summaryrefslogtreecommitdiffstats
path: root/html/postconf.5.html
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--html/postconf.5.html771
1 files changed, 598 insertions, 173 deletions
diff --git a/html/postconf.5.html b/html/postconf.5.html
index dbb8cc8..0ac9b68 100644
--- a/html/postconf.5.html
+++ b/html/postconf.5.html
@@ -612,8 +612,14 @@ Examples:
(default: see "postconf -d" output)</b></DT><DD>
<p>
-The alias databases that are used for <a href="local.8.html">local(8)</a> delivery. See
-<a href="aliases.5.html">aliases(5)</a> for syntax details.
+Optional lookup tables with aliases that apply only to <a href="local.8.html">local(8)</a>
+recipients; this is unlike <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> that apply to all
+recipients: <a href="local.8.html">local(8)</a>, virtual, and remote.
+The table format and lookups are documented in <a href="aliases.5.html">aliases(5)</a>. For an
+overview of Postfix address manipulations see the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a>
+document. </p>
+
+<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
@@ -2732,19 +2738,30 @@ name of the message delivery transport.
<p>
The default mail delivery transport and next-hop destination for
-destinations that do not match $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>,
+the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> class: recipient domains that do not match
+$<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>,
$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>,
-or $<a href="postconf.5.html#relay_domains">relay_domains</a>. This information can be overruled with the
-<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> parameter and with the
-<a href="transport.5.html">transport(5)</a> table. </p>
+or $<a href="postconf.5.html#relay_domains">relay_domains</a>. This information will not be used when
+<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> returns a result, and may
+be overridden with the <a href="transport.5.html">transport(5)</a> table. </p>
-<p>
-In order of decreasing precedence, the nexthop destination is taken
-from $<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>, $<a href="postconf.5.html#default_transport">default_transport</a>,
-$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>, $<a href="postconf.5.html#relayhost">relayhost</a>, or from the recipient
-domain.
+<p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> class: <p>
+
+<ul>
+
+<li> <p> In order of decreasing precedence, the delivery transport
+is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2)
+$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or $<a href="postconf.5.html#default_transport">default_transport</a>.
</p>
+<li> <p> In order of decreasing precedence, the nexthop destination
+is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2)
+$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or $<a href="postconf.5.html#default_transport">default_transport</a>, 3)
+$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient
+domain. </p>
+
+</ul>
+
<p>
Specify a string of the form <i>transport:nexthop</i>, where <i>transport</i>
is the name of a mail delivery transport defined in <a href="master.5.html">master.cf</a>.
@@ -3715,6 +3732,25 @@ This feature is available in Postfix 2.0 and later.
</DD>
+<DT><b><a name="force_mime_input_conversion">force_mime_input_conversion</a>
+(default: no)</b></DT><DD>
+
+<p> Convert body content that claims to be 8-bit into quoted-printable,
+before <a href="postconf.5.html#header_checks">header_checks</a>, <a href="postconf.5.html#body_checks">body_checks</a>, Milters, and before after-queue
+content filters. This feature does not affect messages that are
+sent into <a href="postconf.5.html#smtpd_proxy_filter">smtpd_proxy_filter</a>. </p>
+
+<p> The typical use case is an MTA that applies this conversion
+before signing outbound messages, so that the signatures will remain
+valid when a message is later delivered to an MTA that does not
+announce 8BITMIME support, or when a message line exceeds the SMTP
+length limit. </p>
+
+<p> This feature is available in Postfix &ge; 3.9. </p>
+
+
+</DD>
+
<DT><b><a name="fork_attempts">fork_attempts</a>
(default: 5)</b></DT><DD>
@@ -3797,7 +3833,7 @@ filtered with the character set that is specified with the
<dd>The address extension delimiter that was found in the recipient
address (Postfix 2.11 and later), or the 'first' delimiter specified
with the system-wide recipient address extension delimiter (Postfix
-3.5.22, 3.5.12, 3.7.8, 3.8.3 and later). Historically, this was
+3.5.22, 3.6.12, 3.7.8, 3.8.3 and later). Historically, this was
always the system-wide recipient
address extension delimiter (Postfix 2.10 and earlier). </dd>
@@ -4154,12 +4190,17 @@ Specify 0 to disable the feature. Valid delays are 0..10.
<DT><b><a name="inet_interfaces">inet_interfaces</a>
(default: all)</b></DT><DD>
-<p> The local network interface addresses that this mail system receives
-mail on. Specify "all" to receive mail on all network
-interfaces (default), and "loopback-only" to receive mail
-on loopback network interfaces only (Postfix version 2.2 and later). The
-parameter also controls delivery of mail to <tt>user@[ip.address]</tt>.
-</p>
+<p> The local network interface addresses that this mail system
+receives mail on. Specify "all" to receive mail on all network
+interfaces (default), "loopback-only" to receive mail on loopback
+network interfaces only (Postfix version 2.2 and later), or zero
+or more IPv4 or IPv6 addresses (IPv6 is supported in Postfix version
+2.2 and later). The parameter also controls whether Postfix will
+accept mail for <tt>user@[ip.address]</tt>, and prevents Postfix
+from delivering mail to a host that has equal or larger MX preference.
+Specify an empty value if Postfix does not receive mail over the
+network, or if all network listeners have an explicit IP address
+in <a href="master.5.html">master.cf</a>. </p>
<p>
Note 1: you need to stop and start Postfix when this parameter changes.
@@ -4168,22 +4209,44 @@ Note 1: you need to stop and start Postfix when this parameter changes.
<p> Note 2: address information may be enclosed inside <tt>[]</tt>,
but this form is not required here. </p>
-<p> When <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> specifies just one IPv4 and/or IPv6 address
-that is not a loopback address, the Postfix SMTP client will use
-this address as the IP source address for outbound mail. Support
-for IPv6 is available in Postfix version 2.2 and later. </p>
+<p> When <a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> and/or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> are not
+specified, the <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> setting may constrain the source IP
+address for an outbound SMTP or LMTP connection as described below.
+</p>
+
+<p> The following text is specific to SMTP and IPv4. The same
+reasoning applies to the IPv6 protocol, and to the Postfix LMTP
+client. To disable IPv4 or IPv6 support in the Postfix SMTP and
+LMTP client, use <a href="postconf.5.html#inet_protocols">inet_protocols</a>. </p>
-<p>
-On a multi-homed firewall with separate Postfix instances listening on the
-"inside" and "outside" interfaces, this can prevent each instance from
-being able to reach remote SMTP servers on the "other side" of the
-firewall. Setting
-<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> to 0.0.0.0 avoids the potential problem for
-IPv4, and setting <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> to :: solves the problem
-for IPv6. </p>
+<ul>
+
+<li> <p> When <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> specifies one IPv4 address, and that
+is not a loopback address, the Postfix SMTP client uses that as the
+source address for outbound IPv4 connections. </p>
+
+<li> <p> Otherwise, the Postfix SMTP client does not constrain the
+source IPv4 address, and connects using a system-chosen source IPv4
+address. This includes the cases where <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> is empty,
+where it specifies <b>all</b>, or where it contains no IPv4 address,
+one IPv4 address that is a loopback address, or multiple IPv4
+addresses. </p>
+
+</ul>
+
+<p> A Postfix SMTP client may fail to reach some remote SMTP servers
+when the client source IP address is constrained explicitly with
+<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a>, or implicitly with
+<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>. This can happen when Postfix runs on a multi-homed
+system such as a firewall, the Postfix SMTP source client IP address
+is constrained to one specific network interface, and the remote
+SMTP server must be reached through a different interface. Setting
+<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> to 0.0.0.0 avoids the potential problem for IPv4,
+and setting <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> to :: solves the problem for IPv6.
+</p>
<p>
-A better solution for multi-homed firewalls is to leave <a href="postconf.5.html#inet_interfaces">inet_interfaces</a>
+A better solution for multi-homed systems is to leave <a href="postconf.5.html#inet_interfaces">inet_interfaces</a>
at the default value and instead use explicit IP addresses in
the <a href="master.5.html">master.cf</a> SMTP server definitions. This preserves the Postfix
SMTP client's
@@ -4215,7 +4278,7 @@ Examples:
</DD>
<DT><b><a name="inet_protocols">inet_protocols</a>
-(default: see 'postconf -d output')</b></DT><DD>
+(default: see 'postconf -d' output)</b></DT><DD>
<p> The Internet protocols Postfix will attempt to use when making
or accepting connections. Specify one or more of "ipv4"
@@ -4893,6 +4956,9 @@ configuration parameter. See there for details. </p>
<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> configuration
parameter. See there for details. </p>
+<p> This feature is deprecated as of Postfix 3.9. Specify
+<a href="postconf.5.html#lmtp_tls_security_level">lmtp_tls_security_level</a> instead. </p>
+
<p> This feature is available in Postfix 2.3 and later. </p>
@@ -5295,6 +5361,15 @@ to the remote host.
</DD>
+<DT><b><a name="lmtp_sasl_password_result_delimiter">lmtp_sasl_password_result_delimiter</a>
+(default: :)</b></DT><DD>
+
+<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_sasl_password_result_delimiter">smtp_sasl_password_result_delimiter</a>
+configuration parameter. See there for details. </p>
+
+
+</DD>
+
<DT><b><a name="lmtp_sasl_path">lmtp_sasl_path</a>
(default: empty)</b></DT><DD>
@@ -5594,6 +5669,17 @@ compiled and linked with OpenSSL 1.0.0 or later. </p>
</DD>
+<DT><b><a name="lmtp_tls_enable_rpk">lmtp_tls_enable_rpk</a>
+(default: yes)</b></DT><DD>
+
+<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a>
+configuration parameter. See there for details. </p>
+
+<p> This feature is available in Postfix 3.9 and later. </p>
+
+
+</DD>
+
<DT><b><a name="lmtp_tls_enforce_peername">lmtp_tls_enforce_peername</a>
(default: yes)</b></DT><DD>
@@ -5694,7 +5780,7 @@ configuration parameter. See there for details. </p>
</DD>
<DT><b><a name="lmtp_tls_mandatory_protocols">lmtp_tls_mandatory_protocols</a>
-(default: see postconf -d output)</b></DT><DD>
+(default: see 'postconf -d' output)</b></DT><DD>
<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
configuration parameter. See there for details. </p>
@@ -5721,6 +5807,9 @@ configuration parameter. See there for details. </p>
<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> configuration
parameter. See there for details. </p>
+<p> This feature is deprecated as of Postfix 3.9. Specify
+<a href="postconf.5.html#lmtp_tls_policy_maps">lmtp_tls_policy_maps</a> instead. </p>
+
<p> This feature is available in Postfix 2.3 and later. </p>
@@ -5738,7 +5827,7 @@ configuration parameter. See there for details. </p>
</DD>
<DT><b><a name="lmtp_tls_protocols">lmtp_tls_protocols</a>
-(default: see postconf -d output)</b></DT><DD>
+(default: see 'postconf -d' output)</b></DT><DD>
<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> configuration
parameter. See there for details. </p>
@@ -5853,6 +5942,9 @@ parameter. See there for details. </p>
<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> configuration
parameter. See there for details. </p>
+<p> This feature is deprecated as of Postfix 3.9. Specify
+<a href="postconf.5.html#lmtp_tls_security_level">lmtp_tls_security_level</a> instead. </p>
+
<p> This feature is available in Postfix 2.3 and later. </p>
@@ -6149,8 +6241,8 @@ until a match is found.
<p>
If this parameter is non-empty (the default), then the Postfix SMTP
-server will reject mail for unknown local users.
-</p>
+server will reject mail for unknown local users. Other Postfix
+interfaces may still accept an "unknown" recipient. </p>
<p>
To turn off local recipient checking in the Postfix SMTP server,
@@ -6449,6 +6541,11 @@ and later.</dd>
<dd>The domain part of the recipient address. </dd>
+<dt><b>ENVID</b></dt>
+
+<dd>The optional <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> envelope ID. Available in Postfix version
+3.9 and later</dd>
+
<dt><b>EXTENSION</b></dt>
<dd>The optional address extension. </dd>
@@ -6683,6 +6780,21 @@ first argument. </p>
</DD>
+<DT><b><a name="maillog_file_permissions">maillog_file_permissions</a>
+(default: 0600)</b></DT><DD>
+
+<p> The file access permissions that will be set when the file
+$<a href="postconf.5.html#maillog_file">maillog_file</a> is created for the first time, or when the file is
+created after an existing file is rotated. Specify one of: <b>0600</b>
+(only super-user read/write access), <b>0640</b> (adds 'group' read
+access), or <b>0644</b> (also adds 'other' read access). The leading
+'0' is optional. </p>
+
+<p> This feature is available in Postfix 3.9 and later. </p>
+
+
+</DD>
+
<DT><b><a name="maillog_file_prefixes">maillog_file_prefixes</a>
(default: /var, /dev/stdout)</b></DT><DD>
@@ -8326,9 +8438,9 @@ it passes the test, before it can talk to a real Postfix SMTP server.
<DT><b><a name="postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a>
(default: 30d)</b></DT><DD>
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
-a successful "bare newline" SMTP protocol test. During this
-time, the client IP address is excluded from this test. The default
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client
+IP address passed a "bare newline" SMTP protocol test, before it
+address is required to pass that test again. The default
is long because a remote SMTP client must disconnect after it passes
the test,
before it can talk to a real Postfix SMTP server. </p>
@@ -8584,9 +8696,10 @@ defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dns
<p> Specify a negative value to enable this feature. When a client
passes the <a href="postconf.5.html#postscreen_dnsbl_allowlist_threshold">postscreen_dnsbl_allowlist_threshold</a> without having
failed other tests, all pending or disabled tests are flagged as
-completed with a time-to-live value equal to <a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>.
-When a test was already completed, its time-to-live value is updated
-if it was less than <a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>. </p>
+completed with an expiration time based on the DNS reply TTL.
+When a test was already completed, its expiration time is updated
+if it was less than the value based on the DNS reply TTL. See
+also <a href="postconf.5.html#postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a> and <a href="postconf.5.html#postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a>. </p>
<p> This feature is available in Postfix 3.6 and later. </p>
@@ -8599,9 +8712,9 @@ if it was less than <a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dn
<DT><b><a name="postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a>
(default: ${<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>?{$<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>}:{1}}h)</b></DT><DD>
-<p> The maximum amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the
-result from a successful DNS-based reputation test before a
-client IP address is required to pass that test again. If the DNS
+<p> The maximum amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a
+client IP address passed a DNS-based reputation test, before it is
+required to pass that test again. If the DNS
reply specifies a shorter TTL value, that value will be used unless
it would be smaller than <a href="postconf.5.html#postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a>. </p>
@@ -8619,9 +8732,9 @@ is backwards-compatible with older Postfix versions. </p>
<DT><b><a name="postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a>
(default: 60s)</b></DT><DD>
-<p> The minimum amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the
-result from a successful DNS-based reputation test before a
-client IP address is required to pass that test again. If the DNS
+<p> The minimum amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a
+client IP address passed a DNS-based reputation test, before it
+is required to pass that test again. If the DNS
reply specifies a larger TTL value, that value will be used unless
it would be larger than <a href="postconf.5.html#postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a>. </p>
@@ -8762,9 +8875,9 @@ The default time unit is s (seconds). </p>
<DT><b><a name="postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>
(default: 1h)</b></DT><DD>
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
-a successful DNS-based reputation test before a client
-IP address is required to pass that test again. </p>
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client
+IP address passed a DNS-based reputation test, before it is required
+to pass that test again. </p>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
@@ -8880,9 +8993,9 @@ value to disable this feature. </p>
<DT><b><a name="postscreen_greet_ttl">postscreen_greet_ttl</a>
(default: 1d)</b></DT><DD>
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
-a successful PREGREET test. During this time, the client IP address
-is excluded from this test. The default is relatively short, because
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client
+IP address passed a PREGREET test, before it is required to pass
+that test again. The default is relatively short, because
a good client can immediately talk to a real Postfix SMTP server. </p>
<p> Specify a non-zero time value (an integral value plus an optional
@@ -8976,9 +9089,9 @@ test, before it can talk to a real Postfix SMTP server. </p>
<DT><b><a name="postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a>
(default: 30d)</b></DT><DD>
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
-a successful "non_smtp_command" SMTP protocol test. During this
-time, the client IP address is excluded from this test. The default
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client
+IP address passed a "non_smtp_command" SMTP protocol test, before
+it is required to pass that test again. The default
is long because a client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server. </p>
@@ -9044,9 +9157,9 @@ server. </p>
<DT><b><a name="postscreen_pipelining_ttl">postscreen_pipelining_ttl</a>
(default: 30d)</b></DT><DD>
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
-a successful "pipelining" SMTP protocol test. During this time, the
-client IP address is excluded from this test. The default is
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client
+IP address passed a "pipelining" SMTP protocol test, before it is
+required to pass that test again. The default is
long because a good client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server. </p>
@@ -10136,13 +10249,24 @@ This feature is available in Postfix 2.0 and later.
<p>
The default mail delivery transport and next-hop destination for
-remote delivery to domains listed with $<a href="postconf.5.html#relay_domains">relay_domains</a>. In order of
-decreasing precedence, the nexthop destination is taken from
-$<a href="postconf.5.html#relay_transport">relay_transport</a>, $<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>, $<a href="postconf.5.html#relayhost">relayhost</a>, or
-from the recipient domain. This information can be overruled with
-the <a href="transport.5.html">transport(5)</a> table.
+the <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domain</a> address class: recipient domains that match
+$<a href="postconf.5.html#relay_domains">relay_domains</a>. </p>
+
+<p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domain</a> address class: </p>
+
+<ul>
+
+<li> <p> In order of decreasing precedence, the message delivery
+transport is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#relay_transport">relay_transport</a>.
</p>
+<li> <p> In order of decreasing precedence, the nexthop destination
+is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#relay_transport">relay_transport</a>, 3)
+$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient
+domain. </p>
+
+</ul>
+
<p>
Specify a string of the form <i>transport:nexthop</i>, where <i>transport</i>
is the name of a mail delivery transport defined in <a href="master.5.html">master.cf</a>.
@@ -10166,13 +10290,31 @@ This feature is available in Postfix 2.0 and later.
(default: empty)</b></DT><DD>
<p>
-The next-hop destination(s) for non-local mail; overrides non-local
-domains in recipient addresses. This information is overruled with
-<a href="postconf.5.html#relay_transport">relay_transport</a>, <a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>,
-<a href="postconf.5.html#default_transport">default_transport</a>, <a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>
-and with the <a href="transport.5.html">transport(5)</a> table.
+The next-hop destination(s) for non-local mail; takes precedence
+over non-<a href="ADDRESS_CLASS_README.html#local_domain_class">local domains</a> in recipient addresses. This information
+will not be used when the sender matches $<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>.
</p>
+<p> In order of decreasing precedence: </p>
+
+<ul>
+
+<li> <p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domain</a> address class
+(domains matching $<a href="postconf.5.html#relay_domains">relay_domains</a>), the nexthop destination is taken
+from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#relay_transport">relay_transport</a>, 3)
+$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient
+domain. <p>
+
+<li> <p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> address class
+(domains that do not match $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>,
+$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>,
+or $<a href="postconf.5.html#relay_domains">relay_domains</a>), the nexthop destination is taken from 1)
+$<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or
+$<a href="postconf.5.html#default_transport">default_transport</a>, 3) $<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a>
+or the recipient domain. </p>
+
+</ul>
+
<p>
On an intranet, specify the organizational domain name. If your
internal DNS uses no MX records, specify the name of the intranet
@@ -10180,11 +10322,12 @@ gateway host instead.
</p>
<p>
-In the case of SMTP or LMTP delivery, specify one or more destinations
-in the form of a domain name, hostname, hostname:port, [hostname]:port,
-[hostaddress] or [hostaddress]:port, separated by comma or whitespace.
-The form [hostname] turns off MX lookups. Multiple destinations are
-supported in Postfix 3.5 and later.
+In the case of SMTP delivery, specify one or more destinations in
+the form of a domain name, hostname, hostname:service, [hostname]:service,
+[hostaddress] or [hostaddress]:service, separated by comma or whitespace.
+The form [hostname] turns off MX or SRV lookups. Multiple destinations
+are supported in Postfix 3.5 and later. Each destination is tried
+in the specified order.
</p>
<p>
@@ -10589,18 +10732,38 @@ address and @domain. A lookup result of DUNNO terminates the search
without overriding the global <a href="postconf.5.html#default_transport">default_transport</a> parameter setting.
This information is overruled with the <a href="transport.5.html">transport(5)</a> table. </p>
-<p>
-Specify zero or more "type:name" lookup tables, separated by
-whitespace or comma. Tables will be searched in the specified order
-until a match is found.
+<p> This setting affects only the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> address class
+(recipient domains that do not match $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>,
+$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>,
+or $<a href="postconf.5.html#relay_domains">relay_domains</a>): </p>
+
+<ul>
+
+<li> <p> In order of decreasing precedence, the delivery transport
+is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2)
+$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or $<a href="postconf.5.html#default_transport">default_transport</a>.
</p>
+<li> <p> In order of decreasing precedence, the nexthop destination
+is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2)
+$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or $<a href="postconf.5.html#default_transport">default_transport</a>, 3)
+$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient
+domain. </p>
+
+</ul>
+
<p> Note: this overrides <a href="postconf.5.html#default_transport">default_transport</a>, not <a href="postconf.5.html#transport_maps">transport_maps</a>, and
therefore the expected syntax is that of <a href="postconf.5.html#default_transport">default_transport</a>, not the
syntax of <a href="postconf.5.html#transport_maps">transport_maps</a>. Specifically, this does not support the
<a href="postconf.5.html#transport_maps">transport_maps</a> syntax for null transport, null nexthop, or null
email addresses. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace or comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p> For safety reasons, this feature does not allow $number
substitutions in regular expression maps. </p>
@@ -10616,9 +10779,27 @@ substitutions in regular expression maps. </p>
setting. The tables are searched by the envelope sender address and
@domain. A lookup result of DUNNO terminates the search without
overriding the global <a href="postconf.5.html#relayhost">relayhost</a> parameter setting (Postfix 2.6 and
-later). This information is overruled with <a href="postconf.5.html#relay_transport">relay_transport</a>,
-<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>, <a href="postconf.5.html#default_transport">default_transport</a> and with
-the <a href="transport.5.html">transport(5)</a> table. </p>
+later). </p>
+
+<p> In order of decreasing precedence: </p>
+
+<ul>
+
+<li> <p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domain</a> address class
+(domains matching $<a href="postconf.5.html#relay_domains">relay_domains</a>), the nexthop destination is taken
+from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#relay_transport">relay_transport</a>, 3)
+$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient
+domain. </p>
+
+<li> <p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> address class
+(domains that do not match <a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>,
+$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>,
+$<a href="postconf.5.html#relay_domains">relay_domains</a>), the nexthop destination is taken from 1)
+$<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or
+$<a href="postconf.5.html#default_transport">default_transport</a>, 3) $<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a>
+or the recipient domain. </p>
+
+</ul>
<p>
Specify zero or more "type:name" lookup tables, separated by
@@ -10820,13 +11001,38 @@ IPv6 connectivity: </p>
<ul>
<li> <p> The setting "<a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> = ipv6" is unsafe.
-It can fail to deliver mail when there is an outage that affects
-IPv6, while the destination is still reachable over IPv4. </p>
+All deliveries will suffer delays during an IPv6 outage, even
+while the destination is still reachable over IPv4. Mail may be
+stuck in the queue with Postfix versions &lt; 3.3 that do not
+implement "<a href="postconf.5.html#smtp_balance_inet_protocols">smtp_balance_inet_protocols</a>". For similar reasons, the
+setting "<a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> = ipv4" is also unsafe. </p>
<li> <p> The setting "<a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> = any" is safe. With
-this, mail will eventually be delivered even if there is an outage
+this, and "<a href="postconf.5.html#smtp_balance_inet_protocols">smtp_balance_inet_protocols</a> = yes" (the default), only
+half of deliveries will suffer delays if there is an outage
that affects IPv6 or IPv4, as long as it does not affect both. </p>
+<li> <p> The setting "<a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> = ipv4" is not a
+solution for remote servers that flag email received over IPv6 as
+more 'spammy' (the client IPv6 address has a bad or missing PTR or
+AAAA record, bad network neighbors, etc.). Instead, configure Postfix
+to receive mail over both IPv4 and IPv6, and to deliver mail over
+only IPv4. </p>
+
+<blockquote>
+<pre>
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ <a href="postconf.5.html#inet_protocols">inet_protocols</a> = all
+</pre>
+</blockquote>
+
+<blockquote>
+<pre>
+/etc/postfix/<a href="master.5.html">master.cf</a>
+ smtp ...other fields... smtp -o <a href="postconf.5.html#inet_protocols">inet_protocols</a>=ipv4
+</pre>
+</blockquote>
+
</ul>
<p> This feature is available in Postfix 2.8 and later. </p>
@@ -12295,6 +12501,9 @@ If no username:password entry is found, then the Postfix SMTP client
will not attempt to authenticate to the remote host.
</p>
+<p> Use <a href="postconf.5.html#smtp_sasl_password_result_delimiter">smtp_sasl_password_result_delimiter</a> to specify an
+alternative separator between username and password. </p>
+
<p>
The Postfix SMTP client opens the lookup table before going to
chroot jail, so you can leave the password file in /etc/postfix.
@@ -12309,6 +12518,18 @@ until a match is found.
</DD>
+<DT><b><a name="smtp_sasl_password_result_delimiter">smtp_sasl_password_result_delimiter</a>
+(default: :)</b></DT><DD>
+
+<p> The delimiter between username and password in sasl_passwd_maps lookup
+results. Specify one non-whitespace character that does not appear in
+the username. </p>
+
+<p> This feature is available in Postfix &ge; 3.9. </p>
+
+
+</DD>
+
<DT><b><a name="smtp_sasl_path">smtp_sasl_path</a>
(default: empty)</b></DT><DD>
@@ -13035,6 +13256,86 @@ compiled and linked with OpenSSL 1.0.0 or later. </p>
</DD>
+<DT><b><a name="smtp_tls_enable_rpk">smtp_tls_enable_rpk</a>
+(default: no)</b></DT><DD>
+
+<p> Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
+instead of an X.509 certificate. This feature and the enable_rpk
+policy attribute are ignored when there is no raw public key support
+in the local TLS implementation. </p>
+
+<ul>
+
+<li> <p> At the "may", "encrypt" and "fingerprint" security levels,
+with parameter setting "<a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> = yes" or with "enable_rpk
+= yes" in a policy entry, the Postfix SMTP client will indicate in
+the TLS handshake that it prefers to receive a raw server public
+key, but it will still accept a server public key certificate. </p>
+
+<li> <p> At the "fingerprint" security level, with parameter setting
+"<a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> = yes" or with "enable_rpk = yes" in a policy
+entry, server authentication based on certificate fingerprints
+becomes more fragile. Even if the server private key and certificate
+remain unchanged, the remote SMTP server will fail fingerprint
+authentication (won't match the configured list of fingerprints)
+when it starts sending a raw public key instead of a certificate,
+after its TLS implementation is updated with raw public key support.
+Therefore, <b>DO NOT</b> enable raw public keys to remote destinations
+authenticated by server <b>certificate</b> fingerprints. You should
+enable raw public keys only for servers matched via their public
+key fingerprint. </p>
+
+<li> <p> At the "verify" and "secure" security levels, the Postfix
+SMTP client always ignores the parameter setting <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a>
+or the enable_rpk policy attribute. </p>
+
+<li> <p> At the opportunistic "dane" security level, the Postfix
+SMTP client ignores the parameter setting <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> or
+the enable_rpk policy attribute (but it will respect them when it
+falls back to the "may" or "encrypt" level). When all valid TLSA
+records specify only server public keys (no certificates) and the
+local TLS implementation supports raw public keys, the client will
+indicate in the TLS handshake that it prefers to receive a raw
+public key, but it will still accept a public key certificate. </p>
+
+<li> <p> At the mandatory "dane-only" security level, the Postfix
+SMTP client always ignores the parameter setting <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a>
+or the enable_rpk policy attribute. When all valid TLSA records
+specify only server public keys (no certificates) and the local TLS
+implementation supports raw public keys, the client will indicate
+in the TLS handshake that it prefers to receive a raw public key,
+but it will still accept a public key certificate. </p>
+
+</ul>
+
+<p>The Postfix SMTP client is always willing to send raw public keys
+to servers that solicit them when a client certificate is configured
+and the local TLS implementation supports raw public keys. </p>
+
+<p> Sample commands to compute certificate and public key SHA256 digests: </p>
+
+<pre>
+# SHA256 digest of the first certificate in "cert.pem"
+$ openssl x509 -in cert.pem -outform DER | openssl dgst -sha256 -c
+</pre>
+
+<pre>
+# SHA256 digest of the SPKI of the first certificate in "cert.pem"
+$ openssl x509 -in cert.pem -pubkey -noout |
+ openssl pkey -pubin -outform DER | openssl dgst -sha256 -c
+</pre>
+
+<pre>
+# SHA256 digest of the SPKI of the first private key in "pkey.pem"
+$ openssl pkey -in pkey.pem -pubout -outform DER |
+ openssl dgst -sha256 -c
+</pre>
+
+<p> This feature is available in Postfix 3.9 and later. </p>
+
+
+</DD>
+
<DT><b><a name="smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
(default: yes)</b></DT><DD>
@@ -13296,7 +13597,9 @@ verification errors if server certificate verification is not required.
With Postfix 2.8 and earlier, log the summary message and unconditionally
log trust-chain verification errors. </dd>
-<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
+<dt> </dt> <dd> 2 Also enable verbose logging in the Postfix TLS
+library, log session cache operations, and enable OpenSSL logging
+of the progress of the SSL handshake. </dd>
<dt> </dt> <dd> 3 Also log the hexadecimal and ASCII dump of the
TLS negotiation process. </dd>
@@ -13546,11 +13849,13 @@ lookup key, and overrides the global <a href="postconf.5.html#smtp_use_tls">smtp
and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings. </dd>
<dt> MAY </dt> <dd> Try to use TLS if the server announces support,
-otherwise use an unencrypted connection. This has less precedence
+otherwise use an unencrypted connection; after a failed TLS handshake
+or TLS session, fall back to plaintext if the message has spent
+<a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a> in the mail queue. This level has less precedence
than a more specific result (including <b>NONE</b>) from the alternate
host or next-hop lookup key, and has less precedence than the more
specific global "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" or "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
-= yes". </dd>
+= yes". </dd>
<dt> MUST_NOPEERMATCH </dt> <dd> Require TLS encryption, but do not
require that the remote SMTP server hostname matches the information
@@ -13643,28 +13948,35 @@ security are: </p>
<dd>Opportunistic TLS. Since sending in the clear is acceptable,
demanding stronger than default TLS security merely reduces
interoperability. The optional "ciphers", "exclude", and "protocols"
-attributes (available for opportunistic TLS with Postfix &ge; 2.6)
-and "connection_reuse" attribute (Postfix &ge; 3.4) override the
+attributes (available for opportunistic TLS with Postfix &ge; 2.6) and
+"connection_reuse" attribute (Postfix &ge; 3.4) override the
"<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>", "<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a>", "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a>",
-and
-"<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a>" configuration parameters. In the policy table,
-multiple ciphers, protocols or excluded ciphers must be separated by colons,
-as attribute values may not contain whitespace or commas. When opportunistic
-TLS handshakes fail, Postfix retries the connection with TLS disabled.
-This allows mail delivery to sites with non-interoperable TLS
-implementations.</dd>
+and "<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a>" configuration parameters. In the policy
+table, multiple ciphers, protocols or excluded ciphers must be separated
+by colons, as attribute values may not contain whitespace or commas. At
+this level and higher, the optional "servername" attribute (available
+with Postfix &ge; 3.4) overrides the global "<a href="postconf.5.html#smtp_tls_servername">smtp_tls_servername</a>"
+parameter, enabling per-destination configuration of the SNI extension
+sent to the remote SMTP server. The optional "enable_rpk" attribute
+(Postfix &ge; 3.9) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> parameter.
+When opportunistic TLS handshakes fail, Postfix retries the connection
+with TLS disabled. This allows mail delivery to sites with
+non-interoperable TLS implementations.</dd>
<dt><b><a href="TLS_README.html#client_tls_encrypt">encrypt</a></b></dt>
-<dd>Mandatory TLS encryption. At this level
-and higher, the optional "protocols" attribute overrides the <a href="postconf.5.html">main.cf</a>
+<dd>Mandatory TLS encryption. Mail is delivered only if the remote SMTP
+server offers STARTTLS and the TLS handshake succeeds. At this level and
+higher, the optional "protocols" attribute overrides the <a href="postconf.5.html">main.cf</a>
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> parameter, the optional "ciphers" attribute
-overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter, the
-optional "exclude" attribute (Postfix &ge; 2.6) overrides the <a href="postconf.5.html">main.cf</a>
+overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter, the optional
+"exclude" attribute (Postfix &ge; 2.6) overrides the <a href="postconf.5.html">main.cf</a>
<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> parameter, and the optional
-"connection_reuse" attribute (Postfix &ge; 3.4) overrides the
-<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. In the policy table,
-multiple ciphers, protocols or excluded ciphers must be separated by colons,
-as attribute values may not contain whitespace or commas. </dd>
+"connection_reuse" attribute (Postfix &ge; 3.4) overrides the <a href="postconf.5.html">main.cf</a>
+<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. In the policy table, multiple
+ciphers, protocols or excluded ciphers must be separated by colons, as
+attribute values may not contain whitespace or commas. The optional
+"enable_rpk" attribute (Postfix &ge; 3.9) overrides the <a href="postconf.5.html">main.cf</a>
+<a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> parameter. </dd>
<dt><b><a href="TLS_README.html#client_tls_dane">dane</a></b></dt>
<dd>Opportunistic DANE TLS. The TLS policy for the destination is
@@ -13709,10 +14021,10 @@ configuration parameters. The optional "connection_reuse" attribute
verification. Available with Postfix 2.5 and later. At this security
level, there are no trusted Certification Authorities. The certificate
trust chain, expiration date, ... are not checked. Instead,
-the optional "match" attribute, or else the <a href="postconf.5.html">main.cf</a>
+the optional policy table "match" attribute, or else the <a href="postconf.5.html">main.cf</a>
<b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a></b> parameter, lists the certificate
-fingerprints or the public key fingerprint (Postfix 2.9 and later)
-of the valid server certificate. The digest
+fingerprints or the public key fingerprints (Postfix 2.9 and later)
+of acceptable server certificates. The digest
algorithm used to calculate the fingerprint is selected by the
<b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a></b> parameter. Multiple fingerprints can
be combined with a "|" delimiter in a single match attribute, or multiple
@@ -13723,45 +14035,58 @@ digits. The optional "ciphers", "exclude", and "protocols" attributes
"<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>"
configuration parameters. The optional "connection_reuse" attribute
(Postfix &ge; 3.4) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a>
-parameter. </dd>
+parameter. The optional "enable_rpk" attribute (Postfix &ge; 3.9)
+overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> parameter. </dd>
<dt><b><a href="TLS_README.html#client_tls_verify">verify</a></b></dt>
-<dd>Mandatory TLS verification. At this security
-level, DNS MX lookups are trusted to be secure enough, and the name
-verified in the server certificate is usually obtained indirectly via
-unauthenticated DNS MX lookups. The optional "match" attribute overrides
-the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> parameter. In the policy table,
-multiple match patterns and strategies must be separated by colons.
-In practice explicit control over matching is more common with the
-"secure" policy, described below. The optional "ciphers", "exclude",
-and "protocols" attributes (Postfix &ge; 2.6) override the
-"<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>", "<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and
-"<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" configuration parameters. The optional
-"connection_reuse" attribute (Postfix &ge; 3.4) overrides the <a href="postconf.5.html">main.cf</a>
-<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. </dd>
+<dd>Mandatory TLS verification. Mail is delivered only if the TLS
+handshake succeeds, the remote SMTP server certificate chain can be
+validated, and a DNS name in the certificate matches the specified match
+criteria. At this security level, DNS MX lookups are presumed to be
+secure enough, and the name verified in the server certificate is
+potentially obtained via unauthenticated DNS MX lookups. The optional
+"match" attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a>
+parameter. In the policy table, multiple match patterns and strategies
+must be separated by colons. In practice explicit control over matching
+is more common with the "secure" policy, described below. The optional
+"ciphers", "exclude", and "protocols" attributes (Postfix &ge; 2.6)
+override the "<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>",
+"<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>"
+configuration parameters. With Postfix &ge; 2.11 the optional "tafile"
+policy table attribute modifies trust chain verification in the same
+manner as the "<a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a>" parameter. The "tafile"
+attribute may be specified multiple times to load multiple trust-anchor
+files. The optional "connection_reuse" attribute (Postfix &ge; 3.4)
+overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. </dd>
<dt><b><a href="TLS_README.html#client_tls_secure">secure</a></b></dt>
-<dd>Secure-channel TLS. At this security level, DNS
-MX lookups, though potentially used to determine the candidate next-hop
-gateway IP addresses, are <b>not</b> trusted to be secure enough for TLS
-peername verification. Instead, the default name verified in the server
-certificate is obtained directly from the next-hop, or is explicitly
-specified via the optional "match" attribute which overrides the
-<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> parameter. In the policy table,
-multiple match patterns and strategies must be separated by colons.
-The match attribute is most useful when multiple domains are supported by
-a common server: the policy entries for additional domains specify matching
-rules for the primary domain certificate. While transport table overrides
-that route the secondary domains to the primary nexthop also allow secure
-verification, they risk delivery to the wrong destination when domains
-change hands or are re-assigned to new gateways. With the "match"
-attribute approach, routing is not perturbed, and mail is deferred if
-verification of a new MX host fails. The optional "ciphers", "exclude",
-and "protocols" attributes (Postfix &ge; 2.6) override the
-"<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>", "<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and
-"<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" configuration parameters. The optional
-"connection_reuse" attribute (Postfix &ge; 3.4) overrides the <a href="postconf.5.html">main.cf</a>
-<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. </dd>
+<dd>Secure certificate verification. Mail is delivered only if the TLS
+handshake succeeds, the remote SMTP server certificate chain can be
+validated, and a DNS name in the certificate matches the specified match
+criteria. At this security level, DNS MX lookups, though potentially
+used to determine the candidate next-hop gateway IP addresses, are
+<b>not</b> presumed to be secure enough for TLS peername verification.
+Instead, the default name verified in the server certificate is obtained
+directly from the next-hop, or is explicitly specified via the optional
+"match" attribute which overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a>
+parameter. In the policy table, multiple match patterns and strategies
+must be separated by colons. The match attribute is most useful when
+multiple domains are supported by a common server: the policy entries
+for additional domains specify matching rules for the primary domain
+certificate. While transport table overrides that route the secondary
+domains to the primary nexthop also allow secure verification, they risk
+delivery to the wrong destination when domains change hands or are
+re-assigned to new gateways. With the "match" attribute approach,
+routing is not perturbed, and mail is deferred if verification of a new
+MX host fails. The optional "ciphers", "exclude", and "protocols"
+attributes (Postfix &ge; 2.6) override the "<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>",
+"<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>"
+configuration parameters. With Postfix &ge; 2.11 the "tafile" attribute
+optionally modifies trust chain verification in the same manner as the
+"<a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a>" parameter. The "tafile" attribute may be
+specified multiple times to load multiple trust-anchor files. The
+optional "connection_reuse" attribute (Postfix &ge; 3.4) overrides the
+<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. </dd>
</dl>
@@ -13807,7 +14132,7 @@ configurations in environments where DNS security is not assured. </p>
</DD>
<DT><b><a name="smtp_tls_protocols">smtp_tls_protocols</a>
-(default: see postconf -d output)</b></DT><DD>
+(default: see 'postconf -d' output)</b></DT><DD>
<p> TLS protocols that the Postfix SMTP client will use with
opportunistic TLS encryption. In <a href="postconf.5.html">main.cf</a> the values are separated by
@@ -13975,7 +14300,9 @@ destinations via <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_
<dt><b><a href="TLS_README.html#client_tls_may">may</a></b></dt>
<dd> Opportunistic TLS. Use TLS if this is supported by the remote
-SMTP server, otherwise use plaintext. Since
+SMTP server, otherwise use plaintext; after a failed TLS handshake
+or TLS session, fall back to plaintext if the message has spent
+<a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a> in the mail queue. Since
sending in the clear is acceptable, demanding stronger than default TLS
security merely reduces interoperability.
The "<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>" and "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a>" (Postfix &ge; 2.6)
@@ -14896,9 +15223,8 @@ pubkey_fingerprint } } </dd>
<dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
-<dd>Search the specified access database for the client hostname,
-parent domains, client IP address, or networks obtained by stripping
-least significant octets. See the <a href="access.5.html">access(5)</a> manual page for details. </dd>
+<dd>Search the specified access database for the client hostname
+or IP address. See the <a href="access.5.html">access(5)</a> manual page for details. </dd>
<dt><b><a name="check_client_a_access">check_client_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
@@ -14929,8 +15255,7 @@ available in Postfix 2.7 and later. </dd>
<dt><b><a name="check_reverse_client_hostname_access">check_reverse_client_hostname_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
<dd>Search the specified access database for the unverified reverse
-client hostname, parent domains, client IP address, or networks
-obtained by stripping least significant octets. See the <a href="access.5.html">access(5)</a>
+client hostname or IP address. See the <a href="access.5.html">access(5)</a>
manual page for details. Note: a result of "OK" is not allowed for
safety reasons. Instead, use DUNNO in order to exclude specific
hosts from denylists. This feature is available in Postfix 2.6
@@ -15527,6 +15852,9 @@ server. This option is therefore off by default. </p>
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior. </p>
+<p> This feature is deprecated as of Postfix 3.9. Specify
+<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p>
+
<p> This feature is available in Postfix 2.2 and later. With
Postfix 2.3 and later use <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p>
@@ -15588,8 +15916,8 @@ received with the ETRN command.
<dt><b><a name="check_etrn_access">check_etrn_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
-<dd>Search the specified access database for the ETRN domain name
-or its parent domains. See the <a href="access.5.html">access(5)</a> manual page for details.
+<dd>Search the specified access database for the ETRN domain name.
+See the <a href="access.5.html">access(5)</a> manual page for details.
</dd>
</dl>
@@ -15641,7 +15969,7 @@ This feature is available in Postfix 2.0 and later.
</DD>
<DT><b><a name="smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a>
-(default: Postfix &lt; 3.9: no)</b></DT><DD>
+(default: Postfix &ge; 3.9: normalize)</b></DT><DD>
<p> Reject or restrict input lines from an SMTP client that end in
&lt;LF&gt; instead of the standard &lt;CR&gt;&lt;LF&gt;. Such line
@@ -15654,7 +15982,8 @@ SMTP smuggling</a>. </p>
<dl compact>
-<dt> <b>normalize</b></dt> <dd> Require the standard
+<dt> <b>normalize</b> (default for Postfix &ge; 3.9) </dt>
+<dd> Require the standard
End-of-DATA sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;.
Otherwise, allow command or message content lines ending in the
non-standard &lt;LF&gt;, and process them as if the client sent the
@@ -15666,6 +15995,13 @@ with the standard End-of-DATA sequence
&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;. <br> <br> Such clients
can be excluded with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>. </dd>
+<dt> <b>note</b> </dt> <dd> Same as "normalize", but also notes in
+the log whether the Postfix SMTP server received any lines with
+"bare &lt;LF&gt;". The information is formatted as "<tt>disconnect
+from name[address] ... notes=bare_lf</tt>". The notes value is
+expected to become a list of comma-separated names. <br> <br> This
+feature is available in Postfix 3.9 and later. </dd>
+
<dt> <b>yes</b> </dt> <dd> Compatibility alias for <b>normalize</b>. </dd>
<dt> <b>reject</b> </dt> <dd> Require the standard End-of-DATA
@@ -15684,8 +16020,8 @@ of BDAT violations, BDAT can be selectively disabled with
<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>, or globally disabled with
<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>). </dd>
-<dt> <b>no</b> (default)</dt> <dd> Do not require the standard
-End-of-DATA
+<dt> <b>no</b> (default for Postfix &lt; 3.9) </dt>
+<dd> Do not require the standard End-of-DATA
sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;. Always process
a bare &lt;LF&gt; as if the client sent &lt;CR&gt;&lt;LF&gt;. This
option is fully backwards compatible, but is not recommended for
@@ -15793,9 +16129,9 @@ Specify a 5XX status code (521 to disconnect).
<p> Disconnect remote SMTP clients that violate <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (or 5321)
command pipelining constraints. The server replies with "554 5.5.0
Error: SMTP protocol synchronization" and logs the unexpected remote
-SMTP client input. Specify "<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> = yes"
-to enable. This feature is enabled by default with Postfix &ge;
-3.9. </p>
+SMTP client input. This feature is enabled by default with Postfix
+&ge; 3.9. Specify "<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> = no" to disable.
+</p>
<p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. </p>
@@ -15899,7 +16235,7 @@ received with the HELO or EHLO command.
<dt><b><a name="check_helo_access">check_helo_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
<dd>Search the specified <a href="access.5.html">access(5)</a> database for the HELO or EHLO
-hostname or parent domains, and execute the corresponding action.
+hostname, and execute the corresponding action.
Note: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully enforce this
restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a client can
simply skip <a href="postconf.5.html#check_helo_access">check_helo_access</a> by not sending HELO or EHLO). </dd>
@@ -16563,8 +16899,7 @@ that is received with the RCPT TO command.
<dt><b><a name="check_recipient_access">check_recipient_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
<dd>Search the specified <a href="access.5.html">access(5)</a> database for the resolved RCPT
-TO address, domain, parent domains, or localpart@, and execute the
-corresponding action. </dd>
+TO address, and execute the corresponding action. </dd>
<dt><b><a name="check_recipient_a_access">check_recipient_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
@@ -16993,7 +17328,7 @@ The same restrictions are available as documented under
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>.
</p>
-<p> This feature is available in Postix 2.10 and later. </p>
+<p> This feature is available in Postfix 2.10 and later. </p>
</DD>
@@ -17411,8 +17746,7 @@ received with the MAIL FROM command.
<dt><b><a name="check_sender_access">check_sender_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
<dd>Search the specified <a href="access.5.html">access(5)</a> database for the MAIL FROM
-address, domain, parent domains, or localpart@, and execute the
-corresponding action. </dd>
+address, and execute the corresponding action. </dd>
<dt><b><a name="check_sender_a_access">check_sender_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
@@ -18316,6 +18650,53 @@ where EC algorithms have not been disabled by the vendor. </p>
</DD>
+<DT><b><a name="smtpd_tls_enable_rpk">smtpd_tls_enable_rpk</a>
+(default: no)</b></DT><DD>
+
+<p> Request that remote SMTP clients send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
+instead of an X.509 certificate, when asking for or requiring client
+authentication. This feature is ignored when there is no raw public
+key support in the local TLS implementation. </p>
+
+<p> The Postfix SMTP server will log a warning when "<a href="postconf.5.html#smtpd_tls_enable_rpk">smtpd_tls_enable_rpk</a>
+= yes", but the remote SMTP client sends a certificate, the
+certificate's public key fingerprint does not match a <a href="postconf.5.html#check_ccert_access">check_ccert_access</a>
+table, while the certificate fingerprint does match a <a href="postconf.5.html#check_ccert_access">check_ccert_access</a>
+table. The remote SMTP client would lose access when it starts
+sending a raw public key instead of a certificate, after its TLS
+implementation is updated with raw public key support. </p>
+
+<p> The Postfix SMTP server always sends a raw public key instead
+of a certificate, if solicited by the remote SMTP client and the
+local TLS implementation supports raw public keys. If the client
+sends a server name indication with an SNI TLS extension, and
+<a href="postconf.5.html#tls_server_sni_maps">tls_server_sni_maps</a> is configured, the server will extract a raw
+public key from the indicated certificate. </p>
+
+<p> Sample commands to compute certificate and public key SHA256 digests: </p>
+
+<pre>
+# SHA256 digest of the first certificate in "cert.pem"
+$ openssl x509 -in cert.pem -outform DER | openssl dgst -sha256 -c
+</pre>
+
+<pre>
+# SHA256 digest of the SPKI of the first certificate in "cert.pem"
+$ openssl x509 -in cert.pem -pubkey -noout |
+ openssl pkey -pubin -outform DER | openssl dgst -sha256 -c
+</pre>
+
+<pre>
+# SHA256 digest of the SPKI of the first private key in "pkey.pem"
+$ openssl pkey -in pkey.pem -pubout -outform DER |
+ openssl dgst -sha256 -c
+</pre>
+
+<p> This feature is available in Postfix 3.9 and later. </p>
+
+
+</DD>
+
<DT><b><a name="smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a>
(default: empty)</b></DT><DD>
@@ -18472,7 +18853,9 @@ if client certificate verification is not required. With Postfix 2.8 and
earlier, log the summary message, peer certificate summary information
and unconditionally log trust-chain verification errors. </dd>
-<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
+<dt> </dt> <dd> 2 Also enable verbose logging in the Postfix TLS
+library, log session cache operations, and enable OpenSSL logging
+of the progress of the SSL handshake. </dd>
<dt> </dt> <dd> 3 Also log hexadecimal and ASCII dump of TLS negotiation
process. </dd>
@@ -18655,7 +19038,7 @@ releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2). </p>
</DD>
<DT><b><a name="smtpd_tls_protocols">smtpd_tls_protocols</a>
-(default: see postconf -d output)</b></DT><DD>
+(default: see 'postconf -d' output)</b></DT><DD>
<p> TLS protocols accepted by the Postfix SMTP server with opportunistic
TLS encryption. If the list is empty, the server supports all available
@@ -18931,6 +19314,9 @@ but do not require that clients use TLS encryption. </p>
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior. </p>
+<p> This feature is deprecated as of Postfix 3.9. Specify
+<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p>
+
<p> This feature is available in Postfix 2.2 and later. With
Postfix 2.3 and later use <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p>
@@ -19438,8 +19824,7 @@ via the <a href="postconf.5.html#tls_config_file">tls_config_file</a> parameter.
selected name is not present in the configuration file, the default
application name ("openssl_conf") is used as a fallback. </p>
-<p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
-3.6.10, and 3.5.20. </p>
+<p> This feature is available in Postfix &ge; 3.9. </p>
</DD>
@@ -20356,6 +20741,9 @@ to configure tlsproxy client keys and certificates is via the
See <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> for further details. Use
<a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> instead. </p>
+<p> This feature is deprecated as of Postfix 3.9. Specify
+<a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> instead. </p>
+
<p> This feature is available in Postfix 3.4 and later. </p>
@@ -20427,6 +20815,9 @@ value. </p>
usage policy by next-hop destination and by remote TLS server
hostname. See <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> for further details. </p>
+<p> This feature is deprecated as of Postfix 3.9. Specify
+<a href="postconf.5.html#tlsproxy_client_policy_maps">tlsproxy_client_policy_maps</a> instead. </p>
+
<p> This feature is available in Postfix 3.4 and later. </p>
@@ -20488,6 +20879,9 @@ was previously called <a href="postconf.5.html#tlsproxy_client_level">tlsproxy_c
support. See <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> for further details. Use
<a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> instead. </p>
+<p> This feature is deprecated as of Postfix 3.9. Specify
+<a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> instead. </p>
+
<p> This feature is available in Postfix 3.4 and later. </p>
@@ -20500,6 +20894,9 @@ support. See <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> for further
require that clients use TLS encryption. See <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> for
further details. Use <a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> instead. </p>
+<p> This feature is deprecated as of Postfix 3.9. Specify
+<a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> instead. </p>
+
<p> This feature is available in Postfix 2.8 and later. </p>
@@ -20632,6 +21029,8 @@ private DSA key. DSA is obsolete and should not be used. See
should use with non-export EDH ciphers. See <a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a>
for further details. </p>
+<p> This feature is deprecated as of Postfix 3.9. Do not specify. </p>
+
<p> This feature is available in Postfix 2.8 and later. </p>
@@ -20704,11 +21103,25 @@ the "<a href="postconf.5.html#tlsproxy_tls_chain_files">tlsproxy_tls_chain_files
elliptic-curve Diffie-Hellman (EECDH) key exchange. See
<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> for further details. </p>
+<p> This feature is deprecated as of Postfix 3.9. Do not specify. </p>
+
<p> This feature is available in Postfix 2.8 and later. </p>
</DD>
+<DT><b><a name="tlsproxy_tls_enable_rpk">tlsproxy_tls_enable_rpk</a>
+(default: $<a href="postconf.5.html#smtpd_tls_enable_rpk">smtpd_tls_enable_rpk</a>)</b></DT><DD>
+
+<p> Request that remote SMTP clients send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
+instead of an X.509 certificate, when asking or requiring client
+authentication. See $<a href="postconf.5.html#smtpd_tls_enable_rpk">smtpd_tls_enable_rpk</a> for details. </p>
+
+<p> This feature is available in Postfix 3.9 and later. </p>
+
+
+</DD>
+
<DT><b><a name="tlsproxy_tls_exclude_ciphers">tlsproxy_tls_exclude_ciphers</a>
(default: $<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a>)</b></DT><DD>
@@ -20856,6 +21269,9 @@ shared by all three services, namely <a href="postconf.5.html#smtpd_tls_session_
but do not require that clients use TLS encryption. See <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>
for further details. Use <a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> instead. </p>
+<p> This feature is deprecated as of Postfix 3.9. Specify
+<a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> instead. </p>
+
<p> This feature is available in Postfix 2.8 and later. </p>
@@ -21100,7 +21516,14 @@ built-in suffix (in this case: "_initial_destination_concurrency").
<p>
Optional lookup tables with mappings from recipient address to
(message delivery transport, next-hop destination). See <a href="transport.5.html">transport(5)</a>
-for details.
+for syntax details.
+</p>
+
+<p> This information may override the message delivery transport
+and/or next-hop destination that are specified with $<a href="postconf.5.html#local_transport">local_transport</a>,
+$<a href="postconf.5.html#virtual_transport">virtual_transport</a>, $<a href="postconf.5.html#relay_transport">relay_transport</a>, $<a href="postconf.5.html#default_transport">default_transport</a>,
+$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>, $<a href="postconf.5.html#relayhost">relayhost</a>,
+$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>, or the recipient domain.
</p>
<p>
@@ -21735,7 +22158,7 @@ This feature is available in Postfix 1.1 and later.
<p>
The maximal length of an email address after virtual alias expansion.
-This stops virtual aliasing loops that increase the address length
+This stops <a href="ADDRESS_REWRITING_README.html#virtual">virtual aliasing</a> loops that increase the address length
exponentially.
</p>
@@ -21814,8 +22237,10 @@ This feature is available in Postfix 2.1 and later.
(default: $<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b></DT><DD>
<p>
-Optional lookup tables that alias specific mail addresses or domains
-to other local or remote addresses. The table format and lookups
+Optional lookup tables with aliases that apply to all recipients:
+<a href="local.8.html">local(8)</a>, virtual, and remote; this is unlike <a href="postconf.5.html#alias_maps">alias_maps</a> that apply
+only to <a href="local.8.html">local(8)</a> recipients.
+The table format and lookups
are documented in <a href="virtual.5.html">virtual(5)</a>. For an overview of Postfix address
manipulations see the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document.
</p>