smtp/smtp.h, smtp/smtp_chat.c, smtp/smtp_params.c,
smtpd/smtpd.c, smtpd/smtpd.h, smtpd/smtpd_chat.c, and test
data.
+
+20211006
+
+ Documentation: http://tools.ietf.org/html/rfc[0-9]+ sometimes
+ does not redirect to the https site. Max-Julian Pogner.
+ Fixed by updating mantools/postlink and rebuilding the HTML
+ files that reference RFCs.
+
+20211016
+
+ Documentation: clarified the difference between private and
+ public services in master.cf. File: proto/master.
+
+20211022
+
+ Bugfix: the known_tcp_ports setting had no effect. Reported
+ by Peter. It also wasn't fully implemented. Files:
+ config_known_tcp_ports.c, mail_params.c,
+ posttls-finger/posttls-finger.c, smtp/smtp_connect.c,
+ util/find_inet.c, util/myaddrinfo.c.
+++ /dev/null
-Add a note to tlsproxy source why it does not enforce deadlines or
-minimum data rates. Reason: tlsproxy relies on the plaintext client
-to enforce their context-dependent deadlines and data rates. When
-a plaintext client times out, it will close the tlsproxy connection,
-and then tlsproxy will also hang up.
Wish list:
- Add verp=+= to the qmgr "from=" logging.
+ Add a pointer to
+ http://mmogilvi.users.sourceforge.net/software/oauthbearer.html
+ in documentation or on-line howtos.
+
+ Add verp=+= to the qmgr "from=" logging. This is already
+ implemented but not yet integrated.
Need canonical Dovecot example that has virtual_mailbox_domains,
(virtual_mailbox_maps or reject unverified_recipient), and
<h2>Overview </h2>
-<p> Postfix SMTP server supports <a href="http://tools.ietf.org/html/rfc3030">RFC 3030</a> CHUNKING (the BDAT command)
+<p> Postfix SMTP server supports <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> CHUNKING (the BDAT command)
without BINARYMIME, in both <a href="smtpd.8.html">smtpd(8)</a> and <a href="postscreen.8.html">postscreen(8)</a>. It is enabled
by default. </p>
<h2> <a name="downsides">Downsides of CHUNKING (BDAT) support</a>
</h2>
-<p> The <a href="http://tools.ietf.org/html/rfc3030">RFC 3030</a> authors did not specify any limitations on how
+<p> The <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> authors did not specify any limitations on how
clients may pipeline commands (i.e. send commands without waiting
for a server response). If a server announces PIPELINING support,
like Postfix does, then a remote SMTP client can pipeline all
then turn off Postfix's CHUNKING announcement as described above.
</p>
-<p> In <a href="http://tools.ietf.org/html/rfc4468">RFC 4468</a>, the authors write that a client may pipeline
+<p> In <a href="https://tools.ietf.org/html/rfc4468">RFC 4468</a>, the authors write that a client may pipeline
commands, and that after sending BURL LAST or BDAT LAST, a client
must wait for the server's response. But as this text does not
-appear in <a href="http://tools.ietf.org/html/rfc3030">RFC 3030</a> which defines BDAT, is it a useless restriction
+appear in <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> which defines BDAT, is it a useless restriction
that Postfix will not enforce. </p>
</body>
<li> <p> Header/body checks do not decode message headers or message
body content. For example, if text in the message body is BASE64
-encoded (<a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a>) then your regular expressions will have to match
+encoded (<a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a>) then your regular expressions will have to match
the BASE64 encoded form. Likewise, message headers with encoded
-non-ASCII characters (<a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a>) need to be matched in their encoded
+non-ASCII characters (<a href="https://tools.ietf.org/html/rfc2047">RFC 2047</a>) need to be matched in their encoded
form. </p>
<li> <p> Header/body checks cannot filter on a combination of
<h2>Introduction</h2>
<p> Postfix version 2.3 introduces support for Delivery Status
-Notifications as described in <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a>. This gives senders control
+Notifications as described in <a href="https://tools.ietf.org/html/rfc3464">RFC 3464</a>. This gives senders control
over successful and failed delivery notifications. </p>
<p> Specifically, DSN support gives an email sender the ability to
</p> </blockquote>
<p> The elliptic curve standards are evolving, with new curves
-introduced in <a href="http://tools.ietf.org/html/rfc8031">RFC 8031</a> to augment or replace the NIST curves tarnished
+introduced in <a href="https://tools.ietf.org/html/rfc8031">RFC 8031</a> to augment or replace the NIST curves tarnished
by the Snowden revelations. Fortunately, TLS clients advertise
their list of supported curves to the server so that servers can
choose newer stronger curves when mutually supported. OpenSSL 1.0.2
<li> <p> The SMTP server now requires that IPv6 addresses in SMTP
commands are specified as [ipv6:<i>ipv6address</i>], as
-described in <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a>. </p>
+described in <a href="https://tools.ietf.org/html/rfc2821">RFC 2821</a>. </p>
<li> <p> The IPv6 network address matching code was rewritten from
the ground up, and is expected to be closer to the specification.
search for any directory entries whose mailacceptinggeneralid
attribute is "ldapuser", read the "maildrop" attributes of those
found, and build a list of their maildrops, which will be treated
-as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to which the message will be delivered. </p>
+as <a href="https://tools.ietf.org/html/rfc822">RFC822</a> addresses to which the message will be delivered. </p>
<h2><a name="example_virtual">Example: virtual domains/addresses</a></h2>
<li>Prabhat K Singh: Wrote the initial Postfix LDAP lookups and connection caching.
-<li>Keith Stevenson: <a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a> escaping in queries.
+<li>Keith Stevenson: <a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a> escaping in queries.
<li>Samuel Tardieu: Noticed that searches could include wildcards, prompting
- the work on <a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a> escaping in queries. Spotted a bug
+ the work on <a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a> escaping in queries. Spotted a bug
in binding.
<li>Sami Haahtinen: Referral chasing and v3 support.
value ("<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> =") to disable this feature. </p>
<li> <p> Lines 6 and 13-15 redirect mail for postmaster to the
-local postmaster. <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> requires that every domain has a postmaster
+local postmaster. <a href="https://tools.ietf.org/html/rfc821">RFC 821</a> requires that every domain has a postmaster
address. </p>
</ul>
<p> SMTP clients outside the SMTP server's network need a different
way to get "same network" privileges. To address this need, Postfix
-supports SASL authentication (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>, formerly <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a>). With
+supports SASL authentication (<a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a>, formerly <a href="https://tools.ietf.org/html/rfc2554">RFC 2554</a>). With
this a remote SMTP client can authenticate to the Postfix SMTP
server, and the Postfix SMTP client can authenticate to a remote
SMTP server. Once a client is authenticated, a server can give it
<ul>
-<li> <p> Disallowing <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> address syntax (example: "MAIL FROM: the
+<li> <p> Disallowing <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> address syntax (example: "MAIL FROM: the
dude <dude@example.com>"). </p>
<li> <p> Disallowing addresses that are not enclosed with <>
<h2> Overview </h2>
<p> This document describes Postfix support for Email Address
-Internationalization (EAI) as defined in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a> (SMTPUTF8 extension),
-<a href="http://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized email headers) and <a href="http://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized
+Internationalization (EAI) as defined in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (SMTPUTF8 extension),
+<a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized email headers) and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized
delivery status notifications). Introduced with Postfix version
3.0, this fully supports UTF-8 email addresses and UTF-8 message
header values. </p>
<h3> No automatic conversions between ASCII and UTF-8 domain names. </h3>
-<p> Some background: According to <a href="http://tools.ietf.org/html/rfc6530">RFC 6530</a> and related documents,
+<p> Some background: According to <a href="https://tools.ietf.org/html/rfc6530">RFC 6530</a> and related documents,
an internationalized domain name can appear in two forms: the UTF-8
form, and the ASCII (xn--mumble) form. An internationalized address
localpart must be encoded in UTF-8; the RFCs do not define an ASCII
non-UTF-8 members. Postfix will try to deliver the non-UTF8 subscribers
over "traditional" non-SMTPUTF8 sessions, as long as the message
has an ASCII envelope sender address and all-ASCII header values.
-The mailing list manager may have to apply <a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a> encoding to
+The mailing list manager may have to apply <a href="https://tools.ietf.org/html/rfc2047">RFC 2047</a> encoding to
satisfy that last condition. </p>
<h3> Pre-existing non-ASCII email flows </h3>
requires that non-ASCII address information is encoded in UTF-8 and
will reject other encodings such as ISO-8859. It is not practical
for Postfix to support multiple encodings at the same time. There
-is no problem with <a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a> encodings such as "=?ISO-8859-1?Q?text?=",
+is no problem with <a href="https://tools.ietf.org/html/rfc2047">RFC 2047</a> encodings such as "=?ISO-8859-1?Q?text?=",
because those use only characters from the ASCII characterset. </p>
<h3> Rejecting non-ASCII addresses in non-SMTPUTF8 transactions </h3>
<li> <p> Lines 2-3: Substitute your fantasy hostname here. Do not
use a domain name that is already in use by real organizations
-on the Internet. See <a href="http://tools.ietf.org/html/rfc2606">RFC 2606</a> for examples of domain
+on the Internet. See <a href="https://tools.ietf.org/html/rfc2606">RFC 2606</a> for examples of domain
names that are guaranteed not to be owned by anyone. </p>
<li> <p> Lines 5, 9, 10: This provides the mapping from
<li> <p> Lines 2-3: Substitute your fantasy hostname here. Do not
use a domain name that is already in use by real organizations
-on the Internet. See <a href="http://tools.ietf.org/html/rfc2606">RFC 2606</a> for examples of domain
+on the Internet. See <a href="https://tools.ietf.org/html/rfc2606">RFC 2606</a> for examples of domain
names that are guaranteed not to be owned by anyone. </p>
<li> <p> Lines 5, 9, 10: This provides the mapping from
SMTP mail or with SASL authentication.
<p> Postfix version 2.2 introduces support for TLS as described in
-<a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a>. TLS Support for older Postfix versions was available as
+<a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a>. TLS Support for older Postfix versions was available as
an add-on patch. The section "<a href="#compat">Compatibility with
Postfix < 2.2 TLS support</a>" below discusses the differences
between these implementations. </p>
<p> You can ENFORCE the use of TLS, so that the Postfix SMTP server
announces STARTTLS and accepts no mail without TLS encryption, by
-setting "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes". According to <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> this MUST
+setting "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes". According to <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> this MUST
NOT be applied in case of a publicly-referenced Postfix SMTP server.
This option is off by default and should only seldom be used. </p>
<p> Cached Postfix SMTP server session information expires after
a certain amount of time. Postfix/TLS does not use the OpenSSL
-default of 300s, but a longer time of 3600sec (=1 hour). <a href="http://tools.ietf.org/html/rfc2246">RFC 2246</a>
+default of 300s, but a longer time of 3600sec (=1 hour). <a href="https://tools.ietf.org/html/rfc2246">RFC 2246</a>
recommends a maximum of 24 hours. </p>
<p> Example: </p>
<p> Cached Postfix SMTP client session information expires after
a certain amount of time. Postfix/TLS does not use the OpenSSL
-default of 300s, but a longer time of 3600s (=1 hour). <a href="http://tools.ietf.org/html/rfc2246">RFC 2246</a>
+default of 300s, but a longer time of 3600s (=1 hour). <a href="https://tools.ietf.org/html/rfc2246">RFC 2246</a>
recommends a maximum of 24 hours. </p>
<p> Example: </p>
<p> Enforcing the use of TLS is useful if you know that you will
only
-connect to servers that support <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> _and_ that present server
+connect to servers that support <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> _and_ that present server
certificates that meet the above requirements. An example would
be a client only sends email to one specific mailhub that offers
the necessary STARTTLS support. </p>
<h3> <a name="client_tls_nopeer"> Disabling server certificate
verification </a> </h3>
-<p> As of <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> the requirements for hostname checking for MTA
+<p> As of <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> the requirements for hostname checking for MTA
clients are not set. When TLS is required (<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes),
the option <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> can be set to "no" to disable
strict remote SMTP server hostname checking. In this case, the mail
Most sites only have RSA certificates. You can configure all three
at the same time, in which case the ciphersuite negotiated with the
remote SMTP client determines which certificate is used. If your
-DNS zone is signed, and you want to publish DANE TLSA (<a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a>,
-<a href="http://tools.ietf.org/html/rfc7671">RFC 7671</a>, <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a>) records, these must match all of the configured
+DNS zone is signed, and you want to publish DANE TLSA (<a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a>,
+<a href="https://tools.ietf.org/html/rfc7671">RFC 7671</a>, <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>) records, these must match all of the configured
certificate chains. Since the best practice is to publish "3 1 1"
certificate associations, create a separate TLSA record to match
each public-key certificate digest. </p>
</pre>
</blockquote>
-<li> <p> If you publish DANE TLSA (<a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a>, <a href="http://tools.ietf.org/html/rfc7671">RFC 7671</a>, <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a>)
+<li> <p> If you publish DANE TLSA (<a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a>, <a href="https://tools.ietf.org/html/rfc7671">RFC 7671</a>, <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>)
"2 0 1" or "2 1 1" records to specify root CA certificate digests,
you must include the corresponding root CA certificates in the
"server.pem" certificate file. </p>
<p> <a name="server_enforce">You can ENFORCE the use of TLS</a>,
so that the Postfix SMTP server announces STARTTLS and accepts no
mail without TLS encryption, by setting
-"<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt". According to <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> this
+"<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt". According to <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> this
MUST NOT be applied in case
of a publicly-referenced Postfix SMTP server. This option is off
by default and should only seldom be used. </p>
<p> Starting with Postfix 2.11, linked with a compatible OpenSSL
library (at least 0.9.8h, preferably 1.0.0 or later) the Postfix
-SMTP server supports <a href="http://tools.ietf.org/html/rfc5077">RFC 5077</a> TLS session resumption without
-server-side state when the remote SMTP client also supports <a href="http://tools.ietf.org/html/rfc5077">RFC</a>
-<a href="http://tools.ietf.org/html/rfc5077">5077</a>. The session is encrypted by the server in a <i>session
+SMTP server supports <a href="https://tools.ietf.org/html/rfc5077">RFC 5077</a> TLS session resumption without
+server-side state when the remote SMTP client also supports <a href="https://tools.ietf.org/html/rfc5077">RFC</a>
+<a href="https://tools.ietf.org/html/rfc5077">5077</a>. The session is encrypted by the server in a <i>session
ticket</i> returned to client for storage. When a client sends a
valid session ticket, the server decrypts it and resumes the session,
provided neither the ticket nor the session have expired. This
<p> Cached Postfix SMTP server session information expires after
a certain amount of time. Postfix/TLS does not use the OpenSSL
-default of 300s, but a longer time of 3600sec (=1 hour). <a href="http://tools.ietf.org/html/rfc2246">RFC 2246</a>
+default of 300s, but a longer time of 3600sec (=1 hour). <a href="https://tools.ietf.org/html/rfc2246">RFC 2246</a>
recommends a maximum of 24 hours. </p>
<p> Example: </p>
<h4><a name="client_tls_dane">DANE TLS authentication.</a> </h4>
<p> The Postfix SMTP client supports two TLS security levels based
-on DANE TLSA (<a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a>, <a href="http://tools.ietf.org/html/rfc7671">RFC 7671</a>, <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a>) records. The opportunistic
+on DANE TLSA (<a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a>, <a href="https://tools.ietf.org/html/rfc7671">RFC 7671</a>, <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>) records. The opportunistic
"dane" level and the mandatory "dane-only" level. </p>
<p> The "dane" level is a stronger form of <a
href="#client_tls_may">opportunistic</a> TLS that is resistant to
man in the middle and downgrade attacks when the destination domain
uses DNSSEC to publish DANE TLSA records for its MX hosts. If a
-remote SMTP server has "usable" (see section 3 of <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a>) DANE
+remote SMTP server has "usable" (see section 3 of <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>) DANE
TLSA records, the server connection will be authenticated. When
DANE authentication fails, there is no fallback to unauthenticated
or plaintext delivery. </p>
configured to send its DNS queries to a recursive DNS nameserver
that is able to validate the signed records. Each MX host's DNS
zone needs to also be signed, and needs to publish DANE TLSA (see
-section 3 of <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a>) records that specify how that MX host's TLS
+section 3 of <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>) records that specify how that MX host's TLS
certificate is to be verified. </p>
<p> TLSA records do not preempt the normal SMTP MX host
parameter. The <a href="postconf.5.html#tls_dane_digests">tls_dane_digests</a> parameter controls the list of
supported digests. </p>
-<p> As explained in section 3 of <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a>, certificate usages "0"
+<p> As explained in section 3 of <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>, certificate usages "0"
and "1", which are intended to "constrain" existing Web-PKI trust,
are not supported with MTA-to-MTA SMTP. Rather, TLSA records with
usages "0" and "1" are treated as "unusable". </p>
security level is treated like a "mandatory" TLS security level,
and weak ciphers and protocols are disabled. Since DANE authenticates
server certificates the "aNULL" cipher-suites are transparently
-excluded at this level, no need to configure this manually. <a href="http://tools.ietf.org/html/rfc7672">RFC</a>
-<a href="http://tools.ietf.org/html/rfc7672">7672</a> (DANE) TLS authentication is available with Postfix 2.11 and
+excluded at this level, no need to configure this manually. <a href="https://tools.ietf.org/html/rfc7672">RFC</a>
+<a href="https://tools.ietf.org/html/rfc7672">7672</a> (DANE) TLS authentication is available with Postfix 2.11 and
later. </p>
<p> When a DANE TLSA record specifies a trust-anchor (TA) certificate
<p> Mandatory server certificate verification as a default security
level may be appropriate if you know that you will only connect to
-servers that support <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> <i>and</i> that present verifiable
+servers that support <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> <i>and</i> that present verifiable
server certificates. An example would be a client that sends all
email to a central mailhub that offers the necessary STARTTLS
support. In such cases, you can often use a <a
<p> Mandatory secure server certificate verification as a default
security level may be appropriate if you know that you will only
-connect to servers that support <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> <i>and</i> that present
+connect to servers that support <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> <i>and</i> that present
verifiable server certificates. An example would be a client that
sends all email to a central mailhub that offers the necessary
STARTTLS support. </p>
<p> Cached Postfix SMTP client session information expires after
a certain amount of time. Postfix/TLS does not use the OpenSSL
-default of 300s, but a longer time of 3600s (=1 hour). <a href="http://tools.ietf.org/html/rfc2246">RFC 2246</a>
+default of 300s, but a longer time of 3600s (=1 hour). <a href="https://tools.ietf.org/html/rfc2246">RFC 2246</a>
recommends a maximum of 24 hours. </p>
<p> Example: </p>
obtained MX hostname, it is subject to a DNS man-in-the-middle
attack. </p>
-<p> Adoption of DNSSEC and <a href="http://tools.ietf.org/html/rfc6698">RFC6698</a> (DANE) may gradually (as domains
+<p> Adoption of DNSSEC and <a href="https://tools.ietf.org/html/rfc6698">RFC6698</a> (DANE) may gradually (as domains
implement DNSSEC and publish TLSA records for their MX hosts) address
the DNS man-in-the-middle risk and provide scalable key management
for SMTP with TLS. Postfix ≥ 2.11 supports the new <a
href="#client_tls_encrypt">encrypt</a>. When usable TLSA records
are obtained for the remote SMTP server, SSLv2+3 are automatically
disabled (see <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>), and the server certificate
-must match the TLSA records. <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE) TLS authentication
+must match the TLSA records. <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE) TLS authentication
and DNSSEC support is available with Postfix 2.11 and later. </dd>
<dt><b>dane-only</b></dt> <dd><a href="#client_tls_dane">Mandatory DANE TLS</a>.
connection is made to the server. When usable TLSA records are
obtained for the remote SMTP server, SSLv2+3 are automatically disabled
(see <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>), and the server certificate must
-match the TLSA records. <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE) TLS authentication and
+match the TLSA records. <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE) TLS authentication and
DNSSEC support is available with Postfix 2.11 and later. </dd>
<dt><b>fingerprint</b></dt> <dd><a href="#client_tls_fprint">Certificate
and recording of TLS use in the "Received" header. TLS session
caching is also enabled in the Postfix SMTP client. With Postfix
≥ 2.10, the SMTP server does not need an explicit session cache
-since session reuse is better handled via <a href="http://tools.ietf.org/html/rfc5077">RFC 5077</a> TLS session
+since session reuse is better handled via <a href="https://tools.ietf.org/html/rfc5077">RFC 5077</a> TLS session
tickets. </p>
<h3><a name="private-ca">Private Certification Authority</a></h3>
<ul>
- <li> <p> Attribute values are xtext encoded as per <a href="http://tools.ietf.org/html/rfc1891">RFC 1891</a>.
+ <li> <p> Attribute values are xtext encoded as per <a href="https://tools.ietf.org/html/rfc1891">RFC 1891</a>.
</p>
<li> <p> The NAME attribute specifies a remote SMTP client
<h2> References </h2>
<p> Moore, K, "SMTP Service Extension for Delivery Status Notifications",
-<a href="http://tools.ietf.org/html/rfc1891">RFC 1891</a>, January 1996. </p>
+<a href="https://tools.ietf.org/html/rfc1891">RFC 1891</a>, January 1996. </p>
</body>
<ul>
- <li> <p> Attribute values are xtext encoded as per <a href="http://tools.ietf.org/html/rfc1891">RFC 1891</a>.
+ <li> <p> Attribute values are xtext encoded as per <a href="https://tools.ietf.org/html/rfc1891">RFC 1891</a>.
</p>
<li> <p> The NAME attribute specifies the up-stream hostname,
<h2> References </h2>
<p> Moore, K, "SMTP Service Extension for Delivery Status Notifications",
-<a href="http://tools.ietf.org/html/rfc1891">RFC 1891</a>, January 1996. </p>
+<a href="https://tools.ietf.org/html/rfc1891">RFC 1891</a>, January 1996. </p>
</body>
<b>REJECT ACTIONS</b>
Postfix version 2.3 and later support enhanced status codes as defined
- in <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a>. When no code is specified at the beginning of the <i>text</i>
+ in <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a>. When no code is specified at the beginning of the <i>text</i>
below, Postfix inserts a default enhanced status code of "5.7.1" in the
case of reject actions, and "4.7.1" in the case of defer actions. See
"ENHANCED STATUS CODES" below.
<b>ENHANCED STATUS CODES</b>
Postfix version 2.3 and later support enhanced status codes as defined
- in <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a>. When an enhanced status code is specified in an access
+ in <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a>. When an enhanced status code is specified in an access
table, it is subject to modification. The following transformations are
needed when the same access table is used for client, helo, sender, or
recipient access restrictions; they happen regardless of whether Post-
The <i>value</i> contains one or more of the following:
<i>address</i>
- Mail is forwarded to <i>address</i>, which is compatible with the <a href="http://tools.ietf.org/html/rfc822">RFC</a>
- <a href="http://tools.ietf.org/html/rfc822">822</a> standard.
+ Mail is forwarded to <i>address</i>, which is compatible with the <a href="https://tools.ietf.org/html/rfc822">RFC</a>
+ <a href="https://tools.ietf.org/html/rfc822">822</a> standard.
<i>/file/name</i>
Mail is appended to <i>/file/name</i>. See <a href="local.8.html"><b>local</b>(8)</a> for details of
while expanding aliases or .forward files.
<b>STANDARDS</b>
- <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+ <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
<b>SEE ALSO</b>
<a href="local.8.html">local(8)</a>, local delivery agent
and that depend on retry logic in their own client.
<b>STANDARDS</b>
- <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
- <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
- <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
- <a href="http://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
- <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
- <a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
- <a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
- <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
- <a href="http://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized Message Format)
- <a href="http://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
+ <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+ <a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
+ <a href="https://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
+ <a href="https://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
+ <a href="https://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
+ <a href="https://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
+ <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
+ <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
+ <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized Message Format)
+ <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
trouble.
<b>STANDARDS</b>
- <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
- <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (MIME: Format of Internet Message Bodies)
- <a href="http://tools.ietf.org/html/rfc2046">RFC 2046</a> (MIME: Media Types)
- <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
- <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
- <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery status notifications)
- <a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
+ <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+ <a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a> (MIME: Format of Internet Message Bodies)
+ <a href="https://tools.ietf.org/html/rfc2046">RFC 2046</a> (MIME: Media Types)
+ <a href="https://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
+ <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
+ <a href="https://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery status notifications)
+ <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
Enable preliminary SMTPUTF8 support for the protocols described
- in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
+ in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
<b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
Detect that a message requires SMTPUTF8 support for the speci-
and that depend on retry logic in their own client.
<b>STANDARDS</b>
- <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
- <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
- <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
- <a href="http://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
- <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
- <a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
- <a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
- <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
- <a href="http://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized Message Format)
- <a href="http://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
+ <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+ <a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
+ <a href="https://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
+ <a href="https://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
+ <a href="https://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
+ <a href="https://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
+ <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
+ <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
+ <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized Message Format)
+ <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
the queue manager. Each request specifies a queue file, a sender
address, a next-hop destination that is treated as the reason for dis-
carding the mail, and recipient information. The reason may be pre-
- fixed with an <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a>-compatible detail code. This program expects to
+ fixed with an <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a>-compatible detail code. This program expects to
be run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.
The <a href="discard.8.html"><b>discard</b>(8)</a> delivery agent pretends to deliver all recipients in the
the network, and can be run chrooted at fixed low privilege.
<b>STANDARDS</b>
- <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
+ <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
the queue manager. Each request specifies a queue file, a sender
address, the reason for non-delivery (specified as the next-hop desti-
nation), and recipient information. The reason may be prefixed with an
- <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a>-compatible detail code; if none is specified a default 4.0.0
+ <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a>-compatible detail code; if none is specified a default 4.0.0
or 5.0.0 code is used instead. This program expects to be run from the
<a href="master.8.html"><b>master</b>(8)</a> process manager.
network, and can be run chrooted at fixed low privilege.
<b>STANDARDS</b>
- <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
+ <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
Note 1: the BCC address is added as if it was specified with
NOTIFY=NONE. The sender will not be notified when the BCC
address is undeliverable, as long as all down-stream software
- implements <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a>.
+ implements <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a>.
Note 2: this ignores duplicate addresses (with the same delivery
status notification options).
line at a time. A decision made for one line is not carried over
to the next line.
- <b>o</b> If text in the message body is encoded (<a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a>) then the rules
+ <b>o</b> If text in the message body is encoded (<a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a>) then the rules
need to be specified for the encoded form.
- <b>o</b> Likewise, when message headers are encoded (<a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a>) then the
+ <b>o</b> Likewise, when message headers are encoded (<a href="https://tools.ietf.org/html/rfc2047">RFC 2047</a>) then the
rules need to be specified for the encoded form.
Message headers added by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon itself are excluded from
<a href="postmap.1.html">postmap(1)</a>, Postfix lookup table management
<a href="postsuper.1.html">postsuper(1)</a>, Postfix janitor
<a href="postcat.1.html">postcat(1)</a>, show Postfix queue file contents
- <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a>, base64 and quoted-printable encoding rules
- <a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a>, message header encoding for non-ASCII text
+ <a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a>, base64 and quoted-printable encoding rules
+ <a href="https://tools.ietf.org/html/rfc2047">RFC 2047</a>, message header encoding for non-ASCII text
<b>README FILES</b>
<a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
timeout = 5
<b>search_base (No default; you must configure this)</b>
- The <a href="http://tools.ietf.org/html/rfc2253">RFC2253</a> base DN at which to conduct the search, e.g.
+ The <a href="https://tools.ietf.org/html/rfc2253">RFC2253</a> base DN at which to conduct the search, e.g.
search_base = dc=your, dc=com
<b>%%</b> This is replaced by a literal '%' character.
- <b>%s</b> This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a> quoting is
+ <b>%s</b> This is replaced by the input key. <a href="https://tools.ietf.org/html/rfc2253">RFC 2253</a> quoting is
used to make sure that the input key does not add unex-
pected metacharacters.
<b>%u</b> When the input key is an address of the form user@domain,
- <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted local part of the
+ <b>%u</b> is replaced by the (<a href="https://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted local part of the
address. Otherwise, <b>%u</b> is replaced by the entire search
string. If the localpart is empty, the search is sup-
pressed and returns no results.
<b>%d</b> When the input key is an address of the form user@domain,
- <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted domain part of
+ <b>%d</b> is replaced by the (<a href="https://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted domain part of
the address. Otherwise, the search is suppressed and
returns no results.
pressed and returns no results.
<b>query_filter (default: mailacceptinggeneralid=%s)</b>
- The <a href="http://tools.ietf.org/html/rfc2254">RFC2254</a> filter used to search the directory, where <b>%s</b> is a
+ The <a href="https://tools.ietf.org/html/rfc2254">RFC2254</a> filter used to search the directory, where <b>%s</b> is a
substitute for the address Postfix is trying to resolve, e.g.
query_filter = (&(mail=%s)(paid_up=true))
<b>%%</b> This is replaced by a literal '%' character. (Postfix 2.2
and later).
- <b>%s</b> This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a> quoting is
+ <b>%s</b> This is replaced by the input key. <a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a> quoting is
used to make sure that the input key does not add unex-
pected metacharacters.
<b>%u</b> When the input key is an address of the form user@domain,
- <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted local part of the
+ <b>%u</b> is replaced by the (<a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted local part of the
address. Otherwise, <b>%u</b> is replaced by the entire search
string. If the localpart is empty, the search is sup-
pressed and returns no results.
<b>%d</b> When the input key is an address of the form user@domain,
- <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted domain part of
+ <b>%d</b> is replaced by the (<a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted domain part of
the address. Otherwise, the search is suppressed and
returns no results.
<b>special_result_attribute (default: empty)</b>
The attribute(s) of directory entries that can contain DNs or
- <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a> LDAP URLs. If found, a recursive search is performed to
+ <a href="https://tools.ietf.org/html/rfc2255">RFC 2255</a> LDAP URLs. If found, a recursive search is performed to
retrieve the entry referenced by the DN, or the entries matched
by the URL query.
special, leaf or terminal) in the Postfix table definition. If
the URL lists any of the table's special result attributes,
these are retrieved and used recursively. A URL that does not
- specify any attribute selection, is equivalent (<a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a>) to a
+ specify any attribute selection, is equivalent (<a href="https://tools.ietf.org/html/rfc2255">RFC 2255</a>) to a
URL that selects all attributes, in which case the selected
attributes will be the full set of result attributes in the
Postfix table.
If an LDAP URL attribute-descriptor or the corresponding Postfix
- LDAP table result attribute (but not both) uses <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a>
+ LDAP table result attribute (but not both) uses <a href="https://tools.ietf.org/html/rfc2255">RFC 2255</a>
sub-type options ("attr;option"), the attribute requested from
the LDAP server will include the sub-type option. In all other
cases, the URL attribute and the table attribute must match
ing at port 389 on ldap.example.com. It will bind anonymously, search
for any directory entries whose mailacceptinggeneralid attribute is
"ldapuser", read the "maildrop" attributes of those found, and build a
- list of their maildrops, which will be treated as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to
+ list of their maildrops, which will be treated as <a href="https://tools.ietf.org/html/rfc822">RFC822</a> addresses to
which the message will be delivered.
<b>OBSOLETE MAIN.CF PARAMETERS</b>
low privilege.
<b>STANDARDS</b>
- <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
- <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
- <a href="http://tools.ietf.org/html/rfc1651">RFC 1651</a> (SMTP service extensions)
- <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
- <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
- <a href="http://tools.ietf.org/html/rfc2033">RFC 2033</a> (LMTP protocol)
- <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes)
- <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (MIME: Format of Internet Message Bodies)
- <a href="http://tools.ietf.org/html/rfc2046">RFC 2046</a> (MIME: Media Types)
- <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
- <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
- <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
- <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
- <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
- <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
- <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)
- <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol)
- <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
- <a href="http://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
- <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a> (SMTP security via opportunistic DANE TLS)
+ <a href="https://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
+ <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+ <a href="https://tools.ietf.org/html/rfc1651">RFC 1651</a> (SMTP service extensions)
+ <a href="https://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
+ <a href="https://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
+ <a href="https://tools.ietf.org/html/rfc2033">RFC 2033</a> (LMTP protocol)
+ <a href="https://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes)
+ <a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a> (MIME: Format of Internet Message Bodies)
+ <a href="https://tools.ietf.org/html/rfc2046">RFC 2046</a> (MIME: Media Types)
+ <a href="https://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
+ <a href="https://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
+ <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
+ <a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
+ <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
+ <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
+ <a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)
+ <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol)
+ <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
+ <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
+ <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (SMTP security via opportunistic DANE TLS)
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
<b><a href="postconf.5.html#smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a> (yes)</b>
Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO
- commands as required by <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+ commands as required by <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
<b><a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a> (empty)</b>
A mechanism to transform replies from remote SMTP servers one
Available in Postfix version 2.11-3.1:
<b><a href="postconf.5.html#tls_dane_digest_agility">tls_dane_digest_agility</a> (on)</b>
- Configure <a href="http://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
+ Configure <a href="https://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
<b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b>
- Enable support for <a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
+ Enable support for <a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
digests of trust-anchors with certificate usage "2".
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
Enable preliminary SMTPUTF8 support for the protocols described
- in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
+ in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
<b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
Detect that a message requires SMTPUTF8 support for the speci-
follow the conventions defined in <<b>sysexits.h</b>>. Exit status 0 means
normal successful completion.
- Postfix version 2.3 and later support <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a>-style enhanced status
+ Postfix version 2.3 and later support <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a>-style enhanced status
codes. If a command terminates with a non-zero exit status, and the
command output begins with an enhanced status code, this status code
takes precedence over the non-zero exit status.
the <b><a href="postconf.5.html#default_privs">default_privs</a></b> configuration parameter.
<b>STANDARDS</b>
- <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
- <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
+ <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+ <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
This feature is available as of Postfix version 2.5.
<b>Private (default: y)</b>
- Whether or not access is restricted to the mail system. Inter-
- net (type <b>inet</b>) services can't be private.
+ Whether a service is internal to Postfix (pathname starts with
+ <b>private/</b>), or exposed through Postfix command-line tools (path-
+ name starts with <b>public/</b>). Internet (type <b>inet</b>) services can't
+ be private.
<b>Unprivileged (default: y)</b>
Whether the service runs with root privileges or as the owner of
queue manager of the arrival of new mail one would request <b>I</b>.
<b>STANDARDS</b>
- <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
- <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery status notifications)
+ <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
+ <a href="https://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery status notifications)
<b>SECURITY</b>
The <a href="qmgr.8.html"><b>oqmgr</b>(8)</a> daemon is not security sensitive. It reads single-charac-
command-line <b>$sender</b>, <b>$original_recipient</b> and <b>$recipient</b>
address localparts (text to the left of the right-most <b>@</b>
character), according to an 8-bit transparent version of
- <a href="http://tools.ietf.org/html/rfc822">RFC 822</a>. This is recommended for delivery via <b>UUCP</b> or
+ <a href="https://tools.ietf.org/html/rfc822">RFC 822</a>. This is recommended for delivery via <b>UUCP</b> or
<b>BSMTP</b>.
The result is compatible with the address parsing of com-
<b>${sasl_sender}</b>
This macro expands to the SASL sender name (i.e. the
- original submitter as per <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>) in the MAIL FROM com-
+ original submitter as per <a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a>) in the MAIL FROM com-
mand when the Postfix SMTP server received the message.
This feature is available as of Postfix 2.2.
ing.
<b>STANDARDS</b>
- <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
+ <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
<b>DIAGNOSTICS</b>
Command exit status codes are expected to follow the conventions
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
Enable preliminary SMTPUTF8 support for the protocols described
- in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
+ in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
The initial OpenLDAP LMDB database size limit in bytes.
<b>STANDARDS</b>
- <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+ <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
<b>SEE ALSO</b>
<a href="aliases.5.html">aliases(5)</a>, format of alias database input file.
</p>
<p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
</p>
<p>
</p>
<p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
</p>
Note: with Postfix 2.3 and later the BCC address is added as if it
was specified with NOTIFY=NONE. The sender will not be notified
when the BCC address is undeliverable, as long as all down-stream
-software implements <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a>.
+software implements <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a>.
</p>
<p>
<p>
Enable interoperability with remote SMTP clients that implement an obsolete
-version of the AUTH command (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>). Examples of such clients
+version of the AUTH command (<a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a>). Examples of such clients
are MicroSoft Outlook Express version 4 and MicroSoft Exchange
version 5.0.
</p>
<a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> configuration parameter. Note: The numerical
SMTP response code is required, and must appear at the start of the
reply. With Postfix version 2.3 and later this information may be followed
-by an <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> enhanced status code. </dd>
+by an <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> enhanced status code. </dd>
<dt><b>$rbl_domain</b></dt>
</p>
<p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
</p>
(default: no)</b></DT><DD>
<p> Enable a workaround for future libc incompatibility. The Postfix
-implementation of <a href="http://tools.ietf.org/html/rfc2308">RFC 2308</a> negative reply caching relies on the
+implementation of <a href="https://tools.ietf.org/html/rfc2308">RFC 2308</a> negative reply caching relies on the
promise that res_query() and res_search() invoke res_send(), which
returns the server response in an application buffer even if the
requested record does not exist. If this promise is broken, specify
3.3. </p>
<li> <p> In the <b>standard</b> form, the <i>name</i> will be quoted
-if it contains <b>specials</b> as defined in <a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a>, or the "!%"
+if it contains <b>specials</b> as defined in <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a>, or the "!%"
address operators. </p>
<li> <p> The Postfix <a href="sendmail.1.html">sendmail(1)</a> command gets <i>name</i> information
<p> Note: you MUST stop and start Postfix after changing this
parameter. </p>
-<p> On systems that pre-date IPV6_V6ONLY support (<a href="http://tools.ietf.org/html/rfc3493">RFC 3493</a>), an
+<p> On systems that pre-date IPV6_V6ONLY support (<a href="https://tools.ietf.org/html/rfc3493">RFC 3493</a>), an
IPv6 server will also accept IPv4 connections, even when IPv4 is
turned off with the <a href="postconf.5.html#inet_protocols">inet_protocols</a> parameter. On systems with
IPV6_V6ONLY support, Postfix will use separate server sockets for
Postfix will look up DNS type A records, and will convert
IPv4-in-IPv6 client IP addresses (::ffff:1.2.3.4) to their original
IPv4 form (1.2.3.4). The latter is needed on hosts that pre-date
-IPV6_V6ONLY support (<a href="http://tools.ietf.org/html/rfc3493">RFC 3493</a>). </p>
+IPV6_V6ONLY support (<a href="https://tools.ietf.org/html/rfc3493">RFC 3493</a>). </p>
<p> When IPv6 support is enabled via the <a href="postconf.5.html#inet_protocols">inet_protocols</a> parameter,
Postfix will do DNS type AAAA record lookups. </p>
</p>
<p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
</p>
<dt><b><a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a> </b></dt>
<dd> Append the domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or $<a href="postconf.5.html#mydomain">mydomain</a> when the
-client is successfully authenticated via the <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH)
+client is successfully authenticated via the <a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH)
protocol. </dd>
<dt><b><a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a> </b></dt>
</p>
<p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
</p>
</p>
<p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
</p>
<p>
Note: with Postfix 2.3 and later the BCC address is added as if it
was specified with NOTIFY=NONE. The sender will not be notified
when the BCC address is undeliverable, as long as all down-stream
-software implements <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a>.
+software implements <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a>.
</p>
<p>
</p>
<p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
</p>
</p>
<p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
</p>
looking inside quotes. </p>
<p> By default, the Postfix address resolver does not quote the
-address localpart as per <a href="http://tools.ietf.org/html/rfc822">RFC 822</a>, so that additional @ or % or !
+address localpart as per <a href="https://tools.ietf.org/html/rfc822">RFC 822</a>, so that additional @ or % or !
operators remain visible. This behavior is safe but it is also
technically incorrect. </p>
Note: with Postfix 2.3 and later the BCC address is added as if it
was specified with NOTIFY=NONE. The sender will not be notified
when the BCC address is undeliverable, as long as all down-stream
-software implements <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a>.
+software implements <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a>.
</p>
<p>
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> option. </p>
<p> This option is useful only if you are definitely sure that you
-will only connect to servers that support <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> _and_ that
+will only connect to servers that support <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> _and_ that
provide valid server certificates. Typical use is for clients that
send all their email to a dedicated mailhub. </p>
<p>
Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands
as required
-by <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>. This includes putting quotes around an address localpart
+by <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>. This includes putting quotes around an address localpart
that ends in ".".
</p>
<p>
-The default is to comply with <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>. If you have to send mail to
+The default is to comply with <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>. If you have to send mail to
a broken SMTP server, configure a special SMTP client in <a href="master.5.html">master.cf</a>:
</p>
<p> By default, the Postfix SMTP client moves on the next mail
exchanger. Specify "<a href="postconf.5.html#smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a> = no" if Postfix should
bounce the mail immediately. Caution: the latter behavior appears
-to contradict <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a>. </p>
+to contradict <a href="https://tools.ietf.org/html/rfc2821">RFC 2821</a>. </p>
</DD>
<p> With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP server
-certificate. As of <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> the requirements for hostname checking
+certificate. As of <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> the requirements for hostname checking
for MTA clients are not specified. </p>
<p> This option can be set to "no" to disable strict peer name
found, but none are usable, the effective security level is <a
href="TLS_README.html#client_tls_encrypt">encrypt</a>. When usable
TLSA records are obtained for the remote SMTP server, the
-server certificate must match the TLSA records. <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE)
+server certificate must match the TLSA records. <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE)
TLS authentication and DNSSEC support is available with Postfix
2.11 and later. The optional "connection_reuse" attribute (Postfix
≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter.
obtained via TLSA records in DNSSEC. If no TLSA records are found,
or none are usable, no connection is made to the server. When
usable TLSA records are obtained for the remote SMTP server, the
-server certificate must match the TLSA records. <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE) TLS
+server certificate must match the TLSA records. <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE) TLS
authentication and DNSSEC support is available with Postfix 2.11
and later. The optional "connection_reuse" attribute (Postfix ≥
3.4) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter.
signed and the Postfix SMTP client's operating system must be
configured to send its DNS queries to a recursive DNS nameserver
that is able to validate the signed records. Each MX host's DNS
-zone should also be signed, and should publish DANE TLSA (<a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a>)
+zone should also be signed, and should publish DANE TLSA (<a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>)
records that specify how that MX host's TLS certificate is to be
verified. TLSA records do not preempt the normal SMTP MX host
selection algorithm, if some MX hosts support TLSA and others do
is treated like a "mandatory" TLS security level, and weak ciphers
and protocols are disabled. Since DANE authenticates server
certificates the "aNULL" cipher-suites are transparently excluded
-at this level, no need to configure this manually. <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE)
+at this level, no need to configure this manually. <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE)
TLS authentication is available with Postfix 2.11 and later. </dd>
<dt><b><a href="TLS_README.html#client_tls_dane">dane-only</a></b></dt>
<dd>Mandatory DANE TLS. This is just like "dane" above, but DANE
TLSA authentication is required. There is no fallback to "may" or
-"encrypt" when TLSA records are missing or unusable. <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a>
+"encrypt" when TLSA records are missing or unusable. <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>
(DANE) TLS authentication is available with Postfix 2.11 and later.
</dd>
<p> Optional name to send to the remote SMTP server in the TLS Server
Name Indication (SNI) extension. The SNI extension is always on when
DANE is used to authenticate the server, and in that case the SNI name
-sent is the one required by <a href="http://tools.ietf.org/html/rfc7672">RFC7672</a> and this parameter is ignored. </p>
+sent is the one required by <a href="https://tools.ietf.org/html/rfc7672">RFC7672</a> and this parameter is ignored. </p>
<p> Some SMTP servers use the received SNI name to select an appropriate
certificate chain to present to the client. While this may improve
per-destination basis via the "tafile" attribute of the "verify"
and "secure" levels in <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>. </p>
-<p> The underlying mechanism is in support of <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE TLSA),
+<p> The underlying mechanism is in support of <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE TLSA),
which defines mechanisms for an SMTP client MTA to securely determine
server TLS certificates via DNS. </p>
<dt><b><a name="permit_sasl_authenticated">permit_sasl_authenticated</a></b></dt>
<dd> Permit the request when the client is successfully
-authenticated via the <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH) protocol. </dd>
+authenticated via the <a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH) protocol. </dd>
<dt><b><a name="permit_tls_all_clientcerts">permit_tls_all_clientcerts</a></b></dt>
(default: no)</b></DT><DD>
<p> Mandatory TLS: announce STARTTLS support to remote SMTP clients,
-and require that clients use TLS encryption. According to <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a>
+and require that clients use TLS encryption. According to <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a>
this MUST NOT be applied in case of a publicly-referenced SMTP
server. This option is therefore off by default. </p>
When the client's "initial response" is longer than the normal limit for
SMTP commands, the client must omit its initial response, and wait for an
empty server challenge; it can then send what would have been its "initial
-response" as a response to the empty server challenge. <a href="http://tools.ietf.org/html/rfc4954">RFC4954</a> requires the
+response" as a response to the empty server challenge. <a href="https://tools.ietf.org/html/rfc4954">RFC4954</a> requires the
server to accept client responses up to at least 12288 octets of
base64-encoded text. The default value is therefore also the minimum value
accepted for this parameter.</p>
<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption: announce
STARTTLS support to remote SMTP clients, and require that clients use TLS
-encryption. According to <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> this MUST NOT be applied in case
+encryption. According to <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> this MUST NOT be applied in case
of a publicly-referenced SMTP server. Instead, this option should
be used only on dedicated servers. </dd>
<a href="postconf.5.html#data_directory">data_directory</a>, and a warning is logged. </p>
<p> As of Postfix 2.11 the preferred mechanism for session resumption
-is <a href="http://tools.ietf.org/html/rfc5077">RFC 5077</a> TLS session tickets, which don't require server-side
+is <a href="https://tools.ietf.org/html/rfc5077">RFC 5077</a> TLS session tickets, which don't require server-side
storage. Consequently, for Postfix ≥ 2.11 this parameter should
generally be left empty. TLS session tickets require an OpenSSL
library (at least version 0.9.8h) that provides full support for
<p> As of Postfix 2.11 this setting cannot exceed 100 days. If set
≤ 0, session caching is disabled, not just via the database, but
-also via <a href="http://tools.ietf.org/html/rfc5077">RFC 5077</a> TLS session tickets, which don't require server-side
+also via <a href="https://tools.ietf.org/html/rfc5077">RFC 5077</a> TLS session tickets, which don't require server-side
storage. If set to a positive value less than 2 minutes, the minimum
value of 2 minutes is used instead. TLS session tickets require
an OpenSSL library (at least version 0.9.8h) that provides full
(default: yes)</b></DT><DD>
<p> Enable preliminary SMTPUTF8 support for the protocols described
-in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533. This requires that Postfix is built to support
+in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533. This requires that Postfix is built to support
these protocols. </p>
<p> This feature is available in Postfix 3.0 and later. </p>
<p>
Require that addresses received in SMTP MAIL FROM and RCPT TO
commands are enclosed with <>, and that those addresses do
-not contain <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> style comments or phrases. This stops mail
+not contain <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> style comments or phrases. This stops mail
from poorly written software.
</p>
<p>
-By default, the Postfix SMTP server accepts <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> syntax in MAIL
+By default, the Postfix SMTP server accepts <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> syntax in MAIL
FROM and RCPT TO addresses.
</p>
<DT><b><a name="tls_dane_digest_agility">tls_dane_digest_agility</a>
(default: on)</b></DT><DD>
-<p> Configure <a href="http://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
+<p> Configure <a href="https://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
Do not change this setting from its default value. </p>
-<p> See Section 8 of <a href="http://tools.ietf.org/html/rfc7671">RFC7671</a> for correct key rotation procedures. </p>
+<p> See Section 8 of <a href="https://tools.ietf.org/html/rfc7671">RFC7671</a> for correct key rotation procedures. </p>
<p> This feature is available in Postfix 2.11 through 3.1. Postfix
3.2 and later ignore this configuration parameter and behave as
<DT><b><a name="tls_dane_digests">tls_dane_digests</a>
(default: sha512 sha256)</b></DT><DD>
-<p> DANE TLSA (<a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a>, <a href="http://tools.ietf.org/html/rfc7671">RFC 7671</a>, <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a>) resource-record "matching
+<p> DANE TLSA (<a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a>, <a href="https://tools.ietf.org/html/rfc7671">RFC 7671</a>, <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>) resource-record "matching
type" digest algorithms in descending preference order. All the
specified algorithms must be supported by the underlying OpenSSL
library, otherwise the Postfix SMTP client will not support DANE
<p> Note: It is unwise to omit sha256 from the digest list. This
digest algorithm is the only mandatory to implement digest algorithm
-in <a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a>, and many servers are expected publish TLSA records
+in <a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a>, and many servers are expected publish TLSA records
with just sha256 digests. Unless one of the standard digests is
seriously compromised and servers have had ample time to update their
TLSA records you should not omit any standard digests, just arrange
<DT><b><a name="tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a>
(default: yes)</b></DT><DD>
-<p> Enable support for <a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
+<p> Enable support for <a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
digests of trust-anchors with certificate usage "2". Do not change
this setting from its default value. </p>
SMTP client and server. These curves are used by the Postfix SMTP
server when "<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> = auto". The selected curves
must be implemented by OpenSSL and be standardized for use in TLS
-(<a href="http://tools.ietf.org/html/rfc4492">RFC 4492</a> or its imminent successor). It is unwise to list only
+(<a href="https://tools.ietf.org/html/rfc4492">RFC 4492</a> or its imminent successor). It is unwise to list only
"bleeding-edge" curves supported by a small subset of clients. The
default list is suitable for most users. </p>
<p> Postfix skips curve names that are unknown to OpenSSL, or that
are known but not yet implemented. This makes it possible to
"anticipate" support for curves that should be used once they become
-available. In particular, in some OpenSSL versions, the new <a href="http://tools.ietf.org/html/rfc8031">RFC</a>
-<a href="http://tools.ietf.org/html/rfc8031">8031</a> curves "X25519" and "X448" may be known by name, but ECDH
+available. In particular, in some OpenSSL versions, the new <a href="https://tools.ietf.org/html/rfc8031">RFC</a>
+<a href="https://tools.ietf.org/html/rfc8031">8031</a> curves "X25519" and "X448" may be known by name, but ECDH
support for either or both may be missing. These curves may appear
in the default value of this parameter, even though they'll only
be usable with later versions of OpenSSL. </p>
strong" means approximately 128-bit security based on best known
attacks. The selected curve must be implemented by OpenSSL (as
reported by ecparam(1) with the "-list_curves" option) and be one
-of the curves listed in Section 5.1.1 of <a href="http://tools.ietf.org/html/rfc4492">RFC 4492</a>. You should not
+of the curves listed in Section 5.1.1 of <a href="https://tools.ietf.org/html/rfc4492">RFC 4492</a>. You should not
generally change this setting. Remote SMTP client implementations
must support this curve for EECDH key exchange to take place. It
is unwise to choose an "bleeding-edge" curve supported by only a
users should instead set "<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> = strong". The selected
curve must be implemented by OpenSSL (as reported by ecparam(1) with the
"-list_curves" option) and be one of the curves listed in Section 5.1.1
-of <a href="http://tools.ietf.org/html/rfc4492">RFC 4492</a>. You should not generally change this setting. </p>
+of <a href="https://tools.ietf.org/html/rfc4492">RFC 4492</a>. You should not generally change this setting. </p>
<p> This default "ultra" curve is rated in NSA <a
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
<DT><b><a name="tls_session_ticket_cipher">tls_session_ticket_cipher</a>
(default: Postfix ≥ 3.0: aes-256-cbc, Postfix < 3.0: aes-128-cbc)</b></DT><DD>
-<p> Algorithm used to encrypt <a href="http://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets. This
+<p> Algorithm used to encrypt <a href="https://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets. This
algorithm must use CBC mode, have a 128-bit block size, and must
have a key length between 128 and 256 bits. The default is
aes-256-cbc. Overriding the default to choose a different algorithm
</p>
<p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
</p>
</p>
<p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
</p>
</p>
<p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
</p>
</p>
<p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
</p>
<p>
</p>
<p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
</p>
<p>
</p>
<p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
</p>
<p>
</p>
<p>
-Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
</p>
<p>
will store the base64-encoded result instead of the <i>value</i>.
When the <i>key</i> specifies email address information, the localpart should
- be enclosed with double quotes if required by <a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a>. For example, an
+ be enclosed with double quotes if required by <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a>. For example, an
address localpart that contains ";", or a localpart that starts or ends
with ".".
<b>COMMAND-LINE ARGUMENTS</b>
<b>-b</b> Enable message body query mode. When reading lookup keys from
standard input with "<b>-q -</b>", process the input as if it is an
- email message in <a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> format. Each line of body content
+ email message in <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a> format. Each line of body content
becomes one lookup key.
By default, the <b>-b</b> option starts generating lookup keys at the
<b>-h</b> Enable message header query mode. When reading lookup keys from
standard input with "<b>-q -</b>", process the input as if it is an
- email message in <a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> format. Each logical header line
+ email message in <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a> format. Each logical header line
becomes one lookup key. A multi-line header becomes one lookup
key with one or more embedded newline characters.
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
Enable preliminary SMTPUTF8 support for the protocols described
- in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
+ in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b>-s</b> <i>site</i>
Schedule immediate delivery of all mail that is queued for the
- named <i>site</i>. A numerical site must be specified as a valid <a href="http://tools.ietf.org/html/rfc5321">RFC</a>
- <a href="http://tools.ietf.org/html/rfc5321">5321</a> address literal enclosed in [], just like in email
+ named <i>site</i>. A numerical site must be specified as a valid <a href="https://tools.ietf.org/html/rfc5321">RFC</a>
+ <a href="https://tools.ietf.org/html/rfc5321">5321</a> address literal enclosed in [], just like in email
addresses. The site must be eligible for the "fast flush" ser-
vice. See <a href="flush.8.html"><b>flush</b>(8)</a> for more information about the "fast flush"
service.
it can connect to Postfix daemon processes.
<b>STANDARDS</b>
- <a href="http://tools.ietf.org/html/rfc7159">RFC 7159</a> (JSON notation)
+ <a href="https://tools.ietf.org/html/rfc7159">RFC 7159</a> (JSON notation)
<b>DIAGNOSTICS</b>
Problems are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>, and to the standard
fixed low privilege.
<b>STANDARDS</b>
- <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
- <a href="http://tools.ietf.org/html/rfc1123">RFC 1123</a> (Host requirements)
- <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
- <a href="http://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
- <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
- <a href="http://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
- <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Status Codes)
- <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
- Not: <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
- <a href="http://tools.ietf.org/html/rfc3030">RFC 3030</a> (CHUNKING without BINARYMIME)
- <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
- <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
- <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
- <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol, including multi-line 220 banners)
+ <a href="https://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
+ <a href="https://tools.ietf.org/html/rfc1123">RFC 1123</a> (Host requirements)
+ <a href="https://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
+ <a href="https://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
+ <a href="https://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
+ <a href="https://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
+ <a href="https://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Status Codes)
+ <a href="https://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
+ Not: <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
+ <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> (CHUNKING without BINARYMIME)
+ <a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
+ <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
+ <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
+ <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol, including multi-line 220 banners)
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
queue manager of the arrival of new mail one would request <b>I</b>.
<b>STANDARDS</b>
- <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
- <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery status notifications)
+ <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
+ <a href="https://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery status notifications)
<b>SECURITY</b>
The <a href="qmgr.8.html"><b>qmgr</b>(8)</a> daemon is not security sensitive. It reads single-character
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
Enable preliminary SMTPUTF8 support for the protocols described
- in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
+ in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
<b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
Detect that a message requires SMTPUTF8 support for the speci-
dom portion of the per-message capture file name.
<i>time-stamp</i>
- A time stamp as defined in <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a>.
+ A time stamp as defined in <a href="https://tools.ietf.org/html/rfc2822">RFC 2822</a>.
<b>SEE ALSO</b>
<a href="smtp-source.1.html">smtp-source(1)</a>, SMTP/LMTP message generator
low privilege.
<b>STANDARDS</b>
- <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
- <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
- <a href="http://tools.ietf.org/html/rfc1651">RFC 1651</a> (SMTP service extensions)
- <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
- <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
- <a href="http://tools.ietf.org/html/rfc2033">RFC 2033</a> (LMTP protocol)
- <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes)
- <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (MIME: Format of Internet Message Bodies)
- <a href="http://tools.ietf.org/html/rfc2046">RFC 2046</a> (MIME: Media Types)
- <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
- <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
- <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
- <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
- <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
- <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
- <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)
- <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol)
- <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
- <a href="http://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
- <a href="http://tools.ietf.org/html/rfc7672">RFC 7672</a> (SMTP security via opportunistic DANE TLS)
+ <a href="https://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
+ <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+ <a href="https://tools.ietf.org/html/rfc1651">RFC 1651</a> (SMTP service extensions)
+ <a href="https://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
+ <a href="https://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
+ <a href="https://tools.ietf.org/html/rfc2033">RFC 2033</a> (LMTP protocol)
+ <a href="https://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes)
+ <a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a> (MIME: Format of Internet Message Bodies)
+ <a href="https://tools.ietf.org/html/rfc2046">RFC 2046</a> (MIME: Media Types)
+ <a href="https://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
+ <a href="https://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
+ <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
+ <a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
+ <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
+ <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
+ <a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)
+ <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol)
+ <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
+ <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
+ <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (SMTP security via opportunistic DANE TLS)
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
<b><a href="postconf.5.html#smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a> (yes)</b>
Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO
- commands as required by <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>.
+ commands as required by <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
<b><a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a> (empty)</b>
A mechanism to transform replies from remote SMTP servers one
Available in Postfix version 2.11-3.1:
<b><a href="postconf.5.html#tls_dane_digest_agility">tls_dane_digest_agility</a> (on)</b>
- Configure <a href="http://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
+ Configure <a href="https://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
<b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b>
- Enable support for <a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
+ Enable support for <a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
digests of trust-anchors with certificate usage "2".
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
Enable preliminary SMTPUTF8 support for the protocols described
- in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
+ in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
<b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b>
Detect that a message requires SMTPUTF8 support for the speci-
chrooted at fixed low privilege.
<b>STANDARDS</b>
- <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
- <a href="http://tools.ietf.org/html/rfc1123">RFC 1123</a> (Host requirements)
- <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
- <a href="http://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
- <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message size declaration)
- <a href="http://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
- <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP enhanced status codes)
- <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
- <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
- <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP pipelining)
- <a href="http://tools.ietf.org/html/rfc3030">RFC 3030</a> (CHUNKING without BINARYMIME)
- <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
- <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN extension)
- <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
- <a href="http://tools.ietf.org/html/rfc3848">RFC 3848</a> (ESMTP transmission types)
- <a href="http://tools.ietf.org/html/rfc4409">RFC 4409</a> (Message submission)
- <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)
- <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol)
- <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
- <a href="http://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
- <a href="http://tools.ietf.org/html/rfc7505">RFC 7505</a> ("Null MX" No Service Resource Record)
+ <a href="https://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
+ <a href="https://tools.ietf.org/html/rfc1123">RFC 1123</a> (Host requirements)
+ <a href="https://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
+ <a href="https://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
+ <a href="https://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message size declaration)
+ <a href="https://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
+ <a href="https://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP enhanced status codes)
+ <a href="https://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
+ <a href="https://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
+ <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP pipelining)
+ <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> (CHUNKING without BINARYMIME)
+ <a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
+ <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN extension)
+ <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
+ <a href="https://tools.ietf.org/html/rfc3848">RFC 3848</a> (ESMTP transmission types)
+ <a href="https://tools.ietf.org/html/rfc4409">RFC 4409</a> (Message submission)
+ <a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)
+ <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol)
+ <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
+ <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
+ <a href="https://tools.ietf.org/html/rfc7505">RFC 7505</a> ("Null MX" No Service Resource Record)
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
<b><a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> (no)</b>
Enable interoperability with remote SMTP clients that implement
- an obsolete version of the AUTH command (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>).
+ an obsolete version of the AUTH command (<a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a>).
<b><a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a> (no)</b>
Disable the SMTP VRFY command.
<b><a href="postconf.5.html#strict_rfc821_envelopes">strict_rfc821_envelopes</a> (no)</b>
Require that addresses received in SMTP MAIL FROM and RCPT TO
commands are enclosed with <>, and that those addresses do not
- contain <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> style comments or phrases.
+ contain <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> style comments or phrases.
Available in Postfix version 2.1 and later:
ture.
<b>SASL AUTHENTICATION CONTROLS</b>
- Postfix SASL support (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>) can be used to authenticate remote SMTP
+ Postfix SASL support (<a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a>) can be used to authenticate remote SMTP
clients to the Postfix SMTP server, and to authenticate the Postfix
SMTP client to a remote SMTP server. See the <a href="SASL_README.html">SASL_README</a> document for
details.
<b><a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> (no)</b>
Enable interoperability with remote SMTP clients that implement
- an obsolete version of the AUTH command (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>).
+ an obsolete version of the AUTH command (<a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a>).
<b><a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a> (no)</b>
Enable SASL authentication in the Postfix SMTP server.
<b><a href="postconf.5.html#tls_session_ticket_cipher">tls_session_ticket_cipher</a> (Postfix</b> ><b>= 3.0: aes-256-cbc, Postfix</b> < <b>3.0:</b>
<b>aes-128-cbc)</b>
- Algorithm used to encrypt <a href="http://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets.
+ Algorithm used to encrypt <a href="https://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets.
Available in Postfix version 3.2 and later:
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
Enable preliminary SMTPUTF8 support for the protocols described
- in <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
+ in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
<b><a href="postconf.5.html#strict_smtputf8">strict_smtputf8</a> (no)</b>
Enable stricter enforcement of the SMTPUTF8 protocol.
Available in Postfix version 2.11-3.1:
<b><a href="postconf.5.html#tls_dane_digest_agility">tls_dane_digest_agility</a> (on)</b>
- Configure <a href="http://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
+ Configure <a href="https://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
<b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b>
- Enable support for <a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
+ Enable support for <a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
digests of trust-anchors with certificate usage "2".
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#tls_session_ticket_cipher">tls_session_ticket_cipher</a> (Postfix</b> ><b>= 3.0: aes-256-cbc, Postfix</b> < <b>3.0:</b>
<b>aes-128-cbc)</b>
- Algorithm used to encrypt <a href="http://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets.
+ Algorithm used to encrypt <a href="https://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets.
<b><a href="postconf.5.html#openssl_path">openssl_path</a> (openssl)</b>
The location of the OpenSSL command line program <b>openssl</b>(1).
and that depend on retry logic in their own client.
<b>STANDARDS</b>
- <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
- <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
- <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
- <a href="http://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
- <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
- <a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
- <a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
- <a href="http://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
- <a href="http://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized Message Format)
- <a href="http://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
+ <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+ <a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
+ <a href="https://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
+ <a href="https://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
+ <a href="https://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
+ <a href="https://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
+ <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
+ <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a> (Internationalized SMTP)
+ <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a> (Internationalized Message Format)
+ <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a> (Internationalized Delivery Status Notifications)
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
fatal error.
<b>STANDARDS</b>
- <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
+ <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
<b>DIAGNOSTICS</b>
Mail bounces when the recipient has no mailbox or when the recipient is
This feature is available as of Postfix version 2.5.
.RE
.IP "\fBPrivate (default: y)\fR"
-Whether or not access is restricted to the mail system.
+Whether a service is internal to Postfix (pathname starts
+with \fBprivate/\fR), or exposed through Postfix command\-line
+tools (pathname starts with \fBpublic/\fR).
Internet (type \fBinet\fR) services can't be private.
.IP "\fBUnprivileged (default: y)\fR"
Whether the service runs with root privileges or as the
if (!/href=/) { s/(https?:\/\/[^ ,"\(\)]*[^ ,"\(\):;!?.])/<a href="$1">$1<\/a>/; }
s/(ftp:\/\/[^ ,"\(\)]*[^ ,"\(\):;!?.])/<a href="$1">$1<\/a>/;
- s/\bRFC\s*([1-9]\d*)/<a href="http:\/\/tools.ietf.org\/html\/rfc$1">$&<\/a>/g;
+ s/\bRFC\s*([1-9]\d*)/<a href="https:\/\/tools.ietf.org\/html\/rfc$1">$&<\/a>/g;
# Split README/RFC/parameter/restriction hyperlinks that span line breaks
# This feature is available as of Postfix version 2.5.
# .RE
# .IP "\fBPrivate (default: y)\fR"
-# Whether or not access is restricted to the mail system.
+# Whether a service is internal to Postfix (pathname starts
+# with \fBprivate/\fR), or exposed through Postfix command-line
+# tools (pathname starts with \fBpublic/\fR).
# Internet (type \fBinet\fR) services can't be private.
# .IP "\fBUnprivileged (default: y)\fR"
# Whether the service runs with root privileges or as the
mail_params.o: ../../include/vstream.h
mail_params.o: ../../include/vstring.h
mail_params.o: ../../include/vstring_vstream.h
+mail_params.o: config_known_tcp_ports.h
mail_params.o: compat_level.h
mail_params.o: mail_conf.h
mail_params.o: mail_params.c
ARGV *association;
char **cpp;
+ clear_known_tcp_ports();
+
/*
* The settings is in the form of associations separated by comma. Split
* it into separate associations.
#include <own_inet_addr.h>
#include <mail_params.h>
#include <compat_level.h>
+#include <config_known_tcp_ports.h>
/*
* Special configuration variables.
#endif
util_utf8_enable = var_smtputf8_enable;
+ /*
+ * Configure the known TCP port mappings.
+ */
+ config_known_tcp_ports(VAR_KNOWN_TCP_PORTS, var_known_tcp_ports);
+
/*
* What protocols should we attempt to support? The result is stored in
* the global inet_proto_table variable.
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20211002"
+#define MAIL_RELEASE_DATE "20211022"
#define MAIL_VERSION_NUMBER "3.7"
#ifdef SNAPSHOT
/*
* Convert service to port number, network byte order.
*/
+ service = (char *) filter_known_tcp_port(service);
if (alldig(service)) {
if ((port = atoi(service)) >= 65536 || port == 0)
- msg_fatal("bad network port in destination: %s", destination);
+ msg_fatal("bad network port: %s for destination: %s",
+ service, destination);
*portp = htons(port);
} else {
- if ((sp = getservbyname(filter_known_tcp_port(service), protocol)) != 0)
+ if ((sp = getservbyname(service, protocol)) != 0)
*portp = sp->s_port;
else if (strcmp(service, "smtp") == 0)
*portp = htons(25);
/*
* Convert service to port number, network byte order.
*/
+ service = (char *) filter_known_tcp_port(service);
if (alldig(service)) {
if ((port = atoi(service)) >= 65536 || port == 0)
- msg_fatal("bad network port in destination: %s", destination);
+ msg_fatal("bad network port: %s for destination: %s",
+ service, destination);
*portp = htons(port);
} else {
- if ((sp = getservbyname(filter_known_tcp_port(service), protocol)) == 0)
+ if ((sp = getservbyname(service, protocol)) == 0)
msg_fatal("unknown service: %s/%s", service, protocol);
*portp = sp->s_port;
}
valid_utf8_string ip_match base32_code msg_rate_delay netstring \
vstream timecmp dict_cache midna_domain casefold strcasecmp_utf8 \
vbuf_print split_qnameval vstream msg_logger byte_mask \
- known_tcp_ports dict_stream
+ known_tcp_ports dict_stream find_inet
PLUGIN_MAP_SO = $(LIB_PREFIX)pcre$(LIB_SUFFIX)
LIB_DIR = ../../lib
$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(SYSLIBS)
mv junk $@.o
+find_inet: $(LIB)
+ mv $@.o junk
+ $(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(SYSLIBS)
+ mv junk $@.o
+
stream_test: stream_test.c $(LIB)
$(CC) $(CFLAGS) -o $@ $@.c $(LIB) $(SYSLIBS)
diff dict_inline_cidr.ref dict_inline_cidr.tmp
rm -f dict_inline_cidr.tmp
+find_inet_test: find_inet find_inet.ref
+ $(SHLIB_ENV) ${VALGRIND} ./find_inet >find_inet.tmp 2>&1
+ diff find_inet.ref find_inet.tmp
+ rm -f find_inet.tmp
+
depend: $(MAKES)
(sed '1,/^# do not edit/!d' Makefile.in; \
set -e; for i in [a-z][a-z0-9]*.c; do \
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System libraries. */
#define INADDR_NONE 0xffffffff
#endif
+#ifdef TEST
+extern NORETURN PRINTFLIKE(1, 2) test_msg_fatal(const char *,...);
+
+#define msg_fatal test_msg_fatal
+#endif
+
/* find_inet_addr - translate numerical or symbolic host name */
unsigned find_inet_addr(const char *host)
struct servent *sp;
int port;
+ service = filter_known_tcp_port(service);
if (alldig(service) && (port = atoi(service)) != 0) {
if (port < 0 || port > 65535)
msg_fatal("bad port number: %s", service);
return (htons(port));
} else {
- if ((sp = getservbyname(filter_known_tcp_port(service), protocol)) == 0)
+ if ((sp = getservbyname(service, protocol)) == 0)
msg_fatal("unknown service: %s/%s", service, protocol);
return (sp->s_port);
}
}
+
+#ifdef TEST
+
+#include <stdlib.h>
+#include <setjmp.h>
+#include <string.h>
+
+#include <vstream.h>
+#include <vstring.h>
+#include <msg_vstream.h>
+
+#define STR(x) vstring_str(x)
+
+ /* TODO(wietse) make this a proper VSTREAM interface */
+
+/* vstream_swap - kludge to capture output for testing */
+
+static void vstream_swap(VSTREAM *one, VSTREAM *two)
+{
+ VSTREAM save;
+
+ save = *one;
+ *one = *two;
+ *two = save;
+}
+
+jmp_buf test_fatal_jbuf;
+
+#undef msg_fatal
+
+/* test_msg_fatal - does not return, and does not terminate */
+
+void test_msg_fatal(const char *fmt,...)
+{
+ va_list ap;
+
+ va_start(ap, fmt);
+ vmsg_warn(fmt, ap);
+ va_end(ap);
+ longjmp(test_fatal_jbuf, 1);
+}
+
+struct association {
+ const char *lhs; /* service name */
+ const char *rhs; /* service port */
+};
+
+struct test_case {
+ const char *label; /* identifies test case */
+ struct association associations[10];
+ const char *service;
+ const char *proto;
+ const char *exp_warning; /* expected error */
+ int exp_hport; /* expected port, host byte order */
+};
+
+struct test_case test_cases[] = {
+ {"good-symbolic",
+ /* association */ {{"foobar", "25252"}, 0},
+ /* service */ "foobar",
+ /* proto */ "tcp",
+ /* exp_warning */ "",
+ /* exp_hport */ 25252,
+ },
+ {"good-numeric",
+ /* association */ {{"foobar", "25252"}, 0},
+ /* service */ "25252",
+ /* proto */ "tcp",
+ /* exp_warning */ "",
+ /* exp_hport */ 25252,
+ },
+ {"bad-symbolic",
+ /* association */ {{"foobar", "25252"}, 0},
+ /* service */ "an-impossible-name",
+ /* proto */ "tcp",
+ /* exp_warning */ "find_inet: warning: unknown service: an-impossible-name/tcp\n",
+ },
+ {"bad-numeric",
+ /* association */ {{"foobar", "25252"}, 0},
+ /* service */ "123456",
+ /* proto */ "tcp",
+ /* exp_warning */ "find_inet: warning: bad port number: 123456\n",
+ },
+};
+
+int main(int argc, char **argv) {
+ struct test_case *tp;
+ struct association *ap;
+ int pass = 0;
+ int fail = 0;
+ const char *err;
+ int test_failed;
+ int nport;
+ VSTRING *msg_buf;
+ VSTREAM *memory_stream;
+
+ msg_vstream_init("find_inet", VSTREAM_ERR);
+ msg_buf = vstring_alloc(100);
+
+ for (tp = test_cases; tp->label != 0; tp++) {
+ test_failed = 0;
+ VSTRING_RESET(msg_buf);
+ VSTRING_TERMINATE(msg_buf);
+ clear_known_tcp_ports();
+ for (err = 0, ap = tp->associations; err == 0 && ap->lhs != 0; ap++)
+ err = add_known_tcp_port(ap->lhs, ap->rhs);
+ if (err != 0) {
+ msg_warn("test case %s: got err: \"%s\"", tp->label, err);
+ test_failed = 1;
+ } else {
+ if ((memory_stream = vstream_memopen(msg_buf, O_WRONLY)) == 0)
+ msg_fatal("open memory stream: %m");
+ vstream_swap(VSTREAM_ERR, memory_stream);
+ if (setjmp(test_fatal_jbuf) == 0)
+ nport = find_inet_port(tp->service, tp->proto);
+ vstream_swap(memory_stream, VSTREAM_ERR);
+ if (vstream_fclose(memory_stream))
+ msg_fatal("close memory stream: %m");
+ if (strcmp(STR(msg_buf), tp->exp_warning) != 0) {
+ msg_warn("test case %s: got error: \"%s\", want: \"%s\"",
+ tp->label, STR(msg_buf), tp->exp_warning);
+ test_failed = 1;
+ } else if (tp->exp_warning[0] == 0) {
+ if (ntohs(nport) != tp->exp_hport) {
+ msg_warn("test case %s: got port \"%d\", want: \"%d\"",
+ tp->label, ntohs(nport), tp->exp_hport);
+ test_failed = 1;
+ }
+ }
+ }
+ if (test_failed) {
+ msg_info("%s: FAIL", tp->label);
+ fail++;
+ } else {
+ msg_info("%s: PASS", tp->label);
+ pass++;
+ }
+ }
+ msg_info("PASS=%d FAIL=%d", pass, fail);
+ vstring_free(msg_buf);
+ exit(fail != 0);
+}
+
+#endif
--- /dev/null
+find_inet: good-symbolic: PASS
+find_inet: good-numeric: PASS
+find_inet: bad-symbolic: PASS
+find_inet: bad-numeric: PASS
+find_inet: PASS=4 FAIL=0
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
const char *proto;
unsigned port;
+ service = filter_known_tcp_port(service);
if (alldig(service)) {
port = atoi(service);
return (port < 65536 ? htons(port) : -1);
} else {
return (-1);
}
- if ((sp = getservbyname(filter_known_tcp_port(service), proto)) != 0) {
+ if ((sp = getservbyname(service, proto)) != 0) {
return (sp->s_port);
} else {
return (-1);
}
#endif
}
- err = getaddrinfo(hostname, filter_known_tcp_port(service), &hints, res);
+ if (service) {
+ service = filter_known_tcp_port(service);
+ if (alldig(service))
+ hints.ai_flags |= AI_NUMERICSERV;
+ }
+ err = getaddrinfo(hostname, service, &hints, res);
#if defined(BROKEN_AI_NULL_SERVICE)
if (service == 0 && err == 0) {
struct addrinfo *r;
}
#endif
}
- err = getaddrinfo(hostaddr, filter_known_tcp_port(service), &hints, res);
+ if (service) {
+ service = filter_known_tcp_port(service);
+ if (alldig(service))
+ hints.ai_flags |= AI_NUMERICSERV;
+ }
+ err = getaddrinfo(hostaddr, service, &hints, res);
#if defined(BROKEN_AI_NULL_SERVICE)
if (service == 0 && err == 0) {
struct addrinfo *r;
projects / thirdparty / postfix.git / commitdiff
