From 95f5f6d1c3aec1cb62525f5162e71a4157aca717 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 13 Apr 2024 10:42:27 +0200 Subject: Merging upstream version 3.9.0. Signed-off-by: Daniel Baumann --- proto/DEPRECATION_README.html | 411 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 411 insertions(+) create mode 100644 proto/DEPRECATION_README.html (limited to 'proto/DEPRECATION_README.html') diff --git a/proto/DEPRECATION_README.html b/proto/DEPRECATION_README.html new file mode 100644 index 0000000..1ded555 --- /dev/null +++ b/proto/DEPRECATION_README.html @@ -0,0 +1,411 @@ + + + + + + +Postfix Replacements for Deprecated Features + + + + + + + + +

Postfix +Replacements for Deprecated Features

+ +
+ +

Purpose of this document

+ +

This document describes Postfix features that are deprecated +(will be removed) or that have already been removed. It also has +tips for making an existing Postfix configuration more future-proof. +

+ +

Overview:

+ + + +

Why deprecate?

+ +

Sometimes, a Postfix feature needs to be replaced with a different +one. To give an example:

+ + + + + +

Having both the "old" and "new" way to configure Postfix is +convenient for existing Postfix installations, because their +configuration does not break after an upgrade to a new version. +Unfortunately, there are also disadvantages. Having multiple ways +to do similar things is not only confusing for newcomers, it also +makes Postfix harder to change.

+ +

Deprecation process

+ +

The basic process steps are:

+ +
    + +
  1. Inform humans that a feature will be removed, and suggest +replacements, in logging and documentation.

    + +
  2. Remove the feature, and update logging and documentation.

    + +
+ +

Disclaimer: it has taken 20 years for some features to be +removed. This past is not a guarantee for the future.

+ +

Deprecated features

+ +

The table summarizes removed or deprecated features and +replacements. Click on the "obsolete feature" name for a more +detailed description.

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Obsolete feature name Warning as
of version +
Removed
in version
Replacement
disable_dns_lookups + 3.9 - smtp_dns_support_level
xxx_use_tls 3.9 - +xxx_tls_security_level
xxx_enforce_tls + 3.9 - xxx_tls_security_level
xxx_per_site 3.9 - +xxx_policy_maps
+smtpd_tls_dh1024_param_file 3.9 - do not specify (leave at default) +
smtpd_tls_eecdh_grade + 3.9 - do not specify (leave at default)
permit_mx_backup 3.9 - +relay_domains
check_relay_domains + 2.2 3.9 permit_mynetworks, reject_unauth_destination
reject_maps_rbl 2.1 3.9 +reject_rbl_client
permit_naked_ip_address + 2.0 3.9 + permit_mynetworks, permit_sasl_authenticated
+ +
+ +

Obsolete DNS on/off configuration +

+ +

The postconf(1) command logs the following:

+ + + +

Replace obsolete configuration with its replacement:

+ +
+ + + + + + + + + +
Goal Obsolete configuration + Replacement configuration
To disable DNS lookups in the Postfix SMTP/LMTP client + disable_dns_lookups = yes smtp_dns_support_level += disabled
To enable DNS lookups in the Postfix SMTP/LMTP client +disable_dns_lookups = no +Leave smtp_dns_support_level at the implicit default which is empty, unless +you need a higher support level such as DNSSEC.
+ +
+ +

Obsolete opportunistic TLS configuration +

+ +

The postconf(1) command logs one of the following:

+ + + +

There are similarly-named parameters and warnings for postscreen(8) +and tlsproxy(8), but those parameters should rarely be specified +by hand.

+ +

Replace obsolete configuration with its replacement:

+ +
+ + + + + + + + + + +
Goal Obsolete configuration Replacement configuration
To turn off TLS xxx_use_tls = no xxx_security_level = none
To turn on opportunistic TLS xxx_use_tls += yes xxx_security_level = may
+ +
+ +

Obsolete mandatory TLS configuration +

+ +

The postconf(1) command logs one of the following:

+ + + +

There are similarly-named parameters and warnings for postscreen(8) +and tlsproxy(8), but those parameters should rarely be specified +by hand.

+ +

Replace obsolete configuration with its replacement:

+ +
+ + + + + + + + + +
Goal Obsolete configuration Replacement configuration
To turn off mandatory TLS xxx_enforce_tls += no xxx_security_level = may
To turn on mandatory TLS xxx_enforce_tls += yes xxx_security_level = encrypt
+ +
+ +

Obsolete TLS policy table configuration +

+ +

The postconf(1) command logs one of the following:

+ + + +

There is similarly-named parameter and warning for tlsproxy(8), +but that parameter should rarely be specified by hand.

+ +

Unfortunately, this is more than a name change: the table format +has changed too, as has the table search process. There is no simple +conversion of the obsolete form to its replacement.

+ +

check_relay_domains

+ +

Depending on the Postfix version, the Postfix SMTP daemon logs +following warning:

+ + + +

This feature was removed because it would relay based on the +client domain name, which is not robust.

+ +

Recommended configuration to prevent an "open relay" problem +with the SMTP service on port 25: +

+ +
+
+main.cf:
+    smtpd_recipient_restrictions = 
+	permit_mynetworks, 
+	permit_sasl_authenticated, 
+	reject_unauth_destination
+	...other restrictions...
+
+
+ +

Or equivalent in smtpd_relay_restrictions.

+ +

permit_mx_backup

+ +

The Postfix version 3.9 and later SMTP daemon logs the following +warning:

+ + + +

This feature will be removed because it is too difficult to +configure recipient address validation, making Postfix a source of +backscatter bounces.

+ +

To specify the domains that Postfix will provide MX backup +service for, see +Configuring Postfix as primary or backup MX host for a remote +site.

+ +

reject_maps_rbl

+ +

Depending on the Postfix version, the SMTP daemon logs one of +the following warnings:

+ + + +

This feature was replaced because "MAPS RBL" is the name of a +specific reputation service. The reject_rbl_client feature provides +a superset of the reject_maps_rbl functionality.

+ +

Recommended configuration:

+ +
+
+main.cf:
+    smtpd_recipient_restrictions =
+        permit_mynetworks,
+        permit_sasl_authenticated,
+        reject_unauth_destination
+	reject_rbl_client domain-name
+	...other restrictions...
+
+
+ +

Where domain-name is the domain name of a DNS reputation service.

+ +

permit_naked_ip_address

+ +

Depending on the Postfix version, the SMTP daemon logs one of +the following warnings:

+ + + +

This feature was removed because it was easy to get a false +match when smtpd_recipient_restrictions was intended to match a +remote SMTP client IP address.

+ +

Recommended configuration:

+ +
+
+main.cf:
+    smtpd_recipient_restrictions =
+        permit_mynetworks,
+        permit_sasl_authenticated,
+        reject_unauth_destination
+        reject_rbl_client domain-name
+        ...other restrictions...
+
+
+ +

That is, no restriction on HELO or EHLO syntax. Such restrictions +ar rarely useful nowadays. + + + + -- cgit v1.2.3
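Review bot: The replacement columns in the opportunistic TLS and mandatory TLS tables give the parameter as "xxx_security_level" (= none, = may, = encrypt), while the summary table under "Deprecated features" names the replacement "xxx_tls_security_level". A reader copying from the per-feature tables would end up with a name that does not match the summary, so the four table cells should read "xxx_tls_security_level" as well. Smaller points in the same hunk: in the reject_maps_rbl and permit_naked_ip_address examples, "reject_unauth_destination" has no trailing comma before "reject_rbl_client domain-name" although the preceding entries use commas, and the reject_maps_rbl example mixes tab and space indentation on its last two lines. The closing sentence has the typo "ar rarely useful", the check_relay_domains section reads "logs following warning", and the TLS policy table section reads "There is similarly-named parameter".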