Mail addresses (PLEASE send questions to the mailing list)
postfix-users@postfix.org Postfix users mailing list
- wietse@porcupine.org the original author
In order to subscribe to the mailing list, see http://www.postfix.org/.
auxiliary/ Auxiliary software etc.
bin/ Postfix command executables
conf/ Configuration files, run-time scripts
- include/ Installed include files
- lib/ Installed object libraries
+ include/ Include files
+ implementation-notes/ Background information
+ lib/ Object libraries
libexec/ Postfix daemon executables
- mantools/ Manual page utilities
+ mantools/ Documentation utilities
proto/ Documentation source
aliases yes (can enable/disable mail to /file or |command)
bare newlines yes (but will send CRLF)
blacklisting yes (client name/addr; helo hostname; mail from; rcpt to)
-connection caching yes (SMTP shared cache; LMTP in-process cache)
+connection caching yes (SMTP shared cache; LMTP shared cache)
content filter yes (before and after queue, internal and external)
db tables yes (compile time option)
dbm tables yes (compile time option)
delivered-to yes (configurable with prepend_delivered_header)
-dsn almost (supports enhanced status codes and DSN format bounces)
+dsn yes
+enhanced status codes yes
errors-to: no (removed with Postfix 2.2)
esmtp yes
etrn support yes (per-destination log for authorized destinations only)
greylist yes (delegated policy script)
home mailbox yes
ident lookup no
-ipv6 yes (compatibility for ipv4-only kernels/libraries)
+ipv6 yes (compatibility for ipv4-only systems)
ldap tables yes (contributed)
-lmtp support yes (client)
+lmtp support yes (client only)
luser relay yes
m4 config no
mail to command yes (configurable for .forward, aliases, :include:)
mailertable yes (it's called transport)
mailq yes
majordomo yes (edit approve script to delete /^delivered-to:/i)
+milter yes (except body replacement)
mime yes (including 8bit to quoted-printable conversion)
mysql tables yes (contributed)
netinfo tables yes (contributed)
nis+ tables yes (contributed)
no <> in smtp yes (most common address forms)
pgsql tables yes (contributed)
-pipeline option yes (server and client)
-pop/imap yes (with third-party daemons that use mailbox or maildir)
+pipeline option yes (SMTP server and client; LMTP client)
+pop/imap no
qmqp server yes (with verp support)
rbl support yes
-return-receipt: no
+return-receipt: no (use DSN NOTIFY=SUCCESS)
rhsbl support yes
sasl support yes (compile time option)
sendmail -bt no
+++ /dev/null
-Postfix DSN support implementation notes
-========================================
-
-In delivery status reports, Postfix now properly reports remote
-LMTP/SMTP server replies with Diagnostic-Type: SMTP, with the
-Diagnostic-Code: equal to the server reply, and with Remote-MTA:
-equal to the name of the remote MTA.
-
-Of course Postfix still produces the same "informal" error descriptions
-that it produced before (for example, the error text that appears
-in the first section of a bounce report).
-
-The Postfix LMTP/SMTP clients also report locally generated SMTP-style
-Diagnostic-Code: text (such as "420 conversation timed out") while
-taking care NOT to present these as if they are replies from the
-remote MTA (Sendmail appears to violate RFC 3464 here).
-
-That was the easy part. The remainder of Postfix is still somewhat
-inconsistent in the way that it creates the formal Diagnostic-Type:
-and Diagnostic-Code: information.
-
-- The queue manager attempts to produce standard SMTP Diagnostic-Type:
-and Diagnostic-Code: information for errors that it detects. It
-also receives error information from delivery agents and reports
-that information unmodified when it decides to "temporarily suspend"
-a delivery channel.
-
-- The "pipe to command" code in local(8) and pipe(8) produces
-Diagnostic-Type: X-UNIX, and Diagnostic-Code: text that is taken
-from /usr/include/sysexits.h or from the command output. This could
-be morphed into SMTP-style information, by mapping a sysexits error
-code to an SMTP error code, and combining that SMTP code with the
-sysexits.h text or command output. The advantage of this would be
-more useful Diagnostic-Code: information.
-
-- The code that delivers to mailbox produces Diagnostic-Type:
-X-Postfix and Diagnostic-Code: text that is the same good old Postfix
-error message that we are already familiar with. Typically these
-are errno-style reports about locking a file or appending a file.
-This information could be morphed into SMTP-style information, by
-mapping an errno error code into an SMTP error code, and combining
-that SMTP code with the Postfix-style text that we already have
-(such as text that says unable to lock mailbox, or mailbox file
-size limit exceeded).
-
-I'm not (yet) religious about banning X-UNIX and X-Postfix from the
-formal part of a delivery status report, but all these non-standard
-diagnostic codes aren't really very useful.
tls/tls_misc.c, tls/tls_server.c.
Added smtpd_tls_protocols parameter to complement
- smtp_tls_protocols.
+ smtp_tls_protocols. Victor Duchovni.
20060517
The smtp_tls_policy_maps table now implements parent domain
matching for destinations that are bare domains (without
enclosin [] or optional :port suffix). This allows one to
- set TLS policy for a domain and all sub-domains.
+ set TLS policy for a domain and all sub-domains. Victor
+ Duchovni.
20060519
The same parameter can bind to different variables in
different daemons, ignore the variable name when eliminating
- duplicates in extract.awk.
+ duplicates in extract.awk. Victor Duchovni.
20060523
Improved handling of smtp_tls_protocols and smtpd_tls_protocols,
names now processed via name_mask(3) and canonicalized prior
to use in the SMTP/LMTP client TLS session lookup key. Also
- simplifies the corresponding code in the TLS driver.
+ simplifies the corresponding code in the TLS driver. Victor
+ Duchovni.
20060524
20060601
Fixed default value of LMTP TLS client certificate parameters,
- using the SMTP values as a default was wrong.
+ using the SMTP values as a default was wrong. Victor Duchovni.
20060603
settings. We need to add the transport name to the TLS
session lookup key so that sessions verified with one set
of trusted roots are not inadvertantly considered verified
- for another.
+ for another. Victor Duchovni.
20060604
20060606
Portability: Some systems no longer support the traditional
- "sort +0 -2 +3".
+ "sort +0 -2 +3". Victor Duchovni.
20060607
20060612
- Changed smtp security level parsing and level to name
- convertion to use name_code(3).
+ Changed smtp security level parsing and level->name conversion
+ to use name_code(3). Victor Duchovni.
Implemented new smtp_tls_security_level parameter, to replace
the unnecessarily complex smtp_use_tls, smtp_enforce_tls
and smtp_tls_enforce_peername parameters. The main.cf
security level settings are now consistent with the new
- policy table.
+ policy table. Victor Duchovni.
The smtp_sasl_tls_verified_security_options feature is not
yet complete, added #ifdef SNAPSHOT and changed documentation
- to delay introduction until Postfix 2.4.
+ to delay introduction until Postfix 2.4. Victor Duchovni.
20060614
personality of the unified SMTP/LMTP client.
Allow mandatory TLS encryption with LMTP over UNIX-domain
- sockets.
+ sockets. Victor Duchovni.
Safety: improved code to avoid I/O on connections after the
- TLS handshake fails.
+ TLS handshake fails. Victor Duchovni.
20060615
The qshape.pl script was updated for the pointer records
that were introduced to support message content modification
- by Milter applications.
+ by Milter applications. Victor Duchovni.
20060620
The levels are "high", "medium" (or better), "low" (or
better), "export" (or better) and "null". The underlying
definitions of these levels are configurable, but users are
- strongly encouraged to not change those definitions.
+ strongly encouraged to not change those definitions. Victor
+ Duchovni.
20060626
mumble_tls_mandatory_mumble; added _mandatory_ qualifier
to names of parameters that affect only mandatory TLS.
+20060630
+
+ Features promoted from SNAPSHOT to STABLE: the "sleep"
+ pseudo restriction; Postfix daemons now read the local
+ timezone file before chrooting; trivial-rewrite now detects
+ table changes every 10 seconds, so it restarts more timely.
+
+ Features that stay #ifdef SNAPSHOT: tcp_table,
+ lmtp_sasl_tls_verified_security_options, and
+ smtp_sasl_tls_verified_security_options.
+
+ Compatibility: Sendmail does not send its own Received:
+ header to Milter applications. Offsets in header replace
+ requests are relative to the message content as received
+ (i.e. without our own Received: header), while offsets in
+ header insert requests are relative to the message as
+ delivered (i.e. they include our own Received: header).
+ This explains why dk-filter would sign our own Received:
+ header but place the signature between our own Received:
+ header and the rest of the message, violating the draft
+ domainkeys spec.
+
+20060702
+
+ Cleanup: more graceful handling of queue file read/write
+ errors while processing milter message modification requests.
+ Files: cleanup/cleanup_milter.c, milter/milter8.c.
+
+20060703
+
+ Debugging: the Postfix milter client gives more context
+ when it experiences trouble while talking to an uncooperative
+ Milter application. File: milter/milter8.c.
+
+ Compatibility: with OpenBSD 2.7 and later, the alias file
+ is now in /etc/mail/aliases.
+
+20060704
+
+ Bugfix: the Milter client skipped zero-length body lines.
+ File: milter/milter8.c.
+
+ Feature (just this one): RFC 3834 "Auto-Submitted:" message
+ header in DSNs. File: bounce/bounce_notify_util.c.
+
+20060705
+
+ Portability: LP64 systems required a few ssize_t->int casts
+ in debug logging statements. Files: milter/test_milter.c,
+ cleanup/cleanup_milter.c.
+
+ Cleanup: comments, error messages, and crumbling interfaces.
+
+20060707
+
+ Workaround: apparently, Solaris gettimeofday() can return
+ out-of range microsecond values. File: src/global/log_adhoc.c.
+
+ Robustness: the SMTPD policy client now encodes the
+ ccert_subject and ccert-issuer attributes as xtext. Some
+ characters are replaced by +XX, where XX is the two-digit
+ hexadecimal code for the character value. File:
+ smtpd/smtpd_check.c.
+
+ Safety: the SMTP/LMTP client now defers delivery when a
+ SASL password exists, but the server does not offer SASL
+ authentication. Mail could be rejected otherwise. This may
+ become an issue now that Postfix retries delivery in plaintext
+ after an opportunistic TLS handshake fails. Specify
+ "smtp_sasl_auth_enforce = no" to deliver mail anyway. File:
+ smtp/smtp_proto.c. See workaround 20060711 for sender-dependent
+ SASL passwords.
+
+20060709
+
+ Cleanup: the new single smtpd_tls_security_level parameter
+ obsoletes the multiple smtpd_use_tls and smtpd_enforce_tls
+ parameters. This is done for consistency with the Postfix
+ SMTP client. In the Postfix SMTP server, the levels "verify"
+ and "secure" are currently not applicable, and are treated
+ as "encrypt", after logging a warning. Files: smtpd/smtpd.c,
+ tls/tls_level.c, smtp/smtp_session.c.
+
+ Compatibility: don't send the first (blank) body line to
+ Milter applications. This broke domain key etc. signatures
+ when verified by non-Postfix MTAs. File: milter/milter8.c.
+
+20060710
+
+ Cleanup: more consistency between smtpd(8) and smtp(8) TLS
+ configuration interfaces: smtpd_tls_mandatory_exclude_ciphers,
+ smtpd_tls_mandatory_ciphers, smtpd_tls_mandatory_protocols.
+ By Victor. Files:smtpd/smtpd.c.
+
+ Cleanup: to support domainkey signing of bounces and
+ Postmaster notices, enable content inspection of Postfix-
+ generated mail with the new internal_mail_filter_classes
+ feature. This is disabled by default, because it is not
+ yet safe enough. Files: global/int_filt.[hc] and everything
+ that calls post_mail_fopen*().
+
+20060711
+
+ Cleanup: smtpd_tls_mumble -> smtpd_tls_mandatory_mumble,
+ and finer control over the Postfix SMTP server TLS ciphers,
+ all this for consistency with the same functionality in the
+ Postfix SMTP client. Victor Duchovni.
+
+ Compatibility: Sendmail's milter client handles whitespace
+ after the header label and ":" in an interesting manner.
+ It eats one space (not tab). File: milter/milter8.c.
+
+ Workaround: if sender-depedendent SASL passwords are enabled,
+ don't defer delivery when a SASL password exists but the
+ server doesn't announce SASL support. File: smtp/smtp_proto.c.
+
+ Cleanup: format of cleanup milter reject messages. File:
+ cleanup_milter.c.
+
+ Bugfix: file/memory leak if a transfer of multiple milters
+ from smtpd to cleanup broke in the middle. Found by Coverity.
+ File: milter/milter.c.
+
Wish list:
- In the SMTPD policy client (encode or strip) non-printable
- non-ASCII in (TLS or all) attributes.
+ The usage of TLScontext->cache_type is unclear. It specifies
+ a TLS session cache type (smtpd, smtp, or lmtp), but it is
+ sometimes used as an indicator that TLS session caching is
+ unavailable. In reality, that decision is made by not
+ registering call-back functions for cache maintenance.
- run real sendmail through test-milter and check the data
- for bit-wise compatibility with Postfix.
+ Postfix TLS library code should copy any strings that it
+ receives from the application, instead of passing them
+ around as pointers. TLScontext->cache_type is a case in
+ point.
Are transport:nexthop null fields the same as in the case
of default_transport etc. parameters?
- Introduce the notion of required security level into smtpd(8)
- just like with smtp(8): if the level is specified, ignore
- the legacy boolean parameters.
-
Introduce structured API for tls_server_mumble() just like
with smtp(8): this eliminates ever-growing lists of arguments.
- Cleanup: declare smtp_tls_levels[] in a header file, probably
- one that is owned by the Postfix TLS library instead of
- smtp(8). Better, encapsulate the name to code conversion
- as a Postfix TLS library service routine.
-
- With (non)delivery notifications, prepend an "Auto-Submitted:
- auto-replied" header, as per RFC 3834.
-
- Defer delivery when a SASL password exists but the server
- does not offer SASL authentication, as mail might otherwise
- be bounced. This may become an issue now that Postfix will
- retry in plaintext after optional TLS fails. Make this
- configurable so people can get the old behavior.
-
Don't lose bits when converting st_dev into maildir file
name. It's 64 bits on Linux. Found with the BEAM source
- code analyzer.
+ code analyzer. Is this really a problem, or are they just
+ using 64 bits for upwards compatibility with LP64 systems?
Do or don't introduce unknown_reverse_client_reject_code.
- mail_addr/rcpt_addr should be externalized as they are in
- Sendmail. Likewise, addresses in add/delete requests should
- be internalized before updating the queue file.
-
- Check that UINT32 == in choice is ok (i.e. LP64 UNIX).
+ In Milter events, mail_addr/rcpt_addr should be externalized
+ as they are in Sendmail. Likewise, addresses in add/delete
+ requests should be internalized before updating the queue
+ file.
- Fix milter_argv() so it does not forget how much memory it
- has.
+ Check that "UINT32 == unsigned int" choice is ok (i.e. LP64
+ UNIX).
Tempfail when a Milter application wants content access,
while it is configured in an SMTP server that runs before
the smtpd_proxy filter.
- Don't send xforward attributes to every site that announces
- xforward support.
-
The sendmail command should not return non-std exit status
after fatal error in some internal library routine.
Keep whitespace between label and ":"?
- Make XCLIENT/XFORWARD future proof: send xtext and accept
- old non-xtext.
-
Make the map case folding/locking options configurable, if
not at run-time then at least at compile time so we get
consistent behavior across applications.
- Investigate if it is feasible to eliminate cleanup(8) from
- the path of mail that is forwarded or generated internally.
- Good: we don't want header rewriting or content inspection.
- Bad: we still need virtual aliasing, even when mail is
- forwarded internally. This almost seems to imply that we
- do virtual aliasing earlier?
-
Investigate what it would take to eliminate oqmgr, and to
make the old behavior configurable in a unified queue
manager. This would shave another 2.7 KLOC from the source
Eliminate the (incoming,deferred)->active rename operation.
Softbounce fallback-to-ISP for SOHO users. This requires
- playing with with the soft_error test in the smtp_trouble.c
- module, and a way to avoid trying direct-to-MX-backup.
+ playing with the soft_error test in the smtp_trouble.c
+ module, and avoiding delivery to backup MX hosts.
select -> kqueue, epoll, /dev/poll, poll() ...
access rule.
Centralize main.cf parameter input so that defaults work
- consistently.
+ consistently. What about parameter names that are prefixed
+ with mail delivery transport names?
Fix default time unit handling so that we can have a default
bounce lifetime of $maximal_queue_lifetime, without causing
Remove defer(8) and trace(8) references and man pages. These
are services not program names.
- dsb_formal -> dsb_form_all, dsb_status -> dsb_form_status
-
Is it safe to cache a connection after it has been used for
more than some number of address verification probes?
Low: replace_sender/replace_recipient actions in access
maps?
- Feature: need "soft-bounce before fall-back relay" for SOHO
- type operations, so they can send direct mail without having
- to route everything through a provider.
-
- Med: disable header address rewriting after XCLIENT?
- Introduce a better concept of original submission?
-
Low: configurable order of local(8) delivery methods.
Med: local and remote source port and IP address for smtpd
Low: configurable internal/system locking method.
- Low: make sure CCARGS -I options come at the end.
-
Low: add INSTALL section for pre-existing Postfix systems.
Low: add INSTALL section for pre-existing RPM Postfixes.
Med: postsuper -r should do something with recipients in
bounce logfiles, to make sure the sender will be notified.
To be perfectly safe, no process other than the queue manager
- should move a queue file from the active queue.
+ should move a queue file away from the active queue.
This could involve tagging a queue file, and use up another
permission bit.
recipient address. If a recipient probe succeeds, then Postfix accepts mail for
the recipient address.
+By default, address verification results are not saved. To avoid probing the
+same address repeatedly, you can store the result in a persistent database as
+described later.
+
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
permit_mynetworks
# =============================================================
scan unix - - n - 10 smtp
-o smtp_send_xforward_command=yes
+ -o disable_mime_output_conversion=yes
* This runs up to 10 content filters in parallel. Instead of a limit of 10
concurrent processes, use whatever process limit is feasible for your
real client name IP address. See smtp(8) and XFORWARD_README for more
information.
+ * With "-o disable_mime_output_conversion=yes", the scan delivery agent will
+ not convert 8BITMIME mail to quoted-printable form while delivering to the
+ content filter, as that would invalidate domainkeys and other digital
+ signatures. This workaround is needed because some SMTP-based content
+ filters don't announce 8BITMIME support, even though they can handle it
+ just fine.
+
A\bAd\bdv\bva\ban\bnc\bce\bed\bd c\bco\bon\bnt\bte\ben\bnt\bt f\bfi\bil\blt\bte\ber\br:\b: r\bru\bun\bnn\bni\bin\bng\bg t\bth\bhe\be c\bco\bon\bnt\bte\ben\bnt\bt f\bfi\bil\blt\bte\ber\br
The content filter can be set up with the Postfix spawn service, which is the
OSF1.V3 - OSF1.V5 (Digital UNIX)
Reliant UNIX 5.x
Rhapsody 5.x
- SunOS 4.1.4 (December 2005)
+ SunOS 4.1.4 (July 2006)
SunOS 5.4 - 5.9 (Solaris 2.4..9)
Ultrix 4.x (well, that was long ago)
/etc/postfix/master.cf:
maildrop unix - n n - - pipe
- flags=DRhu user=vmail argv=/path/to/maildrop -d ${recipient}
+ flags=ODRhu user=vmail argv=/path/to/maildrop -d ${recipient}
+
+The pipe(8) manual page gives a detailed description of the above command line
+arguments, and more.
If you want to support user+extension@domain style addresses, use the following
instead:
/etc/postfix/master.cf:
maildrop unix - n n - - pipe
- flags=DRhu user=vmail argv=/path/to/maildrop
+ flags=ODRhu user=vmail argv=/path/to/maildrop
-d ${user}@${nexthop} ${extension} ${recipient} ${user} ${nexthop}
The mail is delivered to ${user}@${nexthop} (match key for maildrop userdb
The reason for adding Milter support to Postfix is that there exists a large
collection of applications, not only to block unwanted mail, but also to verify
authenticity (examples: SenderID+SPF and Domain keys) or to digitally sign mail
-(example: Domain keys). Having yet another MTA-specific version of all that
+(example: Domain keys). Having yet another Postfix-specific version of all that
software is a poor use of human and system resources.
Postfix 2.3 implements all the requests of Sendmail version 8 Milter protocols
up to version 4, except one: message body replacement. See, however, the
-limitations section at the end of this document.
+workarounds and limitations sections at the end of this document.
This document provides information on the following topics:
To run a Milter application, see the documentation of the filter for options. A
typical command looks like this:
- $ /\b/s\bso\bom\bme\be/\b/w\bwh\bhe\ber\bre\be/\b/d\bdk\bk-\b-f\bfi\bil\blt\bte\ber\br -\b-p\bp i\bin\bne\bet\bt:\b:p\bpo\bor\brt\btn\bnu\bum\bmb\bbe\ber\br@\b@l\blo\boc\bca\bal\blh\bho\bos\bst\bt .\b..\b..\b.o\bot\bth\bhe\ber\br o\bop\bpt\bti\bio\bon\bns\bs.\b..\b..\b.
+ # /\b/s\bso\bom\bme\be/\b/w\bwh\bhe\ber\bre\be/\b/d\bdk\bk-\b-f\bfi\bil\blt\bte\ber\br -\b-u\bu u\bus\bse\ber\bri\bid\bd -\b-p\bp i\bin\bne\bet\bt:\b:p\bpo\bor\brt\btn\bnu\bum\bmb\bbe\ber\br@\b@l\blo\boc\bca\bal\blh\bho\bos\bst\bt .\b..\b..\b.o\bot\bth\bhe\ber\br
+ o\bop\bpt\bti\bio\bon\bns\bs.\b..\b..\b.
+
+Please specify a userid value that isn't used for other applications (not
+"postfix", not "www", etc.).
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx
server is not filtered by the non-SMTP filters that are described in the next
section.
+NOTE: Do not use the header_checks(5) IGNORE action to remove Postfix's own
+Received: message header. This causes problems with mail signing filters.
+Instead, keep Postfix's own Received: message header and use the header_checks
+(5) REPLACE action to sanitize information.
+
You specify SMTP-only Milter applications (there can be more than one) with the
smtpd_milters parameter. Each Milter application is identified by the name of
its listening socket; other Milter configuration options will be discussed in
Connect to the specified TCP port on the specified local or remote
host. The host and port can be specified in numeric or symbolic form.
- Note: Postfix syntax differs from Milter syntax which has the form
+ NOTE: Postfix syntax differs from Milter syntax which has the form
i\bin\bne\bet\bt:\b:port@\b@host.
N\bNo\bon\bn-\b-S\bSM\bMT\bTP\bP M\bMi\bil\blt\bte\ber\br a\bap\bpp\bpl\bli\bic\bca\bat\bti\bio\bon\bns\bs
that arrives via the Postfix smtpd(8) server is not filtered by the non-SMTP
filters.
+NOTE: Do not use the header_checks(5) IGNORE action to remove Postfix's own
+Received: message header. This causes problems with mail signing filters.
+Instead, keep Postfix's own Received: message header and use the header_checks
+(5) REPLACE action to sanitize information.
+
You specify non-SMTP Milter applications with the non_smtpd_milters parameter.
This parameter uses the same syntax as the smtpd_milters parameter in the
previous section. As with the SMTP-only filters, you can specify more than one
W\bWo\bor\brk\bka\bar\bro\bou\bun\bnd\bds\bs
+Content filters may break domain key etc. signatures. If you use an SMTP-based
+filter as described in FILTER_README, then you should add a line to master.cf
+with "disable_mime_output_conversion = yes", as described in the advanced
+content filter example.
+
Sendmail Milter applications were originally developed for the Sendmail version
8 MTA, which has a different architecture than Postfix. The result is that some
Milter applications make assumptions that aren't true in a Postfix environment.
+ * Some Milter applications use the "{if_addr}" macro to recognize local mail;
+ this macro does not exist in Postfix. Workaround: use the "{client_addr}"
+ macro instead.
+
* Some Milter applications log a warning that looks like this:
sid-filter[36540]: WARNING: sendmail symbol 'i' not available
X-SenderID: Sendmail Sender-ID Filter vx.y.z host.example.com <unknown-
msgid>
- This happens because the Milter application expects that the queue ID is
+ This happens because some Milter applications expect that the queue ID is
known before the MTA accepts the MAIL FROM (sender) command. Postfix, on
- the other hand, does not create a queue file until after Postfix accepts
- the first valid RCPT TO (recipient) command. This queue file name must be
- globally unique across multiple queue directories, so it cannot be chosen
- until the file is actually created.
+ the other hand, does not choose a queue file name until after it accepts
+ the first valid RCPT TO (recipient) command. Postfix queue file names must
+ be unique across multiple directories, so the name can't be chosen before
+ the file is created. If multiple messages were to use the same queue ID
+ simultaneously, mail would be lost.
To work around the ugly message header from Milter applications, we add a
little code to the Milter source to look up the queue ID after Postfix
o Look up the mlfi_eom() function and add code near the top shown as b\bbo\bol\bld\bd
text below:
- sic = (Context) smfi_getpriv(ctx);
- assert(sic != NULL);
+ dfc = cc->cctx_msg;
+ assert(dfc != NULL);
- /\b/*\b*
- *\b**\b* D\bDe\bet\bte\ber\brm\bmi\bin\bne\be t\bth\bhe\be j\bjo\bob\bb I\bID\bD f\bfo\bor\br l\blo\bog\bgg\bgi\bin\bng\bg.\b.
- *\b*/\b/
- i\bif\bf (\b(s\bsi\bic\bc-\b->\b>c\bct\btx\bx_\b_j\bjo\bob\bbi\bid\bd =\b==\b= 0\b0 |\b||\b| s\bst\btr\brc\bcm\bmp\bp(\b(s\bsi\bic\bc-\b->\b>c\bct\btx\bx_\b_j\bjo\bob\bbi\bid\bd,\b, M\bMS\bSG\bGI\bID\bDU\bUN\bNK\bKN\bNO\bOW\bWN\bN)\b) =\b==\b= 0\b0)\b) {\b{
+ /\b/*\b* D\bDe\bet\bte\ber\brm\bmi\bin\bne\be t\bth\bhe\be j\bjo\bob\bb I\bID\bD f\bfo\bor\br l\blo\bog\bgg\bgi\bin\bng\bg.\b. *\b*/\b/
+ i\bif\bf (\b(d\bdf\bfc\bc-\b->\b>m\bmc\bct\btx\bx_\b_j\bjo\bob\bbi\bid\bd =\b==\b= 0\b0 |\b||\b| s\bst\btr\brc\bcm\bmp\bp(\b(d\bdf\bfc\bc-\b->\b>m\bmc\bct\btx\bx_\b_j\bjo\bob\bbi\bid\bd,\b, J\bJO\bOB\bBI\bID\bDU\bUN\bNK\bKN\bNO\bOW\bWN\bN)\b) =\b==\b= 0\b0)\b)
+ {\b{
c\bch\bha\bar\br *\b*j\bjo\bob\bbi\bid\bd =\b= s\bsm\bmf\bfi\bi_\b_g\bge\bet\bts\bsy\bym\bmv\bva\bal\bl(\b(c\bct\btx\bx,\b, "\b"i\bi"\b")\b);\b;
i\bif\bf (\b(j\bjo\bob\bbi\bid\bd !\b!=\b= 0\b0)\b)
- s\bsi\bic\bc-\b->\b>c\bct\btx\bx_\b_j\bjo\bob\bbi\bid\bd =\b= j\bjo\bob\bbi\bid\bd;\b;
+ d\bdf\bfc\bc-\b->\b>m\bmc\bct\btx\bx_\b_j\bjo\bob\bbi\bid\bd =\b= j\bjo\bob\bbi\bid\bd;\b;
}\b}
- This does not remove the WARNING message, however.
+ /* get hostname; used in the X header and in new MIME boundaries */
+
+ NOTES:
+
+ o Different mail filters use slightly different names for variables. If
+ the above code does not compile, look for the code at the start of the
+ mlfi_eoh() routine.
+
+ o This fixes only the ugly message header, but not the WARNING message.
+ Fortunately, dk-filter logs that message only once.
With some Milter applications we can fix both the WARNING and the "unknown-
msgid" by postponing the call of mlfi_eoh() (or whatever routine logs the
L\bLi\bim\bmi\bit\bta\bat\bti\bio\bon\bns\bs
This section lists limitations of the Postfix Milter implementation. Some
-limitations will be removed disappear as support is extended over time. Of
+limitations will be removed as the implementation is extended over time. Of
course the usual limitations of before-queue filtering will always apply. See
the CONTENT_INSPECTION_README document for a discussion.
configuration can be set with:
/etc/postfix/main.cf:
- smtpd_sasl_application_name = smtpd
+ smtpd_sasl_application_name = smtpd (Postfix < 2.3)
+ smtpd_sasl_path = smtpd (Postfix 2.3 and later)
The pwcheck daemon is contained in the cyrus-sasl source tarball.
reject_authenticated_sender_login_mismatch and
reject_unauthenticated_sender_login_mismatch, and revised the docs.
* Wietse made another iteration through the code to add plug-in support for
- multiple SASL implementations.
+ multiple SASL implementations, and changed smtpd_sasl_application_name into
+ smtpd_sasl_path.
* The Dovecot SMTP server-only plug-in was originally implemented by Timo
Sirainen of Procontrol, Finland.
sasl_sender=
size=12345
ccert_subject=solaris9.porcupine.org
- ccert_issuer=Wietse Venema
+ ccert_issuer=Wietse+20Venema
ccert_fingerprint=C2:9D:F4:87:71:73:73:D9:18:E7:C2:F3:C1:DA:6E:04
P\bPo\bos\bst\btf\bfi\bix\bx v\bve\ber\brs\bsi\bio\bon\bn 2\b2.\b.3\b3 a\ban\bnd\bd l\bla\bat\bte\ber\br:\b:
encryption_protocol=TLSv1/SSLv3
* The "ccert_*" attributes (Postfix 2.2 and later) specify information about
how the client was authenticated via TLS. These attributes are empty in
- case of no certificate authentication.
+ case of no certificate authentication. As of Postfix 2.2.11 these attribute
+ values are encoded as xtext: some characters are represented by +XX, where
+ XX is the two-digit hecadecimal representation of the character value.
* The "encryption_*" attributes (Postfix 2.3 and later) specify information
about how the connection is encrypted. With plaintext connections the
failure, the server will be unable to receive email from most TLS enabled
clients. To avoid accidental configurations with no certificates, Postfix 2.3
enables certificate-less operation only when the administrator explicitly sets
-"smtpd_tls_cert_file = none". This ensures that new Postfix configurations with
-just "smtpd_use_tls = yes" added, will not accidentally run with no
-certificates.
+"smtpd_tls_cert_file = none". This ensures that new Postfix configurations will
+not accidentally run with no certificates.
Both RSA and DSA certificates are supported. Typically you will only have RSA
certificates issued by a commercial CA. In addition, the tools supplied with
E\bEn\bna\bab\bbl\bli\bin\bng\bg T\bTL\bLS\bS i\bin\bn t\bth\bhe\be P\bPo\bos\bst\btf\bfi\bix\bx S\bSM\bMT\bTP\bP s\bse\ber\brv\bve\ber\br
By default, TLS is disabled in the Postfix SMTP server, so no difference to
-plain Postfix is visible. Explicitly switch it on using "smtpd_use_tls = yes".
+plain Postfix is visible. Explicitly switch it on with
+"smtpd_tls_security_level = may" (Postfix 2.3 and later) or "smtpd_use_tls =
+yes" (obsolete but still supported).
Example:
/etc/postfix/main.cf:
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = may
+ # Obsolete, but still supported
smtpd_use_tls = yes
With this, Postfix SMTP server announces STARTTLS support to SMTP clients, but
You can ENFORCE the use of TLS, so that the Postfix SMTP server announces
STARTTLS and accepts no mail without TLS encryption, by setting
-"smtpd_enforce_tls = yes". According to RFC 2487 this MUST NOT be applied in
-case of a publicly-referenced Postfix SMTP server. This option is off by
-default and should only seldom be used.
+"smtpd_tls_security_level = encrypt" (Postfix 2.3 and later) or
+"smtpd_enforce_tls = yes" (obsolete but still supported). According to RFC 2487
+this MUST NOT be applied in case of a publicly-referenced Postfix SMTP server.
+This option is off by default and should only seldom be used.
Example:
/etc/postfix/main.cf:
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = encrypt
+ # Obsolete, but still supported
smtpd_enforce_tls = yes
TLS is sometimes used in the non-standard "wrapper" mode where a server always
Example:
/etc/postfix/main.cf:
- smtpd_use_tls = yes
smtpd_tls_ask_ccert = yes
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = may
+ # Obsolete, but still supported
+ smtpd_use_tls = yes
When TLS is enforced you may also decide to REQUIRE a remote SMTP client
certificate for all TLS connections, by setting "smtpd_tls_req_ccert = yes".
Example:
/etc/postfix/main.cf:
- smtpd_enforce_tls = yes
smtpd_tls_req_ccert = yes
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = encrypt
+ # Obsolete, but still supported
+ smtpd_enforce_tls = yes
A client certificate verification depth of 1 is sufficient if the certificate
is directly issued by a CA listed in the CA file. The default value (5) should
S\bSu\bup\bpp\bpo\bor\brt\bti\bin\bng\bg A\bAU\bUT\bTH\bH o\bov\bve\ber\br T\bTL\bLS\bS o\bon\bnl\bly\by
Sending AUTH data over an unencrypted channel poses a security risk. When TLS
-layer encryption is required (smtpd_enforce_tls = yes), the Postfix SMTP server
-will announce and accept AUTH only after the TLS layer has been activated with
-STARTTLS. When TLS layer encryption is optional (smtpd_enforce_tls = no), it
-may however still be useful to only offer AUTH when TLS is active. To maintain
-compatibility with non-TLS clients, the default is to accept AUTH without
-encryption. In order to change this behavior, set "smtpd_tls_auth_only = yes".
+layer encryption is required ("smtpd_tls_security_level = encrypt" or the
+obsolete "smtpd_enforce_tls = yes"), the Postfix SMTP server will announce and
+accept AUTH only after the TLS layer has been activated with STARTTLS. When TLS
+layer encryption is optional ("smtpd_tls_security_level = may" or the obsolete
+"smtpd_enforce_tls = no"), it may however still be useful to only offer AUTH
+when TLS is active. To maintain compatibility with non-TLS clients, the default
+is to accept AUTH without encryption. In order to change this behavior, set
+"smtpd_tls_auth_only = yes".
Example:
The description below is for Postfix 2.3; for Postfix < 2.3 the
smtpd_tls_cipherlist parameter specifies the acceptable ciphers as an explicit
-OpenSSL cipherlist.
+OpenSSL cipherlist. The obsolete setting applies even when TLS encryption is
+not enforced. Use of this control on public MX hosts is strongly discouraged.
+
+With mandatory TLS encryption, the Postfix SMTP server will by default only use
+SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. This is
+controlled by the smtpd_tls_mandatory_protocols configuration parameter.
The Postfix SMTP server supports 5 distinct cipher security levels as specified
-by the smtpd_tls_ciphers configuration parameter. The default value is "export"
-which is the only one appropriate for public MX hosts. On private MX hosts or
-MSAs one can further restrict the OpenSSL cipherlist selection.
+by the smtpd_tls_mandatory_ciphers configuration parameter, which determines
+the cipher grade with mandatory TLS encryption. The default value is "medium"
+which is essentially 128-bit encryption or better. With opportunistic TLS
+encryption, the minimum accepted cipher grade is always "export".
By default anonymous ciphers are allowed, and automatically disabled when
client certificates are requested. If clients are expected to always verify the
server certificate you may want to exclude anonymous ciphers by setting
-"smtpd_tls_exclude_ciphers = aNULL". One can't force a client to check the
-server certificate, so excluding anonymous ciphers is generally unnecessary.
+"smtpd_tls_mandatory_exclude_ciphers = aNULL". One can't force a client to
+check the server certificate, so excluding anonymous ciphers is generally
+unnecessary.
For a server that is not a public Internet MX host, Postfix 2.3 supports
configurations with no server certificates that use o\bon\bnl\bly\by the anonymous ciphers.
This is enabled by explicitly setting "smtpd_tls_cert_file = none" and not
specifying an smtpd_tls_dcert_file.
-Example: (MSA that requires TLS with reasonably secure ciphers)
+Example: (MSA that requires TLS with high grade ciphers)
/etc/postfix/main.cf:
- smtpd_use_tls = yes
- smtpd_enforce_tls = yes
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
- smtpd_tls_ciphers = medium
- smtpd_tls_exclude_ciphers = aNULL, MD5
+ smtpd_tls_mandatory_ciphers = high
+ smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = encrypt
+ # Obsolete, but still supported
+ smtpd_enforce_tls = yes
If you want to take advantage of ciphers with EDH, DH parameters are needed.
Instead of using the built-in DH parameters for both 1024bit and 512bit, it is
With Postfix 2.2 and earlier, or when smtp_tls_security_level is set to its
default (backwards compatible) empty value, the appropriate configuration
settings are "smtp_use_tls = yes" and "smtp_enforce_tls = no". For LMTP use the
-corresponding "lmtp" parameters.
+corresponding "lmtp_" parameters.
With opportunistic TLS, mail delivery continues even if the server certificate
is untrusted or bears the wrong name. Starting with Postfix 2.3, when the TLS
With Postfix 2.2 and earlier, or when smtp_tls_security_level is set to its
default (backwards compatible) empty value, the appropriate configuration
settings are "smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = no". For
-LMTP use the corresponding lmtp_ parameters.
+LMTP use the corresponding "lmtp_" parameters.
Despite the potential for eliminating passive eavesdropping attacks, mandatory
TLS encryption is not viable as a default security level for mail delivery to
M\bMa\ban\bnd\bda\bat\bto\bor\bry\by s\bse\ber\brv\bve\ber\br c\bce\ber\brt\bti\bif\bfi\bic\bca\bat\bte\be v\bve\ber\bri\bif\bfi\bic\bca\bat\bti\bio\bon\bn
At the "verify" TLS security level, messages are sent only over TLS encrypted
-sessions for which server certificate verification succeeds. If no suitable
-servers are found, the message will be deferred. With Postfix 2.3 and later,
-mandatory server certificate verification can be configured by setting
-"smtp_tls_security_level = verify", the smtp_tls_verify_cert_match parameter
-can override the default "hostname" certificate match strategy. Fine-tuning the
-matching strategy is generally only appropriate for secure-channel
-destinations.
+sessions if the server certificate is valid (not expired or revoked, and signed
+by a trusted certificate authority) and if the server certificate name matches
+a known pattern. Mandatory server certificate verification can be configured by
+setting "smtp_tls_security_level = verify". The smtp_tls_verify_cert_match
+parameter can override the default "hostname" certificate name matching
+strategy. Fine-tuning the matching strategy is generally only appropriate for
+secure-channel destinations.
With Postfix 2.2 and earlier, or when smtp_tls_security_level is set to its
default (backwards compatible) empty value, the appropriate configuration
settings are "smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes".
-For LMTP use the corresponding lmtp_ parameters.
+For LMTP use the corresponding "lmtp_" parameters.
If the server certificate chain is trusted (see smtp_tls_CAfile and
smtp_tls_CApath), any DNS names in the SubjectAlternativeName certificate
default (backwards compatible) empty value, the appropriate configuration
settings are "smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes"
with additional settings to harden peer certificate verification against forged
-DNS data. For LMTP, use the corresponding lmtp_ parameters.
+DNS data. For LMTP, use the corresponding "lmtp_" parameters.
If the server certificate chain is trusted (see smtp_tls_CAfile and
smtp_tls_CApath), any DNS names in the SubjectAlternativeName certificate
The new policy table is specified via the smtp_tls_policy_maps parameter. This
lists optional lookup tables with the Postfix SMTP client TLS security policy
-by next-hop destination. It supersedes the obsolete smtp_tls_per_site
-parameter. When $smtp_tls_policy_maps is not empty, the smtp_tls_per_site
-parameter is ignored (a warning is written to the logs if it is also non-
-empty).
+by next-hop destination. When $smtp_tls_policy_maps is not empty, the obsolete
+smtp_tls_per_site parameter is ignored (a warning is written to the logs if
+both parameter values are non-empty).
The TLS policy table is indexed by the full next-hop destination, which is
either the recipient domain, or the verbatim next-hop specified in the
m\bma\bay\by
Opportunistic TLS. No additional attributes are supported at this level.
e\ben\bnc\bcr\bry\byp\bpt\bt
- Mandatory TLS encryption. At this level and higher the optional "ciphers"
- attribute overrides the main.cf smtp_tls_mandatory_ciphers parameter and
- the optional "protocols" keyword overrides the main.cf
- smtp_tls_mandatory_protocols parameter. In the policy table, multiple
- protocols must be separated by colons, as attribute values may not contain
- whitespace or commas.
+ Mandatory TLS encryption. Mail is delivered only if remote SMTP server
+ offers STARTTLS and the TLS handshake succeeds. At this level and higher
+ the optional "ciphers" attribute overrides the main.cf
+ smtp_tls_mandatory_ciphers parameter and the optional "protocols" keyword
+ overrides the main.cf smtp_tls_mandatory_protocols parameter.
v\bve\ber\bri\bif\bfy\by
- Mandatory server certificate verification. The optional "match" attribute
- overrides the main.cf smtp_tls_verify_cert_match parameter. In the policy
- table, multiple match patterns and strategies must be separated by colons.
+ Mandatory server certificate verification. Mail is delivered only if the
+ TLS handshake succeeds, if the server certificate can be validated (not
+ expired or revoked, and signed by a trusted certificate authority), and if
+ the server certificate name matches the optional "match" attribute (or the
+ main.cf smtp_tls_verify_cert_match parameter value when no optional "match"
+ attribute is specified).
s\bse\bec\bcu\bur\bre\be
- Secure-channel TLS. The optional "match" attribute overrides the main.cf
- smtp_tls_secure_cert_match parameter. In the policy table, multiple match
- patterns and strategies must be separated by colons. The match attribute is
- useful when additional domains are supported by common server, the policy
- entries for the additional domains specify matching rules for the primary
- domain certificate. While transport table overrides routing secondary
- domains to the primary nexthop also allow secure verification, they risk
- delivery to the wrong destination when domains change hands or are re-
- assigned to new gateways. With the "match" attribute approach, routing is
- not perturbed, and mail is deferred if verification of a new MX host fails.
+ Secure-channel TLS. Mail is delivered only if the TLS handshake succeeds,
+ if the server certificate can be validated (not expired or revoked, and
+ signed by a trusted certificate authority), and if the server certificate
+ name matches the optional "match" attribute (or the main.cf
+ smtp_tls_secure_cert_match parameter value when no optional "match"
+ attribute is specified).
+Notes:
+
+ * The "match" attribute is especially useful to verify TLS certificates for
+ domains that are hosted on a shared server. In that case, specify "match"
+ rules for the shared server's name. While secure verification can also be
+ achieved with manual routing overrides in Postfix transport(5) tables, that
+ approach can deliver mail to the wrong host when domains are assigned to
+ new gateway hosts. The "match" attribute approach avoids the problems of
+ manual routing overrides; mail is deferred if verification of a new MX host
+ fails.
+
+ * When a policy table entry specifies multiple match patterns, multiple match
+ strategies, or multiple protocols, these must be separated by colons.
+
Example:
/etc/postfix/main.cf:
MAY
Opportunistic TLS. This has less precedence than a more specific result
(including "NONE") from the alternate host or next-hop lookup key, and
- has less precedence than the more specific global
- "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername = yes".
+ has less precedence than the more specific global "smtp_enforce_tls =
+ yes" or "smtp_tls_enforce_peername = yes".
MUST_NOPEERMATCH
Mandatory TLS encryption. This overrides a less secure "NONE" or a less
specific "MAY" lookup result from the alternate host or next-hop lookup
to configure ciphers on a per-destination basis.
By default anonymous ciphers are allowed, and automatically disabled when
-server certificates are verified. If you want to disable even at the "encrypt"
-security level, set "smtp_tls_mandatory_exclude_ciphers = aNULL", to disable
-anonymous ciphers even with opportunistic TLS, set
+server certificates are verified. If you want to disable anonymous ciphers even
+at the "encrypt" security level, set "smtp_tls_mandatory_exclude_ciphers =
+aNULL"; and to disable anonymous ciphers even with opportunistic TLS, set
"smtp_tls_exclude_ciphers = aNULL". There is generally no need to take these
measures. Anonymous ciphers save bandwidth and TLS session cache space, if
certificates are ignored, there is little point in requesting them.
certificate and key incorrectly, you will be unable to send mail to sites
that request client certificate, but don't require them from all clients.
- smtp_tls_CAfile = /etc/postfix/cacert.pem
- smtp_tls_session_cache_database =
- btree:/var/spool/postfix/smtp_tls_session_cache
- smtp_use_tls = yes
- smtpd_tls_CAfile = /etc/postfix/cacert.pem
- smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
- smtpd_tls_key_file = /etc/postfix/FOO-key.pem
- smtpd_tls_received_header = yes
- smtpd_tls_session_cache_database =
- btree:/var/spool/postfix/smtpd_tls_session_cache
- smtpd_use_tls = yes
- tls_random_source = dev:/dev/urandom
+ /etc/postfix/main.cf:
+ smtp_tls_CAfile = /etc/postfix/cacert.pem
+ smtp_tls_session_cache_database =
+ btree:/var/spool/postfix/smtp_tls_session_cache
+ smtp_use_tls = yes
+ smtpd_tls_CAfile = /etc/postfix/cacert.pem
+ smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
+ smtpd_tls_key_file = /etc/postfix/FOO-key.pem
+ smtpd_tls_received_header = yes
+ smtpd_tls_session_cache_database =
+ btree:/var/spool/postfix/smtpd_tls_session_cache
+ tls_random_source = dev:/dev/urandom
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = may
+ # Obsolete, but still supported
+ smtpd_use_tls = yes
R\bRe\bep\bpo\bor\brt\bti\bin\bng\bg p\bpr\bro\bob\bbl\ble\bem\bms\bs
-The stable Postfix release is called postfix-2.2.x where 2=major
-release number, 2=minor release number, x=patchlevel. The stable
+The stable Postfix release is called postfix-2.3.x where 2=major
+release number, 3=minor release number, x=patchlevel. The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.
New features are developed in snapshot releases. These are called
-postfix-2.3-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+postfix-2.4-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day). Patches are never issued for snapshot releases;
instead, a new snapshot is released.
The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.
-Incompatibility with Postfix 2.1 and earlier
+Incompatibility with Postfix 2.2 and earlier
============================================
-If you upgrade from Postfix 2.1 or earlier, read RELEASE_NOTES-2.2
+If you upgrade from Postfix 2.2 or earlier, read RELEASE_NOTES-2.3
before proceeding.
-Major changes with snapshot 20060626
-====================================
-
-Both the SMTP client and server can be configured without a client
-or server certificate. An SMTP server without certificate can use
-only anonymous ciphers, and will not interoperate with most clients.
-
-The SMTP server supports anonymous ciphers when client certificates
-are not requested or required, and the administrator has not excluded
-the "aNULL" OpenSSL cipher type.
-
-The SMTP client supports anonymous ciphers when no server certificate
-is required (notably Postfix 2.3 in "opportunistic" mode) and the
-administrator has not excluded the "aNULL" OpenSSL cipher type.
-
-Instead of cipher lists you can now specify cipher grades. The
-smtp_tls_ciphers, lmtp_tls_ciphers and smtpd_tls_ciphers parameters
-specify one of "high", "medium", "low", "export" or "null". See the
-documentation for details.
-
-Incompatibility with Postfix snapshot 20060614
-==============================================
-
-The smtp_sasl_tls_verified_security_options feature is not yet
-complete, and will therefore not appear in the stable Postfix 2.3
-release.
-
-New smtp_tls_mandatory_protocols feature used for mandatory TLS
-destinations. The default value is "SSLv3, TLSv1". SSLv2 is by
-default no longer used with mandatory TLS.
-
-The smtp_tls_cipherlist parameter only applies when TLS is mandatory,
-it is ignored for opportunistic TLS sessions.
-
-At (lmtp|smtp|smtpd)_tls_loglevel >= 2, Postfix now also logs TLS
-session cache activity. Use level 2 and higher for debugging only,
-use levels 0 or 1 as production settings.
-
-Major changes with snapshot 20060614
-====================================
-
-New design of the TLS policy interface (minimum security levels,
-cipher and protocol selection).
-
-New smtp_tls_security_level parameter obsoletes the unnecessarily
-complex smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername
-parameters. Use smtp_tls_security_level instead. The old parameters
-will be removed in a future Postfix release.
-
-New smtp_tls_policy_maps feature obsoletes smtp_tls_per_site, the
-old feature is only used when smtp_tls_policy_maps is not set. Use
-smtp_tls_policy_maps instead. This also implements parent domain
-matching for destinations that are bare domains (without enclosing
-[] or optional :port suffix). One can now set TLS policy for a
-domain and all sub-domains.
-
-New smtpd_tls_protocols parameter complements the
-smtp_tls_mandatory_protocols parameter, only recommended for MSA
-configurations, not MX hosts.
-
-The unified SMTP/LMTP client now has complete sets of configuration
-parameters for each protocol.
-
-Incompatibility with snapshot 20060611
-======================================
-
-Postfix internal protocols have has changed. You need to "postfix
-reload" or restart Postfix, otherwise the cleanup server or delivery
-agents will log "unexpected attribute" warnings and mail will not
-be delivered.
-
-Incompatibility with snapshot 20060515
-======================================
-
-Milter support introduces a three new queue file record types. Queue
-files created with this Postfix version will be understood by older
-Postfix versions ONLY if Milter support is turned off, which is
-the default.
-
-Milter support introduces new logging event types: milter-reject,
-milter-discard and milter-hold, that identify actions from Milter
-applications. This may affect logfile processing software.
-
-Major changes with snapshot 20060515
-====================================
-
-Milter (mail filter) application support, compatible with Sendmail
-version 8. This allows you to run a large number of plug-ins to
-reject unwanted mail and to sign mail with, for example, domain
-keys. All Milter functions are implemented except replacing the
-message body, which will be added later. Milters are before-queue
-filters, so they don't change the queue ID.
-
-See the MILTER_README document for a discussion of how to use Milter
-support with Postfix.
-
-Incompatibility with snapshot 20060611
-======================================
-
-The PostgreSQL client was updated after the PostgreSQL developers
-made major database API changes in response to SQL injection problems.
-This breaks support for PGSQL versions prior to 8.1.4, 8.0.8, 7.4.13,
-and 7.3.15. Support for these requires major code changes which are
-not possible in the time that is left for completing the Postfix
-2.3 stable release.
-
-The SMTP server XCLIENT implementation has changed. The SMTP server
-now resets state to the initial server greeting stage, so that it
-can accurately simulate the effect of connection-level access
-restrictions. Without this change, XCLIENT will not work at all
-with Milter applications.
-
-The SMTP server XCLIENT and XFORWARD commands now expect that
-attributes are xtext encoded (RFC 1891). For backwards compatibility
-they will accept unencoded attribute values. The XFORWARD client
-code in the SMTP client and in the SMTPD_PROXY client will always
-encode attribute values. This change will have effect only for
-malformed hostname and helo parameter values.
-
-For more details, see the XCLIENT_README and XFORWARD_README
-documents.
-
-Incompatibility with snapshot 20060207
-======================================
-
-The Postfix SMTP server no longer complains when TLS support is not
-compiled in, but permit_tls_clientcerts, permit_tls_all_clientcerts,
-or check_ccert_access are used. These features now are effectively
-ignored. However, the reject_plaintext_session feature is not
-ignored and will reject mail.
-
-Incompatibility with snapshot 20060123
-======================================
-
-Postfix now preserves uppercase information while mapping addresses
-with canonical, virtual, relocated or generic maps; this happens
-even with $number substitutions in regular expression maps. However,
-the local(8) and virtual(8) delivery agents still fold addresses
-to lower case.
-
-By default, Postfix now folds the search string to lowercase only
-with tables that have fixed-case lookup fields such as btree:,
-hash:, dbm:, ldap:, or *sql:. The search string is no longer case
-folded with tables whose lookup fields can match both upper or lower
-case, such as regexp:, pcre:, or cidr:.
-
-For safety reasons, Postfix no longer allows $number substitution
-in regexp: or pcre: transport tables or per-sender relayhost tables.
-
-Major changes with snapshot 20060123
-====================================
-
-Postfix now does a better job at preserving upper/lower case
-information while transforming addresses. The table lookup code
-was revised, and is now more careful about when it folds search
-strings to lower case. As a side effect, Postfix now also does a
-better job at being case insensitive where it should, for example
-while searching per-host TLS policies or SASL passwords.
-
-Some obscure behavior was eliminated from the smtp_tls_per_site
-feature, without changes to the user interface. Some Postfix internals
-had to be re-structured in preparation for a more general TLS policy
-mechanism; this required that smtp_tls_per_site be re-implemented
-from scratch.
-
-Postfix 2.3 is expected to provide a new per-site TLS policy mechanism
-that eliminates DNS spoofing attacks more effectively; the legacy
-smtp_tls_per_site feature will be kept intact for a few releases
-so that sites can upgrade Postfix without being forced to use a
-different TLS policy mechanism.
-
-Incompatibility with snapshot 20060112
-======================================
-
-The queue manager delivery request protocol has changed. You must
-reload Postfix when upgrading. If you omit this step, delivery
-agents complain with "warning: unexpected attribute original_recipient"
-and mail will not be delivered.
-
-The Postfix SMTP/LMTP client by default no longer allows DNS CNAME
-records to override the server hostname that is used for logging,
-SASL password lookup, TLS policy selection and TLS server certificate
-verification. Specify "smtp_cname_overrides_servername = yes" to get
-the old behavior.
-
-Postfix DSN reports no longer make up their own surrogate SMTP
-replies for errors that were not reported by a remote SMTP server.
-
-Incompatibility with snapshot 20060103
-======================================
-
-The Postfix SMTP/LMTP client no longer defers mail when it receives
-a malformed SMTP server reply in a session with command pipelining.
-When helpful warnings are enabled, it will suggest that command
-pipelining be disabled for the affected destination.
-
-Major changes with snapshot 20051222
-====================================
-
-Dovecot SASL support (SMTP server only). Details can be found
-in the SASL_README document.
-
-You can now use "resolve_numeric_domain = yes" to stop Postfix
-from rejecting user@ipaddress as an invalid destination. It will
-deliver the mail to user@[ipaddress] instead.
-
-Incompatibility with snapshot 20051220
-======================================
-
-The Postfix-with-Cyrus-SASL build procedure has changed. You now
-need to specify -DUSE_CYRUS_SASL in addition to -DUSE_SASL_AUTH or
-else you end up without any Cyrus SASL support. The error messages
-are:
-
- unsupported SASL server implementation: cyrus
- unsupported SASL client implementation: cyrus
-
-Major changes with snapshot 20051220
-====================================
-
-Plug-in support for SASL authentication in the SMTP server and in
-the SMTP+LMTP client. With this, Postfix can support multiple SASL
-implementations without source code patches. Some distributors may
-even make SASL support a run-time linking option, just like they
-do with Postfix lookup tables.
-
-Hints and tips for plug-in developers are in the xsasl/README file.
-
-For backwards compatibility the default plug-in type is Cyrus SASL,
-so everything should behave like it did before. Some error messages
-are slightly different, but these are generally improvements.
-
-The "postconf -a" command shows what plug-in implementations are
-available for the SMTP server, and "postconf -A" does the same for
-the SMTP+LMTP client. Plug-in implementations are selected with
-the smtpd_sasl_type, smtp_sasl_type and lmtp_sasl_type configuration
-parameters.
-
-Other new configuration parameters are smtpd_sasl_path, smtp_sasl_path
-and lmtp_sasl_path. These are better left alone; they are introduced
-for the convenience of other SASL implementations.
-
-Incompatibility with snapshot 20051208
-======================================
-
-The fallback_relay feature is renamed to smtp_fallback_relay, to
-make clear that the combined SMTP+LMTP client uses this setting
-only for SMTP deliveries. The old name still works.
-
-The LMTP client now reports the server as "myhostname[/path/name]".
-With the real server hostname in delivery status reports, the
-information will be more useful.
-
-Major changes with snapshot 20051208
-====================================
-
-The SMTP client now implements the LMTP protocol. Most but not all
-smtp_xxx parameters have an lmtp_xxx "ghost" parameter. This means
-there are lot of new LMTP features, including support for TLS and
-for the shared connection cache. There are no lmtp_xxx "ghost"
-parameters for the HELO or EHLO commands, because those commands
-exist only in SMTP.
-
-Incompatibility with snapshot 20051202
-======================================
-
-The Postfix SMTP daemon will not receive mail from the network if
-it isn't running with postfix mail_owner privileges. This prevents
-surprises when, for example, "sendmail -bs" is configured to run
-as root from xinetd.
-
-Incompatibility with snapshot 20051125
-======================================
-
-You MUST stop and restart Postfix, because the address resolver
-protocol has changed. If you don't stop and restart Postfix, you
-will have an endless stream of warning messages with "problem talking
-to service rewrite: Unknown error: 0" and "warning: unexpected
-attribute address in input from rewrite socket".
-
-Major changes with snapshot 20051125
-====================================
-
-This snapshot adds support for sender-dependent ISP accounts.
-
-- Sender-dependent smarthost lookup tables. The maps are searched
- with the sender address and with the sender @domain. The result
- overrides the global relayhost setting, but otherwise has identical
- behavior. See the postconf(5) manual page for more details.
-
- Example:
- /etc/postfix/main.cf:
- sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
-
-- Sender-dependent SASL authentication support. This disables SMTP
- connection caching to ensure that mail from different senders
- will use the correct authentication credentials. The SMTP SASL
- password file is first searched by sender address, and then by
- the remote domain and hostname as usual.
-
- Example:
- /etc/postfix/main.cf:
- smtp_sasl_auth_enable = yes
- smtp_sender_dependent_authentication = yes
- smtp_sasl_password_maps = hash:/etc/postfix/sasl_pass
-
-Incompatibility with snapshot 20051121
-======================================
-
-For compatibility reasons, the permit_mx_backup feature will accept
-mail for authorized destinations (see permit_mx_backup for definition).
-Only with other destinations will it require that the local MTA is
-listed as non-primary MX.
-
-Incompatibility with snapshot 20051120
-======================================
-
-The permit_mx_backup feature now requires that the local MTA is not
-listed as primary MX host for the recipient domain. This prevents
-mail loop problems when someone points the primary MX record at
-Postfix.
-
-Major changes with snapshot 20051113
-====================================
-
-Configurable bounce messages, based on a format that was developed
-by Nicolas Riendeau. The file with templates is specified with the
-bounce_template_file parameter. Details are in the bounce(5) manual
-page, and examples of the built-in templates can be found in a file
-bounce.cf.default in the Postfix configuration directory. The
-template for the default bounce message looks like this:
-
- failure_template = <<EOF
- Charset: us-ascii
- From: MAILER-DAEMON (Mail Delivery System)
- Subject: Undelivered Mail Returned to Sender
- Postmaster-Subject: Postmaster Copy: Undelivered Mail
-
- This is the $mail_name program at host $myhostname.
-
- I'm sorry to have to inform you that your message could not
- be delivered to one or more recipients. It's attached below.
-
- For further assistance, please send mail to <postmaster>
-
- If you do so, please include this problem report. You can
- delete your own text from the attached returned message.
-
- The $mail_name program
- EOF
-
-Incompatibility with snapshot 20051106
-======================================
-
-The relay=... logging has changed and now includes the remote SMTP
-server port number as hostname[hostaddr]:port.
-
-Incompatibility with snapshot 20051105
-======================================
-
-qshape needs to be updated. See the file qshape-microsecond-patch.
-
-All delay logging now has sub-second resolution, including the
-over-all "delay=nnn" logging.
-
-At this point the Postfix logging for a recipient looks like this:
-
- Nov 3 16:04:31 myname postfix/smtp[30840]: 19B6B2900FE:
- to=<wietse@test.example.com>, orig_to=<wietse@test>,
- relay=mail.example.com[1.2.3.4], conn_use=2, delay=0.22,
- delays=0.04/0.01/0.05/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
-
-
-Incompatibility with snapshot 20051103
-======================================
-
-pflogsumm needs to be updated. See the pflogsumm-conn-delays-dsn-patch
-file.
-
-The queue manager protocol has changed. You need to "postfix reload"
-after "make upgrade".
-
-The logging of recipient status information has changed. This may
-require changes to logfile processing tools.
-
-- Postfix now logs an additional attribute with detailed delay
-information (delays=a/b/c/d) as described below.
-
-- Postfix now logs an additional attribute with the connection reuse
-count (conn_use=nnn) as described below.
-
-Major changes with snapshot 20051103
-====================================
-
-This release makes a beginning with a series of new attributes in
-Postfix logfile records.
-
-- Better insight into the nature of performance bottle necks, with
-detailed logging of delays in various stages of message delivery.
-Postfix logs additional delay information as "delays=a/b/c/d" where
-a=time before queue manager, including message transmission; b=time
-in queue manager; c=connection setup time including DNS, HELO and
-TLS; d=message transmission time.
-
-- Logging of the connection reuse count when SMTP connections are
-used for more than one message delivery. This information is needed
-because Postfix can now reuse connections hundreds of times or more,
-and can help to diagnose interoperability problems with servers
-that suffer from memory leaks or other resource leaks.
-
-At this point the Postfix logging for a recipient looks like this:
-
- Nov 3 16:04:31 myname postfix/smtp[30840]: 19B6B2900FE:
- to=<wietse@test.example.com>, orig_to=<wietse@test>,
- relay=mail.example.com[1.2.3.4], conn_use=2, delay=0,
- delays=0/0.01/0.05/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
-
-The following two logfile fields may or may not be present:
-
- orig_to This is omitted when the address did not change.
- conn_use This is omitted when a connection is used once.
-
-Incompatibility with snapshot 20051026
-======================================
-
-The connection cache protocol for SMTP connections has changed.
-You need to "postfix reload" after "make upgrade".
-
-The smtp_connection_cache_reuse_limit parameter (which limits the
-number of deliveries per SMTP connection) is replaced by the new
-smtp_connection_reuse_time_limit parameter (the time after which a
-connection is no longer stored into the connection cache).
-
-Major changes with snapshot 20051026
-====================================
-
-This snapshot addresses a performance stability problem with remote
-SMTP servers. The problem is not specific to Postfix: it can happen
-when any MTA sends large amounts of SMTP email to a site that has
-multiple MX hosts. The insight that led to the solution, as well
-as an initial implementation, are due to Victor Duchovni.
-
-The problem starts when one of a set of MX hosts becomes slower
-than the rest. Even though SMTP clients connect to fast and slow
-MX hosts with equal probability, the slow MX host ends up with more
-simultaneous inbound connections than the faster MX hosts, because
-the slow MX host needs more time to serve each client request.
-
-The slow MX host becomes a connection attractor. If one MX host
-becomes N times slower than the rest, it dominates mail delivery
-latency unless there are more than N fast MX hosts to counter the
-effect. And if the number of MX hosts is smaller than N, the mail
-delivery latency becomes effectively that of the slowest MX host
-divided by the total number of MX hosts.
-
-The solution uses connection caching in a way that differs from
-Postfix 2.2. By limiting the amount of time during which a connection
-can be used repeatedly (instead of limiting the number of deliveries
-over that connection), Postfix not only restores fairness in the
-distribution of simultaneous connections across a set of MX hosts,
-it also favors deliveries over connections that perform well, which
-is exactly what we want.
-
-The smtp_connection_reuse_time_limit feature implements the connection
-reuse time limit as discussed above. It limits the amount of time
-after which an SMTP connection is no longer stored into the connection
-cache. The default limit, 300s, can result in a huge number of
-deliveries over a single connection.
-
-This solution will be complete when Postfix logging is updated to
-include information about the number of times that a connection was
-used. This information is needed to diagnose inter-operability
-problems with servers that exhibit bugs when they receive multiple
-messages over the same connection.
-
-Incompatibility with snapshot 20051011
-======================================
-
-The Postfix local(8) delivery agent no longer updates its idea of
-the Delivered-To: address while it expands aliases or .forward
-files. With deeply nested aliases or .forward files, this can greatly
-reduce the number of queue files and cleanup process instances. To
-get the earlier behavior, specify "frozen_delivered_to = no".
-
-The frozen_delivered_to feature can help to alleviate a long-standing
-problem with multiple deliveries to recipients that are listed
-multiple times in a hierarchy of nested aliases. For this to work,
-only the top-level alias should have an owner- alias, and none of
-the subordinate aliases.
-
-Major changes with snapshot 20051011
-====================================
-
-Optional protection against SMTP clients that hammer the server
-with too many new (i.e. uncached) SMTP-over-TLS sessions. Cached
-sessions are much less expensive in terms of CPU cycles. Use the
-smtpd_client_new_tls_session_rate_limit parameter to specify a limit
-that is at least the inbound client concurrency limit, or else you
-may deny legitimate service requests.
-
-Optional suppression of remote SMTP client hostname lookup and
-hostname verification. Specify "smtpd_peername_lookup = no" to
-eliminate DNS lookup latencies, but do so only under extreme
-conditions, as it makes Postfix logging less informative.
-
-Incompatibility with snapshot 20050828
-======================================
-
-When a header/body_checks or message_reject_characters rule rejects
-mail that was submitted with the Postfix sendmail command (or
-re-queued with "postsuper -r"), the returned message is now limited
-to just the message headers, to avoid the risk of exposure to harmful
-content in the message body or attachments.
-
-When the cleanup server rejects the content or size of mail that
-was submitted with the Postfix sendmail command, forwarded with the
-local(8) delivery agent, or that was re-queued with "postsuper -r",
-Postfix no longer sends DSN SUCCESS notification of virtual alias
-expansions. Since all the recipients are reported as failed, the
-SUCCESS notification seems redundant.
-
-Major changes with snapshot 20050828
-====================================
-
-Configurable filters to reject or remove unwanted characters in
-email content. The message_reject_characters and message_strip_characters
-parameters understand the usual C-like escape sequences: \a \b \f
-\n \r \t \v \ddd (up to three octal digits) and \\.
-
-Incompatibility with snapshot 20050726
-======================================
-
-Name server replies that contain a malformed hostname are now flagged
-as permanent errors instead of transient errors. This change works
-around a questionable proposal to use syntactically invalid hostnames
-in MX records.
-
-Major changes with snapshot 20050724
-====================================
-
-SMTPD Access control based on the existence of an address->name
-mapping, with reject_unknown_reverse_client_hostname. There is
-no corresponding access table lookup feature, because the name
-is not validated in any way (except that it has proper syntax).
-
-Several confusing SMTPD access restrictions were renamed:
-
- reject_unknown_client -> reject_unknown_client_hostname,
- reject_unknown_hostname -> reject_unknown_helo_hostname,
- reject_invalid_hostname -> reject_invalid_helo_hostname,
- reject_non_fqdn_hostname -> reject_non_fqdn_helo_hostname.
-
-The old names are still recognized and documented.
-
-Incompatibility with snapshot 20050716
-======================================
-
-Internal interfaces have changed; this may break third-party patches
-because the text of function argument and result type definitions
-has changed. The type of buffer lengths and offsets were changed
-from "(unsigned) int" (32 bit on 32-bit and LP64 systems) to
-"(s)size_t" (64 bit on LP64 systems, 32 bit on 32-bit systems).
-
-Otherwise, this change makes no difference on 32-bit systems. On
-LP64 systems, however, software may mis-behave 1) when Postfix is
-linked with pre-compiled code that was compiled with old Postfix
-interface definitions and 2) when compiling Postfix source that was
-modified by a third-party patch: incorrect code may be generated
-when the patch passes the wrong integer argument type in contexts
-that disable automatic argument type conversions. Examples of such
-contexts are formatting with printf-like arguments, and invoking
-functions that write Postfix request or reply attributes across
-inter-process communication channels. Unfortunately, gcc does not
-report "(unsigned) int" versus "(s)size_t" format string argument
-mis-matches on 32-bit systems; they can be found only on 64-bit
-systems.
-
-Major changes with snapshot 20050716
-====================================
-
-Improved portability to LP64 systems, by converting the type of
-buffer lengths and offsets from "(unsigned) int" to "(s)size_t".
-This change has zero effect on 32-bit systems. On LP64 platforms,
-however, this change not only eliminates some obscure portability
-bugs, it also eliminates unnecessary conversions between 32/64 bit
-integer types, because many system library routines take "(s)size_t"
-arguments or return "(s)size_t" values.
-
-Incompatibility with snapshot 20050707
-======================================
-
-The connection cache protocol is changed. You may need to "postfix
-reload" after upgrading.
-
-Incompatibility with snapshot 20050627
-======================================
-
-The Postfix SMTP client no longer applies the smtp_mx_session_limit
-to non-permanent errors during the TCP, SMTP, HELO or TLS handshake.
-Previous versions did that only with TCP and SMTP handshake errors.
-
-Incompatibility with snapshot 20050622
-======================================
-
-The Postfix SMTP client by default limits the number of MX server
-addresses to smtp_mx_address_limit=5. Previously this limit was
-disabled by default. The new limit prevents Postfix from spending
-lots of time trying to connect to lots of bogus MX servers.
-
-The Postfix SMTP error handling of [45]XX server greetings was
-cleaned up. The server reply is now properly reported.
-
-Incompatibility with snapshot 20050615
-======================================
-
-Many internal protocols have changed. You must reload Postfix or
-else the queue manager and delivery agents will complain about
-unexpected request and reply attributes.
-
-The new DSN support conflicts with VERP support. For Sendmail
-compatibility, Postfix now uses the sendmail -V command line option
-for DSN. In order to request VERP style delivery, you must now
-specify -XV instead of -V. The Postfix sendmail command will
-recognize if you try to use -V for VERP-style delivery. It will
-do the right thing and will remind you of the new syntax.
-
-The queue file format is backwards compatible (again) with Postfix
-2.2. Postfix 2.3 stores attributes that older versions will ignore.
-
-Major changes with snapshot 20050615
-====================================
-
-DSN support as described in RFC 3461 .. RFC 3464. This gives senders
-control over successful and failed delivery notifications. DSN
-involves extra parameters to the SMTP MAIL FROM and RCPT TO commands,
-as well as extra Postfix sendmail command line options that provide
-a sub-set of the functions of those extra SMTP command parameters.
-
-See DSN_README for details. Some implementation notes are in
-DSN_NOTES, in the top-level source code directory.
-
-Major changes with snapshot 20050510
-====================================
-
-This release improves usability of enhanced status codes in Postfix
-access tables, RBL reply templates and in transport maps that use
-the error(8) delivery agent.
-
-- When the SMTP server rejects a sender address, it transforms a
- recipient DSN status (e.g., 4.1.1-4.1.6) into the corresponding
- sender DSN status, and vice versa.
-
-- When the SMTP server rejects non-address information (such as the
- HELO command parameter or the client hostname/address), it
- transforms a sender or recipient DSN status into a generic
- non-address DSN status (e.g., 4.0.0).
-
-These transformations are needed when the same access table or RBL
-reply template are used for client, helo, sender, or recipient
-restrictions; or when the same error(8) mailer information is used
-for both senders and recipients.
-
-Incompatibility with snapshot 20050503
-======================================
-
-The format of some "warning:" messages in the maillog has changed
-so that they are easier to sort:
-
-- The logging now talks about "access table", instead of using three
-different expressions "access table", "access map" and "SMTPD access
-map" for the same thing.
-
-- "non-SMTP command" is now logged BEFORE the client name/address
-and the offending client input, instead of at the end.
-
-Major change with snapshot 20050427+DSN
-=======================================
-
-This is experimental DSN support added to snapshot 20050427. The
-code is not for production purposes; it is not fully tested, some
-names and interfaces are still rough around the edges, and it does
-not update the oqmgr so you have to use qmgr instead. Some
-implementation notes and open issues are described in the
-DSN_SUPPORT_README file (top-level directory).
-
-Incompatibility with snapshot 20050329
-======================================
-
-If you use TLS, you need to execute "postfix reload" because the
-TLS manager protocol has changed.
-
-Incompatibility with snapshot 20050328
-======================================
-
-The logging format has changed. Postfix delivery agents now log the
-RFC 3463 enhanced status code as "dsn=x.y.z" where y and z can be
-up to three digits each. See the file pfloggsum-dsn-patch for an
-update to the pfloggsum script.
-
-After you upgrade from Postfix 2.2 or 2.3 you need to execute
-"postfix reload", otherwise you will keep running the old Postfix
-queue manager, which gives no special treatment to the enhanced
-status codes that it receives from Postfix delivery agents.
-
-Major changes with snapshot 20050328
-====================================
-
-This release introduces support for RFC 3463 enhanced status codes.
-For example, status code 5.1.1 means "recipient unknown". Postfix
-recognizes enhanced status codes in remote server replies, generates
-enhanced status codes while handling email, and reports enhanced
-status codes in non-delivery notifications. This improves the user
-interaction with mail clients that hide the text of error messages
-from users.
-
-You can, but don't have to, specify RFC 3463 enhanced status codes
-in the output from commands that receive mail from a pipe. If a
-command terminates with non-zero exit status, and an enhanced status
-code is present at the beginning of the command output, then that
-status code takes precedence over the non-zero exit status.
-
-You can, but don't have to, specify RFC 3463 enhanced status codes
-in Postfix access maps, header/body_checks REJECT actions, or in
-RBL replies. For example:
-
- REJECT 5.7.1 You can't go here from there
-
-The status 5.7.1 means "no authorization, message refused", and is
-the default for access maps, header/body_checks REJECT actions, and
-for RBL replies.
-
-If you specify your own enhanced status code, the Postfix SMTP
-server will automatically change a leading '5' digit (hard error)
-into '4' where appropriate. This is needed, for example, with
-soft_bounce=yes.
--- /dev/null
+The stable Postfix release is called postfix-2.3.x where 2=major
+release number, 3=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-2.4-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+Critical notes
+--------------
+
+See RELEASE_NOTES_2.2 if you upgrade from Postfix 2.1 or earlier.
+
+Some Postfix internal protocols have changed. You need to "postfix
+reload" or restart Postfix, otherwise many servers will log warning
+messages like "unexpected attribute xxx" or "problem talking to
+service yyy", and mail will not be delivered.
+
+The Sendmail-compatible Milter support introduces three new queue
+file record types. As long as you leave this feature turned off,
+you can still go back to Postfix version 2.2 without losing mail
+that was received by Postfix 2.3.
+
+Major changes - DNS lookups
+---------------------------
+
+[Incompat 20050726] Name server replies that contain a malformed
+hostname are now flagged as permanent errors instead of transient
+errors. This change works around a questionable proposal to use
+syntactically invalid hostnames in MX records.
+
+Major changes - DSN
+-------------------
+
+[Feature 20050615] DSN support as described in RFC 3461 .. RFC 3464.
+This gives senders control over successful and failed delivery
+notifications. DSN involves extra parameters to the SMTP "MAIL
+FROM" and "RCPT TO" commands, as well as extra Postfix sendmail
+command line options for mail submission.
+
+See DSN_README for details. Some implementation notes can be found
+in implementation-notes/DSN.
+
+[Incompat 20050615] The new DSN support conflicts with VERP support.
+For Sendmail compatibility, Postfix now uses the sendmail -V command
+line option for DSN. To request VERP style delivery, you must now
+specify -XV instead of -V. The Postfix sendmail command will
+recognize if you try to use -V for VERP-style delivery. It will
+usually do the right thing, and remind you of the new syntax.
+
+[Incompat 20050828] Postfix no longer sends DSN SUCCESS notification
+after virtual alias expansions when the cleanup server rejects the
+content or size of mail that was submitted with the Postfix sendmail
+command, mail that was forwarded with the local(8) delivery agent,
+or mail that was re-queued with "postsuper -r". Since all the
+recipients are reported as failed, the SUCCESS notification seems
+redundant.
+
+Major changes - LMTP client
+---------------------------
+
+See the "SASL authentication" and "TLS" sections for changes related
+to SASL authentication and TLS support, respectively.
+
+[Feature 20051208] The SMTP client now implements the LMTP protocol.
+Most but not all smtp_xxx parameters now have an lmtp_xxx equivalent.
+This means there are lot of new LMTP features, including support
+for TLS and for the shared connection cache. See the "SMTP client"
+section for details.
+
+[Incompat 20051208] The LMTP client now reports the server as
+"myhostname[/path/name]". With the real server hostname in delivery
+status reports, the information will be more useful.
+
+Major changes - Milter support
+------------------------------
+
+[Feature 20060515] Milter (mail filter) application support,
+compatible with Sendmail version 8.13.6 and earlier. This allows
+you to run a large number of plug-ins to reject unwanted mail, and
+to sign mail with for example domain keys. All Milter functions are
+implemented except replacing the message body, which will be added
+later. Milters are before-queue filters, so they don't change the
+queue ID.
+
+See the MILTER_README document for a discussion of how to use Milter
+support with Postfix, and limitations of the current implementation.
+
+The Sendmail-compatible Milter support introduces three new queue
+file record types. As long as you leave this feature turned off,
+you can still go back to Postfix version 2.2 without losing mail
+that was received by Postfix 2.3.
+
+[Incompat 20060515] Milter support introduces new logfile event
+types: milter-reject, milter-discard and milter-hold, that identify
+actions from Milter applications. This may affect logfile processing
+software.
+
+Major changes - SASL authentication
+-----------------------------------
+
+[Feature 20051220] Plug-in support for SASL authentication in the
+SMTP server and in the SMTP/LMTP client. With this, Postfix can
+support multiple SASL implementations without source code patches.
+Some distributors may even make SASL support a run-time linking
+option, just like they already do with Postfix lookup tables.
+
+Hints and tips for plug-in developers are in the xsasl/README file.
+
+For backwards compatibility the default plug-in type is Cyrus SASL,
+so everything should behave like it did before. Some error messages
+are slightly different, but these are generally improvements.
+
+The "postconf -a" command shows what plug-in implementations are
+available for the SMTP server, and "postconf -A" does the same for
+the SMTP/LMTP client. Plug-in implementations are selected with
+the smtpd_sasl_type, smtp_sasl_type and lmtp_sasl_type configuration
+parameters.
+
+Other new configuration parameters are smtpd_sasl_path, smtp_sasl_path
+and lmtp_sasl_path. These are better left alone; they are introduced
+for the convenience of other SASL implementations.
+
+[Feature 20051222] Dovecot SASL support (SMTP server only). Details
+can be found in the SASL_README document.
+
+[Incompat 20051220] The Postfix-with-Cyrus-SASL build procedure has
+changed. You now need to specify -DUSE_CYRUS_SASL in addition to
+-DUSE_SASL_AUTH or else you end up without any Cyrus SASL support.
+The error messages are:
+
+ unsupported SASL server implementation: cyrus
+ unsupported SASL client implementation: cyrus
+
+[Feature 20051125] This snapshot adds support for sender-dependent
+ISP accounts.
+
+- Sender-dependent smarthost lookup tables. The maps are searched
+ with the sender address and with the sender @domain. The result
+ overrides the global relayhost setting, but otherwise has identical
+ behavior. See the postconf(5) manual page for more details.
+
+ Example:
+ /etc/postfix/main.cf:
+ sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
+
+- Sender-dependent SASL authentication support. This disables SMTP
+ connection caching to ensure that mail from different senders
+ will use the correct authentication credentials. The SMTP SASL
+ password file is first searched by sender address, and then by
+ the remote domain and hostname as usual.
+
+ Example:
+ /etc/postfix/main.cf:
+ smtp_sasl_auth_enable = yes
+ smtp_sender_dependent_authentication = yes
+ smtp_sasl_password_maps = hash:/etc/postfix/sasl_pass
+
+[Incompat 20060707] The SMTP/LMTP client now defers delivery when
+a SASL password exists but the server does not announce support for
+SASL authentication. This can happen with servers that announce
+SASL support only when TLS is turned on. When an opportunistic TLS
+handshake fails, Postfix >= 2.3 retries delivery in plaintext, and
+the remote server rejects mail from the unauthenticated client.
+Specify "smtp_sasl_auth_enforce = no" to deliver mail anyway.
+
+Major changes - SMTP client
+---------------------------
+
+See the "SASL authentication" and "TLS" sections for changes related
+to SASL authentication and TLS support, respectively.
+
+[Feature 20051208] The SMTP client now implements the LMTP protocol.
+Most but not all smtp_xxx parameters now have an lmtp_xxx equivalent.
+This means there are lot of new LMTP features, including support
+for TLS and for the shared connection cache.
+
+[Incompat 20060112] The Postfix SMTP/LMTP client by default no
+longer allows DNS CNAME records to override the server hostname
+that is used for logging, SASL password lookup, TLS policy selection
+and TLS server certificate verification. Specify
+"smtp_cname_overrides_servername = yes" to get the old behavior.
+
+[Incompat 20060103] The Postfix SMTP/LMTP client no longer defers
+mail delivery when it receives a malformed SMTP server reply in a
+session with command pipelining. When helpful warnings are enabled,
+it will suggest that command pipelining be disabled for the affected
+destination.
+
+[Incompat 20051208] The fallback_relay feature is renamed to
+smtp_fallback_relay, to make clear that the combined SMTP/LMTP
+client uses this setting only for SMTP deliveries. The old name
+still works.
+
+[Incompat 20051106] The relay=... logging has changed and now
+includes the remote SMTP server port number as hostname[hostaddr]:port.
+
+[Incompat 20051026] The smtp_connection_cache_reuse_limit parameter
+(which limits the number of deliveries per SMTP connection) is
+replaced by the new smtp_connection_reuse_time_limit parameter (the
+time after which a connection is no longer stored into the connection
+cache).
+
+[Feature 20051026] This snapshot addresses a performance stability
+problem with remote SMTP servers. The problem is not specific to
+Postfix: it can happen when any MTA sends large amounts of SMTP
+email to a site that has multiple MX hosts. The insight that led
+to the solution, as well as an initial implementation, are due to
+Victor Duchovni.
+
+The problem starts when one of a set of MX hosts becomes slower
+than the rest. Even though SMTP clients connect to fast and slow
+MX hosts with equal probability, the slow MX host ends up with more
+simultaneous inbound connections than the faster MX hosts, because
+the slow MX host needs more time to serve each client request.
+
+The slow MX host becomes a connection attractor. If one MX host
+becomes N times slower than the rest, it dominates mail delivery
+latency unless there are more than N fast MX hosts to counter the
+effect. And if the number of MX hosts is smaller than N, the mail
+delivery latency becomes effectively that of the slowest MX host
+divided by the total number of MX hosts.
+
+The solution uses connection caching in a way that differs from
+Postfix 2.2. By limiting the amount of time during which a connection
+can be used repeatedly (instead of limiting the number of deliveries
+over that connection), Postfix not only restores fairness in the
+distribution of simultaneous connections across a set of MX hosts,
+it also favors deliveries over connections that perform well, which
+is exactly what we want.
+
+The smtp_connection_reuse_time_limit feature implements the connection
+reuse time limit as discussed above. It limits the amount of time
+after which an SMTP connection is no longer stored into the connection
+cache. The default limit, 300s, can result in a huge number of
+deliveries over a single connection.
+
+This solution will be complete when Postfix logging is updated to
+include information about the number of times that a connection was
+used. This information is needed to diagnose inter-operability
+problems with servers that exhibit bugs when they receive multiple
+messages over the same connection.
+
+[Incompat 20050627] The Postfix SMTP client no longer applies the
+smtp_mx_session_limit to non-permanent errors during the TCP, SMTP,
+HELO or TLS handshake. Previous versions did that only with TCP
+and SMTP handshake errors.
+
+[Incompat 20050622] The Postfix SMTP client by default limits the
+number of MX server addresses to smtp_mx_address_limit=5. Previously
+this limit was disabled by default. The new limit prevents Postfix
+from spending lots of time trying to connect to lots of bogus MX
+servers.
+
+Major changes - SMTP server
+---------------------------
+
+See the "SASL authentication" and "TLS" sections for changes related
+to SASL authentication and TLS support, respectively.
+
+[Feature 20051222] To accept the non-compliant user@ipaddress form,
+specify "resolve_numeric_domain = yes". Postfix will deliver the
+mail to user@[ipaddress] instead.
+
+[Incompat 20051202] The Postfix SMTP server now refuses to receive
+mail from the network if it isn't running with postfix mail_owner
+privileges. This prevents surprises when, for example, "sendmail
+-bs" is configured to run as root from xinetd.
+
+[Incompat 20051121] Although the permit_mx_backup feature still
+accepts mail for authorized destinations (see permit_mx_backup for
+definition), with all other destinations it now requires that the
+local MTA is listed as non-primary MX server. This prevents mail
+loop problems when someone points their primary MX record at a
+Postfix system.
+
+[Feature 20051011] Optional suppression of remote SMTP client
+hostname lookup and hostname verification. Specify "smtpd_peername_lookup
+= no" to eliminate DNS lookup latencies, but do so only under extreme
+conditions, as it makes Postfix logging less informative.
+
+[Feature 20050724] SMTPD Access control based on the existence of
+an address->name mapping, with reject_unknown_reverse_client_hostname.
+There is no corresponding access table lookup feature, because the
+name is not validated in any way (except that it has proper syntax).
+
+Several confusing SMTPD access restrictions were renamed:
+
+ reject_unknown_client -> reject_unknown_client_hostname,
+ reject_unknown_hostname -> reject_unknown_helo_hostname,
+ reject_invalid_hostname -> reject_invalid_helo_hostname,
+ reject_non_fqdn_hostname -> reject_non_fqdn_helo_hostname.
+
+The old names are still recognized and documented.
+
+Major changes - TLS
+-------------------
+
+Major revisions were made to Postfix TLS support; see TLS_README
+for the details. For backwards compatibility, the old TLS policy
+user interface will be kept intact for a few releases so that sites
+can upgrade Postfix without being forced to use a different TLS
+policy mechanism.
+
+[Feature 20060614] New concept: TLS security levels ("none", "may",
+"encrypt", "verify" or "secure") in the Postfix SMTP client. You
+can specify the TLS security level via the smtp_tls_security_level
+parameter. This is more convenient than controlling TLS with the
+multiple smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername,
+parameters.
+
+[Feature 20060709] TLS security levels ("none", "may", "encrypt")
+in the Postfix SMTP server. You specify the security level with the
+smtpd_tls_security_level parameter. This overrides the multiple
+smtpd_use_tls and smtpd_enforce_tls parameters. When one of the
+unimplemented "verify" or "secure" levels is specified, the Postfix
+SMTP server logs a warning and uses "encrypt" instead.
+
+[Feature 20060123] A new per-site TLS policy mechanism for the
+Postfix SMTP client that supports the new TLS security levels,
+and that eliminates DNS spoofing attacks more effectively.
+
+[Feature 20060626] Both the Postfix SMTP client and server can be
+configured without a client or server certificate. An SMTP server
+without certificate can use only anonymous ciphers, and will not
+inter-operate with most clients.
+
+The Postfix SMTP server supports anonymous ciphers when 1) no client
+certificates are requested or required, and 2) the administrator
+has not excluded the "aNULL" OpenSSL cipher type with the
+smtpd_tls_exclude_ciphers parameter.
+
+The Postfix SMTP client supports anonymous ciphers when 1) no server
+certificate is required and 2) the administrator has not excluded
+the "aNULL" OpenSSL cipher type with the smtp_tls_exclude_ciphers
+parameter.
+
+[Incompat 20060707] The SMTPD policy client now encodes the
+ccert_subject and ccert_issuer attributes as xtext. Some characters
+are represented by +XX, where XX is the two-digit hexadecimal
+representation of the character value.
+
+[Feature 20060614] The smtpd_tls_protocols parameter restricts the
+list of TLS protocols supported by the SMTP server. This is
+recommended for use with MSA configurations only. It should not
+be used with MX hosts that receive mail from the Internet, as it
+reduces inter-operability.
+
+[Incompat 20060614] The smtp_tls_cipherlist parameter only applies
+when TLS is mandatory. It is ignored with opportunistic TLS sessions.
+
+[Incompat 20060614] At (lmtp|smtp|smtpd)_tls_loglevel >= 2, Postfix
+now also logs TLS session cache activity. Use level 2 and higher
+for debugging only; use levels 0 or 1 as production settings.
+
+[Incompat 20060207] The Postfix SMTP server no longer complains
+when TLS support is not compiled in while permit_tls_clientcerts,
+permit_tls_all_clientcerts, or check_ccert_access are specified in
+main.cf. These features now are effectively ignored. However, the
+reject_plaintext_session feature is not ignored and will reject
+plain-text mail.
+
+[Feature 20060123] Some obscure behavior was eliminated from the
+smtp_tls_per_site feature, without changes to the user interface.
+Some Postfix internals had to be re-structured for the new TLS
+policy mechanism; for this, smtp_tls_per_site had to be re-implemented.
+The obscure behavior was found during compatibility testing.
+
+[Feature 20051011] Optional protection against SMTP clients that
+hammer the server with too many new (i.e. uncached) SMTP-over-TLS
+sessions. Cached sessions are much less expensive in terms of CPU
+cycles. Use the smtpd_client_new_tls_session_rate_limit parameter
+to specify a limit that is at least the inbound client concurrency
+limit, or else you may deny legitimate service requests.
+
+Major changes - VERP
+--------------------
+
+[Incompat 20050615] The new DSN support conflicts with VERP support.
+For Sendmail compatibility, Postfix now uses the sendmail -V command
+line option for DSN. In order to request VERP style delivery, you
+must now specify -XV instead of -V. The Postfix sendmail command
+will recognize if you try to use -V for VERP-style delivery. It
+will do the right thing and will remind you of the new syntax.
+
+Major changes - XCLIENT and XFORWARD
+------------------------------------
+
+[Incompat 20060611] The SMTP server XCLIENT implementation has
+changed. The SMTP server now resets state to the initial server
+greeting stage, immediately before the EHLO/HELO greeting. This
+was needed to correctly simulate the effect of connection-level
+access restrictions. Without this change, XCLIENT would not work
+at all with Milter applications.
+
+[Incompat 20060611] The SMTP server XCLIENT and XFORWARD commands
+now expect that attributes are xtext encoded (RFC 1891). For backwards
+compatibility they will also accept unencoded attribute values. The
+XFORWARD client code in the SMTP client and in the SMTPD_PROXY
+client now always encode attribute values. This change will have a
+visible effect only for malformed hostname and helo parameter values.
+
+For more details, see the XCLIENT_README and XFORWARD_README
+documents.
+
+Major changes - address manipulation
+------------------------------------
+
+[Incompat 20060123] Postfix now preserves uppercase information
+while mapping addresses with canonical, virtual, relocated or generic
+maps; this happens even with $number substitutions in regular
+expression maps. However, the local(8) and virtual(8) delivery
+agents still fold addresses to lower case.
+
+As a side effect, Postfix now also does a better job at being case
+insensitive where it should be, for example while searching per-host
+TLS policies or SASL passwords.
+
+By default, Postfix now folds the search string to lowercase only
+with tables that have fixed-case lookup fields such as btree:,
+hash:, dbm:, ldap:, or *sql:. The search string is no longer case
+folded with tables whose lookup fields can match both upper or lower
+case, such as regexp:, pcre:, or cidr:.
+
+For safety reasons, Postfix no longer allows $number substitution
+in regexp: or pcre: transport tables or per-sender relayhost tables.
+
+Major changes - bounce message templates
+----------------------------------------
+
+[Feature 20051113] Configurable bounce messages, based on a format
+that was developed by Nicolas Riendeau. The file with templates is
+specified with the bounce_template_file parameter. Details are in
+the bounce(5) manual page, and examples of the built-in templates
+can be found in $config_directory/bounce.cf.default. The template
+for the default bounce message looks like this:
+
+ failure_template = <<EOF
+ Charset: us-ascii
+ From: MAILER-DAEMON (Mail Delivery System)
+ Subject: Undelivered Mail Returned to Sender
+ Postmaster-Subject: Postmaster Copy: Undelivered Mail
+
+ This is the $mail_name program at host $myhostname.
+
+ I'm sorry to have to inform you that your message could not
+ be delivered to one or more recipients. It's attached below.
+
+ For further assistance, please send mail to <postmaster>
+
+ If you do so, please include this problem report. You can
+ delete your own text from the attached returned message.
+
+ The $mail_name program
+ EOF
+
+Major changes - built-in filters
+--------------------------------
+
+[Feature 20050828] Configurable filters to reject or remove unwanted
+characters in email content. The message_reject_characters and
+message_strip_characters parameters understand the usual C-like
+escape sequences: \a \b \f \n \r \t \v \ddd (up to three octal
+digits) and \\.
+
+[Incompat 20050828] When a header/body_checks rule or when
+message_reject_characters rejects mail that was submitted with the
+Postfix sendmail command (or re-queued with "postsuper -r"), the
+returned message is now limited to just the message headers, to
+avoid the risk of exposure to harmful content in the message body
+or attachments.
+
+Major changes - database support
+--------------------------------
+
+[Incompat 20060611] The PostgreSQL client was updated after the
+PostgreSQL developers made major database API changes in response
+to SQL injection problems. This breaks support for PGSQL versions
+prior to 8.1.4, 8.0.8, 7.4.13, and 7.3.15. Support for these requires
+major code changes which are not possible in the time that is left
+for completing the Postfix 2.3 stable release.
+
+Major changes - enhanced status codes
+-------------------------------------
+
+[Feature 20050328] This release introduces support for RFC 3463
+enhanced status codes. For example, status code 5.1.1 means
+"recipient unknown". Postfix recognizes enhanced status codes in
+remote server replies, generates enhanced status codes while handling
+email, and reports enhanced status codes in non-delivery notifications.
+This improves the user experience with mail clients that translate
+enhanced status codes into text in the user's own language.
+
+You can, but don't have to, specify RFC 3463 enhanced status codes
+in the output from commands that receive mail from a pipe. If a
+command terminates with non-zero exit status, and an enhanced status
+code is present at the beginning of the command output, then that
+status code takes precedence over the non-zero exit status.
+
+You can, but don't have to, specify RFC 3463 enhanced status codes
+in Postfix access maps, header/body_checks REJECT actions, or in
+RBL replies. For example:
+
+ REJECT 5.7.1 You can't go here from there
+
+The status 5.7.1 means "no authorization, message refused", and is
+the default for access maps, header/body_checks REJECT actions, and
+for RBL replies.
+
+[Feature 20050328] If you specify your own enhanced status code,
+the Postfix SMTP server will automatically change a leading '5'
+digit (hard error) into '4' where appropriate. This is needed, for
+example, with soft_bounce=yes.
+
+[Feature 20050510] This release improves usability of enhanced
+status codes in Postfix access tables, RBL reply templates and in
+transport maps that use the error(8) delivery agent.
+
+- When the SMTP server rejects a sender address, it transforms a
+ recipient DSN status (e.g., 4.1.1-4.1.6) into the corresponding
+ sender DSN status, and vice versa.
+
+- When the SMTP server rejects non-address information (such as the
+ HELO command parameter or the client hostname/address), it
+ transforms a sender or recipient DSN status into a generic
+ non-address DSN status (e.g., 4.0.0).
+
+These transformations are needed when the same access table or RBL
+reply template are used for client, helo, sender, or recipient
+restrictions; or when the same error(8) mailer information is used
+for both senders and recipients.
+
+Major changes - local alias expansion
+-------------------------------------
+
+[Incompat 20051011] The Postfix local(8) delivery agent no longer
+updates its idea of the Delivered-To: address while it expands
+aliases or .forward files. With deeply nested aliases or .forward
+files, this can greatly reduce the number of queue files and cleanup
+process instances. To get the earlier behavior, specify
+"frozen_delivered_to = no".
+
+The frozen_delivered_to feature can help to alleviate a long-standing
+problem with multiple deliveries to recipients that are listed
+multiple times in a hierarchy of nested aliases. For this to work,
+only the top-level alias should have an owner- alias, and none of
+the subordinate aliases.
+
+Major changes - logging
+-----------------------
+
+[Incompat 20060515] Milter support introduces new logfile event
+types: milter-reject, milter-discard and milter-hold, that identify
+actions from Milter applications. This may affect logfile processing
+software.
+
+[Incompat 20051106] The relay=... logging has changed and now
+includes the remote SMTP server port number as hostname[hostaddr]:port.
+
+[Incompat 20060112] The Postfix SMTP/LMTP client by default no
+longer allows DNS CNAME records to override the server hostname
+that is used for logging, SASL password lookup, TLS policy selection
+and TLS server certificate verification. Specify
+"smtp_cname_overrides_servername = yes" to get the old behavior.
+
+[Incompat 20051105] All delay logging now has sub-second resolution,
+including the over-all "delay=nnn" logging. A patch is available
+for pflogsumm (pflogsumm-conn-delays-dsn-patch). The qshape script
+has been updated (auxiliary/qshape/qshape.pl).
+
+[Feature 20051103] This release makes a beginning with a series of
+new attributes in Postfix logfile records.
+
+- Better insight into the nature of performance bottle necks, with
+ detailed logging of delays in various stages of message delivery.
+ Postfix logs additional delay information as "delays=a/b/c/d"
+ where a=time before queue manager, including message transmission;
+ b=time in queue manager; c=connection setup time including DNS,
+ HELO and TLS; d=message transmission time.
+
+- Logging of the connection reuse count when SMTP connections are
+ used for more than one message delivery. This information is
+ needed because Postfix can now reuse connections hundreds of times
+ or more. Logging of the connection reuse count can help to diagnose
+ inter-operability problems with servers that suffer from memory
+ leaks or other resource leaks.
+
+At this point the Postfix logging for a recipient looks like this:
+
+ Nov 3 16:04:31 myname postfix/smtp[30840]: 19B6B2900FE:
+ to=<wietse@test.example.com>, orig_to=<wietse@test>,
+ relay=mail.example.com[1.2.3.4], conn_use=2, delay=0,
+ delays=0/0.01/0.05/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
+
+The following two logfile fields may or may not be present:
+
+ orig_to This is omitted when the address did not change.
+ conn_use This is omitted when a connection is used once.
+
+[Incompat 20050503] The format of some "warning:" messages in the
+maillog has changed so that they are easier to sort:
+
+- The logging now talks about "access table", instead of using three
+ different expressions "access table", "access map" and "SMTPD
+ access map" for the same thing.
+
+- "non-SMTP command" is now logged BEFORE the client name/address
+ and the offending client input, instead of at the end.
+
+[Incompat 20050328] The logging format has changed. Postfix delivery
+agents now log the RFC 3463 enhanced status code as "dsn=x.y.z"
+where y and z can be up to three digits each.
+
+[Incompat 20051208] The LMTP client now reports the server as
+"myhostname[/path/name]". With the real server hostname in delivery
+status reports, the information will be more useful.
+
+Major changes - performance
+---------------------------
+
+[Incompat 20051105] All delay logging now has sub-second resolution,
+including the over-all "delay=nnn" logging. A patch is available
+for pflogsumm (pflogsumm-conn-delays-dsn-patch). The qshape script
+has been updated (auxiliary/qshape/qshape.pl).
+
+[Incompat 20050622] The Postfix SMTP client by default limits the
+number of MX server addresses to smtp_mx_address_limit=5. Previously
+this limit was disabled by default. The new limit prevents Postfix
+from spending lots of time trying to connect to lots of bogus MX
+servers.
+
+[Feature 20051026] This snapshot addresses a performance stability
+problem with remote SMTP servers. The problem is not specific to
+Postfix: it can happen when any MTA sends large amounts of SMTP
+email to a site that has multiple MX hosts. The insight that led
+to the solution, as well as an initial implementation, are due to
+Victor Duchovni.
+
+The problem starts when one of a set of MX hosts becomes slower
+than the rest. Even though SMTP clients connect to fast and slow
+MX hosts with equal probability, the slow MX host ends up with more
+simultaneous inbound connections than the faster MX hosts, because
+the slow MX host needs more time to serve each client request.
+
+The slow MX host becomes a connection attractor. If one MX host
+becomes N times slower than the rest, it dominates mail delivery
+latency unless there are more than N fast MX hosts to counter the
+effect. And if the number of MX hosts is smaller than N, the mail
+delivery latency becomes effectively that of the slowest MX host
+divided by the total number of MX hosts.
+
+The solution uses connection caching in a way that differs from
+Postfix 2.2. By limiting the amount of time during which a connection
+can be used repeatedly (instead of limiting the number of deliveries
+over that connection), Postfix not only restores fairness in the
+distribution of simultaneous connections across a set of MX hosts,
+it also favors deliveries over connections that perform well, which
+is exactly what we want.
+
+The smtp_connection_reuse_time_limit feature implements the connection
+reuse time limit as discussed above. It limits the amount of time
+after which an SMTP connection is no longer stored into the connection
+cache. The default limit, 300s, can result in a huge number of
+deliveries over a single connection.
+
+This solution will be complete when Postfix logging is updated to
+include information about the number of times that a connection was
+used. This information is needed to diagnose inter-operability
+problems with servers that exhibit bugs when they receive multiple
+messages over the same connection.
+
+[Feature 20051011] Optional protection against SMTP clients that
+hammer the server with too many new (i.e. uncached) SMTP-over-TLS
+sessions. Cached sessions are much less expensive in terms of CPU
+cycles. Use the smtpd_client_new_tls_session_rate_limit parameter
+to specify a limit that is at least the inbound client concurrency
+limit, or else you may deny legitimate service requests.
+
+[Feature 20051011] Optional suppression of remote SMTP client
+hostname lookup and hostname verification. Specify "smtpd_peername_lookup
+= no" to eliminate DNS lookup latencies, but do so only under extreme
+conditions, as it makes Postfix logging less informative.
+
+Major changes - portability
+---------------------------
+
+[Incompat 20050716] Internal interfaces have changed; this may break
+third-party patches because the types of function arguments and of
+result values have changed. The types of buffer lengths and offsets
+were changed from "int" or "unsigned int" (32 bit on 32-bit and
+LP64 systems) to "ssize_t" or "size_t" (64 bit on LP64 systems, 32
+bit on 32-bit systems).
+
+This change makes no difference in Postfix behavior on 32-bit
+systems. On LP64 systems, however, this change not only eliminates
+some obscure portability bugs, it also eliminates unnecessary
+conversions between 32/64 bit integer types, because many system
+library routines take "(s)size_t" arguments or return "(s)size_t"
+values.
+
+This change may break software on LP64 systems 1) when Postfix is
+linked with pre-compiled code that was compiled with old Postfix
+interface definitions and 2) when compiling Postfix source that was
+modified by a third-party patch: incorrect code will be generated
+when the patch passes the wrong integer argument type in contexts
+that disable automatic argument type conversions. Examples of such
+contexts are formatting with printf-like arguments, and invoking
+functions that write Postfix request or reply attributes across
+inter-process communication channels. Unfortunately, gcc reports
+"(unsigned) int" versus "(s)size_t" format string argument mis-matches
+only on LP64 systems.
+
+Major changes - safety
+----------------------
+
+[Incompat 20051121] Although the permit_mx_backup feature still
+accepts mail for authorized destinations (see permit_mx_backup for
+definition), with all other destinations it now requires that the
+local MTA is listed as non-primary MX. This prevents mail loop
+problems when someone points the primary MX record at a Postfix
+system.
+
+[Incompat 20051011] The Postfix local(8) delivery agent no longer
+updates its idea of the Delivered-To: address while it expands
+aliases or .forward files. With deeply nested aliases or .forward
+files, this can greatly reduce the number of queue files and cleanup
+process instances. To get the earlier behavior, specify
+"frozen_delivered_to = no".
+
+The frozen_delivered_to feature can help to alleviate a long-standing
+problem with multiple deliveries to recipients that are listed
+multiple times in a hierarchy of nested aliases. For this to work,
+only the top-level alias should have an owner- alias, and none of
+the subordinate aliases.
+
+[Incompat 20050828] When a header/body_checks rule or when
+message_reject_characters rejects mail that was submitted with the
+Postfix sendmail command (or re-queued with "postsuper -r"), the
+returned message is now limited to just the message headers, to
+avoid the risk of exposure to harmful content in the message body
+or attachments.
+
+[Incompat 20051202] The Postfix SMTP server now refuses to receive
+mail from the network if it isn't running with postfix mail_owner
+privileges. This prevents surprises when, for example, "sendmail
+-bs" is configured to run as root from xinetd.
+
+[Incompat 20060123] For safety reasons, Postfix no longer allows
+$number substitution in regexp: or pcre: transport tables or
+per-sender relayhost tables.
+
+[Incompat 20060112] The Postfix SMTP/LMTP client by default no
+longer allows DNS CNAME records to override the server hostname
+that is used for logging, SASL password lookup, TLS policy selection
+and TLS server certificate verification. Specify
+"smtp_cname_overrides_servername = yes" to get the old behavior.
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
# ble(5). This feature is not available up to and including
-# Postfix version 2.2.
+# Postfix version 2.3.
#
# Each lookup operation uses the entire query string once.
# Depending on the application, that string is an entire
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
# ble(5). This feature is not available up to and including
-# Postfix version 2.2.
+# Postfix version 2.3.
#
# Each lookup operation uses the entire address once. Thus,
# user@domain mail addresses are not broken up into their
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
# ble(5). This feature is not available up to and including
-# Postfix version 2.2.
+# Postfix version 2.3.
#
# Each lookup operation uses the entire address once. Thus,
# user@domain mail addresses are not broken up into their
# regexp_table(5) or pcre_table(5). For a description of the
# TCP client/server table lookup protocol, see tcp_table(5).
# This feature is not available up to and including Postfix
-# version 2.2.
+# version 2.3.
#
# Each pattern is a regular expression that is applied to
# the entire address being looked up. Thus, user@domain mail
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
# ble(5). This feature is not available up to and including
-# Postfix version 2.2.
+# Postfix version 2.3.
#
# Each lookup operation uses the entire address once. Thus,
# user@domain mail addresses are not broken up into their
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
# ble(5). This feature is not available up to and including
-# Postfix version 2.2.
+# Postfix version 2.3.
#
# Each lookup operation uses the entire recipient address
# once. Thus, some.domain.hierarchy is not looked up via
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
# ble(5). This feature is not available up to and including
-# Postfix version 2.2.
+# Postfix version 2.3.
#
# Each lookup operation uses the entire address once. Thus,
# user@domain mail addresses are not broken up into their
rejects mail for the recipient address. If a recipient probe
succeeds, then Postfix accepts mail for the recipient address. </p>
+<p> By default, address verification results are not saved. To avoid
+probing the same address repeatedly, you can store the result in a
+<a href="#caching">persistent database</a> as described later. </p>
+
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
# =============================================================
scan unix - - n - 10 smtp
-o <a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a>=yes
+ -o <a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a>=yes
</pre>
</blockquote>
the real client name IP address. See <a href="smtp.8.html">smtp(8)</a> and <a href="XFORWARD_README.html">XFORWARD_README</a>
for more information. </p>
+<li> <p> With "-o <a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a>=yes", the scan
+delivery agent will not convert 8BITMIME mail to quoted-printable
+form while delivering to the content filter, as that would invalidate
+domainkeys and other digital signatures. This workaround is needed
+because some SMTP-based content filters don't announce 8BITMIME
+support, even though they can handle it just fine. </p>
+
</ul>
<h3>Advanced content filter: running the content filter</h3>
OSF1.V3 - OSF1.V5 (Digital UNIX) <br>
Reliant UNIX 5.x <br>
Rhapsody 5.x <br>
-SunOS 4.1.4 (December 2005) <br>
+SunOS 4.1.4 (July 2006) <br>
SunOS 5.4 - 5.9 (Solaris 2.4..9) <br>
Ultrix 4.x (well, that was long ago) <br>
</p>
<ul>
<li> <p> The non-interactive version ("make upgrade") needs the
-/etc/postfix/main.cf file from a previous installation. If the file
+/etc/postfix/<a href="postconf.5.html">main.cf</a> file from a previous installation. If the file
does not exist, use interactive installation ("make install")
instead. </p>
<li> <p> The interactive version offers suggestions for pathnames
that you can override interactively, and stores your preferences
-in /etc/postfix/main.cf for convenient future upgrades. </p>
+in /etc/postfix/<a href="postconf.5.html">main.cf</a> for convenient future upgrades. </p>
</ul>
href="#hamlet">To chroot or not to chroot</a>" text in section
11. </p>
-<p> You MUST comment out the "smtp inet" entry in /etc/postfix/master.cf,
+<p> You MUST comment out the "smtp inet" entry in /etc/postfix/<a href="master.5.html">master.cf</a>,
in order to avoid conflicts with the real sendmail. Put a "#"
character in front of the line that defines the smtpd service: </p>
<blockquote>
<pre>
-/etc/postfix/master.cf:
+/etc/postfix/<a href="master.5.html">master.cf</a>:
#smtp inet n - n - - smtpd
</pre>
</blockquote>
Postfix on a virtual interface address. Simply configure your mail
user agent to directly invoke the Postfix sendmail program. </p>
-<p> In the /etc/postfix/main.cf file, I would specify </p>
+<p> In the /etc/postfix/<a href="postconf.5.html">main.cf</a> file, I would specify </p>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#myhostname">myhostname</a> = virtual.host.tld
<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> = $<a href="postconf.5.html#myhostname">myhostname</a>
<a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a>
<h3>10.1 - Postfix configuration files</h3>
<p> By default, Postfix configuration files are in /etc/postfix.
-The two most important files are main.cf and master.cf; these files
+The two most important files are <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a>; these files
must be owned by root. Giving someone else write permission to
-main.cf or master.cf (or to their parent directories) means giving
+<a href="postconf.5.html">main.cf</a> or <a href="master.5.html">master.cf</a> (or to their parent directories) means giving
root privileges to that person. </p>
-<p> In /etc/postfix/main.cf, you will have to set up a minimal number
+<p> In /etc/postfix/<a href="postconf.5.html">main.cf</a>, you will have to set up a minimal number
of configuration parameters. Postfix configuration parameters
resemble shell variables, with two important differences: the first
one is that Postfix does not know about quotes like the UNIX shell
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
parameter = value
</pre>
</blockquote>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
other_parameter = $parameter
</pre>
</blockquote>
configuration language uses lazy evaluation, and does not look at
a parameter value until it is needed at runtime. </p>
-<p> Whenever you make a change to the main.cf or master.cf file,
+<p> Whenever you make a change to the <a href="postconf.5.html">main.cf</a> or <a href="master.5.html">master.cf</a> file,
execute the following command in order to refresh a running mail
system: </p>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#myhostname">myhostname</a> (send mail as "user@$<a href="postconf.5.html#myhostname">myhostname</a>")
<a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#mydomain">mydomain</a> (send mail as "user@$<a href="postconf.5.html#mydomain">mydomain</a>")
</pre>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, localhost
<a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, localhost, $<a href="postconf.5.html#mydomain">mydomain</a>
<a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> = 1.2.3.4 (the proxy/NAT external network address)
</pre>
</blockquote>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#mynetworks">mynetworks</a> = 168.100.189.0/28, 127.0.0.0/8
</pre>
</blockquote>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#relay_domains">relay_domains</a> = (do not forward mail from strangers)
<a href="postconf.5.html#relay_domains">relay_domains</a> = $<a href="postconf.5.html#mydomain">mydomain</a> (my domain and subdomains)
<a href="postconf.5.html#relay_domains">relay_domains</a> = $<a href="postconf.5.html#mydomain">mydomain</a>, other.domain.tld, ...
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#relayhost">relayhost</a> = $<a href="postconf.5.html#mydomain">mydomain</a>
<a href="postconf.5.html#relayhost">relayhost</a> = [mail.$<a href="postconf.5.html#mydomain">mydomain</a>]
</pre>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> = yes
</pre>
</blockquote>
<h2><a name="hamlet">11 - To chroot or not to chroot</a></h2>
-<p> Postfix daemon processes can be configured (via master.cf) to
+<p> Postfix daemon processes can be configured (via <a href="master.5.html">master.cf</a>) to
run in a chroot jail. The processes run at a fixed low privilege
and with access only to the Postfix queue directories (/var/spool/postfix).
This provides a significant barrier against intrusion. The barrier
porcupine.org mail server runs all daemons chrooted that can be
chrooted. </p>
-<p> The default /etc/postfix/master.cf file specifies that no
+<p> The default /etc/postfix/<a href="master.5.html">master.cf</a> file specifies that no
Postfix daemon runs chrooted. In order to enable chroot operation,
-edit the file /etc/postfix/master.cf. Instructions are in the file.
+edit the file /etc/postfix/<a href="master.5.html">master.cf</a>. Instructions are in the file.
</p>
<p> Note that a chrooted daemon resolves all filenames relative to
<blockquote>
<pre>
- 1 /etc/postfix/main.cf:
+ 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
2 maildrop_destination_recipient_limit = 1
3 <a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> = some.domain someother.domain
4 <a href="postconf.5.html#virtual_transport">virtual_transport</a> = maildrop
<li> <p> Line 3 informs Postfix that some.domain and someother.domain
are so-called <a href="ADDRESS_CLASS_README.html#virtual_mailbox_class">virtual mailbox domains</a>.
-Instead of listing the names in main.cf you can also
+Instead of listing the names in <a href="postconf.5.html">main.cf</a> you can also
list them in a file; see the <a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> documentation for
details. </p>
<blockquote>
<pre>
-/etc/postfix/master.cf:
+/etc/postfix/<a href="master.5.html">master.cf</a>:
maildrop unix - n n - - pipe
- flags=DRhu user=vmail argv=/path/to/maildrop -d ${recipient}
+ flags=ODRhu user=vmail argv=/path/to/maildrop -d ${recipient}
</pre>
</blockquote>
+<p> The <a href="pipe.8.html">pipe(8)</a> manual page gives a detailed description of the
+above command line arguments, and more. </p>
+
<p> If you want to support user+extension@domain style addresses,
use the following instead: </p>
<blockquote>
<pre>
-/etc/postfix/master.cf:
+/etc/postfix/<a href="master.5.html">master.cf</a>:
maildrop unix - n n - - pipe
- flags=DRhu user=vmail argv=/path/to/maildrop
+ flags=ODRhu user=vmail argv=/path/to/maildrop
-d ${user}@${nexthop} ${extension} ${recipient} ${user} ${nexthop}
</pre>
</blockquote>
<p> The mail is delivered to ${user}@${nexthop} (match key for
maildrop userdb lookup). The ${extension} and the other address
components are available to maildrop rules as $1, $2, $3, ... and
-can be omitted from master.cf or ignored by maildrop when not
+can be omitted from <a href="master.5.html">master.cf</a> or ignored by maildrop when not
needed. </p>
<h2><a name="indirect">Indirect delivery via the local delivery agent</a></h2>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#mailbox_command">mailbox_command</a> = /path/to/maildrop -d ${USER}
</pre>
</blockquote>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#mailbox_command_maps">mailbox_command_maps</a> = hash:/etc/postfix/mailbox_commands
/etc/postfix/mailbox_commands:
<a href="http://sourceforge.net/projects/dk-milter/">Domain keys</a>)
or to digitally sign mail (example: <a
href="http://sourceforge.net/projects/dk-milter/">Domain keys</a>).
-Having yet another MTA-specific version of all that software is a
-poor use of human and system resources. </p>
+Having yet another Postfix-specific version of all that software
+is a poor use of human and system resources. </p>
<p> Postfix 2.3 implements all the requests of Sendmail version 8
Milter protocols up to version 4, except one: message body replacement.
-See, however, the <a href="#limitations">limitations</a> section
-at the end of this document. </p>
+See, however, the <a href="#workarounds">workarounds</a> and <a
+href="#limitations">limitations</a> sections at the end of this
+document. </p>
<p> This document provides information on the following topics: </p>
<blockquote>
<pre>
-$ <b>/some/where/dk-filter -p inet:<i>portnumber</i>@localhost ...<i>other options</i>...</b>
+# <b>/some/where/dk-filter -u <i>userid</i> -p inet:<i>portnumber</i>@localhost ...<i>other options</i>...</b>
</pre>
</blockquote>
+<p> Please specify a <i>userid</i> value that isn't used for other
+applications (not "postfix", not "www", etc.). </p>
+
<h2><a name="config">Configuring Postfix</a></h2>
<p> Like Sendmail, Postfix has a lot of configuration options that
that arrives via the Postfix <a href="smtpd.8.html">smtpd(8)</a> server is not filtered by the
non-SMTP filters that are described in the next section. </p>
+<p> NOTE: Do not use the <a href="header_checks.5.html">header_checks(5)</a> IGNORE action to remove
+Postfix's own Received: message header. This causes problems with
+mail signing filters. Instead, keep Postfix's own Received: message
+header and use the <a href="header_checks.5.html">header_checks(5)</a> REPLACE action to sanitize
+information. </p>
+
<p> You specify SMTP-only Milter applications (there can be more
than one) with the <a href="postconf.5.html#smtpd_milters">smtpd_milters</a> parameter. Each Milter application
is identified by the name of its listening socket; other Milter
host. The host and port can be specified in numeric or symbolic
form.</p>
-<p> Note: Postfix syntax differs from Milter syntax which has the
+<p> NOTE: Postfix syntax differs from Milter syntax which has the
form <b>inet:</b><i>port</i><b>@</b><i>host</i>. </p> </dd>
</dl>
via the Postfix <a href="smtpd.8.html">smtpd(8)</a> server is not filtered by the non-SMTP
filters. </p>
+<p> NOTE: Do not use the <a href="header_checks.5.html">header_checks(5)</a> IGNORE action to remove
+Postfix's own Received: message header. This causes problems with
+mail signing filters. Instead, keep Postfix's own Received: message
+header and use the <a href="header_checks.5.html">header_checks(5)</a> REPLACE action to sanitize
+information. </p>
+
<p> You specify non-SMTP Milter applications with the <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>
parameter. This parameter uses the same syntax as the <a href="postconf.5.html#smtpd_milters">smtpd_milters</a>
parameter in the previous section. As with the SMTP-only filters,
<h2><a name="workarounds">Workarounds</a></h2>
+<p> Content filters may break domain key etc. signatures. If you
+use an SMTP-based filter as described in <a href="FILTER_README.html">FILTER_README</a>, then you
+should add a line to <a href="master.5.html">master.cf</a> with "<a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a>
+= yes", as described in the <a
+href="FILTER_README.html#advanced_filter">advanced content filter</a>
+example. </p>
+
<p> Sendmail Milter applications were originally developed for the
Sendmail version 8 MTA, which has a different architecture than
Postfix. The result is that some Milter applications make assumptions
<ul>
+<li> <p> Some Milter applications use the "<tt>{if_addr}</tt>" macro
+to recognize local mail; this macro does not exist in Postfix.
+Workaround: use the "<tt>{client_addr}</tt>" macro instead. </p>
+
<li> <p> Some Milter applications log a warning that looks like
this: </p>
</pre>
</blockquote>
-<p> This happens because the Milter application expects that the
+<p> This happens because some Milter applications expect that the
queue ID is known <i>before</i> the MTA accepts the MAIL FROM
-(sender) command. Postfix, on the other hand, does not create a
-queue file until <i>after</i> Postfix accepts the first valid RCPT
-TO (recipient) command. This queue file name must be globally unique
-across multiple queue directories, so it cannot be chosen until the
-file is actually created. </p>
+(sender) command. Postfix, on the other hand, does not choose a
+queue file name until <i>after</i> it accepts the first valid RCPT
+TO (recipient) command. Postfix queue file names must be unique
+across multiple directories, so the name can't be chosen before the
+file is created. If multiple messages were to use the same queue
+ID <i>simultaneously</i>, mail would be lost. </p>
<p> To work around the ugly message header from Milter applications,
we add a little code to the Milter source to look up the queue ID
<blockquote>
<pre>
-sic = (Context) smfi_getpriv(ctx);
-assert(sic != NULL);
+dfc = cc->cctx_msg;
+assert(dfc != NULL);
<b>
-/*
-** Determine the job ID for logging.
-*/
-if (sic->ctx_jobid == 0 || strcmp(sic->ctx_jobid, MSGIDUNKNOWN) == 0) {
+/* Determine the job ID for logging. */
+if (dfc->mctx_jobid == 0 || strcmp(dfc->mctx_jobid, JOBIDUNKNOWN) == 0) {
char *jobid = smfi_getsymval(ctx, "i");
if (jobid != 0)
- sic->ctx_jobid = jobid;
+ dfc->mctx_jobid = jobid;
}</b>
+
+/* get hostname; used in the X header and in new MIME boundaries */
</pre>
</blockquote>
-<p> This does not remove the WARNING message, however. </p>
+<p> NOTES: </p>
+
+<ul>
+
+<li> <p> Different mail filters use slightly different names for
+variables. If the above code does not compile, look for the code
+at the start of the <tt>mlfi_eoh()</tt> routine. </p>
+
+<li> <p> This fixes only the ugly message header, but not the WARNING
+message. Fortunately, dk-filter logs that message only once. </p>
+
+</ul>
<p> With some Milter applications we can fix both the WARNING and
the "unknown-msgid" by postponing the call of <tt>mlfi_eoh()</tt>
<h2><a name="limitations">Limitations</a></h2>
<p> This section lists limitations of the Postfix Milter implementation.
-Some limitations will be removed disappear as support is extended
+Some limitations will be removed as the implementation is extended
over time. Of course the usual limitations of before-queue filtering
will always apply. See the <a href="CONTENT_INSPECTION_README.html">CONTENT_INSPECTION_README</a> document for
a discussion. </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- smtpd_sasl_application_name = smtpd
+ smtpd_sasl_application_name = smtpd (Postfix < 2.3)
+ <a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a> = smtpd (Postfix 2.3 and later)
</pre>
</blockquote>
<a href="postconf.5.html#reject_authenticated_sender_login_mismatch">reject_authenticated_sender_login_mismatch</a> and
<a href="postconf.5.html#reject_unauthenticated_sender_login_mismatch">reject_unauthenticated_sender_login_mismatch</a>, and revised the docs.
-<li> Wietse made another iteration through the code to add
-plug-in support for multiple SASL implementations.
+<li> Wietse made another iteration through the code to add plug-in
+support for multiple SASL implementations, and changed
+smtpd_sasl_application_name into <a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a>.
<li> The Dovecot SMTP server-only plug-in was originally implemented by
Timo Sirainen of Procontrol, Finland.
sasl_sender=
size=12345
ccert_subject=solaris9.porcupine.org
-ccert_issuer=Wietse Venema
+ccert_issuer=Wietse+20Venema
ccert_fingerprint=C2:9D:F4:87:71:73:73:D9:18:E7:C2:F3:C1:DA:6E:04
<b>Postfix version 2.3 and later:</b>
encryption_protocol=TLSv1/SSLv3
<li> <p> The "ccert_*" attributes (Postfix 2.2 and later) specify
information about how the client was authenticated via TLS.
These attributes are empty in case of no certificate authentication.
+ As of Postfix 2.2.11 these attribute values are encoded as
+ xtext: some characters are represented by +XX, where XX is the
+ two-digit hecadecimal representation of the character value.
</p>
<li> <p> The "encryption_*" attributes (Postfix 2.3 and later)
be unable to receive email from most TLS enabled clients. To avoid
accidental configurations with no certificates, Postfix 2.3 enables
certificate-less operation only when the administrator explicitly sets
-"<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = none". This ensures that new Postfix
-configurations with just "<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes" added, will
-not accidentally run with no certificates. </p>
+"<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = none". This ensures that new Postfix
+configurations will not accidentally run with no certificates. </p>
<p> Both RSA and DSA certificates are supported. Typically you will
only have RSA certificates issued by a commercial CA. In addition,
<p> By default, TLS is disabled in the Postfix SMTP server, so no
difference to plain Postfix is visible. Explicitly switch it on
-using "<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes". </p>
+with "<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may" (Postfix 2.3 and
+later) or "<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes" (obsolete but still
+supported). </p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ # Postfix 2.3 and later
+ <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may
+ # Obsolete, but still supported
<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
</pre>
</blockquote>
is never offered due to insufficient privileges to access the server
private key. This is intended behavior. </p>
-<p> <a name="server_enforce">You can ENFORCE the use of TLS</a>, so that
-the Postfix SMTP server announces STARTTLS and accepts no mail without
-TLS encryption, by setting "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes". According
-to <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> this MUST NOT be applied in case of a publicly-referenced
-Postfix SMTP server. This option is off by default and should only
-seldom be used. </p>
+<p> <a name="server_enforce">You can ENFORCE the use of TLS</a>,
+so that the Postfix SMTP server announces STARTTLS and accepts no
+mail without TLS encryption, by setting
+"<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt" (Postfix 2.3 and
+later) or "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes" (obsolete but still
+supported). According to <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> this MUST NOT be applied in case
+of a publicly-referenced Postfix SMTP server. This option is off
+by default and should only seldom be used. </p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ # Postfix 2.3 and later
+ <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt
+ # Obsolete, but still supported
<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
</pre>
</blockquote>
<p> It is strictly discouraged to use this mode from <a href="postconf.5.html">main.cf</a>. If
you want to support this service, enable a special port in <a href="master.5.html">master.cf</a>
-and specify "-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>
= yes" as an <a href="smtpd.8.html">smtpd(8)</a> command
+and specify "-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>
= yes" as an <a href="smtpd.8.html">smtpd(8)</a> command
line option. Port 465 (smtps) was once chosen for this feature.
</p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> = yes
+ # Postfix 2.3 and later
+ <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may
+ # Obsolete, but still supported
+ <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
</pre>
</blockquote>
<p> When TLS is <a href="#server_enforce">enforced</a> you may also decide
to REQUIRE a remote SMTP client certificate for all TLS connections,
-by setting "<a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> = yes". This feature implies
-"<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> = yes". When TLS is not enforced,
-"<a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> = yes" is ignored and a warning is
+by setting "<a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> = yes". This feature implies
+"<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> = yes". When TLS is not enforced,
+"<a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> = yes" is ignored and a warning is
logged. </p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
<a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> = yes
+ # Postfix 2.3 and later
+ <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt
+ # Obsolete, but still supported
+ <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
</pre>
</blockquote>
<h3><a name="server_tls_auth">Supporting AUTH over TLS only</a></h3>
-<p> Sending AUTH data over an unencrypted channel poses a security risk.
-When TLS layer encryption is required (<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes),
-the Postfix SMTP server will announce and accept AUTH only
-after the TLS layer has been activated with STARTTLS. When TLS
-layer encryption is optional (<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = no), it may
-however still be useful to only offer AUTH when TLS is active. To
-maintain compatibility with non-TLS clients, the default is to
-accept AUTH without encryption. In order to change this behavior,
-set "<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> = yes". </p>
+<p> Sending AUTH data over an unencrypted channel poses a security
+risk. When TLS layer encryption is required
+("<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt" or the obsolete
+"<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes"), the Postfix SMTP server will
+announce and accept AUTH only after the TLS layer has been activated
+with STARTTLS. When TLS layer encryption is optional
+("<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may" or the obsolete
+"<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = no"), it may however still be useful
+to only offer AUTH when TLS is active. To maintain compatibility
+with non-TLS clients, the default is to accept AUTH without encryption.
+In order to change this behavior, set
+"<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> = yes". </p>
<p> Example: </p>
<h3><a name="server_cipher">Server-side cipher controls</a> </h3>
<p> The description below is for Postfix 2.3; for Postfix < 2.3 the
-smtpd_tls_cipherlist parameter specifies the acceptable ciphers as an
-explicit OpenSSL cipherlist. </p>
+<a href="postconf.5.html#smtpd_tls_cipherlist">smtpd_tls_cipherlist</a> parameter specifies the acceptable ciphers as an
+explicit OpenSSL cipherlist. The obsolete setting applies even when TLS
+encryption is not enforced. Use of this control on public MX hosts is
+strongly discouraged. </p>
+
+<p> With mandatory TLS encryption, the Postfix SMTP server will by
+default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption
+is optional. This is controlled by the <a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a>
+configuration parameter. </p>
<p> The Postfix SMTP server supports 5 distinct cipher security levels
-as specified by the <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> configuration parameter. The
-default value is "export" which is the only one appropriate for public
-MX hosts. On private MX hosts or MSAs one can further restrict the
-OpenSSL cipherlist selection. </p>
+as specified by the <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> configuration parameter,
+which determines the cipher grade with mandatory TLS encryption. The
+default value is "medium" which is essentially 128-bit encryption or better.
+With opportunistic TLS encryption, the minimum accepted cipher grade is
+always "export". </p>
<p> By default anonymous ciphers are allowed, and automatically disabled
when client certificates are requested. If clients are expected to always
verify the server certificate you may want to exclude anonymous ciphers
-by setting "<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = aNULL". One can't
-force a client to check the server certificate, so excluding anonymous
-ciphers is generally unnecessary. </p>
+by setting "<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> = aNULL".
+One can't force a client to check the server certificate, so excluding
+anonymous ciphers is generally unnecessary. </p>
<p> For a server that is not a public Internet MX host, Postfix 2.3
supports configurations with no <a href="#server_cert_key">server
certificates</a> that use <b>only</b> the anonymous ciphers. This is
-enabled by explicitly setting "<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = none"
+enabled by explicitly setting "<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = none"
and not specifying an <a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>. </p>
-<p> Example: (MSA that requires TLS with reasonably secure ciphers) </p>
+<p> Example: (MSA that requires TLS with high grade ciphers) </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
- <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = /etc/postfix/cert.pem
<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> = /etc/postfix/key.pem
- <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> = medium
- <a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = aNULL, MD5
+ <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> = high
+ <a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> = aNULL, MD5
+ # Postfix 2.3 and later
+ <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt
+ # Obsolete, but still supported
+ <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
</pre>
</blockquote>
<p> At the "none" TLS security level, TLS encryption is
disabled. This is the default security level. With Postfix 2.3 and later,
-it can be configured explicitly by setting "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = none". </p>
+it can be configured explicitly by setting "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = none". </p>
<p> With Postfix 2.2 and earlier, or when <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> is set to
its default (backwards compatible) empty value, the appropriate configuration
-settings are "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = no" and "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = no".
+settings are "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = no" and "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = no".
With either approach, TLS is not used even if supported by the server.
For LMTP, use the corresponding "lmtp_" parameters. </p>
The SMTP transaction is encrypted if the STARTTLS ESMTP feature
is supported by the server. Otherwise, messages are sent in the clear.
With Postfix 2.3 and later, opportunistic TLS can be configured by
-setting "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may".
+setting "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may".
<p> Since sending in the clear is acceptable, demanding stronger
than default TLS security merely reduces inter-operability. For
<p> With Postfix 2.2 and earlier, or when <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> is
set to its default (backwards compatible) empty value, the appropriate
-configuration settings are "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = yes" and
-"<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = no".
-For LMTP use the corresponding "lmtp" parameters. </p>
+configuration settings are "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = yes" and
+"<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = no".
+For LMTP use the corresponding "lmtp_" parameters. </p>
<p> With opportunistic TLS, mail delivery continues even if the
server certificate is untrusted or bears the wrong name. Starting
<p> At the "encrypt" TLS security level, messages are sent only
over TLS encrypted sessions. The SMTP transaction is aborted unless
-the STARTTLS ESMTP feature is supported by the server. If no
-suitable servers are found, the message will be deferred. With Postfix
-2.3 and later, mandatory TLS encryption can be configured by setting
-"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt". Even though TLS encryption
-is always used, mail delivery continues if the server certificate is
-untrusted or bears the wrong name. </p>
+the STARTTLS ESMTP feature is supported by the server. If no suitable
+servers are found, the message will be deferred. With Postfix 2.3
+and later, mandatory TLS encryption can be configured by setting
+"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt". Even though TLS
+encryption is always used, mail delivery continues if the server
+certificate is untrusted or bears the wrong name. </p>
<p> At this security level and higher, the <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
and <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> configuration parameters determine
<p> With Postfix 2.2 and earlier, or when <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>
is set to its default (backwards compatible) empty value, the
-appropriate configuration settings are "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes"
-and "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = no". For LMTP use the corresponding
-<i>lmtp_</i> parameters. </p>
+appropriate configuration settings are "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes"
+and "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = no". For LMTP use the corresponding
+"lmtp_" parameters. </p>
<p> Despite the potential for eliminating passive eavesdropping attacks,
mandatory TLS encryption is not viable as a default security level for
<h3><a name="client_tls_verify"> Mandatory server certificate verification </a>
</h3>
-<p> At the "verify" TLS security level, messages are sent only
-over TLS encrypted sessions for which server certificate verification
-succeeds. If no suitable servers are found, the message will be
-deferred. With Postfix 2.3 and later, mandatory server certificate
-verification can be configured by setting
-"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = verify", the
+<p> At the "verify" TLS security level, messages are sent only over
+TLS encrypted sessions if the server certificate is valid (not
+expired or revoked, and signed by a trusted certificate authority)
+and if the server certificate name matches a known pattern. Mandatory
+server certificate verification can be configured by setting
+"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = verify". The
<a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> parameter can override the default
-"hostname" certificate match strategy. Fine-tuning the matching
-strategy is generally only appropriate for <a
+"hostname" certificate name matching strategy. Fine-tuning the
+
matching strategy is generally only appropriate for <a
href="#client_tls_secure">secure-channel</a> destinations. </p>
<p> With Postfix 2.2 and earlier, or when <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>
is set to its default (backwards compatible) empty value, the
-appropriate configuration settings are "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" and
-"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes". For LMTP use the corresponding
-<i>lmtp_</i> parameters. </p>
+appropriate configuration settings are "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" and
+"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes". For LMTP use the corresponding
+"lmtp_" parameters. </p>
<p> If the server certificate chain is trusted (see <a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a>
and <a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a>), any DNS names in the SubjectAlternativeName
<i>secure-channel</i> TLS sessions where DNS forgery resistant server
certificate verification succeeds. If no suitable servers are found, the
message will be deferred. With Postfix 2.3 and later, secure-channels
-can be configured by setting "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = secure".
+can be configured by setting "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = secure".
The <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> parameter can override the default
"nexthop, dot-nexthop" certificate match strategy. </p>
<p> With Postfix 2.2 and earlier, or when <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>
is set to its default (backwards compatible) empty value, the
-appropriate configuration settings are "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes"
-and "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes" with additional settings to
+appropriate configuration settings are "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes"
+and "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes" with additional settings to
<a href="#client_tls_harden">harden</a> peer certificate verification
-against forged DNS data. For LMTP, use the corresponding <i>lmtp_</i>
+against forged DNS data. For LMTP, use the corresponding "lmtp_"
parameters. </p>
<p> If the server certificate chain is trusted (see <a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> and
<p> The new policy table is specified via the <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>
parameter. This lists optional lookup tables with the Postfix SMTP client
-TLS security policy by next-hop destination. It supersedes the obsolete
-<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter. When $<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> is not empty,
-the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter is ignored (a warning is written to the
-logs if it is also non-empty). </p>
+TLS security policy by next-hop destination. When $<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>
+is not empty, the obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter is ignored
+(a warning is written to the logs if both parameter values are
+non-empty). </p>
<p> The TLS policy table is indexed by the full next-hop destination,
which is either the recipient domain, or the verbatim next-hop
<dd>Opportunistic TLS. No additional attributes are supported at this
level. </dd>
-<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption. At this level and
-higher the optional "ciphers" attribute overrides the <a href="postconf.5.html">main.cf</a>
-<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter and the optional "protocols"
-keyword overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> parameter.
-In the policy table, multiple protocols must be separated by colons,
-as attribute values may not contain whitespace or commas.</dd>
-
-<dt><b>verify</b></dt>
-<dd>Mandatory server certificate verification. The optional "match"
-attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> parameter.
-In the policy table, multiple match patterns and strategies must
-be separated by colons. </dd>
-
-<dt><b>secure</b></dt> <dd>Secure-channel TLS. The optional "match"
-attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> parameter. In
-the policy table, multiple match patterns and strategies must be separated
-by colons. The match attribute is useful when additional domains are
-supported by common server, the policy entries for the additional domains
-specify matching rules for the primary domain certificate. While transport
-table overrides routing secondary domains to the primary nexthop also
-allow secure verification, they risk delivery to the wrong destination
-when domains change hands or are re-assigned to new gateways. With the
-"match" attribute approach, routing is not perturbed, and mail is deferred
-if verification of a new MX host fails. </dd>
+<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption. Mail is
+delivered only if remote SMTP server offers STARTTLS and the TLS
+handshake succeeds. At this level and higher the optional "ciphers"
+attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter
+and the optional "protocols" keyword overrides the <a href="postconf.5.html">main.cf</a>
+<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> parameter. </dd>
+
+<dt><b>verify</b></dt> <dd>Mandatory server certificate verification.
+Mail is delivered only if the TLS handshake succeeds, if the server
+certificate can be validated (not expired or revoked, and signed
+by a trusted certificate authority), and if the server certificate
+name matches the optional "match" attribute (or the <a href="postconf.5.html">main.cf</a>
+<a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> parameter value when no optional "match"
+attribute is specified). </dd>
+
+<dt><b>secure</b></dt> <dd>Secure-channel TLS. Mail is delivered
+only if the TLS handshake succeeds, if the server certificate can
+be validated (not expired or revoked, and signed by a trusted
+certificate authority), and if the server certificate name matches
+the optional "match" attribute (or the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a>
+parameter value when no optional "match" attribute is specified).
+</dd>
</dl>
+<p> Notes: </p>
+
+<ul>
+
+<li> <p> The "match" attribute is especially useful to verify TLS
+certificates for domains that are hosted on a shared server. In
+that case, specify "match" rules for the shared server's name.
+While secure verification can also be achieved with manual routing
+overrides in Postfix <a href="transport.5.html">transport(5)</a> tables, that approach can deliver
+mail to the wrong host when domains are assigned to new gateway
+hosts. The "match" attribute approach avoids the problems of manual
+routing overrides; mail is deferred if verification of a new MX
+host fails. </p>
+
+<li> <p> When a policy table entry specifies multiple match patterns,
+multiple match strategies, or multiple protocols, these must be
+separated by colons. </p>
+
+</ul>
+
<p>
Example:
</p>
for the obsolete "MUST" keyword in the same way as for the "verify"
level in the new policy. </p>
-<p> With Postfix < 2.3, the obsolete smtp_tls_cipherlist parameter
+<p> With Postfix < 2.3, the obsolete <a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> parameter
is also applied for opportunistic TLS sessions, and should be used with
care, or not at all. Setting cipherlist restrictions that are incompatible
with a remote SMTP server render that server unreachable, TLS handshakes
<dt> MAY </dt> <dd> Opportunistic TLS. This has less precedence than
a more specific result (including "NONE") from the alternate host or
next-hop lookup key, and has less precedence than the more specific global
-"<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" or "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes". </dd>
+"<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" or "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes". </dd>
<dt> MUST_NOPEERMATCH </dt> <dd> Mandatory TLS encryption. This
overrides a less secure "NONE" or a less specific "MAY" lookup result
<li> <p> When neither the remote SMTP server hostname nor the
next-hop destination are found in the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table, the
policy is based on <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and
-<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>. Note: "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" and
-"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes" imply "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = yes". </p>
+<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>. Note: "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" and
+"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes" imply "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = yes". </p>
<li> <p> When both hostname and next-hop destination lookups produce
a result, the more specific per-site policy (NONE, MUST, etc)
<li> <p> After the per-site policy lookups are combined, the result
generally overrides the global policy. The exception is the less
specific "MAY" per-site policy, which is overruled by the more
-specific global "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" with server certificate
+specific global "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" with server certificate
verification as specified with the <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
parameter. </p>
verification. </p>
<li> <p> Disallow CNAME hostname overrides. In <a href="postconf.5.html">main.cf</a>, specify
-"<a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> = no". This prevents false hostname
+"<a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> = no". This prevents false hostname
information in DNS CNAME records from changing the server hostname
that Postfix uses for TLS policy lookup and server certificate
verification. This feature requires Postfix 2.2.9 or later. The
ciphers on a per-destination basis. </p>
<p> By default anonymous ciphers are allowed, and automatically
-disabled when server certificates are verified. If you
-want to disable even at the "encrypt" security level, set
-"<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> = aNULL",
-to disable anonymous ciphers even with opportunistic TLS, set
-"<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> = aNULL". There is generally no
-need to take these measures. Anonymous ciphers save bandwidth and TLS
-session cache space, if certificates are ignored, there is little point
-in requesting them. </p>
+disabled when server certificates are verified. If you want to
+disable anonymous ciphers even at the "encrypt" security level, set
+"<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> = aNULL"; and to
+disable anonymous ciphers even with opportunistic TLS, set
+"<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> = aNULL". There is generally
+no need to take these measures. Anonymous ciphers save bandwidth
+and TLS session cache space, if certificates are ignored, there is
+little point in requesting them. </p>
<p> Example: </p>
<blockquote>
<pre>
-<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> = /etc/postfix/cacert.pem
-<a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> =
- btree:/var/spool/postfix/smtp_tls_session_cache
-<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = yes
-<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> = /etc/postfix/cacert.pem
-<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = /etc/postfix/FOO-cert.pem
-<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> = /etc/postfix/FOO-key.pem
-<a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> = yes
-<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> =
- btree:/var/spool/postfix/smtpd_tls_session_cache
-<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
-<a href="postconf.5.html#tls_random_source">tls_random_source</a> = dev:/dev/urandom
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ <a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> = /etc/postfix/cacert.pem
+ <a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> =
+ btree:/var/spool/postfix/smtp_tls_session_cache
+ <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = yes
+ <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> = /etc/postfix/cacert.pem
+ <a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = /etc/postfix/FOO-cert.pem
+ <a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> = /etc/postfix/FOO-key.pem
+ <a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> = yes
+ <a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> =
+ btree:/var/spool/postfix/smtpd_tls_session_cache
+ <a href="postconf.5.html#tls_random_source">tls_random_source</a> = dev:/dev/urandom
+ # Postfix 2.3 and later
+ <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may
+ # Obsolete, but still supported
+ <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
</pre>
</blockquote>
cache databases. Such a protocol cannot be run across fifos. </p>
<li> <p> <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>: the MUST_NOPEERMATCH per-site policy
-cannot override the global "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes" setting.
+cannot override the global "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes" setting.
</p>
<li> <p> <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>: a combined (NONE + MAY) lookup result
for (hostname and next-hop destination) produces counter-intuitive
results for different <a href="postconf.5.html">main.cf</a> settings. TLS is enabled with
-"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = no", but it is disabled when both
-"<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" and "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes".
+"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = no", but it is disabled when both
+"<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" and "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes".
</p>
</ul>
lookups are directed to a TCP-based server. For a descrip-
tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
<a href="tcp_table.5.html"><b>ble</b>(5)</a>. This feature is not available up to and including
- Postfix version 2.2.
+ Postfix version 2.3.
Each lookup operation uses the entire query string once.
Depending on the application, that string is an entire
<b>STANDARDS</b>
<a href="http://www.faqs.org/rfcs/rfc822.html">RFC 822</a> (ARPA Internet Text Messages)
+ <a href="http://www.faqs.org/rfcs/rfc2045.html">RFC 2045</a> (Format of Internet Message Bodies)
<a href="http://www.faqs.org/rfcs/rfc2822.html">RFC 2822</a> (ARPA Internet Text Messages)
<a href="http://www.faqs.org/rfcs/rfc3462.html">RFC 3462</a> (Delivery Status Notifications)
<a href="http://www.faqs.org/rfcs/rfc3464.html">RFC 3464</a> (Delivery Status Notifications)
- <a href="http://www.faqs.org/rfcs/rfc2045.html">RFC 2045</a> (Format of Internet Message Bodies)
+ <a href="http://www.faqs.org/rfcs/rfc3834.html">RFC 3834</a> (Auto-Submitted: message header)
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8).
The time limit for sending or receiving information
over an internal communication channel.
+ <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
+ What categories of Postfix-generated mail are sub-
+ ject to before-queue content inspection by
+ <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
+
<b><a href="postconf.5.html#mail_name">mail_name</a> (Postfix)</b>
The mail system name that is displayed in Received:
headers, in the SMTP greeting banner, and in
lookups are directed to a TCP-based server. For a descrip-
tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
<a href="tcp_table.5.html"><b>ble</b>(5)</a>. This feature is not available up to and including
- Postfix version 2.2.
+ Postfix version 2.3.
Each lookup operation uses the entire address once. Thus,
<i>user@domain</i> mail addresses are not broken up into their
lookups are directed to a TCP-based server. For a descrip-
tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
<a href="tcp_table.5.html"><b>ble</b>(5)</a>. This feature is not available up to and including
- Postfix version 2.2.
+ Postfix version 2.3.
Each lookup operation uses the entire address once. Thus,
<i>user@domain</i> mail addresses are not broken up into their
Postfix services are implemented by daemon processes.
These run in the background under control of the <a href="master.8.html"><b>master</b>(8)</a>
- process. The master.cf configuration file defines how a
+ process. The <a href="master.5.html">master.cf</a> configuration file defines how a
client program connects to a service, and what daemon pro-
gram runs when a service is requested. Most daemon pro-
cesses are short-lived and terminate after serving <b><a href="postconf.5.html#max_use">max_use</a></b>
<a href="local.8.html"><b>local</b>(8)</a>, <a href="pipe.8.html"><b>pipe</b>(8)</a> or <a href="spawn.8.html"><b>spawn</b>(8)</a> services, or run the server
under control by <b>inetd</b>(8) or equivalent.
- After changing master.cf you must execute "<b>postfix reload</b>"
+ After changing <a href="master.5.html">master.cf</a> you must execute "<b>postfix reload</b>"
to reload the configuration.
<b>SYNTAX</b>
- The general format of the master.cf file is as follows:
+ The general format of the <a href="master.5.html">master.cf</a> file is as follows:
<b>o</b> Each logical line defines a single Postfix service.
Each service is identified by its name and type as
described below. When multiple lines specify the
same service name and type, only the last one is
- remembered. Otherwise, the order of master.cf ser-
+ remembered. Otherwise, the order of <a href="master.5.html">master.cf</a> ser-
vice definitions does not matter.
<b>o</b> Empty lines and whitespace-only lines are ignored,
Each logical line consists of eight fields separated by
whitespace. These are described below in the order as
- they appear in the master.cf file.
+ they appear in the <a href="master.5.html">master.cf</a> file.
Where applicable a field of "-" requests that the built-in
default value be used. For boolean fields specify "y" or
Note: with Postfix version 2.2 and later
specify "<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> = loopback-only</b>" in
- main.cf, instead of hard-coding loopback IP
- address information in master.cf or in
- main.cf.
+ <a href="postconf.5.html">main.cf</a>, instead of hard-coding loopback IP
+ address information in <a href="master.5.html">master.cf</a> or in
+ <a href="postconf.5.html">main.cf</a>.
<b>unix</b> The service listens on a UNIX-domain socket
and is accessible for local clients only.
The service name is a pathname relative to
the Postfix queue directory (pathname con-
trolled with the <b><a href="postconf.5.html#queue_directory">queue_directory</a></b> configura-
- tion parameter in main.cf).
+ tion parameter in <a href="postconf.5.html">main.cf</a>).
On Solaris systems the <b>unix</b> type is imple-
mented with streams sockets.
The service name is a pathname relative to
the Postfix queue directory (pathname con-
trolled with the <b><a href="postconf.5.html#queue_directory">queue_directory</a></b> configura-
- tion parameter in main.cf).
+ tion parameter in <a href="postconf.5.html">main.cf</a>).
<b>Private (default: y)</b>
Whether or not access is restricted to the mail
Whether the service runs with root privileges or as
the owner of the Postfix system (the owner name is
controlled by the <b><a href="postconf.5.html#mail_owner">mail_owner</a></b> configuration variable
- in the main.cf file).
+ in the <a href="postconf.5.html">main.cf</a> file).
The <a href="local.8.html"><b>local</b>(8)</a>, <a href="pipe.8.html"><b>pipe</b>(8)</a>, <a href="spawn.8.html"><b>spawn</b>(8)</a>, and <a href="virtual.8.html"><b>virtual</b>(8)</a>
daemons require privileges.
Whether or not the service runs chrooted to the
mail queue directory (pathname is controlled by the
<b><a href="postconf.5.html#queue_directory">queue_directory</a></b> configuration variable in the
- main.cf file).
+ <a href="postconf.5.html">main.cf</a> file).
Chroot should not be used with the <a href="local.8.html"><b>local</b>(8)</a>,
<a href="pipe.8.html"><b>pipe</b>(8)</a>, <a href="spawn.8.html"><b>spawn</b>(8)</a>, and <a href="virtual.8.html"><b>virtual</b>(8)</a> daemons.
service in the first place.
The files in the examples/chroot-setup subdirectory
- of the Postfix source archive describe how to set
- up a Postfix chroot environment for your type of
- machine, and <a href="BASIC_CONFIGURATION_README.html">BASIC_CONFIGURATION_README</a> discusses
- issues related to running daemons chrooted.
+ of the Postfix source archive show set up a Postfix
+ chroot environment on a variety of systems. See
+ also <a href="BASIC_CONFIGURATION_README.html">BASIC_CONFIGURATION_README</a> for issues related
+ to running daemons chrooted.
<b>Wake up time (default: 0)</b>
Automatically wake up the named service after the
specified number of seconds. The wake up is imple-
mented by connecting to the service and sending a
wake up request. A ? at the end of the wake-up
- time field requests that wake up events be sent
- only to services that are actually being used.
- Specify 0 for no automatic wake up.
+ time field requests that no wake up events be sent
+ before the service is used. Specify 0 for no auto-
+ matic wake up.
The <a href="pickup.8.html"><b>pickup</b>(8)</a>, <a href="qmgr.8.html"><b>qmgr</b>(8)</a> and <a href="flush.8.html"><b>flush</b>(8)</a> daemons require
a wake up timer.
<b>-D</b> Run the daemon under control by the command
specified with the <b><a href="postconf.5.html#debugger_command">debugger_command</a></b> variable
- in the main.cf configuration file. See
+ in the <a href="postconf.5.html">main.cf</a> configuration file. See
<a href="DEBUG_README.html">DEBUG_README</a> for hints and tips.
<b>-o</b> <i>name</i>=<i>value</i>
- Override the named main.cf configuration
+ Override the named <a href="postconf.5.html">main.cf</a> configuration
parameter. The parameter value can refer to
other parameters as <i>$name</i> etc., just like in
-
main.cf. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for syntax.
+
<a href="postconf.5.html">main.cf</a>. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for syntax.
NOTE 1: do not specify whitespace around the
"=". In parameter values, either avoid
whitespace altogether, use commas instead of
spaces, or consider overrides like "-o
name=$override_parameter" with $over-
- ride_parameter set in main.cf.
+ ride_parameter set in <a href="postconf.5.html">main.cf</a>.
NOTE 2: Over-zealous use of parameter over-
rides makes the Postfix configuration hard
<p>
Specify, for example, "<a href="postconf.5.html#best_mx_transport">best_mx_transport</a> = local" to pass the mail
-from the SMTP client to the <a href="local.8.html">local(8)</a> delivery agent. You can specify
+from the Postfix SMTP client to the <a href="local.8.html">local(8)</a> delivery agent. You
+can specify
any message delivery "transport" or "transport:nexthop" that is
defined in the <a href="master.5.html">master.cf</a> file. See the <a href="transport.5.html">transport(5)</a> manual page
for the syntax and meaning of "transport" or "transport:nexthop".
<p>
A better solution for multi-homed firewalls is to leave <a href="postconf.5.html#inet_interfaces">inet_interfaces</a>
at the default value and instead use explicit IP addresses in
-the <a href="master.5.html">master.cf</a> SMTP server definitions. This preserves the SMTP client's
+the <a href="master.5.html">master.cf</a> SMTP server definitions. This preserves the Postfix
+SMTP client's
loop detection, by ensuring that each side of the firewall knows that the
other IP address is still the same host. Setting $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> to a
single IPv4 and/or IPV6 address is primarily useful with virtual
</p>
+</DD>
+
+<DT><b><a name="internal_mail_filter_classes">internal_mail_filter_classes</a>
+(default: empty)</b></DT><DD>
+
+<p> What categories of Postfix-generated mail are subject to
+before-queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a>
+and <a href="postconf.5.html#body_checks">body_checks</a>. Specify zero or more of the following, separated
+by whitespace or comma. </p>
+
+<dl>
+
+<dt> <b> bounce </b> </dt> <dd> Inspect the content of delivery
+status notifications. </dd>
+
+<dt> <b> notify </b> </dt> <dd> Inspect the content of postmaster
+notifications by the <a href="smtp.8.html">smtp(8)</a> and <a href="smtpd.8.html">smtpd(8)</a> processes. </dd>
+
+</dl>
+
+<p> NOTE: It's generally not safe to enable content inspection of
+Postfix-generated email messages. The user is warned. </p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
+
+
</DD>
<DT><b><a name="invalid_hostname_reject_code">invalid_hostname_reject_code</a>
</p>
+</DD>
+
+<DT><b><a name="lmtp_sasl_auth_enforce">lmtp_sasl_auth_enforce</a>
+(default: yes)</b></DT><DD>
+
+<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_sasl_auth_enforce">smtp_sasl_auth_enforce</a>
+configuration parameter. See there for details. </p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
+
+
</DD>
<DT><b><a name="lmtp_sasl_mechanism_filter">lmtp_sasl_mechanism_filter</a>
not, but it does not use the result from table lookup. </p>
<p>
-If this parameter is non-empty (the default), then the Postfix SMTP server
-will reject mail for unknown local users.
+If this parameter is non-empty (the default), then the Postfix SMTP
+server will reject mail for unknown local users.
</p>
<p>
(default: empty)</b></DT><DD>
<p>
-An optional numerical network address that the SMTP client should
-bind to when making an IPv4 connection.
+An optional numerical network address that the Postfix SMTP client
+should bind to when making an IPv4 connection.
</p>
<p>
(default: empty)</b></DT><DD>
<p>
-An optional numerical network address that the SMTP client should
-bind to when making an IPv6 connection.
+An optional numerical network address that the Postfix SMTP client
+should bind to when making an IPv6 connection.
</p>
<p> This feature is available in Postfix 2.2 and later. </p>
</p>
<p>
-When no connection can be made within the deadline, the SMTP client
+When no connection can be made within the deadline, the Postfix
+SMTP client
tries the next address on the mail exchanger list. Specify 0 to
disable the time limit (i.e. use whatever timeout is implemented by
the operating system).
<p>
The SMTP client time limit for sending the SMTP message content.
When the connection makes no progress for more than $<a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a>
-seconds the SMTP client terminates the transfer.
+seconds the Postfix SMTP client terminates the transfer.
</p>
<p>
<p> Lookup tables, indexed by the remote SMTP server address, with
case insensitive lists of EHLO keywords (pipelining, starttls, auth,
-etc.) that the SMTP client will ignore in the EHLO response from a
+etc.) that the Postfix SMTP client will ignore in the EHLO response from a
remote SMTP server. See <a href="postconf.5.html#smtp_discard_ehlo_keywords">smtp_discard_ehlo_keywords</a> for details. The
table is not indexed by hostname for consistency with
<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>. </p>
(default: empty)</b></DT><DD>
<p> A case insensitive list of EHLO keywords (pipelining, starttls,
-auth, etc.) that the SMTP client will ignore in the EHLO response
-from a remote SMTP server. </p>
+auth, etc.) that the Postfix SMTP client will ignore in the EHLO
+response from a remote SMTP server. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
(default: dns)</b></DT><DD>
<p>
-What mechanisms when the SMTP client uses to look up a host's IP
+What mechanisms when the Postfix SMTP client uses to look up a host's IP
address. This parameter is ignored when DNS lookups are disabled.
</p>
</pre>
+</DD>
+
+<DT><b><a name="smtp_sasl_auth_enforce">smtp_sasl_auth_enforce</a>
+(default: yes)</b></DT><DD>
+
+<p> If sender-dependent SASL passwords are turned off, defer mail
+delivery when an SMTP server does not support SASL authentication,
+while <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> contains SASL login/password information
+for that server. </p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
+
+
</DD>
<DT><b><a name="smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a>
(default: no)</b></DT><DD>
<p>
-Send the non-standard XFORWARD command when the Postfix SMTP server EHLO
-response announces XFORWARD support.
+Send the non-standard XFORWARD command when the Postfix SMTP server
+EHLO response announces XFORWARD support.
</p>
<p>
(default: no)</b></DT><DD>
<p>
-Enable sender-dependent authentication in the SMTP client; this is
+Enable sender-dependent authentication in the Postfix SMTP client; this is
available only with SASL authentication, and disables SMTP connection
caching to ensure that mail from different senders will use the
appropriate credentials. </p>
(default: empty)</b></DT><DD>
<p> Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
-cipher list. As this feature applies to all security levels, it is easy
+cipher list. As this feature applies to all TLS security levels, it is easy
to create inter-operability problems by choosing a non-default cipher
list. Do not use a non-default TLS cipher list on hosts that deliver email
to the public Internet: you will be unable to send email to servers that
<DT><b><a name="smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
(default: yes)</b></DT><DD>
-<p> When TLS encryption is enforced, require that the remote SMTP
+<p> With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP server
certificate. As of <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> the requirements for hostname checking
for MTA clients are not specified. </p>
<DT><b><a name="smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a>
(default: empty)</b></DT><DD>
-<p> List of ciphers or cipher types to exclude from the SMTP client cipher
-list at all security levels. This is not an OpenSSL cipherlist, it is
+<p> List of ciphers or cipher types to exclude from the Postfix
+SMTP client cipher
+list at all TLS security levels. This is not an OpenSSL cipherlist, it is
a simple list separated by whitespace and/or commas. The elements are a
single cipher, or one or more "+" separated cipher properties, in which
case only ciphers matching <b>all</b> the properties are excluded. </p>
<DT><b><a name="smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>
(default: medium)</b></DT><DD>
-<p> The minimum SMTP client TLS cipher grade that is strong enough to
-be used with the "encrypt" security level and higher. The default
-value "medium" is suitable for most destinations with which you may
-want to enforce TLS, and is beyond the reach of today's crypt-analytic
-methods. See <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> for information on how to configure
-ciphers on a per-destination basis. </p>
+<p> The minimum TLS cipher grade that the Postfix SMTP client will
+use with
+mandatory TLS encryption. The default value "medium" is suitable
+for most destinations with which you may want to enforce TLS, and
+is beyond the reach of today's crypt-analytic methods. See
+<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> for information on how to configure ciphers
+on a per-destination basis. </p>
<p> The following cipher grades are supported: </p>
<DT><b><a name="smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>
(default: empty)</b></DT><DD>
-<p> List of ciphers or cipher types to exclude from the SMTP client
-cipher list at the mandatory TLS security levels: "encrypt", "verify"
-and "secure". See <a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> for syntax details. When
-both "exclude" parameters are defined, the combined list of ciphers is
-excluded (provided the TLS security level is "encrypt" or higher). </p>
+<p> Additional list of ciphers or cipher types to exclude from the
+SMTP client cipher list at mandatory TLS security levels. This list
+works in addition to the exclusions listed with <a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a>
+(see there for syntax details). </p>
<p> This feature is available in Postfix 2.3 and later. </p>
<DT><b><a name="smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
(default: SSLv3, TLSv1)</b></DT><DD>
-<p> List of TLS protocol versions that are secure enough to be used
-with
the "encrypt" security level and higher. In <a href="postconf.5.html">main.cf</a> the values
+<p> List of TLS protocols that the Postfix SMTP client will use
+with
mandatory TLS encryption. In <a href="postconf.5.html">main.cf</a> the values
are separated by whitespace, commas or colons. In the policy table
(see <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>) the only valid separator is colon. An
empty value means allow all protocols. The valid protocol names,
<DT><b><a name="smtp_tls_security_level">smtp_tls_security_level</a>
(default: empty)</b></DT><DD>
-<p> The default SMTP TLS security level for all destinations; when
-a non-empty value is specified, this overrides the obsolete parameters
-<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>. </p>
+<p> The default SMTP TLS security level for the Postfix SMTP client;
+when a non-empty value is specified, this overrides the obsolete
+parameters <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
+</p>
<p> Specify one of the following security levels: </p>
<DT><b><a name="smtpd_enforce_tls">smtpd_enforce_tls</a>
(default: no)</b></DT><DD>
-<p> Enforcement mode: announce STARTTLS support to SMTP clients,
+<p> Mandatory TLS: announce STARTTLS support to SMTP clients,
and require that clients use TLS encryption. According to <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a>
this MUST NOT be applied in case of a publicly-referenced SMTP
server. This option is off by default and should be used only on
dedicated servers. </p>
-<p> Note 1:
this mode implies "<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> = yes". </p>
+<p> Note 1:
"<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes" implies "<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> = yes". </p>
<p> Note 2: when invoked via "<b>sendmail -bs</b>", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior. </p>
-<p> This feature is available in Postfix 2.2 and later. </p>
+<p> This feature is available in Postfix 2.2 and later. With
+Postfix 2.3 and later use <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p>
</DD>
<DT><b><a name="smtpd_peername_lookup">smtpd_peername_lookup</a>
(default: yes)</b></DT><DD>
-<p> Attempt to look up the SMTP client hostname, and verify that
+<p> Attempt to look up the Postfix SMTP client hostname, and verify that
the name matches the client IP address. A client name is set to
"unknown" when it cannot be looked up or verified, or when name
lookup is disabled. Turning off name lookup reduces delays due to
</p>
<p>
-This feature is available in Postfix 2.1 and later.
+This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3
+it was renamed to <a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a>.
</p>
<b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>. Typically this specifies the name of a
configuration file or rendezvous point. </p>
-<p> This feature is available in Postfix 2.3 and later. </p>
+<p> This feature is available in Postfix 2.3 and later. In earlier
+releases it was called smtpd_sasl_application. </p>
</DD>
similar software, it will still insist on a server certificate. </p>
<p> For servers that are <b>not</b> public Internet MX hosts, Postfix
-2.3 supports configurations with no certificates. This entails the use
-of just the anonymous TLS ciphers, which are not supported by typical
-SMTP clients. Since such clients will not, as a rule, fall back to plain
-text after a TLS handshake failure, the server will be unable to receive
-email from TLS enabled clients. To avoid accidental configurations with
-no certificates, Postfix 2.3 enables certificate-less operation only
-when the administrator explicitly sets "<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = none". This
-ensures that new Postfix configurations with just "<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes"
-added, will not accidentally run with no certificates. </p>
+2.3 supports configurations with no certificates. This entails the
+use of just the anonymous TLS ciphers, which are not supported by
+typical SMTP clients. Since such clients will not, as a rule, fall
+back to plain text after a TLS handshake failure, the server will
+be unable to receive email from TLS enabled clients. To avoid
+accidental configurations with no certificates, Postfix 2.3 enables
+certificate-less operation only when the administrator explicitly
+sets "<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = none". This ensures that new Postfix
+configurations will not accidentally run with no certificates. </p>
<p> Both RSA and DSA certificates are supported. When both types
are present, the cipher used determines which certificate will be
<p> <b>Note:</b> do not use "" quotes around the parameter value. </p>
<p>This feature is available with Postfix version 2.2. It is not used with
-Postfix 2.3 and later; use <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> instead. </p>
-
-
-</DD>
-
-<DT><b><a name="smtpd_tls_ciphers">smtpd_tls_ciphers</a>
-(default: export)</b></DT><DD>
-
-<p> The minimum acceptable SMTP server TLS cipher grade. It is easy to
-create inter-operability problems by choosing a non-default cipher grade.
-Do not use a stronger than default minimum cipher grade for MX hosts on
-the public Internet. Clients that begin the TLS handshake, but are unable
-to agree on a common cipher, may not be able to send any email to the
-SMTP server. Using a restricted cipher list may be more appropriate for a
-dedicated MSA or an internal mailhub, where one can exert some control over
-the TLS software and settings of the connecting clients. Configurations
-with no certificates are also not likely to inter-operate with most
-clients, see the notes for "<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>". </p>
-
-<p> The following cipher grades are supported: </p>
-
-<dl>
-<dt><b>export</b></dt>
-<dd> Enable the mainstream "EXPORT" grade or better OpenSSL ciphers.
-This is the most appropriate setting for public MX hosts. The underlying
-cipherlist is specified via the <a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> configuration
-parameter, which you are strongly encouraged to not change. The default
-value of <a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers,
-set "<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = aNULL". </dd>
-
-<dt><b>low</b></dt>
-<dd> Enable the mainstream "LOW" grade or better OpenSSL ciphers. This
-setting is only appropriate for internal mail servers. The underlying
-cipherlist is specified via the <a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> configuration
-parameter, which you are strongly encouraged to not change. The default
-value of <a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers,
-set "<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = aNULL". </dd>
-
-<dt><b>medium</b></dt>
-<dd> Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers. This
-setting is only appropriate for internal mail servers. The underlying
-cipherlist is specified via the <a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> configuration
-parameter, which you are strongly encouraged to not change. The default
-value of <a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers,
-set "<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = aNULL". </dd>
-
-<dt><b>high</b></dt>
-<dd> Enable only the mainstream "HIGH" grade OpenSSL ciphers. This
-setting is only appropriate for internal mail servers. The underlying
-cipherlist is specified via the <a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> configuration
-parameter, which you are strongly encouraged to not change. The default
-value of <a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers, set
-"<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = aNULL". </dd>
-
-<dt><b>null</b></dt>
-<dd> Enable only the "NULL" OpenSSL ciphers, these provide authentication
-without encryption. This setting is only appropriate in the rare
-case that all clients are prepared to use NULL ciphers (not normally
-enabled in TLS clients). The underlying cipherlist is specified via the
-<a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> configuration parameter, which you are strongly
-encouraged to not change. The default value of <a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a>
-excludes anonymous ciphers (OpenSSL 0.9.8 has NULL ciphers that offer
-data integrity without encryption or authentication). </dd>
-
-</dl>
-
-<p> This feature is available in Postfix 2.3 and later. </p>
+Postfix 2.3 and later; use <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> instead. </p>
</DD>
<p> Your actual source for entropy may differ. Some systems have
/dev/random; on other system you may consider using the "Entropy
-Gathering Daemon EGD", available at <a href="http://www.lothar.com/tech/crypto/">http://www.lothar.com/tech/crypto/</a>.
+Gathering Daemon EGD", available at <a href="http://egd.sourceforge.net/">http://egd.sourceforge.net/</a>
</p>
<p> Example: </p>
(default: empty)</b></DT><DD>
<p> List of ciphers or cipher types to exclude from the SMTP server
-cipher list. This is not an OpenSSL cipherlist; it is a simple list
-separated by whitespace and/or commas. The elements are a single
-cipher, or one or more "+" separated cipher properties, in which
-case only ciphers matching <b>all</b> the properties are excluded. </p>
+cipher list at all TLS security levels. Excluding valid ciphers
+can create interoperability problems. DO NOT exclude ciphers unless it
+is essential to do so. This is not an OpenSSL cipherlist; it is a simple
+list separated by whitespace and/or commas. The elements are a single
+cipher, or one or more "+" separated cipher properties, in which case
+only ciphers matching <b>all</b> the properties are excluded. </p>
<p> Examples (some of these will cause problems): </p>
</DD>
-<DT><b><a name="smtpd_tls_protocols">smtpd_tls_protocols</a>
+<DT><b><a name="smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>
+(default: medium)</b></DT><DD>
+
+<p> The minimum TLS cipher grade that the Postfix SMTP server will
+use with mandatory
+TLS encryption. Cipher types listed in <a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a>
+or <a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> are excluded from the base definition
+of the selected cipher grade. With opportunistic TLS encryption,
+the "export" grade is used unconditionally with exclusions specified
+only via <a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a>. </p>
+
+<p> The following cipher grades are supported: </p>
+
+<dl>
+<dt><b>export</b></dt>
+<dd> Enable the mainstream "EXPORT" grade or better OpenSSL ciphers.
+This is the most appropriate setting for public MX hosts, and is always
+used with opportunistic TLS encryption. The underlying cipherlist
+is specified via the <a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> configuration parameter,
+which you are strongly encouraged to not change. The default value
+of <a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> includes anonymous ciphers, but these are
+automatically filtered out if the server is configured to ask for
+client certificates. If you must always exclude anonymous ciphers,
+set "<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = aNULL". To exclude anonymous ciphers
+only when TLS is enforced, set "<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> =
+aNULL". </dd>
+
+<dt><b>low</b></dt>
+<dd> Enable the mainstream "LOW" grade or better OpenSSL ciphers. The
+underlying cipherlist is specified via the <a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a>
+configuration parameter, which you are strongly encouraged to
+not change. The default value of <a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> includes
+anonymous ciphers, but these are automatically filtered out if the
+server is configured to ask for client certificates. If you must
+always exclude anonymous ciphers, set "<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> =
+aNULL". To exclude anonymous ciphers only when TLS is enforced, set
+"<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> = aNULL". </dd>
+
+<dt><b>medium</b></dt>
+<dd> Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers. These
+are essentially the 128-bit or stronger ciphers. This is the default
+minimum strength for mandatory TLS encryption. MSAs that enforce
+TLS and have clients that do not support any "MEDIUM" or "HIGH"
+grade ciphers, may need to configure a weaker ("low" or "export")
+minimum cipher grade. The underlying cipherlist is specified via the
+<a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> configuration parameter, which you are strongly
+encouraged to not change. The default value of <a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a>
+includes anonymous ciphers, but these are automatically filtered out if
+the server is configured to ask for client certificates. If you must
+always exclude anonymous ciphers, set "<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> =
+aNULL". To exclude anonymous ciphers only when TLS is enforced, set
+"<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> = aNULL". </dd>
+
+<dt><b>high</b></dt>
+<dd> Enable only the mainstream "HIGH" grade OpenSSL ciphers. The
+underlying cipherlist is specified via the <a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a>
+configuration parameter, which you are strongly encouraged to
+not change. The default value of <a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> includes
+anonymous ciphers, but these are automatically filtered out if the
+server is configured to ask for client certificates. If you must
+always exclude anonymous ciphers, set "<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> =
+aNULL". To exclude anonymous ciphers only when TLS is enforced, set
+"<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> = aNULL". </dd>
+
+<dt><b>null</b></dt>
+<dd> Enable only the "NULL" OpenSSL ciphers, these provide authentication
+without encryption. This setting is only appropriate in the rare
+case that all clients are prepared to use NULL ciphers (not normally
+enabled in TLS clients). The underlying cipherlist is specified via the
+<a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> configuration parameter, which you are strongly
+encouraged to not change. The default value of <a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a>
+excludes anonymous ciphers (OpenSSL 0.9.8 has NULL ciphers that offer
+data integrity without encryption or authentication). </dd>
+
+</dl>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a>
(default: empty)</b></DT><DD>
-<p> The list of TLS protocols supported by the server. If empty the
-default list of protocols is used (i.e. all TLS protocol versions are
-supported). Any non-empty value is interpreted as a list of protocol
-names separated by whitespace, commas or colons. The supported protocol
-names are "SSLv2", "SSLv3" and "TLSv1", and are not
-case-sensitive. </p>
+<p> Additional list of ciphers or cipher types to exclude from the
+SMTP server cipher list at mandatory TLS security levels. This list
+works in addition to the exclusions listed with <a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a>
+(see there for syntax details). </p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
-<p> DO NOT set this to a non-default value on an MX-host,
-as some clients may not support any of the narrower set of protocols,
-and may be unable to fallback to plaintext sessions. If you restrict
-the protocol list on an MX host, you may lose mail. </p>
+
+</DD>
+
+<DT><b><a name="smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a>
+(default: SSLv3, TLSv1)</b></DT><DD>
+
+<p> The TLS protocols accepted by the Postfix SMTP server with
+mandatory TLS encryption. With opportunistic TLS encryption, all
+protocols are always accepted. If the list is empty, the server
+supports all available TLS protocol versions. A non-empty value
+is a list of protocol names separated by whitespace, commas or
+colons. The supported protocol names are "SSLv2", "SSLv3" and
+"TLSv1", and are not case sensitive. </p>
<p> Example: </p>
<pre>
-<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = SSLv3, TLSv1
+<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = SSLv3, TLSv1
</pre>
<p> This feature is available in Postfix 2.3 and later. </p>
<DT><b><a name="smtpd_tls_req_ccert">smtpd_tls_req_ccert</a>
(default: no)</b></DT><DD>
-<p> When TLS encryption is enforced, require a remote SMTP client
+<p> With mandatory TLS encryption, require a remote SMTP client
certificate in order to allow TLS connections to proceed. This
option implies "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> = yes". </p>
<p> This feature is available in Postfix 2.2 and later. </p>
+</DD>
+
+<DT><b><a name="smtpd_tls_security_level">smtpd_tls_security_level</a>
+(default: empty)</b></DT><DD>
+
+<p> The SMTP TLS security level for the Postfix SMTP server; when
+a non-empty value is specified, this overrides the obsolete parameters
+<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>. This parameter is ignored with
+"<a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a> = yes". </p>
+
+<p> Specify one of the following security levels: </p>
+
+<dl>
+
+<dt><b>none</b></dt> <dd> TLS will not be used. </dd>
+
+<dt><b>may</b></dt> <dd> Opportunistic TLS: announce STARTTLS support
+to SMTP clients, but do not require that clients use TLS encryption.
+</dd>
+
+<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption: announce
+STARTTLS support to SMTP clients, and require that clients use TLS
+encryption. According to <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> this MUST NOT be applied in case
+of a publicly-referenced SMTP server. Instead, this option should
+be used only on dedicated servers. </dd>
+
+</dl>
+
+<p> Note 1: the "verify" and "secure" levels are not supported.
+The Postfix SMTP server logs a warning and uses "encrypt" instead.
+To verify SMTP client certificates, see <a href="TLS_README.html">TLS_README</a> for a discussion
+of the <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>, <a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a>, and <a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a>
+features. </p>
+
+<p> Note 2: The parameter setting "<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> =
+encrypt" implies "<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> = yes".</p>
+
+<p> Note 3: when invoked via "sendmail -bs", Postfix will never
+offer STARTTLS due to insufficient privileges to access the server
+private key. This is intended behavior.</p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
+
+
</DD>
<DT><b><a name="smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a>
<DT><b><a name="smtpd_use_tls">smtpd_use_tls</a>
(default: no)</b></DT><DD>
-<p> Opportunistic mode: announce STARTTLS support to SMTP clients,
+<p> Opportunistic TLS: announce STARTTLS support to SMTP clients,
but do not require that clients use TLS encryption. </p>
<p> Note: when invoked via "<b>sendmail -bs</b>", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior. </p>
-<p> This feature is available in Postfix 2.2 and later. </p>
+<p> This feature is available in Postfix 2.2 and later. With
+Postfix 2.3 and later use <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p>
</DD>
(default: ALL:+RC4:@STRENGTH)</b></DT><DD>
<p> The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This
-defines the meaning of the "export" setting in <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>,
+defines the meaning of the "export" setting in <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>,
<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and <a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. This is
the cipherlist for the opportunistic ("may") TLS client security
level and is the default cipherlist for the SMTP server. You are
(default: !EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH)</b></DT><DD>
<p> The OpenSSL cipherlist for "HIGH" grade ciphers. This defines
-the meaning of the "high" setting in <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>,
+the meaning of the "high" setting in <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>,
<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and <a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. You are
strongly encouraged to not change this setting. </p>
(default: !EXPORT:ALL:+RC4:@STRENGTH)</b></DT><DD>
<p> The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines
-the meaning of the "low" setting in <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>,
+the meaning of the "low" setting in <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>,
<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and <a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. You are
strongly encouraged to not change this setting. </p>
(default: !EXPORT:!LOW:ALL:+RC4:@STRENGTH)</b></DT><DD>
<p> The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This
-defines the meaning of the "medium" setting in <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>,
+defines the meaning of the "medium" setting in <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>,
<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and <a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. This is
the default cipherlist for mandatory TLS encryption in the TLS
client (with anonymous ciphers disabled when verifying server
<p> The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption. This defines the meaning of the "null"
-setting in
<a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>, <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and
+setting in
smtpd_mandatory_tls_ciphers, <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and
<a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. You are strongly encouraged to not
change this setting. </p>
<a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>. For a description of the
TCP client/server table lookup protocol, see <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>.
This feature is not available up to and including Postfix
- version 2.2.
+ version 2.3.
Each pattern is a regular expression that is applied to
the entire address being looked up. Thus, <i>user@domain</i> mail
lookups are directed to a TCP-based server. For a descrip-
tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
<a href="tcp_table.5.html"><b>ble</b>(5)</a>. This feature is not available up to and including
- Postfix version 2.2.
+ Postfix version 2.3.
Each lookup operation uses the entire address once. Thus,
<i>user@domain</i> mail addresses are not broken up into their
Lookup tables, indexed by the remote SMTP server
address, with case insensitive lists of EHLO key-
words (pipelining, starttls, auth, etc.) that the
- SMTP client will ignore in the EHLO response from a
- remote SMTP server.
+ Postfix SMTP client will ignore in the EHLO
+ response from a remote SMTP server.
<b><a href="postconf.5.html#smtp_discard_ehlo_keywords">smtp_discard_ehlo_keywords</a> (empty)</b>
A case insensitive list of EHLO keywords (pipelin-
- ing, starttls, auth, etc.) that the SMTP client
- will ignore in the EHLO response from a remote SMTP
- server.
+ ing, starttls, auth, etc.) that the Postfix SMTP
+ client will ignore in the EHLO response from a
+ remote SMTP server.
<b><a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> (empty)</b>
Optional lookup tables that perform address rewrit-
Available in Postfix version 2.3 and later:
+ <b><a href="postconf.5.html#smtp_sasl_auth_enforce">smtp_sasl_auth_enforce</a> (yes)</b>
+ If sender-dependent SASL passwords are turned off,
+ defer mail delivery when an SMTP server does not
+ support SASL authentication, while <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_pass</a>-
+ <a href="postconf.5.html#smtp_sasl_password_maps">word_maps</a> contains SASL login/password information
+ for that server.
+
<b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
- Enable sender-dependent authentication in the SMTP
- client; this is available only with SASL authenti-
- cation, and disables SMTP connection caching to
- ensure that mail from different senders will use
- the appropriate credentials.
+ Enable sender-dependent authentication in the Post-
+ fix SMTP client; this is available only with SASL
+ authentication, and disables SMTP connection
+ caching to ensure that mail from different senders
+ will use the appropriate credentials.
<b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
Implementation-specific information that is passed
found in the <a href="TLS_README.html">TLS_README</a> document.
<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
- The default SMTP TLS security level for all desti-
- nations; when a non-empty value is specified, this
- overrides the obsolete parameters <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>,
- <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
+ The default SMTP TLS security level for the Postfix
+ SMTP client; when a non-empty value is specified,
+ this overrides the obsolete parameters
+ <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and
+ <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
<b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b>
<b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b>
- The SASL authentication security options that the
- Postfix SMTP client uses for TLS encrypted SMTP
+ The SASL authentication security options that the
+ Postfix SMTP client uses for TLS encrypted SMTP
sessions.
<b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
- Time limit for Postfix SMTP client write and read
- operations during TLS startup and shutdown hand-
+ Time limit for Postfix SMTP client write and read
+ operations during TLS startup and shutdown hand-
shake procedures.
<b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
- The file with the certificate of the certification
- authority (CA) that issued the Postfix SMTP client
+ The file with the certificate of the certification
+ authority (CA) that issued the Postfix SMTP client
certificate.
<b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
- Directory with PEM format certificate authority
- certificates that the Postfix SMTP client uses to
+ Directory with PEM format certificate authority
+ certificates that the Postfix SMTP client uses to
verify a remote SMTP server certificate.
<b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
- File with the Postfix SMTP client RSA certificate
+ File with the Postfix SMTP client RSA certificate
in PEM format.
<b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
- The minimum SMTP client TLS cipher grade that is
- strong enough to be used with the "encrypt" secu-
- rity level and higher.
+ The minimum TLS cipher grade that the Postfix SMTP
+ client will use with mandatory TLS encryption.
<b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
List of ciphers or cipher types to exclude from the
- SMTP client cipher list at all security levels.
+ Postfix SMTP client cipher list at all TLS security
+ levels.
<b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
- List of ciphers or cipher types to exclude from the
- SMTP client cipher list at the mandatory TLS secu-
- rity levels: "encrypt", "verify" and "secure".
+ Additional list of ciphers or cipher types to
+ exclude from the SMTP client cipher list at manda-
+ tory TLS security levels.
<b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
- File with the Postfix SMTP client DSA certificate
+ File with the Postfix SMTP client DSA certificate
in PEM format.
<b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
- File with the Postfix SMTP client DSA private key
+ File with the Postfix SMTP client DSA private key
in PEM format.
<b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
- File with the Postfix SMTP client RSA private key
+ File with the Postfix SMTP client RSA private key
in PEM format.
<b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
- Enable additional Postfix SMTP client logging of
+ Enable additional Postfix SMTP client logging of
TLS activity.
<b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
- Log the hostname of a remote SMTP server that
- offers STARTTLS, when TLS is not already enabled
+ Log the hostname of a remote SMTP server that
+ offers STARTTLS, when TLS is not already enabled
for that server.
- <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
- Optional lookup tables with the Postfix SMTP client
- TLS security policy by next-hop destination; when a
- non-empty value is specified, this overrides the
- obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
-
- <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
- List of TLS protocol versions that are secure
- enough to be used with the "encrypt" security level
- and higher.
-
<b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (5)</b>
The verification depth for remote SMTP server cer-
tificates.
clear.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
- When TLS encryption is enforced, require that the
+ With mandatory TLS encryption, require that the
remote SMTP server hostname matches the information
in the remote SMTP server certificate.
TLS usage policy by next-hop destination and by
remote SMTP server hostname.
+ <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
+ Obsolete Postfix < 2.3 control for the Postfix SMTP
+ client TLS cipher list.
+
<b>RESOURCE AND RATE CONTROLS</b>
<b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b>
- The maximal number of parallel deliveries to the
- same destination via the smtp message delivery
+ The maximal number of parallel deliveries to the
+ same destination via the smtp message delivery
transport.
<b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b>
<b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b>
- The maximal number of recipients per delivery via
+ The maximal number of recipients per delivery via
the smtp message delivery transport.
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
- The SMTP client time limit for completing a TCP
+ The SMTP client time limit for completing a TCP
connection, or zero (use the operating system
built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
- The SMTP client time limit for sending the HELO or
- EHLO command, and for receiving the initial server
+ The SMTP client time limit for sending the HELO or
+ EHLO command, and for receiving the initial server
response.
<b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
- The LMTP client time limit for sending the LHLO
+ The LMTP client time limit for sending the LHLO
command, and for receiving the initial server
response.
command, and for receiving the server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
- The SMTP client time limit for sending the MAIL
- FROM command, and for receiving the server
+ The SMTP client time limit for sending the MAIL
+ FROM command, and for receiving the server
response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
- The SMTP client time limit for sending the SMTP
- RCPT TO command, and for receiving the server
+ The SMTP client time limit for sending the SMTP
+ RCPT TO command, and for receiving the server
response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
- The SMTP client time limit for sending the SMTP
- DATA command, and for receiving the server
+ The SMTP client time limit for sending the SMTP
+ DATA command, and for receiving the server
response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
- The SMTP client time limit for sending the SMTP
+ The SMTP client time limit for sending the SMTP
message content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
- The SMTP client time limit for sending the SMTP
+ The SMTP client time limit for sending the SMTP
".", and for receiving the server response.
<b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
- The SMTP client time limit for sending the QUIT
+ The SMTP client time limit for sending the QUIT
command, and for receiving the server response.
Available in Postfix version 2.1 and later:
lookups, or zero (no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
- The maximal number of SMTP sessions per delivery
- request before giving up or delivering to a fall-
+ The maximal number of SMTP sessions per delivery
+ request before giving up or delivering to a fall-
back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
- The SMTP client time limit for sending the RSET
+ The SMTP client time limit for sending the RSET
command, and for receiving the server response.
Available in Postfix version 2.2 and earlier:
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
- Permanently enable SMTP connection caching for the
+ Permanently enable SMTP connection caching for the
specified destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
- Temporarily enable SMTP connection caching while a
+ Temporarily enable SMTP connection caching while a
destination has a high volume of mail in the active
queue.
<b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
When SMTP connection caching is enabled, the amount
- of time that an unused SMTP client socket is kept
+ of time that an unused SMTP client socket is kept
open before it is closed.
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
- Time limit for connection cache connect, send or
+ Time limit for connection cache connect, send or
receive operations.
<b>TROUBLE SHOOTING CONTROLS</b>
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
- The increment in verbose logging level when a
- remote client or server matches a pattern in the
+ The increment in verbose logging level when a
+ remote client or server matches a pattern in the
<a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
- Optional list of remote client or server hostname
- or network address patterns that cause the verbose
- logging level to increase by the amount specified
+ Optional list of remote client or server hostname
+ or network address patterns that cause the verbose
+ logging level to increase by the amount specified
in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
- The recipient of postmaster notifications about
- mail delivery problems that are caused by policy,
+ The recipient of postmaster notifications about
+ mail delivery problems that are caused by policy,
resource, software or protocol errors.
+ <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
+ What categories of Postfix-generated mail are sub-
+ ject to before-queue content inspection by
+ <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
+
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
- The list of error classes that are reported to the
+ The list of error classes that are reported to the
postmaster.
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
- Where the Postfix SMTP client should deliver mail
+ Where the Postfix SMTP client should deliver mail
when it detects a "mail loops back to myself" error
condition.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
<a href="master.5.html">master.cf</a> configuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
- How much time a Postfix daemon process may take to
- handle a request before it is terminated by a
+ How much time a Postfix daemon process may take to
+ handle a request before it is terminated by a
built-in watchdog timer.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
- The maximal number of digits after the decimal
+ The maximal number of digits after the decimal
point when logging sub-second delay values.
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
- Disable DNS lookups in the Postfix SMTP and LMTP
+ Disable DNS lookups in the Postfix SMTP and LMTP
clients.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
tem receives mail on.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
- The Internet protocols Postfix will attempt to use
+ The Internet protocols Postfix will attempt to use
when making or accepting connections.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
over an internal communication channel.
<b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
- The default TCP port that the Postfix LMTP client
+ The default TCP port that the Postfix LMTP client
connects to.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
- The maximum amount of time that an idle Postfix
- daemon process waits for the next service request
+ The maximum amount of time that an idle Postfix
+ daemon process waits for the next service request
before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of connection requests before a
+ The maximal number of connection requests before a
Postfix daemon process terminates.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The network interface addresses that this mail sys-
- tem receives mail on by way of a proxy or network
+ tem receives mail on by way of a proxy or network
address translation unit.
<b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
- An optional numerical network address that the SMTP
- client should bind to when making an IPv4 connec-
- tion.
+ An optional numerical network address that the
+ Postfix SMTP client should bind to when making an
+ IPv4 connection.
<b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
- An optional numerical network address that the SMTP
- client should bind to when making an IPv6 connec-
- tion.
+ An optional numerical network address that the
+ Postfix SMTP client should bind to when making an
+ IPv6 connection.
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
- The hostname to send in the SMTP EHLO or HELO com-
+ The hostname to send in the SMTP EHLO or HELO com-
mand.
<b><a href="postconf.5.html#lmtp_lhloname">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
The hostname to send in the LMTP LHLO command.
<b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
- What mechanisms when the SMTP client uses to look
- up a host's IP address.
+ What mechanisms when the Postfix SMTP client uses
+ to look up a host's IP address.
<b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
- Randomize the order of equal-preference MX host
+ Randomize the order of equal-preference MX host
addresses.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
Available with Postfix 2.2 and earlier:
<b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
- Optional list of relay hosts for SMTP destinations
+ Optional list of relay hosts for SMTP destinations
that can't be found or that are unreachable.
Available with Postfix 2.3 and later:
<b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
- Optional list of relay hosts for SMTP destinations
+ Optional list of relay hosts for SMTP destinations
that can't be found or that are unreachable.
<b>SEE ALSO</b>
<a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
Detailed information about STARTTLS configuration may be
found in the <a href="TLS_README.html">TLS_README</a> document.
- <b><a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> (no)</b>
- Opportunistic mode: announce STARTTLS support to
- SMTP clients, but do not require that clients use
- TLS encryption.
-
- <b><a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> (no)</b>
- Enforcement mode: announce STARTTLS support to SMTP
- clients, and require that clients use TLS encryp-
- tion.
+ <b><a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> (empty)</b>
+ The SMTP TLS security level for the Postfix SMTP
+ server; when a non-empty value is specified, this
+ overrides the obsolete parameters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and
+ <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>.
<b><a href="postconf.5.html#smtpd_sasl_tls_security_options">smtpd_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_secu</a>-</b>
<b><a href="postconf.5.html#smtpd_sasl_security_options">rity_options</a>)</b>
- The SASL authentication security options that the
- Postfix SMTP server uses for TLS encrypted SMTP
+ The SASL authentication security options that the
+ Postfix SMTP server uses for TLS encrypted SMTP
sessions.
<b><a href="postconf.5.html#smtpd_starttls_timeout">smtpd_starttls_timeout</a> (300s)</b>
- The time limit for Postfix SMTP server write and
- read operations during TLS startup and shutdown
+ The time limit for Postfix SMTP server write and
+ read operations during TLS startup and shutdown
handshake procedures.
<b><a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> (empty)</b>
- The file with the certificate of the certification
- authority (CA) that issued the Postfix SMTP server
+ The file with the certificate of the certification
+ authority (CA) that issued the Postfix SMTP server
certificate.
<b><a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> (empty)</b>
- The file with the certificate of the certification
- authority (CA) that issued the Postfix SMTP server
+ The file with the certificate of the certification
+ authority (CA) that issued the Postfix SMTP server
certificate.
<b><a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> (no)</b>
- Ask a remote SMTP client for a client certificate.
+ Ask a remote SMTP client for a client certificate.
<b><a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> (no)</b>
When TLS encryption is optional in the Postfix SMTP
- server, do not announce or accept SASL authentica-
+ server, do not announce or accept SASL authentica-
tion over unencrypted connections.
<b><a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verifydepth</a> (5)</b>
- The verification depth for remote SMTP client cer-
+ The verification depth for remote SMTP client cer-
tificates.
<b><a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> (empty)</b>
- File with the Postfix SMTP server RSA certificate
+ File with the Postfix SMTP server RSA certificate
in PEM format.
- <b><a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> (export)</b>
- The minimum acceptable SMTP server TLS cipher
- grade.
-
<b><a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> (empty)</b>
List of ciphers or cipher types to exclude from the
- SMTP server cipher list.
+ SMTP server cipher list at all TLS security levels.
<b><a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a> (empty)</b>
- File with the Postfix SMTP server DSA certificate
+ File with the Postfix SMTP server DSA certificate
in PEM format.
<b><a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a> (empty)</b>
- File with DH parameters that the Postfix SMTP
+ File with DH parameters that the Postfix SMTP
server should use with EDH ciphers.
<b><a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a> (empty)</b>
- File with DH parameters that the Postfix SMTP
+ File with DH parameters that the Postfix SMTP
server should use with EDH ciphers.
<b><a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a> ($<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b>
- File with the Postfix SMTP server DSA private key
+ File with the Postfix SMTP server DSA private key
in PEM format.
<b><a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> ($<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b>
- File with the Postfix SMTP server RSA private key
+ File with the Postfix SMTP server RSA private key
in PEM format.
<b><a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> (0)</b>
- Enable additional Postfix SMTP server logging of
+ Enable additional Postfix SMTP server logging of
TLS activity.
- <b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (empty)</b>
- The list of TLS protocols supported by the server.
+ <b><a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> (medium)</b>
+ The minimum TLS cipher grade that the Postfix SMTP
+ server will use with mandatory TLS encryption.
+
+ <b><a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> (empty)</b>
+ Additional list of ciphers or cipher types to
+ exclude from the SMTP server cipher list at manda-
+ tory TLS security levels.
+
+ <b><a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
+ The TLS protocols accepted by the Postfix SMTP
+ server with mandatory TLS encryption.
<b><a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> (no)</b>
Request that the Postfix SMTP server produces
CommonName.
<b><a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> (no)</b>
- When TLS encryption is enforced, require a remote
+ With mandatory TLS encryption, require a remote
SMTP client certificate in order to allow TLS con-
nections to proceed.
The OpenSSL cipherlist for "NULL" grade ciphers
that provide authentication without encryption.
+<b>OBSOLETE STARTTLS CONTROLS</b>
+ The following configuration parameters exist for compati-
+ bility with Postfix versions before 2.3. Support for these
+ will be removed in a future release.
+
+ <b><a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> (no)</b>
+ Opportunistic TLS: announce STARTTLS support to
+ SMTP clients, but do not require that clients use
+ TLS encryption.
+
+ <b><a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> (no)</b>
+ Mandatory TLS: announce STARTTLS support to SMTP
+ clients, and require that clients use TLS encryp-
+ tion.
+
+ <b><a href="postconf.5.html#smtpd_tls_cipherlist">smtpd_tls_cipherlist</a> (empty)</b>
+ Obsolete Postfix < 2.3 control for the Postfix SMTP
+ server TLS cipher list.
+
<b>VERP SUPPORT CONTROLS</b>
- With VERP style delivery, each recipient of a message
+ With VERP style delivery, each recipient of a message
receives a customized copy of the message with his/her own
- recipient address encoded in the envelope sender address.
+ recipient address encoded in the envelope sender address.
The <a href="VERP_README.html">VERP_README</a> file describes configuration and operation
- details of Postfix support for variable envelope return
+ details of Postfix support for variable envelope return
path addresses. VERP style delivery is requested with the
- SMTP XVERP command or with the "sendmail -V" command-line
- option and is available in Postfix version 1.1 and later.
+ SMTP XVERP command or with the "sendmail -V" command-line
+ option and is available in Postfix version 1.1 and later.
<b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a> (+=)</b>
The two default VERP delimiter characters.
<b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b>
- The characters Postfix accepts as VERP delimiter
- characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
+ The characters Postfix accepts as VERP delimiter
+ characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
and in SMTP commands.
Available in Postfix version 1.1 and 2.0:
<b><a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
- What SMTP clients are allowed to specify the XVERP
+ What SMTP clients are allowed to specify the XVERP
command.
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtpd_authorized_verp_clients">smtpd_authorized_verp_clients</a> ($<a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a>)</b>
- What SMTP clients are allowed to specify the XVERP
+ What SMTP clients are allowed to specify the XVERP
command.
<b>TROUBLE SHOOTING CONTROLS</b>
- The <a href="DEBUG_README.html">DEBUG_README</a> document describes how to debug parts of
- the Postfix mail system. The methods vary from making the
- software log a lot of detail, to running some daemon pro-
+ The <a href="DEBUG_README.html">DEBUG_README</a> document describes how to debug parts of
+ the Postfix mail system. The methods vary from making the
+ software log a lot of detail, to running some daemon pro-
cesses under control of a call tracer or debugger.
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
- The increment in verbose logging level when a
- remote client or server matches a pattern in the
+ The increment in verbose logging level when a
+ remote client or server matches a pattern in the
<a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
- Optional list of remote client or server hostname
- or network address patterns that cause the verbose
- logging level to increase by the amount specified
+ Optional list of remote client or server hostname
+ or network address patterns that cause the verbose
+ logging level to increase by the amount specified
in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
- The recipient of postmaster notifications about
- mail delivery problems that are caused by policy,
+ The recipient of postmaster notifications about
+ mail delivery problems that are caused by policy,
resource, software or protocol errors.
+ <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
+ What categories of Postfix-generated mail are sub-
+ ject to before-queue content inspection by
+ <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
+
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
- The list of error classes that are reported to the
+ The list of error classes that are reported to the
postmaster.
<b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtpd_authorized_xclient_hosts">smtpd_authorized_xclient_hosts</a> (empty)</b>
- What SMTP clients are allowed to use the XCLIENT
+ What SMTP clients are allowed to use the XCLIENT
feature.
<b>KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS</b>
- As of Postfix version 2.0, the SMTP server rejects mail
- for unknown recipients. This prevents the mail queue from
- clogging up with undeliverable MAILER-DAEMON messages.
- Additional information on this topic is in the
+ As of Postfix version 2.0, the SMTP server rejects mail
+ for unknown recipients. This prevents the mail queue from
+ clogging up with undeliverable MAILER-DAEMON messages.
+ Additional information on this topic is in the
<a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a> and <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> documents.
<b><a href="postconf.5.html#show_user_unknown_table_name">show_user_unknown_table_name</a> (yes)</b>
- Display the name of the recipient table in the
+ Display the name of the recipient table in the
"User unknown" responses.
<b><a href="postconf.5.html#canonical_maps">canonical_maps</a> (empty)</b>
- Optional address mapping lookup tables for message
+ Optional address mapping lookup tables for message
headers and envelopes.
<b><a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> (empty)</b>
<b><a href="postconf.5.html#mydestination">mydestination</a> ($<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, local-</b>
<b>host)</b>
- The list of domains that are delivered via the
+ The list of domains that are delivered via the
$<a href="postconf.5.html#local_transport">local_transport</a> mail delivery transport.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The network interface addresses that this mail sys-
- tem receives mail on by way of a proxy or network
+ tem receives mail on by way of a proxy or network
address translation unit.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
- The Internet protocols Postfix will attempt to use
+ The Internet protocols Postfix will attempt to use
when making or accepting connections.
<b><a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> (<a href="proxymap.8.html">proxy</a>:unix:passwd.byname</b>
<b>$<a href="postconf.5.html#alias_maps">alias_maps</a>)</b>
- Lookup tables with all names or addresses of local
- recipients: a recipient address is local when its
- domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or
+ Lookup tables with all names or addresses of local
+ recipients: a recipient address is local when its
+ domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or
$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>.
<b><a href="postconf.5.html#unknown_local_recipient_reject_code">unknown_local_recipient_reject_code</a> (550)</b>
- The numerical Postfix SMTP server response code
- when a recipient address is local, and
- $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies a list of lookup
+ The numerical Postfix SMTP server response code
+ when a recipient address is local, and
+ $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies a list of lookup
tables that does not match the recipient.
- Parameters concerning known/unknown recipients of relay
+ Parameters concerning known/unknown recipients of relay
destinations:
<b><a href="postconf.5.html#relay_domains">relay_domains</a> ($<a href="postconf.5.html#mydestination">mydestination</a>)</b>
- What destination domains (and subdomains thereof)
+ What destination domains (and subdomains thereof)
this system will relay mail to.
<b><a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> (empty)</b>
- Optional lookup tables with all valid addresses in
+ Optional lookup tables with all valid addresses in
the domains that match $<a href="postconf.5.html#relay_domains">relay_domains</a>.
<b><a href="postconf.5.html#unknown_relay_recipient_reject_code">unknown_relay_recipient_reject_code</a> (550)</b>
The numerical Postfix SMTP server reply code when a
- recipient address matches $<a href="postconf.5.html#relay_domains">relay_domains</a>, and
- <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> specifies a list of lookup
+ recipient address matches $<a href="postconf.5.html#relay_domains">relay_domains</a>, and
+ <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> specifies a list of lookup
tables that does not match the recipient address.
- Parameters concerning known/unknown recipients in virtual
+ Parameters concerning known/unknown recipients in virtual
alias domains:
<b><a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> ($<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>)</b>
Postfix is final destination for the specified list
- of virtual alias domains, that is, domains for
- which all addresses are aliased to addresses in
+ of virtual alias domains, that is, domains for
+ which all addresses are aliased to addresses in
other local or remote domains.
<b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> ($<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b>
- Optional lookup tables that alias specific mail
- addresses or domains to other local or remote
+ Optional lookup tables that alias specific mail
+ addresses or domains to other local or remote
address.
<b><a href="postconf.5.html#unknown_virtual_alias_reject_code">unknown_virtual_alias_reject_code</a> (550)</b>
The SMTP server reply code when a recipient address
- matches
$<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, and $<a href="postconf.5.html#virtual_alias_maps">vir</a>-
- <a href="postconf.5.html#virtual_alias_maps">tual_alias_maps</a> specifies a list of lookup tables
+ matches
$<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, and $<a href="postconf.5.html#virtual_alias_maps">vir</a>-
+ <a href="postconf.5.html#virtual_alias_maps">tual_alias_maps</a> specifies a list of lookup tables
that does not match the recipient address.
- Parameters concerning known/unknown recipients in virtual
+ Parameters concerning known/unknown recipients in virtual
mailbox domains:
<b><a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> ($<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>)</b>
Postfix is final destination for the specified list
- of
domains; mail is delivered via the $<a href="postconf.5.html#virtual_transport">vir</a>-
+ of
domains; mail is delivered via the $<a href="postconf.5.html#virtual_transport">vir</a>-
<a href="postconf.5.html#virtual_transport">tual_transport</a> mail delivery transport.
<b><a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> (empty)</b>
- Optional lookup tables with all valid addresses in
+ Optional lookup tables with all valid addresses in
the domains that match $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.
<b><a href="postconf.5.html#unknown_virtual_mailbox_reject_code">unknown_virtual_mailbox_reject_code</a> (550)</b>
The SMTP server reply code when a recipient address
- matches
$<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and $<a href="postconf.5.html#virtual_mailbox_maps">vir</a>-
+ matches
$<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and $<a href="postconf.5.html#virtual_mailbox_maps">vir</a>-
<a href="postconf.5.html#virtual_mailbox_maps">tual_mailbox_maps</a> specifies a list of lookup tables
that does not match the recipient address.
<b>RESOURCE AND RATE CONTROLS</b>
- The following parameters limit resource usage by the SMTP
+ The following parameters limit resource usage by the SMTP
server and/or control client request rates.
<b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
- Upon input, long lines are chopped up into pieces
- of at most this length; upon delivery, long lines
+ Upon input, long lines are chopped up into pieces
+ of at most this length; upon delivery, long lines
are reconstructed.
<b><a href="postconf.5.html#queue_minfree">queue_minfree</a> (0)</b>
- The minimal amount of free space in bytes in the
+ The minimal amount of free space in bytes in the
queue file system that is needed to receive mail.
<b><a href="postconf.5.html#message_size_limit">message_size_limit</a> (10240000)</b>
- The maximal size in bytes of a message, including
+ The maximal size in bytes of a message, including
envelope information.
<b><a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a> (1000)</b>
- The maximal number of recipients that the Postfix
+ The maximal number of recipients that the Postfix
SMTP server accepts per message delivery request.
<b><a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> (300s)</b>
- The time limit for sending a Postfix SMTP server
- response and for receiving a remote SMTP client
+ The time limit for sending a Postfix SMTP server
+ response and for receiving a remote SMTP client
request.
<b><a href="postconf.5.html#smtpd_history_flush_threshold">smtpd_history_flush_threshold</a> (100)</b>
- The maximal number of lines in the Postfix SMTP
- server command history before it is flushed upon
+ The maximal number of lines in the Postfix SMTP
+ server command history before it is flushed upon
receipt of EHLO, RSET, or end of DATA.
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#smtpd_peername_lookup">smtpd_peername_lookup</a> (yes)</b>
- Attempt to look up the SMTP client hostname, and
- verify that the name matches the client IP address.
+ Attempt to look up the Postfix SMTP client host-
+ name, and verify that the name matches the client
+ IP address.
The per SMTP client connection count and request rate lim-
its are implemented in co-operation with the <a href="anvil.8.html"><b>anvil</b>(8)</a> ser-
- vice, and are available in Postfix version 2.2 and later.
+ vice, and are available in Postfix version 2.2 and later.
<b><a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a> (50)</b>
- How many simultaneous connections any client is
+ How many simultaneous connections any client is
allowed to make to this service.
<b><a href="postconf.5.html#smtpd_client_connection_rate_limit">smtpd_client_connection_rate_limit</a> (0)</b>
The maximal number of connection attempts any
- client is allowed to make to this service per time
+ client is allowed to make to this service per time
unit.
<b><a href="postconf.5.html#smtpd_client_message_rate_limit">smtpd_client_message_rate_limit</a> (0)</b>
- The maximal number of message delivery requests
- that any client is allowed to make to this service
+ The maximal number of message delivery requests
+ that any client is allowed to make to this service
per time unit, regardless of whether or not Postfix
actually accepts those messages.
<b><a href="postconf.5.html#smtpd_client_recipient_rate_limit">smtpd_client_recipient_rate_limit</a> (0)</b>
- The maximal number of recipient addresses that any
- client is allowed to send to this service per time
+ The maximal number of recipient addresses that any
+ client is allowed to send to this service per time
unit, regardless of whether or not Postfix actually
accepts those recipients.
<b><a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
- Clients that are excluded from connection count,
+ Clients that are excluded from connection count,
connection rate, or SMTP request rate restrictions.
Available in Postfix version 2.3 and later:
tiate with this service per time unit.
<b>TARPIT CONTROLS</b>
- When a remote SMTP client makes errors, the Postfix SMTP
- server can insert delays before responding. This can help
- to slow down run-away software. The behavior is con-
- trolled by an error counter that counts the number of
- errors within an SMTP session that a client makes without
+ When a remote SMTP client makes errors, the Postfix SMTP
+ server can insert delays before responding. This can help
+ to slow down run-away software. The behavior is con-
+ trolled by an error counter that counts the number of
+ errors within an SMTP session that a client makes without
delivering mail.
<b><a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a> (1s)</b>
With Postfix version 2.1 and later: the SMTP server
- response delay after a client has made more than
- $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> errors, and fewer than
- $<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> errors, without delivering
+ response delay after a client has made more than
+ $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> errors, and fewer than
+ $<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> errors, without delivering
mail.
<b><a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> (10)</b>
- The number of errors a remote SMTP client is
- allowed to make without delivering mail before the
+ The number of errors a remote SMTP client is
+ allowed to make without delivering mail before the
Postfix SMTP server slows down all its responses.
<b><a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> (20)</b>
- The maximal number of errors a remote SMTP client
+ The maximal number of errors a remote SMTP client
is allowed to make without delivering mail.
<b><a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> (100)</b>
- The number of junk commands (NOOP, VRFY, ETRN or
+ The number of junk commands (NOOP, VRFY, ETRN or
RSET) that a remote SMTP client can send before the
- Postfix SMTP server starts to increment the error
+ Postfix SMTP server starts to increment the error
counter with each junk command.
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtpd_recipient_overshoot_limit">smtpd_recipient_overshoot_limit</a> (1000)</b>
- The number of recipients that a remote SMTP client
- can send in excess of the limit specified with
+ The number of recipients that a remote SMTP client
+ can send in excess of the limit specified with
$<a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a>, before the Postfix SMTP
- server increments the per-session error count for
+ server increments the per-session error count for
each excess recipient.
<b>ACCESS POLICY DELEGATION CONTROLS</b>
- As of version 2.1, Postfix can be configured to delegate
- access policy decisions to an external server that runs
- outside Postfix. See the file <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a> for
+ As of version 2.1, Postfix can be configured to delegate
+ access policy decisions to an external server that runs
+ outside Postfix. See the file <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a> for
more information.
<b><a href="postconf.5.html#smtpd_policy_service_max_idle">smtpd_policy_service_max_idle</a> (300s)</b>
- The time after which an idle SMTPD policy service
+ The time after which an idle SMTPD policy service
connection is closed.
<b><a href="postconf.5.html#smtpd_policy_service_max_ttl">smtpd_policy_service_max_ttl</a> (1000s)</b>
connection is closed.
<b><a href="postconf.5.html#smtpd_policy_service_timeout">smtpd_policy_service_timeout</a> (100s)</b>
- The time limit for connecting to, writing to or
+ The time limit for connecting to, writing to or
receiving from a delegated SMTPD policy server.
<b>ACCESS CONTROLS</b>
- The <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a> document gives an introduction to
+ The <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a> document gives an introduction to
all the SMTP server access control features.
<b><a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> (yes)</b>
- Wait until the RCPT TO command before evaluating
+ Wait until the RCPT TO command before evaluating
$<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>, $smtpd_helo_restric-
tions and $<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a>, or wait until
- the ETRN command before evaluating
+ the ETRN command before evaluating
$<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> and $smtpd_helo_restric-
tions.
- <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf -d' out-</b>
+ <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf -d' out-</b>
<b>put)</b>
What Postfix features match subdomains of
"domain.tld" automatically, instead of requiring an
explicit ".domain.tld" pattern.
<b><a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> (empty)</b>
- Optional SMTP server access restrictions in the
+ Optional SMTP server access restrictions in the
context of a client SMTP connection request.
<b><a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> (no)</b>
Require that a remote SMTP client introduces itself
- at the beginning of an SMTP session with the HELO
+ at the beginning of an SMTP session with the HELO
or EHLO command.
<b><a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> (empty)</b>
- Optional restrictions that the Postfix SMTP server
+ Optional restrictions that the Postfix SMTP server
applies in the context of the SMTP HELO command.
<b><a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> (empty)</b>
- Optional restrictions that the Postfix SMTP server
+ Optional restrictions that the Postfix SMTP server
applies in the context of the MAIL FROM command.
<b><a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,</b>
<b><a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>)</b>
The access restrictions that the Postfix SMTP
- server applies in the context of the RCPT TO com-
+ server applies in the context of the RCPT TO com-
mand.
<b><a href="postconf.5.html#smtpd_etrn_restrictions">smtpd_etrn_restrictions</a> (empty)</b>
- Optional SMTP server access restrictions in the
+ Optional SMTP server access restrictions in the
context of a client ETRN request.
<b><a href="postconf.5.html#allow_untrusted_routing">allow_untrusted_routing</a> (no)</b>
- Forward mail with sender-specified routing
- (user[@%!]remote[@%!]site) from untrusted clients
+ Forward mail with sender-specified routing
+ (user[@%!]remote[@%!]site) from untrusted clients
to destinations matching $<a href="postconf.5.html#relay_domains">relay_domains</a>.
<b><a href="postconf.5.html#smtpd_restriction_classes">smtpd_restriction_classes</a> (empty)</b>
- User-defined aliases for groups of access restric-
+ User-defined aliases for groups of access restric-
tions.
<b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a> (</b><><b>)</b>
- The lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a> tables
+ The lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a> tables
instead of the null sender address.
<b><a href="postconf.5.html#permit_mx_backup_networks">permit_mx_backup_networks</a> (empty)</b>
Restrict the use of the <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> SMTP
- access feature to only domains whose primary MX
+ access feature to only domains whose primary MX
hosts match the listed networks.
Available in Postfix version 2.0 and later:
<b><a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> (empty)</b>
- Optional access restrictions that the Postfix SMTP
+ Optional access restrictions that the Postfix SMTP
server applies in the context of the SMTP DATA com-
mand.
<b><a href="postconf.5.html#smtpd_expansion_filter">smtpd_expansion_filter</a> (see 'postconf -d' output)</b>
- What characters are allowed in $name expansions of
+ What characters are allowed in $name expansions of
RBL reply templates.
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> (no)</b>
- Request that the Postfix SMTP server rejects mail
- from unknown sender addresses, even when no
- explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access restriction
+ Request that the Postfix SMTP server rejects mail
+ from unknown sender addresses, even when no
+ explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access restriction
is specified.
<b><a href="postconf.5.html#smtpd_reject_unlisted_recipient">smtpd_reject_unlisted_recipient</a> (yes)</b>
- Request that the Postfix SMTP server rejects mail
+ Request that the Postfix SMTP server rejects mail
for unknown recipient addresses, even when no
- explicit <a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a> access restric-
+ explicit <a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a> access restric-
tion is specified.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a> (empty)</b>
- Optional access restrictions that the Postfix SMTP
- server applies in the context of the SMTP END-OF-
+ Optional access restrictions that the Postfix SMTP
+ server applies in the context of the SMTP END-OF-
DATA command.
<b>SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS</b>
- Postfix version 2.1 introduces sender and recipient
- address verification. This feature is implemented by
- sending probe email messages that are not actually deliv-
- ered.
This feature is requested via the <a href="postconf.5.html#reject_unverified_sender">reject_unveri</a>-
- <a href="postconf.5.html#reject_unverified_sender">fied_sender</a> and <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> access
- restrictions. The status of verification probes is main-
+ Postfix version 2.1 introduces sender and recipient
+ address verification. This feature is implemented by
+ sending probe email messages that are not actually deliv-
+ ered.
This feature is requested via the <a href="postconf.5.html#reject_unverified_sender">reject_unveri</a>-
+ <a href="postconf.5.html#reject_unverified_sender">fied_sender</a> and <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> access
+ restrictions. The status of verification probes is main-
tained by the <a href="verify.8.html"><b>verify</b>(8)</a> server. See the file <a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VER</a>-
- <a href="ADDRESS_VERIFICATION_README.html">IFICATION_README</a> for information about how to configure
+ <a href="ADDRESS_VERIFICATION_README.html">IFICATION_README</a> for information about how to configure
and operate the Postfix sender/recipient address verifica-
tion service.
<b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (3)</b>
- How many times to query the <a href="verify.8.html"><b>verify</b>(8)</a> service for
- the completion of an address verification request
+ How many times to query the <a href="verify.8.html"><b>verify</b>(8)</a> service for
+ the completion of an address verification request
in progress.
<b><a href="postconf.5.html#address_verify_poll_delay">address_verify_poll_delay</a> (3s)</b>
- The delay between queries for the completion of an
+ The delay between queries for the completion of an
address verification request in progress.
<b><a href="postconf.5.html#address_verify_sender">address_verify_sender</a> (postmaster)</b>
- The sender address to use in address verification
+ The sender address to use in address verification
probes.
<b><a href="postconf.5.html#unverified_sender_reject_code">unverified_sender_reject_code</a> (450)</b>
- The numerical Postfix SMTP server response code
- when a recipient address is rejected by the
+ The numerical Postfix SMTP server response code
+ when a recipient address is rejected by the
<a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> restriction.
<b><a href="postconf.5.html#unverified_recipient_reject_code">unverified_recipient_reject_code</a> (450)</b>
- The numerical Postfix SMTP server response when a
+ The numerical Postfix SMTP server response when a
recipient address is rejected by the <a href="postconf.5.html#reject_unverified_recipient">reject_unveri</a>-
<a href="postconf.5.html#reject_unverified_recipient">fied_recipient</a> restriction.
<b>ACCESS CONTROL RESPONSES</b>
- The following parameters control numerical SMTP reply
+ The following parameters control numerical SMTP reply
codes and/or text responses.
<b><a href="postconf.5.html#access_map_reject_code">access_map_reject_code</a> (554)</b>
- The numerical Postfix SMTP server response code
- when a client is rejected by an <a href="access.5.html"><b>access</b>(5)</a> map
+ The numerical Postfix SMTP server response code
+ when a client is rejected by an <a href="access.5.html"><b>access</b>(5)</a> map
restriction.
<b><a href="postconf.5.html#defer_code">defer_code</a> (450)</b>
- The numerical Postfix SMTP server response code
- when a remote SMTP client request is rejected by
+ The numerical Postfix SMTP server response code
+ when a remote SMTP client request is rejected by
the "defer" restriction.
<b><a href="postconf.5.html#invalid_hostname_reject_code">invalid_hostname_reject_code</a> (501)</b>
- The numerical Postfix SMTP server response code
- when the client HELO or EHLO command parameter is
- rejected
by the <a href="postconf.5.html#reject_invalid_helo_hostname">reject_invalid_helo_hostname</a>
+ The numerical Postfix SMTP server response code
+ when the client HELO or EHLO command parameter is
+ rejected
by the <a href="postconf.5.html#reject_invalid_helo_hostname">reject_invalid_helo_hostname</a>
restriction.
<b><a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> (554)</b>
- The numerical Postfix SMTP server response code
+ The numerical Postfix SMTP server response code
when a remote SMTP client request is blocked by the
<a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>, <a href="postconf.5.html#reject_rhsbl_client">reject_rhsbl_client</a>,
<a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> or <a href="postconf.5.html#reject_rhsbl_recipient">reject_rhsbl_recipient</a>
<b><a href="postconf.5.html#non_fqdn_reject_code">non_fqdn_reject_code</a> (504)</b>
The numerical Postfix SMTP server reply code when a
- client request is rejected by the
+ client request is rejected by the
<a href="postconf.5.html#reject_non_fqdn_helo_hostname">reject_non_fqdn_helo_hostname</a>,
<a href="postconf.5.html#reject_non_fqdn_sender">reject_non_fqdn_sender</a> or <a href="postconf.5.html#reject_non_fqdn_recipient">reject_non_fqdn_recipient</a>
restriction.
<b><a href="postconf.5.html#plaintext_reject_code">plaintext_reject_code</a> (450)</b>
- The numerical Postfix SMTP server response code
- when a request is rejected by the <b>reject_plain-</b>
+ The numerical Postfix SMTP server response code
+ when a request is rejected by the <b>reject_plain-</b>
<b>text_session</b> restriction.
<b><a href="postconf.5.html#reject_code">reject_code</a> (554)</b>
- The numerical Postfix SMTP server response code
- when a remote SMTP client request is rejected by
+ The numerical Postfix SMTP server response code
+ when a remote SMTP client request is rejected by
the "reject" restriction.
<b><a href="postconf.5.html#relay_domains_reject_code">relay_domains_reject_code</a> (554)</b>
- The numerical Postfix SMTP server response code
- when a client request is rejected by the
+ The numerical Postfix SMTP server response code
+ when a client request is rejected by the
<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> recipient restriction.
<b><a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> (450)</b>
- The numerical Postfix SMTP server response code
- when a sender or recipient address is rejected by
+ The numerical Postfix SMTP server response code
+ when a sender or recipient address is rejected by
the <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> or
<a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a> restriction.
<b><a href="postconf.5.html#unknown_client_reject_code">unknown_client_reject_code</a> (450)</b>
- The numerical Postfix SMTP server response code
- when a client without valid address <=> name map-
+ The numerical Postfix SMTP server response code
+ when a client without valid address <=> name map-
ping is rejected by the reject_unknown_client_host-
name restriction.
<b><a href="postconf.5.html#unknown_hostname_reject_code">unknown_hostname_reject_code</a> (450)</b>
- The numerical Postfix SMTP server response code
- when the hostname specified with the HELO or EHLO
- command is rejected by the
+ The numerical Postfix SMTP server response code
+ when the hostname specified with the HELO or EHLO
+ command is rejected by the
<a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a> restriction.
Available in Postfix version 2.0 and later:
<b><a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> (see 'postconf -d' output)</b>
- The default SMTP server response template for a
- request that is rejected by an RBL-based restric-
+ The default SMTP server response template for a
+ request that is rejected by an RBL-based restric-
tion.
<b><a href="postconf.5.html#multi_recipient_bounce_reject_code">multi_recipient_bounce_reject_code</a> (550)</b>
- The numerical Postfix SMTP server response code
+ The numerical Postfix SMTP server response code
when a remote SMTP client request is blocked by the
<a href="postconf.5.html#reject_multi_recipient_bounce">reject_multi_recipient_bounce</a> restriction.
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
<a href="master.5.html">master.cf</a> configuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
- How much time a Postfix daemon process may take to
- handle a request before it is terminated by a
+ How much time a Postfix daemon process may take to
+ handle a request before it is terminated by a
built-in watchdog timer.
<b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
- The location of all postfix administrative com-
+ The location of all postfix administrative com-
mands.
<b><a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a> (double-bounce)</b>
and most Postfix daemon processes.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
- The maximum amount of time that an idle Postfix
- daemon process waits for the next service request
+ The maximum amount of time that an idle Postfix
+ daemon process waits for the next service request
before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of connection requests before a
+ The maximal number of connection requests before a
Postfix daemon process terminates.
<b><a href="postconf.5.html#myhostname">myhostname</a> (see 'postconf -d' output)</b>
The internet hostname of this mail system.
<b><a href="postconf.5.html#mynetworks">mynetworks</a> (see 'postconf -d' output)</b>
- The list of "trusted" SMTP clients that have more
+ The list of "trusted" SMTP clients that have more
privileges than "strangers".
<b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
The domain name that locally-posted mail appears to
- come from, and that locally posted mail is deliv-
+ come from, and that locally posted mail is deliv-
ered to.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
sions (user+foo).
<b><a href="postconf.5.html#smtpd_banner">smtpd_banner</a> ($<a href="postconf.5.html#myhostname">myhostname</a> ESMTP $<a href="postconf.5.html#mail_name">mail_name</a>)</b>
- The text that follows the 220 status code in the
+ The text that follows the 220 status code in the
SMTP greeting banner.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a> (CONNECT, GET, POST)</b>
- List of commands that causes the Postfix SMTP
- server to immediately terminate the session with a
+ List of commands that causes the Postfix SMTP
+ server to immediately terminate the session with a
221 code.
<b>SEE ALSO</b>
<a href="XFORWARD_README.html">XFORWARD_README</a>, Postfix XFORWARD extension
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
lookups are directed to a TCP-based server. For a descrip-
tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
<a href="tcp_table.5.html"><b>ble</b>(5)</a>. This feature is not available up to and including
- Postfix version 2.2.
+ Postfix version 2.3.
Each lookup operation uses the entire recipient address
once. Thus, <i>some.domain.hierarchy</i> is not looked up via
lookups are directed to a TCP-based server. For a descrip-
tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
<a href="tcp_table.5.html"><b>ble</b>(5)</a>. This feature is not available up to and including
- Postfix version 2.2.
+ Postfix version 2.3.
Each lookup operation uses the entire address once. Thus,
<i>user@domain</i> mail addresses are not broken up into their
--- /dev/null
+Postfix DSN support implementation notes
+========================================
+
+In delivery status reports, Postfix now properly reports remote
+LMTP/SMTP server replies with Diagnostic-Type: SMTP, with the
+Diagnostic-Code: equal to the server reply, and with Remote-MTA:
+equal to the name of the remote MTA.
+
+Of course Postfix still produces the same "informal" error descriptions
+that it produced before (for example, the error text that appears
+in the first section of a bounce report).
+
+Other error reports are not in the form of SMTP-style replies.
+
+- The Postfix LMTP/SMTP client generates Diagnostic-Type: X-Postfix
+for locally generated errors (host not found, connection timed out
+etc.). It generates Diagnostic-Type: SMTP only for replies from
+an SMTP server.
+
+- The queue manager generates Diagnostic-Type: X-Postfix for errors
+that it detects. It also receives error information from delivery
+agents and reports that information unmodified when it decides to
+"temporarily suspend" a delivery channel.
+
+- The "pipe to command" code in local(8) and pipe(8) produces
+Diagnostic-Type: X-UNIX, and Diagnostic-Code: text that is taken
+from /usr/include/sysexits.h or from the command output.
+
+- The code that delivers to mailbox produces Diagnostic-Type:
+X-Postfix and Diagnostic-Code: text that is the same good old
+Postfix error message that we are already familiar with. Typically
+these are errno-style reports about locking a file or appending a
+file.
convenience, the SMTP client top-level code automatically changes
the initial digit into '4' or '5' as appropriate.
-- The above two points also apply to the LMTP client.
-
- In the SMTP server, don't worry about the initial enhanced status
code digit when an smtpd_mumble_restriction rejects access. For
convenience, the smtpd_check_reject() routine automatically changes
This section describes how the table lookups change when lookups
are directed to a TCP-based server. For a description of the TCP
client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.2.
+This feature is not available up to and including Postfix version 2.3.
Each lookup operation uses the entire query string once.
Depending on the application, that string is an entire client
This section describes how the table lookups change when lookups
are directed to a TCP-based server. For a description of the TCP
client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.2.
+This feature is not available up to and including Postfix version 2.3.
Each lookup operation uses the entire address once. Thus,
\fIuser@domain\fR mail addresses are not broken up into their
This section describes how the table lookups change when lookups
are directed to a TCP-based server. For a description of the TCP
client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.2.
+This feature is not available up to and including Postfix version 2.3.
Each lookup operation uses the entire address once. Thus,
\fIuser@domain\fR mail addresses are not broken up into their
place.
.sp
The files in the examples/chroot-setup subdirectory of the
-Postfix source archive describe how to set up a Postfix
-chroot environment for your type of machine, and
-BASIC_CONFIGURATION_README discusses issues related to
-running daemons chrooted.
+Postfix source archive show set up a Postfix chroot environment
+on a variety of systems. See also BASIC_CONFIGURATION_README
+for issues related to running daemons chrooted.
.IP "\fBWake up time (default: 0)\fR"
Automatically wake up the named service after the specified
number of seconds. The wake up is implemented by connecting
to the service and sending a wake up request. A ? at the
-end of the wake-up time field requests that wake up events
-be sent only to services that are actually being used.
+end of the wake-up time field requests that no wake up
+events be sent before the service is used.
Specify 0 for no automatic wake up.
.sp
The \fBpickup\fR(8), \fBqmgr\fR(8) and \fBflush\fR(8)
the Postfix SMTP client returns such mail as undeliverable.
.PP
Specify, for example, "best_mx_transport = local" to pass the mail
-from the SMTP client to the \fBlocal\fR(8) delivery agent. You can specify
+from the Postfix SMTP client to the \fBlocal\fR(8) delivery agent. You
+can specify
any message delivery "transport" or "transport:nexthop" that is
defined in the master.cf file. See the \fBtransport\fR(5) manual page
for the syntax and meaning of "transport" or "transport:nexthop".
.PP
A better solution for multi-homed firewalls is to leave inet_interfaces
at the default value and instead use explicit IP addresses in
-the master.cf SMTP server definitions. This preserves the SMTP client's
+the master.cf SMTP server definitions. This preserves the Postfix
+SMTP client's
loop detection, by ensuring that each side of the firewall knows that the
other IP address is still the same host. Setting $inet_interfaces to a
single IPv4 and/or IPV6 address is primarily useful with virtual
.PP
Warning: with concurrency of 1, one bad message can be enough to
block all mail to a site.
+.SH internal_mail_filter_classes (default: empty)
+What categories of Postfix-generated mail are subject to
+before-queue content inspection by non_smtpd_milters, header_checks
+and body_checks. Specify zero or more of the following, separated
+by whitespace or comma.
+.IP "\fB bounce \fR"
+Inspect the content of delivery
+status notifications.
+.IP "\fB notify \fR"
+Inspect the content of postmaster
+notifications by the \fBsmtp\fR(8) and \fBsmtpd\fR(8) processes.
+.PP
+NOTE: It's generally not safe to enable content inspection of
+Postfix-generated email messages. The user is warned.
+.PP
+This feature is available in Postfix 2.3 and later.
.SH invalid_hostname_reject_code (default: 501)
The numerical Postfix SMTP server response code when the client
HELO or EHLO command parameter is rejected by the reject_invalid_helo_hostname
The default time unit is s (seconds).
.SH lmtp_sasl_auth_enable (default: no)
Enable SASL authentication in the Postfix LMTP client.
+.SH lmtp_sasl_auth_enforce (default: yes)
+The LMTP-specific version of the smtp_sasl_auth_enforce
+configuration parameter. See there for details.
+.PP
+This feature is available in Postfix 2.3 and later.
.SH lmtp_sasl_mechanism_filter (default: empty)
The LMTP-specific version of the smtp_sasl_mechanism_filter
configuration parameter. See there for details.
lists: Postfix needs to know only if a lookup string is found or
not, but it does not use the result from table lookup.
.PP
-If this parameter is non-empty (the default), then the Postfix SMTP server
-will reject mail for unknown local users.
+If this parameter is non-empty (the default), then the Postfix SMTP
+server will reject mail for unknown local users.
.PP
To turn off local recipient checking in the Postfix SMTP server,
specify "local_recipient_maps =" (i.e. empty).
the word "ESMTP" appears in the server greeting banner (example:
220 spike.porcupine.org ESMTP Postfix).
.SH smtp_bind_address (default: empty)
-An optional numerical network address that the SMTP client should
-bind to when making an IPv4 connection.
+An optional numerical network address that the Postfix SMTP client
+should bind to when making an IPv4 connection.
.PP
This can be specified in the main.cf file for all SMTP clients, or
it can be specified in the master.cf file for a specific client,
Note 2: address information may be enclosed inside [],
but this form is not recommended here.
.SH smtp_bind_address6 (default: empty)
-An optional numerical network address that the SMTP client should
-bind to when making an IPv6 connection.
+An optional numerical network address that the Postfix SMTP client
+should bind to when making an IPv6 connection.
.PP
This feature is available in Postfix 2.2 and later.
.PP
The SMTP client time limit for completing a TCP connection, or
zero (use the operating system built-in time limit).
.PP
-When no connection can be made within the deadline, the SMTP client
+When no connection can be made within the deadline, the Postfix
+SMTP client
tries the next address on the mail exchanger list. Specify 0 to
disable the time limit (i.e. use whatever timeout is implemented by
the operating system).
.SH smtp_data_xfer_timeout (default: 180s)
The SMTP client time limit for sending the SMTP message content.
When the connection makes no progress for more than $smtp_data_xfer_timeout
-seconds the SMTP client terminates the transfer.
+seconds the Postfix SMTP client terminates the transfer.
.PP
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH smtp_discard_ehlo_keyword_address_maps (default: empty)
Lookup tables, indexed by the remote SMTP server address, with
case insensitive lists of EHLO keywords (pipelining, starttls, auth,
-etc.) that the SMTP client will ignore in the EHLO response from a
+etc.) that the Postfix SMTP client will ignore in the EHLO response from a
remote SMTP server. See smtp_discard_ehlo_keywords for details. The
table is not indexed by hostname for consistency with
smtpd_discard_ehlo_keyword_address_maps.
This feature is available in Postfix 2.2 and later.
.SH smtp_discard_ehlo_keywords (default: empty)
A case insensitive list of EHLO keywords (pipelining, starttls,
-auth, etc.) that the SMTP client will ignore in the EHLO response
-from a remote SMTP server.
+auth, etc.) that the Postfix SMTP client will ignore in the EHLO
+response from a remote SMTP server.
.PP
This feature is available in Postfix 2.2 and later.
.PP
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH smtp_host_lookup (default: dns)
-What mechanisms when the SMTP client uses to look up a host's IP
+What mechanisms when the Postfix SMTP client uses to look up a host's IP
address. This parameter is ignored when DNS lookups are disabled.
.PP
Specify one of the following:
.fi
.ad
.ft R
+.SH smtp_sasl_auth_enforce (default: yes)
+If sender-dependent SASL passwords are turned off, defer mail
+delivery when an SMTP server does not support SASL authentication,
+while smtp_sasl_password_maps contains SASL login/password information
+for that server.
+.PP
+This feature is available in Postfix 2.3 and later.
.SH smtp_sasl_mechanism_filter (default: empty)
If non-empty, a Postfix SMTP client filter for the remote SMTP
server's list of offered SASL mechanisms. Different client and
.PP
This feature is available in Postfix 2.3 and later.
.SH smtp_send_xforward_command (default: no)
-Send the non-standard XFORWARD command when the Postfix SMTP server EHLO
-response announces XFORWARD support.
+Send the non-standard XFORWARD command when the Postfix SMTP server
+EHLO response announces XFORWARD support.
.PP
This allows an "smtp" delivery agent, used for injecting mail into
a content filter, to forward the name, address, protocol and HELO
.PP
This feature is available in Postfix 2.1 and later.
.SH smtp_sender_dependent_authentication (default: no)
-Enable sender-dependent authentication in the SMTP client; this is
+Enable sender-dependent authentication in the Postfix SMTP client; this is
available only with SASL authentication, and disables SMTP connection
caching to ensure that mail from different senders will use the
appropriate credentials.
This feature is available in Postfix 2.2 and later.
.SH smtp_tls_cipherlist (default: empty)
Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
-cipher list. As this feature applies to all security levels, it is easy
+cipher list. As this feature applies to all TLS security levels, it is easy
to create inter-operability problems by choosing a non-default cipher
list. Do not use a non-default TLS cipher list on hosts that deliver email
to the public Internet: you will be unable to send email to servers that
.PP
This feature is available in Postfix 2.2 and later.
.SH smtp_tls_enforce_peername (default: yes)
-When TLS encryption is enforced, require that the remote SMTP
+With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP server
certificate. As of RFC 2487 the requirements for hostname checking
for MTA clients are not specified.
This feature is available in Postfix 2.2 and later. With
Postfix 2.3 and later use smtp_tls_security_level instead.
.SH smtp_tls_exclude_ciphers (default: empty)
-List of ciphers or cipher types to exclude from the SMTP client cipher
-list at all security levels. This is not an OpenSSL cipherlist, it is
+List of ciphers or cipher types to exclude from the Postfix
+SMTP client cipher
+list at all TLS security levels. This is not an OpenSSL cipherlist, it is
a simple list separated by whitespace and/or commas. The elements are a
single cipher, or one or more "+" separated cipher properties, in which
case only ciphers matching \fBall\fR the properties are excluded.
.PP
This feature is available in Postfix 2.2 and later.
.SH smtp_tls_mandatory_ciphers (default: medium)
-The minimum SMTP client TLS cipher grade that is strong enough to
-be used with the "encrypt" security level and higher. The default
-value "medium" is suitable for most destinations with which you may
-want to enforce TLS, and is beyond the reach of today's crypt-analytic
-methods. See smtp_tls_policy_maps for information on how to configure
-ciphers on a per-destination basis.
+The minimum TLS cipher grade that the Postfix SMTP client will
+use with
+mandatory TLS encryption. The default value "medium" is suitable
+for most destinations with which you may want to enforce TLS, and
+is beyond the reach of today's crypt-analytic methods. See
+smtp_tls_policy_maps for information on how to configure ciphers
+on a per-destination basis.
.PP
The following cipher grades are supported:
.IP "\fBexport\fR"
.PP
This feature is available in Postfix 2.3 and later.
.SH smtp_tls_mandatory_exclude_ciphers (default: empty)
-List of ciphers or cipher types to exclude from the SMTP client
-cipher list at the mandatory TLS security levels: "encrypt", "verify"
-and "secure". See smtp_tls_exclude_ciphers for syntax details. When
-both "exclude" parameters are defined, the combined list of ciphers is
-excluded (provided the TLS security level is "encrypt" or higher).
+Additional list of ciphers or cipher types to exclude from the
+SMTP client cipher list at mandatory TLS security levels. This list
+works in addition to the exclusions listed with smtp_tls_exclude_ciphers
+(see there for syntax details).
.PP
This feature is available in Postfix 2.3 and later.
.SH smtp_tls_mandatory_protocols (default: SSLv3, TLSv1)
-List of TLS protocol versions that are secure enough to be used
-with the "encrypt" security level and higher. In main.cf the values
+List of TLS protocols that the Postfix SMTP client will use
+with mandatory TLS encryption. In main.cf the values
are separated by whitespace, commas or colons. In the policy table
(see smtp_tls_policy_maps) the only valid separator is colon. An
empty value means allow all protocols. The valid protocol names,
.PP
This feature is available in Postfix 2.3 and later.
.SH smtp_tls_security_level (default: empty)
-The default SMTP TLS security level for all destinations; when
-a non-empty value is specified, this overrides the obsolete parameters
-smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
+The default SMTP TLS security level for the Postfix SMTP client;
+when a non-empty value is specified, this overrides the obsolete
+parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
.PP
Specify one of the following security levels:
.IP "\fBnone\fR"
.PP
See smtpd_data_restrictions for syntax details.
.SH smtpd_enforce_tls (default: no)
-Enforcement mode: announce STARTTLS support to SMTP clients,
+Mandatory TLS: announce STARTTLS support to SMTP clients,
and require that clients use TLS encryption. According to RFC 2487
this MUST NOT be applied in case of a publicly-referenced SMTP
server. This option is off by default and should be used only on
dedicated servers.
.PP
-Note 1: this mode implies "smtpd_tls_auth_only = yes".
+Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".
.PP
Note 2: when invoked via "\fBsendmail -bs\fR", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior.
.PP
-This feature is available in Postfix 2.2 and later.
+This feature is available in Postfix 2.2 and later. With
+Postfix 2.3 and later use smtpd_tls_security_level instead.
.SH smtpd_error_sleep_time (default: 1s)
With Postfix version 2.1 and later: the SMTP server response delay after
a client has made more than $smtpd_soft_error_limit errors, and
The lookup key to be used in SMTP \fBaccess\fR(5) tables instead of the
null sender address.
.SH smtpd_peername_lookup (default: yes)
-Attempt to look up the SMTP client hostname, and verify that
+Attempt to look up the Postfix SMTP client hostname, and verify that
the name matches the client IP address. A client name is set to
"unknown" when it cannot be looked up or verified, or when name
lookup is disabled. Turning off name lookup reduces delays due to
is \fBsmtpd\fR, corresponding to a SASL configuration file named
\fBsmtpd.conf\fR.
.PP
-This feature is available in Postfix 2.1 and later.
+This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3
+it was renamed to smtpd_sasl_path.
.SH smtpd_sasl_auth_enable (default: no)
Enable SASL authentication in the Postfix SMTP server. By default,
the Postfix SMTP server does not use authentication.
\fBsmtpd_sasl_type\fR. Typically this specifies the name of a
configuration file or rendezvous point.
.PP
-This feature is available in Postfix 2.3 and later.
+This feature is available in Postfix 2.3 and later. In earlier
+releases it was called smtpd_sasl_application.
.SH smtpd_sasl_security_options (default: noanonymous)
SASL security options; as of Postfix 2.3 the list of available
features depends on the SASL server implementation that is selected
similar software, it will still insist on a server certificate.
.PP
For servers that are \fBnot\fR public Internet MX hosts, Postfix
-2.3 supports configurations with no certificates. This entails the use
-of just the anonymous TLS ciphers, which are not supported by typical
-SMTP clients. Since such clients will not, as a rule, fall back to plain
-text after a TLS handshake failure, the server will be unable to receive
-email from TLS enabled clients. To avoid accidental configurations with
-no certificates, Postfix 2.3 enables certificate-less operation only
-when the administrator explicitly sets "smtpd_tls_cert_file = none". This
-ensures that new Postfix configurations with just "smtpd_use_tls = yes"
-added, will not accidentally run with no certificates.
+2.3 supports configurations with no certificates. This entails the
+use of just the anonymous TLS ciphers, which are not supported by
+typical SMTP clients. Since such clients will not, as a rule, fall
+back to plain text after a TLS handshake failure, the server will
+be unable to receive email from TLS enabled clients. To avoid
+accidental configurations with no certificates, Postfix 2.3 enables
+certificate-less operation only when the administrator explicitly
+sets "smtpd_tls_cert_file = none". This ensures that new Postfix
+configurations will not accidentally run with no certificates.
.PP
Both RSA and DSA certificates are supported. When both types
are present, the cipher used determines which certificate will be
\fBNote:\fR do not use "" quotes around the parameter value.
.PP
This feature is available with Postfix version 2.2. It is not used with
-Postfix 2.3 and later; use smtpd_tls_ciphers instead.
-.SH smtpd_tls_ciphers (default: export)
-The minimum acceptable SMTP server TLS cipher grade. It is easy to
-create inter-operability problems by choosing a non-default cipher grade.
-Do not use a stronger than default minimum cipher grade for MX hosts on
-the public Internet. Clients that begin the TLS handshake, but are unable
-to agree on a common cipher, may not be able to send any email to the
-SMTP server. Using a restricted cipher list may be more appropriate for a
-dedicated MSA or an internal mailhub, where one can exert some control over
-the TLS software and settings of the connecting clients. Configurations
-with no certificates are also not likely to inter-operate with most
-clients, see the notes for "smtpd_tls_cert_file".
-.PP
-The following cipher grades are supported:
-.IP "\fBexport\fR"
-Enable the mainstream "EXPORT" grade or better OpenSSL ciphers.
-This is the most appropriate setting for public MX hosts. The underlying
-cipherlist is specified via the tls_export_cipherlist configuration
-parameter, which you are strongly encouraged to not change. The default
-value of tls_export_cipherlist includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers,
-set "smtpd_tls_exclude_ciphers = aNULL".
-.IP "\fBlow\fR"
-Enable the mainstream "LOW" grade or better OpenSSL ciphers. This
-setting is only appropriate for internal mail servers. The underlying
-cipherlist is specified via the tls_low_cipherlist configuration
-parameter, which you are strongly encouraged to not change. The default
-value of tls_low_cipherlist includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers,
-set "smtpd_tls_exclude_ciphers = aNULL".
-.IP "\fBmedium\fR"
-Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers. This
-setting is only appropriate for internal mail servers. The underlying
-cipherlist is specified via the tls_medium_cipherlist configuration
-parameter, which you are strongly encouraged to not change. The default
-value of tls_medium_cipherlist includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers,
-set "smtpd_tls_exclude_ciphers = aNULL".
-.IP "\fBhigh\fR"
-Enable only the mainstream "HIGH" grade OpenSSL ciphers. This
-setting is only appropriate for internal mail servers. The underlying
-cipherlist is specified via the tls_high_cipherlist configuration
-parameter, which you are strongly encouraged to not change. The default
-value of tls_high_cipherlist includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers, set
-"smtpd_tls_exclude_ciphers = aNULL".
-.IP "\fBnull\fR"
-Enable only the "NULL" OpenSSL ciphers, these provide authentication
-without encryption. This setting is only appropriate in the rare
-case that all clients are prepared to use NULL ciphers (not normally
-enabled in TLS clients). The underlying cipherlist is specified via the
-tls_null_cipherlist configuration parameter, which you are strongly
-encouraged to not change. The default value of tls_null_cipherlist
-excludes anonymous ciphers (OpenSSL 0.9.8 has NULL ciphers that offer
-data integrity without encryption or authentication).
-.PP
-This feature is available in Postfix 2.3 and later.
+Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.
.SH smtpd_tls_dcert_file (default: empty)
File with the Postfix SMTP server DSA certificate in PEM format.
This file may also contain the server private key.
.PP
Your actual source for entropy may differ. Some systems have
/dev/random; on other system you may consider using the "Entropy
-Gathering Daemon EGD", available at http://www.lothar.com/tech/crypto/.
+Gathering Daemon EGD", available at http://egd.sourceforge.net/
.PP
Example:
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_tls_exclude_ciphers (default: empty)
List of ciphers or cipher types to exclude from the SMTP server
-cipher list. This is not an OpenSSL cipherlist; it is a simple list
-separated by whitespace and/or commas. The elements are a single
-cipher, or one or more "+" separated cipher properties, in which
-case only ciphers matching \fBall\fR the properties are excluded.
+cipher list at all TLS security levels. Excluding valid ciphers
+can create interoperability problems. DO NOT exclude ciphers unless it
+is essential to do so. This is not an OpenSSL cipherlist; it is a simple
+list separated by whitespace and/or commas. The elements are a single
+cipher, or one or more "+" separated cipher properties, in which case
+only ciphers matching \fBall\fR the properties are excluded.
.PP
Examples (some of these will cause problems):
.PP
loglevel 4 is strongly discouraged.
.PP
This feature is available in Postfix 2.2 and later.
-.SH smtpd_tls_protocols (default: empty)
-The list of TLS protocols supported by the server. If empty the
-default list of protocols is used (i.e. all TLS protocol versions are
-supported). Any non-empty value is interpreted as a list of protocol
-names separated by whitespace, commas or colons. The supported protocol
-names are "SSLv2", "SSLv3" and "TLSv1", and are not
-case-sensitive.
-.PP
-DO NOT set this to a non-default value on an MX-host,
-as some clients may not support any of the narrower set of protocols,
-and may be unable to fallback to plaintext sessions. If you restrict
-the protocol list on an MX host, you may lose mail.
+.SH smtpd_tls_mandatory_ciphers (default: medium)
+The minimum TLS cipher grade that the Postfix SMTP server will
+use with mandatory
+TLS encryption. Cipher types listed in smtpd_tls_mandatory_exclude_ciphers
+or smtpd_tls_exclude_ciphers are excluded from the base definition
+of the selected cipher grade. With opportunistic TLS encryption,
+the "export" grade is used unconditionally with exclusions specified
+only via smtpd_tls_exclude_ciphers.
+.PP
+The following cipher grades are supported:
+.IP "\fBexport\fR"
+Enable the mainstream "EXPORT" grade or better OpenSSL ciphers.
+This is the most appropriate setting for public MX hosts, and is always
+used with opportunistic TLS encryption. The underlying cipherlist
+is specified via the tls_export_cipherlist configuration parameter,
+which you are strongly encouraged to not change. The default value
+of tls_export_cipherlist includes anonymous ciphers, but these are
+automatically filtered out if the server is configured to ask for
+client certificates. If you must always exclude anonymous ciphers,
+set "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers
+only when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers =
+aNULL".
+.IP "\fBlow\fR"
+Enable the mainstream "LOW" grade or better OpenSSL ciphers. The
+underlying cipherlist is specified via the tls_low_cipherlist
+configuration parameter, which you are strongly encouraged to
+not change. The default value of tls_low_cipherlist includes
+anonymous ciphers, but these are automatically filtered out if the
+server is configured to ask for client certificates. If you must
+always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers =
+aNULL". To exclude anonymous ciphers only when TLS is enforced, set
+"smtpd_tls_mandatory_exclude_ciphers = aNULL".
+.IP "\fBmedium\fR"
+Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers. These
+are essentially the 128-bit or stronger ciphers. This is the default
+minimum strength for mandatory TLS encryption. MSAs that enforce
+TLS and have clients that do not support any "MEDIUM" or "HIGH"
+grade ciphers, may need to configure a weaker ("low" or "export")
+minimum cipher grade. The underlying cipherlist is specified via the
+tls_medium_cipherlist configuration parameter, which you are strongly
+encouraged to not change. The default value of tls_medium_cipherlist
+includes anonymous ciphers, but these are automatically filtered out if
+the server is configured to ask for client certificates. If you must
+always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers =
+aNULL". To exclude anonymous ciphers only when TLS is enforced, set
+"smtpd_tls_mandatory_exclude_ciphers = aNULL".
+.IP "\fBhigh\fR"
+Enable only the mainstream "HIGH" grade OpenSSL ciphers. The
+underlying cipherlist is specified via the tls_high_cipherlist
+configuration parameter, which you are strongly encouraged to
+not change. The default value of tls_high_cipherlist includes
+anonymous ciphers, but these are automatically filtered out if the
+server is configured to ask for client certificates. If you must
+always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers =
+aNULL". To exclude anonymous ciphers only when TLS is enforced, set
+"smtpd_tls_mandatory_exclude_ciphers = aNULL".
+.IP "\fBnull\fR"
+Enable only the "NULL" OpenSSL ciphers, these provide authentication
+without encryption. This setting is only appropriate in the rare
+case that all clients are prepared to use NULL ciphers (not normally
+enabled in TLS clients). The underlying cipherlist is specified via the
+tls_null_cipherlist configuration parameter, which you are strongly
+encouraged to not change. The default value of tls_null_cipherlist
+excludes anonymous ciphers (OpenSSL 0.9.8 has NULL ciphers that offer
+data integrity without encryption or authentication).
+.PP
+This feature is available in Postfix 2.3 and later.
+.SH smtpd_tls_mandatory_exclude_ciphers (default: empty)
+Additional list of ciphers or cipher types to exclude from the
+SMTP server cipher list at mandatory TLS security levels. This list
+works in addition to the exclusions listed with smtpd_tls_exclude_ciphers
+(see there for syntax details).
+.PP
+This feature is available in Postfix 2.3 and later.
+.SH smtpd_tls_mandatory_protocols (default: SSLv3, TLSv1)
+The TLS protocols accepted by the Postfix SMTP server with
+mandatory TLS encryption. With opportunistic TLS encryption, all
+protocols are always accepted. If the list is empty, the server
+supports all available TLS protocol versions. A non-empty value
+is a list of protocol names separated by whitespace, commas or
+colons. The supported protocol names are "SSLv2", "SSLv3" and
+"TLSv1", and are not case sensitive.
.PP
Example:
.PP
.nf
.na
.ft C
-smtpd_tls_protocols = SSLv3, TLSv1
+smtpd_tls_mandatory_protocols = SSLv3, TLSv1
.fi
.ad
.ft R
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_tls_req_ccert (default: no)
-When TLS encryption is enforced, require a remote SMTP client
+With mandatory TLS encryption, require a remote SMTP client
certificate in order to allow TLS connections to proceed. This
option implies "smtpd_tls_ask_ccert = yes".
.PP
a warning written to the mail log.
.PP
This feature is available in Postfix 2.2 and later.
+.SH smtpd_tls_security_level (default: empty)
+The SMTP TLS security level for the Postfix SMTP server; when
+a non-empty value is specified, this overrides the obsolete parameters
+smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
+"smtpd_tls_wrappermode = yes".
+.PP
+Specify one of the following security levels:
+.IP "\fBnone\fR"
+TLS will not be used.
+.IP "\fBmay\fR"
+Opportunistic TLS: announce STARTTLS support
+to SMTP clients, but do not require that clients use TLS encryption.
+.IP "\fBencrypt\fR"
+Mandatory TLS encryption: announce
+STARTTLS support to SMTP clients, and require that clients use TLS
+encryption. According to RFC 2487 this MUST NOT be applied in case
+of a publicly-referenced SMTP server. Instead, this option should
+be used only on dedicated servers.
+.PP
+Note 1: the "verify" and "secure" levels are not supported.
+The Postfix SMTP server logs a warning and uses "encrypt" instead.
+To verify SMTP client certificates, see TLS_README for a discussion
+of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and permit_tls_clientcerts
+features.
+.PP
+Note 2: The parameter setting "smtpd_tls_security_level =
+encrypt" implies "smtpd_tls_auth_only = yes".
+.PP
+Note 3: when invoked via "sendmail -bs", Postfix will never
+offer STARTTLS due to insufficient privileges to access the server
+private key. This is intended behavior.
+.PP
+This feature is available in Postfix 2.3 and later.
.SH smtpd_tls_session_cache_database (default: empty)
Name of the file containing the optional Postfix SMTP server
TLS session cache. Specify a database type that supports enumeration,
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_use_tls (default: no)
-Opportunistic mode: announce STARTTLS support to SMTP clients,
+Opportunistic TLS: announce STARTTLS support to SMTP clients,
but do not require that clients use TLS encryption.
.PP
Note: when invoked via "\fBsendmail -bs\fR", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior.
.PP
-This feature is available in Postfix 2.2 and later.
+This feature is available in Postfix 2.2 and later. With
+Postfix 2.3 and later use smtpd_tls_security_level instead.
.SH soft_bounce (default: no)
Safety net to keep mail queued that would otherwise be returned to
the sender. This parameter disables locally-generated bounces,
This feature is available in Postfix 2.2 and later.
.SH tls_export_cipherlist (default: ALL:+RC4:@STRENGTH)
The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This
-defines the meaning of the "export" setting in smtpd_tls_ciphers,
+defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers,
smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is
the cipherlist for the opportunistic ("may") TLS client security
level and is the default cipherlist for the SMTP server. You are
This feature is available in Postfix 2.3 and later.
.SH tls_high_cipherlist (default: !EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH)
The OpenSSL cipherlist for "HIGH" grade ciphers. This defines
-the meaning of the "high" setting in smtpd_tls_ciphers,
+the meaning of the "high" setting in smtpd_tls_mandatory_ciphers,
smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
strongly encouraged to not change this setting.
.PP
This feature is available in Postfix 2.3 and later.
.SH tls_low_cipherlist (default: !EXPORT:ALL:+RC4:@STRENGTH)
The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines
-the meaning of the "low" setting in smtpd_tls_ciphers,
+the meaning of the "low" setting in smtpd_tls_mandatory_ciphers,
smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
strongly encouraged to not change this setting.
.PP
This feature is available in Postfix 2.3 and later.
.SH tls_medium_cipherlist (default: !EXPORT:!LOW:ALL:+RC4:@STRENGTH)
The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This
-defines the meaning of the "medium" setting in smtpd_tls_ciphers,
+defines the meaning of the "medium" setting in smtpd_tls_mandatory_ciphers,
smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is
the default cipherlist for mandatory TLS encryption in the TLS
client (with anonymous ciphers disabled when verifying server
.SH tls_null_cipherlist (default: !aNULL:eNULL+kRSA)
The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption. This defines the meaning of the "null"
-setting in smtpd_tls_ciphers, smtp_tls_mandatory_ciphers and
+setting in smtpd_mandatory_tls_ciphers, smtp_tls_mandatory_ciphers and
lmtp_tls_mandatory_ciphers. You are strongly encouraged to not
change this setting.
.PP
expression lookup table syntax, see \fBregexp_table\fR(5) or
\fBpcre_table\fR(5). For a description of the TCP client/server
table lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.2.
+This feature is not available up to and including Postfix version 2.3.
Each pattern is a regular expression that is applied to the entire
address being looked up. Thus, \fIuser@domain\fR mail addresses are not
This section describes how the table lookups change when lookups
are directed to a TCP-based server. For a description of the TCP
client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.2.
+This feature is not available up to and including Postfix version 2.3.
Each lookup operation uses the entire address once. Thus,
\fIuser@domain\fR mail addresses are not broken up into their
This section describes how the table lookups change when lookups
are directed to a TCP-based server. For a description of the TCP
client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.2.
+This feature is not available up to and including Postfix version 2.3.
Each lookup operation uses the entire recipient address once. Thus,
\fIsome.domain.hierarchy\fR is not looked up via its parent domains,
This section describes how the table lookups change when lookups
are directed to a TCP-based server. For a description of the TCP
client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.2.
+This feature is not available up to and including Postfix version 2.3.
Each lookup operation uses the entire address once. Thus,
\fIuser@domain\fR mail addresses are not broken up into their
.na
.nf
RFC 822 (ARPA Internet Text Messages)
+RFC 2045 (Format of Internet Message Bodies)
RFC 2822 (ARPA Internet Text Messages)
RFC 3462 (Delivery Status Notifications)
RFC 3464 (Delivery Status Notifications)
-RFC 2045 (Format of Internet Message Bodies)
+RFC 3834 (Auto-Submitted: message header)
.SH DIAGNOSTICS
.ad
.fi
.IP "\fBipc_timeout (3600s)\fR"
The time limit for sending or receiving information over an internal
communication channel.
+.IP "\fBinternal_mail_filter_classes (empty)\fR"
+What categories of Postfix-generated mail are subject to
+before-queue content inspection by non_smtpd_milters, header_checks
+and body_checks.
.IP "\fBmail_name (Postfix)\fR"
The mail system name that is displayed in Received: headers, in
the SMTP greeting banner, and in bounced mail.
.IP "\fBsmtp_discard_ehlo_keyword_address_maps (empty)\fR"
Lookup tables, indexed by the remote SMTP server address, with
case insensitive lists of EHLO keywords (pipelining, starttls, auth,
-etc.) that the SMTP client will ignore in the EHLO response from a
+etc.) that the Postfix SMTP client will ignore in the EHLO response from a
remote SMTP server.
.IP "\fBsmtp_discard_ehlo_keywords (empty)\fR"
A case insensitive list of EHLO keywords (pipelining, starttls,
-auth, etc.) that the SMTP client will ignore in the EHLO response
-from a remote SMTP server.
+auth, etc.) that the Postfix SMTP client will ignore in the EHLO
+response from a remote SMTP server.
.IP "\fBsmtp_generic_maps (empty)\fR"
Optional lookup tables that perform address rewriting in the
SMTP client, typically to transform a locally valid address into
.fi
Available in Postfix version 2.1 and later:
.IP "\fBsmtp_send_xforward_command (no)\fR"
-Send the non-standard XFORWARD command when the Postfix SMTP server EHLO
-response announces XFORWARD support.
+Send the non-standard XFORWARD command when the Postfix SMTP server
+EHLO response announces XFORWARD support.
.SH "SASL AUTHENTICATION CONTROLS"
.na
.nf
server's list of offered SASL mechanisms.
.PP
Available in Postfix version 2.3 and later:
+.IP "\fBsmtp_sasl_auth_enforce (yes)\fR"
+If sender-dependent SASL passwords are turned off, defer mail
+delivery when an SMTP server does not support SASL authentication,
+while smtp_sasl_password_maps contains SASL login/password information
+for that server.
.IP "\fBsmtp_sender_dependent_authentication (no)\fR"
-Enable sender-dependent authentication in the SMTP client; this is
+Enable sender-dependent authentication in the Postfix SMTP client; this is
available only with SASL authentication, and disables SMTP connection
caching to ensure that mail from different senders will use the
appropriate credentials.
Detailed information about STARTTLS configuration may be found
in the TLS_README document.
.IP "\fBsmtp_tls_security_level (empty)\fR"
-The default SMTP TLS security level for all destinations; when
-a non-empty value is specified, this overrides the obsolete parameters
-smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
+The default SMTP TLS security level for the Postfix SMTP client;
+when a non-empty value is specified, this overrides the obsolete
+parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
.IP "\fBsmtp_sasl_tls_security_options ($smtp_sasl_security_options)\fR"
The SASL authentication security options that the Postfix SMTP
client uses for TLS encrypted SMTP sessions.
.IP "\fBsmtp_tls_cert_file (empty)\fR"
File with the Postfix SMTP client RSA certificate in PEM format.
.IP "\fBsmtp_tls_mandatory_ciphers (medium)\fR"
-The minimum SMTP client TLS cipher grade that is strong enough to
-be used with the "encrypt" security level and higher.
+The minimum TLS cipher grade that the Postfix SMTP client will
+use with
+mandatory TLS encryption.
.IP "\fBsmtp_tls_exclude_ciphers (empty)\fR"
-List of ciphers or cipher types to exclude from the SMTP client cipher
-list at all security levels.
+List of ciphers or cipher types to exclude from the Postfix
+SMTP client cipher
+list at all TLS security levels.
.IP "\fBsmtp_tls_mandatory_exclude_ciphers (empty)\fR"
-List of ciphers or cipher types to exclude from the SMTP client
-cipher list at the mandatory TLS security levels: "encrypt", "verify"
-and "secure".
+Additional list of ciphers or cipher types to exclude from the
+SMTP client cipher list at mandatory TLS security levels.
.IP "\fBsmtp_tls_dcert_file (empty)\fR"
File with the Postfix SMTP client DSA certificate in PEM format.
.IP "\fBsmtp_tls_dkey_file ($smtp_tls_dcert_file)\fR"
.IP "\fBsmtp_tls_note_starttls_offer (no)\fR"
Log the hostname of a remote SMTP server that offers STARTTLS,
when TLS is not already enabled for that server.
-.IP "\fBsmtp_tls_policy_maps (empty)\fR"
-Optional lookup tables with the Postfix SMTP client TLS security
-policy by next-hop destination; when a non-empty value is specified,
-this overrides the obsolete smtp_tls_per_site parameter.
-.IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
-List of TLS protocol versions that are secure enough to be used
-with the "encrypt" security level and higher.
.IP "\fBsmtp_tls_scert_verifydepth (5)\fR"
The verification depth for remote SMTP server certificates.
.IP "\fBsmtp_tls_secure_cert_match (nexthop, dot-nexthop)\fR"
Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear.
.IP "\fBsmtp_tls_enforce_peername (yes)\fR"
-When TLS encryption is enforced, require that the remote SMTP
+With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP server
certificate.
.IP "\fBsmtp_tls_per_site (empty)\fR"
Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server hostname.
+.IP "\fBsmtp_tls_cipherlist (empty)\fR"
+Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
+cipher list.
.SH "RESOURCE AND RATE CONTROLS"
.na
.nf
The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or protocol
errors.
+.IP "\fBinternal_mail_filter_classes (empty)\fR"
+What categories of Postfix-generated mail are subject to
+before-queue content inspection by non_smtpd_milters, header_checks
+and body_checks.
.IP "\fBnotify_classes (resource, software)\fR"
The list of error classes that are reported to the postmaster.
.SH "MISCELLANEOUS CONTROLS"
The network interface addresses that this mail system receives mail
on by way of a proxy or network address translation unit.
.IP "\fBsmtp_bind_address (empty)\fR"
-An optional numerical network address that the SMTP client should
-bind to when making an IPv4 connection.
+An optional numerical network address that the Postfix SMTP client
+should bind to when making an IPv4 connection.
.IP "\fBsmtp_bind_address6 (empty)\fR"
-An optional numerical network address that the SMTP client should
-bind to when making an IPv6 connection.
+An optional numerical network address that the Postfix SMTP client
+should bind to when making an IPv6 connection.
.IP "\fBsmtp_helo_name ($myhostname)\fR"
The hostname to send in the SMTP EHLO or HELO command.
.IP "\fBlmtp_lhlo_name ($myhostname)\fR"
The hostname to send in the LMTP LHLO command.
.IP "\fBsmtp_host_lookup (dns)\fR"
-What mechanisms when the SMTP client uses to look up a host's IP
+What mechanisms when the Postfix SMTP client uses to look up a host's IP
address.
.IP "\fBsmtp_randomize_addresses (yes)\fR"
Randomize the order of equal-preference MX host addresses.
.fi
Detailed information about STARTTLS configuration may be
found in the TLS_README document.
-.IP "\fBsmtpd_use_tls (no)\fR"
-Opportunistic mode: announce STARTTLS support to SMTP clients,
-but do not require that clients use TLS encryption.
-.IP "\fBsmtpd_enforce_tls (no)\fR"
-Enforcement mode: announce STARTTLS support to SMTP clients,
-and require that clients use TLS encryption.
+.IP "\fBsmtpd_tls_security_level (empty)\fR"
+The SMTP TLS security level for the Postfix SMTP server; when
+a non-empty value is specified, this overrides the obsolete parameters
+smtpd_use_tls and smtpd_enforce_tls.
.IP "\fBsmtpd_sasl_tls_security_options ($smtpd_sasl_security_options)\fR"
The SASL authentication security options that the Postfix SMTP
server uses for TLS encrypted SMTP sessions.
The verification depth for remote SMTP client certificates.
.IP "\fBsmtpd_tls_cert_file (empty)\fR"
File with the Postfix SMTP server RSA certificate in PEM format.
-.IP "\fBsmtpd_tls_ciphers (export)\fR"
-The minimum acceptable SMTP server TLS cipher grade.
.IP "\fBsmtpd_tls_exclude_ciphers (empty)\fR"
List of ciphers or cipher types to exclude from the SMTP server
-cipher list.
+cipher list at all TLS security levels.
.IP "\fBsmtpd_tls_dcert_file (empty)\fR"
File with the Postfix SMTP server DSA certificate in PEM format.
.IP "\fBsmtpd_tls_dh1024_param_file (empty)\fR"
File with the Postfix SMTP server RSA private key in PEM format.
.IP "\fBsmtpd_tls_loglevel (0)\fR"
Enable additional Postfix SMTP server logging of TLS activity.
-.IP "\fBsmtpd_tls_protocols (empty)\fR"
-The list of TLS protocols supported by the server.
+.IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR"
+The minimum TLS cipher grade that the Postfix SMTP server will
+use with mandatory
+TLS encryption.
+.IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
+Additional list of ciphers or cipher types to exclude from the
+SMTP server cipher list at mandatory TLS security levels.
+.IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
+The TLS protocols accepted by the Postfix SMTP server with
+mandatory TLS encryption.
.IP "\fBsmtpd_tls_received_header (no)\fR"
Request that the Postfix SMTP server produces Received: message
headers that include information about the protocol and cipher used,
as well as the client CommonName and client certificate issuer
CommonName.
.IP "\fBsmtpd_tls_req_ccert (no)\fR"
-When TLS encryption is enforced, require a remote SMTP client
+With mandatory TLS encryption, require a remote SMTP client
certificate in order to allow TLS connections to proceed.
.IP "\fBsmtpd_tls_session_cache_database (empty)\fR"
Name of the file containing the optional Postfix SMTP server
.IP "\fBtls_null_cipherlist (!aNULL:eNULL+kRSA)\fR"
The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption.
+.SH "OBSOLETE STARTTLS CONTROLS"
+.na
+.nf
+.ad
+.fi
+The following configuration parameters exist for compatibility
+with Postfix versions before 2.3. Support for these will
+be removed in a future release.
+.IP "\fBsmtpd_use_tls (no)\fR"
+Opportunistic TLS: announce STARTTLS support to SMTP clients,
+but do not require that clients use TLS encryption.
+.IP "\fBsmtpd_enforce_tls (no)\fR"
+Mandatory TLS: announce STARTTLS support to SMTP clients,
+and require that clients use TLS encryption.
+.IP "\fBsmtpd_tls_cipherlist (empty)\fR"
+Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS
+cipher list.
.SH "VERP SUPPORT CONTROLS"
.na
.nf
The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or protocol
errors.
+.IP "\fBinternal_mail_filter_classes (empty)\fR"
+What categories of Postfix-generated mail are subject to
+before-queue content inspection by non_smtpd_milters, header_checks
+and body_checks.
.IP "\fBnotify_classes (resource, software)\fR"
The list of error classes that are reported to the postmaster.
.IP "\fBsoft_bounce (no)\fR"
.PP
Available in Postfix version 2.3 and later:
.IP "\fBsmtpd_peername_lookup (yes)\fR"
-Attempt to look up the SMTP client hostname, and verify that
+Attempt to look up the Postfix SMTP client hostname, and verify that
the name matches the client IP address.
.PP
The per SMTP client connection count and request rate limits are
s;\bhopcount_limit\b;<a href="postconf.5.html#hopcount_limit">$&</a>;g;
s;\bhtml_direc[-</bB>]*\n*[ <bB>]*tory\b;<a href="postconf.5.html#html_directory">$&</a>;g;
s;\bignore_mx_lookup_error\b;<a href="postconf.5.html#ignore_mx_lookup_error">$&</a>;g;
+ s;\binternal_mail_filter_classes\b;<a href="postconf.5.html#internal_mail_filter_classes">$&</a>;g;
s;\bimport_environment\b;<a href="postconf.5.html#import_environment">$&</a>;g;
s;\bin_flow_delay\b;<a href="postconf.5.html#in_flow_delay">$&</a>;g;
s;\binet_inter[-</bB>]*\n*[ <bB>]*faces\b;<a href="postconf.5.html#inet_interfaces">$&</a>;g;
s;\blmtp_rcpt_timeout\b;<a href="postconf.5.html#lmtp_rcpt_timeout">$&</a>;g;
s;\blmtp_rset_timeout\b;<a href="postconf.5.html#lmtp_rset_timeout">$&</a>;g;
s;\blmtp_sasl_auth_enable\b;<a href="postconf.5.html#lmtp_sasl_auth_enable">$&</a>;g;
+ s;\blmtp_sasl_auth_enforce\b;<a href="postconf.5.html#lmtp_sasl_auth_enforce">$&</a>;g;
s;\blmtp_sasl_password_maps\b;<a href="postconf.5.html#lmtp_sasl_password_maps">$&</a>;g;
s;\blmtp_sasl_security_options\b;<a href="postconf.5.html#lmtp_sasl_security_options">$&</a>;g;
s;\blmtp_sasl_type\b;<a href="postconf.5.html#lmtp_sasl_type">$&</a>;g;
s;\bsmtp_rset_timeout\b;<a href="postconf.5.html#smtp_rset_timeout">$&</a>;g;
s;\bsmtp_sasl_auth_enable\b;<a href="postconf.5.html#smtp_sasl_auth_enable">$&</a>;g;
s;\bsmtp_sasl_mechanism_filter\b;<a href="postconf.5.html#smtp_sasl_mechanism_filter">$&</a>;g;
- s;\bsmtp_sasl_password_maps\b;<a href="postconf.5.html#smtp_sasl_password_maps">$&</a>;g;
+ s;\bsmtp_sasl_pass
[-</Bb>]*\n* *[<Bb>]*word_maps\b;<a href="postconf.5.html#smtp_sasl_password_maps">$&</a>;g;
s;\bsmtp_sasl_path\b;<a href="postconf.5.html#smtp_sasl_path">$&</a>;g;
s;\bsmtp_sasl_secu[-</Bb>]*\n* *[<Bb>]*rity_options\b;<a href="postconf.5.html#smtp_sasl_security_options">$&</a>;g;
s;\bsmtp_send_xforward_command\b;<a href="postconf.5.html#smtp_send_xforward_command">$&</a>;g;
s;\bsmtp_[-</Bb>]*\n* *[<Bb>]*sasl_[-</Bb>]*\n* *[<Bb>]*tls_[-</Bb>]*\n* *[<Bb>]*secu[-</Bb>]*\n* *[<Bb>]*rity_options\b;<a href="postconf.5.html#smtp_sasl_tls_security_options">$&</a>;g;
s;\bsmtp_sasl_tls_verified_secu[-</Bb>]*\n* *[<Bb>]*rity_options\b;<a href="postconf.5.html#smtp_sasl_tls_verified_security_options">$&</a>;g;
s;\bsmtp_sasl_type\b;<a href="postconf.5.html#smtp_sasl_type">$&</a>;g;
+ s;\bsmtp_sasl_auth_enforce\b;<a href="postconf.5.html#smtp_sasl_auth_enforce">$&</a>;g;
s;\bsmtp_starttls_timeout\b;<a href="postconf.5.html#smtp_starttls_timeout">$&</a>;g;
s;\bsmtp_tls_CAfile\b;<a href="postconf.5.html#smtp_tls_CAfile">$&</a>;g;
s;\bsmtp_tls_CApath\b;<a href="postconf.5.html#smtp_tls_CApath">$&</a>;g;
s;\bsmtp_tls_cert_file\b;<a href="postconf.5.html#smtp_tls_cert_file">$&</a>;g;
s;\bsmtp_tls_mandatory_ciphers\b;<a href="postconf.5.html#smtp_tls_mandatory_ciphers">$&</a>;g;
+ s;\bsmtp_tls_cipherlist\b;<a href="postconf.5.html#smtp_tls_cipherlist">$&</a>;g;
s;\bsmtp_tls_exclude_ciphers\b;<a href="postconf.5.html#smtp_tls_exclude_ciphers">$&</a>;g;
s;\bsmtp_tls_mandatory_exclude_ciphers\b;<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">$&</a>;g;
s;\bsmtp_tls_dcert_file\b;<a href="postconf.5.html#smtp_tls_dcert_file">$&</a>;g;
s;\bsmtpd_tls_auth_only\b;<a href="postconf.5.html#smtpd_tls_auth_only">$&</a>;g;
s;\bsmtpd_tls_ccert_verifydepth\b;<a href="postconf.5.html#smtpd_tls_ccert_verifydepth">$&</a>;g;
s;\bsmtpd_tls_cert_file\b;<a href="postconf.5.html#smtpd_tls_cert_file">$&</a>;g;
- s;\bsmtpd_tls_ciphers\b;<a href="postconf.5.html#smtpd_tls_ciphers">$&</a>;g;
+ s;\bsmtpd_tls_cipherlist\b;<a href="postconf.5.html#smtpd_tls_cipherlist">$&</a>;g;
s;\bsmtpd_tls_exclude_ciphers\b;<a href="postconf.5.html#smtpd_tls_exclude_ciphers">$&</a>;g;
+ s;\bsmtpd_tls_mandatory_ciphers\b;<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">$&</a>;g;
+ s;\bsmtpd_tls_mandatory_exclude_ciphers\b;<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">$&</a>;g;
s;\bsmtpd_tls_dcert_file\b;<a href="postconf.5.html#smtpd_tls_dcert_file">$&</a>;g;
s;\bsmtpd_tls_dh1024_param_file\b;<a href="postconf.5.html#smtpd_tls_dh1024_param_file">$&</a>;g;
s;\bsmtpd_tls_dh512_param_file\b;<a href="postconf.5.html#smtpd_tls_dh512_param_file">$&</a>;g;
s;\bsmtpd_tls_dkey_file\b;<a href="postconf.5.html#smtpd_tls_dkey_file">$&</a>;g;
s;\bsmtpd_tls_key_file\b;<a href="postconf.5.html#smtpd_tls_key_file">$&</a>;g;
+ s;\bsmtpd_tls_security_level\b;<a href="postconf.5.html#smtpd_tls_security_level">$&</a>;g;
s;\bsmtpd_tls_loglevel\b;<a href="postconf.5.html#smtpd_tls_loglevel">$&</a>;g;
- s;\bsmtpd_tls_protocols\b;<a href="postconf.5.html#smtpd_tls_protocols">$&</a>;g;
+ s;\bsmtpd_tls_mandatory_protocols\b;<a href="postconf.5.html#smtpd_tls_mandatory_protocols">$&</a>;g;
s;\bsmtpd_tls_received_header\b;<a href="postconf.5.html#smtpd_tls_received_header">$&</a>;g;
s;\bsmtpd_tls_req_ccert\b;<a href="postconf.5.html#smtpd_tls_req_ccert">$&</a>;g;
s;\bsmtpd_tls_session_cache_database\b;<a href="postconf.5.html#smtpd_tls_session_cache_database">$&</a>;g;
rejects mail for the recipient address. If a recipient probe
succeeds, then Postfix accepts mail for the recipient address. </p>
+<p> By default, address verification results are not saved. To avoid
+probing the same address repeatedly, you can store the result in a
+<a href="#caching">persistent database</a> as described later. </p>
+
<blockquote>
<pre>
/etc/postfix/main.cf:
# =============================================================
scan unix - - n - 10 smtp
-o smtp_send_xforward_command=yes
+ -o disable_mime_output_conversion=yes
</pre>
</blockquote>
the real client name IP address. See smtp(8) and XFORWARD_README
for more information. </p>
+<li> <p> With "-o disable_mime_output_conversion=yes", the scan
+delivery agent will not convert 8BITMIME mail to quoted-printable
+form while delivering to the content filter, as that would invalidate
+domainkeys and other digital signatures. This workaround is needed
+because some SMTP-based content filters don't announce 8BITMIME
+support, even though they can handle it just fine. </p>
+
</ul>
<h3>Advanced content filter: running the content filter</h3>
OSF1.V3 - OSF1.V5 (Digital UNIX) <br>
Reliant UNIX 5.x <br>
Rhapsody 5.x <br>
-SunOS 4.1.4 (December 2005) <br>
+SunOS 4.1.4 (July 2006) <br>
SunOS 5.4 - 5.9 (Solaris 2.4..9) <br>
Ultrix 4.x (well, that was long ago) <br>
</p>
<pre>
/etc/postfix/master.cf:
maildrop unix - n n - - pipe
- flags=DRhu user=vmail argv=/path/to/maildrop -d ${recipient}
+ flags=ODRhu user=vmail argv=/path/to/maildrop -d ${recipient}
</pre>
</blockquote>
+<p> The pipe(8) manual page gives a detailed description of the
+above command line arguments, and more. </p>
+
<p> If you want to support user+extension@domain style addresses,
use the following instead: </p>
<pre>
/etc/postfix/master.cf:
maildrop unix - n n - - pipe
- flags=DRhu user=vmail argv=/path/to/maildrop
+ flags=ODRhu user=vmail argv=/path/to/maildrop
-d ${user}@${nexthop} ${extension} ${recipient} ${user} ${nexthop}
</pre>
</blockquote>
<a href="http://sourceforge.net/projects/dk-milter/">Domain keys</a>)
or to digitally sign mail (example: <a
href="http://sourceforge.net/projects/dk-milter/">Domain keys</a>).
-Having yet another MTA-specific version of all that software is a
-poor use of human and system resources. </p>
+Having yet another Postfix-specific version of all that software
+is a poor use of human and system resources. </p>
<p> Postfix 2.3 implements all the requests of Sendmail version 8
Milter protocols up to version 4, except one: message body replacement.
-See, however, the <a href="#limitations">limitations</a> section
-at the end of this document. </p>
+See, however, the <a href="#workarounds">workarounds</a> and <a
+href="#limitations">limitations</a> sections at the end of this
+document. </p>
<p> This document provides information on the following topics: </p>
<blockquote>
<pre>
-$ <b>/some/where/dk-filter -p inet:<i>portnumber</i>@localhost ...<i>other options</i>...</b>
+# <b>/some/where/dk-filter -u <i>userid</i> -p inet:<i>portnumber</i>@localhost ...<i>other options</i>...</b>
</pre>
</blockquote>
+<p> Please specify a <i>userid</i> value that isn't used for other
+applications (not "postfix", not "www", etc.). </p>
+
<h2><a name="config">Configuring Postfix</a></h2>
<p> Like Sendmail, Postfix has a lot of configuration options that
that arrives via the Postfix smtpd(8) server is not filtered by the
non-SMTP filters that are described in the next section. </p>
+<p> NOTE: Do not use the header_checks(5) IGNORE action to remove
+Postfix's own Received: message header. This causes problems with
+mail signing filters. Instead, keep Postfix's own Received: message
+header and use the header_checks(5) REPLACE action to sanitize
+information. </p>
+
<p> You specify SMTP-only Milter applications (there can be more
than one) with the smtpd_milters parameter. Each Milter application
is identified by the name of its listening socket; other Milter
host. The host and port can be specified in numeric or symbolic
form.</p>
-<p> Note: Postfix syntax differs from Milter syntax which has the
+<p> NOTE: Postfix syntax differs from Milter syntax which has the
form <b>inet:</b><i>port</i><b>@</b><i>host</i>. </p> </dd>
</dl>
via the Postfix smtpd(8) server is not filtered by the non-SMTP
filters. </p>
+<p> NOTE: Do not use the header_checks(5) IGNORE action to remove
+Postfix's own Received: message header. This causes problems with
+mail signing filters. Instead, keep Postfix's own Received: message
+header and use the header_checks(5) REPLACE action to sanitize
+information. </p>
+
<p> You specify non-SMTP Milter applications with the non_smtpd_milters
parameter. This parameter uses the same syntax as the smtpd_milters
parameter in the previous section. As with the SMTP-only filters,
<h2><a name="workarounds">Workarounds</a></h2>
+<p> Content filters may break domain key etc. signatures. If you
+use an SMTP-based filter as described in FILTER_README, then you
+should add a line to master.cf with "disable_mime_output_conversion
+= yes", as described in the <a
+href="FILTER_README.html#advanced_filter">advanced content filter</a>
+example. </p>
+
<p> Sendmail Milter applications were originally developed for the
Sendmail version 8 MTA, which has a different architecture than
Postfix. The result is that some Milter applications make assumptions
<ul>
+<li> <p> Some Milter applications use the "<tt>{if_addr}</tt>" macro
+to recognize local mail; this macro does not exist in Postfix.
+Workaround: use the "<tt>{client_addr}</tt>" macro instead. </p>
+
<li> <p> Some Milter applications log a warning that looks like
this: </p>
</pre>
</blockquote>
-<p> This happens because the Milter application expects that the
+<p> This happens because some Milter applications expect that the
queue ID is known <i>before</i> the MTA accepts the MAIL FROM
-(sender) command. Postfix, on the other hand, does not create a
-queue file until <i>after</i> Postfix accepts the first valid RCPT
-TO (recipient) command. This queue file name must be globally unique
-across multiple queue directories, so it cannot be chosen until the
-file is actually created. </p>
+(sender) command. Postfix, on the other hand, does not choose a
+queue file name until <i>after</i> it accepts the first valid RCPT
+TO (recipient) command. Postfix queue file names must be unique
+across multiple directories, so the name can't be chosen before the
+file is created. If multiple messages were to use the same queue
+ID <i>simultaneously</i>, mail would be lost. </p>
<p> To work around the ugly message header from Milter applications,
we add a little code to the Milter source to look up the queue ID
<blockquote>
<pre>
-sic = (Context) smfi_getpriv(ctx);
-assert(sic != NULL);
+dfc = cc->cctx_msg;
+assert(dfc != NULL);
<b>
-/*
-** Determine the job ID for logging.
-*/
-if (sic->ctx_jobid == 0 || strcmp(sic->ctx_jobid, MSGIDUNKNOWN) == 0) {
+/* Determine the job ID for logging. */
+if (dfc->mctx_jobid == 0 || strcmp(dfc->mctx_jobid, JOBIDUNKNOWN) == 0) {
char *jobid = smfi_getsymval(ctx, "i");
if (jobid != 0)
- sic->ctx_jobid = jobid;
+ dfc->mctx_jobid = jobid;
}</b>
+
+/* get hostname; used in the X header and in new MIME boundaries */
</pre>
</blockquote>
-<p> This does not remove the WARNING message, however. </p>
+<p> NOTES: </p>
+
+<ul>
+
+<li> <p> Different mail filters use slightly different names for
+variables. If the above code does not compile, look for the code
+at the start of the <tt>mlfi_eoh()</tt> routine. </p>
+
+<li> <p> This fixes only the ugly message header, but not the WARNING
+message. Fortunately, dk-filter logs that message only once. </p>
+
+</ul>
<p> With some Milter applications we can fix both the WARNING and
the "unknown-msgid" by postponing the call of <tt>mlfi_eoh()</tt>
<h2><a name="limitations">Limitations</a></h2>
<p> This section lists limitations of the Postfix Milter implementation.
-Some limitations will be removed disappear as support is extended
+Some limitations will be removed as the implementation is extended
over time. Of course the usual limitations of before-queue filtering
will always apply. See the CONTENT_INSPECTION_README document for
a discussion. </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
- smtpd_sasl_application_name = smtpd
+ smtpd_sasl_application_name = smtpd (Postfix < 2.3)
+ smtpd_sasl_path = smtpd (Postfix 2.3 and later)
</pre>
</blockquote>
reject_authenticated_sender_login_mismatch and
reject_unauthenticated_sender_login_mismatch, and revised the docs.
-<li> Wietse made another iteration through the code to add
-plug-in support for multiple SASL implementations.
+<li> Wietse made another iteration through the code to add plug-in
+support for multiple SASL implementations, and changed
+smtpd_sasl_application_name into smtpd_sasl_path.
<li> The Dovecot SMTP server-only plug-in was originally implemented by
Timo Sirainen of Procontrol, Finland.
sasl_sender=
size=12345
ccert_subject=solaris9.porcupine.org
-ccert_issuer=Wietse Venema
+ccert_issuer=Wietse+20Venema
ccert_fingerprint=C2:9D:F4:87:71:73:73:D9:18:E7:C2:F3:C1:DA:6E:04
<b>Postfix version 2.3 and later:</b>
encryption_protocol=TLSv1/SSLv3
<li> <p> The "ccert_*" attributes (Postfix 2.2 and later) specify
information about how the client was authenticated via TLS.
These attributes are empty in case of no certificate authentication.
+ As of Postfix 2.2.11 these attribute values are encoded as
+ xtext: some characters are represented by +XX, where XX is the
+ two-digit hecadecimal representation of the character value.
</p>
<li> <p> The "encryption_*" attributes (Postfix 2.3 and later)
be unable to receive email from most TLS enabled clients. To avoid
accidental configurations with no certificates, Postfix 2.3 enables
certificate-less operation only when the administrator explicitly sets
-"smtpd_tls_cert_file = none". This ensures that new Postfix
-configurations with just "smtpd_use_tls = yes" added, will
-not accidentally run with no certificates. </p>
+"smtpd_tls_cert_file = none". This ensures that new Postfix
+configurations will not accidentally run with no certificates. </p>
<p> Both RSA and DSA certificates are supported. Typically you will
only have RSA certificates issued by a commercial CA. In addition,
<p> By default, TLS is disabled in the Postfix SMTP server, so no
difference to plain Postfix is visible. Explicitly switch it on
-using "smtpd_use_tls = yes". </p>
+with "smtpd_tls_security_level = may" (Postfix 2.3 and
+later) or "smtpd_use_tls = yes" (obsolete but still
+supported). </p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = may
+ # Obsolete, but still supported
smtpd_use_tls = yes
</pre>
</blockquote>
is never offered due to insufficient privileges to access the server
private key. This is intended behavior. </p>
-<p> <a name="server_enforce">You can ENFORCE the use of TLS</a>, so that
-the Postfix SMTP server announces STARTTLS and accepts no mail without
-TLS encryption, by setting "smtpd_enforce_tls = yes". According
-to RFC 2487 this MUST NOT be applied in case of a publicly-referenced
-Postfix SMTP server. This option is off by default and should only
-seldom be used. </p>
+<p> <a name="server_enforce">You can ENFORCE the use of TLS</a>,
+so that the Postfix SMTP server announces STARTTLS and accepts no
+mail without TLS encryption, by setting
+"smtpd_tls_security_level = encrypt" (Postfix 2.3 and
+later) or "smtpd_enforce_tls = yes" (obsolete but still
+supported). According to RFC 2487 this MUST NOT be applied in case
+of a publicly-referenced Postfix SMTP server. This option is off
+by default and should only seldom be used. </p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = encrypt
+ # Obsolete, but still supported
smtpd_enforce_tls = yes
</pre>
</blockquote>
<p> It is strictly discouraged to use this mode from main.cf. If
you want to support this service, enable a special port in master.cf
-and specify "-o smtpd_tls_wrappermode = yes" as an smtpd(8) command
+and specify "-o smtpd_tls_wrappermode = yes" as an smtpd(8) command
line option. Port 465 (smtps) was once chosen for this feature.
</p>
<blockquote>
<pre>
/etc/postfix/main.cf:
- smtpd_use_tls = yes
smtpd_tls_ask_ccert = yes
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = may
+ # Obsolete, but still supported
+ smtpd_use_tls = yes
</pre>
</blockquote>
<p> When TLS is <a href="#server_enforce">enforced</a> you may also decide
to REQUIRE a remote SMTP client certificate for all TLS connections,
-by setting "smtpd_tls_req_ccert = yes". This feature implies
-"smtpd_tls_ask_ccert = yes". When TLS is not enforced,
-"smtpd_tls_req_ccert = yes" is ignored and a warning is
+by setting "smtpd_tls_req_ccert = yes". This feature implies
+"smtpd_tls_ask_ccert = yes". When TLS is not enforced,
+"smtpd_tls_req_ccert = yes" is ignored and a warning is
logged. </p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
- smtpd_enforce_tls = yes
smtpd_tls_req_ccert = yes
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = encrypt
+ # Obsolete, but still supported
+ smtpd_enforce_tls = yes
</pre>
</blockquote>
<h3><a name="server_tls_auth">Supporting AUTH over TLS only</a></h3>
-<p> Sending AUTH data over an unencrypted channel poses a security risk.
-When TLS layer encryption is required (smtpd_enforce_tls = yes),
-the Postfix SMTP server will announce and accept AUTH only
-after the TLS layer has been activated with STARTTLS. When TLS
-layer encryption is optional (smtpd_enforce_tls = no), it may
-however still be useful to only offer AUTH when TLS is active. To
-maintain compatibility with non-TLS clients, the default is to
-accept AUTH without encryption. In order to change this behavior,
-set "smtpd_tls_auth_only = yes". </p>
+<p> Sending AUTH data over an unencrypted channel poses a security
+risk. When TLS layer encryption is required
+("smtpd_tls_security_level = encrypt" or the obsolete
+"smtpd_enforce_tls = yes"), the Postfix SMTP server will
+announce and accept AUTH only after the TLS layer has been activated
+with STARTTLS. When TLS layer encryption is optional
+("smtpd_tls_security_level = may" or the obsolete
+"smtpd_enforce_tls = no"), it may however still be useful
+to only offer AUTH when TLS is active. To maintain compatibility
+with non-TLS clients, the default is to accept AUTH without encryption.
+In order to change this behavior, set
+"smtpd_tls_auth_only = yes". </p>
<p> Example: </p>
<p> The description below is for Postfix 2.3; for Postfix < 2.3 the
smtpd_tls_cipherlist parameter specifies the acceptable ciphers as an
-explicit OpenSSL cipherlist. </p>
+explicit OpenSSL cipherlist. The obsolete setting applies even when TLS
+encryption is not enforced. Use of this control on public MX hosts is
+strongly discouraged. </p>
+
+<p> With mandatory TLS encryption, the Postfix SMTP server will by
+default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption
+is optional. This is controlled by the smtpd_tls_mandatory_protocols
+configuration parameter. </p>
<p> The Postfix SMTP server supports 5 distinct cipher security levels
-as specified by the smtpd_tls_ciphers configuration parameter. The
-default value is "export" which is the only one appropriate for public
-MX hosts. On private MX hosts or MSAs one can further restrict the
-OpenSSL cipherlist selection. </p>
+as specified by the smtpd_tls_mandatory_ciphers configuration parameter,
+which determines the cipher grade with mandatory TLS encryption. The
+default value is "medium" which is essentially 128-bit encryption or better.
+With opportunistic TLS encryption, the minimum accepted cipher grade is
+always "export". </p>
<p> By default anonymous ciphers are allowed, and automatically disabled
when client certificates are requested. If clients are expected to always
verify the server certificate you may want to exclude anonymous ciphers
-by setting "smtpd_tls_exclude_ciphers = aNULL". One can't
-force a client to check the server certificate, so excluding anonymous
-ciphers is generally unnecessary. </p>
+by setting "smtpd_tls_mandatory_exclude_ciphers = aNULL".
+One can't force a client to check the server certificate, so excluding
+anonymous ciphers is generally unnecessary. </p>
<p> For a server that is not a public Internet MX host, Postfix 2.3
supports configurations with no <a href="#server_cert_key">server
certificates</a> that use <b>only</b> the anonymous ciphers. This is
-enabled by explicitly setting "smtpd_tls_cert_file = none"
+enabled by explicitly setting "smtpd_tls_cert_file = none"
and not specifying an smtpd_tls_dcert_file. </p>
-<p> Example: (MSA that requires TLS with reasonably secure ciphers) </p>
+<p> Example: (MSA that requires TLS with high grade ciphers) </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
- smtpd_use_tls = yes
- smtpd_enforce_tls = yes
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
- smtpd_tls_ciphers = medium
- smtpd_tls_exclude_ciphers = aNULL, MD5
+ smtpd_tls_mandatory_ciphers = high
+ smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = encrypt
+ # Obsolete, but still supported
+ smtpd_enforce_tls = yes
</pre>
</blockquote>
<p> At the "none" TLS security level, TLS encryption is
disabled. This is the default security level. With Postfix 2.3 and later,
-it can be configured explicitly by setting "smtp_tls_security_level = none". </p>
+it can be configured explicitly by setting "smtp_tls_security_level = none". </p>
<p> With Postfix 2.2 and earlier, or when smtp_tls_security_level is set to
its default (backwards compatible) empty value, the appropriate configuration
-settings are "smtp_use_tls = no" and "smtp_enforce_tls = no".
+settings are "smtp_use_tls = no" and "smtp_enforce_tls = no".
With either approach, TLS is not used even if supported by the server.
For LMTP, use the corresponding "lmtp_" parameters. </p>
The SMTP transaction is encrypted if the STARTTLS ESMTP feature
is supported by the server. Otherwise, messages are sent in the clear.
With Postfix 2.3 and later, opportunistic TLS can be configured by
-setting "smtp_tls_security_level = may".
+setting "smtp_tls_security_level = may".
<p> Since sending in the clear is acceptable, demanding stronger
than default TLS security merely reduces inter-operability. For
<p> With Postfix 2.2 and earlier, or when smtp_tls_security_level is
set to its default (backwards compatible) empty value, the appropriate
-configuration settings are "smtp_use_tls = yes" and
-"smtp_enforce_tls = no".
-For LMTP use the corresponding "lmtp" parameters. </p>
+configuration settings are "smtp_use_tls = yes" and
+"smtp_enforce_tls = no".
+For LMTP use the corresponding "lmtp_" parameters. </p>
<p> With opportunistic TLS, mail delivery continues even if the
server certificate is untrusted or bears the wrong name. Starting
<p> At the "encrypt" TLS security level, messages are sent only
over TLS encrypted sessions. The SMTP transaction is aborted unless
-the STARTTLS ESMTP feature is supported by the server. If no
-suitable servers are found, the message will be deferred. With Postfix
-2.3 and later, mandatory TLS encryption can be configured by setting
-"smtp_tls_security_level = encrypt". Even though TLS encryption
-is always used, mail delivery continues if the server certificate is
-untrusted or bears the wrong name. </p>
+the STARTTLS ESMTP feature is supported by the server. If no suitable
+servers are found, the message will be deferred. With Postfix 2.3
+and later, mandatory TLS encryption can be configured by setting
+"smtp_tls_security_level = encrypt". Even though TLS
+encryption is always used, mail delivery continues if the server
+certificate is untrusted or bears the wrong name. </p>
<p> At this security level and higher, the smtp_tls_mandatory_protocols
and smtp_tls_mandatory_ciphers configuration parameters determine
<p> With Postfix 2.2 and earlier, or when smtp_tls_security_level
is set to its default (backwards compatible) empty value, the
-appropriate configuration settings are "smtp_enforce_tls = yes"
-and "smtp_tls_enforce_peername = no". For LMTP use the corresponding
-<i>lmtp_</i> parameters. </p>
+appropriate configuration settings are "smtp_enforce_tls = yes"
+and "smtp_tls_enforce_peername = no". For LMTP use the corresponding
+"lmtp_" parameters. </p>
<p> Despite the potential for eliminating passive eavesdropping attacks,
mandatory TLS encryption is not viable as a default security level for
<h3><a name="client_tls_verify"> Mandatory server certificate verification </a>
</h3>
-<p> At the "verify" TLS security level, messages are sent only
-over TLS encrypted sessions for which server certificate verification
-succeeds. If no suitable servers are found, the message will be
-deferred. With Postfix 2.3 and later, mandatory server certificate
-verification can be configured by setting
-"smtp_tls_security_level = verify", the
+<p> At the "verify" TLS security level, messages are sent only over
+TLS encrypted sessions if the server certificate is valid (not
+expired or revoked, and signed by a trusted certificate authority)
+and if the server certificate name matches a known pattern. Mandatory
+server certificate verification can be configured by setting
+"smtp_tls_security_level = verify". The
smtp_tls_verify_cert_match parameter can override the default
-"hostname" certificate match strategy. Fine-tuning the matching
-strategy is generally only appropriate for <a
+"hostname" certificate name matching strategy. Fine-tuning the
+
matching strategy is generally only appropriate for <a
href="#client_tls_secure">secure-channel</a> destinations. </p>
<p> With Postfix 2.2 and earlier, or when smtp_tls_security_level
is set to its default (backwards compatible) empty value, the
-appropriate configuration settings are "smtp_enforce_tls = yes" and
-"smtp_tls_enforce_peername = yes". For LMTP use the corresponding
-<i>lmtp_</i> parameters. </p>
+appropriate configuration settings are "smtp_enforce_tls = yes" and
+"smtp_tls_enforce_peername = yes". For LMTP use the corresponding
+"lmtp_" parameters. </p>
<p> If the server certificate chain is trusted (see smtp_tls_CAfile
and smtp_tls_CApath), any DNS names in the SubjectAlternativeName
<i>secure-channel</i> TLS sessions where DNS forgery resistant server
certificate verification succeeds. If no suitable servers are found, the
message will be deferred. With Postfix 2.3 and later, secure-channels
-can be configured by setting "smtp_tls_security_level = secure".
+can be configured by setting "smtp_tls_security_level = secure".
The smtp_tls_secure_cert_match parameter can override the default
"nexthop, dot-nexthop" certificate match strategy. </p>
<p> With Postfix 2.2 and earlier, or when smtp_tls_security_level
is set to its default (backwards compatible) empty value, the
-appropriate configuration settings are "smtp_enforce_tls = yes"
-and "smtp_tls_enforce_peername = yes" with additional settings to
+appropriate configuration settings are "smtp_enforce_tls = yes"
+and "smtp_tls_enforce_peername = yes" with additional settings to
<a href="#client_tls_harden">harden</a> peer certificate verification
-against forged DNS data. For LMTP, use the corresponding <i>lmtp_</i>
+against forged DNS data. For LMTP, use the corresponding "lmtp_"
parameters. </p>
<p> If the server certificate chain is trusted (see smtp_tls_CAfile and
<p> The new policy table is specified via the smtp_tls_policy_maps
parameter. This lists optional lookup tables with the Postfix SMTP client
-TLS security policy by next-hop destination. It supersedes the obsolete
-smtp_tls_per_site parameter. When $smtp_tls_policy_maps is not empty,
-the smtp_tls_per_site parameter is ignored (a warning is written to the
-logs if it is also non-empty). </p>
+TLS security policy by next-hop destination. When $smtp_tls_policy_maps
+is not empty, the obsolete smtp_tls_per_site parameter is ignored
+(a warning is written to the logs if both parameter values are
+non-empty). </p>
<p> The TLS policy table is indexed by the full next-hop destination,
which is either the recipient domain, or the verbatim next-hop
<dd>Opportunistic TLS. No additional attributes are supported at this
level. </dd>
-<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption. At this level and
-higher the optional "ciphers" attribute overrides the main.cf
-smtp_tls_mandatory_ciphers parameter and the optional "protocols"
-keyword overrides the main.cf smtp_tls_mandatory_protocols parameter.
-In the policy table, multiple protocols must be separated by colons,
-as attribute values may not contain whitespace or commas.</dd>
-
-<dt><b>verify</b></dt>
-<dd>Mandatory server certificate verification. The optional "match"
-attribute overrides the main.cf smtp_tls_verify_cert_match parameter.
-In the policy table, multiple match patterns and strategies must
-be separated by colons. </dd>
-
-<dt><b>secure</b></dt> <dd>Secure-channel TLS. The optional "match"
-attribute overrides the main.cf smtp_tls_secure_cert_match parameter. In
-the policy table, multiple match patterns and strategies must be separated
-by colons. The match attribute is useful when additional domains are
-supported by common server, the policy entries for the additional domains
-specify matching rules for the primary domain certificate. While transport
-table overrides routing secondary domains to the primary nexthop also
-allow secure verification, they risk delivery to the wrong destination
-when domains change hands or are re-assigned to new gateways. With the
-"match" attribute approach, routing is not perturbed, and mail is deferred
-if verification of a new MX host fails. </dd>
+<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption. Mail is
+delivered only if remote SMTP server offers STARTTLS and the TLS
+handshake succeeds. At this level and higher the optional "ciphers"
+attribute overrides the main.cf smtp_tls_mandatory_ciphers parameter
+and the optional "protocols" keyword overrides the main.cf
+smtp_tls_mandatory_protocols parameter. </dd>
+
+<dt><b>verify</b></dt> <dd>Mandatory server certificate verification.
+Mail is delivered only if the TLS handshake succeeds, if the server
+certificate can be validated (not expired or revoked, and signed
+by a trusted certificate authority), and if the server certificate
+name matches the optional "match" attribute (or the main.cf
+smtp_tls_verify_cert_match parameter value when no optional "match"
+attribute is specified). </dd>
+
+<dt><b>secure</b></dt> <dd>Secure-channel TLS. Mail is delivered
+only if the TLS handshake succeeds, if the server certificate can
+be validated (not expired or revoked, and signed by a trusted
+certificate authority), and if the server certificate name matches
+the optional "match" attribute (or the main.cf smtp_tls_secure_cert_match
+parameter value when no optional "match" attribute is specified).
+</dd>
</dl>
+<p> Notes: </p>
+
+<ul>
+
+<li> <p> The "match" attribute is especially useful to verify TLS
+certificates for domains that are hosted on a shared server. In
+that case, specify "match" rules for the shared server's name.
+While secure verification can also be achieved with manual routing
+overrides in Postfix transport(5) tables, that approach can deliver
+mail to the wrong host when domains are assigned to new gateway
+hosts. The "match" attribute approach avoids the problems of manual
+routing overrides; mail is deferred if verification of a new MX
+host fails. </p>
+
+<li> <p> When a policy table entry specifies multiple match patterns,
+multiple match strategies, or multiple protocols, these must be
+separated by colons. </p>
+
+</ul>
+
<p>
Example:
</p>
<dt> MAY </dt> <dd> Opportunistic TLS. This has less precedence than
a more specific result (including "NONE") from the alternate host or
next-hop lookup key, and has less precedence than the more specific global
-"smtp_enforce_tls = yes" or "smtp_tls_enforce_peername = yes". </dd>
+"smtp_enforce_tls = yes" or "smtp_tls_enforce_peername = yes". </dd>
<dt> MUST_NOPEERMATCH </dt> <dd> Mandatory TLS encryption. This
overrides a less secure "NONE" or a less specific "MAY" lookup result
<li> <p> When neither the remote SMTP server hostname nor the
next-hop destination are found in the smtp_tls_per_site table, the
policy is based on smtp_use_tls, smtp_enforce_tls and
-smtp_tls_enforce_peername. Note: "smtp_enforce_tls = yes" and
-"smtp_tls_enforce_peername = yes" imply "smtp_use_tls = yes". </p>
+smtp_tls_enforce_peername. Note: "smtp_enforce_tls = yes" and
+"smtp_tls_enforce_peername = yes" imply "smtp_use_tls = yes". </p>
<li> <p> When both hostname and next-hop destination lookups produce
a result, the more specific per-site policy (NONE, MUST, etc)
<li> <p> After the per-site policy lookups are combined, the result
generally overrides the global policy. The exception is the less
specific "MAY" per-site policy, which is overruled by the more
-specific global "smtp_enforce_tls = yes" with server certificate
+specific global "smtp_enforce_tls = yes" with server certificate
verification as specified with the smtp_tls_enforce_peername
parameter. </p>
verification. </p>
<li> <p> Disallow CNAME hostname overrides. In main.cf, specify
-"smtp_cname_overrides_servername = no". This prevents false hostname
+"smtp_cname_overrides_servername = no". This prevents false hostname
information in DNS CNAME records from changing the server hostname
that Postfix uses for TLS policy lookup and server certificate
verification. This feature requires Postfix 2.2.9 or later. The
ciphers on a per-destination basis. </p>
<p> By default anonymous ciphers are allowed, and automatically
-disabled when server certificates are verified. If you
-want to disable even at the "encrypt" security level, set
-"smtp_tls_mandatory_exclude_ciphers = aNULL",
-to disable anonymous ciphers even with opportunistic TLS, set
-"smtp_tls_exclude_ciphers = aNULL". There is generally no
-need to take these measures. Anonymous ciphers save bandwidth and TLS
-session cache space, if certificates are ignored, there is little point
-in requesting them. </p>
+disabled when server certificates are verified. If you want to
+disable anonymous ciphers even at the "encrypt" security level, set
+"smtp_tls_mandatory_exclude_ciphers = aNULL"; and to
+disable anonymous ciphers even with opportunistic TLS, set
+"smtp_tls_exclude_ciphers = aNULL". There is generally
+no need to take these measures. Anonymous ciphers save bandwidth
+and TLS session cache space, if certificates are ignored, there is
+little point in requesting them. </p>
<p> Example: </p>
<blockquote>
<pre>
-smtp_tls_CAfile = /etc/postfix/cacert.pem
-smtp_tls_session_cache_database =
- btree:/var/spool/postfix/smtp_tls_session_cache
-smtp_use_tls = yes
-smtpd_tls_CAfile = /etc/postfix/cacert.pem
-smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
-smtpd_tls_key_file = /etc/postfix/FOO-key.pem
-smtpd_tls_received_header = yes
-smtpd_tls_session_cache_database =
- btree:/var/spool/postfix/smtpd_tls_session_cache
-smtpd_use_tls = yes
-tls_random_source = dev:/dev/urandom
+/etc/postfix/main.cf:
+ smtp_tls_CAfile = /etc/postfix/cacert.pem
+ smtp_tls_session_cache_database =
+ btree:/var/spool/postfix/smtp_tls_session_cache
+ smtp_use_tls = yes
+ smtpd_tls_CAfile = /etc/postfix/cacert.pem
+ smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
+ smtpd_tls_key_file = /etc/postfix/FOO-key.pem
+ smtpd_tls_received_header = yes
+ smtpd_tls_session_cache_database =
+ btree:/var/spool/postfix/smtpd_tls_session_cache
+ tls_random_source = dev:/dev/urandom
+ # Postfix 2.3 and later
+ smtpd_tls_security_level = may
+ # Obsolete, but still supported
+ smtpd_use_tls = yes
</pre>
</blockquote>
cache databases. Such a protocol cannot be run across fifos. </p>
<li> <p> smtp_tls_per_site: the MUST_NOPEERMATCH per-site policy
-cannot override the global "smtp_tls_enforce_peername = yes" setting.
+cannot override the global "smtp_tls_enforce_peername = yes" setting.
</p>
<li> <p> smtp_tls_per_site: a combined (NONE + MAY) lookup result
for (hostname and next-hop destination) produces counter-intuitive
results for different main.cf settings. TLS is enabled with
-"smtp_tls_enforce_peername = no", but it is disabled when both
-"smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes".
+"smtp_tls_enforce_peername = no", but it is disabled when both
+"smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes".
</p>
</ul>
# This section describes how the table lookups change when lookups
# are directed to a TCP-based server. For a description of the TCP
# client/server lookup protocol, see \fBtcp_table\fR(5).
-# This feature is not available up to and including Postfix version 2.2.
+# This feature is not available up to and including Postfix version 2.3.
#
# Each lookup operation uses the entire query string once.
# Depending on the application, that string is an entire client
# This section describes how the table lookups change when lookups
# are directed to a TCP-based server. For a description of the TCP
# client/server lookup protocol, see \fBtcp_table\fR(5).
-# This feature is not available up to and including Postfix version 2.2.
+# This feature is not available up to and including Postfix version 2.3.
#
# Each lookup operation uses the entire address once. Thus,
# \fIuser@domain\fR mail addresses are not broken up into their
# This section describes how the table lookups change when lookups
# are directed to a TCP-based server. For a description of the TCP
# client/server lookup protocol, see \fBtcp_table\fR(5).
-# This feature is not available up to and including Postfix version 2.2.
+# This feature is not available up to and including Postfix version 2.3.
#
# Each lookup operation uses the entire address once. Thus,
# \fIuser@domain\fR mail addresses are not broken up into their
# place.
# .sp
# The files in the examples/chroot-setup subdirectory of the
-# Postfix source archive describe how to set up a Postfix
-# chroot environment for your type of machine, and
-# BASIC_CONFIGURATION_README discusses issues related to
-# running daemons chrooted.
+# Postfix source archive show set up a Postfix chroot environment
+# on a variety of systems. See also BASIC_CONFIGURATION_README
+# for issues related to running daemons chrooted.
# .IP "\fBWake up time (default: 0)\fR"
# Automatically wake up the named service after the specified
# number of seconds. The wake up is implemented by connecting
# to the service and sending a wake up request. A ? at the
-# end of the wake-up time field requests that wake up events
-# be sent only to services that are actually being used.
+# end of the wake-up time field requests that no wake up
+# events be sent before the service is used.
# Specify 0 for no automatic wake up.
# .sp
# The \fBpickup\fR(8), \fBqmgr\fR(8) and \fBflush\fR(8)
<p>
Specify, for example, "best_mx_transport = local" to pass the mail
-from the SMTP client to the local(8) delivery agent. You can specify
+from the Postfix SMTP client to the local(8) delivery agent. You
+can specify
any message delivery "transport" or "transport:nexthop" that is
defined in the master.cf file. See the transport(5) manual page
for the syntax and meaning of "transport" or "transport:nexthop".
<p>
A better solution for multi-homed firewalls is to leave inet_interfaces
at the default value and instead use explicit IP addresses in
-the master.cf SMTP server definitions. This preserves the SMTP client's
+the master.cf SMTP server definitions. This preserves the Postfix
+SMTP client's
loop detection, by ensuring that each side of the firewall knows that the
other IP address is still the same host. Setting $inet_interfaces to a
single IPv4 and/or IPV6 address is primarily useful with virtual
not, but it does not use the result from table lookup. </p>
<p>
-If this parameter is non-empty (the default), then the Postfix SMTP server
-will reject mail for unknown local users.
+If this parameter is non-empty (the default), then the Postfix SMTP
+server will reject mail for unknown local users.
</p>
<p>
%PARAM smtp_bind_address
<p>
-An optional numerical network address that the SMTP client should
-bind to when making an IPv4 connection.
+An optional numerical network address that the Postfix SMTP client
+should bind to when making an IPv4 connection.
</p>
<p>
%PARAM smtp_bind_address6
<p>
-An optional numerical network address that the SMTP client should
-bind to when making an IPv6 connection.
+An optional numerical network address that the Postfix SMTP client
+should bind to when making an IPv6 connection.
</p>
<p> This feature is available in Postfix 2.2 and later. </p>
</p>
<p>
-When no connection can be made within the deadline, the SMTP client
+When no connection can be made within the deadline, the Postfix
+SMTP client
tries the next address on the mail exchanger list. Specify 0 to
disable the time limit (i.e. use whatever timeout is implemented by
the operating system).
<p>
The SMTP client time limit for sending the SMTP message content.
When the connection makes no progress for more than $smtp_data_xfer_timeout
-seconds the SMTP client terminates the transfer.
+seconds the Postfix SMTP client terminates the transfer.
</p>
<p>
%PARAM smtp_host_lookup dns
<p>
-What mechanisms when the SMTP client uses to look up a host's IP
+What mechanisms when the Postfix SMTP client uses to look up a host's IP
address. This parameter is ignored when DNS lookups are disabled.
</p>
%PARAM smtp_send_xforward_command no
<p>
-Send the non-standard XFORWARD command when the Postfix SMTP server EHLO
-response announces XFORWARD support.
+Send the non-standard XFORWARD command when the Postfix SMTP server
+EHLO response announces XFORWARD support.
</p>
<p>
</p>
<p>
-This feature is available in Postfix 2.1 and later.
+This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3
+it was renamed to smtpd_sasl_path.
</p>
%PARAM strict_7bit_headers no
%PARAM smtp_discard_ehlo_keywords
<p> A case insensitive list of EHLO keywords (pipelining, starttls,
-auth, etc.) that the SMTP client will ignore in the EHLO response
-from a remote SMTP server. </p>
+auth, etc.) that the Postfix SMTP client will ignore in the EHLO
+response from a remote SMTP server. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
<p> Lookup tables, indexed by the remote SMTP server address, with
case insensitive lists of EHLO keywords (pipelining, starttls, auth,
-etc.) that the SMTP client will ignore in the EHLO response from a
+etc.) that the Postfix SMTP client will ignore in the EHLO response from a
remote SMTP server. See smtp_discard_ehlo_keywords for details. The
table is not indexed by hostname for consistency with
smtpd_discard_ehlo_keyword_address_maps. </p>
similar software, it will still insist on a server certificate. </p>
<p> For servers that are <b>not</b> public Internet MX hosts, Postfix
-2.3 supports configurations with no certificates. This entails the use
-of just the anonymous TLS ciphers, which are not supported by typical
-SMTP clients. Since such clients will not, as a rule, fall back to plain
-text after a TLS handshake failure, the server will be unable to receive
-email from TLS enabled clients. To avoid accidental configurations with
-no certificates, Postfix 2.3 enables certificate-less operation only
-when the administrator explicitly sets "smtpd_tls_cert_file = none". This
-ensures that new Postfix configurations with just "smtpd_use_tls = yes"
-added, will not accidentally run with no certificates. </p>
+2.3 supports configurations with no certificates. This entails the
+use of just the anonymous TLS ciphers, which are not supported by
+typical SMTP clients. Since such clients will not, as a rule, fall
+back to plain text after a TLS handshake failure, the server will
+be unable to receive email from TLS enabled clients. To avoid
+accidental configurations with no certificates, Postfix 2.3 enables
+certificate-less operation only when the administrator explicitly
+sets "smtpd_tls_cert_file = none". This ensures that new Postfix
+configurations will not accidentally run with no certificates. </p>
<p> Both RSA and DSA certificates are supported. When both types
are present, the cipher used determines which certificate will be
%PARAM smtpd_use_tls no
-<p> Opportunistic mode: announce STARTTLS support to SMTP clients,
+<p> Opportunistic TLS: announce STARTTLS support to SMTP clients,
but do not require that clients use TLS encryption. </p>
<p> Note: when invoked via "<b>sendmail -bs</b>", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior. </p>
-<p> This feature is available in Postfix 2.2 and later. </p>
+<p> This feature is available in Postfix 2.2 and later. With
+Postfix 2.3 and later use smtpd_tls_security_level instead. </p>
%PARAM smtpd_enforce_tls no
-<p> Enforcement mode: announce STARTTLS support to SMTP clients,
+<p> Mandatory TLS: announce STARTTLS support to SMTP clients,
and require that clients use TLS encryption. According to RFC 2487
this MUST NOT be applied in case of a publicly-referenced SMTP
server. This option is off by default and should be used only on
dedicated servers. </p>
-<p> Note 1: this mode implies "smtpd_tls_auth_only = yes". </p>
+<p> Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes". </p>
<p> Note 2: when invoked via "<b>sendmail -bs</b>", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior. </p>
-<p> This feature is available in Postfix 2.2 and later. </p>
+<p> This feature is available in Postfix 2.2 and later. With
+Postfix 2.3 and later use smtpd_tls_security_level instead. </p>
%PARAM smtpd_tls_wrappermode no
%PARAM smtpd_tls_req_ccert no
-<p> When TLS encryption is enforced, require a remote SMTP client
+<p> With mandatory TLS encryption, require a remote SMTP client
certificate in order to allow TLS connections to proceed. This
option implies "smtpd_tls_ask_ccert = yes". </p>
<p> <b>Note:</b> do not use "" quotes around the parameter value. </p>
<p>This feature is available with Postfix version 2.2. It is not used with
-Postfix 2.3 and later; use smtpd_tls_ciphers instead. </p>
+Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead. </p>
%PARAM smtpd_tls_dh1024_param_file
<p> Your actual source for entropy may differ. Some systems have
/dev/random; on other system you may consider using the "Entropy
-Gathering Daemon EGD", available at http://www.lothar.com/tech/crypto/.
+Gathering Daemon EGD", available at http://egd.sourceforge.net/
</p>
<p> Example: </p>
%PARAM smtp_tls_enforce_peername yes
-<p> When TLS encryption is enforced, require that the remote SMTP
+<p> With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP server
certificate. As of RFC 2487 the requirements for hostname checking
for MTA clients are not specified. </p>
%PARAM smtp_tls_cipherlist
<p> Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
-cipher list. As this feature applies to all security levels, it is easy
+cipher list. As this feature applies to all TLS security levels, it is easy
to create inter-operability problems by choosing a non-default cipher
list. Do not use a non-default TLS cipher list on hosts that deliver email
to the public Internet: you will be unable to send email to servers that
%PARAM smtpd_peername_lookup yes
-<p> Attempt to look up the SMTP client hostname, and verify that
+<p> Attempt to look up the Postfix SMTP client hostname, and verify that
the name matches the client IP address. A client name is set to
"unknown" when it cannot be looked up or verified, or when name
lookup is disabled. Turning off name lookup reduces delays due to
%PARAM smtp_sender_dependent_authentication no
<p>
-Enable sender-dependent authentication in the SMTP client; this is
+Enable sender-dependent authentication in the Postfix SMTP client; this is
available only with SASL authentication, and disables SMTP connection
caching to ensure that mail from different senders will use the
appropriate credentials. </p>
<b>smtpd_sasl_type</b>. Typically this specifies the name of a
configuration file or rendezvous point. </p>
-<p> This feature is available in Postfix 2.3 and later. </p>
+<p> This feature is available in Postfix 2.3 and later. In earlier
+releases it was called smtpd_sasl_application. </p>
%PARAM smtp_sasl_path
%PARAM smtp_tls_mandatory_protocols SSLv3, TLSv1
-<p> List of TLS protocol versions that are secure enough to be used
-with the "encrypt" security level and higher. In main.cf the values
+<p> List of TLS protocols that the Postfix SMTP client will use
+with mandatory TLS encryption. In main.cf the values
are separated by whitespace, commas or colons. In the policy table
(see smtp_tls_policy_maps) the only valid separator is colon. An
empty value means allow all protocols. The valid protocol names,
<p> This feature is available in Postfix 2.3 and later. </p>
-%PARAM smtpd_tls_protocols
-
-<p> The list of TLS protocols supported by the server. If empty the
-default list of protocols is used (i.e. all TLS protocol versions are
-supported). Any non-empty value is interpreted as a list of protocol
-names separated by whitespace, commas or colons. The supported protocol
-names are "SSLv2", "SSLv3" and "TLSv1", and are not
-case-sensitive. </p>
+%PARAM smtpd_tls_mandatory_protocols SSLv3, TLSv1
-<p> DO NOT set this to a non-default value on an MX-host,
-as some clients may not support any of the narrower set of protocols,
-and may be unable to fallback to plaintext sessions. If you restrict
-the protocol list on an MX host, you may lose mail. </p>
+<p> The TLS protocols accepted by the Postfix SMTP server with
+mandatory TLS encryption. With opportunistic TLS encryption, all
+protocols are always accepted. If the list is empty, the server
+supports all available TLS protocol versions. A non-empty value
+is a list of protocol names separated by whitespace, commas or
+colons. The supported protocol names are "SSLv2", "SSLv3" and
+"TLSv1", and are not case sensitive. </p>
<p> Example: </p>
<pre>
-smtpd_tls_protocols = SSLv3, TLSv1
+smtpd_tls_mandatory_protocols = SSLv3, TLSv1
</pre>
<p> This feature is available in Postfix 2.3 and later. </p>
%PARAM smtp_tls_security_level
-<p> The default SMTP TLS security level for all destinations; when
-a non-empty value is specified, this overrides the obsolete parameters
-smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. </p>
+<p> The default SMTP TLS security level for the Postfix SMTP client;
+when a non-empty value is specified, this overrides the obsolete
+parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
+</p>
<p> Specify one of the following security levels: </p>
<p> This feature is available in Postfix 2.3 and later. </p>
-%PARAM smtpd_tls_ciphers export
+%PARAM smtpd_tls_mandatory_ciphers medium
-<p> The minimum acceptable SMTP server TLS cipher grade. It is easy to
-create inter-operability problems by choosing a non-default cipher grade.
-Do not use a stronger than default minimum cipher grade for MX hosts on
-the public Internet. Clients that begin the TLS handshake, but are unable
-to agree on a common cipher, may not be able to send any email to the
-SMTP server. Using a restricted cipher list may be more appropriate for a
-dedicated MSA or an internal mailhub, where one can exert some control over
-the TLS software and settings of the connecting clients. Configurations
-with no certificates are also not likely to inter-operate with most
-clients, see the notes for "smtpd_tls_cert_file". </p>
+<p> The minimum TLS cipher grade that the Postfix SMTP server will
+use with mandatory
+TLS encryption. Cipher types listed in smtpd_tls_mandatory_exclude_ciphers
+or smtpd_tls_exclude_ciphers are excluded from the base definition
+of the selected cipher grade. With opportunistic TLS encryption,
+the "export" grade is used unconditionally with exclusions specified
+only via smtpd_tls_exclude_ciphers. </p>
<p> The following cipher grades are supported: </p>
<dl>
<dt><b>export</b></dt>
<dd> Enable the mainstream "EXPORT" grade or better OpenSSL ciphers.
-This is the most appropriate setting for public MX hosts. The underlying
-cipherlist is specified via the tls_export_cipherlist configuration
-parameter, which you are strongly encouraged to not change. The default
-value of tls_export_cipherlist includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
+This is the most appropriate setting for public MX hosts, and is always
+used with opportunistic TLS encryption. The underlying cipherlist
+is specified via the tls_export_cipherlist configuration parameter,
+which you are strongly encouraged to not change. The default value
+of tls_export_cipherlist includes anonymous ciphers, but these are
+automatically filtered out if the server is configured to ask for
client certificates. If you must always exclude anonymous ciphers,
-set "smtpd_tls_exclude_ciphers = aNULL". </dd>
+set "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers
+only when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers =
+aNULL". </dd>
<dt><b>low</b></dt>
-<dd> Enable the mainstream "LOW" grade or better OpenSSL ciphers. This
-setting is only appropriate for internal mail servers. The underlying
-cipherlist is specified via the tls_low_cipherlist configuration
-parameter, which you are strongly encouraged to not change. The default
-value of tls_low_cipherlist includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers,
-set "smtpd_tls_exclude_ciphers = aNULL". </dd>
+<dd> Enable the mainstream "LOW" grade or better OpenSSL ciphers. The
+underlying cipherlist is specified via the tls_low_cipherlist
+configuration parameter, which you are strongly encouraged to
+not change. The default value of tls_low_cipherlist includes
+anonymous ciphers, but these are automatically filtered out if the
+server is configured to ask for client certificates. If you must
+always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers =
+aNULL". To exclude anonymous ciphers only when TLS is enforced, set
+"smtpd_tls_mandatory_exclude_ciphers = aNULL". </dd>
<dt><b>medium</b></dt>
-<dd> Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers. This
-setting is only appropriate for internal mail servers. The underlying
-cipherlist is specified via the tls_medium_cipherlist configuration
-parameter, which you are strongly encouraged to not change. The default
-value of tls_medium_cipherlist includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers,
-set "smtpd_tls_exclude_ciphers = aNULL". </dd>
+<dd> Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers. These
+are essentially the 128-bit or stronger ciphers. This is the default
+minimum strength for mandatory TLS encryption. MSAs that enforce
+TLS and have clients that do not support any "MEDIUM" or "HIGH"
+grade ciphers, may need to configure a weaker ("low" or "export")
+minimum cipher grade. The underlying cipherlist is specified via the
+tls_medium_cipherlist configuration parameter, which you are strongly
+encouraged to not change. The default value of tls_medium_cipherlist
+includes anonymous ciphers, but these are automatically filtered out if
+the server is configured to ask for client certificates. If you must
+always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers =
+aNULL". To exclude anonymous ciphers only when TLS is enforced, set
+"smtpd_tls_mandatory_exclude_ciphers = aNULL". </dd>
<dt><b>high</b></dt>
-<dd> Enable only the mainstream "HIGH" grade OpenSSL ciphers. This
-setting is only appropriate for internal mail servers. The underlying
-cipherlist is specified via the tls_high_cipherlist configuration
-parameter, which you are strongly encouraged to not change. The default
-value of tls_high_cipherlist includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers, set
-"smtpd_tls_exclude_ciphers = aNULL". </dd>
+<dd> Enable only the mainstream "HIGH" grade OpenSSL ciphers. The
+underlying cipherlist is specified via the tls_high_cipherlist
+configuration parameter, which you are strongly encouraged to
+not change. The default value of tls_high_cipherlist includes
+anonymous ciphers, but these are automatically filtered out if the
+server is configured to ask for client certificates. If you must
+always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers =
+aNULL". To exclude anonymous ciphers only when TLS is enforced, set
+"smtpd_tls_mandatory_exclude_ciphers = aNULL". </dd>
<dt><b>null</b></dt>
<dd> Enable only the "NULL" OpenSSL ciphers, these provide authentication
%PARAM smtpd_tls_exclude_ciphers
<p> List of ciphers or cipher types to exclude from the SMTP server
-cipher list. This is not an OpenSSL cipherlist; it is a simple list
-separated by whitespace and/or commas. The elements are a single
-cipher, or one or more "+" separated cipher properties, in which
-case only ciphers matching <b>all</b> the properties are excluded. </p>
+cipher list at all TLS security levels. Excluding valid ciphers
+can create interoperability problems. DO NOT exclude ciphers unless it
+is essential to do so. This is not an OpenSSL cipherlist; it is a simple
+list separated by whitespace and/or commas. The elements are a single
+cipher, or one or more "+" separated cipher properties, in which case
+only ciphers matching <b>all</b> the properties are excluded. </p>
<p> Examples (some of these will cause problems): </p>
<p> This feature is available in Postfix 2.3 and later. </p>
+%PARAM smtpd_tls_mandatory_exclude_ciphers
+
+<p> Additional list of ciphers or cipher types to exclude from the
+SMTP server cipher list at mandatory TLS security levels. This list
+works in addition to the exclusions listed with smtpd_tls_exclude_ciphers
+(see there for syntax details). </p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
+
%PARAM smtp_tls_mandatory_ciphers medium
-<p> The minimum SMTP client TLS cipher grade that is strong enough to
-be used with the "encrypt" security level and higher. The default
-value "medium" is suitable for most destinations with which you may
-want to enforce TLS, and is beyond the reach of today's crypt-analytic
-methods. See smtp_tls_policy_maps for information on how to configure
-ciphers on a per-destination basis. </p>
+<p> The minimum TLS cipher grade that the Postfix SMTP client will
+use with
+mandatory TLS encryption. The default value "medium" is suitable
+for most destinations with which you may want to enforce TLS, and
+is beyond the reach of today's crypt-analytic methods. See
+smtp_tls_policy_maps for information on how to configure ciphers
+on a per-destination basis. </p>
<p> The following cipher grades are supported: </p>
%PARAM smtp_tls_exclude_ciphers
-<p> List of ciphers or cipher types to exclude from the SMTP client cipher
-list at all security levels. This is not an OpenSSL cipherlist, it is
+<p> List of ciphers or cipher types to exclude from the Postfix
+SMTP client cipher
+list at all TLS security levels. This is not an OpenSSL cipherlist, it is
a simple list separated by whitespace and/or commas. The elements are a
single cipher, or one or more "+" separated cipher properties, in which
case only ciphers matching <b>all</b> the properties are excluded. </p>
%PARAM smtp_tls_mandatory_exclude_ciphers
-<p> List of ciphers or cipher types to exclude from the SMTP client
-cipher list at the mandatory TLS security levels: "encrypt", "verify"
-and "secure". See smtp_tls_exclude_ciphers for syntax details. When
-both "exclude" parameters are defined, the combined list of ciphers is
-excluded (provided the TLS security level is "encrypt" or higher). </p>
+<p> Additional list of ciphers or cipher types to exclude from the
+SMTP client cipher list at mandatory TLS security levels. This list
+works in addition to the exclusions listed with smtp_tls_exclude_ciphers
+(see there for syntax details). </p>
<p> This feature is available in Postfix 2.3 and later. </p>
%PARAM tls_high_cipherlist !EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH
<p> The OpenSSL cipherlist for "HIGH" grade ciphers. This defines
-the meaning of the "high" setting in smtpd_tls_ciphers,
+the meaning of the "high" setting in smtpd_tls_mandatory_ciphers,
smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
strongly encouraged to not change this setting. </p>
%PARAM tls_medium_cipherlist !EXPORT:!LOW:ALL:+RC4:@STRENGTH
<p> The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This
-defines the meaning of the "medium" setting in smtpd_tls_ciphers,
+defines the meaning of the "medium" setting in smtpd_tls_mandatory_ciphers,
smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is
the default cipherlist for mandatory TLS encryption in the TLS
client (with anonymous ciphers disabled when verifying server
%PARAM tls_low_cipherlist !EXPORT:ALL:+RC4:@STRENGTH
<p> The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines
-the meaning of the "low" setting in smtpd_tls_ciphers,
+the meaning of the "low" setting in smtpd_tls_mandatory_ciphers,
smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
strongly encouraged to not change this setting. </p>
%PARAM tls_export_cipherlist ALL:+RC4:@STRENGTH
<p> The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This
-defines the meaning of the "export" setting in smtpd_tls_ciphers,
+defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers,
smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is
the cipherlist for the opportunistic ("may") TLS client security
level and is the default cipherlist for the SMTP server. You are
<p> The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption. This defines the meaning of the "null"
-setting in smtpd_tls_ciphers, smtp_tls_mandatory_ciphers and
+setting in smtpd_mandatory_tls_ciphers, smtp_tls_mandatory_ciphers and
lmtp_tls_mandatory_ciphers. You are strongly encouraged to not
change this setting. </p>
configuration parameter. See there for details. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
+
+%PARAM smtp_sasl_auth_enforce yes
+
+<p> If sender-dependent SASL passwords are turned off, defer mail
+delivery when an SMTP server does not support SASL authentication,
+while smtp_sasl_password_maps contains SASL login/password information
+for that server. </p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
+
+%PARAM lmtp_sasl_auth_enforce yes
+
+<p> The LMTP-specific version of the smtp_sasl_auth_enforce
+configuration parameter. See there for details. </p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
+
+%PARAM smtpd_tls_security_level
+
+<p> The SMTP TLS security level for the Postfix SMTP server; when
+a non-empty value is specified, this overrides the obsolete parameters
+smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
+"smtpd_tls_wrappermode = yes". </p>
+
+<p> Specify one of the following security levels: </p>
+
+<dl>
+
+<dt><b>none</b></dt> <dd> TLS will not be used. </dd>
+
+<dt><b>may</b></dt> <dd> Opportunistic TLS: announce STARTTLS support
+to SMTP clients, but do not require that clients use TLS encryption.
+</dd>
+
+<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption: announce
+STARTTLS support to SMTP clients, and require that clients use TLS
+encryption. According to RFC 2487 this MUST NOT be applied in case
+of a publicly-referenced SMTP server. Instead, this option should
+be used only on dedicated servers. </dd>
+
+</dl>
+
+<p> Note 1: the "verify" and "secure" levels are not supported.
+The Postfix SMTP server logs a warning and uses "encrypt" instead.
+To verify SMTP client certificates, see TLS_README for a discussion
+of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and permit_tls_clientcerts
+features. </p>
+
+<p> Note 2: The parameter setting "smtpd_tls_security_level =
+encrypt" implies "smtpd_tls_auth_only = yes".</p>
+
+<p> Note 3: when invoked via "sendmail -bs", Postfix will never
+offer STARTTLS due to insufficient privileges to access the server
+private key. This is intended behavior.</p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
+
+%PARAM internal_mail_filter_classes
+
+<p> What categories of Postfix-generated mail are subject to
+before-queue content inspection by non_smtpd_milters, header_checks
+and body_checks. Specify zero or more of the following, separated
+by whitespace or comma. </p>
+
+<dl>
+
+<dt> <b> bounce </b> </dt> <dd> Inspect the content of delivery
+status notifications. </dd>
+
+<dt> <b> notify </b> </dt> <dd> Inspect the content of postmaster
+notifications by the smtp(8) and smtpd(8) processes. </dd>
+
+</dl>
+
+<p> NOTE: It's generally not safe to enable content inspection of
+Postfix-generated email messages. The user is warned. </p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
# expression lookup table syntax, see \fBregexp_table\fR(5) or
# \fBpcre_table\fR(5). For a description of the TCP client/server
# table lookup protocol, see \fBtcp_table\fR(5).
-# This feature is not available up to and including Postfix version 2.2.
+# This feature is not available up to and including Postfix version 2.3.
#
# Each pattern is a regular expression that is applied to the entire
# address being looked up. Thus, \fIuser@domain\fR mail addresses are not
# This section describes how the table lookups change when lookups
# are directed to a TCP-based server. For a description of the TCP
# client/server lookup protocol, see \fBtcp_table\fR(5).
-# This feature is not available up to and including Postfix version 2.2.
+# This feature is not available up to and including Postfix version 2.3.
#
# Each lookup operation uses the entire address once. Thus,
# \fIuser@domain\fR mail addresses are not broken up into their
# This section describes how the table lookups change when lookups
# are directed to a TCP-based server. For a description of the TCP
# client/server lookup protocol, see \fBtcp_table\fR(5).
-# This feature is not available up to and including Postfix version 2.2.
+# This feature is not available up to and including Postfix version 2.3.
#
# Each lookup operation uses the entire recipient address once. Thus,
# \fIsome.domain.hierarchy\fR is not looked up via its parent domains,
# This section describes how the table lookups change when lookups
# are directed to a TCP-based server. For a description of the TCP
# client/server lookup protocol, see \fBtcp_table\fR(5).
-# This feature is not available up to and including Postfix version 2.2.
+# This feature is not available up to and including Postfix version 2.3.
#
# Each lookup operation uses the entire address once. Thus,
# \fIuser@domain\fR mail addresses are not broken up into their
+++ /dev/null
-This patch adds support for microsecond time information in Postfix
-queue files.
-
-*** /var/tmp/postfix-2.3-20051103/auxiliary/qshape/qshape.pl Fri Feb 4 19:41:14 2005
---- auxiliary/qshape/qshape.pl Wed Nov 9 08:43:40 2005
-***************
-*** 204,210 ****
- $dlen = $1 if ($d =~ /^\s*(\d+)\s+\d+\s+\d+/);
- ($r, $l, $d) = rec_get($h);
- return unless (defined $r && $r eq "T");
-! $t = $d;
- } elsif ($r eq "S" || $r eq "F") {
- # For embryonic queue files in the "maildrop" directory the first
- # record is either a REC_TYPE_FULL (F) followed by REC_TYPE_FROM
---- 204,210 ----
- $dlen = $1 if ($d =~ /^\s*(\d+)\s+\d+\s+\d+/);
- ($r, $l, $d) = rec_get($h);
- return unless (defined $r && $r eq "T");
-! ($t) = split(/\s+/, $d);
- } elsif ($r eq "S" || $r eq "F") {
- # For embryonic queue files in the "maildrop" directory the first
- # record is either a REC_TYPE_FULL (F) followed by REC_TYPE_FROM
/* themselves, and that depend on retry logic in their own client.
/* STANDARDS
/* RFC 822 (ARPA Internet Text Messages)
+/* RFC 2045 (Format of Internet Message Bodies)
/* RFC 2822 (ARPA Internet Text Messages)
/* RFC 3462 (Delivery Status Notifications)
/* RFC 3464 (Delivery Status Notifications)
-/* RFC 2045 (Format of Internet Message Bodies)
+/* RFC 3834 (Auto-Submitted: message header)
/* DIAGNOSTICS
/* Problems and transactions are logged to \fBsyslogd\fR(8).
/* CONFIGURATION PARAMETERS
/* .IP "\fBipc_timeout (3600s)\fR"
/* The time limit for sending or receiving information over an internal
/* communication channel.
+/* .IP "\fBinternal_mail_filter_classes (empty)\fR"
+/* What categories of Postfix-generated mail are subject to
+/* before-queue content inspection by non_smtpd_milters, header_checks
+/* and body_checks.
/* .IP "\fBmail_name (Postfix)\fR"
/* The mail system name that is displayed in Received: headers, in
/* the SMTP greeting banner, and in bounced mail.
postmaster = var_2bounce_rcpt;
if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(),
postmaster,
- CLEANUP_FLAG_MASK_INTERNAL,
+ INT_FILT_BOUNCE,
NULL_TRACE_FLAGS,
new_id)) != 0) {
*/
else {
if ((bounce = post_mail_fopen_nowait(NULL_SENDER, recipient,
- CLEANUP_FLAG_MASK_INTERNAL,
+ INT_FILT_BOUNCE,
NULL_TRACE_FLAGS,
new_id)) != 0) {
postmaster = var_bounce_rcpt;
if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(),
postmaster,
- CLEANUP_FLAG_MASK_INTERNAL,
+ INT_FILT_BOUNCE,
NULL_TRACE_FLAGS,
new_id)) != 0) {
count = -1;
STR(quote_822_local(bounce_info->buf, dest)),
postmaster_copy);
+ /*
+ * Auto-Submitted header, as per RFC 3834.
+ */
+ post_mail_fprintf(bounce, "Auto-Submitted: %s", postmaster_copy ?
+ "auto-generated" : "auto-replied");
+
/*
* MIME header. Use 8bit encoding when either the bounced message or the
* template requires it.
} else {
verp_sender(verp_buf, verp_delims, recipient, rcpt->address);
if ((bounce = post_mail_fopen_nowait(NULL_SENDER, STR(verp_buf),
- CLEANUP_FLAG_MASK_INTERNAL,
+ INT_FILT_BOUNCE,
NULL_TRACE_FLAGS,
new_id)) != 0) {
postmaster = var_bounce_rcpt;
if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(),
postmaster,
- CLEANUP_FLAG_MASK_INTERNAL,
+ INT_FILT_BOUNCE,
NULL_TRACE_FLAGS,
new_id)) != 0) {
if (bounce_header(bounce, bounce_info, postmaster,
} else {
if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(),
var_2bounce_rcpt,
- CLEANUP_FLAG_MASK_INTERNAL,
+ INT_FILT_BOUNCE,
NULL_TRACE_FLAGS,
new_id)) != 0) {
bounce_status = 0;
} else {
if ((bounce = post_mail_fopen_nowait(NULL_SENDER, orig_sender,
- CLEANUP_FLAG_MASK_INTERNAL,
+ INT_FILT_BOUNCE,
NULL_TRACE_FLAGS,
new_id)) != 0) {
*/
if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(),
var_bounce_rcpt,
- CLEANUP_FLAG_MASK_INTERNAL,
+ INT_FILT_BOUNCE,
NULL_TRACE_FLAGS,
new_id)) != 0) {
if (bounce_header(bounce, bounce_info, var_bounce_rcpt,
* a new queue file.
*/
if ((bounce = post_mail_fopen_nowait(NULL_SENDER, recipient,
- CLEANUP_FLAG_MASK_INTERNAL,
+ INT_FILT_BOUNCE,
NULL_TRACE_FLAGS,
new_id)) != 0) {
count = -1;
postmaster = var_delay_rcpt;
if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(),
postmaster,
- CLEANUP_FLAG_MASK_INTERNAL,
+ INT_FILT_BOUNCE,
NULL_TRACE_FLAGS,
new_id)) != 0) {
*/
else {
if ((bounce = post_mail_fopen_nowait(NULL_SENDER, recipient,
- CLEANUP_FLAG_MASK_INTERNAL,
+ INT_FILT_BOUNCE,
NULL_TRACE_FLAGS,
new_id)) != 0) {
postmaster = var_delay_rcpt;
if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(),
postmaster,
- CLEANUP_FLAG_MASK_INTERNAL,
+ INT_FILT_BOUNCE,
NULL_TRACE_FLAGS,
new_id)) != 0) {
count = -1;
int defer_delay; /* deferred delivery */
#endif
MILTERS *milters; /* mail filters */
+ const char *client_name; /* real or ersatz client */
+ const char *client_addr; /* real or ersatz client */
} CLEANUP_STATE;
/*
/* local call-back functions for macro expansion and for queue
/* file modification.
/*
-/* cleanup_milter_inspect() subjects a message to inspection
-/* by mail filters. Each filter can accept or reject the message
-/* and can request changes to the recipient list, to message
-/* headers, and to replace the message body.
+/* cleanup_milter_inspect() sends the current message headers
+/* and body to the mail filters that were received with
+/* cleanup_milter_receive(), or that are specified with the
+/* cleanup_milters configuration parameter.
/*
/* cleanup_milter_emul_mail() emulates connect, helo and mail
/* events for mail that does not arrive via the smtpd(8) server.
-/* This pretends that mail arrives from localhost/127.0.0.1
-/* via ESMTP. This code reports a server configuration error
-/* condition when the milter rejects the emulated commands.
+/* The emulation pretends that mail arrives from localhost/127.0.0.1
+/* via ESMTP. Milters can reject emulated connect, helo, mail
+/* or data events, but not emulated rcpt events as described
+/* next.
/*
-/* cleanup_milter_emul_rcpt() emulates an rcpt() event for
-/* non-SMTP mail. See cleanup_milter_emul_mail() for the
-/* handling of reject replies.
+/* cleanup_milter_emul_rcpt() emulates an rcpt event for mail
+/* that does not arrive via the smtpd(8) server. This reports
+/* a server configuration error condition when the milter
+/* rejects an emulated rcpt event.
/*
-/* cleanup_milter_emul_data() emulates a data event for non-SMTP
-/* mail. See cleanup_milter_emul_mail() for the handling of
-/* reject replies.
+/* cleanup_milter_emul_data() emulates a data event for mail
+/* that does not arrive via the smtpd(8) server. It's OK for
+/* milters to reject emulated data events.
/* SEE ALSO
/* milter(3) generic mail filter interface
-/* BUGS
-/* Postfix prepends its own Received: header when it receives
-/* mail from outside, or when it forwards mail internally.
-/* This header is seen by mail filters, and is present when
-/* mail filters edit the queue file.
/* DIAGNOSTICS
/* Fatal errors: memory allocation problem.
/* Panic: interface violation.
+/* Warnings: I/O errors (state->errs is updated accordingly).
/* LICENSE
/* .ad
/* .fi
#include <sys_defs.h>
#include <sys/socket.h> /* AF_INET */
#include <string.h>
+#include <errno.h>
#ifdef STRCASECMP_IN_STRINGS_H
#include <strings.h>
#define STR(x) vstring_str(x)
#define LEN(x) VSTRING_LEN(x)
+/* cleanup_milter_set_error - set error flag from errno */
+
+static void cleanup_milter_set_error(CLEANUP_STATE *state, int err)
+{
+ if (err == EFBIG)
+ state->errs |= CLEANUP_STAT_SIZE;
+ else
+ state->errs |= CLEANUP_STAT_WRITE;
+}
+
+/* cleanup_milter_error - return dummy error description */
+
+static const char *cleanup_milter_error(CLEANUP_STATE *state, int err)
+{
+ const char *myname = "cleanup_milter_error";
+
+ /*
+ * For consistency with error reporting within the milter infrastructure,
+ * content manipulation routines return a null pointer on success, and an
+ * SMTP-like response on error.
+ *
+ * However, when cleanup_milter_apply() receives this error response from
+ * the milter infrastructure, it ignores the text since the appropriate
+ * cleanup error flags were already set by cleanup_milter_set_error().
+ *
+ * Specify a null error number when the "errno to error flag" mapping was
+ * already done elsewhere, possibly outside this module.
+ */
+ if (err)
+ cleanup_milter_set_error(state, err);
+ else if (CLEANUP_OUT_OK(state))
+ msg_panic("%s: missing errno to error flag mapping", myname);
+ return ("451 4.3.0 Server internal error");
+}
+
/* cleanup_add_header - append message header */
-static void cleanup_add_header(void *context, char *name, char *value)
+static const char *cleanup_add_header(void *context, char *name, char *value)
{
const char *myname = "cleanup_add_header";
CLEANUP_STATE *state = (CLEANUP_STATE *) context;
* target of the old "header append" pointer record. This reverse pointer
* record becomes the new "header append" pointer record.
*/
- if ((new_hdr_offset = vstream_fseek(state->dst, (off_t) 0, SEEK_END)) < 0)
- msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+ if ((new_hdr_offset = vstream_fseek(state->dst, (off_t) 0, SEEK_END)) < 0) {
+ msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+ return (cleanup_milter_error(state, errno));
+ }
buf = vstring_alloc(100);
vstring_sprintf(buf, "%s: %s", name, value);
cleanup_out_header(state, buf);
vstring_free(buf);
- if ((reverse_ptr_offset = vstream_ftell(state->dst)) < 0)
- msg_fatal("%s: vstream_ftell file %s: %m", myname, cleanup_path);
+ if ((reverse_ptr_offset = vstream_ftell(state->dst)) < 0) {
+ msg_warn("%s: vstream_ftell file %s: %m", myname, cleanup_path);
+ return (cleanup_milter_error(state, errno));
+ }
cleanup_out_format(state, REC_TYPE_PTR, REC_TYPE_PTR_FORMAT,
(long) state->append_hdr_pt_target);
* Pointer flipping: update the old "header append" pointer record value
* with the location of the new header record.
*/
- if (vstream_fseek(state->dst, state->append_hdr_pt_offset, SEEK_SET) < 0)
- msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+ if (vstream_fseek(state->dst, state->append_hdr_pt_offset, SEEK_SET) < 0) {
+ msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+ return (cleanup_milter_error(state, errno));
+ }
cleanup_out_format(state, REC_TYPE_PTR, REC_TYPE_PTR_FORMAT,
(long) new_hdr_offset);
* written while Postfix received the message.
*/
state->append_hdr_pt_offset = reverse_ptr_offset;
+
+ /*
+ * In case of error while doing record output.
+ */
+ return (CLEANUP_OUT_OK(state) ? 0 : cleanup_milter_error(state, 0));
}
/* cleanup_find_header - find specific header instance */
static off_t cleanup_find_header(CLEANUP_STATE *state, ssize_t index,
const char *header_label, VSTRING *buf,
int *prec_type,
- int allow_ptr_backup)
+ int allow_ptr_backup,
+ int skip_headers)
{
const char *myname = "cleanup_find_header";
off_t curr_offset; /* offset after found record */
off_t ptr_offset; /* pointer to found record */
- VSTRING *ptr_buf;
+ VSTRING *ptr_buf = 0;
int rec_type;
int last_type;
ssize_t len;
+ int hdr_count = 0;
if (msg_verbose)
msg_info("%s: index %ld name \"%s\"",
* duplicate some of its logic here and in the routines that delete or
* modify header records. To minimize the duplication we define an ugly
* macro that is used in all code that scans for header boundaries.
+ *
+ * XXX Sendmail compatibility (based on Sendmail 8.13.6 measurements).
+ *
+ * - When changing Received: header #1, we change the Received: header that
+ * follows our own one; a request to change Received: header #0 is
+ * silently treated as a request to change Received: header #1.
+ *
+ * - When changing Date: header #1, we change the first Date: header; a
+ * request to change Date: header #0 is silently treated as a request to
+ * change Date: header #1.
+ *
+ * Thus, header change requests are relative to the content as received,
+ * that is, the content after our own Received: header. They can affect
+ * only the headers that the MTA actually exposes to mail filter
+ * applications.
+ *
+ * - However, when inserting a header at position 0, the new header appears
+ * before our own Received: header, and when inserting at position 1, the
+ * new header appears after our own Received: header.
+ *
+ * Thus, header insert operations are relative to the content as delivered,
+ * that is, the content including our own Received: header.
*/
-#define GET_NEXT_TEXT_OR_PTR_RECORD(rec_type, state, buf, curr_offset) \
- if ((rec_type = rec_get_raw(state->dst, buf, 0, REC_FLAG_NONE)) < 0) \
- msg_fatal("%s: read file %s: %m", myname, cleanup_path); \
+#define CLEANUP_FIND_HEADER_NOTFOUND (-1)
+#define CLEANUP_FIND_HEADER_IOERROR (-2)
+
+#define CLEANUP_FIND_HEADER_RETURN(offs) do { \
+ if (ptr_buf) \
+ vstring_free(ptr_buf); \
+ return (offs); \
+ } while (0)
+
+#define GET_NEXT_TEXT_OR_PTR_RECORD(rec_type, state, buf, curr_offset, quit) \
+ if ((rec_type = rec_get_raw(state->dst, buf, 0, REC_FLAG_NONE)) < 0) { \
+ msg_warn("%s: read file %s: %m", myname, cleanup_path); \
+ cleanup_milter_set_error(state, errno); \
+ do { quit; } while (0); \
+ } \
if (msg_verbose > 1) \
msg_info("%s: read: %ld: %.*s", myname, (long) curr_offset, \
- LEN(buf) > 30 ? 30 : LEN(buf), STR(buf)); \
+ LEN(buf) > 30 ? 30 : (int) LEN(buf), STR(buf)); \
if (rec_type == REC_TYPE_DTXT) \
continue; \
if (rec_type != REC_TYPE_NORM && rec_type != REC_TYPE_CONT \
&& rec_type != REC_TYPE_PTR) \
break;
- if (vstream_fseek(state->dst, state->data_offset, SEEK_SET) < 0)
- msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
- for (ptr_buf = 0, ptr_offset = 0, last_type = 0; /* void */ ; /* void */ ) {
- if ((curr_offset = vstream_ftell(state->dst)) < 0)
- msg_fatal("%s: vstream_ftell file %s: %m", myname, cleanup_path);
+ if (vstream_fseek(state->dst, state->data_offset, SEEK_SET) < 0) {
+ msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+ cleanup_milter_set_error(state, errno);
+ CLEANUP_FIND_HEADER_RETURN(CLEANUP_FIND_HEADER_IOERROR);
+ }
+ for (ptr_offset = 0, last_type = 0; /* void */ ; /* void */ ) {
+ if ((curr_offset = vstream_ftell(state->dst)) < 0) {
+ msg_warn("%s: vstream_ftell file %s: %m", myname, cleanup_path);
+ cleanup_milter_set_error(state, errno);
+ CLEANUP_FIND_HEADER_RETURN(CLEANUP_FIND_HEADER_IOERROR);
+ }
/* Caution: this macro terminates the loop at end-of-message. */
/* Don't do complex processing while breaking out of this loop. */
- GET_NEXT_TEXT_OR_PTR_RECORD(rec_type, state, buf, curr_offset);
+ GET_NEXT_TEXT_OR_PTR_RECORD(rec_type, state, buf, curr_offset,
+ CLEANUP_FIND_HEADER_RETURN(CLEANUP_FIND_HEADER_IOERROR));
/* Caution: don't assume ptr->header. This may be header-ptr->body. */
if (rec_type == REC_TYPE_PTR) {
- if (rec_goto(state->dst, STR(buf)) < 0)
- msg_fatal("%s: read file %s: %m",
- myname, cleanup_path);
+ if (rec_goto(state->dst, STR(buf)) < 0) {
+ msg_warn("%s: read file %s: %m", myname, cleanup_path);
+ cleanup_milter_set_error(state, errno);
+ CLEANUP_FIND_HEADER_RETURN(CLEANUP_FIND_HEADER_IOERROR);
+ }
/* Save PTR record, in case it points to the start of a header. */
if (allow_ptr_backup) {
ptr_offset = curr_offset;
break;
}
/* This the start of a message header. */
+ else if (hdr_count++ < skip_headers)
+ continue;
else if ((header_label == 0
|| (strncasecmp(header_label, STR(buf), len) == 0
&& (IS_SPACE_TAB(STR(buf)[len])
* In case of failure, return negative start position.
*/
if (index > 0) {
- curr_offset = -1;
+ curr_offset = CLEANUP_FIND_HEADER_NOTFOUND;
}
/*
}
*prec_type = rec_type;
}
- if (ptr_buf)
- vstring_free(ptr_buf);
if (msg_verbose)
msg_info("%s: index %ld name %s type %d offset %ld",
myname, (long) index, header_label ?
header_label : "(none)", rec_type, (long) curr_offset);
- return (curr_offset);
+ CLEANUP_FIND_HEADER_RETURN(curr_offset);
}
/* cleanup_patch_header - patch new header into an existing header */
-static void cleanup_patch_header(CLEANUP_STATE *state,
- const char *new_hdr_name,
- const char *new_hdr_value,
- off_t old_rec_offset,
- int rec_type,
- VSTRING *old_rec_buf,
- ssize_t avail_space,
- off_t read_offset)
+static const char *cleanup_patch_header(CLEANUP_STATE *state,
+ const char *new_hdr_name,
+ const char *new_hdr_value,
+ off_t old_rec_offset,
+ int rec_type,
+ VSTRING *old_rec_buf,
+ ssize_t avail_space,
+ off_t read_offset)
{
const char *myname = "cleanup_patch_header";
VSTRING *buf = vstring_alloc(100);
off_t saved_read_offset;
off_t write_offset;
+#define CLEANUP_PATCH_HEADER_RETURN(ret) do { \
+ vstring_free(buf); \
+ return (ret); \
+ } while (0)
+
if (msg_verbose)
msg_info("%s: \"%s\" \"%s\" at %ld",
myname, new_hdr_name, new_hdr_value, (long) old_rec_offset);
* Write the new header to a new location after the end of the queue
* file.
*/
- if ((new_hdr_offset = vstream_fseek(state->dst, (off_t) 0, SEEK_END)) < 0)
- msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+ if ((new_hdr_offset = vstream_fseek(state->dst, (off_t) 0, SEEK_END)) < 0) {
+ msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+ CLEANUP_PATCH_HEADER_RETURN(cleanup_milter_error(state, errno));
+ }
vstring_sprintf(buf, "%s: %s", new_hdr_name, new_hdr_value);
cleanup_out_header(state, buf);
if (msg_verbose > 1)
msg_info("%s: %ld: write %.*s", myname, (long) new_hdr_offset,
- LEN(buf) > 30 ? 30 : LEN(buf), STR(buf));
+ LEN(buf) > 30 ? 30 : (int) LEN(buf), STR(buf));
/*
* Optionally, save the existing text record or pointer record that will
CLEANUP_OUT_BUF(state, rec_type, old_rec_buf);
if (msg_verbose > 1)
msg_info("%s: write %.*s", myname, LEN(old_rec_buf) > 30 ?
- 30 : LEN(old_rec_buf), STR(old_rec_buf));
+ 30 : (int) LEN(old_rec_buf), STR(old_rec_buf));
}
/*
*/
while (rec_type != REC_TYPE_PTR && avail_space < REC_TYPE_PTR_SIZE) {
/* Read existing text or pointer record. */
- if (vstream_fseek(state->dst, read_offset, SEEK_SET) < 0)
- msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
- if ((rec_type = rec_get_raw(state->dst, buf, 0, REC_FLAG_NONE)) < 0)
- msg_fatal("%s: read file %s: %m", myname, cleanup_path);
+ if (vstream_fseek(state->dst, read_offset, SEEK_SET) < 0) {
+ msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+ CLEANUP_PATCH_HEADER_RETURN(cleanup_milter_error(state, errno));
+ }
+ if ((rec_type = rec_get_raw(state->dst, buf, 0, REC_FLAG_NONE)) < 0) {
+ msg_warn("%s: read file %s: %m", myname, cleanup_path);
+ CLEANUP_PATCH_HEADER_RETURN(cleanup_milter_error(state, errno));
+ }
if (msg_verbose > 1)
msg_info("%s: %ld: read %.*s", myname, (long) read_offset,
- LEN(buf) > 30 ? 30 : LEN(buf), STR(buf));
+ LEN(buf) > 30 ? 30 : (int) LEN(buf), STR(buf));
if (rec_type != REC_TYPE_NORM && rec_type != REC_TYPE_CONT
&& rec_type != REC_TYPE_PTR && rec_type != REC_TYPE_DTXT)
msg_panic("%s: non-text/ptr record type %d in header, file %s",
myname, rec_type, cleanup_path);
saved_read_offset = read_offset;
- if ((read_offset = vstream_ftell(state->dst)) < 0)
- msg_fatal("%s: vstream_ftell file %s: %m", myname, cleanup_path);
+ if ((read_offset = vstream_ftell(state->dst)) < 0) {
+ msg_warn("%s: vstream_ftell file %s: %m", myname, cleanup_path);
+ CLEANUP_PATCH_HEADER_RETURN(cleanup_milter_error(state, errno));
+ }
avail_space += (read_offset - saved_read_offset);
/* Save the text or pointer record. */
- if ((write_offset = vstream_fseek(state->dst, (off_t) 0, SEEK_END)) < 0)
- msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+ if ((write_offset = vstream_fseek(state->dst, (off_t) 0, SEEK_END)) < 0) {
+ msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+ CLEANUP_PATCH_HEADER_RETURN(cleanup_milter_error(state, errno));
+ }
CLEANUP_OUT_BUF(state, rec_type, buf);
if (msg_verbose > 1)
msg_info("%s: %ld: write %.*s", myname, (long) write_offset,
- LEN(buf) > 30 ? 30 : LEN(buf), STR(buf));
+ LEN(buf) > 30 ? 30 : (int) LEN(buf), STR(buf));
/* Update cached location of "append header" pointer record. */
if (saved_read_offset == state->append_hdr_pt_offset)
state->append_hdr_pt_offset = write_offset;
* the queue file before the next record. In other words, we must always
* follow pointer records otherwise we get out of sync with the data.
*/
- if (vstream_fseek(state->dst, old_rec_offset, SEEK_SET) < 0)
- msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+ if (vstream_fseek(state->dst, old_rec_offset, SEEK_SET) < 0) {
+ msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+ CLEANUP_PATCH_HEADER_RETURN(cleanup_milter_error(state, errno));
+ }
cleanup_out_format(state, REC_TYPE_PTR, REC_TYPE_PTR_FORMAT,
(long) new_hdr_offset);
if (msg_verbose > 1)
msg_info("%s: %ld: write PTR %ld", myname, (long) old_rec_offset,
(long) new_hdr_offset);
+ /*
+ * In case of error while doing record output.
+ */
+ CLEANUP_PATCH_HEADER_RETURN(CLEANUP_OUT_OK(state) ? 0 :
+ cleanup_milter_error(state, 0));
+
/*
* Note: state->append_hdr_pt_target never changes.
*/
- vstring_free(buf);
}
/* cleanup_ins_header - insert message header */
-static void cleanup_ins_header(void *context, ssize_t index,
- char *new_hdr_name,
- char *new_hdr_value)
+static const char *cleanup_ins_header(void *context, ssize_t index,
+ char *new_hdr_name,
+ char *new_hdr_value)
{
const char *myname = "cleanup_ins_header";
CLEANUP_STATE *state = (CLEANUP_STATE *) context;
int old_rec_type;
off_t read_offset;
ssize_t avail_space;
+ const char *ret;
+
+#define CLEANUP_INS_HEADER_RETURN(ret) do { \
+ vstring_free(old_rec_buf); \
+ return (ret); \
+ } while (0)
if (msg_verbose)
msg_info("%s: %ld \"%s\" \"%s\"",
*/
#define NO_HEADER_NAME ((char *) 0)
#define ALLOW_PTR_BACKUP 1
+#define SKIP_ONE_HEADER 1
+#define DONT_SKIP_HEADERS 0
if (index < 1)
index = 1;
old_rec_offset = cleanup_find_header(state, index, NO_HEADER_NAME,
old_rec_buf, &old_rec_type,
- ALLOW_PTR_BACKUP);
+ ALLOW_PTR_BACKUP,
+ DONT_SKIP_HEADERS);
+ if (old_rec_offset == CLEANUP_FIND_HEADER_IOERROR)
+ /* Warning and errno->error mapping are done elsewhere. */
+ CLEANUP_INS_HEADER_RETURN(cleanup_milter_error(state, 0));
if (old_rec_offset < 0) {
- cleanup_add_header(context, new_hdr_name, new_hdr_value);
+ CLEANUP_INS_HEADER_RETURN(cleanup_add_header(context, new_hdr_name,
+ new_hdr_value));
} else {
if (old_rec_type == REC_TYPE_PTR) {
read_offset = -1;
avail_space = -1;
} else {
- if ((read_offset = vstream_ftell(state->dst)) < 0)
- msg_fatal("%s: read file %s: %m", myname, cleanup_path);
+ if ((read_offset = vstream_ftell(state->dst)) < 0) {
+ msg_warn("%s: read file %s: %m", myname, cleanup_path);
+ CLEANUP_INS_HEADER_RETURN(cleanup_milter_error(state, errno));
+ }
avail_space = LEN(old_rec_buf);
}
- cleanup_patch_header(state, new_hdr_name, new_hdr_value,
- old_rec_offset, old_rec_type, old_rec_buf,
- avail_space, read_offset);
+ ret = cleanup_patch_header(state, new_hdr_name, new_hdr_value,
+ old_rec_offset, old_rec_type, old_rec_buf,
+ avail_space, read_offset);
+ CLEANUP_INS_HEADER_RETURN(ret);
}
- vstring_free(old_rec_buf);
}
/* cleanup_upd_header - modify or append message header */
-static void cleanup_upd_header(void *context, ssize_t index,
- char *new_hdr_name,
- char *new_hdr_value)
+static const char *cleanup_upd_header(void *context, ssize_t index,
+ char *new_hdr_name,
+ char *new_hdr_value)
{
const char *myname = "cleanup_upd_header";
CLEANUP_STATE *state = (CLEANUP_STATE *) context;
int rec_type;
int last_type;
int jumped;
+ const char *ret;
if (msg_verbose)
msg_info("%s: %ld \"%s\" \"%s\"",
#define DONT_SAVE_RECORD 0
#define NO_PTR_BACKUP 0
+#define CLEANUP_UPD_HEADER_RETURN(ret) do { \
+ vstring_free(rec_buf); \
+ return (ret); \
+ } while (0)
+
rec_buf = vstring_alloc(100);
old_rec_offset = cleanup_find_header(state, index, new_hdr_name,
rec_buf, &last_type,
- NO_PTR_BACKUP);
+ NO_PTR_BACKUP,
+ SKIP_ONE_HEADER);
+ if (old_rec_offset == CLEANUP_FIND_HEADER_IOERROR)
+ /* Warning and errno->error mapping are done elsewhere. */
+ CLEANUP_UPD_HEADER_RETURN(cleanup_milter_error(state, 0));
if (old_rec_offset < 0) {
- cleanup_add_header(context, new_hdr_name, new_hdr_value);
+ CLEANUP_UPD_HEADER_RETURN(cleanup_add_header(context, new_hdr_name,
+ new_hdr_value));
} else {
/* Find the end of this header. */
avail_space = LEN(rec_buf);
- if ((read_offset = vstream_ftell(state->dst)) < 0)
- msg_fatal("%s: read file %s: %m", myname, cleanup_path);
- for (jumped = 0; /* void */ ; /* void */ ) {
+ if ((read_offset = vstream_ftell(state->dst)) < 0) {
+ msg_warn("%s: read file %s: %m", myname, cleanup_path);
+ CLEANUP_UPD_HEADER_RETURN(cleanup_milter_error(state, errno));
+ }
+ for (jumped = 0, ret = 0; ret == 0; /* void */ ) {
+ if (CLEANUP_OUT_OK(state) == 0)
+ /* Warning and errno->error mapping are done elsewhere. */
+ CLEANUP_UPD_HEADER_RETURN(cleanup_milter_error(state, 0));
saved_read_offset = read_offset;
/* Caution: this macro terminates the loop at end-of-message. */
/* Don't do complex processing while breaking out of this loop. */
- GET_NEXT_TEXT_OR_PTR_RECORD(rec_type, state, rec_buf, read_offset);
- if ((read_offset = vstream_ftell(state->dst)) < 0)
- msg_fatal("%s: read file %s: %m", myname, cleanup_path);
+ GET_NEXT_TEXT_OR_PTR_RECORD(rec_type, state, rec_buf, read_offset,
+ /* Warning and errno->error mapping are done elsewhere. */
+ CLEANUP_UPD_HEADER_RETURN(cleanup_milter_error(state, 0)));
+ if ((read_offset = vstream_ftell(state->dst)) < 0) {
+ msg_warn("%s: read file %s: %m", myname, cleanup_path);
+ CLEANUP_UPD_HEADER_RETURN(cleanup_milter_error(state, errno));
+ }
if (rec_type == REC_TYPE_PTR) {
if (jumped == 0) {
/* Enough contiguous space for writing a PTR record. */
avail_space += read_offset - saved_read_offset;
jumped = 1;
}
- if (rec_goto(state->dst, STR(rec_buf)) < 0)
- msg_fatal("%s: read file %s: %m", myname, cleanup_path);
+ if (rec_goto(state->dst, STR(rec_buf)) < 0) {
+ msg_warn("%s: read file %s: %m", myname, cleanup_path);
+ CLEANUP_UPD_HEADER_RETURN(cleanup_milter_error(state,
+ errno));
+ }
/* Don't update last_type; PTR may follow REC_TYPE_CONT. */
continue;
}
avail_space += read_offset - saved_read_offset;
last_type = rec_type;
}
- cleanup_patch_header(state, new_hdr_name, new_hdr_value,
- old_rec_offset, DONT_SAVE_RECORD, (VSTRING *) 0,
- avail_space, saved_read_offset);
+ ret = cleanup_patch_header(state, new_hdr_name, new_hdr_value,
+ old_rec_offset, DONT_SAVE_RECORD, (VSTRING *) 0,
+ avail_space, saved_read_offset);
+ CLEANUP_UPD_HEADER_RETURN(ret);
}
- vstring_free(rec_buf);
}
/* cleanup_del_header - delete message header */
-static void cleanup_del_header(void *context, ssize_t index, char *hdr_name)
+static const char *cleanup_del_header(void *context, ssize_t index,
+ char *hdr_name)
{
const char *myname = "cleanup_del_header";
CLEANUP_STATE *state = (CLEANUP_STATE *) context;
*/
rec_buf = vstring_alloc(100);
header_offset = cleanup_find_header(state, index, hdr_name, rec_buf,
- &last_type, NO_PTR_BACKUP);
+ &last_type, NO_PTR_BACKUP,
+ SKIP_ONE_HEADER);
+ if (header_offset == CLEANUP_FIND_HEADER_IOERROR) {
+ vstring_free(rec_buf);
+ /* Warning and errno->error mapping are done elsewhere. */
+ return (cleanup_milter_error(state, 0));
+ }
/* Memory usage for header offsets is limited by header_size_limit. */
if (header_offset > 0) {
ssize_t off_len = 1;
off_t *off_list = (off_t *) mymalloc(off_len * sizeof(*off_list));
int n;
+#define CLEANUP_DEL_HEADER_RETURN(ret) do { \
+ vstring_free(rec_buf); \
+ myfree((char *) off_list); \
+ return (ret); \
+ } while (0)
+
off_list[0] = header_offset;
for (;;) {
curr_offset = vstream_ftell(state->dst);
/* Caution: this macro terminates the loop at end-of-message. */
/* Don't do complex processing while breaking out of this loop. */
- GET_NEXT_TEXT_OR_PTR_RECORD(rec_type, state, rec_buf, curr_offset);
+ GET_NEXT_TEXT_OR_PTR_RECORD(rec_type, state, rec_buf, curr_offset,
+ /* Warning and errno->error mapping are done elsewhere. */
+ CLEANUP_DEL_HEADER_RETURN(cleanup_milter_error(state, 0)));
if (rec_type == REC_TYPE_PTR) {
- if (rec_goto(state->dst, STR(rec_buf)) < 0)
- msg_fatal("%s: read file %s: %m", myname, cleanup_path);
+ if (rec_goto(state->dst, STR(rec_buf)) < 0) {
+ msg_warn("%s: read file %s: %m", myname, cleanup_path);
+ CLEANUP_DEL_HEADER_RETURN(cleanup_milter_error(state,
+ errno));
+ }
/* Don't update last_type; PTR may follow REC_TYPE_CONT. */
continue;
}
last_type = rec_type;
}
/* Mark the header text records as deleted. */
- for (n = 0; n < off_used; n++)
- if (rec_put_type(state->dst, REC_TYPE_DTXT, off_list[n]) < 0)
- msg_fatal("%s: write file %s: %m", myname, cleanup_path);
+ for (n = 0; n < off_used; n++) {
+ if (rec_put_type(state->dst, REC_TYPE_DTXT, off_list[n]) < 0) {
+ msg_warn("%s: write file %s: %m", myname, cleanup_path);
+ CLEANUP_DEL_HEADER_RETURN(cleanup_milter_error(state, errno));
+ }
+ }
myfree((char *) off_list);
}
vstring_free(rec_buf);
+
+ /*
+ * In case of error while doing record output.
+ */
+ return (CLEANUP_OUT_OK(state) ? 0 : cleanup_milter_error(state, 0));
}
/* cleanup_add_rcpt - append recipient address */
-static void cleanup_add_rcpt(void *context, char *rcpt)
+static const char *cleanup_add_rcpt(void *context, char *rcpt)
{
const char *myname = "cleanup_add_rcpt";
CLEANUP_STATE *state = (CLEANUP_STATE *) context;
*/
#define NO_DSN_ORCPT ((char *) 0)
- if ((new_rcpt_offset = vstream_fseek(state->dst, (off_t) 0, SEEK_END)) < 0)
- msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+ if ((new_rcpt_offset = vstream_fseek(state->dst, (off_t) 0, SEEK_END)) < 0) {
+ msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+ return (cleanup_milter_error(state, errno));
+ }
cleanup_addr_bcc(state, rcpt);
- if ((reverse_ptr_offset = vstream_ftell(state->dst)) < 0)
- msg_fatal("%s: vstream_ftell file %s: %m", myname, cleanup_path);
+ if ((reverse_ptr_offset = vstream_ftell(state->dst)) < 0) {
+ msg_warn("%s: vstream_ftell file %s: %m", myname, cleanup_path);
+ return (cleanup_milter_error(state, errno));
+ }
cleanup_out_format(state, REC_TYPE_PTR, REC_TYPE_PTR_FORMAT,
(long) state->append_rcpt_pt_target);
* Pointer flipping: update the old "recipient append" pointer record
* value to the location of the new recipient record.
*/
- if (vstream_fseek(state->dst, state->append_rcpt_pt_offset, SEEK_SET) < 0)
- msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+ if (vstream_fseek(state->dst, state->append_rcpt_pt_offset, SEEK_SET) < 0) {
+ msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+ return (cleanup_milter_error(state, errno));
+ }
cleanup_out_format(state, REC_TYPE_PTR, REC_TYPE_PTR_FORMAT,
(long) new_rcpt_offset);
* record that was written while Postfix received the message.
*/
state->append_rcpt_pt_offset = reverse_ptr_offset;
+
+ /*
+ * In case of error while doing record output.
+ */
+ return (CLEANUP_OUT_OK(state) ? 0 : cleanup_milter_error(state, 0));
}
/* cleanup_del_rcpt - remove recipient and all its expansions */
-static void cleanup_del_rcpt(void *context, char *rcpt)
+static const char *cleanup_del_rcpt(void *context, char *rcpt)
{
const char *myname = "cleanup_del_rcpt";
CLEANUP_STATE *state = (CLEANUP_STATE *) context;
* but to match against the expanded and rewritten recipient address.
*
* XXX Remove the (dsn_orcpt, dsn_notify, orcpt, recip) tuple from the
- * duplicate recipient filter.
+ * duplicate recipient filter. This requires that we maintain reference
+ * counts.
*/
- if (vstream_fseek(state->dst, 0L, SEEK_SET) < 0)
- msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+ if (vstream_fseek(state->dst, 0L, SEEK_SET) < 0) {
+ msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+ return (cleanup_milter_error(state, errno));
+ }
+#define CLEANUP_DEL_RCPT_RETURN(ret) do { \
+ if (orig_rcpt != 0) \
+ myfree(orig_rcpt); \
+ if (dsn_orcpt != 0) \
+ myfree(dsn_orcpt); \
+ vstring_free(buf); \
+ return (ret); \
+ } while (0)
+
buf = vstring_alloc(100);
- while (CLEANUP_OUT_OK(state)) {
- if ((curr_offset = vstream_ftell(state->dst)) < 0)
- msg_fatal("%s: vstream_ftell file %s: %m", myname, cleanup_path);
- if ((rec_type = rec_get_raw(state->dst, buf, 0, REC_FLAG_NONE)) <= 0)
- msg_fatal("%s: read file %s: %m", myname, cleanup_path);
+ for (;;) {
+ if (CLEANUP_OUT_OK(state) == 0)
+ /* Warning and errno->error mapping are done elsewhere. */
+ CLEANUP_DEL_RCPT_RETURN(cleanup_milter_error(state, 0));
+ if ((curr_offset = vstream_ftell(state->dst)) < 0) {
+ msg_warn("%s: vstream_ftell file %s: %m", myname, cleanup_path);
+ CLEANUP_DEL_RCPT_RETURN(cleanup_milter_error(state, errno));
+ }
+ if ((rec_type = rec_get_raw(state->dst, buf, 0, REC_FLAG_NONE)) <= 0) {
+ msg_warn("%s: read file %s: %m", myname, cleanup_path);
+ CLEANUP_DEL_RCPT_RETURN(cleanup_milter_error(state, errno));
+ }
if (rec_type == REC_TYPE_END)
break;
/* Skip over message content. */
if (rec_type == REC_TYPE_MESG) {
- if (vstream_fseek(state->dst, state->xtra_offset, SEEK_SET) < 0)
- msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+ if (vstream_fseek(state->dst, state->xtra_offset, SEEK_SET) < 0) {
+ msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+ CLEANUP_DEL_RCPT_RETURN(cleanup_milter_error(state, errno));
+ }
continue;
}
start = STR(buf);
if (rec_type == REC_TYPE_PTR) {
- if (rec_goto(state->dst, start) < 0)
- msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+ if (rec_goto(state->dst, start) < 0) {
+ msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+ CLEANUP_DEL_RCPT_RETURN(cleanup_milter_error(state, errno));
+ }
continue;
}
/* Map attribute names to pseudo record type. */
break;
case REC_TYPE_RCPT: /* rewritten RCPT TO address */
if (strcmp(orig_rcpt ? orig_rcpt : start, rcpt) == 0) {
- if (vstream_fseek(state->dst, curr_offset, SEEK_SET) < 0)
- msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+ if (vstream_fseek(state->dst, curr_offset, SEEK_SET) < 0) {
+ msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+ CLEANUP_DEL_RCPT_RETURN(cleanup_milter_error(state, errno));
+ }
if (REC_PUT_BUF(state->dst, REC_TYPE_DRCP, buf) < 0) {
msg_warn("%s: write queue file: %m", state->queue_id);
- state->errs |= CLEANUP_STAT_WRITE;
+ CLEANUP_DEL_RCPT_RETURN(cleanup_milter_error(state, errno));
}
count++;
}
break;
}
}
- if (orig_rcpt != 0) /* can't happen */
- myfree(orig_rcpt);
- if (dsn_orcpt != 0) /* can't happen */
- myfree(dsn_orcpt);
- vstring_free(buf);
if (msg_verbose)
msg_info("%s: deleted %d records for recipient \"%s\"",
myname, count, rcpt);
+
+ CLEANUP_DEL_RCPT_RETURN(0);
}
/* cleanup_repl_body - replace message body */
-static void cleanup_repl_body(void *context, VSTRING *body)
+static const char *cleanup_repl_body(void *context, VSTRING *body)
{
const char *myname = "cleanup_repl_body";
+ /*
+ * XXX Sendmail compatibility: milters don't see the first body line, so
+ * don't expect they will send one.
+ */
msg_panic("%s: message body replace operation is not implemented", myname);
}
{
CLEANUP_STATE *state = (CLEANUP_STATE *) ptr;
+ /*
+ * Note: if we use XFORWARD attributes here, then consistency requires
+ * that we forward all Sendmail macros via XFORWARD.
+ */
+
/*
* Canonicalize the name.
*/
/* cleanup_milter_apply - apply Milter reponse, non-zero if rejecting */
-static const char *cleanup_milter_apply(CLEANUP_STATE *state, const char *resp)
+static const char *cleanup_milter_apply(CLEANUP_STATE *state, const char *event,
+ const char *resp)
{
const char *myname = "cleanup_milter_apply";
const char *action;
if (msg_verbose)
msg_info("%s: %s", myname, resp);
+
+ /*
+ * We don't report errors that were already reported by the content
+ * editing call-back routines. See cleanup_milter_error() above.
+ */
+ if (CLEANUP_OUT_OK(state) == 0)
+ return (0);
switch (resp[0]) {
case 'H':
/* XXX Should log the reason here. */
default:
msg_panic("%s: unexpected mail filter reply: %s", myname, resp);
}
- vstring_sprintf(state->temp1, "%s: %s;", state->queue_id, action);
+ vstring_sprintf(state->temp1, "%s: %s: %s from %s[%s]: %s;",
+ state->queue_id, action, event, state->client_name,
+ state->client_addr, text);
if (state->sender)
vstring_sprintf_append(state->temp1, " from=<%s>", state->sender);
if (state->recip)
vstring_sprintf_append(state->temp1, " proto=%s", attr);
if ((attr = nvtable_find(state->attr, MAIL_ATTR_LOG_HELO_NAME)) != 0)
vstring_sprintf_append(state->temp1, " helo=<%s>", attr);
- vstring_sprintf_append(state->temp1, ": %s", text);
msg_info("%s", vstring_str(state->temp1));
return (ret);
*/
if ((resp = milter_message(milters, state->handle->stream,
state->data_offset)) != 0)
- cleanup_milter_apply(state, resp);
+ cleanup_milter_apply(state, "END-OF-MESSAGE", resp);
if (msg_verbose)
msg_info("leave %s", myname);
}
const char *addr)
{
const char *resp;
- const char *client_name;
- const char *client_addr;
const char *proto_attr;
const char *client_port;
int client_af;
*/
#define NO_CLIENT_PORT "0"
- client_name = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_NAME);
- client_addr = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_ADDR);
+ state->client_name = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_NAME);
+ state->client_addr = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_ADDR);
+
client_port = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_PORT);
proto_attr = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_AF);
- if (client_name == 0 || client_addr == 0 || proto_attr == 0
+ if (state->client_name == 0 || state->client_addr == 0 || proto_attr == 0
|| !alldig(proto_attr)) {
- client_name = "localhost";
- client_addr = "127.0.0.1";
+ state->client_name = "localhost";
+ state->client_addr = "127.0.0.1";
client_af = AF_INET;
} else
client_af = atoi(proto_attr);
/*
* Emulate SMTP events.
*/
- if ((resp = milter_conn_event(milters, client_name, client_addr,
+ if ((resp = milter_conn_event(milters, state->client_name, state->client_addr,
client_port, client_af)) != 0) {
- cleanup_milter_apply(state, resp);
+ cleanup_milter_apply(state, "CONNECT", resp);
return;
}
#define PRETEND_ESMTP 1
if (CLEANUP_MILTER_OK(state)) {
if ((helo = nvtable_find(state->attr, MAIL_ATTR_ACT_HELO_NAME)) == 0)
- helo = client_name;
+ helo = state->client_name;
if ((resp = milter_helo_event(milters, helo, PRETEND_ESMTP)) != 0) {
- cleanup_milter_apply(state, resp);
+ cleanup_milter_apply(state, "EHLO", resp);
return;
}
}
argv[0] = addr;
argv[1] = 0;
if ((resp = milter_mail_event(milters, argv)) != 0) {
- cleanup_milter_apply(state, resp);
+ cleanup_milter_apply(state, "MAIL", resp);
return;
}
}
argv[0] = addr;
argv[1] = 0;
if ((resp = milter_rcpt_event(milters, argv)) != 0
- && cleanup_milter_apply(state, resp) != 0) {
+ && cleanup_milter_apply(state, "RCPT", resp) != 0) {
msg_warn("%s: milter configuration error: can't reject recipient "
"in non-smtpd(8) submission", state->queue_id);
msg_warn("%s: deferring delivery of this message", state->queue_id);
const char *resp;
if ((resp = milter_data_event(milters)) != 0)
- cleanup_milter_apply(state, resp);
+ cleanup_milter_apply(state, "DATA", resp);
}
#ifdef TEST
/*
- * Queue file editing driver for regression tests.
+ * Queue file editing driver for regression tests. In this case it is OK to
+ * report fatal errors after I/O errors.
*/
#include <stdio.h>
#include <msg_vstream.h>
state->dsn_orcpt = 0;
state->verp_delims = 0;
state->milters = 0;
+ state->client_name = 0;
+ state->client_addr = 0;
return (state);
}
SHELL = /bin/sh
SRCS = abounce.c anvil_clnt.c been_here.c bounce.c bounce_log.c \
canon_addr.c cfg_parser.c cleanup_strerror.c cleanup_strflags.c \
- clnt_stream.c debug_peer.c debug_process.c defer.c db_common.c \
- deliver_completed.c deliver_flock.c deliver_pass.c deliver_request.c \
- dict_ldap.c dict_mysql.c dict_pgsql.c dict_proxy.c domain_list.c \
- dot_lockfile.c dot_lockfile_as.c ext_prop.c file_id.c flush_clnt.c \
- header_opts.c header_token.c input_transp.c \
- is_header.c log_adhoc.c mail_addr.c mail_addr_crunch.c \
- mail_addr_find.c mail_addr_map.c mail_command_client.c \
- mail_command_server.c mail_conf.c mail_conf_bool.c mail_conf_int.c \
- mail_conf_raw.c mail_conf_str.c mail_conf_time.c mail_connect.c \
- mail_copy.c mail_date.c mail_dict.c mail_error.c mail_flush.c \
- mail_open_ok.c mail_params.c mail_pathname.c mail_queue.c \
- mail_run.c mail_scan_dir.c mail_stream.c mail_task.c mail_trigger.c \
- maps.c mark_corrupt.c match_parent_style.c mbox_conf.c \
- mbox_open.c mime_state.c mkmap_db.c mkmap_dbm.c mkmap_open.c \
- mynetworks.c mypwd.c namadr_list.c off_cvt.c opened.c \
- own_inet_addr.c pipe_command.c post_mail.c quote_821_local.c \
- quote_822_local.c rec_streamlf.c rec_type.c recipient_list.c \
- record.c remove.c resolve_clnt.c resolve_local.c rewrite_clnt.c \
+ clnt_stream.c conv_time.c db_common.c debug_peer.c debug_process.c \
+ defer.c deliver_completed.c deliver_flock.c deliver_pass.c \
+ deliver_request.c dict_ldap.c dict_mysql.c dict_pgsql.c \
+ dict_proxy.c domain_list.c dot_lockfile.c dot_lockfile_as.c \
+ dsb_scan.c dsn.c dsn_buf.c dsn_mask.c dsn_print.c dsn_util.c \
+ ehlo_mask.c ext_prop.c file_id.c flush_clnt.c header_opts.c \
+ header_token.c input_transp.c int_filt.c is_header.c log_adhoc.c \
+ mail_addr.c mail_addr_crunch.c mail_addr_find.c mail_addr_map.c \
+ mail_command_client.c mail_command_server.c mail_conf.c \
+ mail_conf_bool.c mail_conf_int.c mail_conf_long.c mail_conf_raw.c \
+ mail_conf_str.c mail_conf_time.c mail_connect.c mail_copy.c \
+ mail_date.c mail_dict.c mail_error.c mail_flush.c mail_open_ok.c \
+ mail_params.c mail_pathname.c mail_queue.c mail_run.c \
+ mail_scan_dir.c mail_stream.c mail_task.c mail_trigger.c maps.c \
+ mark_corrupt.c match_parent_style.c mbox_conf.c mbox_open.c \
+ mime_state.c mkmap_cdb.c mkmap_db.c mkmap_dbm.c mkmap_open.c \
+ mkmap_sdbm.c msg_stats_print.c msg_stats_scan.c mynetworks.c \
+ mypwd.c namadr_list.c off_cvt.c opened.c own_inet_addr.c \
+ pipe_command.c post_mail.c quote_821_local.c quote_822_local.c \
+ rcpt_buf.c rcpt_print.c rec_attr_map.c rec_streamlf.c rec_type.c \
+ recipient_list.c record.c remove.c resolve_clnt.c resolve_local.c \
+ rewrite_clnt.c scache_clnt.c scache_multi.c scache_single.c \
sent.c smtp_stream.c split_addr.c string_list.c strip_addr.c \
sys_exits.c timed_ipc.c tok822_find.c tok822_node.c tok822_parse.c \
- tok822_resolve.c tok822_rewrite.c tok822_tree.c trace.c verify.c \
- verify_clnt.c verp_sender.c xtext.c scache_single.c \
- scache_clnt.c scache_multi.c user_acl.c mkmap_cdb.c mkmap_sdbm.c \
- ehlo_mask.c \
- wildcard_inet_addr.c valid_mailhost_addr.c dsn_util.c dsn_mask.c \
- rec_attr_map.c dsn.c dsn_buf.c rcpt_buf.c rcpt_print.c dsn_print.c \
- dsb_scan.c mail_conf_long.c msg_stats_print.c msg_stats_scan.c \
- conv_time.c
+ tok822_resolve.c tok822_rewrite.c tok822_tree.c trace.c \
+ user_acl.c valid_mailhost_addr.c verify.c verify_clnt.c \
+ verp_sender.c wildcard_inet_addr.c xtext.c
OBJS = abounce.o anvil_clnt.o been_here.o bounce.o bounce_log.o \
canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \
- clnt_stream.o debug_peer.o debug_process.o defer.o db_common.o \
- deliver_completed.o deliver_flock.o deliver_pass.o deliver_request.o \
- dict_ldap.o dict_mysql.o dict_pgsql.o dict_proxy.o domain_list.o \
- dot_lockfile.o dot_lockfile_as.o ext_prop.o file_id.o flush_clnt.o \
- header_opts.o header_token.o input_transp.o \
- is_header.o log_adhoc.o mail_addr.o mail_addr_crunch.o \
- mail_addr_find.o mail_addr_map.o mail_command_client.o \
- mail_command_server.o mail_conf.o mail_conf_bool.o mail_conf_int.o \
- mail_conf_raw.o mail_conf_str.o mail_conf_time.o mail_connect.o \
- mail_copy.o mail_date.o mail_dict.o mail_error.o mail_flush.o \
- mail_open_ok.o mail_params.o mail_pathname.o mail_queue.o \
- mail_run.o mail_scan_dir.o mail_stream.o mail_task.o mail_trigger.o \
- maps.o mark_corrupt.o match_parent_style.o mbox_conf.o \
- mbox_open.o mime_state.o mkmap_db.o mkmap_dbm.o mkmap_open.o \
- mynetworks.o mypwd.o namadr_list.o off_cvt.o opened.o \
- own_inet_addr.o pipe_command.o post_mail.o quote_821_local.o \
- quote_822_local.o rec_streamlf.o rec_type.o recipient_list.o \
- record.o remove.o resolve_clnt.o resolve_local.o rewrite_clnt.o \
+ clnt_stream.o conv_time.o db_common.o debug_peer.o debug_process.o \
+ defer.o deliver_completed.o deliver_flock.o deliver_pass.o \
+ deliver_request.o dict_ldap.o dict_mysql.o dict_pgsql.o \
+ dict_proxy.o domain_list.o dot_lockfile.o dot_lockfile_as.o \
+ dsb_scan.o dsn.o dsn_buf.o dsn_mask.o dsn_print.o dsn_util.o \
+ ehlo_mask.o ext_prop.o file_id.o flush_clnt.o header_opts.o \
+ header_token.o input_transp.o int_filt.o is_header.o log_adhoc.o \
+ mail_addr.o mail_addr_crunch.o mail_addr_find.o mail_addr_map.o \
+ mail_command_client.o mail_command_server.o mail_conf.o \
+ mail_conf_bool.o mail_conf_int.o mail_conf_long.o mail_conf_raw.o \
+ mail_conf_str.o mail_conf_time.o mail_connect.o mail_copy.o \
+ mail_date.o mail_dict.o mail_error.o mail_flush.o mail_open_ok.o \
+ mail_params.o mail_pathname.o mail_queue.o mail_run.o \
+ mail_scan_dir.o mail_stream.o mail_task.o mail_trigger.o maps.o \
+ mark_corrupt.o match_parent_style.o mbox_conf.o mbox_open.o \
+ mime_state.o mkmap_cdb.o mkmap_db.o mkmap_dbm.o mkmap_open.o \
+ mkmap_sdbm.o msg_stats_print.o msg_stats_scan.o mynetworks.o \
+ mypwd.o namadr_list.o off_cvt.o opened.o own_inet_addr.o \
+ pipe_command.o post_mail.o quote_821_local.o quote_822_local.o \
+ rcpt_buf.o rcpt_print.o rec_attr_map.o rec_streamlf.o rec_type.o \
+ recipient_list.o record.o remove.o resolve_clnt.o resolve_local.o \
+ rewrite_clnt.o scache_clnt.o scache_multi.o scache_single.o \
sent.o smtp_stream.o split_addr.o string_list.o strip_addr.o \
sys_exits.o timed_ipc.o tok822_find.o tok822_node.o tok822_parse.o \
- tok822_resolve.o tok822_rewrite.o tok822_tree.o trace.o verify.o \
- verify_clnt.o verp_sender.o xtext.o scache_single.o \
- scache_clnt.o scache_multi.o user_acl.o mkmap_cdb.o mkmap_sdbm.o \
- ehlo_mask.o \
- wildcard_inet_addr.o valid_mailhost_addr.o dsn_util.o dsn_mask.o \
- rec_attr_map.o dsn.o dsn_buf.o rcpt_buf.o rcpt_print.o dsn_print.o \
- dsb_scan.o mail_conf_long.o msg_stats_print.o msg_stats_scan.o \
- conv_time.o
+ tok822_resolve.o tok822_rewrite.o tok822_tree.o trace.o \
+ user_acl.o valid_mailhost_addr.o verify.o verify_clnt.o \
+ verp_sender.o wildcard_inet_addr.o xtext.o
HDRS = abounce.h anvil_clnt.h been_here.h bounce.h bounce_log.h \
canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \
- debug_peer.h debug_process.h defer.h deliver_completed.h \
- deliver_flock.h deliver_pass.h deliver_request.h dict_ldap.h \
- dict_mysql.h dict_pgsql.h dict_proxy.h domain_list.h dot_lockfile.h \
- dot_lockfile_as.h ext_prop.h file_id.h flush_clnt.h header_opts.h \
- header_token.h input_transp.h is_header.h \
- lex_822.h log_adhoc.h mail_addr.h mail_addr_crunch.h \
- mail_addr_find.h mail_addr_map.h mail_conf.h mail_copy.h \
- mail_date.h mail_dict.h mail_error.h mail_flush.h mail_open_ok.h \
- mail_params.h mail_proto.h mail_queue.h mail_run.h mail_scan_dir.h \
- mail_stream.h mail_task.h mail_version.h maps.h mark_corrupt.h \
- match_parent_style.h mbox_conf.h mbox_open.h mime_state.h \
- mkmap.h mynetworks.h mypwd.h namadr_list.h off_cvt.h opened.h \
- own_inet_addr.h pipe_command.h post_mail.h qmgr_user.h \
- qmqp_proto.h quote_821_local.h quote_822_local.h quote_flags.h \
- rec_streamlf.h rec_type.h recipient_list.h record.h resolve_clnt.h \
- resolve_local.h rewrite_clnt.h sent.h smtp_stream.h split_addr.h \
+ conv_time.h db_common.h debug_peer.h debug_process.h defer.h \
+ deliver_completed.h deliver_flock.h deliver_pass.h deliver_request.h \
+ dict_ldap.h dict_mysql.h dict_pgsql.h dict_proxy.h domain_list.h \
+ dot_lockfile.h dot_lockfile_as.h dsb_scan.h dsn.h dsn_buf.h \
+ dsn_mask.h dsn_print.h dsn_util.h ehlo_mask.h ext_prop.h \
+ file_id.h flush_clnt.h header_opts.h header_token.h input_transp.h \
+ int_filt.h is_header.h lex_822.h log_adhoc.h mail_addr.h \
+ mail_addr_crunch.h mail_addr_find.h mail_addr_map.h mail_conf.h \
+ mail_copy.h mail_date.h mail_dict.h mail_error.h mail_flush.h \
+ mail_open_ok.h mail_params.h mail_proto.h mail_queue.h mail_run.h \
+ mail_scan_dir.h mail_stream.h mail_task.h mail_version.h maps.h \
+ mark_corrupt.h match_parent_style.h mbox_conf.h mbox_open.h \
+ mime_state.h mkmap.h msg_stats.h mynetworks.h mypwd.h namadr_list.h \
+ off_cvt.h opened.h own_inet_addr.h pipe_command.h post_mail.h \
+ qmgr_user.h qmqp_proto.h quote_821_local.h quote_822_local.h \
+ quote_flags.h rcpt_buf.h rcpt_print.h rec_attr_map.h rec_streamlf.h \
+ rec_type.h recipient_list.h record.h resolve_clnt.h resolve_local.h \
+ rewrite_clnt.h scache.h sent.h smtp_stream.h split_addr.h \
string_list.h strip_addr.h sys_exits.h timed_ipc.h tok822.h \
- trace.h verify.h verify_clnt.h verp_sender.h \
- xtext.h scache.h user_acl.h ehlo_mask.h db_common.h \
- wildcard_inet_addr.h valid_mailhost_addr.h dsn_util.h dsn_mask.h \
- rec_attr_map.h dsn.h dsn_buf.h rcpt_buf.h rcpt_print.h dsn_print.h \
- dsb_scan.h msg_stats.h conv_time.h
+ trace.h user_acl.h valid_mailhost_addr.h verify.h verify_clnt.h \
+ verp_sender.h wildcard_inet_addr.h xtext.h
TESTSRC = rec2stream.c stream2rec.c recdump.c
DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE)
CFLAGS = $(DEBUG) $(OPT) $(DEFS)
input_transp.o: input_transp.c
input_transp.o: input_transp.h
input_transp.o: mail_params.h
+int_filt.o: ../../include/name_mask.h
+int_filt.o: ../../include/sys_defs.h
+int_filt.o: ../../include/vbuf.h
+int_filt.o: ../../include/vstring.h
+int_filt.o: int_filt.c
+int_filt.o: int_filt.h
+int_filt.o: mail_params.h
is_header.o: ../../include/sys_defs.h
is_header.o: is_header.c
is_header.o: is_header.h
/*++
/* NAME
-/* exp_prop 3
+/* ext_prop 3
/* SUMMARY
/* address extension propagation control
/* SYNOPSIS
-/* #include <exp_prop.h>
+/* #include <ext_prop.h>
/*
/* int ext_prop_mask(param_name, pattern)
/* const char *param_name;
/* const char *pattern;
/* DESCRIPTION
-/* This module controld address extension propagation.
+/* This module controls address extension propagation.
/*
/* ext_prop_mask() takes a comma-separated list of names and
/* computes the corresponding mask. The following names are
-#ifndef _EXT_PROP_INCLUDED_
-#define _EXT_PROP_INCLUDED_
+#ifndef _INPUT_TRANSP_INCLUDED_
+#define _INPUT_TRANSP_INCLUDED_
/*++
/* NAME
-/* ext_prop 3h
+/* input_transp 3h
/* SUMMARY
-/* address extension propagation control
+/* receive transparency control
/* SYNOPSIS
-/* #include <ext_prop.h>
+/* #include <input_transp.h>
/* DESCRIPTION
/* .nf
--- /dev/null
+/*++
+/* NAME
+/* int_filt 3
+/* SUMMARY
+/* internal mail filter control
+/* SYNOPSIS
+/* #include <int_filt.h>
+/*
+/* int int_filt_flags(class)
+/* int class;
+/* DESCRIPTION
+/* int_filt_flags() determines the appropriate mail filtering
+/* flags for the cleanup server, depending on the setting of
+/* the internal_mail_filter_classes configuration parameter.
+/*
+/* Specify one of the following:
+/* .IP INT_FILT_NONE
+/* Mail that must be excluded from inspection (address probes, etc.).
+/* .IP INT_FILT_NOTIFY
+/* Postmaster notifications from the smtpd(8) and smtp(8)
+/* protocol adapters.
+/* .IP INT_FILT_BOUNCE
+/* Delivery status notifications from the bounce(8) server.
+/* DIAGNOSTICS
+/* Fatal: invalid mail category name.
+/* LICENSE
+/* .ad
+/* .fi
+/* The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/* Wietse Venema
+/* IBM T.J. Watson Research
+/* P.O. Box 704
+/* Yorktown Heights, NY 10598, USA
+/*--*/
+
+/* System library. */
+
+#include <sys_defs.h>
+
+/* Utility library. */
+
+#include <name_mask.h>
+#include <msg.h>
+
+/* Global library. */
+
+#include <mail_params.h>
+#include <cleanup_user.h>
+#include <int_filt.h>
+
+/* int_filt_flags - map mail class to submission flags */
+
+int int_filt_flags(int class)
+{
+ static NAME_MASK table[] = {
+ "notify", INT_FILT_NOTIFY,
+ "bounce", INT_FILT_BOUNCE,
+ 0,
+ };
+ int filtered_classes = 0;
+
+ if (class && *var_int_filt_classes) {
+ filtered_classes =
+ name_mask(VAR_INT_FILT_CLASSES, table, var_int_filt_classes);
+ if (filtered_classes == 0)
+ msg_warn("%s: bad input: %s", VAR_INT_FILT_CLASSES,
+ var_int_filt_classes);
+ if (filtered_classes & class)
+ return (CLEANUP_FLAG_FILTER | CLEANUP_FLAG_MILTER);
+ }
+ return (0);
+}
--- /dev/null
+#ifndef _INT_FILT_INCLUDED_
+#define _INT_FILT_INCLUDED_
+
+/*++
+/* NAME
+/* int_filt 3h
+/* SUMMARY
+/* internal mail classification
+/* SYNOPSIS
+/* #include <int_filt.h>
+/* DESCRIPTION
+/* .nf
+
+ /*
+ * External interface.
+ */
+#define INT_FILT_NONE (0)
+#define INT_FILT_NOTIFY (1<<1)
+#define INT_FILT_BOUNCE (1<<2)
+
+extern int int_filt_flags(int);
+
+/* LICENSE
+/* .ad
+/* .fi
+/* The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/* Wietse Venema
+/* IBM T.J. Watson Research
+/* P.O. Box 704
+/* Yorktown Heights, NY 10598, USA
+/*--*/
+
+#endif
return ((state == IN_CHAR || state == IN_CHAR_SPACE) ? len : 0);
}
}
+ /* Redundant return for future proofing. */
return (0);
}
*
* Don't compute the sdelay (connection setup latency) if there is no time
* stamp for connection setup completion.
+ *
+ * XXX Apparently, Solaris gettimeofday() can return out-of-range
+ * microsecond values.
*/
#define DELTA(x, y, z) \
do { \
(x).dt_sec = (y).tv_sec - (z).tv_sec; \
(x).dt_usec = (y).tv_usec - (z).tv_usec; \
- if ((x).dt_usec < 0) { \
+ while ((x).dt_usec < 0) { \
(x).dt_usec += 1000000; \
(x).dt_sec -= 1; \
} \
+ while ((x).dt_usec >= 1000000) { \
+ (x).dt_usec -= 1000000; \
+ (x).dt_sec += 1; \
+ } \
if ((x).dt_sec < 0) \
(x).dt_sec = (x).dt_usec = 0; \
} while (0)
/* int var_verify_neg_cache;
/* int var_oldlog_compat;
/* int var_delay_max_res;
+/* char *var_int_filt_classes;
/*
/* void mail_params_init()
/*
int var_verify_neg_cache;
int var_oldlog_compat;
int var_delay_max_res;
+char *var_int_filt_classes;
const char null_format_string[1] = "";
VAR_FLUSH_SERVICE, DEF_FLUSH_SERVICE, &var_flush_service, 1, 0,
VAR_VERIFY_SERVICE, DEF_VERIFY_SERVICE, &var_verify_service, 1, 0,
VAR_TRACE_SERVICE, DEF_TRACE_SERVICE, &var_trace_service, 1, 0,
+ VAR_INT_FILT_CLASSES, DEF_INT_FILT_CLASSES, &var_int_filt_classes, 0, 0,
0,
};
static CONFIG_STR_FN_TABLE function_str_defaults_2[] = {
#define DEF_SMTPD_TLS_WRAPPER 0
extern bool var_smtpd_tls_wrappermode;
+#define VAR_SMTPD_TLS_LEVEL "smtpd_tls_security_level"
+#define DEF_SMTPD_TLS_LEVEL ""
+extern char *var_smtpd_tls_level;
+
#define VAR_SMTPD_USE_TLS "smtpd_use_tls"
#define DEF_SMTPD_USE_TLS 0
extern bool var_smtpd_use_tls;
#define DEF_SMTPD_TLS_CA_PATH ""
extern char *var_smtpd_tls_CApath;
-#define VAR_SMTPD_TLS_PROTO "smtpd_tls_protocols"
-#define DEF_SMTPD_TLS_PROTO ""
-extern char *var_smtpd_tls_protocols;
+#define VAR_SMTPD_TLS_MAND_PROTO "smtpd_tls_mandatory_protocols"
+#define DEF_SMTPD_TLS_MAND_PROTO "SSLv3, TLSv1"
+extern char *var_smtpd_tls_mand_proto;
-#define VAR_SMTPD_TLS_CIPHERS "smtpd_tls_ciphers"
-#define DEF_SMTPD_TLS_CIPHERS "export"
-extern char *var_smtpd_tls_ciphers;
+#define VAR_SMTPD_TLS_MAND_CIPH "smtpd_tls_mandatory_ciphers"
+#define DEF_SMTPD_TLS_MAND_CIPH "medium"
+extern char *var_smtpd_tls_mand_ciph;
#define VAR_SMTPD_TLS_EXCL_CIPH "smtpd_tls_exclude_ciphers"
#define DEF_SMTPD_TLS_EXCL_CIPH ""
extern char *var_smtpd_tls_excl_ciph;
+#define VAR_SMTPD_TLS_MAND_EXCL "smtpd_tls_mandatory_exclude_ciphers"
+#define DEF_SMTPD_TLS_MAND_EXCL ""
+extern char *var_smtpd_tls_mand_excl;
+
#define VAR_SMTPD_TLS_512_FILE "smtpd_tls_dh512_param_file"
#define DEF_SMTPD_TLS_512_FILE ""
extern char *var_smtpd_tls_dh512_param_file;
#define DEF_LMTP_TLS_CA_PATH ""
extern char *var_smtp_tls_CApath;
-#define VAR_SMTP_TLS_CIPHERS "smtp_tls_mandatory_ciphers"
-#define DEF_SMTP_TLS_CIPHERS "medium"
-#define VAR_LMTP_TLS_CIPHERS "lmtp_tls_mandatory_ciphers"
-#define DEF_LMTP_TLS_CIPHERS "medium"
-extern char *var_smtp_tls_ciphers;
+#define VAR_SMTP_TLS_MAND_CIPH "smtp_tls_mandatory_ciphers"
+#define DEF_SMTP_TLS_MAND_CIPH "medium"
+#define VAR_LMTP_TLS_MAND_CIPH "lmtp_tls_mandatory_ciphers"
+#define DEF_LMTP_TLS_MAND_CIPH "medium"
+extern char *var_smtp_tls_mand_ciph;
#define VAR_SMTP_TLS_EXCL_CIPH "smtp_tls_exclude_ciphers"
#define DEF_SMTP_TLS_EXCL_CIPH ""
#define DEF_LMTP_TLS_POLICY ""
extern char *var_smtp_tls_policy;
-#define VAR_SMTP_TLS_PROTO "smtp_tls_mandatory_protocols"
-#define DEF_SMTP_TLS_PROTO "SSLv3, TLSv1"
-#define VAR_LMTP_TLS_PROTO "lmtp_tls_mandatory_protocols"
-#define DEF_LMTP_TLS_PROTO "SSLv3, TLSv1"
-extern char *var_smtp_tls_protocols;
+#define VAR_SMTP_TLS_MAND_PROTO "smtp_tls_mandatory_protocols"
+#define DEF_SMTP_TLS_MAND_PROTO "SSLv3, TLSv1"
+#define VAR_LMTP_TLS_MAND_PROTO "lmtp_tls_mandatory_protocols"
+#define DEF_LMTP_TLS_MAND_PROTO "SSLv3, TLSv1"
+extern char *var_smtp_tls_mand_proto;
#define VAR_SMTP_TLS_VFY_CMATCH "smtp_tls_verify_cert_match"
#define DEF_SMTP_TLS_VFY_CMATCH "hostname"
#define DEF_SMTP_SASL_PASSWD ""
extern char *var_smtp_sasl_passwd;
+#define VAR_SMTP_SASL_ENFORCE "smtp_sasl_auth_enforce"
+#define DEF_SMTP_SASL_ENFORCE 1
+extern bool var_smtp_sasl_enforce;
+
#define VAR_SMTP_SASL_OPTS "smtp_sasl_security_options"
#define DEF_SMTP_SASL_OPTS "noplaintext, noanonymous"
extern char *var_smtp_sasl_opts;
#define DEF_LMTP_SASL_TLS_OPTS "$" VAR_LMTP_SASL_OPTS
extern char *var_smtp_sasl_tls_opts;
-#ifdef SNAPSHOT /* XXX: Not yet */
#define VAR_SMTP_SASL_TLSV_OPTS "smtp_sasl_tls_verified_security_options"
#define DEF_SMTP_SASL_TLSV_OPTS "$" VAR_SMTP_SASL_TLS_OPTS
#define VAR_LMTP_SASL_TLSV_OPTS "lmtp_sasl_tls_verified_security_options"
#define DEF_LMTP_SASL_TLSV_OPTS "$" VAR_LMTP_SASL_TLS_OPTS
extern char *var_smtp_sasl_tlsv_opts;
-#endif
-
/*
* LMTP server. The soft error limit determines how many errors an LMTP
* client may make before we start to slow down; the hard error limit
#define DEF_LMTP_SASL_PASSWD ""
extern char *var_lmtp_sasl_passwd;
+#define VAR_LMTP_SASL_ENFORCE "lmtp_sasl_auth_enforce"
+#define DEF_LMTP_SASL_ENFORCE 1
+
#define VAR_LMTP_SASL_OPTS "lmtp_sasl_security_options"
#define DEF_LMTP_SASL_OPTS "noplaintext, noanonymous"
extern char *var_lmtp_sasl_opts;
#define DEF_MILT_V "$" VAR_MAIL_NAME " $" VAR_MAIL_VERSION
extern char *var_milt_v;
+ /*
+ * What internal mail do we inspect/stamp/etc.? This is not yet safe enough
+ * to enable world-wide.
+ */
+#define VAR_INT_FILT_CLASSES "internal_mail_filter_classes"
+#define DEF_INT_FILT_CLASSES ""
+extern char *var_int_filt_classes;
+
/* LICENSE
/* .ad
/* .fi
#define MAIL_ATTR_LABEL "label"
#define MAIL_ATTR_PROP "property"
#define MAIL_ATTR_CCERT_SUBJECT "ccert_subject"
-#define MAIL_ATTR_CCERT_ISSSUER "ccert_issuer"
+#define MAIL_ATTR_CCERT_ISSUER "ccert_issuer"
#define MAIL_ATTR_CCERT_FINGERPRINT "ccert_fingerprint"
#define MAIL_ATTR_CRYPTO_PROTOCOL "encryption_protocol"
#define MAIL_ATTR_CRYPTO_CIPHER "encryption_cipher"
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20060629"
-#define MAIL_VERSION_NUMBER "2.3"
+#define MAIL_RELEASE_DATE "20060711"
+#define MAIL_VERSION_NUMBER "2.4"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
#else
-# define MAIL_VERSION_DATE
+# define MAIL_VERSION_DATE ""
#endif
#ifdef NONPROD
# define MAIL_VERSION_PROD "-nonprod"
-#endif
-
-#ifndef MAIL_VERSION_PROD
+#else
# define MAIL_VERSION_PROD ""
#endif
/* SYNOPSIS
/* #include <post_mail.h>
/*
-/* VSTREAM *post_mail_fopen(sender, recipient, cleanup_flags, trace_flags,
+/* VSTREAM *post_mail_fopen(sender, recipient, filter_class, trace_flags,
/* queue_id)
/* const char *sender;
/* const char *recipient;
-/* int cleanup_flags;
+/* int filter_class;
/* int trace_flags;
/* VSTRING *queue_id;
/*
/* VSTREAM *post_mail_fopen_nowait(sender, recipient,
-/* cleanup_flags, trace_flags, queue_id)
+/* filter_class, trace_flags, queue_id)
/* const char *sender;
/* const char *recipient;
-/* int cleanup_flags;
+/* int filter_class;
/* int trace_flags;
/* VSTRING *queue_id;
/*
/* void post_mail_fopen_async(sender, recipient,
-/* cleanup_flags, trace_flags,
+/* filter_class, trace_flags,
/* queue_id, notify, context)
/* const char *sender;
/* const char *recipient;
-/* int cleanup_flags;
+/* int filter_class;
/* int trace_flags;
/* VSTRING *queue_id;
/* void (*notify)(VSTREAM *stream, char *context);
/* .IP recipient
/* The recipient envelope address. It is up to the application
/* to produce To: headers.
-/* .IP cleanup_flags
-/* The binary OR of zero or more of the options defined in
-/* \fB<cleanup_user.h>\fR.
+/* .IP filter_class
+/* The internal mail filtering class, as defined in
+/* \fB<int_filt.h>\fR. Depending on the setting of the
+/* internal_mail_filter_classes parameter the message will or
+/* won't be subject to content inspection.
/* .IP trace_flags
/* Message tracing flags as specified in \fB<deliver_request.h>\fR.
/* .IP queue_id
typedef struct {
char *sender;
char *recipient;
- int cleanup_flags;
+ int filter_class;
int trace_flags;
POST_MAIL_NOTIFY notify;
void *context;
static void post_mail_init(VSTREAM *stream, const char *sender,
const char *recipient,
- int cleanup_flags, int trace_flags,
+ int filter_class, int trace_flags,
VSTRING *queue_id)
{
VSTRING *id = queue_id ? queue_id : vstring_alloc(100);
struct timeval now;
const char *date;
+ int cleanup_flags =
+ int_filt_flags(filter_class) | CLEANUP_FLAG_MASK_INTERNAL;
GETTIMEOFDAY(&now);
date = mail_date(now.tv_sec);
/* post_mail_fopen - prepare for posting a message */
VSTREAM *post_mail_fopen(const char *sender, const char *recipient,
- int cleanup_flags, int trace_flags,
+ int filter_class, int trace_flags,
VSTRING *queue_id)
{
VSTREAM *stream;
stream = mail_connect_wait(MAIL_CLASS_PUBLIC, var_cleanup_service);
- post_mail_init(stream, sender, recipient, cleanup_flags, trace_flags,
+ post_mail_init(stream, sender, recipient, filter_class, trace_flags,
queue_id);
return (stream);
}
/* post_mail_fopen_nowait - prepare for posting a message */
VSTREAM *post_mail_fopen_nowait(const char *sender, const char *recipient,
- int cleanup_flags, int trace_flags,
+ int filter_class, int trace_flags,
VSTRING *queue_id)
{
VSTREAM *stream;
if ((stream = mail_connect(MAIL_CLASS_PUBLIC, var_cleanup_service,
BLOCKING)) != 0)
- post_mail_init(stream, sender, recipient, cleanup_flags, trace_flags,
+ post_mail_init(stream, sender, recipient, filter_class, trace_flags,
queue_id);
return (stream);
}
event_cancel_timer(post_mail_open_event, context);
event_disable_readwrite(vstream_fileno(state->stream));
post_mail_init(state->stream, state->sender,
- state->recipient, state->cleanup_flags,
+ state->recipient, state->filter_class,
state->trace_flags, state->queue_id);
myfree(state->sender);
myfree(state->recipient);
/* post_mail_fopen_async - prepare for posting a message */
void post_mail_fopen_async(const char *sender, const char *recipient,
- int cleanup_flags, int trace_flags,
+ int filter_class, int trace_flags,
VSTRING *queue_id,
void (*notify) (VSTREAM *, void *),
void *context)
state = (POST_MAIL_STATE *) mymalloc(sizeof(*state));
state->sender = mystrdup(sender);
state->recipient = mystrdup(recipient);
- state->cleanup_flags = cleanup_flags;
+ state->filter_class = filter_class;
state->trace_flags = trace_flags;
state->notify = notify;
state->context = context;
* Global library.
*/
#include <cleanup_user.h>
+#include <int_filt.h>
/*
* External interface.
* Optionally, restrict the damage that this process can do.
*/
resolve_local_init();
-#ifdef SNAPSHOT
tzset();
-#endif
chroot_uid(root_dir, user_name);
/*
* Optionally, restrict the damage that this process can do.
*/
resolve_local_init();
-#ifdef SNAPSHOT
tzset();
-#endif
chroot_uid(root_dir, user_name);
/*
* Optionally, restrict the damage that this process can do.
*/
resolve_local_init();
-#ifdef SNAPSHOT
tzset();
-#endif
chroot_uid(root_dir, user_name);
/*
mv junk $@.o
test-milter: test-milter.c
- cc -o $@ $? -lmilter -lpthread
+ cc -g -o $@ $? -lmilter -lpthread
depend: $(MAKES)
(sed '1,/^# do not edit/!d' Makefile.in; \
/* ins_header, del_header, add_rcpt,
/* del_rcpt, repl_body, context)
/* MILTERS *milters;
-/* void (*add_header) (void *context, char *name, char *value);
-/* void (*upd_header) (void *context, ssize_t index,
+/* const char *(*add_header) (void *context, char *name, char *value);
+/* const char *(*upd_header) (void *context, ssize_t index,
/* char *name, char *value);
-/* void (*ins_header) (void *context, ssize_t index,
+/* const char *(*ins_header) (void *context, ssize_t index,
/* char *name, char *value);
-/* void (*del_header) (void *context, ssize_t index, char *name);
-/* void (*add_rcpt) (void *context, char *rcpt);
-/* void (*del_rcpt) (void *context, char *rcpt);
-/* void (*repl_body) (void *context, VSTRING *body);
+/* const char *(*del_header) (void *context, ssize_t index, char *name);
+/* const char *(*add_rcpt) (void *context, char *rcpt);
+/* const char *(*del_rcpt) (void *context, char *rcpt);
+/* const char *(*repl_body) (void *context, VSTRING *body);
/* void *context;
/*
/* const char *milter_conn_event(milters, client_name, client_addr,
/* milter_edit_callback - specify queue file edit call-back information */
void milter_edit_callback(MILTERS *milters,
- void (*add_header) (void *, char *, char *),
- void (*upd_header) (void *, ssize_t, char *, char *),
- void (*ins_header) (void *, ssize_t, char *, char *),
- void (*del_header) (void *, ssize_t, char *),
- void (*add_rcpt) (void *, char *),
- void (*del_rcpt) (void *, char *),
- void (*repl_body) (void *, VSTRING *),
+ const char *(*add_header) (void *, char *, char *),
+ const char *(*upd_header) (void *, ssize_t, char *, char *),
+ const char *(*ins_header) (void *, ssize_t, char *, char *),
+ const char *(*del_header) (void *, ssize_t, char *),
+ const char *(*add_rcpt) (void *, char *),
+ const char *(*del_rcpt) (void *, char *),
+ const char *(*repl_body) (void *, VSTRING *),
void *chg_context)
{
milters->add_header = add_header;
return (0);
}
if (head == 0) {
- head = milter;
+ /* Coverity: milter_free() depends on milters->milter_list. */
+ milters->milter_list = head = milter;
} else {
tail->next = milter;
}
tail = milter;
}
- milters->milter_list = head;
(void) attr_print(stream, ATTR_FLAG_NONE,
ATTR_TYPE_INT, MAIL_ATTR_STATUS, 0,
msg_warn("deleting existing milters");
milter_free(milters);
}
- milters = milter_create(args[0], var_milt_conn_time,
- var_milt_cmd_time, var_milt_msg_time,
- var_milt_protocol, var_milt_def_action,
+ milters = milter_create(args[0], var_milt_conn_time,
+ var_milt_cmd_time, var_milt_msg_time,
+ var_milt_protocol, var_milt_def_action,
conn_macros, helo_macros, mail_macros,
rcpt_macros, data_macros, eod_macros,
unk_macros);
char *eod_macros; /* macros for END-OF-DATA command */
char *unk_macros; /* macros for unknown command */
void *chg_context; /* context for queue file changes */
- void (*add_header) (void *, char *, char *);
- void (*upd_header) (void *, ssize_t, char *, char *);
- void (*del_header) (void *, ssize_t, char *);
- void (*ins_header) (void *, ssize_t, char *, char *);
- void (*add_rcpt) (void *, char *);
- void (*del_rcpt) (void *, char *);
- void (*repl_body) (void *, VSTRING *);
+ const char *(*add_header) (void *, char *, char *);
+ const char *(*upd_header) (void *, ssize_t, char *, char *);
+ const char *(*del_header) (void *, ssize_t, char *);
+ const char *(*ins_header) (void *, ssize_t, char *, char *);
+ const char *(*add_rcpt) (void *, char *);
+ const char *(*del_rcpt) (void *, char *);
+ const char *(*repl_body) (void *, VSTRING *);
} MILTERS;
typedef const char *(*MILTER_MAC_LOOKUP_FN) (const char *, void *);
-typedef void (*MILTER_ADD_HEADER_FN) (void *, char *, char *);
-typedef void (*MILTER_EDIT_HEADER_FN) (void *, ssize_t, char *, char *);
-typedef void (*MILTER_DEL_HEADER_FN) (void *, ssize_t, char *);
-typedef void (*MILTER_EDIT_RCPT_FN) (void *, char *);
-typedef void (*MILTER_EDIT_BODY_FN) (void *, VSTRING *);
+typedef const char *(*MILTER_ADD_HEADER_FN) (void *, char *, char *);
+typedef const char *(*MILTER_EDIT_HEADER_FN) (void *, ssize_t, char *, char *);
+typedef const char *(*MILTER_DEL_HEADER_FN) (void *, ssize_t, char *);
+typedef const char *(*MILTER_EDIT_RCPT_FN) (void *, char *);
+typedef const char *(*MILTER_EDIT_BODY_FN) (void *, VSTRING *);
extern MILTERS *milter_create(const char *, int, int, int,
const char *, const char *,
/* MILTER *milter8_receive(stream)
/* VSTREAM *stream;
/* DESCRIPTION
-/* This modulde implements the MTA side of the Sendmail 8 mail
+/* This module implements the MTA side of the Sendmail 8 mail
/* filter protocol.
/*
/* milter8_create() creates a MILTER data structure with virtual
milter->state = MILTER8_STAT_CLOSED;
}
-/* milter8_read_cmd - receive command code now, receive data later */
+/* milter8_read_resp - receive command code now, receive data later */
-static int milter8_read_cmd(MILTER8 *milter, unsigned char *command,
+static int milter8_read_resp(MILTER8 *milter, int event, unsigned char *command,
ssize_t *data_len)
{
UINT32_TYPE len;
ssize_t pkt_len;
+ const char *smfic_name;
int cmd;
/*
*/
if ((vstream_fread(milter->fp, (char *) &len, UINT32_SIZE))
!= UINT32_SIZE) {
- msg_warn("milter %s: can't read packet header: %m", milter->m.name);
+ smfic_name = str_name_code(smfic_table, event);
+ msg_warn("milter %s: can't read %s reply packet header: %m",
+ milter->m.name, smfic_name != 0 ?
+ smfic_name : "(unknown MTA event)");
return (milter8_comm_error(milter));
} else if ((pkt_len = ntohl(len)) < 1) {
msg_warn("milter %s: bad packet length: %ld",
/*
* Sanity checks. We may have excess data when the sender is confused. We
- * may have a negative count when we're confused outselves.
+ * may have a negative count when we're confused ourselves.
*/
if (data_left > 0) {
msg_warn("%s: left-over data %ld bytes", myname, (long) data_left);
VSTRING *buf;
const char *str;
const char **cpp;
- unsigned char ch;
+ char ch;
/*
* Deliver the packet.
const char *smfir_name;
MILTERS *parent;
UINT32_TYPE index;
+ const char *edit_resp;
#define DONT_SKIP_REPLY 0
/*
- * Skip this event if it is not defined for my protocol version.
+ * Skip this event if it doesn't exist in the protocol that I announced.
*/
#ifndef USE_LIBMILTER_INCLUDES
if ((skip_event_flag & milter->np_mask) != 0) {
#endif
/*
- * Send the macros even when the corresponding list is empty. This is not
- * a problem because we're sending macros and event parameters in one
- * transaction.
+ * Send the macros for this event, even when we're not reporting the
+ * event itself. This does not introduce a performance problem because
+ * we're sending macros and event parameters in one VSTREAM transaction.
*/
if (msg_verbose) {
VSTRING *buf = vstring_alloc(100);
}
/*
- * Size the command data.
+ * Compute the command data size. This is necessary because the protocol
+ * sends length before content.
*/
va_start(ap, macros);
data_len = vmilter8_size_data(ap);
/*
* Special feature: don't wait for one reply per header. This allows us
- * to send multiple headers in one transaction, and improves over-all
- * performance.
+ * to send multiple headers in one VSTREAM transaction, and improves
+ * over-all performance.
*/
if (skip_reply) {
if (msg_verbose)
#define IN_CONNECT_EVENT(e) ((e) == SMFIC_CONNECT || (e) == SMFIC_HELO)
for (;;) {
- if (milter8_read_cmd(milter, &cmd, &data_size) != 0)
+ if (milter8_read_resp(milter, event, &cmd, &data_size) != 0)
return (milter->def_reply);
if (msg_verbose)
- msg_info("reply: %s %d",
+ msg_info("reply: %s data %ld bytes",
(smfir_name = str_name_code(smfir_table, cmd)) != 0 ?
- smfir_name : "unknown", data_size);
+ smfir_name : "unknown", (long) data_size);
switch (cmd) {
/*
#endif
milter->state = MILTER8_STAT_REJECT_CON;
return (milter8_def_reply(milter,
- "451 4.7.1 Service unavailable - try again later"));
+ "451 4.7.1 Service unavailable - try again later"));
} else {
return ("451 4.7.1 Service unavailable - try again later");
}
MILTER8_DATA_END) != 0)
return (milter->def_reply);
parent = milter->m.parent;
+ /* XXX Sendmail 8 compatibility. */
+ if (index == 0)
+ index = 1;
if ((ssize_t) index < 1) {
msg_warn("milter %s: bad change header index: %ld",
milter->m.name, (long) index);
return (milter->def_reply);
}
if (STR(milter->body)[0])
- parent->upd_header(parent->chg_context, (ssize_t) index,
- STR(milter->buf),
- STR(milter->body));
+ edit_resp = parent->upd_header(parent->chg_context,
+ (ssize_t) index,
+ STR(milter->buf),
+ STR(milter->body));
else
- parent->del_header(parent->chg_context, (ssize_t) index,
- STR(milter->buf));
+ edit_resp = parent->del_header(parent->chg_context,
+ (ssize_t) index,
+ STR(milter->buf));
+ if (edit_resp)
+ return (milter8_def_reply(milter, edit_resp));
continue;
#endif
MILTER8_DATA_END) != 0)
return (milter->def_reply);
parent = milter->m.parent;
- parent->add_header(parent->chg_context, STR(milter->buf),
- STR(milter->body));
+ edit_resp = parent->add_header(parent->chg_context,
+ STR(milter->buf),
+ STR(milter->body));
+ if (edit_resp)
+ return (milter8_def_reply(milter, edit_resp));
continue;
/*
return (milter->def_reply);
}
parent = milter->m.parent;
- parent->ins_header(parent->chg_context, (ssize_t) index + 1,
- STR(milter->buf), STR(milter->body));
+ edit_resp = parent->ins_header(parent->chg_context,
+ (ssize_t) index + 1,
+ STR(milter->buf),
+ STR(milter->body));
+ if (edit_resp)
+ return (milter8_def_reply(milter, edit_resp));
continue;
#endif
MILTER8_DATA_END) != 0)
return (milter->def_reply);
parent = milter->m.parent;
- parent->add_rcpt(parent->chg_context, STR(milter->buf));
+ edit_resp = parent->add_rcpt(parent->chg_context,
+ STR(milter->buf));
+ if (edit_resp)
+ return (milter8_def_reply(milter, edit_resp));
continue;
/*
MILTER8_DATA_END) != 0)
return (milter->def_reply);
parent = milter->m.parent;
- parent->del_rcpt(parent->chg_context, STR(milter->buf));
+ edit_resp = parent->del_rcpt(parent->chg_context,
+ STR(milter->buf));
+ if (edit_resp)
+ return (milter8_def_reply(milter, edit_resp));
continue;
/*
MILTER8_DATA_END) != 0)
return (milter->def_reply);
parent = milter->m.parent;
- parent->repl_body(parent->chg_context, milter->body);
+ edit_resp = parent->repl_body(parent->chg_context,
+ milter->body);
+ if (edit_resp)
+ return (milter8_def_reply(milter, edit_resp));
continue;
#endif
}
* Get here when the reply was followed by data bytes that weren't
* supposed to be there.
*/
- msg_warn("milter %s: reply %s was followed by %d data bytes",
+ msg_warn("milter %s: reply %s was followed by %ld data bytes",
milter->m.name, (smfir_name = str_name_code(smfir_table, cmd)) != 0 ?
- smfir_name : "unknown", data_len);
+ smfir_name : "unknown", (long) data_len);
milter8_comm_error(milter);
return (milter->def_reply);
}
/*
* Receive the filter's response and verify that we are compatible.
*/
- else if (milter8_read_cmd(milter, &cmd, &data_len) != 0) {
+ else if (milter8_read_resp(milter, SMFIC_OPTNEG, &cmd, &data_len) != 0) {
msg_warn("milter %s: read error in initial handshake", milter->m.name);
- /* milter8_read_cmd() called milter8_comm_error() */
+ /* milter8_read_resp() called milter8_comm_error() */
} else if (cmd != SMFIC_OPTNEG) {
msg_warn("milter %s: unexpected reply \"%c\" in initial handshake",
milter->m.name, cmd);
typedef struct {
MILTER8 *milter; /* milter client */
ARGV *macros; /* end-of-body macros */
+ int first_header; /* first header */
+ int first_body; /* first body line */
const char *resp; /* milter application response */
} MILTER_MSG_CONTEXT;
char *cp;
int skip_reply;
+ /*
+ * XXX Sendmail compatibility. Don't expose our first (received) header
+ * to mail filter applications. See also cleanup_milter.c for code to
+ * ensure that header replace requests are relative to the message
+ * content as received, that is, without our own first (received) header,
+ * while header insert requests are relative to the message as delivered,
+ * that is, including our own first (received) header.
+ *
+ * XXX But this breaks when they delete our own Received: header with
+ * header_checks before it reaches the queue file. Even then we must not
+ * expose the first header to mail filter applications, otherwise the
+ * dk-filter signature will be inserted at the wrong position. It should
+ * precede the headers that it signs.
+ *
+ * XXX Sendmail compatibility. It eats the first space (not tab) after the
+ * header label and ":".
+ */
+ if (msg_ctx->first_header) {
+ msg_ctx->first_header = 0;
+ return;
+ }
+
/*
* Sendmail 8 sends multi-line headers as text separated by newline.
*
if (*cp != ':')
msg_panic("%s: header label not followed by ':'", myname);
*cp++ = 0;
- /* XXX Following matches mime_state.c */
- while (*cp == ' ' || *cp == '\t')
+ /* XXX Sendmail 8.13.6 eats one space (not tab) after colon. */
+ if (*cp == ' ')
cp++;
#ifdef SMFIP_NOHREPL
skip_reply = ((milter->ev_mask & SMFIP_NOHREPL) != 0);
ssize_t space;
ssize_t count;
+ /*
+ * XXX Sendmail compatibility: don't expose our first body line.
+ */
+ if (msg_ctx->first_body) {
+ msg_ctx->first_body = 0;
+ return;
+ }
+
/*
* XXX I thought I was going to delegate all the on-the-wire formatting
* to a common lower layer, but unfortunately it's not practical. If we
*/
if (msg_verbose > 1)
msg_info("%s: body milter %s: %.100s", myname, milter->m.name, buf);
+ /* To append \r\n, simply redirect input to another buffer. */
+ if (rec_type == REC_TYPE_NORM && todo == 0) {
+ bp = "\r\n";
+ todo = 2;
+ rec_type = REC_TYPE_EOF;
+ }
while (todo > 0) {
/* Append one REC_TYPE_NORM or REC_TYPE_CONT to body chunk buffer. */
space = MILTER_CHUNK_SIZE - LEN(milter->body);
}
msg_ctx.milter = milter;
msg_ctx.macros = macros;
+ msg_ctx.first_header = 1;
+ msg_ctx.first_body = 1;
msg_ctx.resp = 0;
mime_state =
mime_state_alloc(MIME_OPT_DISABLE_MIME,
*
* Specifies a non-default reply. The default is to always continue.
*
+ * -d Enable libmilter debugging.
+ *
* -c connect|helo|mail|rcpt|data|header|eoh|body|eom|unknown|close|abort
*
* When to send the non-default reply. The default is "connect".
*
+ * -i "index header-label header-value"
+ *
+ * Insert header at specified position.
+ *
* -p inet:port@host|unix:/path/name
*
* The mail filter listen endpoint.
*
+ * -r "index header-label header-value"
+ *
+ * Replace header at specified position.
+ *
* -C count
*
* Terminate after count connections.
static char *reply_dsn;
static char *reply_message;
+static char *ins_hdr;
+static int ins_idx;
+static char *ins_val;
+
+static char *chg_hdr;
+static int chg_idx;
+static char *chg_val;
+
static int test_reply(SMFICTX *ctx, int code)
{
+ (void) fflush(stdout); /* In case output redirected. */
+
if (code == SMFIR_REPLYCODE) {
if (smfi_setreply(ctx, reply_code, reply_dsn, reply_message) != MI_SUCCESS)
fprintf(stderr, "smfi_setreply failed\n");
static sfsistat test_body(SMFICTX *ctx, unsigned char *data, size_t data_len)
{
- printf("test_body %ld bytes\n", (long) data_len);
+ if (verbose == 0)
+ printf("test_body %ld bytes\n", (long) data_len);
+ else
+ printf("%.*s", (int) data_len, data);
return (test_reply(ctx, test_body_reply));
}
static sfsistat test_eom(SMFICTX *ctx)
{
printf("test_eom\n");
+ if (ins_hdr && smfi_insheader(ctx, ins_idx, ins_hdr, ins_val) == MI_FAILURE)
+ fprintf(stderr, "smfi_insheader failed");
+ if (chg_hdr && smfi_chgheader(ctx, chg_hdr, chg_idx, chg_val) == MI_FAILURE)
+ fprintf(stderr, "smfi_chgheader failed");
return (test_reply(ctx, test_eom_reply));
}
{
"test-milter",
SMFI_VERSION,
- SMFIF_ADDRCPT | SMFIF_DELRCPT | SMFIF_CHGHDRS,
+ SMFIF_ADDRCPT | SMFIF_DELRCPT | SMFIF_ADDHDRS | SMFIF_CHGHDRS,
test_connect,
test_helo,
test_mail,
#endif
};
+static void parse_hdr_info(const char *optarg, int *idx,
+ char **hdr, char **value)
+{
+ int len;
+
+ len = strlen(optarg) + 1;
+ if ((*hdr = malloc(len)) == 0 || (*value = malloc(len)) == 0) {
+ fprintf(stderr, "out of memory\n");
+ exit(1);
+ }
+ if (sscanf(optarg, "%d %s %[^\n]", idx, *hdr, *value) != 3) {
+ fprintf(stderr, "bad header info: %s\n", optarg);
+ exit(1);
+ }
+}
+
int main(int argc, char **argv)
{
char *action = 0;
int ch;
int code;
- while ((ch = getopt(argc, argv, "a:c:d:p:vC:")) > 0) {
+ while ((ch = getopt(argc, argv, "a:c:d:i:p:r:vC:")) > 0) {
switch (ch) {
case 'a':
action = optarg;
exit(1);
}
break;
+ case 'i':
+ if (ins_hdr) {
+ fprintf(stderr, "too many -i options\n");
+ exit(1);
+ }
+ parse_hdr_info(optarg, &ins_idx, &ins_hdr, &ins_val);
+ break;
case 'p':
if (smfi_setconn(optarg) == MI_FAILURE) {
fprintf(stderr, "smfi_setconn failed\n");
exit(1);
}
break;
+ case 'r':
+ if (chg_hdr) {
+ fprintf(stderr, "too many -r options\n");
+ exit(1);
+ }
+ parse_hdr_info(optarg, &chg_idx, &chg_hdr, &chg_val);
+ break;
case 'v':
verbose++;
break;
break;
default:
fprintf(stderr,
- "usage: %s [-a action] [-c command] [-C conn_count] [-d debug] -p port [-v]\n",
+ "usage: %s [-dv] \n"
+ "\t[-a action] non-default action\n"
+ "\t[-c command] non-default action trigger\n"
+ "\t[-i 'index label value'] insert header\n"
+ "\t-p port milter application\n"
+ "\t[-r 'index label value'] replace header\n"
+ "\t[-C conn_count] when to exit\n",
argv[0]);
exit(1);
}
levels.o: ../../include/match_ops.h
levels.o: ../../include/msg.h
levels.o: ../../include/msg_stats.h
+levels.o: ../../include/name_code.h
levels.o: ../../include/name_mask.h
levels.o: ../../include/recipient_list.h
levels.o: ../../include/resolve_clnt.h
smtp_addr.o: ../../include/msg_stats.h
smtp_addr.o: ../../include/myaddrinfo.h
smtp_addr.o: ../../include/mymalloc.h
+smtp_addr.o: ../../include/name_code.h
smtp_addr.o: ../../include/name_mask.h
smtp_addr.o: ../../include/own_inet_addr.h
smtp_addr.o: ../../include/recipient_list.h
smtp_chat.o: ../../include/msg.h
smtp_chat.o: ../../include/msg_stats.h
smtp_chat.o: ../../include/mymalloc.h
+smtp_chat.o: ../../include/name_code.h
smtp_chat.o: ../../include/name_mask.h
smtp_chat.o: ../../include/post_mail.h
smtp_chat.o: ../../include/recipient_list.h
smtp_connect.o: ../../include/msg_stats.h
smtp_connect.o: ../../include/myaddrinfo.h
smtp_connect.o: ../../include/mymalloc.h
+smtp_connect.o: ../../include/name_code.h
smtp_connect.o: ../../include/name_mask.h
smtp_connect.o: ../../include/own_inet_addr.h
smtp_connect.o: ../../include/recipient_list.h
smtp_map11.o: ../../include/match_ops.h
smtp_map11.o: ../../include/msg.h
smtp_map11.o: ../../include/msg_stats.h
+smtp_map11.o: ../../include/name_code.h
smtp_map11.o: ../../include/name_mask.h
smtp_map11.o: ../../include/quote_822_local.h
smtp_map11.o: ../../include/quote_flags.h
smtp_rcpt.o: ../../include/msg.h
smtp_rcpt.o: ../../include/msg_stats.h
smtp_rcpt.o: ../../include/mymalloc.h
+smtp_rcpt.o: ../../include/name_code.h
smtp_rcpt.o: ../../include/name_mask.h
smtp_rcpt.o: ../../include/recipient_list.h
smtp_rcpt.o: ../../include/resolve_clnt.h
smtp_reuse.o: ../../include/msg.h
smtp_reuse.o: ../../include/msg_stats.h
smtp_reuse.o: ../../include/mymalloc.h
+smtp_reuse.o: ../../include/name_code.h
smtp_reuse.o: ../../include/name_mask.h
smtp_reuse.o: ../../include/recipient_list.h
smtp_reuse.o: ../../include/resolve_clnt.h
smtp_sasl_glue.o: ../../include/msg.h
smtp_sasl_glue.o: ../../include/msg_stats.h
smtp_sasl_glue.o: ../../include/mymalloc.h
+smtp_sasl_glue.o: ../../include/name_code.h
smtp_sasl_glue.o: ../../include/name_mask.h
smtp_sasl_glue.o: ../../include/recipient_list.h
smtp_sasl_glue.o: ../../include/resolve_clnt.h
smtp_sasl_proto.o: ../../include/msg.h
smtp_sasl_proto.o: ../../include/msg_stats.h
smtp_sasl_proto.o: ../../include/mymalloc.h
+smtp_sasl_proto.o: ../../include/name_code.h
smtp_sasl_proto.o: ../../include/name_mask.h
smtp_sasl_proto.o: ../../include/recipient_list.h
smtp_sasl_proto.o: ../../include/resolve_clnt.h
smtp_state.o: ../../include/msg.h
smtp_state.o: ../../include/msg_stats.h
smtp_state.o: ../../include/mymalloc.h
+smtp_state.o: ../../include/name_code.h
smtp_state.o: ../../include/name_mask.h
smtp_state.o: ../../include/recipient_list.h
smtp_state.o: ../../include/resolve_clnt.h
smtp_trouble.o: ../../include/match_ops.h
smtp_trouble.o: ../../include/msg.h
smtp_trouble.o: ../../include/msg_stats.h
+smtp_trouble.o: ../../include/name_code.h
smtp_trouble.o: ../../include/name_mask.h
smtp_trouble.o: ../../include/recipient_list.h
smtp_trouble.o: ../../include/resolve_clnt.h
smtp_unalias.o: ../../include/msg.h
smtp_unalias.o: ../../include/msg_stats.h
smtp_unalias.o: ../../include/myaddrinfo.h
+smtp_unalias.o: ../../include/name_code.h
smtp_unalias.o: ../../include/name_mask.h
smtp_unalias.o: ../../include/recipient_list.h
smtp_unalias.o: ../../include/resolve_clnt.h
VAR_LMTP_TLS_DKEY_FILE, DEF_LMTP_TLS_DKEY_FILE, &var_smtp_tls_dkey_file, 0, 0,
VAR_LMTP_TLS_CA_FILE, DEF_LMTP_TLS_CA_FILE, &var_smtp_tls_CAfile, 0, 0,
VAR_LMTP_TLS_CA_PATH, DEF_LMTP_TLS_CA_PATH, &var_smtp_tls_CApath, 0, 0,
- VAR_LMTP_TLS_CIPHERS, DEF_LMTP_TLS_CIPHERS, &var_smtp_tls_ciphers, 1, 0,
+ VAR_LMTP_TLS_MAND_CIPH, DEF_LMTP_TLS_MAND_CIPH, &var_smtp_tls_mand_ciph, 1, 0,
VAR_LMTP_TLS_EXCL_CIPH, DEF_LMTP_TLS_EXCL_CIPH, &var_smtp_tls_excl_ciph, 0, 0,
VAR_LMTP_TLS_MAND_EXCL, DEF_LMTP_TLS_MAND_EXCL, &var_smtp_tls_mand_excl, 0, 0,
VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0,
VAR_TLS_EXPORT_CLIST, DEF_TLS_EXPORT_CLIST, &var_tls_export_clist, 1, 0,
VAR_TLS_NULL_CLIST, DEF_TLS_NULL_CLIST, &var_tls_null_clist, 1, 0,
- VAR_LMTP_TLS_PROTO, DEF_LMTP_TLS_PROTO, &var_smtp_tls_protocols, 0, 0,
+ VAR_LMTP_TLS_MAND_PROTO, DEF_LMTP_TLS_MAND_PROTO, &var_smtp_tls_mand_proto, 0, 0,
VAR_LMTP_TLS_VFY_CMATCH, DEF_LMTP_TLS_VFY_CMATCH, &var_smtp_tls_vfy_cmatch, 1, 0,
VAR_LMTP_TLS_SEC_CMATCH, DEF_LMTP_TLS_SEC_CMATCH, &var_smtp_tls_sec_cmatch, 1, 0,
#endif
#endif
VAR_LMTP_SENDER_AUTH, DEF_LMTP_SENDER_AUTH, &var_smtp_sender_auth,
VAR_LMTP_CNAME_OVERR, DEF_LMTP_CNAME_OVERR, &var_smtp_cname_overr,
+ VAR_LMTP_SASL_ENFORCE, DEF_LMTP_SASL_ENFORCE, &var_smtp_sasl_enforce,
0,
};
/* .IP "\fBsmtp_discard_ehlo_keyword_address_maps (empty)\fR"
/* Lookup tables, indexed by the remote SMTP server address, with
/* case insensitive lists of EHLO keywords (pipelining, starttls, auth,
-/* etc.) that the SMTP client will ignore in the EHLO response from a
+/* etc.) that the Postfix SMTP client will ignore in the EHLO response from a
/* remote SMTP server.
/* .IP "\fBsmtp_discard_ehlo_keywords (empty)\fR"
/* A case insensitive list of EHLO keywords (pipelining, starttls,
-/* auth, etc.) that the SMTP client will ignore in the EHLO response
-/* from a remote SMTP server.
+/* auth, etc.) that the Postfix SMTP client will ignore in the EHLO
+/* response from a remote SMTP server.
/* .IP "\fBsmtp_generic_maps (empty)\fR"
/* Optional lookup tables that perform address rewriting in the
/* SMTP client, typically to transform a locally valid address into
/* .fi
/* Available in Postfix version 2.1 and later:
/* .IP "\fBsmtp_send_xforward_command (no)\fR"
-/* Send the non-standard XFORWARD command when the Postfix SMTP server EHLO
-/* response announces XFORWARD support.
+/* Send the non-standard XFORWARD command when the Postfix SMTP server
+/* EHLO response announces XFORWARD support.
/* SASL AUTHENTICATION CONTROLS
/* .ad
/* .fi
/* server's list of offered SASL mechanisms.
/* .PP
/* Available in Postfix version 2.3 and later:
+/* .IP "\fBsmtp_sasl_auth_enforce (yes)\fR"
+/* If sender-dependent SASL passwords are turned off, defer mail
+/* delivery when an SMTP server does not support SASL authentication,
+/* while smtp_sasl_password_maps contains SASL login/password information
+/* for that server.
/* .IP "\fBsmtp_sender_dependent_authentication (no)\fR"
-/* Enable sender-dependent authentication in the SMTP client; this is
+/* Enable sender-dependent authentication in the Postfix SMTP client; this is
/* available only with SASL authentication, and disables SMTP connection
/* caching to ensure that mail from different senders will use the
/* appropriate credentials.
/* Detailed information about STARTTLS configuration may be found
/* in the TLS_README document.
/* .IP "\fBsmtp_tls_security_level (empty)\fR"
-/* The default SMTP TLS security level for all destinations; when
-/* a non-empty value is specified, this overrides the obsolete parameters
-/* smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
+/* The default SMTP TLS security level for the Postfix SMTP client;
+/* when a non-empty value is specified, this overrides the obsolete
+/* parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
/* .IP "\fBsmtp_sasl_tls_security_options ($smtp_sasl_security_options)\fR"
/* The SASL authentication security options that the Postfix SMTP
/* client uses for TLS encrypted SMTP sessions.
/* .IP "\fBsmtp_tls_cert_file (empty)\fR"
/* File with the Postfix SMTP client RSA certificate in PEM format.
/* .IP "\fBsmtp_tls_mandatory_ciphers (medium)\fR"
-/* The minimum SMTP client TLS cipher grade that is strong enough to
-/* be used with the "encrypt" security level and higher.
+/* The minimum TLS cipher grade that the Postfix SMTP client will
+/* use with
+/* mandatory TLS encryption.
/* .IP "\fBsmtp_tls_exclude_ciphers (empty)\fR"
-/* List of ciphers or cipher types to exclude from the SMTP client cipher
-/* list at all security levels.
+/* List of ciphers or cipher types to exclude from the Postfix
+/* SMTP client cipher
+/* list at all TLS security levels.
/* .IP "\fBsmtp_tls_mandatory_exclude_ciphers (empty)\fR"
-/* List of ciphers or cipher types to exclude from the SMTP client
-/* cipher list at the mandatory TLS security levels: "encrypt", "verify"
-/* and "secure".
+/* Additional list of ciphers or cipher types to exclude from the
+/* SMTP client cipher list at mandatory TLS security levels.
/* .IP "\fBsmtp_tls_dcert_file (empty)\fR"
/* File with the Postfix SMTP client DSA certificate in PEM format.
/* .IP "\fBsmtp_tls_dkey_file ($smtp_tls_dcert_file)\fR"
/* .IP "\fBsmtp_tls_note_starttls_offer (no)\fR"
/* Log the hostname of a remote SMTP server that offers STARTTLS,
/* when TLS is not already enabled for that server.
-/* .IP "\fBsmtp_tls_policy_maps (empty)\fR"
-/* Optional lookup tables with the Postfix SMTP client TLS security
-/* policy by next-hop destination; when a non-empty value is specified,
-/* this overrides the obsolete smtp_tls_per_site parameter.
-/* .IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
-/* List of TLS protocol versions that are secure enough to be used
-/* with the "encrypt" security level and higher.
/* .IP "\fBsmtp_tls_scert_verifydepth (5)\fR"
/* The verification depth for remote SMTP server certificates.
/* .IP "\fBsmtp_tls_secure_cert_match (nexthop, dot-nexthop)\fR"
/* Enforcement mode: require that remote SMTP servers use TLS
/* encryption, and never send mail in the clear.
/* .IP "\fBsmtp_tls_enforce_peername (yes)\fR"
-/* When TLS encryption is enforced, require that the remote SMTP
+/* With mandatory TLS encryption, require that the remote SMTP
/* server hostname matches the information in the remote SMTP server
/* certificate.
/* .IP "\fBsmtp_tls_per_site (empty)\fR"
/* Optional lookup tables with the Postfix SMTP client TLS usage
/* policy by next-hop destination and by remote SMTP server hostname.
+/* .IP "\fBsmtp_tls_cipherlist (empty)\fR"
+/* Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
+/* cipher list.
/* RESOURCE AND RATE CONTROLS
/* .ad
/* .fi
/* The recipient of postmaster notifications about mail delivery
/* problems that are caused by policy, resource, software or protocol
/* errors.
+/* .IP "\fBinternal_mail_filter_classes (empty)\fR"
+/* What categories of Postfix-generated mail are subject to
+/* before-queue content inspection by non_smtpd_milters, header_checks
+/* and body_checks.
/* .IP "\fBnotify_classes (resource, software)\fR"
/* The list of error classes that are reported to the postmaster.
/* MISCELLANEOUS CONTROLS
/* The network interface addresses that this mail system receives mail
/* on by way of a proxy or network address translation unit.
/* .IP "\fBsmtp_bind_address (empty)\fR"
-/* An optional numerical network address that the SMTP client should
-/* bind to when making an IPv4 connection.
+/* An optional numerical network address that the Postfix SMTP client
+/* should bind to when making an IPv4 connection.
/* .IP "\fBsmtp_bind_address6 (empty)\fR"
-/* An optional numerical network address that the SMTP client should
-/* bind to when making an IPv6 connection.
+/* An optional numerical network address that the Postfix SMTP client
+/* should bind to when making an IPv6 connection.
/* .IP "\fBsmtp_helo_name ($myhostname)\fR"
/* The hostname to send in the SMTP EHLO or HELO command.
/* .IP "\fBlmtp_lhlo_name ($myhostname)\fR"
/* The hostname to send in the LMTP LHLO command.
/* .IP "\fBsmtp_host_lookup (dns)\fR"
-/* What mechanisms when the SMTP client uses to look up a host's IP
+/* What mechanisms when the Postfix SMTP client uses to look up a host's IP
/* address.
/* .IP "\fBsmtp_randomize_addresses (yes)\fR"
/* Randomize the order of equal-preference MX host addresses.
char *var_smtp_tls_CAfile;
char *var_smtp_tls_CApath;
char *var_smtp_tls_cert_file;
-char *var_smtp_tls_ciphers;
+char *var_smtp_tls_mand_ciph;
char *var_smtp_tls_excl_ciph;
char *var_smtp_tls_mand_excl;
char *var_smtp_tls_dcert_file;
char *var_smtp_tls_key_file;
int var_smtp_tls_loglevel;
bool var_smtp_tls_note_starttls_offer;
-char *var_smtp_tls_protocols;
+char *var_smtp_tls_mand_proto;
char *var_smtp_tls_sec_cmatch;
int var_smtp_tls_scert_vd;
char *var_smtp_tls_vfy_cmatch;
char *var_lmtp_tcp_port;
int var_scache_proto_tmout;
bool var_smtp_cname_overr;
+bool var_smtp_sasl_enforce;
/*
* Global variables.
#endif
-extern NAME_CODE smtp_tls_levels[]; /* smtp_session.c name_code table */
-
/* deliver_message - deliver message with extreme prejudice */
static int deliver_message(const char *service, DELIVER_REQUEST *request)
static void pre_init(char *unused_name, char **unused_argv)
{
+ int use_tls;
/*
* Turn on per-peer debugging.
VAR_SMTP_SASL_ENABLE);
#endif
+ if (*var_smtp_tls_level)
+ use_tls = tls_level_lookup(var_smtp_tls_level) > TLS_LEV_NONE;
+ else
+ use_tls = var_smtp_enforce_tls || var_smtp_use_tls;
+
/*
* Initialize the TLS data before entering the chroot jail
*/
- if (name_code(smtp_tls_levels, NAME_CODE_FLAG_NONE,
- var_smtp_tls_level) > TLS_LEV_NONE ||
- var_smtp_use_tls || var_smtp_enforce_tls ||
- var_smtp_tls_per_site[0] || var_smtp_tls_policy[0]) {
+ if (use_tls || var_smtp_tls_per_site[0] || var_smtp_tls_policy[0]) {
#ifdef USE_TLS
tls_client_init_props props;
#define CACHE_THIS_SESSION_UNTIL(when) \
(session->expire_time = (when))
+ /*
+ * Encapsulate the following so that we don't expose details of of
+ * connection management and error handling to the SMTP protocol engine.
+ */
+#define RETRY_AS_PLAINTEXT do { \
+ session->tls_retry_plain = 1; \
+ state->misc_flags &= ~SMTP_MISC_FLAG_FINAL_SERVER; \
+ } while (0)
+
/*
* smtp_chat.c
*/
notice = post_mail_fopen_nowait(mail_addr_double_bounce(),
var_error_rcpt,
- CLEANUP_FLAG_MASK_INTERNAL,
+ INT_FILT_NOTIFY,
NULL_TRACE_FLAGS, NO_QUEUE_ID);
if (notice == 0) {
msg_warn("postmaster notify: %m");
/*
* When an opportunistic TLS handshake fails, try the
- * same address again, with TLS disabled.
+ * same address again, with TLS disabled. See also the
+ * RETRY_AS_PLAINTEXT macro.
*/
if ((retry_plain = session->tls_retry_plain) != 0) {
--addr_count;
VAR_SMTP_TLS_DKEY_FILE, DEF_SMTP_TLS_DKEY_FILE, &var_smtp_tls_dkey_file, 0, 0,
VAR_SMTP_TLS_CA_FILE, DEF_SMTP_TLS_CA_FILE, &var_smtp_tls_CAfile, 0, 0,
VAR_SMTP_TLS_CA_PATH, DEF_SMTP_TLS_CA_PATH, &var_smtp_tls_CApath, 0, 0,
- VAR_SMTP_TLS_CIPHERS, DEF_SMTP_TLS_CIPHERS, &var_smtp_tls_ciphers, 1, 0,
+ VAR_SMTP_TLS_MAND_CIPH, DEF_SMTP_TLS_MAND_CIPH, &var_smtp_tls_mand_ciph, 1, 0,
VAR_SMTP_TLS_EXCL_CIPH, DEF_SMTP_TLS_EXCL_CIPH, &var_smtp_tls_excl_ciph, 0, 0,
VAR_SMTP_TLS_MAND_EXCL, DEF_SMTP_TLS_MAND_EXCL, &var_smtp_tls_mand_excl, 0, 0,
VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0,
VAR_TLS_EXPORT_CLIST, DEF_TLS_EXPORT_CLIST, &var_tls_export_clist, 1, 0,
VAR_TLS_NULL_CLIST, DEF_TLS_NULL_CLIST, &var_tls_null_clist, 1, 0,
- VAR_SMTP_TLS_PROTO, DEF_SMTP_TLS_PROTO, &var_smtp_tls_protocols, 0, 0,
+ VAR_SMTP_TLS_MAND_PROTO, DEF_SMTP_TLS_MAND_PROTO, &var_smtp_tls_mand_proto, 0, 0,
VAR_SMTP_TLS_VFY_CMATCH, DEF_SMTP_TLS_VFY_CMATCH, &var_smtp_tls_vfy_cmatch, 1, 0,
VAR_SMTP_TLS_SEC_CMATCH, DEF_SMTP_TLS_SEC_CMATCH, &var_smtp_tls_sec_cmatch, 1, 0,
#endif
#endif
VAR_SMTP_SENDER_AUTH, DEF_SMTP_SENDER_AUTH, &var_smtp_sender_auth,
VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr,
+ VAR_SMTP_SASL_ENFORCE, DEF_SMTP_SASL_ENFORCE, &var_smtp_sasl_enforce,
0,
};
#ifdef USE_SASL_AUTH
if (var_smtp_sasl_enable && (session->features & SMTP_FEATURE_AUTH))
return (smtp_sasl_helo_login(state));
+ else if (var_smtp_sasl_enable
+ && *var_smtp_sasl_passwd
+ && !var_smtp_sender_auth
+ && var_smtp_sasl_enforce
+ && smtp_sasl_passwd_lookup(session) != 0)
+ return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
+ SMTP_RESP_FAKE(&fake, "4.7.0"),
+ "SASL login/password exists, but host %s "
+ "does not announce SASL authentication support",
+ session->namaddr));
#endif
return (0);
*
* - Expiration code would need to selectively delete sessions from a list -
* Re-use code would need to decode many sessions and choose the best -
- * Store code would needs to choose between replace and append.
+ * Store code would need to choose between replace and append.
*
* Note: checking the compatibility of re-activated sessions against the
* cipher requirements of the session under construction requires us to
* store the cipher name in the session cache with the passivated session
- * object, the name is not available when the session is revived until
- * the handshake is complete, which is too late.
+ * object. But the name is not available when the session is revived
+ * until the handshake is complete, which is too late.
*
- * XXX: When cached ciphers are reloaded, their cipher is not available via
+ * XXX: When a cached session is reloaded, its cipher is not available via
* documented APIs until the handshake completes. We need to filter out
* sessions that use the wrong ciphers, but may not peek at the
* undocumented session->cipher_id and cipher->id structure members.
*
* Since cipherlists are typically shared by many domains, we include the
* cipherlist in the session cache lookup key. This avoids false
- * positives results from the session cache.
+ * positives from the TLS session cache.
*
* To support mutually incompatible protocol/cipher combinations, our
* session key must include both the protocol and the cipherlist.
&& session->tls_protocols != 0
&& session->tls_protocols != TLS_ALL_PROTOCOLS)
vstring_sprintf_append(serverid, "&p=%s",
- tls_protocol_names(VAR_SMTP_TLS_PROTO,
+ tls_protocol_names(VAR_SMTP_TLS_MAND_PROTO,
session->tls_protocols));
if (session->tls_level >= TLS_LEV_ENCRYPT && session->tls_cipherlist)
vstring_sprintf_append(serverid, "&c=%s", session->tls_cipherlist);
* Specifically, this session is not final, don't defer any
* recipients yet.
*/
- if (session->tls_level == TLS_LEV_MAY) {
- session->tls_retry_plain = 1;
- state->misc_flags &= ~SMTP_MISC_FLAG_FINAL_SERVER;
- }
+ if (session->tls_level == TLS_LEV_MAY)
+ RETRY_AS_PLAINTEXT;
return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
SMTP_RESP_FAKE(&fake, "4.7.5"),
"Cannot start TLS: handshake failure"));
}
state->session = session;
-#ifdef USE_TLS
-
/*
- * Cached sessions are never TLS encrypted, so they must not be reused
- * when TLS encryption is required.
+ * XXX Temporary fix.
+ *
+ * Cached connections are always plaintext. They must never be reused when
+ * TLS encryption is required.
+ *
+ * As long as we support the legacy smtp_tls_per_site feature, we must
+ * search the connection cache before making TLS policy decisions. This
+ * is because the policy can depend on the server name. For example, a
+ * site could have a global policy that requires encryption, with
+ * per-server exceptions that allow plaintext.
+ *
+ * With the newer smtp_tls_policy_maps feature, the policy depends on the
+ * next-hop destination only. We can avoid unnecessary connection cache
+ * lookups, because we can compute the TLS policy much earlier.
*/
+#ifdef USE_TLS
if (session->tls_level >= TLS_LEV_ENCRYPT) {
if (msg_verbose)
msg_info("%s: skipping plain-text cached session to %s",
/* Zero or more of the following:
/* .RS
/* .IP SMTP_MISC_FLAG_CONN_CACHE
-/* Enable session caching.
+/* Enable SMTP or LMTP connection caching.
/* .RE
/* .IP dest_prop
/* Destination specific session properties: the server is the
#include "smtp.h"
#include "smtp_sasl.h"
-NAME_CODE smtp_tls_levels[] = {
- "none", TLS_LEV_NONE,
- "may", TLS_LEV_MAY,
- "encrypt", TLS_LEV_ENCRYPT,
- "verify", TLS_LEV_VERIFY,
- "secure", TLS_LEV_SECURE,
- 0, TLS_LEV_NOTFOUND,
-};
-
#ifdef USE_TLS
static MAPS *tls_policy; /* lookup table(s) */
/* policy_name - printable tls policy level */
-static const char *policy_name(int level)
+static const char *policy_name(int tls_level)
{
- const char *name = str_name_code(smtp_tls_levels, level);
+ const char *name = str_tls_level(tls_level);
if (name == 0)
name = "unknown";
/* tls_policy_lookup_one - look up destination TLS policy */
static int tls_policy_lookup_one(SMTP_SESSION *session,
- int *site_level, int *cipherlev,
+ int *site_level, int *cipher_level,
const char *site_name,
const char *site_class)
{
msg_warn("ignoring empty tls policy for %s", site_name);
FREE_RETURN(1); /* No further lookups */
}
- *site_level = name_code(smtp_tls_levels, NAME_CODE_FLAG_NONE, tok);
+ *site_level = tls_level_lookup(tok);
if (*site_level == TLS_LEV_NOTFOUND) {
msg_warn("%s: unknown security level '%s' ignored",
str_context(cbuf, site_class, site_name), tok);
name, policy_name(*site_level));
continue;
}
- *cipherlev = tls_cipher_level(val);
- if (*cipherlev == TLS_CIPHER_NONE) {
+ *cipher_level = tls_cipher_level(val);
+ if (*cipher_level == TLS_CIPHER_NONE) {
msg_warn("%s: invalid %s value '%s' ignored",
str_context(cbuf, site_class, site_name),
name, val);
/* tls_policy_lookup - look up destination TLS policy */
static void tls_policy_lookup(SMTP_SESSION *session,
- int *site_level, int *cipherlev,
+ int *site_level, int *cipher_level,
const char *site_name,
const char *site_class)
{
* sub-domains of the recipient domain.
*/
if (!valid_hostname(site_name, DONT_GRIPE)) {
- tls_policy_lookup_one(session, site_level, cipherlev,
+ tls_policy_lookup_one(session, site_level, cipher_level,
site_name, site_class);
return;
}
while (1) {
/* Try the given domain */
- if (tls_policy_lookup_one(session, site_level, cipherlev,
+ if (tls_policy_lookup_one(session, site_level, cipher_level,
site_name, site_class))
return;
/* Re-try with parent domain */
/* set_cipherlist - Choose cipherlist per security level and cipher suite */
-static void set_cipherlist(SMTP_SESSION *session, int level, int lmtp)
+static void set_cipherlist(SMTP_SESSION *session, int cipher_level, int lmtp)
{
const char *cipherlist = 0;
const char *exclude = var_smtp_tls_excl_ciph;
return;
case TLS_LEV_MAY:
- level = TLS_CIPHER_EXPORT; /* Interoperate! */
+ cipher_level = TLS_CIPHER_EXPORT; /* Interoperate! */
break;
case TLS_LEV_ENCRYPT:
also_exclude = "eNULL";
- if (level == TLS_CIPHER_NONE)
- level = tls_cipher_level(var_smtp_tls_ciphers);
+ if (cipher_level == TLS_CIPHER_NONE)
+ cipher_level = tls_cipher_level(var_smtp_tls_mand_ciph);
mand_exclude = var_smtp_tls_mand_excl;
break;
case TLS_LEV_VERIFY:
case TLS_LEV_SECURE:
also_exclude = "aNULL";
- if (level == TLS_CIPHER_NONE)
- level = tls_cipher_level(var_smtp_tls_ciphers);
+ if (cipher_level == TLS_CIPHER_NONE)
+ cipher_level = tls_cipher_level(var_smtp_tls_mand_ciph);
mand_exclude = var_smtp_tls_mand_excl;
break;
}
- cipherlist = tls_cipher_list(level, exclude, mand_exclude, also_exclude,
- TLS_END_EXCLUDE);
+ cipherlist = tls_cipher_list(cipher_level, exclude, mand_exclude,
+ also_exclude, TLS_END_EXCLUDE);
if (cipherlist == 0) {
msg_warn("unknown '%s' value '%s' ignored, using 'medium'",
- lmtp ? VAR_LMTP_TLS_CIPHERS : VAR_SMTP_TLS_CIPHERS,
- var_smtp_tls_ciphers);
+ lmtp ? VAR_LMTP_TLS_MAND_CIPH : VAR_SMTP_TLS_MAND_CIPH,
+ var_smtp_tls_mand_ciph);
cipherlist = tls_cipher_list(TLS_CIPHER_MEDIUM, exclude, mand_exclude,
also_exclude, TLS_END_EXCLUDE);
if (cipherlist == 0)
int global_level;
int site_level;
int lmtp = flags & SMTP_MISC_FLAG_USE_LMTP;
- int cipherlev = TLS_CIPHER_NONE;
+ int cipher_level = TLS_CIPHER_NONE;
/*
* Initialize all TLS related session properties.
* per-site policy.
*/
if (*var_smtp_tls_level) {
- global_level = name_code(smtp_tls_levels, NAME_CODE_FLAG_NONE,
- var_smtp_tls_level);
+ global_level = tls_level_lookup(var_smtp_tls_level);
if (global_level == TLS_LEV_NOTFOUND) {
msg_fatal("%s: unknown TLS security level '%s'",
lmtp ? VAR_LMTP_TLS_LEVEL : VAR_SMTP_TLS_LEVEL,
site_level = TLS_LEV_NOTFOUND;
if (tls_policy) {
- tls_policy_lookup(session, &site_level, &cipherlev,
+ tls_policy_lookup(session, &site_level, &cipher_level,
dest, "next-hop destination");
} else if (tls_per_site) {
tls_site_lookup(&site_level, dest, "next-hop destination");
*/
if (session->tls_level >= TLS_LEV_ENCRYPT
&& session->tls_protocols == 0
- && *var_smtp_tls_protocols)
+ && *var_smtp_tls_mand_proto)
session->tls_protocols =
- tls_protocol_mask(VAR_SMTP_TLS_PROTO, var_smtp_tls_protocols);
+ tls_protocol_mask(VAR_SMTP_TLS_MAND_PROTO, var_smtp_tls_mand_proto);
/*
* Convert cipher level (if set in per-destination table, else
* set_cipherlist uses main.cf settings) to an OpenSSL cipherlist. The
* "lmtp" vs. "smtp" identity is used for error reporting.
*/
- set_cipherlist(session, cipherlev, lmtp);
+ set_cipherlist(session, cipher_level, lmtp);
/*
* Use main.cf cert_match setting if not set in per-destination table
smtpd_chat.o: ../../include/msg.h
smtpd_chat.o: ../../include/myaddrinfo.h
smtpd_chat.o: ../../include/mymalloc.h
+smtpd_chat.o: ../../include/name_code.h
smtpd_chat.o: ../../include/name_mask.h
smtpd_chat.o: ../../include/post_mail.h
smtpd_chat.o: ../../include/rec_type.h
smtpd_check.o: ../../include/myaddrinfo.h
smtpd_check.o: ../../include/mymalloc.h
smtpd_check.o: ../../include/namadr_list.h
+smtpd_check.o: ../../include/name_code.h
smtpd_check.o: ../../include/name_mask.h
smtpd_check.o: ../../include/own_inet_addr.h
smtpd_check.o: ../../include/rec_type.h
smtpd_check.o: ../../include/verify_clnt.h
smtpd_check.o: ../../include/vstream.h
smtpd_check.o: ../../include/vstring.h
+smtpd_check.o: ../../include/xtext.h
smtpd_check.o: smtpd.h
smtpd_check.o: smtpd_check.c
smtpd_check.o: smtpd_check.h
smtpd_milter.o: ../../include/mail_stream.h
smtpd_milter.o: ../../include/milter.h
smtpd_milter.o: ../../include/myaddrinfo.h
+smtpd_milter.o: ../../include/name_code.h
smtpd_milter.o: ../../include/name_mask.h
smtpd_milter.o: ../../include/sys_defs.h
smtpd_milter.o: ../../include/tls.h
smtpd_peer.o: ../../include/msg.h
smtpd_peer.o: ../../include/myaddrinfo.h
smtpd_peer.o: ../../include/mymalloc.h
+smtpd_peer.o: ../../include/name_code.h
smtpd_peer.o: ../../include/name_mask.h
smtpd_peer.o: ../../include/sock_addr.h
smtpd_peer.o: ../../include/stringops.h
smtpd_sasl_glue.o: ../../include/msg.h
smtpd_sasl_glue.o: ../../include/myaddrinfo.h
smtpd_sasl_glue.o: ../../include/mymalloc.h
+smtpd_sasl_glue.o: ../../include/name_code.h
smtpd_sasl_glue.o: ../../include/name_mask.h
smtpd_sasl_glue.o: ../../include/stringops.h
smtpd_sasl_glue.o: ../../include/sys_defs.h
smtpd_sasl_proto.o: ../../include/msg.h
smtpd_sasl_proto.o: ../../include/myaddrinfo.h
smtpd_sasl_proto.o: ../../include/mymalloc.h
+smtpd_sasl_proto.o: ../../include/name_code.h
smtpd_sasl_proto.o: ../../include/name_mask.h
smtpd_sasl_proto.o: ../../include/stringops.h
smtpd_sasl_proto.o: ../../include/sys_defs.h
smtpd_state.o: ../../include/msg.h
smtpd_state.o: ../../include/myaddrinfo.h
smtpd_state.o: ../../include/mymalloc.h
+smtpd_state.o: ../../include/name_code.h
smtpd_state.o: ../../include/name_mask.h
smtpd_state.o: ../../include/sys_defs.h
smtpd_state.o: ../../include/tls.h
smtpd_xforward.o: ../../include/msg.h
smtpd_xforward.o: ../../include/myaddrinfo.h
smtpd_xforward.o: ../../include/mymalloc.h
+smtpd_xforward.o: ../../include/name_code.h
smtpd_xforward.o: ../../include/name_mask.h
smtpd_xforward.o: ../../include/sys_defs.h
smtpd_xforward.o: ../../include/tls.h
/* .fi
/* Detailed information about STARTTLS configuration may be
/* found in the TLS_README document.
-/* .IP "\fBsmtpd_use_tls (no)\fR"
-/* Opportunistic mode: announce STARTTLS support to SMTP clients,
-/* but do not require that clients use TLS encryption.
-/* .IP "\fBsmtpd_enforce_tls (no)\fR"
-/* Enforcement mode: announce STARTTLS support to SMTP clients,
-/* and require that clients use TLS encryption.
+/* .IP "\fBsmtpd_tls_security_level (empty)\fR"
+/* The SMTP TLS security level for the Postfix SMTP server; when
+/* a non-empty value is specified, this overrides the obsolete parameters
+/* smtpd_use_tls and smtpd_enforce_tls.
/* .IP "\fBsmtpd_sasl_tls_security_options ($smtpd_sasl_security_options)\fR"
/* The SASL authentication security options that the Postfix SMTP
/* server uses for TLS encrypted SMTP sessions.
/* The verification depth for remote SMTP client certificates.
/* .IP "\fBsmtpd_tls_cert_file (empty)\fR"
/* File with the Postfix SMTP server RSA certificate in PEM format.
-/* .IP "\fBsmtpd_tls_ciphers (export)\fR"
-/* The minimum acceptable SMTP server TLS cipher grade.
/* .IP "\fBsmtpd_tls_exclude_ciphers (empty)\fR"
/* List of ciphers or cipher types to exclude from the SMTP server
-/* cipher list.
+/* cipher list at all TLS security levels.
/* .IP "\fBsmtpd_tls_dcert_file (empty)\fR"
/* File with the Postfix SMTP server DSA certificate in PEM format.
/* .IP "\fBsmtpd_tls_dh1024_param_file (empty)\fR"
/* File with the Postfix SMTP server RSA private key in PEM format.
/* .IP "\fBsmtpd_tls_loglevel (0)\fR"
/* Enable additional Postfix SMTP server logging of TLS activity.
-/* .IP "\fBsmtpd_tls_protocols (empty)\fR"
-/* The list of TLS protocols supported by the server.
+/* .IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR"
+/* The minimum TLS cipher grade that the Postfix SMTP server will
+/* use with mandatory
+/* TLS encryption.
+/* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
+/* Additional list of ciphers or cipher types to exclude from the
+/* SMTP server cipher list at mandatory TLS security levels.
+/* .IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
+/* The TLS protocols accepted by the Postfix SMTP server with
+/* mandatory TLS encryption.
/* .IP "\fBsmtpd_tls_received_header (no)\fR"
/* Request that the Postfix SMTP server produces Received: message
/* headers that include information about the protocol and cipher used,
/* as well as the client CommonName and client certificate issuer
/* CommonName.
/* .IP "\fBsmtpd_tls_req_ccert (no)\fR"
-/* When TLS encryption is enforced, require a remote SMTP client
+/* With mandatory TLS encryption, require a remote SMTP client
/* certificate in order to allow TLS connections to proceed.
/* .IP "\fBsmtpd_tls_session_cache_database (empty)\fR"
/* Name of the file containing the optional Postfix SMTP server
/* .IP "\fBtls_null_cipherlist (!aNULL:eNULL+kRSA)\fR"
/* The OpenSSL cipherlist for "NULL" grade ciphers that provide
/* authentication without encryption.
+/* OBSOLETE STARTTLS CONTROLS
+/* .ad
+/* .fi
+/* The following configuration parameters exist for compatibility
+/* with Postfix versions before 2.3. Support for these will
+/* be removed in a future release.
+/* .IP "\fBsmtpd_use_tls (no)\fR"
+/* Opportunistic TLS: announce STARTTLS support to SMTP clients,
+/* but do not require that clients use TLS encryption.
+/* .IP "\fBsmtpd_enforce_tls (no)\fR"
+/* Mandatory TLS: announce STARTTLS support to SMTP clients,
+/* and require that clients use TLS encryption.
+/* .IP "\fBsmtpd_tls_cipherlist (empty)\fR"
+/* Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS
+/* cipher list.
/* VERP SUPPORT CONTROLS
/* .ad
/* .fi
/* The recipient of postmaster notifications about mail delivery
/* problems that are caused by policy, resource, software or protocol
/* errors.
+/* .IP "\fBinternal_mail_filter_classes (empty)\fR"
+/* What categories of Postfix-generated mail are subject to
+/* before-queue content inspection by non_smtpd_milters, header_checks
+/* and body_checks.
/* .IP "\fBnotify_classes (resource, software)\fR"
/* The list of error classes that are reported to the postmaster.
/* .IP "\fBsoft_bounce (no)\fR"
/* .PP
/* Available in Postfix version 2.3 and later:
/* .IP "\fBsmtpd_peername_lookup (yes)\fR"
-/* Attempt to look up the SMTP client hostname, and verify that
+/* Attempt to look up the Postfix SMTP client hostname, and verify that
/* the name matches the client IP address.
/* .PP
/* The per SMTP client connection count and request rate limits are
char *var_smtpd_ehlo_dis_words;
char *var_smtpd_ehlo_dis_maps;
+char *var_smtpd_tls_level;
bool var_smtpd_use_tls;
bool var_smtpd_enforce_tls;
bool var_smtpd_tls_wrappermode;
bool var_smtpd_tls_auth_only;
int var_smtpd_tls_ccert_vd;
char *var_smtpd_tls_cert_file;
-char *var_smtpd_tls_ciphers;
+char *var_smtpd_tls_mand_ciph;
char *var_smtpd_tls_excl_ciph;
+char *var_smtpd_tls_mand_excl;
char *var_smtpd_tls_dcert_file;
char *var_smtpd_tls_dh1024_param_file;
char *var_smtpd_tls_dh512_param_file;
char *var_smtpd_tls_dkey_file;
char *var_smtpd_tls_key_file;
int var_smtpd_tls_loglevel;
-char *var_smtpd_tls_protocols;
+char *var_smtpd_tls_mand_proto;
bool var_smtpd_tls_received_header;
bool var_smtpd_tls_req_ccert;
int var_smtpd_tls_scache_timeout;
static void pre_jail_init(char *unused_name, char **unused_argv)
{
- int enforce_tls = var_smtpd_tls_wrappermode || var_smtpd_enforce_tls;
- int use_tls = var_smtpd_use_tls || enforce_tls;
+ int enforce_tls;
+ int use_tls;
/*
* Initialize blacklist/etc. patterns before entering the chroot jail, in
VAR_SMTPD_SASL_ENABLE);
#endif
+ /*
+ * XXX Temporary fix to pretend that we consistently implement TLS
+ * security levels. We implement only a subset for now. If we implement
+ * more levels, wrappermode should override only weaker TLS security
+ * levels.
+ */
+ if (!var_smtpd_tls_wrappermode && *var_smtpd_tls_level) {
+ switch (tls_level_lookup(var_smtpd_tls_level)) {
+ default:
+ msg_warn("%s: ignoring unknown TLS level \"%s\"",
+ VAR_SMTPD_TLS_LEVEL, var_smtpd_tls_level);
+ break;
+ case TLS_LEV_SECURE:
+ case TLS_LEV_VERIFY:
+ msg_warn("%s: unsupported TLS level \"%s\", using \"encrypt\"",
+ VAR_SMTPD_TLS_LEVEL, var_smtpd_tls_level);
+ /* FALLTHROUGH */
+ case TLS_LEV_ENCRYPT:
+ var_smtpd_enforce_tls = var_smtpd_use_tls = 1;
+ break;
+ case TLS_LEV_MAY:
+ var_smtpd_enforce_tls = 0;
+ var_smtpd_use_tls = 1;
+ break;
+ case TLS_LEV_NONE:
+ var_smtpd_enforce_tls = var_smtpd_use_tls = 0;
+ break;
+ }
+ }
+ enforce_tls = var_smtpd_tls_wrappermode || var_smtpd_enforce_tls;
+ use_tls = var_smtpd_use_tls || enforce_tls;
+
/*
* Keys can only be loaded when running with suitable permissions. When
- * called from "sendmail -bs" this is not the case, but STARTTLS is not
- * used in this scenario anyhow.
+ * called from "sendmail -bs" this is not the case, so we must not
+ * announce STARTTLS support.
*/
if (getuid() == 0 || getuid() == var_owner_uid) {
if (use_tls) {
props.CApath = var_smtpd_tls_CApath;
props.dh1024_param_file = var_smtpd_tls_dh1024_param_file;
props.dh512_param_file = var_smtpd_tls_dh512_param_file;
- props.protocols = *var_smtpd_tls_protocols ?
- tls_protocol_mask(VAR_SMTPD_TLS_PROTO,
- var_smtpd_tls_protocols) : 0;
+ props.protocols = enforce_tls && *var_smtpd_tls_mand_proto ?
+ tls_protocol_mask(VAR_SMTPD_TLS_MAND_PROTO,
+ var_smtpd_tls_mand_proto) : 0;
props.ask_ccert = var_smtpd_tls_ask_ccert;
/*
msg_warn("Can't require client certs unless TLS is required");
props.cipherlist =
- tls_cipher_list(tls_cipher_level(var_smtpd_tls_ciphers),
+ tls_cipher_list(enforce_tls ?
+ tls_cipher_level(var_smtpd_tls_mand_ciph) :
+ TLS_CIPHER_EXPORT,
var_smtpd_tls_excl_ciph,
havecert ? "" : "aRSA aDSS",
wantcert ? "aNULL" : "",
+ enforce_tls ? var_smtpd_tls_mand_excl :
+ TLS_END_EXCLUDE,
TLS_END_EXCLUDE);
+
if (props.cipherlist == 0) {
msg_warn("unknown '%s' value '%s' ignored, using 'export'",
- VAR_SMTPD_TLS_CIPHERS, var_smtpd_tls_ciphers);
+ VAR_SMTPD_TLS_MAND_CIPH, var_smtpd_tls_mand_ciph);
props.cipherlist =
tls_cipher_list(TLS_CIPHER_EXPORT,
var_smtpd_tls_excl_ciph,
havecert ? "" : "aRSA aDSS",
wantcert ? "aNULL" : "",
+ enforce_tls ? var_smtpd_tls_mand_excl :
+ TLS_END_EXCLUDE,
TLS_END_EXCLUDE);
}
if (havecert || oknocert)
VAR_SMTPD_TLS_DKEY_FILE, DEF_SMTPD_TLS_DKEY_FILE, &var_smtpd_tls_dkey_file, 0, 0,
VAR_SMTPD_TLS_CA_FILE, DEF_SMTPD_TLS_CA_FILE, &var_smtpd_tls_CAfile, 0, 0,
VAR_SMTPD_TLS_CA_PATH, DEF_SMTPD_TLS_CA_PATH, &var_smtpd_tls_CApath, 0, 0,
- VAR_SMTPD_TLS_CIPHERS, DEF_SMTPD_TLS_CIPHERS, &var_smtpd_tls_ciphers, 1, 0,
+ VAR_SMTPD_TLS_MAND_CIPH, DEF_SMTPD_TLS_MAND_CIPH, &var_smtpd_tls_mand_ciph, 1, 0,
VAR_SMTPD_TLS_EXCL_CIPH, DEF_SMTPD_TLS_EXCL_CIPH, &var_smtpd_tls_excl_ciph, 0, 0,
+ VAR_SMTPD_TLS_MAND_EXCL, DEF_SMTPD_TLS_MAND_EXCL, &var_smtpd_tls_mand_excl, 0, 0,
VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0,
VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0,
VAR_TLS_EXPORT_CLIST, DEF_TLS_EXPORT_CLIST, &var_tls_export_clist, 1, 0,
VAR_TLS_NULL_CLIST, DEF_TLS_NULL_CLIST, &var_tls_null_clist, 1, 0,
- VAR_SMTPD_TLS_PROTO, DEF_SMTPD_TLS_PROTO, &var_smtpd_tls_protocols, 0, 0,
+ VAR_SMTPD_TLS_MAND_PROTO, DEF_SMTPD_TLS_MAND_PROTO, &var_smtpd_tls_mand_proto, 0, 0,
VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0,
VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0,
#endif
+ VAR_SMTPD_TLS_LEVEL, DEF_SMTPD_TLS_LEVEL, &var_smtpd_tls_level, 0, 0,
VAR_SMTPD_SASL_TYPE, DEF_SMTPD_SASL_TYPE, &var_smtpd_sasl_type, 1, 0,
VAR_SMTPD_MILTERS, DEF_SMTPD_MILTERS, &var_smtpd_milters, 0, 0,
VAR_MILT_CONN_MACROS, DEF_MILT_CONN_MACROS, &var_milt_conn_macros, 0, 0,
/*
* Postfix TLS library.
*/
-#ifdef USE_TLS
#include <tls.h>
-#endif
/*
* Milter library.
notice = post_mail_fopen_nowait(mail_addr_double_bounce(),
var_error_rcpt,
- CLEANUP_FLAG_MASK_INTERNAL,
+ INT_FILT_NOTIFY,
NULL_TRACE_FLAGS, NO_QUEUE_ID);
if (notice == 0) {
msg_warn("postmaster notify: %m");
#include <valid_mailhost_addr.h>
#include <dsn_util.h>
#include <conv_time.h>
+#include <xtext.h>
/* Application-specific. */
static VSTRING *action = 0;
ATTR_CLNT *policy_clnt;
+#ifdef USE_TLS
+ VSTRING *subject_buf;
+ VSTRING *issuer_buf;
+ const char *subject;
+ const char *issuer;
+
+#endif
+ int ret;
+
/*
* Sanity check.
*/
if (action == 0)
action = vstring_alloc(10);
+#ifdef USE_TLS
+#define ENCODE_CN(coded_CN, coded_CN_buf, CN) do { \
+ if (state->tls_context == 0 \
+ || state->tls_context->peer_verified == 0 || (CN) == 0) { \
+ coded_CN_buf = 0; \
+ coded_CN = ""; \
+ } else { \
+ coded_CN_buf = vstring_alloc(strlen(CN)); \
+ xtext_quote(coded_CN_buf, CN, ""); \
+ coded_CN = STR(coded_CN_buf); \
+ } \
+ } while (0);
+
+ ENCODE_CN(subject, subject_buf, state->tls_context->peer_CN);
+ ENCODE_CN(issuer, issuer_buf, state->tls_context->issuer_CN);
+#endif
+
if (attr_clnt_request(policy_clnt,
ATTR_FLAG_NONE, /* Query attributes. */
ATTR_TYPE_STR, MAIL_ATTR_REQ, "smtpd_access_policy",
#define IF_VERIFIED(x) \
((state->tls_context && \
state->tls_context->peer_verified && ((x) != 0)) ? (x) : "")
- ATTR_TYPE_STR, MAIL_ATTR_CCERT_SUBJECT,
- IF_VERIFIED(state->tls_context->peer_CN),
- ATTR_TYPE_STR, MAIL_ATTR_CCERT_ISSSUER,
- IF_VERIFIED(state->tls_context->issuer_CN),
+ ATTR_TYPE_STR, MAIL_ATTR_CCERT_SUBJECT, subject,
+ ATTR_TYPE_STR, MAIL_ATTR_CCERT_ISSUER, issuer,
ATTR_TYPE_STR, MAIL_ATTR_CCERT_FINGERPRINT,
IF_VERIFIED(state->tls_context->peer_fingerprint),
#define IF_ENCRYPTED(x, y) ((state->tls_context && ((x) != 0)) ? (x) : (y))
ATTR_FLAG_MISSING, /* Reply attributes. */
ATTR_TYPE_STR, MAIL_ATTR_ACTION, action,
ATTR_TYPE_END) != 1) {
- return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
- 451, "4.3.5",
- "Server configuration problem"));
+ ret = smtpd_check_reject(state, MAIL_ERROR_POLICY,
+ 451, "4.3.5",
+ "Server configuration problem");
} else {
/*
* XXX This produces bogus error messages when the reply is
* malformed.
*/
- return (check_table_result(state, server, STR(action),
- "policy query", reply_name,
- reply_class, def_acl));
+ ret = check_table_result(state, server, STR(action),
+ "policy query", reply_name,
+ reply_class, def_acl);
}
+#ifdef USE_TLS
+ if (subject_buf)
+ vstring_free(subject_buf);
+ if (issuer_buf)
+ vstring_free(issuer_buf);
+#endif
+ return (ret);
}
/* is_map_command - restriction has form: check_xxx_access type:name */
450, "4.7.0",
"<%s>: %s rejected: defer_if_reject requested",
reply_name, reply_class);
-#ifdef SNAPSHOT
} else if (strcasecmp(name, SLEEP) == 0) {
if (cpp[1] == 0 || alldig(cpp[1]) == 0) {
msg_warn("restriction %s must be followed by number", SLEEP);
"Server configuration error"));
} else
sleep(atoi(*++cpp));
-#endif
} else if (strcasecmp(name, REJECT_PLAINTEXT_SESSION) == 0) {
status = reject_plaintext_session(state);
}
/*
* Look up the peer address information.
+ *
+ * XXX If we make local endpoint (getsockname) information available to
+ * Milter applications as {if_name} and {if_addr}, then we also must be
+ * able to provide this via the XCLIENT command for Milter testing.
+ *
+ * XXX If support were to be added for Milter applications in down-stream
+ * MTAs, then consistency demands that we propagate a lot of Sendmail
+ * macro information via the XFORWARD command. Otherwise we could end up
+ * with a very confusing situation.
*/
if (getpeername(vstream_fileno(state->client), sa, &sa_length) >= 0) {
errno = 0;
SRCS = tls_prng_dev.c tls_prng_egd.c tls_prng_file.c \
tls_prng_exch.c tls_stream.c tls_bio_ops.c tls_misc.c tls_dh.c \
tls_rsa.c tls_verify.c tls_certkey.c tls_session.c \
- tls_client.c tls_server.c tls_scache.c tls_mgr.c tls_seed.c
+ tls_client.c tls_server.c tls_scache.c tls_mgr.c tls_seed.c \
+ tls_level.c
OBJS = tls_prng_dev.o tls_prng_egd.o tls_prng_file.o \
tls_prng_exch.o tls_stream.o tls_bio_ops.o tls_misc.o tls_dh.o \
tls_rsa.o tls_verify.o tls_certkey.o tls_session.o \
- tls_client.o tls_server.o tls_scache.o tls_mgr.o tls_seed.o
+ tls_client.o tls_server.o tls_scache.o tls_mgr.o tls_seed.o \
+ tls_level.o
HDRS = tls.h tls_prng.h tls_scache.h tls_mgr.h
TESTSRC =
DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE)
# do not edit below this line - it is generated by 'make depend'
tls_bio_ops.o: ../../include/iostuff.h
tls_bio_ops.o: ../../include/msg.h
+tls_bio_ops.o: ../../include/name_code.h
tls_bio_ops.o: ../../include/name_mask.h
tls_bio_ops.o: ../../include/sys_defs.h
tls_bio_ops.o: ../../include/vbuf.h
tls_bio_ops.o: tls.h
tls_bio_ops.o: tls_bio_ops.c
tls_certkey.o: ../../include/msg.h
+tls_certkey.o: ../../include/name_code.h
tls_certkey.o: ../../include/name_mask.h
tls_certkey.o: ../../include/sys_defs.h
tls_certkey.o: ../../include/vbuf.h
tls_client.o: ../../include/mail_params.h
tls_client.o: ../../include/msg.h
tls_client.o: ../../include/mymalloc.h
+tls_client.o: ../../include/name_code.h
tls_client.o: ../../include/name_mask.h
tls_client.o: ../../include/stringops.h
tls_client.o: ../../include/sys_defs.h
tls_client.o: tls_client.c
tls_client.o: tls_mgr.h
tls_dh.o: ../../include/msg.h
+tls_dh.o: ../../include/name_code.h
tls_dh.o: ../../include/name_mask.h
tls_dh.o: ../../include/sys_defs.h
tls_dh.o: ../../include/vbuf.h
tls_dh.o: ../../include/vstring.h
tls_dh.o: tls.h
tls_dh.o: tls_dh.c
+tls_level.o: ../../include/name_code.h
+tls_level.o: ../../include/name_mask.h
+tls_level.o: ../../include/sys_defs.h
+tls_level.o: ../../include/vbuf.h
+tls_level.o: ../../include/vstream.h
+tls_level.o: ../../include/vstring.h
+tls_level.o: tls.h
+tls_level.o: tls_level.c
tls_mgr.o: ../../include/attr.h
tls_mgr.o: ../../include/attr_clnt.h
tls_mgr.o: ../../include/iostuff.h
tls_mgr.o: tls_mgr.h
tls_misc.o: ../../include/msg.h
tls_misc.o: ../../include/mymalloc.h
+tls_misc.o: ../../include/name_code.h
tls_misc.o: ../../include/name_mask.h
tls_misc.o: ../../include/stringops.h
tls_misc.o: ../../include/sys_defs.h
tls_prng_file.o: ../../include/sys_defs.h
tls_prng_file.o: tls_prng.h
tls_prng_file.o: tls_prng_file.c
+tls_rsa.o: ../../include/name_code.h
tls_rsa.o: ../../include/name_mask.h
tls_rsa.o: ../../include/sys_defs.h
tls_rsa.o: ../../include/vbuf.h
tls_scache.o: tls_scache.c
tls_scache.o: tls_scache.h
tls_seed.o: ../../include/msg.h
+tls_seed.o: ../../include/name_code.h
tls_seed.o: ../../include/name_mask.h
tls_seed.o: ../../include/sys_defs.h
tls_seed.o: ../../include/vbuf.h
tls_server.o: ../../include/mail_params.h
tls_server.o: ../../include/msg.h
tls_server.o: ../../include/mymalloc.h
+tls_server.o: ../../include/name_code.h
tls_server.o: ../../include/name_mask.h
tls_server.o: ../../include/stringops.h
tls_server.o: ../../include/sys_defs.h
tls_server.o: tls_server.c
tls_session.o: ../../include/msg.h
tls_session.o: ../../include/mymalloc.h
+tls_session.o: ../../include/name_code.h
tls_session.o: ../../include/name_mask.h
tls_session.o: ../../include/sys_defs.h
tls_session.o: ../../include/vbuf.h
tls_session.o: tls_session.c
tls_stream.o: ../../include/iostuff.h
tls_stream.o: ../../include/msg.h
+tls_stream.o: ../../include/name_code.h
tls_stream.o: ../../include/name_mask.h
tls_stream.o: ../../include/sys_defs.h
tls_stream.o: ../../include/vbuf.h
tls_stream.o: tls_stream.c
tls_verify.o: ../../include/msg.h
tls_verify.o: ../../include/mymalloc.h
+tls_verify.o: ../../include/name_code.h
tls_verify.o: ../../include/name_mask.h
tls_verify.o: ../../include/sys_defs.h
tls_verify.o: ../../include/vbuf.h
/* DESCRIPTION
/* .nf
+ /*
+ * Utility library.
+ */
+#include <name_code.h>
+
/*
* TLS enforcement levels. Non-sentinel values also be used to indicate
* the actual security level of a session.
#define TLS_LEV_VERIFY 3 /* certificate verified */
#define TLS_LEV_SECURE 4 /* "secure" verification */
+extern NAME_CODE tls_level_table[];
+
+#define tls_level_lookup(s) name_code(tls_level_table, NAME_CODE_FLAG_NONE, (s))
+#define str_tls_level(l) str_name_code(tls_level_table, (l))
+
#ifdef USE_TLS
/*
name_code(tls_cipher_level_table, NAME_CODE_FLAG_NONE, (str))
#define TLS_END_EXCLUDE ((char *)0)
-extern char *tls_cipher_list(int,...);
+extern const char *tls_cipher_list(int,...);
/*
* tls_client.c
/* SYNOPSIS
/* #include <tls.h>
/*
-/* SSL_CTX *tls_client_init(props)
-/* const tls_client_init_props *props;
+/* SSL_CTX *tls_client_init(init_props)
+/* const tls_client_init_props *init_props;
/*
-/* TLScontext_t *tls_client_start(props)
-/* const tls_client_start_props *props;
+/* TLScontext_t *tls_client_start(start_props)
+/* const tls_client_start_props *start_props;
/*
/* void tls_client_stop(client_ctx, stream, failure, TLScontext)
/* SSL_CTX *client_ctx;
static SSL_SESSION *load_clnt_session(TLScontext_t *TLScontext)
{
+ const char *myname = "load_clnt_session";
SSL_SESSION *session = 0;
VSTRING *session_data = vstring_alloc(2048);
* server SSL context.
*/
if (TLScontext->cache_type == 0)
- msg_panic("null client session cache type in session lookup");
+ msg_panic("%s: null client session cache type in session lookup",
+ myname);
/*
* Look up and activate the SSL_SESSION object. Errors are non-fatal,
static int new_client_session_cb(SSL *ssl, SSL_SESSION *session)
{
+ const char *myname = "new_client_session_cb";
TLScontext_t *TLScontext;
VSTRING *session_data;
* null at this point.
*/
if ((TLScontext = SSL_get_ex_data(ssl, TLScontext_index)) == 0)
- msg_panic("null TLScontext in new session callback");
+ msg_panic("%s: null TLScontext in new session callback", myname);
/*
* We only get here if the cache_type is not empty. This callback is not
* server SSL context.
*/
if (TLScontext->cache_type == 0)
- msg_panic("null session cache type in new session callback");
+ msg_panic("%s: null session cache type in new session callback",
+ myname);
if (TLScontext->log_level >= 2)
msg_info("save session %s to %s cache",
int idlen;
int patlen;
+ /*
+ * Match the peerid against each pattern until we find a match.
+ */
for (i = 0; i < cmatch_argv->argc; ++i) {
sub = 0;
if (!strcasecmp(cmatch_argv->argv[i], "nexthop"))
}
/*
- * Sub-domain match, peerid is any sub-domain of pattern.
+ * Sub-domain match: peerid is any sub-domain of pattern.
*/
- if (sub)
+ if (sub) {
if ((idlen = strlen(peerid)) > (patlen = strlen(pattern)) + 1
&& peerid[idlen - patlen - 1] == '.'
&& !strcasecmp(peerid + (idlen - patlen), pattern))
return (1);
else
continue;
+ }
/*
- * NOT sub-domain match, but "*.domain.tld" in peerid matches any
- * host.domain.tld in the pattern.
+ * Exact match and initial "*" match. The initial "*" in a peerid
+ * matches exactly one hostname component, under the condition that
+ * the peerid contains multiple hostname components.
*/
if (!strcasecmp(peerid, pattern)
|| (peerid[0] == '*' && peerid[1] == '.' && peerid[2] != 0
/* verify_extract_peer - verify peer name and extract peer information */
static void verify_extract_peer(const char *nexthop, const char *hname,
- char *certmatch, X509 *peercert,
+ const char *certmatch, X509 *peercert,
TLScontext_t *TLScontext)
{
int i;
*/
if (!BIO_new_bio_pair(&TLScontext->internal_bio, TLS_BIO_BUFSIZE,
&TLScontext->network_bio, TLS_BIO_BUFSIZE)) {
- msg_info("Could not obtain BIO_pair");
+ msg_warn("Could not obtain BIO_pair");
tls_print_errors();
tls_free_context(TLScontext);
return (0);
--- /dev/null
+/*++
+/* NAME
+/* tls_level 3
+/* SUMMARY
+/* TLS security level conversion
+/* SYNOPSIS
+/* #include <tls.h>
+/*
+/* int tls_level_lookup(name)
+/* const char *name;
+/*
+/* const char *str_tls_level(level)
+/* int level;
+/* DESCRIPTION
+/* The macros in this module convert TLS levels from symbolic
+/* name to internal form and vice versa. The macros are safe
+/* because they evaluate their arguments only once.
+/*
+/* tls_level_lookup() converts a TLS level from symbolic name
+/* to internal form. The result is TLS_NOTFOUND for an unknown
+/* level.
+/*
+/* str_tls_level() converts a TLS level from internal form to
+/* symbolic name. The result is a null pointer for an unknown
+/* level.
+/* SEE ALSO
+/* name_code(3) name to number mapping
+/* LICENSE
+/* .ad
+/* .fi
+/* The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/* Wietse Venema
+/* IBM T.J. Watson Research
+/* P.O. Box 704
+/* Yorktown Heights, NY 10598, USA
+/*--*/
+
+/* System library. */
+
+#include <sys_defs.h>
+
+/* Utility library. */
+
+#include <name_code.h>
+
+/* TLS library. */
+
+#include <tls.h>
+
+/* Application-specific. */
+
+NAME_CODE tls_level_table[] = {
+ "none", TLS_LEV_NONE,
+ "may", TLS_LEV_MAY,
+ "encrypt", TLS_LEV_ENCRYPT,
+ "verify", TLS_LEV_VERIFY,
+ "secure", TLS_LEV_SECURE,
+ 0, TLS_LEV_NOTFOUND,
+};
while (vstring_fgets_nonl(inbuf, VSTREAM_IN)) {
argv = argv_split(STR(inbuf), " \t\r\n");
- if (argv->argc == 0)
+ if (argv->argc == 0) {
+ argv_free(argv);
continue;
+ }
#define COMMAND(argv, str, len) \
(strcasecmp(argv->argv[0], str) == 0 && argv->argc == len)
if (COMMAND(argv, "policy", 2)) {
int cachable;
- status = tls_mgr_policy(argv[2], &cachable);
+ status = tls_mgr_policy(argv->argv[1], &cachable);
vstream_printf("status=%d cachable=%d\n", status, cachable);
} else if (COMMAND(argv, "seed", 2)) {
VSTRING *buf = vstring_alloc(10);
} else if (COMMAND(argv, "lookup", 3)) {
VSTRING *buf = vstring_alloc(10);
- status = tls_mgr_lookup(argv[1], argv->argv[2], buf);
+ status = tls_mgr_lookup(argv->argv[1], argv->argv[2], buf);
vstream_printf("status=%d session=%.*s\n",
status, LEN(buf), STR(buf));
+ vstring_free(buf);
} else if (COMMAND(argv, "update", 4)) {
- status = tls_mgr_update(argv[1], argv->argv[2],
+ status = tls_mgr_update(argv->argv[1], argv->argv[2],
argv->argv[3], strlen(argv->argv[3]));
vstream_printf("status=%d\n", status);
} else if (COMMAND(argv, "delete", 3)) {
- status = tls_mgr_delete(argv[1], argv->argv[2]);
+ status = tls_mgr_delete(argv->argv[1], argv->argv[2]);
vstream_printf("status=%d\n", status);
} else {
vstream_printf("usage:\n"
"delete smtpd|smtp|lmtp cache_id\n");
}
vstream_fflush(VSTREAM_OUT);
- }
- if (argv)
argv_free(argv);
+ }
vstring_free(inbuf);
return (0);
/*
/* long tls_bug_bits()
/*
+/* const char *tls_cipher_list(cipher_level, ...)
+/* int cipher_level;
+/*
/* void tls_print_errors()
/*
/* void tls_info_callback(ssl, where, ret)
/* for the run-time library. Some of the bug work-arounds are
/* not appropriate for some library versions.
/*
+/* tls_cipher_list() generates a cipher list from the specified
+/* grade, minus any ciphers specified via a null-terminated
+/* list of string-valued exclusions. The result is overwritten
+/* upon each call.
+/*
/* tls_print_errors() queries the OpenSSL error stack,
/* logs the error messages, and clears the error stack.
/*
/* tls_cipher_list - Cipherlist for given grade, less exclusions */
-char *tls_cipher_list(int level,...)
+const char *tls_cipher_list(int cipher_level,...)
{
const char *myname = "tls_cipher_list";
static VSTRING *buf;
buf = buf ? buf : vstring_alloc(10);
VSTRING_RESET(buf);
- switch (level) {
+ switch (cipher_level) {
case TLS_CIPHER_HIGH:
vstring_strcpy(buf, var_tls_high_clist);
break;
case TLS_CIPHER_NONE:
return 0;
default:
- msg_panic("%s: invalid cipher level: %d", myname, level);
+ msg_panic("%s: invalid cipher grade: %d", myname, cipher_level);
}
if (VSTRING_LEN(buf) == 0)
msg_panic("%s: empty cipherlist", myname);
- va_start(ap, level);
+ va_start(ap, cipher_level);
while ((exclude = va_arg(ap, char *)) != 0) {
if (*exclude == '\0')
continue;
int session_id_length,
int *unused_copy)
{
+ const char *myname = "get_server_session_cb";
TLScontext_t *TLScontext;
VSTRING *cache_id;
VSTRING *session_data = vstring_alloc(2048);
SSL_SESSION *session = 0;
if ((TLScontext = SSL_get_ex_data(ssl, TLScontext_index)) == 0)
- msg_panic("null TLScontext in session lookup callback");
+ msg_panic("%s: null TLScontext in session lookup callback", myname);
#define HEX_CACHE_ID(id, len) \
hex_encode(vstring_alloc(2 * (len) + 1), (char *) (id), (len))
static int new_server_session_cb(SSL *ssl, SSL_SESSION *session)
{
+ const char *myname = "new_server_session_cb";
VSTRING *cache_id;
TLScontext_t *TLScontext;
VSTRING *session_data;
if ((TLScontext = SSL_get_ex_data(ssl, TLScontext_index)) == 0)
- msg_panic("null TLScontext in new session callback");
+ msg_panic("%s: null TLScontext in new session callback", myname);
cache_id = HEX_CACHE_ID(session->session_id, session->session_id_length);
SSL_CTX_sess_set_new_cb(server_ctx, new_server_session_cb);
/*
- * OpenSSL ignores timed-out sessions, we need to set the internal
- * cache timeut at least as high as the external cache timeout. This
+ * OpenSSL ignores timed-out sessions. We need to set the internal
+ * cache timeout at least as high as the external cache timeout. This
* applies even if no internal cache is used.
*/
SSL_CTX_set_timeout(server_ctx, props->scache_timeout);
} else {
/*
- * If we have no external cache, disable all caching, no use wasting
- * client memory resources with sessions they are unlikely to be able
+ * If we have no external cache, disable all caching. No use wasting
+ * server memory resources with sessions they are unlikely to be able
* to reuse.
*/
SSL_CTX_set_session_cache_mode(server_ctx, SSL_SESS_CACHE_OFF);
TLScontext->cache_type = SSL_CTX_get_ex_data(server_ctx, TLSscache_index);
if ((TLScontext->con = (SSL *) SSL_new(server_ctx)) == NULL) {
- msg_info("Could not allocate 'TLScontext->con' with SSL_new()");
+ msg_warn("Could not allocate 'TLScontext->con' with SSL_new()");
tls_print_errors();
tls_free_context(TLScontext);
return (0);
}
if (!SSL_set_ex_data(TLScontext->con, TLScontext_index, TLScontext)) {
- msg_info("Could not set application data for 'TLScontext->con'");
+ msg_warn("Could not set application data for 'TLScontext->con'");
tls_print_errors();
tls_free_context(TLScontext);
return (0);
*/
if (!BIO_new_bio_pair(&TLScontext->internal_bio, TLS_BIO_BUFSIZE,
&TLScontext->network_bio, TLS_BIO_BUFSIZE)) {
- msg_info("Could not obtain BIO_pair");
+ msg_warn("Could not obtain BIO_pair");
tls_print_errors();
tls_free_context(TLScontext);
return (0);
tlsmgr.o: ../../include/master_proto.h
tlsmgr.o: ../../include/msg.h
tlsmgr.o: ../../include/mymalloc.h
+tlsmgr.o: ../../include/name_code.h
tlsmgr.o: ../../include/name_mask.h
tlsmgr.o: ../../include/stringops.h
tlsmgr.o: ../../include/sys_defs.h
/*
* If nothing else works then at least this will get us a few bits of
* entropy.
+ *
+ * XXX This is our first call into the OpenSSL library. We should find out
+ * if this can be moved to the post-jail initialization phase, without
+ * breaking compatibility with existing installations.
*/
GETTIMEOFDAY(&tv);
tv.tv_sec ^= getpid();
RAND_seed(&tv, sizeof(struct timeval));
-
/*
* Open the external entropy source. We will not be able to open it again
* after we are sent to chroot jail, so we keep it open. Errors are not
#endif
-#ifdef SNAPSHOT
-
static void check_table_stats(int unused_event, char *unused_context)
{
const char *table;
event_request_timer(check_table_stats, (char *) 0, 10);
}
-#endif
-
/* pre_jail_init - initialize before entering chroot jail */
static void pre_jail_init(char *unused_name, char **unused_argv)
transport_post_init(resolve_regular.transport_info);
if (resolve_verify.transport_info)
transport_post_init(resolve_verify.transport_info);
-#ifdef SNAPSHOT
check_table_stats(0, (char *) 0);
-#endif
/*
* This process is called by clients that already enforce the max_idle
#if (defined(__NetBSD_Version__) && __NetBSD_Version__ >= 104250000)
#define ALIAS_DB_MAP "hash:/etc/mail/aliases" /* sendmail 8.10 */
#endif
+#if (defined(OpenBSD) && OpenBSD >= 200006)
+#define ALIAS_DB_MAP "hash:/etc/mail/aliases" /* OpenBSD 2.7 */
+#endif
#ifndef ALIAS_DB_MAP
#define ALIAS_DB_MAP "hash:/etc/aliases"
#endif
STR(addr), addr_status, now, updated);
post_mail_fopen_async(strcmp(var_verify_sender, "<>") == 0 ?
"" : var_verify_sender, STR(addr),
- CLEANUP_FLAG_MASK_INTERNAL,
+ INT_FILT_NONE,
DEL_REQ_FLAG_MTA_VRFY,
(VSTRING *) 0,
verify_post_mail_action,
projects / thirdparty / postfix.git / commitdiff
