From 426ff88c97805d5359804bcfd7186dcd2c9fbf47 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 13 Apr 2024 10:42:06 +0200 Subject: Merging upstream version 3.9.0. Signed-off-by: Daniel Baumann --- html/postconf.5.html | 771 +++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 598 insertions(+), 173 deletions(-) (limited to 'html/postconf.5.html') diff --git a/html/postconf.5.html b/html/postconf.5.html index dbb8cc8..0ac9b68 100644 --- a/html/postconf.5.html +++ b/html/postconf.5.html @@ -612,8 +612,14 @@ Examples: (default: see "postconf -d" output)

-The alias databases that are used for local(8) delivery. See -aliases(5) for syntax details. +Optional lookup tables with aliases that apply only to local(8) +recipients; this is unlike virtual_alias_maps that apply to all +recipients: local(8), virtual, and remote. +The table format and lookups are documented in aliases(5). For an +overview of Postfix address manipulations see the ADDRESS_REWRITING_README +document.

+ +

Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found. @@ -2732,19 +2738,30 @@ name of the message delivery transport.

The default mail delivery transport and next-hop destination for -destinations that do not match $mydestination, $inet_interfaces, +the default domain class: recipient domains that do not match +$mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, -or $relay_domains. This information can be overruled with the -sender_dependent_default_transport_maps parameter and with the -transport(5) table.

+or $relay_domains. This information will not be used when +sender_dependent_default_transport_maps returns a result, and may +be overridden with the transport(5) table.

-

-In order of decreasing precedence, the nexthop destination is taken -from $sender_dependent_default_transport_maps, $default_transport, -$sender_dependent_relayhost_maps, $relayhost, or from the recipient -domain. +

For recipient domains in the default domain class:

+ +

+

Specify a string of the form transport:nexthop, where transport is the name of a mail delivery transport defined in master.cf. @@ -3713,6 +3730,25 @@ This feature is available in Postfix 2.0 and later.

+
+ +
force_mime_input_conversion +(default: no)
+ +

Convert body content that claims to be 8-bit into quoted-printable, +before header_checks, body_checks, Milters, and before after-queue +content filters. This feature does not affect messages that are +sent into smtpd_proxy_filter.

+ +

The typical use case is an MTA that applies this conversion +before signing outbound messages, so that the signatures will remain +valid when a message is later delivered to an MTA that does not +announce 8BITMIME support, or when a message line exceeds the SMTP +length limit.

+ +

This feature is available in Postfix ≥ 3.9.

+ +
fork_attempts @@ -3797,7 +3833,7 @@ filtered with the character set that is specified with the
The address extension delimiter that was found in the recipient address (Postfix 2.11 and later), or the 'first' delimiter specified with the system-wide recipient address extension delimiter (Postfix -3.5.22, 3.5.12, 3.7.8, 3.8.3 and later). Historically, this was +3.5.22, 3.6.12, 3.7.8, 3.8.3 and later). Historically, this was always the system-wide recipient address extension delimiter (Postfix 2.10 and earlier).
@@ -4154,12 +4190,17 @@ Specify 0 to disable the feature. Valid delays are 0..10.
inet_interfaces (default: all)
-

The local network interface addresses that this mail system receives -mail on. Specify "all" to receive mail on all network -interfaces (default), and "loopback-only" to receive mail -on loopback network interfaces only (Postfix version 2.2 and later). The -parameter also controls delivery of mail to user@[ip.address]. -

+

The local network interface addresses that this mail system +receives mail on. Specify "all" to receive mail on all network +interfaces (default), "loopback-only" to receive mail on loopback +network interfaces only (Postfix version 2.2 and later), or zero +or more IPv4 or IPv6 addresses (IPv6 is supported in Postfix version +2.2 and later). The parameter also controls whether Postfix will +accept mail for user@[ip.address], and prevents Postfix +from delivering mail to a host that has equal or larger MX preference. +Specify an empty value if Postfix does not receive mail over the +network, or if all network listeners have an explicit IP address +in master.cf.

Note 1: you need to stop and start Postfix when this parameter changes. @@ -4168,22 +4209,44 @@ Note 1: you need to stop and start Postfix when this parameter changes.

Note 2: address information may be enclosed inside [], but this form is not required here.

-

When inet_interfaces specifies just one IPv4 and/or IPv6 address -that is not a loopback address, the Postfix SMTP client will use -this address as the IP source address for outbound mail. Support -for IPv6 is available in Postfix version 2.2 and later.

+

When smtp_bind_address and/or smtp_bind_address6 are not +specified, the inet_interfaces setting may constrain the source IP +address for an outbound SMTP or LMTP connection as described below. +

+ +

The following text is specific to SMTP and IPv4. The same +reasoning applies to the IPv6 protocol, and to the Postfix LMTP +client. To disable IPv4 or IPv6 support in the Postfix SMTP and +LMTP client, use inet_protocols.

-

-On a multi-homed firewall with separate Postfix instances listening on the -"inside" and "outside" interfaces, this can prevent each instance from -being able to reach remote SMTP servers on the "other side" of the -firewall. Setting -smtp_bind_address to 0.0.0.0 avoids the potential problem for -IPv4, and setting smtp_bind_address6 to :: solves the problem -for IPv6.

+
    + +
  • When inet_interfaces specifies one IPv4 address, and that +is not a loopback address, the Postfix SMTP client uses that as the +source address for outbound IPv4 connections.

    + +
  • Otherwise, the Postfix SMTP client does not constrain the +source IPv4 address, and connects using a system-chosen source IPv4 +address. This includes the cases where inet_interfaces is empty, +where it specifies all, or where it contains no IPv4 address, +one IPv4 address that is a loopback address, or multiple IPv4 +addresses.

    + +
+ +

A Postfix SMTP client may fail to reach some remote SMTP servers +when the client source IP address is constrained explicitly with +smtp_bind_address or smtp_bind_address6, or implicitly with +inet_interfaces. This can happen when Postfix runs on a multi-homed +system such as a firewall, the Postfix SMTP source client IP address +is constrained to one specific network interface, and the remote +SMTP server must be reached through a different interface. Setting +smtp_bind_address to 0.0.0.0 avoids the potential problem for IPv4, +and setting smtp_bind_address6 to :: solves the problem for IPv6. +

-A better solution for multi-homed firewalls is to leave inet_interfaces +A better solution for multi-homed systems is to leave inet_interfaces at the default value and instead use explicit IP addresses in the master.cf SMTP server definitions. This preserves the Postfix SMTP client's @@ -4215,7 +4278,7 @@ Examples:

inet_protocols -(default: see 'postconf -d output')
+(default: see 'postconf -d' output)

The Internet protocols Postfix will attempt to use when making or accepting connections. Specify one or more of "ipv4" @@ -4893,6 +4956,9 @@ configuration parameter. See there for details.

The LMTP-specific version of the smtp_enforce_tls configuration parameter. See there for details.

+

This feature is deprecated as of Postfix 3.9. Specify +lmtp_tls_security_level instead.

+

This feature is available in Postfix 2.3 and later.

@@ -5293,6 +5359,15 @@ to the remote host.

+
+ +
lmtp_sasl_password_result_delimiter +(default: :)
+ +

The LMTP-specific version of the smtp_sasl_password_result_delimiter +configuration parameter. See there for details.

+ +
lmtp_sasl_path @@ -5592,6 +5667,17 @@ parameter. See there for details.

compiled and linked with OpenSSL 1.0.0 or later.

+ + +
lmtp_tls_enable_rpk +(default: yes)
+ +

The LMTP-specific version of the smtp_tls_enable_rpk +configuration parameter. See there for details.

+ +

This feature is available in Postfix 3.9 and later.

+ +
lmtp_tls_enforce_peername @@ -5694,7 +5780,7 @@ configuration parameter. See there for details.

lmtp_tls_mandatory_protocols -(default: see postconf -d output)
+(default: see 'postconf -d' output)

The LMTP-specific version of the smtp_tls_mandatory_protocols configuration parameter. See there for details.

@@ -5721,6 +5807,9 @@ configuration parameter. See there for details.

The LMTP-specific version of the smtp_tls_per_site configuration parameter. See there for details.

+

This feature is deprecated as of Postfix 3.9. Specify +lmtp_tls_policy_maps instead.

+

This feature is available in Postfix 2.3 and later.

@@ -5738,7 +5827,7 @@ configuration parameter. See there for details.

lmtp_tls_protocols -(default: see postconf -d output)
+(default: see 'postconf -d' output)

The LMTP-specific version of the smtp_tls_protocols configuration parameter. See there for details.

@@ -5853,6 +5942,9 @@ parameter. See there for details.

The LMTP-specific version of the smtp_use_tls configuration parameter. See there for details.

+

This feature is deprecated as of Postfix 3.9. Specify +lmtp_tls_security_level instead.

+

This feature is available in Postfix 2.3 and later.

@@ -6149,8 +6241,8 @@ until a match is found.

If this parameter is non-empty (the default), then the Postfix SMTP -server will reject mail for unknown local users. -

+server will reject mail for unknown local users. Other Postfix +interfaces may still accept an "unknown" recipient.

To turn off local recipient checking in the Postfix SMTP server, @@ -6449,6 +6541,11 @@ and later.

The domain part of the recipient address.
+
ENVID
+ +
The optional RFC 3461 envelope ID. Available in Postfix version +3.9 and later
+
EXTENSION
The optional address extension.
@@ -6681,6 +6778,21 @@ first argument.

This feature is available in Postfix 3.4 and later.

+ + +
maillog_file_permissions +(default: 0600)
+ +

The file access permissions that will be set when the file +$maillog_file is created for the first time, or when the file is +created after an existing file is rotated. Specify one of: 0600 +(only super-user read/write access), 0640 (adds 'group' read +access), or 0644 (also adds 'other' read access). The leading +'0' is optional.

+ +

This feature is available in Postfix 3.9 and later.

+ +
maillog_file_prefixes @@ -8326,9 +8438,9 @@ it passes the test, before it can talk to a real Postfix SMTP server.
postscreen_bare_newline_ttl (default: 30d)
-

The amount of time that postscreen(8) will use the result from -a successful "bare newline" SMTP protocol test. During this -time, the client IP address is excluded from this test. The default +

The amount of time that postscreen(8) remembers that a client +IP address passed a "bare newline" SMTP protocol test, before it +address is required to pass that test again. The default is long because a remote SMTP client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.

@@ -8584,9 +8696,10 @@ defined with the postscreen_dns

Specify a negative value to enable this feature. When a client passes the postscreen_dnsbl_allowlist_threshold without having failed other tests, all pending or disabled tests are flagged as -completed with a time-to-live value equal to postscreen_dnsbl_ttl. -When a test was already completed, its time-to-live value is updated -if it was less than postscreen_dnsbl_ttl.

+completed with an expiration time based on the DNS reply TTL. +When a test was already completed, its expiration time is updated +if it was less than the value based on the DNS reply TTL. See +also postscreen_dnsbl_max_ttl and postscreen_dnsbl_min_ttl.

This feature is available in Postfix 3.6 and later.

@@ -8599,9 +8712,9 @@ if it was less than postscreen_dn
postscreen_dnsbl_max_ttl (default: ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)
-

The maximum amount of time that postscreen(8) will use the -result from a successful DNS-based reputation test before a -client IP address is required to pass that test again. If the DNS +

The maximum amount of time that postscreen(8) remembers that a +client IP address passed a DNS-based reputation test, before it is +required to pass that test again. If the DNS reply specifies a shorter TTL value, that value will be used unless it would be smaller than postscreen_dnsbl_min_ttl.

@@ -8619,9 +8732,9 @@ is backwards-compatible with older Postfix versions.

postscreen_dnsbl_min_ttl (default: 60s)
-

The minimum amount of time that postscreen(8) will use the -result from a successful DNS-based reputation test before a -client IP address is required to pass that test again. If the DNS +

The minimum amount of time that postscreen(8) remembers that a +client IP address passed a DNS-based reputation test, before it +is required to pass that test again. If the DNS reply specifies a larger TTL value, that value will be used unless it would be larger than postscreen_dnsbl_max_ttl.

@@ -8762,9 +8875,9 @@ The default time unit is s (seconds).

postscreen_dnsbl_ttl (default: 1h)
-

The amount of time that postscreen(8) will use the result from -a successful DNS-based reputation test before a client -IP address is required to pass that test again.

+

The amount of time that postscreen(8) remembers that a client +IP address passed a DNS-based reputation test, before it is required +to pass that test again.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s @@ -8880,9 +8993,9 @@ value to disable this feature.

postscreen_greet_ttl (default: 1d)
-

The amount of time that postscreen(8) will use the result from -a successful PREGREET test. During this time, the client IP address -is excluded from this test. The default is relatively short, because +

The amount of time that postscreen(8) remembers that a client +IP address passed a PREGREET test, before it is required to pass +that test again. The default is relatively short, because a good client can immediately talk to a real Postfix SMTP server.

Specify a non-zero time value (an integral value plus an optional @@ -8976,9 +9089,9 @@ test, before it can talk to a real Postfix SMTP server.

postscreen_non_smtp_command_ttl (default: 30d)
-

The amount of time that postscreen(8) will use the result from -a successful "non_smtp_command" SMTP protocol test. During this -time, the client IP address is excluded from this test. The default +

The amount of time that postscreen(8) remembers that a client +IP address passed a "non_smtp_command" SMTP protocol test, before +it is required to pass that test again. The default is long because a client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.

@@ -9044,9 +9157,9 @@ server.

postscreen_pipelining_ttl (default: 30d)
-

The amount of time that postscreen(8) will use the result from -a successful "pipelining" SMTP protocol test. During this time, the -client IP address is excluded from this test. The default is +

The amount of time that postscreen(8) remembers that a client +IP address passed a "pipelining" SMTP protocol test, before it is +required to pass that test again. The default is long because a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.

@@ -10136,13 +10249,24 @@ This feature is available in Postfix 2.0 and later.

The default mail delivery transport and next-hop destination for -remote delivery to domains listed with $relay_domains. In order of -decreasing precedence, the nexthop destination is taken from -$relay_transport, $sender_dependent_relayhost_maps, $relayhost, or -from the recipient domain. This information can be overruled with -the transport(5) table. +the relay domain address class: recipient domains that match +$relay_domains.

+ +

For recipient domains in the relay domain address class:

+ + +

Specify a string of the form transport:nexthop, where transport is the name of a mail delivery transport defined in master.cf. @@ -10166,13 +10290,31 @@ This feature is available in Postfix 2.0 and later. (default: empty)

-The next-hop destination(s) for non-local mail; overrides non-local -domains in recipient addresses. This information is overruled with -relay_transport, sender_dependent_default_transport_maps, -default_transport, sender_dependent_relayhost_maps -and with the transport(5) table. +The next-hop destination(s) for non-local mail; takes precedence +over non-local domains in recipient addresses. This information +will not be used when the sender matches $sender_dependent_relayhost_maps.

+

In order of decreasing precedence:

+ + +

On an intranet, specify the organizational domain name. If your internal DNS uses no MX records, specify the name of the intranet @@ -10180,11 +10322,12 @@ gateway host instead.

-In the case of SMTP or LMTP delivery, specify one or more destinations -in the form of a domain name, hostname, hostname:port, [hostname]:port, -[hostaddress] or [hostaddress]:port, separated by comma or whitespace. -The form [hostname] turns off MX lookups. Multiple destinations are -supported in Postfix 3.5 and later. +In the case of SMTP delivery, specify one or more destinations in +the form of a domain name, hostname, hostname:service, [hostname]:service, +[hostaddress] or [hostaddress]:service, separated by comma or whitespace. +The form [hostname] turns off MX or SRV lookups. Multiple destinations +are supported in Postfix 3.5 and later. Each destination is tried +in the specified order.

@@ -10589,18 +10732,38 @@ address and @domain. A lookup result of DUNNO terminates the search without overriding the global default_transport parameter setting. This information is overruled with the transport(5) table.

-

-Specify zero or more "type:name" lookup tables, separated by -whitespace or comma. Tables will be searched in the specified order -until a match is found. +

This setting affects only the default domain address class +(recipient domains that do not match $mydestination, $inet_interfaces, +$proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, +or $relay_domains):

+ + +

Note: this overrides default_transport, not transport_maps, and therefore the expected syntax is that of default_transport, not the syntax of transport_maps. Specifically, this does not support the transport_maps syntax for null transport, null nexthop, or null email addresses.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

+

For safety reasons, this feature does not allow $number substitutions in regular expression maps.

@@ -10616,9 +10779,27 @@ substitutions in regular expression maps.

setting. The tables are searched by the envelope sender address and @domain. A lookup result of DUNNO terminates the search without overriding the global relayhost parameter setting (Postfix 2.6 and -later). This information is overruled with relay_transport, -sender_dependent_default_transport_maps, default_transport and with -the transport(5) table.

+later).

+ +

In order of decreasing precedence:

+ +

Specify zero or more "type:name" lookup tables, separated by @@ -10820,13 +11001,38 @@ IPv6 connectivity:

  • The setting "smtp_address_preference = ipv6" is unsafe. -It can fail to deliver mail when there is an outage that affects -IPv6, while the destination is still reachable over IPv4.

    +All deliveries will suffer delays during an IPv6 outage, even +while the destination is still reachable over IPv4. Mail may be +stuck in the queue with Postfix versions < 3.3 that do not +implement "smtp_balance_inet_protocols". For similar reasons, the +setting "smtp_address_preference = ipv4" is also unsafe.

  • The setting "smtp_address_preference = any" is safe. With -this, mail will eventually be delivered even if there is an outage +this, and "smtp_balance_inet_protocols = yes" (the default), only +half of deliveries will suffer delays if there is an outage that affects IPv6 or IPv4, as long as it does not affect both.

    +
  • The setting "smtp_address_preference = ipv4" is not a +solution for remote servers that flag email received over IPv6 as +more 'spammy' (the client IPv6 address has a bad or missing PTR or +AAAA record, bad network neighbors, etc.). Instead, configure Postfix +to receive mail over both IPv4 and IPv6, and to deliver mail over +only IPv4.

    + +
    +
    +/etc/postfix/main.cf:
    +    inet_protocols = all
    +
    +
    + +
    +
    +/etc/postfix/master.cf
    +    smtp ...other fields... smtp -o inet_protocols=ipv4
    +
    +
    +

This feature is available in Postfix 2.8 and later.

@@ -12295,6 +12501,9 @@ If no username:password entry is found, then the Postfix SMTP client will not attempt to authenticate to the remote host.

+

Use smtp_sasl_password_result_delimiter to specify an +alternative separator between username and password.

+

The Postfix SMTP client opens the lookup table before going to chroot jail, so you can leave the password file in /etc/postfix. @@ -12307,6 +12516,18 @@ until a match is found.

+
+ +
smtp_sasl_password_result_delimiter +(default: :)
+ +

The delimiter between username and password in sasl_passwd_maps lookup +results. Specify one non-whitespace character that does not appear in +the username.

+ +

This feature is available in Postfix ≥ 3.9.

+ +
smtp_sasl_path @@ -13033,6 +13254,86 @@ to anyone else.

compiled and linked with OpenSSL 1.0.0 or later.

+ + +
smtp_tls_enable_rpk +(default: no)
+ +

Request that remote SMTP servers send an RFC7250 raw public key +instead of an X.509 certificate. This feature and the enable_rpk +policy attribute are ignored when there is no raw public key support +in the local TLS implementation.

+ +
    + +
  • At the "may", "encrypt" and "fingerprint" security levels, +with parameter setting "smtp_tls_enable_rpk = yes" or with "enable_rpk += yes" in a policy entry, the Postfix SMTP client will indicate in +the TLS handshake that it prefers to receive a raw server public +key, but it will still accept a server public key certificate.

    + +
  • At the "fingerprint" security level, with parameter setting +"smtp_tls_enable_rpk = yes" or with "enable_rpk = yes" in a policy +entry, server authentication based on certificate fingerprints +becomes more fragile. Even if the server private key and certificate +remain unchanged, the remote SMTP server will fail fingerprint +authentication (won't match the configured list of fingerprints) +when it starts sending a raw public key instead of a certificate, +after its TLS implementation is updated with raw public key support. +Therefore, DO NOT enable raw public keys to remote destinations +authenticated by server certificate fingerprints. You should +enable raw public keys only for servers matched via their public +key fingerprint.

    + +
  • At the "verify" and "secure" security levels, the Postfix +SMTP client always ignores the parameter setting smtp_tls_enable_rpk +or the enable_rpk policy attribute.

    + +
  • At the opportunistic "dane" security level, the Postfix +SMTP client ignores the parameter setting smtp_tls_enable_rpk or +the enable_rpk policy attribute (but it will respect them when it +falls back to the "may" or "encrypt" level). When all valid TLSA +records specify only server public keys (no certificates) and the +local TLS implementation supports raw public keys, the client will +indicate in the TLS handshake that it prefers to receive a raw +public key, but it will still accept a public key certificate.

    + +
  • At the mandatory "dane-only" security level, the Postfix +SMTP client always ignores the parameter setting smtp_tls_enable_rpk +or the enable_rpk policy attribute. When all valid TLSA records +specify only server public keys (no certificates) and the local TLS +implementation supports raw public keys, the client will indicate +in the TLS handshake that it prefers to receive a raw public key, +but it will still accept a public key certificate.

    + +
+ +

The Postfix SMTP client is always willing to send raw public keys +to servers that solicit them when a client certificate is configured +and the local TLS implementation supports raw public keys.

+ +

Sample commands to compute certificate and public key SHA256 digests:

+ +
+# SHA256 digest of the first certificate in "cert.pem"
+$ openssl x509 -in cert.pem -outform DER | openssl dgst -sha256 -c
+
+ +
+# SHA256 digest of the SPKI of the first certificate in "cert.pem"
+$ openssl x509 -in cert.pem -pubkey -noout |
+    openssl pkey -pubin -outform DER | openssl dgst -sha256 -c
+
+ +
+# SHA256 digest of the SPKI of the first private key in "pkey.pem"
+$ openssl pkey -in pkey.pem -pubout -outform DER |
+    openssl dgst -sha256 -c
+
+ +

This feature is available in Postfix 3.9 and later.

+ +
smtp_tls_enforce_peername @@ -13296,7 +13597,9 @@ verification errors if server certificate verification is not required. With Postfix 2.8 and earlier, log the summary message and unconditionally log trust-chain verification errors. -
2 Also log levels during TLS negotiation.
+
2 Also enable verbose logging in the Postfix TLS +library, log session cache operations, and enable OpenSSL logging +of the progress of the SSL handshake.
3 Also log the hexadecimal and ASCII dump of the TLS negotiation process.
@@ -13546,11 +13849,13 @@ lookup key, and overrides the global smtp and smtp_tls_enforce_peername settings.
MAY
Try to use TLS if the server announces support, -otherwise use an unencrypted connection. This has less precedence +otherwise use an unencrypted connection; after a failed TLS handshake +or TLS session, fall back to plaintext if the message has spent +minimal_backoff_time in the mail queue. This level has less precedence than a more specific result (including NONE) from the alternate host or next-hop lookup key, and has less precedence than the more specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername -= yes".
+= yes".
MUST_NOPEERMATCH
Require TLS encryption, but do not require that the remote SMTP server hostname matches the information @@ -13643,28 +13948,35 @@ security are:

Opportunistic TLS. Since sending in the clear is acceptable, demanding stronger than default TLS security merely reduces interoperability. The optional "ciphers", "exclude", and "protocols" -attributes (available for opportunistic TLS with Postfix ≥ 2.6) -and "connection_reuse" attribute (Postfix ≥ 3.4) override the +attributes (available for opportunistic TLS with Postfix ≥ 2.6) and +"connection_reuse" attribute (Postfix ≥ 3.4) override the "smtp_tls_ciphers", "smtp_tls_exclude_ciphers", "smtp_tls_protocols", -and -"smtp_tls_connection_reuse" configuration parameters. In the policy table, -multiple ciphers, protocols or excluded ciphers must be separated by colons, -as attribute values may not contain whitespace or commas. When opportunistic -TLS handshakes fail, Postfix retries the connection with TLS disabled. -This allows mail delivery to sites with non-interoperable TLS -implementations.
+and "smtp_tls_connection_reuse" configuration parameters. In the policy +table, multiple ciphers, protocols or excluded ciphers must be separated +by colons, as attribute values may not contain whitespace or commas. At +this level and higher, the optional "servername" attribute (available +with Postfix ≥ 3.4) overrides the global "smtp_tls_servername" +parameter, enabling per-destination configuration of the SNI extension +sent to the remote SMTP server. The optional "enable_rpk" attribute +(Postfix ≥ 3.9) overrides the main.cf smtp_tls_enable_rpk parameter. +When opportunistic TLS handshakes fail, Postfix retries the connection +with TLS disabled. This allows mail delivery to sites with +non-interoperable TLS implementations.
encrypt
-
Mandatory TLS encryption. At this level -and higher, the optional "protocols" attribute overrides the main.cf +
Mandatory TLS encryption. Mail is delivered only if the remote SMTP +server offers STARTTLS and the TLS handshake succeeds. At this level and +higher, the optional "protocols" attribute overrides the main.cf smtp_tls_mandatory_protocols parameter, the optional "ciphers" attribute -overrides the main.cf smtp_tls_mandatory_ciphers parameter, the -optional "exclude" attribute (Postfix ≥ 2.6) overrides the main.cf +overrides the main.cf smtp_tls_mandatory_ciphers parameter, the optional +"exclude" attribute (Postfix ≥ 2.6) overrides the main.cf smtp_tls_mandatory_exclude_ciphers parameter, and the optional -"connection_reuse" attribute (Postfix ≥ 3.4) overrides the -main.cf smtp_tls_connection_reuse parameter. In the policy table, -multiple ciphers, protocols or excluded ciphers must be separated by colons, -as attribute values may not contain whitespace or commas.
+"connection_reuse" attribute (Postfix ≥ 3.4) overrides the main.cf +smtp_tls_connection_reuse parameter. In the policy table, multiple +ciphers, protocols or excluded ciphers must be separated by colons, as +attribute values may not contain whitespace or commas. The optional +"enable_rpk" attribute (Postfix ≥ 3.9) overrides the main.cf +smtp_tls_enable_rpk parameter.
dane
Opportunistic DANE TLS. The TLS policy for the destination is @@ -13709,10 +14021,10 @@ configuration parameters. The optional "connection_reuse" attribute verification. Available with Postfix 2.5 and later. At this security level, there are no trusted Certification Authorities. The certificate trust chain, expiration date, ... are not checked. Instead, -the optional "match" attribute, or else the main.cf +the optional policy table "match" attribute, or else the main.cf smtp_tls_fingerprint_cert_match parameter, lists the certificate -fingerprints or the public key fingerprint (Postfix 2.9 and later) -of the valid server certificate. The digest +fingerprints or the public key fingerprints (Postfix 2.9 and later) +of acceptable server certificates. The digest algorithm used to calculate the fingerprint is selected by the smtp_tls_fingerprint_digest parameter. Multiple fingerprints can be combined with a "|" delimiter in a single match attribute, or multiple @@ -13723,45 +14035,58 @@ digits. The optional "ciphers", "exclude", and "protocols" attributes "smtp_tls_mandatory_exclude_ciphers", and "smtp_tls_mandatory_protocols" configuration parameters. The optional "connection_reuse" attribute (Postfix ≥ 3.4) overrides the main.cf smtp_tls_connection_reuse -parameter.
+parameter. The optional "enable_rpk" attribute (Postfix ≥ 3.9) +overrides the main.cf smtp_tls_enable_rpk parameter.
verify
-
Mandatory TLS verification. At this security -level, DNS MX lookups are trusted to be secure enough, and the name -verified in the server certificate is usually obtained indirectly via -unauthenticated DNS MX lookups. The optional "match" attribute overrides -the main.cf smtp_tls_verify_cert_match parameter. In the policy table, -multiple match patterns and strategies must be separated by colons. -In practice explicit control over matching is more common with the -"secure" policy, described below. The optional "ciphers", "exclude", -and "protocols" attributes (Postfix ≥ 2.6) override the -"smtp_tls_mandatory_ciphers", "smtp_tls_mandatory_exclude_ciphers", and -"smtp_tls_mandatory_protocols" configuration parameters. The optional -"connection_reuse" attribute (Postfix ≥ 3.4) overrides the main.cf -smtp_tls_connection_reuse parameter.
+
Mandatory TLS verification. Mail is delivered only if the TLS +handshake succeeds, the remote SMTP server certificate chain can be +validated, and a DNS name in the certificate matches the specified match +criteria. At this security level, DNS MX lookups are presumed to be +secure enough, and the name verified in the server certificate is +potentially obtained via unauthenticated DNS MX lookups. The optional +"match" attribute overrides the main.cf smtp_tls_verify_cert_match +parameter. In the policy table, multiple match patterns and strategies +must be separated by colons. In practice explicit control over matching +is more common with the "secure" policy, described below. The optional +"ciphers", "exclude", and "protocols" attributes (Postfix ≥ 2.6) +override the "smtp_tls_mandatory_ciphers", +"smtp_tls_mandatory_exclude_ciphers", and "smtp_tls_mandatory_protocols" +configuration parameters. With Postfix ≥ 2.11 the optional "tafile" +policy table attribute modifies trust chain verification in the same +manner as the "smtp_tls_trust_anchor_file" parameter. The "tafile" +attribute may be specified multiple times to load multiple trust-anchor +files. The optional "connection_reuse" attribute (Postfix ≥ 3.4) +overrides the main.cf smtp_tls_connection_reuse parameter.
secure
-
Secure-channel TLS. At this security level, DNS -MX lookups, though potentially used to determine the candidate next-hop -gateway IP addresses, are not trusted to be secure enough for TLS -peername verification. Instead, the default name verified in the server -certificate is obtained directly from the next-hop, or is explicitly -specified via the optional "match" attribute which overrides the -main.cf smtp_tls_secure_cert_match parameter. In the policy table, -multiple match patterns and strategies must be separated by colons. -The match attribute is most useful when multiple domains are supported by -a common server: the policy entries for additional domains specify matching -rules for the primary domain certificate. While transport table overrides -that route the secondary domains to the primary nexthop also allow secure -verification, they risk delivery to the wrong destination when domains -change hands or are re-assigned to new gateways. With the "match" -attribute approach, routing is not perturbed, and mail is deferred if -verification of a new MX host fails. The optional "ciphers", "exclude", -and "protocols" attributes (Postfix ≥ 2.6) override the -"smtp_tls_mandatory_ciphers", "smtp_tls_mandatory_exclude_ciphers", and -"smtp_tls_mandatory_protocols" configuration parameters. The optional -"connection_reuse" attribute (Postfix ≥ 3.4) overrides the main.cf -smtp_tls_connection_reuse parameter.
+
Secure certificate verification. Mail is delivered only if the TLS +handshake succeeds, the remote SMTP server certificate chain can be +validated, and a DNS name in the certificate matches the specified match +criteria. At this security level, DNS MX lookups, though potentially +used to determine the candidate next-hop gateway IP addresses, are +not presumed to be secure enough for TLS peername verification. +Instead, the default name verified in the server certificate is obtained +directly from the next-hop, or is explicitly specified via the optional +"match" attribute which overrides the main.cf smtp_tls_secure_cert_match +parameter. In the policy table, multiple match patterns and strategies +must be separated by colons. The match attribute is most useful when +multiple domains are supported by a common server: the policy entries +for additional domains specify matching rules for the primary domain +certificate. While transport table overrides that route the secondary +domains to the primary nexthop also allow secure verification, they risk +delivery to the wrong destination when domains change hands or are +re-assigned to new gateways. With the "match" attribute approach, +routing is not perturbed, and mail is deferred if verification of a new +MX host fails. The optional "ciphers", "exclude", and "protocols" +attributes (Postfix ≥ 2.6) override the "smtp_tls_mandatory_ciphers", +"smtp_tls_mandatory_exclude_ciphers", and "smtp_tls_mandatory_protocols" +configuration parameters. With Postfix ≥ 2.11 the "tafile" attribute +optionally modifies trust chain verification in the same manner as the +"smtp_tls_trust_anchor_file" parameter. The "tafile" attribute may be +specified multiple times to load multiple trust-anchor files. The +optional "connection_reuse" attribute (Postfix ≥ 3.4) overrides the +main.cf smtp_tls_connection_reuse parameter.
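Review bot: the two new "tafile" sentences in this hunk (one in the verify description, one in the secure description) say the attribute modifies trust chain verification "in the same manner as the smtp_tls_trust_anchor_file parameter" but not whether a policy-table tafile replaces or is added to the trust anchors configured in main.cf, which is what an operator needs to know before pinning a destination to a private CA; state that explicitly, and use one wording in both paragraphs instead of "the optional "tafile" policy table attribute modifies" in one and "the "tafile" attribute optionally modifies" in the other.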
@@ -13807,7 +14132,7 @@ configurations in environments where DNS security is not assured.

smtp_tls_protocols -(default: see postconf -d output)
+(default: see 'postconf -d' output)

TLS protocols that the Postfix SMTP client will use with opportunistic TLS encryption. In main.cf the values are separated by @@ -13975,7 +14300,9 @@ destinations via smtp_tls_policy_

may
Opportunistic TLS. Use TLS if this is supported by the remote -SMTP server, otherwise use plaintext. Since +SMTP server, otherwise use plaintext; after a failed TLS handshake +or TLS session, fall back to plaintext if the message has spent +minimal_backoff_time in the mail queue. Since sending in the clear is acceptable, demanding stronger than default TLS security merely reduces interoperability. The "smtp_tls_ciphers" and "smtp_tls_protocols" (Postfix ≥ 2.6) @@ -14896,9 +15223,8 @@ pubkey_fingerprint } }
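Review bot: the added plaintext fallback rule in the "may" description ("after a failed TLS handshake or TLS session, fall back to plaintext if the message has spent minimal_backoff_time in the mail queue") carries no version marker, while the neighbouring ciphers/protocols sentence is tagged "Postfix ≥ 2.6"; say which release introduced the backoff-gated fallback, so readers of older installations know whether a failed handshake retries TLS first or downgrades to plaintext immediately.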
check_client_access type:table
-
Search the specified access database for the client hostname, -parent domains, client IP address, or networks obtained by stripping -least significant octets. See the access(5) manual page for details.
+
Search the specified access database for the client hostname +or IP address. See the access(5) manual page for details.
check_client_a_access type:table
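Review bot: the rewritten check_client_access text drops the only mention that the lookup also tries parent domains and networks obtained by stripping least significant octets; if that behaviour is unchanged and the detail now lives only in access(5), keep a short pointer such as "client hostname or IP address (including parent domains and network prefixes as described in access(5))" so readers do not conclude the match is exact-only. The same simplification is applied later in this patch to check_reverse_client_hostname_access, check_etrn_access, check_helo_access, check_recipient_access and check_sender_access.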
@@ -14929,8 +15255,7 @@ available in Postfix 2.7 and later.
check_reverse_client_hostname_access type:table
Search the specified access database for the unverified reverse -client hostname, parent domains, client IP address, or networks -obtained by stripping least significant octets. See the access(5) +client hostname or IP address. See the access(5) manual page for details. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from denylists. This feature is available in Postfix 2.6 @@ -15527,6 +15852,9 @@ server. This option is therefore off by default.

STARTTLS due to insufficient privileges to access the server private key. This is intended behavior.

+

This feature is deprecated as of Postfix 3.9. Specify +smtpd_tls_security_level instead.

+

This feature is available in Postfix 2.2 and later. With Postfix 2.3 and later use smtpd_tls_security_level instead.
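Review bot: the new "This feature is deprecated as of Postfix 3.9. Specify smtpd_tls_security_level instead." paragraph duplicates the retained "With Postfix 2.3 and later use smtpd_tls_security_level instead." sentence just below it; drop the older sentence or fold both into the availability line ("available in Postfix 2.2 and later; deprecated as of Postfix 3.9, use smtpd_tls_security_level instead"). The same duplication appears in the later smtpd_use_tls and tlsproxy_* deprecation hunks of this patch.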

@@ -15588,8 +15916,8 @@ received with the ETRN command.
check_etrn_access type:table
-
Search the specified access database for the ETRN domain name -or its parent domains. See the access(5) manual page for details. +
Search the specified access database for the ETRN domain name. +See the access(5) manual page for details.
@@ -15641,7 +15969,7 @@ This feature is available in Postfix 2.0 and later.
smtpd_forbid_bare_newline -(default: Postfix < 3.9: no)
+(default: Postfix ≥ 3.9: normalize)

Reject or restrict input lines from an SMTP client that end in <LF> instead of the standard <CR><LF>. Such line @@ -15654,7 +15982,8 @@ SMTP smuggling.
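Review bot: the replaced default line now gives only "(default: Postfix ≥ 3.9: normalize)", but the body of this parameter (later in this patch) still labels "no" as "default for Postfix < 3.9"; the header should carry both values so header and body agree, e.g. "(default: Postfix ≥ 3.9: normalize, Postfix < 3.9: no)".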

-
normalize
Require the standard +
normalize (default for Postfix ≥ 3.9)
+
Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>. Otherwise, allow command or message content lines ending in the non-standard <LF>, and process them as if the client sent the @@ -15666,6 +15995,13 @@ with the standard End-of-DATA sequence <CR><LF>.<CR><LF>.

Such clients can be excluded with smtpd_forbid_bare_newline_exclusions.
+
note
Same as "normalize", but also notes in +the log whether the Postfix SMTP server received any lines with +"bare <LF>". The information is formatted as "disconnect +from name[address] ... notes=bare_lf". The notes value is +expected to become a list of comma-separated names.

This +feature is available in Postfix 3.9 and later.
+
yes
Compatibility alias for normalize.
reject
Require the standard End-of-DATA @@ -15684,8 +16020,8 @@ of BDAT violations, BDAT can be selectively disabled with smtpd_discard_ehlo_keyword_address_maps, or globally disabled with smtpd_discard_ehlo_keywords).
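Review bot: the new "note" value's closing sentence, "The notes value is expected to become a list of comma-separated names", describes intended future behaviour in a reference page; either document only the current format ("notes=bare_lf") or mark the list form explicitly as reserved for later releases, otherwise log parsers written against this text will target a format that does not exist yet. The literal log text "disconnect from name[address] ... notes=bare_lf" is the part monitoring needs and should stay as written.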
-
no (default)
Do not require the standard -End-of-DATA +
no (default for Postfix < 3.9)
+
Do not require the standard End-of-DATA sequence <CR><LF>.<CR><LF>. Always process a bare <LF> as if the client sent <CR><LF>. This option is fully backwards compatible, but is not recommended for @@ -15793,9 +16129,9 @@ Specify a 5XX status code (521 to disconnect).

Disconnect remote SMTP clients that violate RFC 2920 (or 5321) command pipelining constraints. The server replies with "554 5.5.0 Error: SMTP protocol synchronization" and logs the unexpected remote -SMTP client input. Specify "smtpd_forbid_unauth_pipelining = yes" -to enable. This feature is enabled by default with Postfix ≥ -3.9.

+SMTP client input. This feature is enabled by default with Postfix +≥ 3.9. Specify "smtpd_forbid_unauth_pipelining = no" to disable. +

This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, 3.6.10, and 3.5.20.
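Review bot: the rewritten paragraph removes "Specify "smtpd_forbid_unauth_pipelining = yes" to enable" and keeps only the ≥ 3.9 "= no" disable form, yet the availability line still lists 3.8.1, 3.7.6, 3.6.10 and 3.5.20, where the feature exists but (per the removed sentence) is not on by default; keep the enable instruction for those releases, e.g. "On Postfix < 3.9 specify "smtpd_forbid_unauth_pipelining = yes" to enable."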

@@ -15899,7 +16235,7 @@ received with the HELO or EHLO command.
check_helo_access type:table
Search the specified access(5) database for the HELO or EHLO -hostname or parent domains, and execute the corresponding action. +hostname, and execute the corresponding action. Note: specify "smtpd_helo_required = yes" to fully enforce this restriction (without "smtpd_helo_required = yes", a client can simply skip check_helo_access by not sending HELO or EHLO).
@@ -16563,8 +16899,7 @@ that is received with the RCPT TO command.
check_recipient_access type:table
Search the specified access(5) database for the resolved RCPT -TO address, domain, parent domains, or localpart@, and execute the -corresponding action.
+TO address, and execute the corresponding action.
check_recipient_a_access type:table
@@ -16993,7 +17328,7 @@ The same restrictions are available as documented under smtpd_recipient_restrictions.

-

This feature is available in Postix 2.10 and later.

+

This feature is available in Postfix 2.10 and later.

@@ -17411,8 +17746,7 @@ received with the MAIL FROM command.
check_sender_access type:table
Search the specified access(5) database for the MAIL FROM -address, domain, parent domains, or localpart@, and execute the -corresponding action.
+address, and execute the corresponding action.
check_sender_a_access type:table
@@ -18314,6 +18648,53 @@ compiled and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms have not been disabled by the vendor.

+ + +
smtpd_tls_enable_rpk +(default: no)
+ +

Request that remote SMTP clients send an RFC7250 raw public key +instead of an X.509 certificate, when asking for or requiring client +authentication. This feature is ignored when there is no raw public +key support in the local TLS implementation.

+ +

The Postfix SMTP server will log a warning when "smtpd_tls_enable_rpk += yes", but the remote SMTP client sends a certificate, the +certificate's public key fingerprint does not match a check_ccert_access +table, while the certificate fingerprint does match a check_ccert_access +table. The remote SMTP client would lose access when it starts +sending a raw public key instead of a certificate, after its TLS +implementation is updated with raw public key support.

+ +

The Postfix SMTP server always sends a raw public key instead +of a certificate, if solicited by the remote SMTP client and the +local TLS implementation supports raw public keys. If the client +sends a server name indication with an SNI TLS extension, and +tls_server_sni_maps is configured, the server will extract a raw +public key from the indicated certificate.

+ +

Sample commands to compute certificate and public key SHA256 digests:

+ +
+# SHA256 digest of the first certificate in "cert.pem"
+$ openssl x509 -in cert.pem -outform DER | openssl dgst -sha256 -c
+
+ +
+# SHA256 digest of the SPKI of the first certificate in "cert.pem"
+$ openssl x509 -in cert.pem -pubkey -noout |
+    openssl pkey -pubin -outform DER | openssl dgst -sha256 -c
+
+ +
+# SHA256 digest of the SPKI of the first private key in "pkey.pem"
+$ openssl pkey -in pkey.pem -pubout -outform DER |
+    openssl dgst -sha256 -c
+
+ +

This feature is available in Postfix 3.9 and later.

+ +
smtpd_tls_exclude_ciphers @@ -18472,7 +18853,9 @@ if client certificate verification is not required. With Postfix 2.8 and earlier, log the summary message, peer certificate summary information and unconditionally log trust-chain verification errors. -
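Review bot: in the new smtpd_tls_enable_rpk section, the warning paragraph ("will log a warning when ... = yes, but the remote SMTP client sends a certificate, the certificate's public key fingerprint does not match a check_ccert_access table, while the certificate fingerprint does match ...") is one run-on whose conditions are hard to separate; list the three conditions, then the consequence, and spell out the migration step the paragraph implies: add the client's public key (SPKI) fingerprint, computed with the second sample command, to the check_ccert_access table before enabling RPK, so the client keeps access once it starts sending a raw public key. The third paragraph's "always sends a raw public key ... if solicited" should also say whether that server-side behaviour is independent of this parameter's value.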
2 Also log levels during TLS negotiation.
+
2 Also enable verbose logging in the Postfix TLS +library, log session cache operations, and enable OpenSSL logging +of the progress of the SSL handshake.
3 Also log hexadecimal and ASCII dump of TLS negotiation process.
@@ -18655,7 +19038,7 @@ releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2).

smtpd_tls_protocols -(default: see postconf -d output)
+(default: see 'postconf -d' output)

TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption. If the list is empty, the server supports all available @@ -18931,6 +19314,9 @@ but do not require that clients use TLS encryption.

STARTTLS due to insufficient privileges to access the server private key. This is intended behavior.

+

This feature is deprecated as of Postfix 3.9. Specify +smtpd_tls_security_level instead.

+

This feature is available in Postfix 2.2 and later. With Postfix 2.3 and later use smtpd_tls_security_level instead.

@@ -19438,8 +19824,7 @@ via the tls_config_file parameter. selected name is not present in the configuration file, the default application name ("openssl_conf") is used as a fallback.

-

This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, -3.6.10, and 3.5.20.

+

This feature is available in Postfix ≥ 3.9.
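Review bot: the availability line in this hunk is narrowed from "Postfix ≥ 3.9, 3.8.1, 3.7.6, 3.6.10, and 3.5.20" to "Postfix ≥ 3.9" only; if the stable releases named in the removed line did ship this parameter, the new text is a documentation regression for them, so confirm the intent (removed feature, or corrected error) before merging.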

@@ -20356,6 +20741,9 @@ to configure tlsproxy client keys and certificates is via the See smtp_enforce_tls for further details. Use tlsproxy_client_security_level instead.

+

This feature is deprecated as of Postfix 3.9. Specify +tlsproxy_client_security_level instead.

+

This feature is available in Postfix 3.4 and later.

@@ -20427,6 +20815,9 @@ value.

usage policy by next-hop destination and by remote TLS server hostname. See smtp_tls_per_site for further details.

+

This feature is deprecated as of Postfix 3.9. Specify +tlsproxy_client_policy_maps instead.

+

This feature is available in Postfix 3.4 and later.

@@ -20488,6 +20879,9 @@ was previously called tlsproxy_c support. See smtp_use_tls for further details. Use tlsproxy_client_security_level instead.

+

This feature is deprecated as of Postfix 3.9. Specify +tlsproxy_client_security_level instead.

+

This feature is available in Postfix 3.4 and later.

@@ -20500,6 +20894,9 @@ support. See smtp_use_tls for further require that clients use TLS encryption. See smtpd_enforce_tls for further details. Use tlsproxy_tls_security_level instead.

+

This feature is deprecated as of Postfix 3.9. Specify +tlsproxy_tls_security_level instead.

+

This feature is available in Postfix 2.8 and later.

@@ -20632,6 +21029,8 @@ private DSA key. DSA is obsolete and should not be used. See should use with non-export EDH ciphers. See smtpd_tls_dh1024_param_file for further details.

+

This feature is deprecated as of Postfix 3.9. Do not specify.

+

This feature is available in Postfix 2.8 and later.

@@ -20704,9 +21103,23 @@ the "tlsproxy_tls_chain_files elliptic-curve Diffie-Hellman (EECDH) key exchange. See smtpd_tls_eecdh_grade for further details.

+

This feature is deprecated as of Postfix 3.9. Do not specify.

+

This feature is available in Postfix 2.8 and later.

+ + +
tlsproxy_tls_enable_rpk +(default: $smtpd_tls_enable_rpk)
+ +

Request that remote SMTP clients send an RFC7250 raw public key +instead of an X.509 certificate, when asking or requiring client +authentication. See $smtpd_tls_enable_rpk for details.

+ +

This feature is available in Postfix 3.9 and later.

+ +
tlsproxy_tls_exclude_ciphers @@ -20856,6 +21269,9 @@ shared by all three services, namely smtpd_use_tls for further details. Use tlsproxy_tls_security_level instead.
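Review bot: the new tlsproxy_tls_enable_rpk text reads "when asking or requiring client authentication"; the smtpd_tls_enable_rpk entry it points to says "when asking for or requiring", so add the missing "for" here. The prose cross-reference "See $smtpd_tls_enable_rpk for details" should also name the parameter without the "$" (the "$" form is right for the default value line, not for the sentence), matching the other "See ... for further details" sentences in this patch.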

+

This feature is deprecated as of Postfix 3.9. Specify +tlsproxy_tls_security_level instead.

+

This feature is available in Postfix 2.8 and later.

@@ -21100,7 +21516,14 @@ built-in suffix (in this case: "_initial_destination_concurrency").

Optional lookup tables with mappings from recipient address to (message delivery transport, next-hop destination). See transport(5) -for details. +for syntax details. +

+ +

This information may override the message delivery transport +and/or next-hop destination that are specified with $local_transport, +$virtual_transport, $relay_transport, $default_transport, +$sender_dependent_relayhost_maps, $relayhost, +$sender_dependent_default_transport_maps, or the recipient domain.
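Review bot: "This information may override the message delivery transport and/or next-hop destination" leaves open whether a transport_maps match always wins or only sometimes; if a match always takes precedence over the listed $local_transport, $virtual_transport, $relay_transport, $default_transport, $sender_dependent_relayhost_maps, $relayhost and $sender_dependent_default_transport_maps settings, write "overrides" and either order the list by precedence or say it is unordered, since routing precedence is the question that brings readers to this paragraph.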

@@ -21735,7 +22158,7 @@ This feature is available in Postfix 1.1 and later.

The maximal length of an email address after virtual alias expansion. -This stops virtual aliasing loops that increase the address length +This stops virtual aliasing loops that increase the address length exponentially.

@@ -21814,8 +22237,10 @@ This feature is available in Postfix 2.1 and later. (default: $virtual_maps)

-Optional lookup tables that alias specific mail addresses or domains -to other local or remote addresses. The table format and lookups +Optional lookup tables with aliases that apply to all recipients: +local(8), virtual, and remote; this is unlike alias_maps that apply +only to local(8) recipients. +The table format and lookups are documented in virtual(5). For an overview of Postfix address manipulations see the ADDRESS_REWRITING_README document.

-- cgit v1.2.3