-- README_FILES/ADDRESS_REWRITING_README | 223
-rw-r--r-- README_FILES/COMPATIBILITY_README | 64
-rw-r--r-- README_FILES/DATABASE_README | 5
-rw-r--r-- README_FILES/DEPRECATION_README | 270
-rw-r--r-- README_FILES/INSTALL | 44
-rw-r--r-- README_FILES/LOCAL_RECIPIENT_README | 2
-rw-r--r-- README_FILES/MAILLOG_README | 10
-rw-r--r-- README_FILES/MILTER_README | 6
-rw-r--r-- README_FILES/MONGODB_README | 188
-rw-r--r-- README_FILES/POSTSCREEN_README | 4
-rw-r--r-- README_FILES/TLS_README | 120
13 files changed, 785 insertions, 229 deletions
diff --git a/README_FILES/AAAREADME b/README_FILES/AAAREADME index 9afa3b7..94d552e 100644 --- a/README_FILES/AAAREADME +++ b/README_FILES/AAAREADME @@ -15,6 +15,7 @@ GGeenneerraall ccoonnffiigguurraattiioonn * SMTPUTF8_README: SMTPUTF8 Support * MAILLOG_README: Postfix logging to file or stdout * COMPATIBILITY_README: Backwards-Compatibility Safety Net + * DEPRECATION_README: Deprecated features and alternatives * INSTALL: Installation from source code PPrroobblleemm ssoollvviinngg @@ -52,6 +53,7 @@ LLooookkuupp ttaabblleess ((ddaattaabbaasseess)) * LDAP_README: LDAP Howto * LMDB_README: LMDB Howto * MEMCACHE_README: Memcache Howto + * MONGODB_README: MongoDB Howto * MYSQL_README: MySQL Howto * PCRE_README: PCRE Howto * PGSQL_README: PostgreSQL Howto diff --git a/README_FILES/ADDRESS_CLASS_README b/README_FILES/ADDRESS_CLASS_README index 7605aa2..774976e 100644 --- a/README_FILES/ADDRESS_CLASS_README +++ b/README_FILES/ADDRESS_CLASS_README 
@@ -25,18 +25,23 @@ important for the operation of Postfix. An address class is defined by three items. - * The list of domains that are a member of that address class: for example, - all local domains, or all relay domains. + * The list of domains that are a member of that address class. - * The default delivery transport for that address class. For example, the - local, virtual or relay delivery transport (delivery transports are defined - in master.cf). This helps to keep Postfix configurations simple, by - avoiding the need for explicit routing information in transport maps. + Examples: all local domains, or all relay domains. - * The list of valid recipient addresses for that address class. The Postfix - SMTP server rejects invalid recipients with "User unknown in <name of - address class here> table". This helps to keep the Postfix queue free of - undeliverable MAILER-DAEMON messages. + * The default delivery transport for domains in that address class. + + Examples: local_transport or relay_transport (these point to services + defined in master.cf). + + Benefit: this avoids the need for explicit routing information in transport + maps. + + * The list of valid recipient addresses for that address class. + + Benefit: the Postfix SMTP server rejects an invalid recipient with "User + unknown in <name of address class> table", and avoids sending a MAILER- + DAEMON message with backscatter spam. WWhhaatt aaddddrreessss ccllaasssseess ddooeess PPoossttffiixx iimmpplleemmeenntt?? 
@@ -56,11 +61,11 @@ The local domain class. also includes mail for user@[ipaddress] when the IP address is listed with the inet_interfaces or proxy_interfaces parameters. - * Valid recipient addresses are listed with the local_recipient_maps - parameter, as described in LOCAL_RECIPIENT_README. The Postfix SMTP server - rejects invalid recipients with "User unknown in local recipient table". If - the local_recipient_maps parameter value is empty, then the Postfix SMTP - server accepts any address in the local domain class. + * Valid recipient addresses for those domains are listed with the + local_recipient_maps parameter, as described in LOCAL_RECIPIENT_README. The + Postfix SMTP server rejects invalid recipients with "User unknown in local + recipient table". If the local_recipient_maps parameter value is empty, + then the Postfix SMTP server accepts any address in the local domain class. * The mail delivery transport is specified with the local_transport parameter. The default value is llooccaall::$$mmyyhhoossttnnaammee for delivery with the 
@@ -69,20 +74,23 @@ The local domain class. The virtual alias domain class. * Purpose: hosted domains where each recipient address is aliased to an - address in a different domain, for example, a local UNIX system account or - a remote address. A virtual alias example is given in the VIRTUAL_README - file. + address in a different domain class, for example, a local UNIX system + account or a remote address. A virtual alias example is given in the + VIRTUAL_README file. * Domain names are listed in virtual_alias_domains. The default value is $virtual_alias_maps for Postfix 1.1 compatibility. - * Valid recipient addresses are listed with the virtual_alias_maps parameter. - The Postfix SMTP server rejects invalid recipients with "User unknown in - virtual alias table". The default value is $virtual_maps for Postfix 1.1 - compatibility. + * Valid recipient addresses for those domains are listed with the + virtual_alias_maps parameter. The Postfix SMTP server rejects invalid + recipients with "User unknown in virtual alias table". The default value is + $virtual_maps for Postfix 1.1 compatibility. + + Note: for historical reasons, virtual_alias_maps apply to recipients in + all domain classes, not only the virtual alias domain class. - * There is no mail delivery transport parameter. Every address must be - aliased to an address in some other domain. + * There is no configurable mail delivery transport. Every address must be + aliased to an address in some other domain class. The virtual mailbox domain class. 
@@ -93,11 +101,11 @@ The virtual mailbox domain class. * Domain names are listed with the virtual_mailbox_domains parameter. The default value is $virtual_mailbox_maps for Postfix 1.1 compatibility. - * Valid recipient addresses are listed with the virtual_mailbox_maps - parameter. The Postfix SMTP server rejects invalid recipients with "User - unknown in virtual mailbox table". If this parameter value is empty, the - Postfix SMTP server accepts all recipients for domains listed in - $virtual_mailbox_domains. + * Valid recipient addresses for those domains are listed with the + virtual_mailbox_maps parameter. The Postfix SMTP server rejects invalid + recipients with "User unknown in virtual mailbox table". If this parameter + value is empty, the Postfix SMTP server accepts all recipients for domains + listed in $virtual_mailbox_domains. * The mail delivery transport is specified with the virtual_transport parameter. The default value is vviirrttuuaall for delivery with the virtual(8) @@ -113,11 +121,11 @@ The relay domain class. * Domain names are listed with the relay_domains parameter. - * Valid recipient addresses are listed with the relay_recipient_maps - parameter. The Postfix SMTP server rejects invalid recipients with "User - unknown in relay recipient table". If this parameter value is empty, the - Postfix SMTP server accepts all recipients for domains listed with the - relay_domains parameter. + * Valid recipient addresses for those domains are listed with the + relay_recipient_maps parameter. The Postfix SMTP server rejects invalid + recipients with "User unknown in relay recipient table". If this parameter + value is empty, the Postfix SMTP server accepts all recipients for domains + listed with the relay_domains parameter. * The mail delivery transport is specified with the relay_transport parameter. The default value is rreellaayy which is a clone of the smtp(8) 
diff --git a/README_FILES/ADDRESS_REWRITING_README b/README_FILES/ADDRESS_REWRITING_README index 78237b9..4c24287 100644 --- a/README_FILES/ADDRESS_REWRITING_README +++ b/README_FILES/ADDRESS_REWRITING_README @@ -51,8 +51,7 @@ Topics covered in this document: * Address rewriting when mail is delivered - o Resolve address to destination - o Mail transport switch + o Resolve address to (transport, next-hop destination) o Relocated users table * Address rewriting with remote delivery 
@@ -131,59 +130,57 @@ this document for the first time, skip forward to "Address rewriting when mail is received". Once you've finished reading the remainder of this document, the table will help you to quickly find what you need. - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - |AAddddrreessss |SSccooppee |DDaaeemmoonn |GGlloobbaall ttuurrnn--oonn |SSeelleeccttiivvee ttuurrnn--ooffff ccoonnttrrooll | - |mmaanniippuullaattiioonn| | |ccoonnttrrooll | | - |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |Rewrite | |trivial-|append_at_myorigin, | | - |addresses to|all mail|rewrite |append_dot_mydomain,|local_header_rewrite_clients,| - |standard | |(8) |swap_bangpath, |remote_header_rewrite_domain | - |form | | |allow_percent_hack | | - |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |Canonical | |cleanup | |receive_override_options, | - |address |all mail|(8) |canonical_maps |local_header_rewrite_clients,| - |mapping | | | |remote_header_rewrite_domain | - |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |Address | |cleanup | |receive_override_options, | - |masquerading|all mail|(8) |masquerade_domains |local_header_rewrite_clients,| - | | | | |remote_header_rewrite_domain | - |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |Automatic | |cleanup |always_bcc, | | - |BCC |new mail|(8) |sender_bcc_maps, |receive_override_options | - |recipients | | |recipient_bcc_maps | | - |_ _ _ _ _ _ _ _ 
_ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |Virtual |all mail|cleanup |virtual_alias_maps |receive_override_options | - |aliasing | |(8) | | | - |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |Resolve | |trivial-| | | - |address to |all mail|rewrite |none |none | - |destination | |(8) | | | - |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |Mail | |trivial-| | | - |transport |all mail|rewrite |transport_maps |none | - |switch | |(8) | | | - |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |Relocated | |trivial-| | | - |users table |all mail|rewrite |relocated_maps |none | - | | |(8) | | | - |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |Generic |outgoing| | | | - |mapping |SMTP |smtp(8) |smtp_generic_maps |none | - |table |mail | | | | - |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |Local alias |local | | | | - |database |mail |local(8)|alias_maps |none | - | |only | | | | - |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |Local per- |local | | | | - |user |mail |local(8)|forward_path |none | - |.forward |only | | | | - |files | | | | | - |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |Local catch-|local | | | | - |all address |mail |local(8)|luser_relay |none | - | |only | | | | - |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ + |AAddddrreessss |SSccooppee |DDaaeemmoonn |TTuurrnn--oonn ccoonnttrroollss |TTuurrnn--ooffff ccoonnttrroollss | + |mmaanniippuullaattiioonn| | | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |Rewrite | |trivial-|append_at_myorigin, | | + |addresses to|all mail|rewrite |append_dot_mydomain, swap_bangpath, |local_header_rewrite_clients,| + |standard | |(8) |allow_percent_hack |remote_header_rewrite_domain | + |form | | | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |Canonical | |cleanup | |receive_override_options, | + |address |all mail|(8) |canonical_maps |local_header_rewrite_clients,| + |mapping | | | |remote_header_rewrite_domain | + |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |Address | |cleanup | |receive_override_options, | + |masquerading|all mail|(8) |masquerade_domains |local_header_rewrite_clients,| + | | | | |remote_header_rewrite_domain | + |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |Automatic | |cleanup |always_bcc, sender_bcc_maps, | | + |BCC |new mail|(8) |recipient_bcc_maps |receive_override_options | + |recipients | | | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |Virtual |all mail|cleanup |virtual_alias_maps |receive_override_options | + |aliasing | |(8) | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |Resolve | | |local_transport, virtual_transport, | | + |address to | |trivial-|relay_transport, default_transport, | | + |(transport, |all mail|rewrite |relayhost, |content_filter | + |next-hop | |(8) |sender_dependent_relayhost_maps, | | + |destination)| | |sender_dependent_default_transport_maps| | + |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |Relocated | |trivial-| | | + |users table |all mail|rewrite |relocated_maps |none | + | | |(8) | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |Generic |outgoing| | | | + |mapping |SMTP |smtp(8) |smtp_generic_maps |none | + |table |mail | | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |Local alias |local | | | | + |database |mail |local(8)|alias_maps |none | + | |only | | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ 
_ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |Local per- |local | | | | + |user |mail |local(8)|forward_path |none | + |.forward |only | | | | + |files | | | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |Local catch-|local | | | | + |all address |mail |local(8)|luser_relay |none | + | |only | | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | AAddddrreessss rreewwrriittiinngg wwhheenn mmaaiill iiss rreecceeiivveedd @@ -492,6 +489,10 @@ transform " Firstname.Lastname " back into UNIX login names, although it seems that local aliases may be a more appropriate vehicle. See the VIRTUAL_README document for an overview of methods to host virtual domains with Postfix. +Note: virtual aliasing (virtual_alias_maps) applies to all recipients: local +(8), virtual, and remote. This is unlike local aliasing (alias_maps) which +applies only to local(8) recipients. + Virtual aliasing is disabled by default. To enable, edit the virtual_alias_maps parameter in the main.cf file and specify one or more lookup tables, separated by whitespace or commas. @@ -537,8 +538,7 @@ manipulations to the trivial-rewrite(8) server. Address manipulations at this stage are: - * Resolve address to destination - * Mail transport switch + * Resolve address to (transport, next-hop destination) * Relocated users table Each Postfix delivery agent tries to deliver the mail to its destination, while 
@@ -560,49 +560,82 @@ Address manipulations when mail is delivered via the local(8) delivery agent: The remainder of this document presents each address manipulation step in more detail, with specific examples or with pointers to documentation with examples. -RReessoollvvee aaddddrreessss ttoo ddeessttiinnaattiioonn +RReessoollvvee aaddddrreessss ttoo ((ttrraannssppoorrtt,, nneexxtt--hhoopp ddeessttiinnaattiioonn)) The Postfix qmgr(8) queue manager selects new mail from the incoming queue or -old mail from the deferred queue, and asks the trivial-rewrite(8) address -rewriting and resolving daemon where it should be delivered. - -As of version 2.0, Postfix distinguishes four major address classes. Each class -has its own list of domain names, and each class has its own default delivery +old mail from the deferred queue. First it looks for overrides: + + * The REDIRECT action in access(5), header_checks(5) or body_checks(5) + overrides all recipients of the message, and overrides a content_filter + setting, and FILTER action in access(5), header_checks(5) or body_checks + (5). The REDIRECT action was implemented as a short-cut to retaliate for + abuse. + + * A content_filter setting and FILTER action in access(5), header_checks(5) + or body_checks(5) provide their own (transport, next-hop destination) + information. This bypasses all the steps that are described in the + remainder of this section. + +When there is no content filter override, the qmgr(8) queue manager asks the +trivial-rewrite(8) address rewriting and resolving daemon for each recipient +how to deliver it (which message delivery transport) and where to deliver it +(what next-hop destination). + +As of version 2.0, Postfix distinguishes four major domain classes. Each class +has its own list of recipient domain names, and each class has its own delivery method, as shown in the table below. See the ADDRESS_CLASS_README document for the fine details. 
Postfix versions before 2.0 only distinguish between local delivery and everything else. - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - |DDeessttiinnaattiioonn ddoommaaiinn lliisstt |DDeeffaauulltt ddeelliivveerryy mmeetthhoodd|AAvvaaiillaabbiilliittyy| - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |$mydestination, $inet_interfaces,|$local_transport |Postfix 1.0 | - |$proxy_interfaces | | | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |$virtual_mailbox_domains |$virtual_transport |Postfix 2.0 | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |$relay_domains |$relay_transport |Postfix 2.0 | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |none |$default_transport |Postfix 1.0 | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - -MMaaiill ttrraannssppoorrtt sswwiittcchh - -Once the trivial-rewrite(8) daemon has determined a default delivery method it -searches the optional transport(5) table for information that overrides the -message destination and/or delivery method. Typical use of the transport(5) -table is to send mail to a system that is not connected to the Internet, or to -use a special SMTP client configuration for destinations that have special -requirements. See, for example, the STANDARD_CONFIGURATION_README and -UUCP_README documents, and the examples in the transport(5) manual page. - -Transport table lookups are disabled by default. 
To enable, edit the -transport_maps parameter in the main.cf file and specify one or more lookup -tables, separated by whitespace or commas. +Note that the table does not match recipients against virtual_alias_domains. +The reason is that all valid recipients in a virtual alias domain must be +aliased to an address in a different domain. All other recipients in a virtual +alias domain are by definition undeliverable, and do not need to be considered +here. -Example: - - /etc/postfix/main.cf: - transport_maps = hash:/etc/postfix/transport + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ + |DDoommaaiinn ccllaassss |RReecciippiieenntt ddoommaaiinn mmaattcchh |DDeelliivveerryy mmeetthhoodd |AAvvaaiillaabbiilliittyy| + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | + | |mydestination, | | | + |Local |inet_interfaces, |local_transport |Postfix 1.0 | + | |proxy_interfaces | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | + |Virtual mailbox|virtual_mailbox_domains|virtual_transport|Postfix 2.0 | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | + |Relay |relay_domains |relay_transport |Postfix 2.0 | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | + |Default |none |default_transport|Postfix 1.0 | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | + +The delivery methods in the above table may include a next-hop destination in +addition to a delivery transport. 
This may override the next-hop destination +that is by default taken from the recipient domain. + +Over time, features have been added to override the above transport and/or +next-hop destination information. The following table lists where a transport +or next-hop destination may be taken from, depending on the recipient domain +class. + + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ + |DDoommaaiinn |TTrraannssppoorrtt ssoouurrcceess ((iinn oorrddeerr ooff |NNeexxtt hhoopp ssoouurrcceess ((iinn oorrddeerr ooff ddeesscceennddiinngg| + |ccllaassss |ddeesscceennddiinngg pprreecceeddeennccee)) |pprreecceeddeennccee)) | + |_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |Local |transport_maps, local_transport |transport_maps, local_transport, | + | | |recipient domain | + |_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |Virtual|transport_maps, virtual_transport |transport_maps, virtual_transport, | + |mailbox| |recipient domain | + |_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + | | |transport_maps, relay_transport, | + |Relay |transport_maps, relay_transport |sender_dependent_relayhost_maps, | + | | |relayhost, recipient domain | + |_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + | | |transport_maps, | + | |transport_maps, |sender_dependent_default_transport_maps,| + 
|Default|sender_dependent_default_transport_maps,|default_transport, | + | |default_transport |sender_dependent_relayhost_maps, | + | | |relayhost, recipient domain | + |_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | RReellooccaatteedd uusseerrss ttaabbllee @@ -674,6 +707,10 @@ implement distribution lists, or to direct mail for standard aliases such as postmaster to real people. The table can also be used to map "Firstname.Lastname" addresses to login names. +Note: local aliasing (alias_maps) applies only to local(8) recipients. This is +unlike virtual aliasing (virtual_alias_maps) which applies to all recipients: +local(8), virtual, and remote. + Alias lookups are enabled by default. The default configuration depends on the operating system environment, but it is typically one of the following: diff --git a/README_FILES/COMPATIBILITY_README b/README_FILES/COMPATIBILITY_README index 55182b7..aa9e7f6 100644 --- a/README_FILES/COMPATIBILITY_README +++ b/README_FILES/COMPATIBILITY_README @@ -33,17 +33,17 @@ Logged with compatibility_level < 1: * Using backwards-compatible default setting chroot=y -Logged with compatibility_level < 2: - * Using backwards-compatible default setting "smtpd_relay_restrictions = (empty)" + * Using backwards-compatible default setting smtputf8_enable=no + +Logged with compatibility_level < 2: + * Using backwards-compatible default setting mynetworks_style=subnet * Using backwards-compatible default setting relay_domains=$mydestination - * Using backwards-compatible default setting smtputf8_enable=no - Logged with compatibility_level < 3.6: * Using backwards-compatible default setting smtpd_tls_fingerprint_digest=md5 
@@ -152,6 +152,34 @@ permanent in main.cf: # ppoossttccoonnff ssmmttppdd__rreellaayy__rreessttrriiccttiioonnss== # ppoossttffiixx rreellooaadd +UUssiinngg bbaacckkwwaarrddss--ccoommppaattiibbllee ddeeffaauulltt sseettttiinngg ssmmttppuuttff88__eennaabbllee==nnoo + +The smtputf8_enable default value has changed from "no" to "yes". With the new +"yes" setting, the Postfix SMTP server rejects non-ASCII addresses from clients +that don't request SMTPUTF8 support, after Postfix is updated from an older +version. The backwards-compatibility safety net is designed to prevent such +surprises. + +As long as the smtputf8_enable parameter is left at its implicit default value, +and the compatibility_level setting is less than 1, Postfix logs a warning each +time an SMTP command uses a non-ASCII address localpart without requesting +SMTPUTF8 support: + + postfix/smtpd[27560]: using backwards-compatible default setting + smtputf8_enable=no to accept non-ASCII sender address + "??@example.org" from localhost[127.0.0.1] + + postfix/smtpd[27560]: using backwards-compatible default setting + smtputf8_enable=no to accept non-ASCII recipient address + "??@example.com" from localhost[127.0.0.1] + +If the address should not be rejected, and the client cannot be updated to use +SMTPUTF8, then the system administrator should make the backwards-compatible +setting "smtputf8_enable = no" permanent in main.cf: + + # ppoossttccoonnff ssmmttppuuttff88__eennaabbllee==nnoo + # ppoossttffiixx rreellooaadd + UUssiinngg bbaacckkwwaarrddss--ccoommppaattiibbllee ddeeffaauulltt sseettttiinngg mmyynneettwwoorrkkss__ssttyyllee==ssuubbnneett The mynetworks_style default value has changed from "subnet" to "host". This 
@@ -223,34 +251,6 @@ Note: quotes are required as indicated above. Instead of $mydestination, it may be better to specify an explicit list of domain names. -UUssiinngg bbaacckkwwaarrddss--ccoommppaattiibbllee ddeeffaauulltt sseettttiinngg ssmmttppuuttff88__eennaabbllee==nnoo - -The smtputf8_enable default value has changed from "no" to "yes". With the new -"yes" setting, the Postfix SMTP server rejects non-ASCII addresses from clients -that don't request SMTPUTF8 support, after Postfix is updated from an older -version. The backwards-compatibility safety net is designed to prevent such -surprises. - -As long as the smtputf8_enable parameter is left at its implicit default value, -and the compatibility_level setting is less than 1, Postfix logs a warning each -time an SMTP command uses a non-ASCII address localpart without requesting -SMTPUTF8 support: - - postfix/smtpd[27560]: using backwards-compatible default setting - smtputf8_enable=no to accept non-ASCII sender address - "??@example.org" from localhost[127.0.0.1] - - postfix/smtpd[27560]: using backwards-compatible default setting - smtputf8_enable=no to accept non-ASCII recipient address - "??@example.com" from localhost[127.0.0.1] - -If the address should not be rejected, and the client cannot be updated to use -SMTPUTF8, then the system administrator should make the backwards-compatible -setting "smtputf8_enable = no" permanent in main.cf: - - # ppoossttccoonnff ssmmttppuuttff88__eennaabbllee==nnoo - # ppoossttffiixx rreellooaadd - UUssiinngg bbaacckkwwaarrddss--ccoommppaattiibbllee ddeeffaauulltt sseettttiinngg ssmmttppdd__ttllss__ffiinnggeerrpprriinntt__ddiiggeesstt==mmdd55 The smtpd_tls_fingerprint_digest default value has changed from "md5" to diff --git a/README_FILES/DATABASE_README b/README_FILES/DATABASE_README index 3fd88c3..f1629e9 100644 --- a/README_FILES/DATABASE_README +++ b/README_FILES/DATABASE_README 
@@ -28,7 +28,7 @@ Examples of lookup tables that appear often in the Postfix documentation: alias_maps = hash:/etc/postfix/aliases (local aliasing) header_checks = regexp:/etc/postfix/header_checks (content filtering) transport_maps = hash:/etc/postfix/transport (routing table) - virtual_alias_maps = hash:/etc/postfix/virtual (address rewriting) + virtual_alias_maps = hash:/etc/postfix/virtual (virtual aliasing) All Postfix lookup tables store information as (key, value) pairs. This interface may seem simplistic at first, but it turns out to be very powerful. @@ -236,6 +236,9 @@ To find out what database types your Postfix system supports, use the "ppooss mmeemmccaacchhee Memcache database client. Configuration details are given in memcache_table(5). + mmoonnggooddbb (read-only) + MongoDB database client. Configuration details are given in + mongodb_table(5), with examples in MONGODB_README. mmyyssqqll (read-only) MySQL database client. Configuration details are given in mysql_table (5). diff --git a/README_FILES/DEPRECATION_README b/README_FILES/DEPRECATION_README new file mode 100644 index 0000000..87cf247 --- /dev/null +++ b/README_FILES/DEPRECATION_README 
@@ -0,0 +1,270 @@ +PPoossttffiixx RReeppllaacceemmeennttss ffoorr DDeepprreeccaatteedd FFeeaattuurreess + +------------------------------------------------------------------------------- + +PPuurrppoossee ooff tthhiiss ddooccuummeenntt + +This document describes Postfix features that are deprecated (will be removed) +or that have already been removed. It also has tips for making an existing +Postfix configuration more future-proof. + +Overview: + + * Why deprecate? + * Deprecation process + * Deprecated features + +WWhhyy ddeepprreeccaattee?? + +Sometimes, a Postfix feature needs to be replaced with a different one. To give +an example: + + * The initial Postfix TLS implementation used multiple boolean parameters: + one parameter to enable opportunistic TLS (for example, "smtp_enforce_tls = + yes") and one parameter to enable mandatory TLS (for example, + "smtp_require_tls = yes"). + + * As we added support more features such as fingerprint, dane, and so on, we + decided not to add more boolean parameters. Instead we introduced one + configuration parameter to select from multiple deployment models (for + example, smtp_tls_security_level = may | encrypt | dane, etc...). + +Having both the "old" and "new" way to configure Postfix is convenient for +existing Postfix installations, because their configuration does not break +after an upgrade to a new version. Unfortunately, there are also disadvantages. +Having multiple ways to do similar things is not only confusing for newcomers, +it also makes Postfix harder to change. + +DDeepprreeccaattiioonn pprroocceessss + +The basic process steps are: + + 1. Inform humans that a feature will be removed, and suggest replacements, in + logging and documentation. + + 2. Remove the feature, and update logging and documentation. + +Disclaimer: it has taken 20 years for some features to be removed. This past is +not a guarantee for the future. 
+ +DDeepprreeccaatteedd ffeeaattuurreess + +The table summarizes removed or deprecated features and replacements. Click on +the "obsolete feature" name for a more detailed description. + + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ + | |WWaarrnniinngg| | | + |OObbssoolleettee ffeeaattuurree nnaammee |aass |RReemmoovveedd |RReeppllaacceemmeenntt | + | |ooff |iinn vveerrssiioonn| | + | |vveerrssiioonn| | | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |disable_dns_lookups | 3.9 | - |smtp_dns_support_level | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |xxx_use_tls | 3.9 | - |xxx_tls_security_level | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |xxx_enforce_tls | 3.9 | - |xxx_tls_security_level | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |xxx_per_site | 3.9 | - |xxx_policy_maps | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |smtpd_tls_dh1024_param_file| 3.9 | - |do not specify (leave at | + | | | |default) | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |smtpd_tls_eecdh_grade | 3.9 | - |do not specify (leave at | + | | | |default) | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |permit_mx_backup | 3.9 | - |relay_domains | + |_ _ _ _ _ _ _ _ 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |check_relay_domains | 2.2 | 3.9 |permit_mynetworks, | + | | | |reject_unauth_destination| + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |reject_maps_rbl | 2.1 | 3.9 |reject_rbl_client | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |permit_naked_ip_address | 2.0 | 3.9 |permit_mynetworks, | + | | | |permit_sasl_authenticated| + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + +OObbssoolleettee DDNNSS oonn//ooffff ccoonnffiigguurraattiioonn + +The postconf(1) command logs the following: + + * support for parameter "disable_dns_lookups" will be removed; instead, + specify "smtp_dns_support_level" + +Replace obsolete configuration with its replacement: + + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ + |GGooaall |OObbssoolleettee ccoonnffiigguurraattiioonn |RReeppllaacceemmeenntt | + | | |ccoonnffiigguurraattiioonn | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |To disable DNS lookups|disable_dns_lookups = |smtp_dns_support_level =| + |in the Postfix SMTP/ |yes |disabled | + |LMTP client | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + | | |Leave | + | | |smtp_dns_support_level | + |To enable DNS lookups | |at the implicit default | + |in the Postfix SMTP/ |disable_dns_lookups = no|which is empty, unless | + |LMTP client | |you 
need a higher | + | | |support level such as | + | | |DNSSEC. | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + +OObbssoolleettee ooppppoorrttuunniissttiicc TTLLSS ccoonnffiigguurraattiioonn + +The postconf(1) command logs one of the following: + + * support for parameter "lmtp_use_tls" will be removed; instead, specify + "lmtp_tls_security_level" + * support for parameter "smtp_use_tls" will be removed; instead, specify + "smtp_tls_security_level" + * support for parameter "smtpd_use_tls" will be removed; instead, specify + "smtpd_tls_security_level" + +There are similarly-named parameters and warnings for postscreen(8) and +tlsproxy(8), but those parameters should rarely be specified by hand. + +Replace obsolete configuration with its replacement: + + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ + |GGooaall |OObbssoolleettee ccoonnffiigguurraattiioonn|RReeppllaacceemmeenntt ccoonnffiigguurraattiioonn| + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |To turn off TLS |xxx_use_tls = no |xxx_security_level = none| + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |To turn on opportunistic|xxx_use_tls = yes |xxx_security_level = may | + |TLS | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + +OObbssoolleettee mmaannddaattoorryy TTLLSS ccoonnffiigguurraattiioonn + +The postconf(1) command logs one of the following: + + * support for parameter "lmtp_enforce_tls" will be removed; instead, specify + "lmtp_tls_security_level" + * support for parameter 
"smtp_enforce_tls" will be removed; instead, specify + "smtp_tls_security_level" + * support for parameter "smtpd_enforce_tls" will be removed; instead, specify + "smtpd_tls_security_level" + +There are similarly-named parameters and warnings for postscreen(8) and +tlsproxy(8), but those parameters should rarely be specified by hand. + +Replace obsolete configuration with its replacement: + + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ + |GGooaall |OObbssoolleettee ccoonnffiigguurraattiioonn|RReeppllaacceemmeenntt ccoonnffiigguurraattiioonn| + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |To turn off mandatory |xxx_enforce_tls = no |xxx_security_level = may | + |TLS | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |To turn on mandatory TLS|xxx_enforce_tls = yes |xxx_security_level = | + | | |encrypt | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + +OObbssoolleettee TTLLSS ppoolliiccyy ttaabbllee ccoonnffiigguurraattiioonn + +The postconf(1) command logs one of the following: + + * support for parameter "lmtp_tls_per_site" will be removed; instead, specify + "lmtp_tls_policy_maps" + * support for parameter "smtp_tls_per_site" will be removed; instead, specify + "smtp_tls_policy_maps" + +There is similarly-named parameter and warning for tlsproxy(8), but that +parameter should rarely be specified by hand. + +Unfortunately, this is more than a name change: the table format has changed +too, as has the table search process. There is no simple conversion of the +obsolete form to its replacement. 
+ +cchheecckk__rreellaayy__ddoommaaiinnss + +Depending on the Postfix version, the Postfix SMTP daemon logs following +warning: + + * support for restriction "check_relay_domains" has been removed in Postfix + 3.9"; instead, specify "reject_unauth_destination" + * support for restriction "check_relay_domains" will be removed from Postfix; + use "reject_unauth_destination" instead + +This feature was removed because it would relay based on the client domain +name, which is not robust. + +Recommended configuration to prevent an "open relay" problem with the SMTP +service on port 25: + + main.cf: + smtpd_recipient_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination + ...other restrictions... + +Or equivalent in smtpd_relay_restrictions. + +ppeerrmmiitt__mmxx__bbaacckkuupp + +The Postfix version 3.9 and later SMTP daemon logs the following warning: + + * support for restriction "permit_mx_backup" will be removed from Postfix; + instead, specify "relay_domains" + +This feature will be removed because it is too difficult to configure recipient +address validation, making Postfix a source of backscatter bounces. + +To specify the domains that Postfix will provide MX backup service for, see +Configuring Postfix as primary or backup MX host for a remote site. + +rreejjeecctt__mmaappss__rrbbll + +Depending on the Postfix version, the SMTP daemon logs one of the following +warnings: + + * support for restriction "reject_maps_rbl" has been removed in Postfix 3.9"; + instead, specify "reject_rbl_client domain-name" + * support for restriction "reject_maps_rbl" will be removed from Postfix; use + "reject_rbl_client domain-name" instead + +This feature was replaced because "MAPS RBL" is the name of a specific +reputation service. The reject_rbl_client feature provides a superset of the +reject_maps_rbl functionality. 
+ +Recommended configuration: + + main.cf: + smtpd_recipient_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination + reject_rbl_client domain-name + ...other restrictions... + +Where domain-name is the domain name of a DNS reputation service. + +ppeerrmmiitt__nnaakkeedd__iipp__aaddddrreessss + +Depending on the Postfix version, the SMTP daemon logs one of the following +warnings: + + * support for restriction "permit_naked_ip_address" has been removed in + Postfix 3.9"; instead, specify "permit_mynetworks" or + "permit_sasl_authenticated" + * restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or + permit_sasl_authenticated instead + +This feature was removed because it was easy to get a false match when +smtpd_recipient_restrictions was intended to match a remote SMTP client IP +address. + +Recommended configuration: + + main.cf: + smtpd_recipient_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination + reject_rbl_client domain-name + ...other restrictions... + +That is, no restriction on HELO or EHLO syntax. Such restrictions ar rarely +useful nowadays. + diff --git a/README_FILES/INSTALL b/README_FILES/INSTALL index 09d0f80..85ed2cc 100644 --- a/README_FILES/INSTALL +++ b/README_FILES/INSTALL 
@@ -376,27 +376,29 @@ whistles. Support for third-party databases etc. must be configured when Postfix is compiled. The following documents describe how to build Postfix with support for optional features: - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - |OOppttiioonnaall ffeeaattuurree |DDooccuummeenntt |AAvvaaiillaabbiilliittyy| - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |Berkeley DB database |DB_README |Postfix 1.0 | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |LMDB database |LMDB_README |Postfix 2.11| - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |LDAP database |LDAP_README |Postfix 1.0 | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |MySQL database |MYSQL_README |Postfix 1.0 | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |Perl compatible regular expression|PCRE_README |Postfix 1.0 | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |PostgreSQL database |PGSQL_README |Postfix 2.0 | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |SASL authentication |SASL_README |Postfix 1.0 | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |SQLite database |SQLITE_README|Postfix 2.8 | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | - |STARTTLS session encryption |TLS_README 
|Postfix 2.2 | - |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ + |OOppttiioonnaall ffeeaattuurree |DDooccuummeenntt |AAvvaaiillaabbiilliittyy| + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | + |Berkeley DB database |DB_README |Postfix 1.0 | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | + |LMDB database |LMDB_README |Postfix 2.11| + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | + |LDAP database |LDAP_README |Postfix 1.0 | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | + |MongoDB database |MONGODB_README|Postfix 3.9 | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | + |MySQL database |MYSQL_README |Postfix 1.0 | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | + |Perl compatible regular expression|PCRE_README |Postfix 1.0 | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | + |PostgreSQL database |PGSQL_README |Postfix 2.0 | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | + |SASL authentication |SASL_README |Postfix 1.0 | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | + |SQLite database |SQLITE_README |Postfix 2.8 | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | + |STARTTLS session encryption |TLS_README |Postfix 2.2 | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ | Note: IP version 6 support is compiled into Postfix on operating systems that have IPv6 support. See the IPV6_README file for details. diff --git a/README_FILES/LOCAL_RECIPIENT_README b/README_FILES/LOCAL_RECIPIENT_README index ea4ce25..c8b97bd 100644 --- a/README_FILES/LOCAL_RECIPIENT_README +++ b/README_FILES/LOCAL_RECIPIENT_README @@ -30,7 +30,7 @@ addresses of local recipients. A recipient address is local when its domain matches $mydestination, $inet_interfaces or $proxy_interfaces. If a local username or address is not listed in $local_recipient_maps, then the Postfix SMTP server will reject the address with "User unknown in local recipient -table". +table". Other Postfix interfaces may still accept an "unknown" recipient. The default setting, shown below, assumes that you use the default Postfix local(8) delivery agent for local delivery, where recipients are either UNIX diff --git a/README_FILES/MAILLOG_README b/README_FILES/MAILLOG_README index 6f8fead..75fa4b5 100644 --- a/README_FILES/MAILLOG_README +++ b/README_FILES/MAILLOG_README @@ -30,8 +30,14 @@ problems for systemd-based systems. 2. Configure Postfix to write logging, to, for example, /var/log/postfix.log. See also the "Logfile rotation" section below for logfile management. + In the example below, specifying maillog_file_permissions is optional + (Postfix 3.9 and later). The default value is 0600, i.e., only the super- + user can access the file; the value 0644 also adds 'group' and 'other' read + access. + # postfix stop # postconf maillog_file=/var/log/postfix.log + # postconf maillog_file_permissions=0644 # (Postfix 3.9 and later) # postfix start By default, the logfile name must start with "/var" or "/dev/stdout" (the 
@@ -71,6 +77,10 @@ implements the following steps: * After a brief pause, compress the old logfile. The compression program is configured with the maillog_file_compressor parameter (default: gzip). + * The next time it logs an event, postlogd(8) will create a new logfile, with + permissions specified with the maillog_file_permissions parameter (default: + 0600). + Notes: * This command will not rotate a logfile with a pathname under the /dev diff --git a/README_FILES/MILTER_README b/README_FILES/MILTER_README index 4ace868..7d9e938 100644 --- a/README_FILES/MILTER_README +++ b/README_FILES/MILTER_README @@ -392,9 +392,9 @@ ccoommmmaa wwiitthhiinn aa vvaalluuee oorr aarroouunndd DDiiffffeerreenntt sseettttiinnggss ffoorr ddiiffffeerreenntt SSMMTTPP cclliieennttss The smtpd_milter_maps feature supports different Milter settings for different -client IP addresses. Lookup results override the the global smtpd_milters -setting, and have the same syntax. For example, to disable Milter settings for -local address ranges: +client IP addresses. Lookup results override the global smtpd_milters setting, +and have the same syntax. For example, to disable Milter settings for local +address ranges: /etc/postfix/main.cf: smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map diff --git a/README_FILES/MONGODB_README b/README_FILES/MONGODB_README new file mode 100644 index 0000000..c8b8fc6 --- /dev/null +++ b/README_FILES/MONGODB_README 
@@ -0,0 +1,188 @@ +PPoossttffiixx MMoonnggooDDBB HHoowwttoo + +------------------------------------------------------------------------------- + +MMoonnggooDDBB SSuuppppoorrtt iinn PPoossttffiixx + +Postfix can use MongoDB as a source for any of its lookups: aliases(5), virtual +(5), canonical(5), etc. This allows you to keep information for your mail +service in a replicated noSQL database with fine-grained access controls. By +not storing it locally on the mail server, the administrators can maintain it +from anywhere, and the users can control whatever bits of it you think +appropriate. You can have multiple mail servers using the same information, +without the hassle and delay of having to copy it to each. + +Topics covered in this document: + + * Building Postfix with MongoDB support + * Configuring MongoDB lookups + * Example: virtual alias maps + * Example: Mailing lists + * Example: MongoDB projections + * Feedback + * Credits + +BBuuiillddiinngg PPoossttffiixx wwiitthh MMoonnggooDDBB ssuuppppoorrtt + +These instructions assume that you build Postfix from source code as described +in the INSTALL document. Some modification may be required if you build Postfix +from a vendor-specific source package. + +The Postfix MongoDB client requires the mmoonnggoo--cc--ddrriivveerr library. This can be +built from source code from the mongod-c project, or this can be installed as a +binary package from your OS distribution, typically named mmoonnggoo--cc--ddrriivveerr, +mmoonnggoo--cc--ddrriivveerr--ddeevveell or lliibbmmoonnggoocc--ddeevv. Installing the mongo-c-driver library +may also install lliibbbbssoonn as a dependency. 
+ +To build Postfix with mongodb map support, add to the CCARGS environment +variable the options -DHAS_MONGODB and -I for the directory containing the +mongodb headers, and specify the AUXLIBS_MONGODB with the libmongoc and libbson +libraries, for example: + + % make tidy + % make -f Makefile.init makefiles \ + CCARGS="$CCARGS -DHAS_MONGODB -I/usr/include/libmongoc-1.0 \ + -I/usr/include/libbson-1.0" \ + AUXLIBS_MONGODB="-lmongoc-1.0 -lbson-1.0" + +The 'make tidy' command is needed only if you have previously built Postfix +without MongoDB support. + +If your MongoDB shared library is in a directory that the RUN-TIME linker does +not know about, add a "-Wl,-R,/path/to/directory" option after "-lbson-1.0". +Then, just run 'make'. + +CCoonnffiigguurriinngg MMoonnggooDDBB llooookkuuppss + +In order to use MongoDB lookups, define a MongoDB source as a table lookup in +main.cf, for example: + + alias_maps = hash:/etc/aliases, proxy:mongodb:/etc/postfix/mongo-aliases.cf + +The file /etc/postfix/mongo-aliases.cf can specify a number of parameters. For +a complete description, see the mongodb_table(5) manual page. + +EExxaammppllee:: vviirrttuuaall((55)) aalliiaass mmaappss + +Here's a basic example for using MongoDB to look up virtual(5) aliases. 
Assume +that in main.cf, you have: + + virtual_alias_maps = hash:/etc/postfix/virtual_aliases, + proxy:mongodb:/etc/postfix/mongo-virtual-aliases.cf + +and in mongodb:/etc/postfix/mongo-virtual-aliases.cf you have: + + uri = mongodb+srv://user_name:password@some_server + dbname = mail + collection = mailbox + query_filter = {"$or": [{"username":"%s"}, {"alias.address": "%s"}], + "active": 1} + result_attribute = username + +This example assumes mailbox names are stored in a MongoDB backend, in a format +like: + + { "username": "user@example.com", + "alias": [ + {"address": "admin@example.com"}, + {"address": "abuse@example.com"} + ], + "active": 1 + } + +Upon receiving mail for "admin@example.com" that isn't found in the /etc/ +postfix/virtual_aliases database, Postfix will search the MongoDB server/ +cluster listening at port 27017 on some_server. It will connect using the +provided credentials, and search for any entries whose username is, or alias +field has "admin@example.com". It will return the username attribute of those +found, and build a list of their email addresses. + +Notes: + + * As with pprroojjeeccttiioonn (see below), the Postfix mongodb client automatically + removes the top-level '_id' field from a result_attribute result. + + * The Postfix mongodb client will only parse result fields with data types + UTF8, INT32, INT64 and ARRAY. Other fields will be ignored, with a warning + in the logs. + +EExxaammppllee:: MMaaiilliinngg lliissttss + +When it comes to mailing lists, one way of implementing one would be as below: + + { "name": "dev@example.com", "active": 1, "address": + [ "hamid@example.com", "wietse@example.com", "viktor@example.com" ] } + +using the filter below, will result in a comma separated string with all email +addresses in this list. 
+ + query_filter = {"name": "%s", "active": 1} + result_attribute = address + +Notes: + + * As with pprroojjeeccttiioonn (see below), the Postfix mongodb client automatically + removes the top-level '_id' field from a result_attribute result. + + * The Postfix mongodb client will only parse result fields with data types + UTF8, INT32, INT64 and ARRAY. Other fields will be ignored, with a warning + in the logs. + +EExxaammppllee:: aaddvvaanncceedd pprroojjeeccttiioonnss + +This module also supports the use of more complex MongoDB projections. There +may be some use cases where operations such as concatenation are necessary to +be performed on the data retrieved from the database. Although it is encouraged +to keep the database design simple enough so this is not necessary, postfix +supports the use of MongoDB projections to achieve the goal. + +Consider the example below: + + { "username": "user@example.com", + "local_part": "user", + "domain": "example.com", + "alias": [ + {"address": "admin@example.com"}, + {"address": "abuse@example.com"} + ], + "active": 1 + } + +virtual_mailbox_maps can be created using below parameters in a mongodb:/etc/ +postfix/mongo-virtual-mailboxes.cf file: + + uri = mongodb+srv://user_name:password@some_server + dbname = mail + collection = mailbox + query_filter = {"$or": [{"username":"%s"}, {"alias.address": "%s"}], + "active": 1} + projection = { "mail_path": {"$concat": ["$domain", "/", "$local_part"]} } + +This will return 'example.com/user' path built from the database fields. + +A couple of considerations when using projections: + + * As with rreessuulltt__aattttrriibbuuttee, the Postfix mongodb client automatically removes + the top-level '_id' field from a projection result. + + * The Postfix mongodb client will only parse fields with data types UTF8, + INT32, INT64 and ARRAY. Other fields will be ignored, with a warning in the + logs. It is suggested to exclude any unnecessary fields when using a + projection. 
+ +FFeeeeddbbaacckk + +If you have questions, send them to postfix-users@postfix.org. Please include +relevant information about your Postfix setup: MongoDB-related output from +postconf, which libraries you built with, and such. If your question involves +your database contents, please include the applicable bits of some database +entries. + +CCrreeddiittss + + * Stephan Ferraro (Aionda GmbH) implemented an early version of the Postfix + MongoDB client. + * Hamid Maadani (Dextrous Technologies, LLC) added support for projections + and %letter interpolation, and added documentation. + * Wietse Venema adopted and restructured the code and documentation. + diff --git a/README_FILES/POSTSCREEN_README b/README_FILES/POSTSCREEN_README index 9467e68..5b4d200 100644 --- a/README_FILES/POSTSCREEN_README +++ b/README_FILES/POSTSCREEN_README @@ -78,7 +78,7 @@ Zombies have challenges too: they have only a limited amount of time to deliver spam before their IP address becomes denylisted. To speed up spam deliveries, zombies make compromises in their SMTP protocol implementation. For example, they speak before their turn, or they ignore responses from SMTP servers and -continue sending mail even when the server tells them to go away. +continue sending commands even when the server tells them to go away. postscreen(8) uses a variety of measurements to recognize zombies. First, postscreen(8) determines if the remote SMTP client IP address is denylisted. @@ -114,7 +114,7 @@ clients. QQuuiicckk tteessttss bbeeffoorree eevveerryytthhiinngg eellssee -Before engaging in SMTP-level tests. postscreen(8) queries a number of local +Before engaging in SMTP-level tests, postscreen(8) queries a number of local deny and allowlists. These tests speed up the handling of known clients. * Permanent allow/denylist test diff --git a/README_FILES/TLS_README b/README_FILES/TLS_README index e7fd259..5e63554 100644 --- a/README_FILES/TLS_README +++ b/README_FILES/TLS_README 
@@ -1726,73 +1726,109 @@ describe the corresponding table syntax: nnoonnee No TLS. No additional attributes are supported at this level. mmaayy - Opportunistic TLS. The optional "ciphers", "exclude" and "protocols" - attributes (available for opportunistic TLS with Postfix >= 2.6) override - the "smtp_tls_ciphers", "smtp_tls_exclude_ciphers" and "smtp_tls_protocols" - configuration parameters. At this level and higher, the optional - "servername" attribute (available with Postfix >= 3.4) overrides the global - "smtp_tls_servername" parameter, enabling per-destination configuration of - the SNI extension sent to the remote SMTP server. + Opportunistic TLS. The optional "ciphers", "exclude", and "protocols" + attributes (available for opportunistic TLS with Postfix >= 2.6) and + "connection_reuse" attribute (Postfix >= 3.4) override the + "smtp_tls_ciphers", "smtp_tls_exclude_ciphers", "smtp_tls_protocols", and + "smtp_tls_connection_reuse" configuration parameters. At this level and + higher, the optional "servername" attribute (available with Postfix >= 3.4) + overrides the global "smtp_tls_servername" parameter, enabling per- + destination configuration of the SNI extension sent to the remote SMTP + server. The optional "enable_rpk" attribute (Postfix >= 3.9) overrides the + main.cf smtp_tls_enable_rpk parameter. When opportunistic TLS handshakes + fail, Postfix retries the connection with TLS disabled. This allows mail + delivery to sites with non-interoperable TLS implementations. eennccrryypptt Mandatory encryption. Mail is delivered only if the remote SMTP server offers STARTTLS and the TLS handshake succeeds. At this level and higher, the optional "protocols" attribute overrides the main.cf smtp_tls_mandatory_protocols parameter, the optional "ciphers" attribute - overrides the main.cf smtp_tls_mandatory_ciphers parameter, and the - optional "exclude" attribute (Postfix >= 2.6) overrides the main.cf - smtp_tls_mandatory_exclude_ciphers parameter. 
+ overrides the main.cf smtp_tls_mandatory_ciphers parameter, the optional + "exclude" attribute (Postfix >= 2.6) overrides the main.cf + smtp_tls_mandatory_exclude_ciphers parameter, and the optional + "connection_reuse" attribute (Postfix >= 3.4) overrides the main.cf + smtp_tls_connection_reuse parameter. The optional "enable_rpk" attribute + (Postfix >= 3.9) overrides the main.cf smtp_tls_enable_rpk parameter. ddaannee Opportunistic DANE TLS. The TLS policy for the destination is obtained via TLSA records in DNSSEC. If no TLSA records are found, the effective security level used is may. If TLSA records are found, but none are usable, the effective security level is encrypt. When usable TLSA records are - obtained for the remote SMTP server, SSLv2+3 are automatically disabled - (see smtp_tls_mandatory_protocols), and the server certificate must match - the TLSA records. RFC 7672 (DANE) TLS authentication and DNSSEC support is - available with Postfix 2.11 and later. + obtained for the remote SMTP server, the server certificate must match the + TLSA records (and the SNI name is unconditionally set to the TLSA base + domain). RFC 7672 (DANE) TLS authentication and DNSSEC support is available + with Postfix 2.11 and later. The optional "connection_reuse" attribute + (Postfix >= 3.4) overrides the main.cf smtp_tls_connection_reuse parameter. + When the effective security level used is may, the optional "ciphers", + "exclude", and "protocols" attributes (Postfix >= 2.6) override the + "smtp_tls_ciphers", "smtp_tls_exclude_ciphers", and "smtp_tls_protocols" + configuration parameters. When the effective security level used is + encrypt, the optional "ciphers", "exclude", and "protocols" attributes + (Postfix >= 2.6) override the "smtp_tls_mandatory_ciphers", + "smtp_tls_mandatory_exclude_ciphers", and "smtp_tls_mandatory_protocols" + configuration parameters. ddaannee--oonnllyy Mandatory DANE TLS. 
The TLS policy for the destination is obtained via TLSA records in DNSSEC. If no TLSA records are found, or none are usable, no connection is made to the server. When usable TLSA records are obtained for - the remote SMTP server, SSLv2+3 are automatically disabled (see - smtp_tls_mandatory_protocols), and the server certificate must match the - TLSA records. RFC 7672 (DANE) TLS authentication and DNSSEC support is - available with Postfix 2.11 and later. + the remote SMTP server, the server certificate must match the TLSA records. + RFC 7672 (DANE) TLS authentication and DNSSEC support is available with + Postfix 2.11 and later. The optional "ciphers", "exclude", and "protocols" + attributes (Postfix >= 2.6) override the "smtp_tls_mandatory_ciphers", + "smtp_tls_mandatory_exclude_ciphers", and "smtp_tls_mandatory_protocols" + configuration parameters. The optional "connection_reuse" attribute + (Postfix >= 3.4) overrides the main.cf smtp_tls_connection_reuse parameter. ffiinnggeerrpprriinntt Certificate fingerprint verification. Available with Postfix 2.5 and later. At this security level, there are no trusted Certification Authorities. The certificate trust chain, expiration date, ... are not checked. Instead, the - optional mmaattcchh attribute, or else the main.cf - ssmmttpp__ttllss__ffiinnggeerrpprriinntt__cceerrtt__mmaattcchh parameter, lists the server certificate - fingerprints or public key fingerprints (Postfix 2.9 and later). The digest - algorithm used to calculate fingerprints is selected by the - ssmmttpp__ttllss__ffiinnggeerrpprriinntt__ddiiggeesstt parameter. Multiple fingerprints can be - combined with a "|" delimiter in a single match attribute, or multiple - match attributes can be employed. The ":" character is not used as a - delimiter as it occurs between each pair of fingerprint (hexadecimal) - digits. 
+ optional "match" attribute, or else the main.cf + ssmmttpp__ttllss__ffiinnggeerrpprriinntt__cceerrtt__mmaattcchh parameter, lists the certificate + fingerprints or the public key fingerprints (Postfix 2.9 and later) of + acceptable server certificates. The digest algorithm used to calculate the + fingerprint is selected by the ssmmttpp__ttllss__ffiinnggeerrpprriinntt__ddiiggeesstt parameter. + Multiple fingerprints can be combined with a "|" delimiter in a single + match attribute, or multiple match attributes can be employed. The ": + " character is not used as a delimiter as it occurs between each pair of + fingerprint (hexadecimal) digits. The optional "ciphers", "exclude", and + "protocols" attributes (Postfix >= 2.6) override the + "smtp_tls_mandatory_ciphers", "smtp_tls_mandatory_exclude_ciphers", and + "smtp_tls_mandatory_protocols" configuration parameters. The optional + "connection_reuse" attribute (Postfix >= 3.4) overrides the main.cf + smtp_tls_connection_reuse parameter. The optional "enable_rpk" attribute + (Postfix >= 3.9) overrides the main.cf smtp_tls_enable_rpk parameter. vveerriiffyy Mandatory server certificate verification. Mail is delivered only if the - TLS handshake succeeds, if the remote SMTP server certificate can be - validated (not expired or revoked, and signed by a trusted Certification - Authority), and if the server certificate name matches the optional "match" - attribute (or the main.cf smtp_tls_verify_cert_match parameter value when - no optional "match" attribute is specified). With Postfix >= 2.11 the + TLS handshake succeeds, the remote SMTP server certificate chain can be + validated, and a DNS name in the certificate matches the specified match + criteria. At this security level, DNS MX lookups are presumed to be secure + enough, and the name verified in the server certificate is potentially + obtained via unauthenticated DNS MX lookups. 
The server certificate name + must match either the optional "match" attribute, or else the main.cf + smtp_tls_verify_cert_match parameter value. With Postfix >= 2.11 the "tafile" attribute optionally modifies trust chain verification in the same manner as the "smtp_tls_trust_anchor_file" parameter. The "tafile" attribute may be specified multiple times to load multiple trust-anchor - files. + files. The optional "connection_reuse" attribute (Postfix >= 3.4) overrides + the main.cf smtp_tls_connection_reuse parameter. sseeccuurree Secure certificate verification. Mail is delivered only if the TLS - handshake succeeds, and DNS forgery resistant remote SMTP certificate - verification succeeds (not expired or revoked, and signed by a trusted - Certification Authority), and if the server certificate name matches the - optional "match" attribute (or the main.cf smtp_tls_secure_cert_match - parameter value when no optional "match" attribute is specified). With - Postfix >= 2.11 the "tafile" attribute optionally modifies trust chain - verification in the same manner as the "smtp_tls_trust_anchor_file" - parameter. The "tafile" attribute may be specified multiple times to load - multiple trust-anchor files. + handshake succeeds, the remote SMTP server certificate chain can be + validated, and a DNS name in the certificate matches the specified match + criteria. At this security level, DNS MX lookups, though potentially used + to determine the candidate next-hop gateway IP addresses, are nnoott presumed + to be secure enough for TLS peername verification. Instead, the default + name verified in the server certificate is obtained directly from the next- + hop, or is explicitly specified via the optional "match" attribute which + overrides the main.cf smtp_tls_secure_cert_match parameter. 
The optional + "ciphers", "exclude", and "protocols" attributes (Postfix >= 2.6) override + the "smtp_tls_mandatory_ciphers", "smtp_tls_mandatory_exclude_ciphers", and + "smtp_tls_mandatory_protocols" configuration parameters. With Postfix >= + 2.11 the "tafile" attribute optionally modifies trust chain verification in + the same manner as the "smtp_tls_trust_anchor_file" parameter. The "tafile" + attribute may be specified multiple times to load multiple trust-anchor + files. The optional "connection_reuse" attribute (Postfix >= 3.4) overrides + the main.cf smtp_tls_connection_reuse parameter. Notes: * The "match" attribute is especially useful to verify TLS certificates for |