setting from "yes" to "no". The new default is enabled with
compatibility level >= 3.11. Files: smtp/smtp_tlsrpt.c,
global/mail_params.[hc], proto/COMPATIBILITY_README.html.
- proto/memcache_table, global/dict_memcache.c, util/hex_code.[hc].
20250608
and DANE policies. This prevents TLSRPT notifications for
all SMTP deliveries that do not require TLS. File:
smtp/smtp_connect.c.
+
+20250806
+
+ Documentation: updated the smtpd_hide_client_session
+ description with specific reference to RFC 5321 section
+ 4.4. File: proto/postconf.proto.
+
+20250807
+
+ Bugfix (defect introduced: 20250803): "TLS-Required: no" was
+ no longer in effect for LMTP deliveries. Viktor Dukhovni.
+ File: smtp/smtp_connect.c.
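Review bot: the 20250807 entry names the defect and the file but not the connection path the fix lands in; since the regression was "TLS-Required: no" being honoured on one path and not on the LMTP path, a short pointer such as "in the unix-domain socket connection path" (which is where the smtp_connect.c hunk in this patch adds the check, next to SMTP_ITER_INIT with NO_PORT) would save a future bisect. The 20250806 entry lists only proto/postconf.proto even though the patch also carries the regenerated man page and HTML; that matches the convention of naming the source file only, so no change needed there.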
<li> <p> The default setting, "<a href="postconf.5.html#smtpd_hide_client_session">smtpd_hide_client_session</a> = no",
must be used for the port 25 MTA service. It provides information
-that is required by <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>. </p>
+that is required by <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> section 4.4. </p>
<li> <p> The setting "<a href="postconf.5.html#smtpd_hide_client_session">smtpd_hide_client_session</a> = yes" may be used
for the port 587 and 465 MUA services. This hides the SMTP client
</blockquote>
<p> The redacted form hides that a message was received with SMTP,
-and therefore it does not need to provide the information required by
-<a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>. The form does still meet <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a> requirements. </p>
+and therefore it does not need to provide the FROM clause according
+to <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> section 4.4. The redacted form still meets <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a>
+requirements. </p>
<p> This feature is available in Postfix ≥ 3.10. </p>
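Review bot: in the rewritten paragraph, "does not need to provide the FROM clause according to RFC 5321 section 4.4" can be read as if section 4.4 makes the clause optional; suggest "does not need to provide the FROM clause that RFC 5321 section 4.4 requires in an SMTP Received: header", which keeps the reason (the redacted form no longer presents the message as received via SMTP) explicit. The same sentence recurs in the man page and the second HTML copy further down, so apply the wording change in proto/postconf.proto and regenerate all three together.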
.IP \(bu
The default setting, "smtpd_hide_client_session = no",
must be used for the port 25 MTA service. It provides information
-that is required by RFC 5321.
+that is required by RFC 5321 section 4.4.
.IP \(bu
The setting "smtpd_hide_client_session = yes" may be used
for the port 587 and 465 MUA services. This hides the SMTP client
.in -4
.PP
The redacted form hides that a message was received with SMTP,
-and therefore it does not need to provide the information required by
-RFC 5321. The form does still meet RFC 5322 requirements.
+and therefore it does not need to provide the FROM clause according
+to RFC 5321 section 4.4. The redacted form still meets RFC 5322
+requirements.
.PP
This feature is available in Postfix >= 3.10.
.SH smtpd_history_flush_threshold (default: 100)
<li> <p> The default setting, "smtpd_hide_client_session = no",
must be used for the port 25 MTA service. It provides information
-that is required by RFC 5321. </p>
+that is required by RFC 5321 section 4.4. </p>
<li> <p> The setting "smtpd_hide_client_session = yes" may be used
for the port 587 and 465 MUA services. This hides the SMTP client
</blockquote>
<p> The redacted form hides that a message was received with SMTP,
-and therefore it does not need to provide the information required by
-RFC 5321. The form does still meet RFC 5322 requirements. </p>
+and therefore it does not need to provide the FROM clause according
+to RFC 5321 section 4.4. The redacted form still meets RFC 5322
+requirements. </p>
<p> This feature is available in Postfix ≥ 3.10. </p>
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20250803"
+#define MAIL_RELEASE_DATE "20250807"
#define MAIL_VERSION_NUMBER "3.11"
#ifdef SNAPSHOT
SMTP_ITER_INIT(iter, path, var_myhostname, path, NO_PORT, state);
+ /*
+ * If a "TLS-Required: no" header is in effect, update the iterator to
+ * override TLS policy selection and to limit the security level to
+ * "may". Do not reset the security level after policy selection, as that
+ * would result in errors. For example, when TLSA records are looked up
+ * for security level "dane", and then the security level is reset to
+ * "may", the activation of those TLSA records will fail.
+ *
+ * Note that the REQUIRETLS verb in ESMTP overrides the "TLS-Required: no"
+ * header.
+ */
+#ifdef USE_TLS
+ if (var_tls_required_enable
+ && (state->request->sendopts & SOPT_REQUIRETLS_HEADER)) {
+ iter->tlsreqno = 1;
+ }
+#endif
+
/*
* Opportunistic TLS for unix domain sockets does not make much sense,
* since the channel is private, mere encryption without authentication
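Review bot: the new comment states that the ESMTP REQUIRETLS verb overrides "TLS-Required: no", but the added code tests only var_tls_required_enable and SOPT_REQUIRETLS_HEADER; if that precedence is enforced where iter->tlsreqno is consumed, or by the REQUIRETLS and header sendopts bits being mutually exclusive at queue time, say so in the comment, otherwise this unix-domain (LMTP) path could lower a REQUIRETLS message to security level "may". Since this regression came from one connection path lacking the check, consider moving the two-line test into a small helper called from every iterator setup so the paths cannot drift apart again. Keeping the whole block behind var_tls_required_enable is right: an operator who does not want sender headers to relax TLS policy keeps that parameter off and the block is a no-op.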