From 426ff88c97805d5359804bcfd7186dcd2c9fbf47 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
-The alias databases that are used for local(8) delivery. See
-aliases(5) for syntax details.
+Optional lookup tables with aliases that apply only to local(8)
+recipients; this is unlike virtual_alias_maps that apply to all
+recipients: local(8), virtual, and remote.
+The table format and lookups are documented in aliases(5). For an
+overview of Postfix address manipulations see the ADDRESS_REWRITING_README
+document.
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
@@ -2732,19 +2738,30 @@ name of the message delivery transport.
The default mail delivery transport and next-hop destination for
-destinations that do not match $mydestination, $inet_interfaces,
+the default domain class: recipient domains that do not match
+$mydestination, $inet_interfaces,
$proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains,
-or $relay_domains. This information can be overruled with the
-sender_dependent_default_transport_maps parameter and with the
-transport(5) table.
-In order of decreasing precedence, the nexthop destination is taken -from $sender_dependent_default_transport_maps, $default_transport, -$sender_dependent_relayhost_maps, $relayhost, or from the recipient -domain. +
For recipient domains in the default domain class:
+ +
In order of decreasing precedence, the delivery transport +is taken from 1) $transport_maps, 2) +$sender_dependent_default_transport_maps or $default_transport.
+In order of decreasing precedence, the nexthop destination +is taken from 1) $transport_maps, 2) +$sender_dependent_default_transport_maps or $default_transport, 3) +$sender_dependent_relayhost_maps or $relayhost or the recipient +domain.
+ +Specify a string of the form transport:nexthop, where transport is the name of a mail delivery transport defined in master.cf. @@ -3713,6 +3730,25 @@ This feature is available in Postfix 2.0 and later.
+ + +Convert body content that claims to be 8-bit into quoted-printable, +before header_checks, body_checks, Milters, and before after-queue +content filters. This feature does not affect messages that are +sent into smtpd_proxy_filter.
+ +The typical use case is an MTA that applies this conversion +before signing outbound messages, so that the signatures will remain +valid when a message is later delivered to an MTA that does not +announce 8BITMIME support, or when a message line exceeds the SMTP +length limit.
+ +This feature is available in Postfix ≥ 3.9.
+ +The local network interface addresses that this mail system receives -mail on. Specify "all" to receive mail on all network -interfaces (default), and "loopback-only" to receive mail -on loopback network interfaces only (Postfix version 2.2 and later). The -parameter also controls delivery of mail to user@[ip.address]. -
+The local network interface addresses that this mail system +receives mail on. Specify "all" to receive mail on all network +interfaces (default), "loopback-only" to receive mail on loopback +network interfaces only (Postfix version 2.2 and later), or zero +or more IPv4 or IPv6 addresses (IPv6 is supported in Postfix version +2.2 and later). The parameter also controls whether Postfix will +accept mail for user@[ip.address], and prevents Postfix +from delivering mail to a host that has equal or larger MX preference. +Specify an empty value if Postfix does not receive mail over the +network, or if all network listeners have an explicit IP address +in master.cf.
Note 1: you need to stop and start Postfix when this parameter changes. @@ -4168,22 +4209,44 @@ Note 1: you need to stop and start Postfix when this parameter changes.
Note 2: address information may be enclosed inside [], but this form is not required here.
-When inet_interfaces specifies just one IPv4 and/or IPv6 address -that is not a loopback address, the Postfix SMTP client will use -this address as the IP source address for outbound mail. Support -for IPv6 is available in Postfix version 2.2 and later.
+When smtp_bind_address and/or smtp_bind_address6 are not +specified, the inet_interfaces setting may constrain the source IP +address for an outbound SMTP or LMTP connection as described below. +
+ +The following text is specific to SMTP and IPv4. The same +reasoning applies to the IPv6 protocol, and to the Postfix LMTP +client. To disable IPv4 or IPv6 support in the Postfix SMTP and +LMTP client, use inet_protocols.
--On a multi-homed firewall with separate Postfix instances listening on the -"inside" and "outside" interfaces, this can prevent each instance from -being able to reach remote SMTP servers on the "other side" of the -firewall. Setting -smtp_bind_address to 0.0.0.0 avoids the potential problem for -IPv4, and setting smtp_bind_address6 to :: solves the problem -for IPv6.
+When inet_interfaces specifies one IPv4 address, and that +is not a loopback address, the Postfix SMTP client uses that as the +source address for outbound IPv4 connections.
+ +Otherwise, the Postfix SMTP client does not constrain the +source IPv4 address, and connects using a system-chosen source IPv4 +address. This includes the cases where inet_interfaces is empty, +where it specifies all, or where it contains no IPv4 address, +one IPv4 address that is a loopback address, or multiple IPv4 +addresses.
+ +A Postfix SMTP client may fail to reach some remote SMTP servers +when the client source IP address is constrained explicitly with +smtp_bind_address or smtp_bind_address6, or implicitly with +inet_interfaces. This can happen when Postfix runs on a multi-homed +system such as a firewall, the Postfix SMTP source client IP address +is constrained to one specific network interface, and the remote +SMTP server must be reached through a different interface. Setting +smtp_bind_address to 0.0.0.0 avoids the potential problem for IPv4, +and setting smtp_bind_address6 to :: solves the problem for IPv6. +
-A better solution for multi-homed firewalls is to leave inet_interfaces +A better solution for multi-homed systems is to leave inet_interfaces at the default value and instead use explicit IP addresses in the master.cf SMTP server definitions. This preserves the Postfix SMTP client's @@ -4215,7 +4278,7 @@ Examples:
The Internet protocols Postfix will attempt to use when making or accepting connections. Specify one or more of "ipv4" @@ -4893,6 +4956,9 @@ configuration parameter. See there for details.
The LMTP-specific version of the smtp_enforce_tls configuration parameter. See there for details.
+This feature is deprecated as of Postfix 3.9. Specify +lmtp_tls_security_level instead.
+This feature is available in Postfix 2.3 and later.
@@ -5293,6 +5359,15 @@ to the remote host. +The LMTP-specific version of the smtp_sasl_password_result_delimiter +configuration parameter. See there for details.
+ +The LMTP-specific version of the smtp_tls_enable_rpk +configuration parameter. See there for details.
+ +This feature is available in Postfix 3.9 and later.
+ +The LMTP-specific version of the smtp_tls_mandatory_protocols configuration parameter. See there for details.
@@ -5721,6 +5807,9 @@ configuration parameter. See there for details.The LMTP-specific version of the smtp_tls_per_site configuration parameter. See there for details.
+This feature is deprecated as of Postfix 3.9. Specify +lmtp_tls_policy_maps instead.
+This feature is available in Postfix 2.3 and later.
@@ -5738,7 +5827,7 @@ configuration parameter. See there for details.The LMTP-specific version of the smtp_tls_protocols configuration parameter. See there for details.
@@ -5853,6 +5942,9 @@ parameter. See there for details.The LMTP-specific version of the smtp_use_tls configuration parameter. See there for details.
+This feature is deprecated as of Postfix 3.9. Specify +lmtp_tls_security_level instead.
+This feature is available in Postfix 2.3 and later.
@@ -6149,8 +6241,8 @@ until a match is found.If this parameter is non-empty (the default), then the Postfix SMTP -server will reject mail for unknown local users. -
+server will reject mail for unknown local users. Other Postfix +interfaces may still accept an "unknown" recipient.To turn off local recipient checking in the Postfix SMTP server, @@ -6449,6 +6541,11 @@ and later.
This feature is available in Postfix 3.4 and later.
+ + +The file access permissions that will be set when the file +$maillog_file is created for the first time, or when the file is +created after an existing file is rotated. Specify one of: 0600 +(only super-user read/write access), 0640 (adds 'group' read +access), or 0644 (also adds 'other' read access). The leading +'0' is optional.
+ +This feature is available in Postfix 3.9 and later.
+ +The amount of time that postscreen(8) will use the result from -a successful "bare newline" SMTP protocol test. During this -time, the client IP address is excluded from this test. The default +
The amount of time that postscreen(8) remembers that a client +IP address passed a "bare newline" SMTP protocol test, before it +address is required to pass that test again. The default is long because a remote SMTP client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.
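Review bot: typo in the added "bare newline" TTL text: "before it address is required to pass that test again" has a stray "address". The sibling TTL descriptions added in this patch (PREGREET, "non_smtp_command", "pipelining") read "before it is required to pass that test again"; use the same wording here.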
@@ -8584,9 +8696,10 @@ defined with the postscreen_dnsSpecify a negative value to enable this feature. When a client passes the postscreen_dnsbl_allowlist_threshold without having failed other tests, all pending or disabled tests are flagged as -completed with a time-to-live value equal to postscreen_dnsbl_ttl. -When a test was already completed, its time-to-live value is updated -if it was less than postscreen_dnsbl_ttl.
+completed with an expiration time based on the DNS reply TTL. +When a test was already completed, its expiration time is updated +if it was less than the value based on the DNS reply TTL. See +also postscreen_dnsbl_max_ttl and postscreen_dnsbl_min_ttl.This feature is available in Postfix 3.6 and later.
@@ -8599,9 +8712,9 @@ if it was less than postscreen_dnThe maximum amount of time that postscreen(8) will use the -result from a successful DNS-based reputation test before a -client IP address is required to pass that test again. If the DNS +
The maximum amount of time that postscreen(8) remembers that a +client IP address passed a DNS-based reputation test, before it is +required to pass that test again. If the DNS reply specifies a shorter TTL value, that value will be used unless it would be smaller than postscreen_dnsbl_min_ttl.
@@ -8619,9 +8732,9 @@ is backwards-compatible with older Postfix versions.The minimum amount of time that postscreen(8) will use the -result from a successful DNS-based reputation test before a -client IP address is required to pass that test again. If the DNS +
The minimum amount of time that postscreen(8) remembers that a +client IP address passed a DNS-based reputation test, before it +is required to pass that test again. If the DNS reply specifies a larger TTL value, that value will be used unless it would be larger than postscreen_dnsbl_max_ttl.
@@ -8762,9 +8875,9 @@ The default time unit is s (seconds).The amount of time that postscreen(8) will use the result from -a successful DNS-based reputation test before a client -IP address is required to pass that test again.
+The amount of time that postscreen(8) remembers that a client +IP address passed a DNS-based reputation test, before it is required +to pass that test again.
Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s @@ -8880,9 +8993,9 @@ value to disable this feature.
The amount of time that postscreen(8) will use the result from -a successful PREGREET test. During this time, the client IP address -is excluded from this test. The default is relatively short, because +
The amount of time that postscreen(8) remembers that a client +IP address passed a PREGREET test, before it is required to pass +that test again. The default is relatively short, because a good client can immediately talk to a real Postfix SMTP server.
Specify a non-zero time value (an integral value plus an optional @@ -8976,9 +9089,9 @@ test, before it can talk to a real Postfix SMTP server.
The amount of time that postscreen(8) will use the result from -a successful "non_smtp_command" SMTP protocol test. During this -time, the client IP address is excluded from this test. The default +
The amount of time that postscreen(8) remembers that a client +IP address passed a "non_smtp_command" SMTP protocol test, before +it is required to pass that test again. The default is long because a client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.
@@ -9044,9 +9157,9 @@ server.The amount of time that postscreen(8) will use the result from -a successful "pipelining" SMTP protocol test. During this time, the -client IP address is excluded from this test. The default is +
The amount of time that postscreen(8) remembers that a client +IP address passed a "pipelining" SMTP protocol test, before it is +required to pass that test again. The default is long because a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.
@@ -10136,13 +10249,24 @@ This feature is available in Postfix 2.0 and later.The default mail delivery transport and next-hop destination for -remote delivery to domains listed with $relay_domains. In order of -decreasing precedence, the nexthop destination is taken from -$relay_transport, $sender_dependent_relayhost_maps, $relayhost, or -from the recipient domain. This information can be overruled with -the transport(5) table. +the relay domain address class: recipient domains that match +$relay_domains.
+ +For recipient domains in the relay domain address class:
+ +In order of decreasing precedence, the message delivery +transport is taken from 1) $transport_maps, 2) $relay_transport.
+In order of decreasing precedence, the nexthop destination +is taken from 1) $transport_maps, 2) $relay_transport, 3) +$sender_dependent_relayhost_maps or $relayhost or the recipient +domain.
+ +Specify a string of the form transport:nexthop, where transport is the name of a mail delivery transport defined in master.cf. @@ -10166,13 +10290,31 @@ This feature is available in Postfix 2.0 and later. (default: empty)
-The next-hop destination(s) for non-local mail; overrides non-local -domains in recipient addresses. This information is overruled with -relay_transport, sender_dependent_default_transport_maps, -default_transport, sender_dependent_relayhost_maps -and with the transport(5) table. +The next-hop destination(s) for non-local mail; takes precedence +over non-local domains in recipient addresses. This information +will not be used when the sender matches $sender_dependent_relayhost_maps.
+In order of decreasing precedence:
+ +For recipient domains in the relay domain address class +(domains matching $relay_domains), the nexthop destination is taken +from 1) $transport_maps, 2) $relay_transport, 3) +$sender_dependent_relayhost_maps or $relayhost or the recipient +domain.
+ +
For recipient domains in the default domain address class +(domains that do not match $mydestination, $inet_interfaces, +$proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, +or $relay_domains), the nexthop destination is taken from 1) +$transport_maps, 2) $sender_dependent_default_transport_maps or +$default_transport, 3) $sender_dependent_relayhost_maps or $relayhost +or the recipient domain.
+ +On an intranet, specify the organizational domain name. If your internal DNS uses no MX records, specify the name of the intranet @@ -10180,11 +10322,12 @@ gateway host instead.
-In the case of SMTP or LMTP delivery, specify one or more destinations -in the form of a domain name, hostname, hostname:port, [hostname]:port, -[hostaddress] or [hostaddress]:port, separated by comma or whitespace. -The form [hostname] turns off MX lookups. Multiple destinations are -supported in Postfix 3.5 and later. +In the case of SMTP delivery, specify one or more destinations in +the form of a domain name, hostname, hostname:service, [hostname]:service, +[hostaddress] or [hostaddress]:service, separated by comma or whitespace. +The form [hostname] turns off MX or SRV lookups. Multiple destinations +are supported in Postfix 3.5 and later. Each destination is tried +in the specified order.
@@ -10589,18 +10732,38 @@ address and @domain. A lookup result of DUNNO terminates the search without overriding the global default_transport parameter setting. This information is overruled with the transport(5) table.
--Specify zero or more "type:name" lookup tables, separated by -whitespace or comma. Tables will be searched in the specified order -until a match is found. +
This setting affects only the default domain address class +(recipient domains that do not match $mydestination, $inet_interfaces, +$proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, +or $relay_domains):
+ +In order of decreasing precedence, the delivery transport +is taken from 1) $transport_maps, 2) +$sender_dependent_default_transport_maps or $default_transport.
+In order of decreasing precedence, the nexthop destination +is taken from 1) $transport_maps, 2) +$sender_dependent_default_transport_maps or $default_transport, 3) +$sender_dependent_relayhost_maps or $relayhost or the recipient +domain.
+ +Note: this overrides default_transport, not transport_maps, and therefore the expected syntax is that of default_transport, not the syntax of transport_maps. Specifically, this does not support the transport_maps syntax for null transport, null nexthop, or null email addresses.
++Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +
+For safety reasons, this feature does not allow $number substitutions in regular expression maps.
@@ -10616,9 +10779,27 @@ substitutions in regular expression maps. setting. The tables are searched by the envelope sender address and @domain. A lookup result of DUNNO terminates the search without overriding the global relayhost parameter setting (Postfix 2.6 and -later). This information is overruled with relay_transport, -sender_dependent_default_transport_maps, default_transport and with -the transport(5) table. +later). + +In order of decreasing precedence:
+ +For recipient domains in the relay domain address class +(domains matching $relay_domains), the nexthop destination is taken +from 1) $transport_maps, 2) $relay_transport, 3) +$sender_dependent_relayhost_maps or $relayhost or the recipient +domain.
+ +For recipient domains in the default domain address class +(domains that do not match mydestination, $inet_interfaces, +$proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, +$relay_domains), the nexthop destination is taken from 1) +$transport_maps, 2) $sender_dependent_default_transport_maps or +$default_transport, 3) $sender_dependent_relayhost_maps or $relayhost +or the recipient domain.
+ +Specify zero or more "type:name" lookup tables, separated by @@ -10820,13 +11001,38 @@ IPv6 connectivity:
The setting "smtp_address_preference = ipv6" is unsafe. -It can fail to deliver mail when there is an outage that affects -IPv6, while the destination is still reachable over IPv4.
+All deliveries will suffer delays during an IPv6 outage, even +while the destination is still reachable over IPv4. Mail may be +stuck in the queue with Postfix versions < 3.3 that do not +implement "smtp_balance_inet_protocols". For similar reasons, the +setting "smtp_address_preference = ipv4" is also unsafe.The setting "smtp_address_preference = any" is safe. With -this, mail will eventually be delivered even if there is an outage +this, and "smtp_balance_inet_protocols = yes" (the default), only +half of deliveries will suffer delays if there is an outage that affects IPv6 or IPv4, as long as it does not affect both.
+The setting "smtp_address_preference = ipv4" is not a +solution for remote servers that flag email received over IPv6 as +more 'spammy' (the client IPv6 address has a bad or missing PTR or +AAAA record, bad network neighbors, etc.). Instead, configure Postfix +to receive mail over both IPv4 and IPv6, and to deliver mail over +only IPv4.
+ +++ ++/etc/postfix/main.cf: + inet_protocols = all ++
+++/etc/postfix/master.cf + smtp ...other fields... smtp -o inet_protocols=ipv4 ++
This feature is available in Postfix 2.8 and later.
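Review bot: the second sample added to the smtp_address_preference text is headed "/etc/postfix/master.cf" without the trailing colon that the first sample has ("/etc/postfix/main.cf:"); add it for consistency. It would also help to say that the master.cf line shown is the SMTP client service (its command field is "smtp"), so that readers do not apply the "-o inet_protocols=ipv4" override to the SMTP server entry by mistake.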
@@ -12295,6 +12501,9 @@ If no username:password entry is found, then the Postfix SMTP client will not attempt to authenticate to the remote host. +Use smtp_sasl_password_result_delimiter to specify an +alternative separator between username and password.
+The Postfix SMTP client opens the lookup table before going to chroot jail, so you can leave the password file in /etc/postfix. @@ -12307,6 +12516,18 @@ until a match is found.
+The delimiter between username and password in sasl_passwd_maps lookup +results. Specify one non-whitespace character that does not appear in +the username.
+ +This feature is available in Postfix ≥ 3.9.
+ +Request that remote SMTP servers send an RFC7250 raw public key +instead of an X.509 certificate. This feature and the enable_rpk +policy attribute are ignored when there is no raw public key support +in the local TLS implementation.
+ +At the "may", "encrypt" and "fingerprint" security levels, +with parameter setting "smtp_tls_enable_rpk = yes" or with "enable_rpk += yes" in a policy entry, the Postfix SMTP client will indicate in +the TLS handshake that it prefers to receive a raw server public +key, but it will still accept a server public key certificate.
+ +At the "fingerprint" security level, with parameter setting +"smtp_tls_enable_rpk = yes" or with "enable_rpk = yes" in a policy +entry, server authentication based on certificate fingerprints +becomes more fragile. Even if the server private key and certificate +remain unchanged, the remote SMTP server will fail fingerprint +authentication (won't match the configured list of fingerprints) +when it starts sending a raw public key instead of a certificate, +after its TLS implementation is updated with raw public key support. +Therefore, DO NOT enable raw public keys to remote destinations +authenticated by server certificate fingerprints. You should +enable raw public keys only for servers matched via their public +key fingerprint.
+ +At the "verify" and "secure" security levels, the Postfix +SMTP client always ignores the parameter setting smtp_tls_enable_rpk +or the enable_rpk policy attribute.
+ +At the opportunistic "dane" security level, the Postfix +SMTP client ignores the parameter setting smtp_tls_enable_rpk or +the enable_rpk policy attribute (but it will respect them when it +falls back to the "may" or "encrypt" level). When all valid TLSA +records specify only server public keys (no certificates) and the +local TLS implementation supports raw public keys, the client will +indicate in the TLS handshake that it prefers to receive a raw +public key, but it will still accept a public key certificate.
+ +At the mandatory "dane-only" security level, the Postfix +SMTP client always ignores the parameter setting smtp_tls_enable_rpk +or the enable_rpk policy attribute. When all valid TLSA records +specify only server public keys (no certificates) and the local TLS +implementation supports raw public keys, the client will indicate +in the TLS handshake that it prefers to receive a raw public key, +but it will still accept a public key certificate.
+ +The Postfix SMTP client is always willing to send raw public keys +to servers that solicit them when a client certificate is configured +and the local TLS implementation supports raw public keys.
+ +Sample commands to compute certificate and public key SHA256 digests:
+ ++# SHA256 digest of the first certificate in "cert.pem" +$ openssl x509 -in cert.pem -outform DER | openssl dgst -sha256 -c ++ +
+# SHA256 digest of the SPKI of the first certificate in "cert.pem" +$ openssl x509 -in cert.pem -pubkey -noout | + openssl pkey -pubin -outform DER | openssl dgst -sha256 -c ++ +
+# SHA256 digest of the SPKI of the first private key in "pkey.pem" +$ openssl pkey -in pkey.pem -pubout -outform DER | + openssl dgst -sha256 -c ++ +
This feature is available in Postfix 3.9 and later.
+ + TLS protocols that the Postfix SMTP client will use with
opportunistic TLS encryption. In main.cf the values are separated by
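Review bot: the smtp_tls_enable_rpk text warns against enabling raw public keys for destinations authenticated by certificate fingerprint, but the three sample openssl commands that follow do not tie back to that warning. Suggest marking the first command (digest of the whole certificate) as the form that stops matching once the server sends a raw public key, and the second and third (digest of the SPKI) as the form to have in place before setting "smtp_tls_enable_rpk = yes" or "enable_rpk = yes" for a destination.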
@@ -13975,7 +14300,9 @@ destinations via smtp_tls_policy_
This feature is deprecated as of Postfix 3.9. Specify +smtpd_tls_security_level instead.
+This feature is available in Postfix 2.2 and later. With Postfix 2.3 and later use smtpd_tls_security_level instead.
@@ -15588,8 +15916,8 @@ received with the ETRN command.Reject or restrict input lines from an SMTP client that end in <LF> instead of the standard <CR><LF>. Such line @@ -15654,7 +15982,8 @@ SMTP smuggling.
Disconnect remote SMTP clients that violate RFC 2920 (or 5321) command pipelining constraints. The server replies with "554 5.5.0 Error: SMTP protocol synchronization" and logs the unexpected remote -SMTP client input. Specify "smtpd_forbid_unauth_pipelining = yes" -to enable. This feature is enabled by default with Postfix ≥ -3.9.
+SMTP client input. This feature is enabled by default with Postfix +≥ 3.9. Specify "smtpd_forbid_unauth_pipelining = no" to disable. +This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, 3.6.10, and 3.5.20.
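Review bot: the rewritten smtpd_forbid_unauth_pipelining paragraph drops the instruction to specify "smtpd_forbid_unauth_pipelining = yes" to enable, while the availability line kept as context still lists 3.8.1, 3.7.6, 3.6.10 and 3.5.20. The text now states the default only for Postfix ≥ 3.9, so it is unclear what applies on the older releases it names. Either state the default for those releases and keep the "yes" instruction for them, or say that the paragraph describes 3.9 behaviour only.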
@@ -15899,7 +16235,7 @@ received with the HELO or EHLO command.This feature is available in Postix 2.10 and later.
+This feature is available in Postfix 2.10 and later.
@@ -17411,8 +17746,7 @@ received with the MAIL FROM command.Request that remote SMTP clients send an RFC7250 raw public key +instead of an X.509 certificate, when asking for or requiring client +authentication. This feature is ignored when there is no raw public +key support in the local TLS implementation.
+ +The Postfix SMTP server will log a warning when "smtpd_tls_enable_rpk += yes", but the remote SMTP client sends a certificate, the +certificate's public key fingerprint does not match a check_ccert_access +table, while the certificate fingerprint does match a check_ccert_access +table. The remote SMTP client would lose access when it starts +sending a raw public key instead of a certificate, after its TLS +implementation is updated with raw public key support.
+ +The Postfix SMTP server always sends a raw public key instead +of a certificate, if solicited by the remote SMTP client and the +local TLS implementation supports raw public keys. If the client +sends a server name indication with an SNI TLS extension, and +tls_server_sni_maps is configured, the server will extract a raw +public key from the indicated certificate.
+ +Sample commands to compute certificate and public key SHA256 digests:
+ ++# SHA256 digest of the first certificate in "cert.pem" +$ openssl x509 -in cert.pem -outform DER | openssl dgst -sha256 -c ++ +
+# SHA256 digest of the SPKI of the first certificate in "cert.pem" +$ openssl x509 -in cert.pem -pubkey -noout | + openssl pkey -pubin -outform DER | openssl dgst -sha256 -c ++ +
+# SHA256 digest of the SPKI of the first private key in "pkey.pem" +$ openssl pkey -in pkey.pem -pubout -outform DER | + openssl dgst -sha256 -c ++ +
This feature is available in Postfix 3.9 and later.
+ +TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption. If the list is empty, the server supports all available @@ -18931,6 +19314,9 @@ but do not require that clients use TLS encryption.
STARTTLS due to insufficient privileges to access the server private key. This is intended behavior. +This feature is deprecated as of Postfix 3.9. Specify +smtpd_tls_security_level instead.
+This feature is available in Postfix 2.2 and later. With Postfix 2.3 and later use smtpd_tls_security_level instead.
@@ -19438,8 +19824,7 @@ via the tls_config_file parameter. selected name is not present in the configuration file, the default application name ("openssl_conf") is used as a fallback. -This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, -3.6.10, and 3.5.20.
+This feature is available in Postfix ≥ 3.9.
This feature is deprecated as of Postfix 3.9. Specify +tlsproxy_client_security_level instead.
+This feature is available in Postfix 3.4 and later.
@@ -20427,6 +20815,9 @@ value. usage policy by next-hop destination and by remote TLS server hostname. See smtp_tls_per_site for further details. +This feature is deprecated as of Postfix 3.9. Specify +tlsproxy_client_policy_maps instead.
+This feature is available in Postfix 3.4 and later.
@@ -20488,6 +20879,9 @@ was previously called tlsproxy_c support. See smtp_use_tls for further details. Use tlsproxy_client_security_level instead. +This feature is deprecated as of Postfix 3.9. Specify +tlsproxy_client_security_level instead.
+This feature is available in Postfix 3.4 and later.
@@ -20500,6 +20894,9 @@ support. See smtp_use_tls for further require that clients use TLS encryption. See smtpd_enforce_tls for further details. Use tlsproxy_tls_security_level instead. +This feature is deprecated as of Postfix 3.9. Specify +tlsproxy_tls_security_level instead.
+This feature is available in Postfix 2.8 and later.
@@ -20632,6 +21029,8 @@ private DSA key. DSA is obsolete and should not be used. See should use with non-export EDH ciphers. See smtpd_tls_dh1024_param_file for further details. +This feature is deprecated as of Postfix 3.9. Do not specify.
+This feature is available in Postfix 2.8 and later.
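Review bot: the deprecation line added here ("This feature is deprecated as of Postfix 3.9. Do not specify.") gives no migration guidance, unlike the other deprecation notes in this patch, which name a replacement ("Specify tlsproxy_tls_security_level instead"). Say what an administrator should do with an existing setting, or point to where the referenced smtpd_tls_dh1024_param_file text covers it. The same applies to the identical line added in the EECDH hunk that follows.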
@@ -20704,9 +21103,23 @@ the "tlsproxy_tls_chain_files elliptic-curve Diffie-Hellman (EECDH) key exchange. See smtpd_tls_eecdh_grade for further details. +This feature is deprecated as of Postfix 3.9. Do not specify.
+This feature is available in Postfix 2.8 and later.
+ + +Request that remote SMTP clients send an RFC7250 raw public key +instead of an X.509 certificate, when asking or requiring client +authentication. See $smtpd_tls_enable_rpk for details.
+ +This feature is available in Postfix 3.9 and later.
+ +This feature is deprecated as of Postfix 3.9. Specify +tlsproxy_tls_security_level instead.
+This feature is available in Postfix 2.8 and later.
@@ -21100,7 +21516,14 @@ built-in suffix (in this case: "_initial_destination_concurrency").Optional lookup tables with mappings from recipient address to (message delivery transport, next-hop destination). See transport(5) -for details. +for syntax details. +
+ +This information may override the message delivery transport +and/or next-hop destination that are specified with $local_transport, +$virtual_transport, $relay_transport, $default_transport, +$sender_dependent_relayhost_maps, $relayhost, +$sender_dependent_default_transport_maps, or the recipient domain.
@@ -21735,7 +22158,7 @@ This feature is available in Postfix 1.1 and later.
The maximal length of an email address after virtual alias expansion. -This stops virtual aliasing loops that increase the address length +This stops virtual aliasing loops that increase the address length exponentially.
@@ -21814,8 +22237,10 @@ This feature is available in Postfix 2.1 and later. (default: $virtual_maps)-Optional lookup tables that alias specific mail addresses or domains -to other local or remote addresses. The table format and lookups +Optional lookup tables with aliases that apply to all recipients: +local(8), virtual, and remote; this is unlike alias_maps that apply +only to local(8) recipients. +The table format and lookups are documented in virtual(5). For an overview of Postfix address manipulations see the ADDRESS_REWRITING_README document.
-- cgit v1.2.3
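Review bot: in the sender_dependent_relayhost_maps hunk, the added description of the default domain address class reads "(domains that do not match mydestination, $inet_interfaces, ..., $virtual_mailbox_domains, $relay_domains)": "mydestination" is missing its "$" prefix and the "or" before "$relay_domains" is missing. The same sentence in the relayhost and sender_dependent_default_transport_maps hunks has "$mydestination" and "or $relay_domains"; make this copy match.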