headers, when the Postfix SMTP server or the remote SMTP
client presents a raw public key. Viktor Dukhovni. File:
smtpd/smtpd.c.
+
+20230923
+
+ Documentation: updated descriptions of the postscreen_*_ttl
+ and postscreen_dnsbl_allowlist_threshold parameters. Files:
+ proto/postconf.proto, postscreen/postscreen.c.
+
+20230916
+
+ Documentation: fixed missing and misplaced quotes in "see
+ 'postconf -d' output". Reported by наб. Files: Makefile.in,
+ mantools/check-see-postconf-d-output, proto/postconf.proto,
+ global/maillog_client.c, master/master.c, smtp/smtp.c,
+ smtpd/smtpd.c.
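Review bot: the new 20230923 entry is added above the 20230916 entry, so the two dates read in descending order here. If this change log is kept in ascending date order, the 20230916 block (missing and misplaced quotes) should come first and the 20230923 block (postscreen_*_ttl descriptions) after it.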
# Some checks require a bin/postconf executable.
pre-release-checks: typo-check missing-proxy-read-maps-check \
postlink-check postfix-files-check check-spell-history \
- check-double-history check-table-proto
+ check-double-history check-table-proto check-see-postconf-d-output
postfix-files-check:
mantools/check-postfix-files | diff /dev/null -
check-table-proto:
mantools/check-table-proto | diff /dev/null -
+check-see-postconf-d-output:
+ mantools/check-see-postconf-d-output | diff /dev/null -
+
# The build-time shlib_directory setting must take precedence over
# the installed main.cf settings, otherwise we can't update an
# installed system from dynamicmaps=yes<->dynamicmaps=no or from
Available in Postfix version 2.6 and later:
- <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (see postconf -d output)</b>
+ <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (see 'postconf -d' output)</b>
TLS protocols that the Postfix SMTP client will use with oppor-
tunistic TLS encryption.
The local network interface addresses that this mail system
receives mail on.
- <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d output')</b>
+ <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b>
The Internet protocols Postfix will attempt to use when making
or accepting connections.
The local network interface addresses that this mail system
receives mail on.
- <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d output')</b>
+ <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b>
The Internet protocols Postfix will attempt to use when making
or accepting connections.
</DD>
<DT><b><a name="inet_protocols">inet_protocols</a>
-(default: see 'postconf -d output')</b></DT><DD>
+(default: see 'postconf -d' output)</b></DT><DD>
<p> The Internet protocols Postfix will attempt to use when making
or accepting connections. Specify one or more of "ipv4"
</DD>
<DT><b><a name="lmtp_tls_mandatory_protocols">lmtp_tls_mandatory_protocols</a>
-(default: see postconf -d output)</b></DT><DD>
+(default: see 'postconf -d' output)</b></DT><DD>
<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
configuration parameter. See there for details. </p>
</DD>
<DT><b><a name="lmtp_tls_protocols">lmtp_tls_protocols</a>
-(default: see postconf -d output)</b></DT><DD>
+(default: see 'postconf -d' output)</b></DT><DD>
<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> configuration
parameter. See there for details. </p>
<DT><b><a name="postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a>
(default: 30d)</b></DT><DD>
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
-a successful "bare newline" SMTP protocol test. During this
-time, the client IP address is excluded from this test. The default
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client
+IP address passed a "bare newline" SMTP protocol test, before it
+address is required to pass that test again. The default
is long because a remote SMTP client must disconnect after it passes
the test,
before it can talk to a real Postfix SMTP server. </p>
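Review bot: typo in the reworded postscreen_bare_newline_ttl sentence, "before it address is required to pass that test again"; the stray "address" should go, giving "before it is required to pass that test again" as in the other postscreen_*_ttl descriptions. The same phrase recurs in the later hunks that carry this paragraph (the summary, nroff, %PARAM and C-comment copies), so it is best fixed in the source text and regenerated.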
<p> Specify a negative value to enable this feature. When a client
passes the <a href="postconf.5.html#postscreen_dnsbl_allowlist_threshold">postscreen_dnsbl_allowlist_threshold</a> without having
failed other tests, all pending or disabled tests are flagged as
-completed with a time-to-live value equal to <a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>.
-When a test was already completed, its time-to-live value is updated
-if it was less than <a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>. </p>
+completed with an expiration time based on the DNS reply TTL.
+When a test was already completed, its expiration time is updated
+if it was less than the value based on the DNS reply TTL. See
+also <a href="postconf.5.html#postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a> and <a href="postconf.5.html#postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a>. </p>
<p> This feature is available in Postfix 3.6 and later. </p>
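Review bot: "an expiration time based on the DNS reply TTL" does not say how the value is derived, and the reader has to follow the "See also" links to learn that postscreen_dnsbl_min_ttl and postscreen_dnsbl_max_ttl bound it. Since this setting decides how long a client skips all pending or disabled tests, consider stating the bounds in this sentence, for example "based on the DNS reply TTL, limited by postscreen_dnsbl_min_ttl and postscreen_dnsbl_max_ttl".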
<DT><b><a name="postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a>
(default: ${<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>?{$<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>}:{1}}h)</b></DT><DD>
-<p> The maximum amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the
-result from a successful DNS-based reputation test before a
-client IP address is required to pass that test again. If the DNS
+<p> The maximum amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a
+client IP address passed a DNS-based reputation test, before it is
+required to pass that test again. If the DNS
reply specifies a shorter TTL value, that value will be used unless
it would be smaller than <a href="postconf.5.html#postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a>. </p>
<DT><b><a name="postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a>
(default: 60s)</b></DT><DD>
-<p> The minimum amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the
-result from a successful DNS-based reputation test before a
-client IP address is required to pass that test again. If the DNS
+<p> The minimum amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a
+client IP address passed a DNS-based reputation test, before it
+is required to pass that test again. If the DNS
reply specifies a larger TTL value, that value will be used unless
it would be larger than <a href="postconf.5.html#postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a>. </p>
<DT><b><a name="postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>
(default: 1h)</b></DT><DD>
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
-a successful DNS-based reputation test before a client
-IP address is required to pass that test again. </p>
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client
+IP address passed a DNS-based reputation test, before it is required
+to pass that test again. </p>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
<DT><b><a name="postscreen_greet_ttl">postscreen_greet_ttl</a>
(default: 1d)</b></DT><DD>
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
-a successful PREGREET test. During this time, the client IP address
-is excluded from this test. The default is relatively short, because
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client
+IP address passed a PREGREET test, before it is required to pass
+that test again. The default is relatively short, because
a good client can immediately talk to a real Postfix SMTP server. </p>
<p> Specify a non-zero time value (an integral value plus an optional
<DT><b><a name="postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a>
(default: 30d)</b></DT><DD>
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
-a successful "non_smtp_command" SMTP protocol test. During this
-time, the client IP address is excluded from this test. The default
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client
+IP address passed a "non_smtp_command" SMTP protocol test, before
+it is required to pass that test again. The default
is long because a client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server. </p>
<DT><b><a name="postscreen_pipelining_ttl">postscreen_pipelining_ttl</a>
(default: 30d)</b></DT><DD>
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
-a successful "pipelining" SMTP protocol test. During this time, the
-client IP address is excluded from this test. The default is
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client
+IP address passed a "pipelining" SMTP protocol test, before it is
+required to pass that test again. The default is
long because a good client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server. </p>
</DD>
<DT><b><a name="smtp_tls_protocols">smtp_tls_protocols</a>
-(default: see postconf -d output)</b></DT><DD>
+(default: see 'postconf -d' output)</b></DT><DD>
<p> TLS protocols that the Postfix SMTP client will use with
opportunistic TLS encryption. In <a href="postconf.5.html">main.cf</a> the values are separated by
</DD>
<DT><b><a name="smtpd_tls_protocols">smtpd_tls_protocols</a>
-(default: see postconf -d output)</b></DT><DD>
+(default: see 'postconf -d' output)</b></DT><DD>
<p> TLS protocols accepted by the Postfix SMTP server with opportunistic
TLS encryption. If the list is empty, the server supports all available
porary allowlist entry before it is removed.
<b><a href="postconf.5.html#postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (30d)</b>
- The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
- successful "bare newline" SMTP protocol test.
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> remembers that a client IP
+ address passed a "bare newline" SMTP protocol test, before it
+ address is required to pass that test again.
<b><a href="postconf.5.html#postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a></b>
<b>(${<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>?{$<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>}:{1}}h)</b>
- The maximum amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
- result from a successful DNS-based reputation test before a
- client IP address is required to pass that test again.
+ The maximum amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> remembers that a
+ client IP address passed a DNS-based reputation test, before it
+ is required to pass that test again.
<b><a href="postconf.5.html#postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a> (60s)</b>
- The minimum amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
- result from a successful DNS-based reputation test before a
- client IP address is required to pass that test again.
+ The minimum amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> remembers that a
+ client IP address passed a DNS-based reputation test, before it
+ is required to pass that test again.
<b><a href="postconf.5.html#postscreen_greet_ttl">postscreen_greet_ttl</a> (1d)</b>
- The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
- successful PREGREET test.
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> remembers that a client IP
+ address passed a PREGREET test, before it is required to pass
+ that test again.
<b><a href="postconf.5.html#postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (30d)</b>
- The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
- successful "non_smtp_command" SMTP protocol test.
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> remembers that a client IP
+ address passed a "non_smtp_command" SMTP protocol test, before
+ it is required to pass that test again.
<b><a href="postconf.5.html#postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (30d)</b>
- The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
- successful "pipelining" SMTP protocol test.
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> remembers that a client IP
+ address passed a "pipelining" SMTP protocol test, before it is
+ required to pass that test again.
<b>RESOURCE CONTROLS</b>
<b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
Available in Postfix version 2.6 and later:
- <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (see postconf -d output)</b>
+ <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (see 'postconf -d' output)</b>
TLS protocols that the Postfix SMTP client will use with oppor-
tunistic TLS encryption.
The local network interface addresses that this mail system
receives mail on.
- <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d output')</b>
+ <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b>
The Internet protocols Postfix will attempt to use when making
or accepting connections.
Available in Postfix version 2.6 and later:
- <b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (see postconf -d output)</b>
+ <b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (see 'postconf -d' output)</b>
TLS protocols accepted by the Postfix SMTP server with oppor-
tunistic TLS encryption.
receives mail on by way of a proxy or network address transla-
tion unit.
- <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d output')</b>
+ <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b>
The Internet protocols Postfix will attempt to use when making
or accepting connections.
.fi
.ad
.ft R
-.SH inet_protocols (default: see 'postconf \-d output')
+.SH inet_protocols (default: see 'postconf \-d' output)
The Internet protocols Postfix will attempt to use when making
or accepting connections. Specify one or more of "ipv4"
or "ipv6", separated by whitespace or commas. The form
configuration parameter. See there for details.
.PP
This feature is available in Postfix 2.3 and later.
-.SH lmtp_tls_mandatory_protocols (default: see postconf \-d output)
+.SH lmtp_tls_mandatory_protocols (default: see 'postconf \-d' output)
The LMTP\-specific version of the smtp_tls_mandatory_protocols
configuration parameter. See there for details.
.PP
configuration parameter. See there for details.
.PP
This feature is available in Postfix 2.3 and later.
-.SH lmtp_tls_protocols (default: see postconf \-d output)
+.SH lmtp_tls_protocols (default: see 'postconf \-d' output)
The LMTP\-specific version of the smtp_tls_protocols configuration
parameter. See there for details.
.PP
.PP
This feature is available in Postfix 2.8.
.SH postscreen_bare_newline_ttl (default: 30d)
-The amount of time that \fBpostscreen\fR(8) will use the result from
-a successful "bare newline" SMTP protocol test. During this
-time, the client IP address is excluded from this test. The default
+The amount of time that \fBpostscreen\fR(8) remembers that a client
+IP address passed a "bare newline" SMTP protocol test, before it
+address is required to pass that test again. The default
is long because a remote SMTP client must disconnect after it passes
the test,
before it can talk to a real Postfix SMTP server.
Specify a negative value to enable this feature. When a client
passes the postscreen_dnsbl_allowlist_threshold without having
failed other tests, all pending or disabled tests are flagged as
-completed with a time\-to\-live value equal to postscreen_dnsbl_ttl.
-When a test was already completed, its time\-to\-live value is updated
-if it was less than postscreen_dnsbl_ttl.
+completed with an expiration time based on the DNS reply TTL.
+When a test was already completed, its expiration time is updated
+if it was less than the value based on the DNS reply TTL. See
+also postscreen_dnsbl_max_ttl and postscreen_dnsbl_min_ttl.
.PP
This feature is available in Postfix 3.6 and later.
.PP
Available as postscreen_dnsbl_whitelist_threshold in Postfix 2.11
\- 3.5.
.SH postscreen_dnsbl_max_ttl (default: ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)
-The maximum amount of time that \fBpostscreen\fR(8) will use the
-result from a successful DNS\-based reputation test before a
-client IP address is required to pass that test again. If the DNS
+The maximum amount of time that \fBpostscreen\fR(8) remembers that a
+client IP address passed a DNS\-based reputation test, before it is
+required to pass that test again. If the DNS
reply specifies a shorter TTL value, that value will be used unless
it would be smaller than postscreen_dnsbl_min_ttl.
.PP
This feature is available in Postfix 3.1. The default setting
is backwards\-compatible with older Postfix versions.
.SH postscreen_dnsbl_min_ttl (default: 60s)
-The minimum amount of time that \fBpostscreen\fR(8) will use the
-result from a successful DNS\-based reputation test before a
-client IP address is required to pass that test again. If the DNS
+The minimum amount of time that \fBpostscreen\fR(8) remembers that a
+client IP address passed a DNS\-based reputation test, before it
+is required to pass that test again. If the DNS
reply specifies a larger TTL value, that value will be used unless
it would be larger than postscreen_dnsbl_max_ttl.
.PP
.PP
This feature is available in Postfix 3.0.
.SH postscreen_dnsbl_ttl (default: 1h)
-The amount of time that \fBpostscreen\fR(8) will use the result from
-a successful DNS\-based reputation test before a client
-IP address is required to pass that test again.
+The amount of time that \fBpostscreen\fR(8) remembers that a client
+IP address passed a DNS\-based reputation test, before it is required
+to pass that test again.
.PP
Specify a non\-zero time value (an integral value plus an optional
one\-letter suffix that specifies the time unit). Time units: s
.PP
This feature is available in Postfix 2.8.
.SH postscreen_greet_ttl (default: 1d)
-The amount of time that \fBpostscreen\fR(8) will use the result from
-a successful PREGREET test. During this time, the client IP address
-is excluded from this test. The default is relatively short, because
+The amount of time that \fBpostscreen\fR(8) remembers that a client
+IP address passed a PREGREET test, before it is required to pass
+that test again. The default is relatively short, because
a good client can immediately talk to a real Postfix SMTP server.
.PP
Specify a non\-zero time value (an integral value plus an optional
.PP
This feature is available in Postfix 2.8.
.SH postscreen_non_smtp_command_ttl (default: 30d)
-The amount of time that \fBpostscreen\fR(8) will use the result from
-a successful "non_smtp_command" SMTP protocol test. During this
-time, the client IP address is excluded from this test. The default
+The amount of time that \fBpostscreen\fR(8) remembers that a client
+IP address passed a "non_smtp_command" SMTP protocol test, before
+it is required to pass that test again. The default
is long because a client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server.
.PP
.PP
This feature is available in Postfix 2.8.
.SH postscreen_pipelining_ttl (default: 30d)
-The amount of time that \fBpostscreen\fR(8) will use the result from
-a successful "pipelining" SMTP protocol test. During this time, the
-client IP address is excluded from this test. The default is
+The amount of time that \fBpostscreen\fR(8) remembers that a client
+IP address passed a "pipelining" SMTP protocol test, before it is
+required to pass that test again. The default is
long because a good client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server.
.PP
configurations in environments where DNS security is not assured.
.PP
This feature is available in Postfix 2.3 and later.
-.SH smtp_tls_protocols (default: see postconf \-d output)
+.SH smtp_tls_protocols (default: see 'postconf \-d' output)
TLS protocols that the Postfix SMTP client will use with
opportunistic TLS encryption. In main.cf the values are separated by
whitespace, commas or colons. In the policy table "protocols" attribute
.ft R
.PP
This feature is available in Postfix 2.3 and later.
-.SH smtpd_tls_protocols (default: see postconf \-d output)
+.SH smtpd_tls_protocols (default: see 'postconf \-d' output)
TLS protocols accepted by the Postfix SMTP server with opportunistic
TLS encryption. If the list is empty, the server supports all available
TLS protocol versions. A non\-empty value is a list of protocol names to
.IP "\fBinet_interfaces (all)\fR"
The local network interface addresses that this mail system
receives mail on.
-.IP "\fBinet_protocols (see 'postconf -d output')\fR"
+.IP "\fBinet_protocols (see 'postconf -d' output)\fR"
The Internet protocols Postfix will attempt to use when making
or accepting connections.
.IP "\fBimport_environment (see 'postconf -d' output)\fR"
The amount of time that \fBpostscreen\fR(8) will cache an expired
temporary allowlist entry before it is removed.
.IP "\fBpostscreen_bare_newline_ttl (30d)\fR"
-The amount of time that \fBpostscreen\fR(8) will use the result from
-a successful "bare newline" SMTP protocol test.
+The amount of time that \fBpostscreen\fR(8) remembers that a client
+IP address passed a "bare newline" SMTP protocol test, before it
+address is required to pass that test again.
.IP "\fBpostscreen_dnsbl_max_ttl (${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)\fR"
-The maximum amount of time that \fBpostscreen\fR(8) will use the
-result from a successful DNS\-based reputation test before a
-client IP address is required to pass that test again.
+The maximum amount of time that \fBpostscreen\fR(8) remembers that a
+client IP address passed a DNS\-based reputation test, before it is
+required to pass that test again.
.IP "\fBpostscreen_dnsbl_min_ttl (60s)\fR"
-The minimum amount of time that \fBpostscreen\fR(8) will use the
-result from a successful DNS\-based reputation test before a
-client IP address is required to pass that test again.
+The minimum amount of time that \fBpostscreen\fR(8) remembers that a
+client IP address passed a DNS\-based reputation test, before it
+is required to pass that test again.
.IP "\fBpostscreen_greet_ttl (1d)\fR"
-The amount of time that \fBpostscreen\fR(8) will use the result from
-a successful PREGREET test.
+The amount of time that \fBpostscreen\fR(8) remembers that a client
+IP address passed a PREGREET test, before it is required to pass
+that test again.
.IP "\fBpostscreen_non_smtp_command_ttl (30d)\fR"
-The amount of time that \fBpostscreen\fR(8) will use the result from
-a successful "non_smtp_command" SMTP protocol test.
+The amount of time that \fBpostscreen\fR(8) remembers that a client
+IP address passed a "non_smtp_command" SMTP protocol test, before
+it is required to pass that test again.
.IP "\fBpostscreen_pipelining_ttl (30d)\fR"
-The amount of time that \fBpostscreen\fR(8) will use the result from
-a successful "pipelining" SMTP protocol test.
+The amount of time that \fBpostscreen\fR(8) remembers that a client
+IP address passed a "pipelining" SMTP protocol test, before it is
+required to pass that test again.
.SH "RESOURCE CONTROLS"
.na
.nf
certificate fingerprints.
.PP
Available in Postfix version 2.6 and later:
-.IP "\fBsmtp_tls_protocols (see postconf -d output)\fR"
+.IP "\fBsmtp_tls_protocols (see 'postconf -d' output)\fR"
TLS protocols that the Postfix SMTP client will use with
opportunistic TLS encryption.
.IP "\fBsmtp_tls_ciphers (medium)\fR"
.IP "\fBinet_interfaces (all)\fR"
The local network interface addresses that this mail system
receives mail on.
-.IP "\fBinet_protocols (see 'postconf -d output')\fR"
+.IP "\fBinet_protocols (see 'postconf -d' output)\fR"
The Internet protocols Postfix will attempt to use when making
or accepting connections.
.IP "\fBipc_timeout (3600s)\fR"
\fBcheck_ccert_access\fR and \fBpermit_tls_clientcerts\fR.
.PP
Available in Postfix version 2.6 and later:
-.IP "\fBsmtpd_tls_protocols (see postconf -d output)\fR"
+.IP "\fBsmtpd_tls_protocols (see 'postconf -d' output)\fR"
TLS protocols accepted by the Postfix SMTP server with opportunistic
TLS encryption.
.IP "\fBsmtpd_tls_ciphers (medium)\fR"
.IP "\fBproxy_interfaces (empty)\fR"
The remote network interface addresses that this mail system receives mail
on by way of a proxy or network address translation unit.
-.IP "\fBinet_protocols (see 'postconf -d output')\fR"
+.IP "\fBinet_protocols (see 'postconf -d' output)\fR"
The Internet protocols Postfix will attempt to use when making
or accepting connections.
.IP "\fBlocal_recipient_maps (proxy:unix:passwd.byname $alias_maps)\fR"
--- /dev/null
+#!/bin/sh
+
+# check-see-postconf-d-output - find missing is misplaced quotes
+
+grep -r "see *'*postconf -d'* *output'*" proto html man |
+ grep -v "see 'postconf -d' output"
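Review bot: the first grep matches only a literal "postconf -d", so lines that write the option as "postconf \-d", as the nroff .SH headings fixed elsewhere in this patch do, are never selected and a regression there would pass the check; allowing an optional backslash before the hyphen in both patterns would cover them. The search is also limited to proto, html and man, while the change log entry lists fixes in C source comments (global/maillog_client.c, master/master.c, smtp/smtp.c, smtpd/smtpd.c), which stay unchecked. The header comment reads "find missing is misplaced quotes", where "or" is presumably meant.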
inet_interfaces = 192.168.1.2, 127.0.0.1
</pre>
-%PARAM inet_protocols see 'postconf -d output'
+%PARAM inet_protocols see 'postconf -d' output
<p> The Internet protocols Postfix will attempt to use when making
or accepting connections. Specify one or more of "ipv4"
<p> This feature is available in Postfix 2.3 and later. </p>
-%PARAM lmtp_tls_mandatory_protocols see postconf -d output
+%PARAM lmtp_tls_mandatory_protocols see 'postconf -d' output
<p> The LMTP-specific version of the smtp_tls_mandatory_protocols
configuration parameter. See there for details. </p>
<p> This feature is available in Postfix 2.5 and later. </p>
-%PARAM smtp_tls_protocols see postconf -d output
+%PARAM smtp_tls_protocols see 'postconf -d' output
<p> TLS protocols that the Postfix SMTP client will use with
opportunistic TLS encryption. In main.cf the values are separated by
<p> This feature is available in Postfix 2.6 and later. </p>
-%PARAM smtpd_tls_protocols see postconf -d output
+%PARAM smtpd_tls_protocols see 'postconf -d' output
<p> TLS protocols accepted by the Postfix SMTP server with opportunistic
TLS encryption. If the list is empty, the server supports all available
<p> This feature is available in Postfix 2.6 and later. </p>
-%PARAM lmtp_tls_protocols see postconf -d output
+%PARAM lmtp_tls_protocols see 'postconf -d' output
<p> The LMTP-specific version of the smtp_tls_protocols configuration
parameter. See there for details. </p>
%PARAM postscreen_greet_ttl 1d
-<p> The amount of time that postscreen(8) will use the result from
-a successful PREGREET test. During this time, the client IP address
-is excluded from this test. The default is relatively short, because
+<p> The amount of time that postscreen(8) remembers that a client
+IP address passed a PREGREET test, before it is required to pass
+that test again. The default is relatively short, because
a good client can immediately talk to a real Postfix SMTP server. </p>
<p> Specify a non-zero time value (an integral value plus an optional
<p> Specify a negative value to enable this feature. When a client
passes the postscreen_dnsbl_allowlist_threshold without having
failed other tests, all pending or disabled tests are flagged as
-completed with a time-to-live value equal to postscreen_dnsbl_ttl.
-When a test was already completed, its time-to-live value is updated
-if it was less than postscreen_dnsbl_ttl. </p>
+completed with an expiration time based on the DNS reply TTL.
+When a test was already completed, its expiration time is updated
+if it was less than the value based on the DNS reply TTL. See
+also postscreen_dnsbl_max_ttl and postscreen_dnsbl_min_ttl. </p>
<p> This feature is available in Postfix 3.6 and later. </p>
%PARAM postscreen_dnsbl_ttl 1h
-<p> The amount of time that postscreen(8) will use the result from
-a successful DNS-based reputation test before a client
-IP address is required to pass that test again. </p>
+<p> The amount of time that postscreen(8) remembers that a client
+IP address passed a DNS-based reputation test, before it is required
+to pass that test again. </p>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
%PARAM postscreen_dnsbl_min_ttl 60s
-<p> The minimum amount of time that postscreen(8) will use the
-result from a successful DNS-based reputation test before a
-client IP address is required to pass that test again. If the DNS
+<p> The minimum amount of time that postscreen(8) remembers that a
+client IP address passed a DNS-based reputation test, before it
+is required to pass that test again. If the DNS
reply specifies a larger TTL value, that value will be used unless
it would be larger than postscreen_dnsbl_max_ttl. </p>
%PARAM postscreen_dnsbl_max_ttl ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h
-<p> The maximum amount of time that postscreen(8) will use the
-result from a successful DNS-based reputation test before a
-client IP address is required to pass that test again. If the DNS
+<p> The maximum amount of time that postscreen(8) remembers that a
+client IP address passed a DNS-based reputation test, before it is
+required to pass that test again. If the DNS
reply specifies a shorter TTL value, that value will be used unless
it would be smaller than postscreen_dnsbl_min_ttl. </p>
%PARAM postscreen_pipelining_ttl 30d
-<p> The amount of time that postscreen(8) will use the result from
-a successful "pipelining" SMTP protocol test. During this time, the
-client IP address is excluded from this test. The default is
+<p> The amount of time that postscreen(8) remembers that a client
+IP address passed a "pipelining" SMTP protocol test, before it is
+required to pass that test again. The default is
long because a good client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server. </p>
%PARAM postscreen_non_smtp_command_ttl 30d
-<p> The amount of time that postscreen(8) will use the result from
-a successful "non_smtp_command" SMTP protocol test. During this
-time, the client IP address is excluded from this test. The default
+<p> The amount of time that postscreen(8) remembers that a client
+IP address passed a "non_smtp_command" SMTP protocol test, before
+it is required to pass that test again. The default
is long because a client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server. </p>
%PARAM postscreen_bare_newline_ttl 30d
-<p> The amount of time that postscreen(8) will use the result from
-a successful "bare newline" SMTP protocol test. During this
-time, the client IP address is excluded from this test. The default
+<p> The amount of time that postscreen(8) remembers that a client
+IP address passed a "bare newline" SMTP protocol test, before it
+address is required to pass that test again. The default
is long because a remote SMTP client must disconnect after it passes
the test,
before it can talk to a real Postfix SMTP server. </p>
plaintext Problem reported by Serg File smtp smtp h
cleanup cleanup c cleanup cleanup_init c proto postconf proto
smtpd smtpd c
+ proto postconf proto postscreen postscreen c
+ global maillog_client c master master c smtp smtp c
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20230912"
+#define MAIL_RELEASE_DATE "20230916"
#define MAIL_VERSION_NUMBER "3.9"
#ifdef SNAPSHOT
/* unitialized and the process environment does not specify
/* POSTLOG_SERVICE, the program will log to the syslog service
/* instead.
-/* .IP "myhostname (default: see postconf -d output)"
+/* .IP "myhostname (default: see 'postconf -d' output)"
/* The internet hostname of this mail system.
/* .IP "postlog_service_name (postlog)"
/* The name of the internal postlog logging service.
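Review bot: The unchanged context line at the top of this hunk, "/* unitialized and the process environment does not specify", misspells "uninitialized". Since this change is a documentation cleanup of the same comment block, consider fixing that spelling here as well so the generated manual text is corrected in one pass.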
/* .IP "\fBinet_interfaces (all)\fR"
/* The local network interface addresses that this mail system
/* receives mail on.
-/* .IP "\fBinet_protocols (see 'postconf -d output')\fR"
+/* .IP "\fBinet_protocols (see 'postconf -d' output)\fR"
/* The Internet protocols Postfix will attempt to use when making
/* or accepting connections.
/* .IP "\fBimport_environment (see 'postconf -d' output)\fR"
/* The amount of time that \fBpostscreen\fR(8) will cache an expired
/* temporary allowlist entry before it is removed.
/* .IP "\fBpostscreen_bare_newline_ttl (30d)\fR"
-/* The amount of time that \fBpostscreen\fR(8) will use the result from
-/* a successful "bare newline" SMTP protocol test.
+/* The amount of time that \fBpostscreen\fR(8) remembers that a client
+/* IP address passed a "bare newline" SMTP protocol test, before it
+/* address is required to pass that test again.
/* .IP "\fBpostscreen_dnsbl_max_ttl (${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)\fR"
-/* The maximum amount of time that \fBpostscreen\fR(8) will use the
-/* result from a successful DNS-based reputation test before a
-/* client IP address is required to pass that test again.
+/* The maximum amount of time that \fBpostscreen\fR(8) remembers that a
+/* client IP address passed a DNS-based reputation test, before it is
+/* required to pass that test again.
/* .IP "\fBpostscreen_dnsbl_min_ttl (60s)\fR"
-/* The minimum amount of time that \fBpostscreen\fR(8) will use the
-/* result from a successful DNS-based reputation test before a
-/* client IP address is required to pass that test again.
+/* The minimum amount of time that \fBpostscreen\fR(8) remembers that a
+/* client IP address passed a DNS-based reputation test, before it
+/* is required to pass that test again.
/* .IP "\fBpostscreen_greet_ttl (1d)\fR"
-/* The amount of time that \fBpostscreen\fR(8) will use the result from
-/* a successful PREGREET test.
+/* The amount of time that \fBpostscreen\fR(8) remembers that a client
+/* IP address passed a PREGREET test, before it is required to pass
+/* that test again.
/* .IP "\fBpostscreen_non_smtp_command_ttl (30d)\fR"
-/* The amount of time that \fBpostscreen\fR(8) will use the result from
-/* a successful "non_smtp_command" SMTP protocol test.
+/* The amount of time that \fBpostscreen\fR(8) remembers that a client
+/* IP address passed a "non_smtp_command" SMTP protocol test, before
+/* it is required to pass that test again.
/* .IP "\fBpostscreen_pipelining_ttl (30d)\fR"
-/* The amount of time that \fBpostscreen\fR(8) will use the result from
-/* a successful "pipelining" SMTP protocol test.
+/* The amount of time that \fBpostscreen\fR(8) remembers that a client
+/* IP address passed a "pipelining" SMTP protocol test, before it is
+/* required to pass that test again.
/* RESOURCE CONTROLS
/* .ad
/* .fi
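Review bot: In the postscreen_bare_newline_ttl entry the new comment text is "before it" followed by "address is required to pass that test again", which leaves a stray "address" in the sentence; it should read "before it is required to pass that test again", as the greet, non_smtp_command and pipelining entries in this hunk do. Because this comment is the source for the manual page text, the slip will carry into the generated documentation unless it is fixed here.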
/* certificate fingerprints.
/* .PP
/* Available in Postfix version 2.6 and later:
-/* .IP "\fBsmtp_tls_protocols (see postconf -d output)\fR"
+/* .IP "\fBsmtp_tls_protocols (see 'postconf -d' output)\fR"
/* TLS protocols that the Postfix SMTP client will use with
/* opportunistic TLS encryption.
/* .IP "\fBsmtp_tls_ciphers (medium)\fR"
/* .IP "\fBinet_interfaces (all)\fR"
/* The local network interface addresses that this mail system
/* receives mail on.
-/* .IP "\fBinet_protocols (see 'postconf -d output')\fR"
+/* .IP "\fBinet_protocols (see 'postconf -d' output)\fR"
/* The Internet protocols Postfix will attempt to use when making
/* or accepting connections.
/* .IP "\fBipc_timeout (3600s)\fR"
/* \fBcheck_ccert_access\fR and \fBpermit_tls_clientcerts\fR.
/* .PP
/* Available in Postfix version 2.6 and later:
-/* .IP "\fBsmtpd_tls_protocols (see postconf -d output)\fR"
+/* .IP "\fBsmtpd_tls_protocols (see 'postconf -d' output)\fR"
/* TLS protocols accepted by the Postfix SMTP server with opportunistic
/* TLS encryption.
/* .IP "\fBsmtpd_tls_ciphers (medium)\fR"
/* .IP "\fBproxy_interfaces (empty)\fR"
/* The remote network interface addresses that this mail system receives mail
/* on by way of a proxy or network address translation unit.
-/* .IP "\fBinet_protocols (see 'postconf -d output')\fR"
+/* .IP "\fBinet_protocols (see 'postconf -d' output)\fR"
/* The Internet protocols Postfix will attempt to use when making
/* or accepting connections.
/* .IP "\fBlocal_recipient_maps (proxy:unix:passwd.byname $alias_maps)\fR"