Documentation: replace the obsolete pickup service type
fifo with unix, and fix typos. Dilyan Palauzov. Files:
- HISTORY< proto/BUILTIN_FILTER_README.html,
+ HISTORY, proto/BUILTIN_FILTER_README.html,
proto/STANDARD_CONFIGURATION_README.html
20240418
successful and failed SMTP over TLS connections to that domain's MX hosts.
Support for TLSRPT was added in Postfix 3.10.
-A policy example looks like this:
+A policy for domain example.com could look like this:
_smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:smtp-tls-
report@example.com"
-Translation: email sending systems are requested to generate daily summaries of
-successful and failed SMTP over TLS connections to domain example.com, and to
-report those summaries via email to the specified address. Instead of mailto:,
-a policy may specify an https: destination.
+Instead of mailto:, a policy may specify an https: destination.
The diagram below shows how Postfix TLS handshake success and failure events
are collected and processed into daily summary reports.
github.com/sys4/libtlsrpt and https://github.com/sys4/tlsrpt-reporter,
respectively.
-The Postfix implementation supports domains with DANE (Postfix built-in) and
-MTA-STS (through an smtp_tls_policy_maps plug-in).
+The Postfix implementation supports TLSRPT or domains with DANE (Postfix built-
+in) and MTA-STS (through an smtp_tls_policy_maps plug-in).
The Postfix smtp(8) client process implements the SMTP client engine. With
"smtp_tls_connection_reuse = no", the smtp(8) client process also implements
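Review bot: the new wording "supports TLSRPT or domains with DANE (Postfix built-in) and MTA-STS" looks like a typo for "supports TLSRPT for domains with DANE ... and MTA-STS". The removed text said "supports domains with DANE", so the sentence is meant to say which domains get TLSRPT reporting, not to offer TLSRPT as an alternative to them. The same sentence is changed in the two HTML copies of this README further down in the patch, so correct all three together.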
Postfix supports MTA-STS though an smtp_tls_policy_maps policy plugin, which
replies with a TLS security level and name=value attributes with certificate
-matching requirements. Postfix 3.10 and later accept additional name=value
-attributes that are needed for TLSRPT.
+matching requirements. Postfix 3.10 and later extend the policy plugin response
+with additional name=value attributes that are needed for TLSRPT.
Examples of smtp_tls_policy_maps plugins with MTA-STS support are:
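Review bot: the unchanged first line of this paragraph reads "Postfix supports MTA-STS though an smtp_tls_policy_maps policy plugin"; "though" should be "through". Since the rest of the paragraph is being rewritten here anyway, fold that fix into this hunk, and into the two HTML copies of the paragraph later in the patch, which carry the same typo.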
needs for TLSRPT support (as of February 2025). This is enabled by setting a
tlsrpt boolean in a plugin configuration file. This setting is safe with
Postfix 3.10 and later, even if Postfix TLSRPT support is disabled (at build
-time or at run time).
+time or at run time). Postfix versions 3.9 and earlier will report a policy
+error with "invalid attribute name".
The examples in the text below apply to this MTA-STS policy example given in
RFC 8461 Section 3.2:
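Review bot: the added sentence says Postfix 3.9 and earlier "will report a policy error with 'invalid attribute name'" but not what that error does to the delivery. If an unknown attribute name makes the policy lookup result invalid, mail to that destination is deferred rather than delivered without TLSRPT; state the delivery outcome explicitly, because an operator who enables the plugin's tlsrpt boolean for a plugin configuration shared by 3.9 and 3.10 hosts needs to know whether the older hosts stop delivering, not only that they log a warning.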
Specify sts or no-policy-found.
+ Example: policy_type=sts
+
* policy_domain=name
The domain that the MTA-STS policy applies to.
Example: policy_failure=sts-webpki-invalid
- * policy_ttl=time
+ * policy_ttl=time (deprecated)
This attribute is deprecated. The time value is not used, and support for
this attribute will eventually be removed from the code.
Notes:
* Postfix 3.10 and later will accept these additional attributes in an MTA-
- STS response even if TLSRPT support is disabled (at build time or at run
- time). With TLSRPT support turned off, Postfix may still use the
- policy_failure attribute, and will ignore the attributes that are used only
- for TLSRPT.
+ STS response even if Postfix TLSRPT support is disabled (at build time or
+ at run time). With Postfix TLSRPT support turned off, Postfix may still use
+ the policy_failure attribute, and will ignore the attributes that are used
+ only for TLSRPT.
* It is an error to specify these attributes for a non-STS policy.
to that domain's MX hosts. Support for TLSRPT was added in Postfix
3.10. </p>
-<p> A policy example looks like this: </p>
+<p> A policy for domain <tt>example.com</tt> could look like this: </p>
<blockquote>
<pre>
</pre>
</blockquote>
-<p> Translation: email sending systems are requested to generate daily
-summaries of successful and failed SMTP over TLS connections to domain
-<tt>example.com</tt>, and to report those summaries via email to the
-specified address. Instead of <tt>mailto:</tt>, a policy may specify an
-<tt>https:</tt> destination. </p>
+<p> Instead of <tt>mailto:</tt>, a policy may specify an <tt>https:</tt>
+destination. </p>
<p> The diagram below shows how Postfix TLS handshake success and
failure events are collected and processed into daily summary
by sys4 at <a href="https://github.com/sys4/libtlsrpt">https://github.com/sys4/libtlsrpt</a> and
<a href="https://github.com/sys4/tlsrpt-reporter">https://github.com/sys4/tlsrpt-reporter</a>, respectively. </p>
-<p> The Postfix implementation supports domains with DANE (Postfix
-built-in) and MTA-STS (through an <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> plug-in).
-</p>
+<p> The Postfix implementation supports TLSRPT or domains with DANE
+(Postfix built-in) and MTA-STS (through an <a href="#mta-sts">
+smtp_tls_policy_maps plug-in</a>). </p>
<p> The Postfix <a href="smtp.8.html">smtp(8)</a> client process implements the SMTP client
engine. With "<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> = no", the <a href="smtp.8.html">smtp(8)</a> client
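Review bot: the plug-in link now points at the in-page anchor #mta-sts instead of postconf.5.html#smtp_tls_policy_maps, but no element with that id or name appears in this patch; confirm that the MTA-STS section heading of this page carries it (the second HTML copy of this paragraph below uses the same href), otherwise the link silently lands at the top of the page. The "supports TLSRPT or domains" wording here has the same "or" for "for" slip as the text copy.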
<p> Postfix supports MTA-STS though an <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> policy
plugin, which replies with a TLS security level and name=value
attributes with certificate matching requirements. Postfix 3.10 and
-later accept additional name=value attributes that are needed for
-TLSRPT. </p>
+later extend the policy plugin response with additional name=value
+attributes that are needed for TLSRPT. </p>
<p> Examples of <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> plugins with MTA-STS support
are: </p>
is enabled by setting a <tt>tlsrpt</tt> boolean in a plugin
configuration file. This setting is safe with Postfix 3.10 and
later, even if Postfix TLSRPT support is disabled (at build time
-or at run time). </p>
+or at run time). Postfix versions 3.9 and earlier will report a
+policy error with "<tt>invalid attribute name</tt>". </p>
<p> The examples in the text below apply to this MTA-STS policy example
given in <a
<li> <p> <tt> policy_type=<i>type</i> </tt> </p>
-<p> Specify <tt>sts</tt> or <tt>no-policy-found</tt>. </p> </li>
+<p> Specify <tt>sts</tt> or <tt>no-policy-found</tt>. </p>
+
+<p> Example: <tt>policy_type=sts</tt> </p> </li>
<li> <p> <tt> policy_domain=<i>name</i> </tt> </p>
<p> The domain that the MTA-STS policy applies to. </p>
-
<p> Example: <tt>policy_domain=example.com</tt> </p>
</li>
<p> Example: <tt>policy_failure=sts-webpki-invalid</tt> </p> </li>
-<li> <p> <tt> policy_ttl=<i>time</i> </tt> </p>
+<li> <p> <tt> policy_ttl=<i>time</i> </tt> (deprecated) </p>
<p> This attribute is deprecated. The <i>time</i> value is not used,
and support for this attribute will eventually be removed from the
<ul>
<li> <p> Postfix 3.10 and later will accept these additional
-attributes in an MTA-STS response even if TLSRPT support is disabled
-(at build time or at run time). With TLSRPT support turned off,
-Postfix may still use the <tt>policy_failure</tt>
+attributes in an MTA-STS response even if Postfix TLSRPT support
+is disabled (at build time or at run time). With Postfix TLSRPT
+support turned off, Postfix may still use the <tt>policy_failure</tt>
attribute, and will ignore the attributes that are used only for
TLSRPT. </p>
<p> Optional lookup tables with the Postfix SMTP client TLS security
policy by next-hop destination; when a non-empty value is specified,
this overrides the obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter. See
-<a href="TLS_README.html">TLS_README</a> for a more detailed discussion of TLS security levels.
-</p>
+<a href="TLS_README.html">TLS_README</a> for a more detailed discussion of TLS security levels,
+and see <a href="TLSRPT_README.html">TLSRPT_README</a> for additional configuration that may be
+needed for MTA-STS plugins. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
their MX servers. This feature requires that Postfix is built
with a TLSRPT supporting library. </p>
+<p> See <a href="TLSRPT_README.html">TLSRPT_README</a> for configuration examples and additional
+requirements for MTA-STS <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> plugins. </p>
+
<p> This feature is available in Postfix ≥ 3.10. </p>
handshakes, for example to troubleshoot Postfix TLSRPT support.
</p>
+<p> Note: if an SMTP over TLS connection is reused, there is no
+second etc. TLS handshake to report. </p>
+
<p> This feature is available in Postfix ≥ 3.10. </p>
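Review bot: "there is no second etc. TLS handshake to report" is awkward; "no second or later TLS handshake" says it plainly. The note also leaves open what "smtp_tlsrpt_skip_reused_handshakes = no" reports for a reused connection: if no new handshake takes place, presumably the status of the original handshake is reported again for each delivery over that connection, and that should be stated so the reader understands why the default skips reused sessions. The same wording goes into the man page and the proto copy of this parameter further down, so change them together.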
pathname (absolute, or relative to $<a href="postconf.5.html#queue_directory">queue_directory</a>) when
"<a href="postconf.5.html#smtp_tlsrpt_enable">smtp_tlsrpt_enable</a> = yes". </p>
+<p> See <a href="TLSRPT_README.html">TLSRPT_README</a> for configuration examples and additional
+requirements for MTA-STS <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> plugins. </p>
+
<p> This feature is available in Postfix ≥ 3.10. </p>
Optional lookup tables with the Postfix SMTP client TLS security
policy by next\-hop destination; when a non\-empty value is specified,
this overrides the obsolete smtp_tls_per_site parameter. See
-TLS_README for a more detailed discussion of TLS security levels.
+TLS_README for a more detailed discussion of TLS security levels,
+and see TLSRPT_README for additional configuration that may be
+needed for MTA\-STS plugins.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
their MX servers. This feature requires that Postfix is built
with a TLSRPT supporting library.
.PP
+See TLSRPT_README for configuration examples and additional
+requirements for MTA\-STS smtp_tls_policy_maps plugins.
+.PP
This feature is available in Postfix >= 3.10.
.SH smtp_tlsrpt_skip_reused_handshakes (default: yes)
Do not report the TLSRPT status for TLS protocol handshakes
sessions. Set this to "no" to log the TLSRPT status of all TLS
handshakes, for example to troubleshoot Postfix TLSRPT support.
.PP
+Note: if an SMTP over TLS connection is reused, there is no
+second etc. TLS handshake to report.
+.PP
This feature is available in Postfix >= 3.10.
.SH smtp_tlsrpt_socket_name (default: empty)
The pathname of a UNIX\-domain datagram socket that is managed
pathname (absolute, or relative to $queue_directory) when
"smtp_tlsrpt_enable = yes".
.PP
+See TLSRPT_README for configuration examples and additional
+requirements for MTA\-STS smtp_tls_policy_maps plugins.
+.PP
This feature is available in Postfix >= 3.10.
.SH smtp_use_tls (default: no)
Opportunistic mode: use TLS when a remote SMTP server announces
#
# Input format: the leader text is copied verbatim; each section
# starts with "Incompatible changes with snapshot YYYYMMDD" or "Major
-# changes with snapshot YYYYMMDD"; each paragraph starts with [class,
-# class] where a class specifies one or more categories that the
-# change should be listed under. Adding class info is the only manual
-# processing needed to go from a RELEASE_NOTES file to the transformed
-# representation.
+# changes with snapshot YYYYMMDD" underlined with "=======..."; each
+# paragraph starts with [class, class] where a class specifies one or
+# more categories that the change should be listed under. Adding class
+# info is the only manual processing needed to go from a RELEASE_NOTES
+# file to the transformed representation.
#
-# Output format: each category is printed with a little header and
-# each paragraph is tagged with [Incompat yyyymmdd] or with [Feature
-# yyyymmdd].
+# Output format: each category is printed with a little header and each
+# paragraph is tagged with [Incompat yyyymmdd] or with [Feature yyyymmdd].
%leader = (); %body = ();
$append_to = \%leader;
to that domain's MX hosts. Support for TLSRPT was added in Postfix
3.10. </p>
-<p> A policy example looks like this: </p>
+<p> A policy for domain <tt>example.com</tt> could look like this: </p>
<blockquote>
<pre>
</pre>
</blockquote>
-<p> Translation: email sending systems are requested to generate daily
-summaries of successful and failed SMTP over TLS connections to domain
-<tt>example.com</tt>, and to report those summaries via email to the
-specified address. Instead of <tt>mailto:</tt>, a policy may specify an
-<tt>https:</tt> destination. </p>
+<p> Instead of <tt>mailto:</tt>, a policy may specify an <tt>https:</tt>
+destination. </p>
<p> The diagram below shows how Postfix TLS handshake success and
failure events are collected and processed into daily summary
by sys4 at https://github.com/sys4/libtlsrpt and
https://github.com/sys4/tlsrpt-reporter, respectively. </p>
-<p> The Postfix implementation supports domains with DANE (Postfix
-built-in) and MTA-STS (through an smtp_tls_policy_maps plug-in).
-</p>
+<p> The Postfix implementation supports TLSRPT or domains with DANE
+(Postfix built-in) and MTA-STS (through an <a href="#mta-sts">
+smtp_tls_policy_maps plug-in</a>). </p>
<p> The Postfix smtp(8) client process implements the SMTP client
engine. With "smtp_tls_connection_reuse = no", the smtp(8) client
<p> Postfix supports MTA-STS though an smtp_tls_policy_maps policy
plugin, which replies with a TLS security level and name=value
attributes with certificate matching requirements. Postfix 3.10 and
-later accept additional name=value attributes that are needed for
-TLSRPT. </p>
+later extend the policy plugin response with additional name=value
+attributes that are needed for TLSRPT. </p>
<p> Examples of smtp_tls_policy_maps plugins with MTA-STS support
are: </p>
is enabled by setting a <tt>tlsrpt</tt> boolean in a plugin
configuration file. This setting is safe with Postfix 3.10 and
later, even if Postfix TLSRPT support is disabled (at build time
-or at run time). </p>
+or at run time). Postfix versions 3.9 and earlier will report a
+policy error with "<tt>invalid attribute name</tt>". </p>
<p> The examples in the text below apply to this MTA-STS policy example
given in <a
<li> <p> <tt> policy_type=<i>type</i> </tt> </p>
-<p> Specify <tt>sts</tt> or <tt>no-policy-found</tt>. </p> </li>
+<p> Specify <tt>sts</tt> or <tt>no-policy-found</tt>. </p>
+
+<p> Example: <tt>policy_type=sts</tt> </p> </li>
<li> <p> <tt> policy_domain=<i>name</i> </tt> </p>
<p> The domain that the MTA-STS policy applies to. </p>
-
<p> Example: <tt>policy_domain=example.com</tt> </p>
</li>
<p> Example: <tt>policy_failure=sts-webpki-invalid</tt> </p> </li>
-<li> <p> <tt> policy_ttl=<i>time</i> </tt> </p>
+<li> <p> <tt> policy_ttl=<i>time</i> </tt> (deprecated) </p>
<p> This attribute is deprecated. The <i>time</i> value is not used,
and support for this attribute will eventually be removed from the
<ul>
<li> <p> Postfix 3.10 and later will accept these additional
-attributes in an MTA-STS response even if TLSRPT support is disabled
-(at build time or at run time). With TLSRPT support turned off,
-Postfix may still use the <tt>policy_failure</tt>
+attributes in an MTA-STS response even if Postfix TLSRPT support
+is disabled (at build time or at run time). With Postfix TLSRPT
+support turned off, Postfix may still use the <tt>policy_failure</tt>
attribute, and will ignore the attributes that are used only for
TLSRPT. </p>
<p> Optional lookup tables with the Postfix SMTP client TLS security
policy by next-hop destination; when a non-empty value is specified,
this overrides the obsolete smtp_tls_per_site parameter. See
-TLS_README for a more detailed discussion of TLS security levels.
-</p>
+TLS_README for a more detailed discussion of TLS security levels,
+and see TLSRPT_README for additional configuration that may be
+needed for MTA-STS plugins. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
their MX servers. This feature requires that Postfix is built
with a TLSRPT supporting library. </p>
+<p> See TLSRPT_README for configuration examples and additional
+requirements for MTA-STS smtp_tls_policy_maps plugins. </p>
+
<p> This feature is available in Postfix ≥ 3.10. </p>
%PARAM smtp_tlsrpt_socket_name
pathname (absolute, or relative to $queue_directory) when
"smtp_tlsrpt_enable = yes". </p>
+<p> See TLSRPT_README for configuration examples and additional
+requirements for MTA-STS smtp_tls_policy_maps plugins. </p>
+
<p> This feature is available in Postfix ≥ 3.10. </p>
%PARAM smtp_tlsrpt_skip_reused_handshakes yes
handshakes, for example to troubleshoot Postfix TLSRPT support.
</p>
+<p> Note: if an SMTP over TLS connection is reused, there is no
+second etc. TLS handshake to report. </p>
+
<p> This feature is available in Postfix ≥ 3.10. </p>
%PARAM full_name_encoding_charset utf-8
requiretls
sendopts
tz
+GID
+SIGKILL
+URI
+URIs
+bugfix
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20250205"
+#define MAIL_RELEASE_DATE "20250206"
#define MAIL_VERSION_NUMBER "3.10"
#ifdef SNAPSHOT