20240229
- Clenup: moved the new DNS_RR.flags structure member to the
- location of a "padding" hole (two bytes for ILP32 systems,
- 6 bytes for LP64). File: dns/dns.h.
+ Compatibility: moved the new DNS_RR.flags structure member
+ to the location of a "padding" hole (two bytes for ILP32
+ systems, 6 bytes for LP64). File: dns/dns.h.
Deprecation: removed permit_naked_ip_address, reject_maps_rbl,
and check_relay_domains. These have been logging deprecation
Files: smtpd/smtpd_check.c, smtpd/smtpd_check_backup.ref,
smtpd/smtpd_exp.ref, smtpd/smtpd_deprecated.in,
smtpd/smtpd_deprecated.ref.
+
+20240302
+
+ Cleanup: fixed inconsistent formatting of deprecation warning
+ messages. Files: postconf/postconf_unused.c, postconf/test76.ref,
+ smtpd/smtpd_check.
+
+ Documentation: DEPRECATION_README suggests replacements for
+ features that will be removed or than have been removed.
+ Files: proto/DEPRECATION_README.html, conf/postfix-files,
+ html/index.html, proto/Makefile.in.
+
+20240305
+
+ Documentation: in the master.cf documentation, added text
+ for "quoting" a command-line argument that starts with "{".
+ File: proto/master.
* SMTPUTF8_README: SMTPUTF8 Support
* MAILLOG_README: Postfix logging to file or stdout
* COMPATIBILITY_README: Backwards-Compatibility Safety Net
+ * DEPRECATION_README: Deprecated features and alternatives
* INSTALL: Installation from source code
P\bPr\bro\bob\bbl\ble\bem\bm s\bso\bol\blv\bvi\bin\bng\bg
--- /dev/null
+P\bPo\bos\bst\btf\bfi\bix\bx R\bRe\bep\bpl\bla\bac\bce\bem\bme\ben\bnt\bts\bs f\bfo\bor\br D\bDe\bep\bpr\bre\bec\bca\bat\bte\bed\bd F\bFe\bea\bat\btu\bur\bre\bes\bs
+
+-------------------------------------------------------------------------------
+
+P\bPu\bur\brp\bpo\bos\bse\be o\bof\bf t\bth\bhi\bis\bs d\bdo\boc\bcu\bum\bme\ben\bnt\bt
+
+This document describes Postfix features that are deprecated (will be removed)
+or that have already been removed. It also has tips for making an existing
+Postfix configuration more future-proof.
+
+Overview:
+
+ * Why deprecate?
+ * Deprecation process
+ * Deprecated features
+
+W\bWh\bhy\by d\bde\bep\bpr\bre\bec\bca\bat\bte\be?\b?
+
+Sometimes, a Postfix feature needs to be replaced with a different one. To give
+an example:
+
+ * The initial Postfix TLS implementation used multiple boolean parameters:
+ one parameter to enable opportunistic TLS (for example, "smtp_enforce_tls =
+ yes") and one parameter to enable mandatory TLS (for example,
+ "smtp_require_tls = yes").
+
+ * As we added support more features such as fingerprint, dane, and so on, we
+ decided not to add more boolean parameters. Instead we introduced one
+ configuration parameter to select from multiple deployment models (for
+ example, smtp_tls_security_level = may | encrypt | dane, etc...).
+
+Having both the "old" and "new" way to configure Postfix is convenient for
+existing Postfix installations, because their configuration does not break
+after an upgrade to a new version. Unfortunately, there are also disadvantages.
+Having multiple ways to do similar things is not only confusing for newcomers,
+it also makes Postfix harder to change.
+
+D\bDe\bep\bpr\bre\bec\bca\bat\bti\bio\bon\bn p\bpr\bro\boc\bce\bes\bss\bs
+
+The basic process steps are:
+
+ 1. Inform humans that a feature will be removed, and suggest replacements, in
+ logging and documentation.
+
+ 2. Remove the feature, and update logging and documentation.
+
+Disclaimer: it has taken 20 years for some features to be removed. This past is
+not a guarantee for the future.
+
+D\bDe\bep\bpr\bre\bec\bca\bat\bte\bed\bd f\bfe\bea\bat\btu\bur\bre\bes\bs
+
+The table summarizes removed or deprecated features and replacements. Click on
+the "obsolete feature" name for a more detailed description.
+
+ _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b
+ | |W\bWa\bar\brn\bni\bin\bng\bg| | |
+ |O\bOb\bbs\bso\bol\ble\bet\bte\be f\bfe\bea\bat\btu\bur\bre\be n\bna\bam\bme\be |a\bas\bs |R\bRe\bem\bmo\bov\bve\bed\bd |R\bRe\bep\bpl\bla\bac\bce\bem\bme\ben\bnt\bt |
+ | |o\bof\bf |i\bin\bn v\bve\ber\brs\bsi\bio\bon\bn| |
+ | |v\bve\ber\brs\bsi\bio\bon\bn| | |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |disable_dns_lookups | 3.9 | - |smtp_dns_support_level |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |xxx_use_tls | 3.9 | - |xxx_tls_security_level |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |xxx_enforce_tls | 3.9 | - |xxx_tls_security_level |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |xxx_per_site | 3.9 | - |xxx_policy_maps |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |smtpd_tls_dh1024_param_file| 3.9 | - |do not specify (leave at |
+ | | | |default) |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |smtpd_tls_eecdh_grade | 3.9 | - |do not specify (leave at |
+ | | | |default) |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |permit_mx_backup | 3.9 | - |relay_domains |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |check_relay_domains | 2.2 | 3.9 |permit_mynetworks, |
+ | | | |reject_unauth_destination|
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |reject_maps_rbl | 2.1 | 3.9 |reject_rbl_client |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |permit_naked_ip_address | 2.0 | 3.9 |permit_mynetworks, |
+ | | | |permit_sasl_authenticated|
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+
+O\bOb\bbs\bso\bol\ble\bet\bte\be D\bDN\bNS\bS o\bon\bn/\b/o\bof\bff\bf c\bco\bon\bnf\bfi\big\bgu\bur\bra\bat\bti\bio\bon\bn
+
+The postconf(1) command logs the following:
+
+ * support for parameter "disable_dns_lookups" will be removed; instead,
+ specify "smtp_dns_support_level"
+
+Replace obsolete configuration with its replacement:
+
+ _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b
+ |G\bGo\boa\bal\bl |O\bOb\bbs\bso\bol\ble\bet\bte\be c\bco\bon\bnf\bfi\big\bgu\bur\bra\bat\bti\bio\bon\bn |R\bRe\bep\bpl\bla\bac\bce\bem\bme\ben\bnt\bt |
+ | | |c\bco\bon\bnf\bfi\big\bgu\bur\bra\bat\bti\bio\bon\bn |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |To disable DNS lookups|disable_dns_lookups = |smtp_dns_support_level =|
+ |in the Postfix SMTP/ |yes |disabled |
+ |LMTP client | | |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ | | |Leave |
+ | | |smtp_dns_support_level |
+ |To enable DNS lookups | |at the implicit default |
+ |in the Postfix SMTP/ |disable_dns_lookups = no|which is empty, unless |
+ |LMTP client | |you need a higher |
+ | | |support level such as |
+ | | |DNSSEC. |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+
+O\bOb\bbs\bso\bol\ble\bet\bte\be o\bop\bpp\bpo\bor\brt\btu\bun\bni\bis\bst\bti\bic\bc T\bTL\bLS\bS c\bco\bon\bnf\bfi\big\bgu\bur\bra\bat\bti\bio\bon\bn
+
+The postconf(1) command logs one of the following:
+
+ * support for parameter "lmtp_use_tls" will be removed; instead, specify
+ "lmtp_tls_security_level"
+ * support for parameter "smtp_use_tls" will be removed; instead, specify
+ "smtp_tls_security_level"
+ * support for parameter "smtpd_use_tls" will be removed; instead, specify
+ "smtpd_tls_security_level"
+
+There are similarly-named parameters and warnings for postscreen(8) and
+tlsproxy(8), but those parameters should rarely be specified by hand.
+
+Replace obsolete configuration with its replacement:
+
+ _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b
+ |G\bGo\boa\bal\bl |O\bOb\bbs\bso\bol\ble\bet\bte\be c\bco\bon\bnf\bfi\big\bgu\bur\bra\bat\bti\bio\bon\bn|R\bRe\bep\bpl\bla\bac\bce\bem\bme\ben\bnt\bt c\bco\bon\bnf\bfi\big\bgu\bur\bra\bat\bti\bio\bon\bn|
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |To turn off TLS |xxx_use_tls = no |xxx_security_level = none|
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |To turn on opportunistic|xxx_use_tls = yes |xxx_security_level = may |
+ |TLS | | |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+
+O\bOb\bbs\bso\bol\ble\bet\bte\be m\bma\ban\bnd\bda\bat\bto\bor\bry\by T\bTL\bLS\bS c\bco\bon\bnf\bfi\big\bgu\bur\bra\bat\bti\bio\bon\bn
+
+The postconf(1) command logs one of the following:
+
+ * support for parameter "lmtp_enforce_tls" will be removed; instead, specify
+ "lmtp_tls_security_level"
+ * support for parameter "smtp_enforce_tls" will be removed; instead, specify
+ "smtp_tls_security_level"
+ * support for parameter "smtpd_enforce_tls" will be removed; instead, specify
+ "smtpd_tls_security_level"
+
+There are similarly-named parameters and warnings for postscreen(8) and
+tlsproxy(8), but those parameters should rarely be specified by hand.
+
+Replace obsolete configuration with its replacement:
+
+ _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b
+ |G\bGo\boa\bal\bl |O\bOb\bbs\bso\bol\ble\bet\bte\be c\bco\bon\bnf\bfi\big\bgu\bur\bra\bat\bti\bio\bon\bn|R\bRe\bep\bpl\bla\bac\bce\bem\bme\ben\bnt\bt c\bco\bon\bnf\bfi\big\bgu\bur\bra\bat\bti\bio\bon\bn|
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |To turn off mandatory |xxx_enforce_tls = no |xxx_security_level = may |
+ |TLS | | |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |To turn on mandatory TLS|xxx_enforce_tls = yes |xxx_security_level = |
+ | | |encrypt |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+
+O\bOb\bbs\bso\bol\ble\bet\bte\be T\bTL\bLS\bS p\bpo\bol\bli\bic\bcy\by t\bta\bab\bbl\ble\be c\bco\bon\bnf\bfi\big\bgu\bur\bra\bat\bti\bio\bon\bn
+
+The postconf(1) command logs one of the following:
+
+ * support for parameter "lmtp_tls_per_site" will be removed; instead, specify
+ "lmtp_tls_policy_maps"
+ * support for parameter "smtp_tls_per_site" will be removed; instead, specify
+ "smtp_tls_policy_maps"
+
+There is similarly-named parameter and warning for tlsproxy(8), but that
+parameter should rarely be specified by hand.
+
+Unfortunately, this is more than a name change: the table format has changed
+too, as has the table search process. There is no simple conversion of the
+obsolete form to its replacement.
+
+c\bch\bhe\bec\bck\bk_\b_r\bre\bel\bla\bay\by_\b_d\bdo\bom\bma\bai\bin\bns\bs
+
+Depending on the Postfix version, the Postfix SMTP daemon logs following
+warning:
+
+ * support for restriction "check_relay_domains" has been removed in Postfix
+ 3.9"; instead, specify "reject_unauth_destination"
+ * support for restriction "check_relay_domains" will be removed from Postfix;
+ use "reject_unauth_destination" instead
+
+This feature was removed because it would relay based on the client domain
+name, which is not robust.
+
+Recommended configuration to prevent an "open relay" problem with the SMTP
+service on port 25:
+
+ main.cf:
+ smtpd_recipient_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unauth_destination
+ ...other restrictions...
+
+Or equivalent in smtpd_relay_restrictions.
+
+p\bpe\ber\brm\bmi\bit\bt_\b_m\bmx\bx_\b_b\bba\bac\bck\bku\bup\bp
+
+The Postfix version 3.9 and later SMTP daemon logs the following warning:
+
+ * support for restriction "permit_mx_backup" will be removed from Postfix;
+ instead, specify "relay_domains"
+
+This feature will be removed because it is too difficult to configure recipient
+address validation, making Postfix a source of backscatter bounces.
+
+To specify the domains that Postfix will provide MX backup service for, see
+Configuring Postfix as primary or backup MX host for a remote site.
+
+r\bre\bej\bje\bec\bct\bt_\b_m\bma\bap\bps\bs_\b_r\brb\bbl\bl
+
+Depending on the Postfix version, the SMTP daemon logs one of the following
+warnings:
+
+ * support for restriction "reject_maps_rbl" has been removed in Postfix 3.9";
+ instead, specify "reject_rbl_client domain-name"
+ * support for restriction "reject_maps_rbl" will be removed from Postfix; use
+ "reject_rbl_client domain-name" instead
+
+This feature was replaced because "MAPS RBL" is the name of a specific
+reputation service. The reject_rbl_client feature provides a superset of the
+reject_maps_rbl functionality.
+
+Recommended configuration:
+
+ main.cf:
+ smtpd_recipient_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unauth_destination
+ reject_rbl_client domain-name
+ ...other restrictions...
+
+Where domain-name is the domain name of a DNS reputation service.
+
+p\bpe\ber\brm\bmi\bit\bt_\b_n\bna\bak\bke\bed\bd_\b_i\bip\bp_\b_a\bad\bdd\bdr\bre\bes\bss\bs
+
+Depending on the Postfix version, the SMTP daemon logs one of the following
+warnings:
+
+ * support for restriction "permit_naked_ip_address" has been removed in
+ Postfix 3.9"; instead, specify "permit_mynetworks" or
+ "permit_sasl_authenticated"
+ * restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or
+ permit_sasl_authenticated instead
+
+This feature was removed because it was easy to get a false match when
+smtpd_recipient_restrictions was intended to match a remote SMTP client IP
+address.
+
+Recommended configuration:
+
+ main.cf:
+ smtpd_recipient_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unauth_destination
+ reject_rbl_client domain-name
+ ...other restrictions...
+
+That is, no restriction on HELO or EHLO syntax. Such restrictions ar rarely
+useful nowadays.
+
$readme_directory/DATABASE_README:f:root:-:644
$readme_directory/DB_README:f:root:-:644
$readme_directory/DEBUG_README:f:root:-:644
+$readme_directory/DEPRECATION_README:f:root:-:644
$readme_directory/DSN_README:f:root:-:644
$readme_directory/ETRN_README:f:root:-:644
$readme_directory/FILTER_README:f:root:-:644
$html_directory/DATABASE_README.html:f:root:-:644
$html_directory/DB_README.html:f:root:-:644
$html_directory/DEBUG_README.html:f:root:-:644
+$html_directory/DEPRECATION_README.html:f:root:-:644
$html_directory/DSN_README.html:f:root:-:644
$html_directory/ETRN_README.html:f:root:-:644
$html_directory/FILTER_README.html:f:root:-:644
--- /dev/null
+<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+
+<html>
+
+<head>
+
+<title>Postfix Replacements for Deprecated Features </title>
+
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<link rel='stylesheet' type='text/css' href='postfix-doc.css'>
+
+</head>
+
+<body>
+
+<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix
+Replacements for Deprecated Features</h1>
+
+<hr>
+
+<h2>Purpose of this document </h2>
+
+<p> This document describes Postfix features that are deprecated
+(will be removed) or that have already been removed. It also has
+tips for making an existing Postfix configuration more future-proof.
+</p>
+
+<p> Overview: </p>
+
+<ul>
+
+<li> <a href="#why"> Why deprecate? </a>
+
+<li> <a href="#process"> Deprecation process </a>
+
+<li> <a href="#features"> Deprecated features </a>
+
+</ul>
+
+<h2> <a name="why"> Why deprecate? </a> </h2>
+
+<p> Sometimes, a Postfix feature needs to be replaced with a different
+one. To give an example: </p>
+
+<ul>
+
+<li> <p> The initial Postfix TLS implementation used multiple boolean
+parameters: one parameter to enable opportunistic TLS (for example,
+"<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes") and one parameter to enable mandatory TLS
+(for example, "smtp_require_tls = yes"). </p>
+
+<li> <p> As we added support more features such as fingerprint,
+dane, and so on, we decided not to add more boolean parameters.
+Instead we introduced one configuration parameter to select from
+multiple deployment models (for example, <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> =
+may | encrypt | dane, etc...). </p>
+
+</ul>
+
+<!--
+
+<p> Over time it has become clear that 'level' is too rigid, so this may
+have to change again. Wietse and Viktor have been discussing a way to
+specify a range with minimum properties that are required (e.g., encrypt)
+and nice-to-have properties if they are available (dane or mta-sts). </p>
+
+-->
+
+<p> Having both the "old" and "new" way to configure Postfix is
+convenient for existing Postfix installations, because their
+configuration does not break after an upgrade to a new version.
+Unfortunately, there are also disadvantages. Having multiple ways
+to do similar things is not only confusing for newcomers, it also
+makes Postfix harder to change. </p>
+
+<h2> <a name="process"> Deprecation process </a> </h2>
+
+<p> The basic process steps are: </p>
+
+<ol>
+
+<li> <p> Inform humans that a feature will be removed, and suggest
+replacements, in logging and documentation. </p>
+
+<li> <p> Remove the feature, and update logging and documentation. </p>
+
+</ol>
+
+<p> Disclaimer: it has taken 20 years for some features to be
+removed. This past is not a guarantee for the future. </p>
+
+<h2> <a name="features"> Deprecated features </a> </h2>
+
+<p> The table summarizes removed or deprecated features and
+replacements. Click on the "obsolete feature" name for a more
+detailed description. </p>
+
+<blockquote>
+
+<table border="1">
+
+<tr> <th> Obsolete feature name </th> <th> Warning as <br> of version
+</th> <th> Removed <br> in version </th> <th> Replacement </th>
+</tr>
+
+<tr> <td> <a href="#disable_dns_lookups"> disable_dns_lookups </a>
+</td> <td align="center"> 3.9 </td> <td align="center"> - </td>
+<td> <a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a> </td> </tr>
+
+<tr> <td> <a href="#xxx_enforce_tls"> <i>xxx</i>_use_tls </a> </td>
+<td align="center"> 3.9 </td> <td align="center"> - </td> <td>
+<i>xxx</i>_tls_security_level </td> </tr>
+
+<tr> <td> <a href="#xxx_enforce_tls"> <i>xxx</i>_enforce_tls </a>
+</td> <td align="center"> 3.9 </td> <td align="center"> - </td>
+<td> <i>xxx</i>_tls_security_level </td> </tr>
+
+<tr> <td> <a href="#xxx_per_site"> <i>xxx</i>_per_site </a> </td>
+<td align="center"> 3.9 </td> <td align="center"> - </td> <td>
+<i>xxx</i>_policy_maps </td> </tr>
+
+<tr> <td> <a href="#smtpd_tls_dh1024_param_file">
+smtpd_tls_dh1024_param_file </a> </td> <td align="center"> 3.9 </td>
+<td align="center"> - </td> <td> do not specify (leave at default)
+</td> </tr>
+
+<tr> <td> <a href="#smtpd_tls_eecdh_grade"> smtpd_tls_eecdh_grade
+</a> </td> <td align="center"> 3.9 </td> <td align="center"> - </td>
+<td> do not specify (leave at default) </td> </tr>
+
+<tr> <td> <a href="#permit_mx_backup"> permit_mx_backup </a> </td>
+<td align="center"> 3.9 </td> <td align="center"> - </td> <td>
+<a href="postconf.5.html#relay_domains">relay_domains</a> </td> </tr>
+
+<tr> <td> <a href="#check_relay_domains"> check_relay_domains </a>
+</td> <td align="center"> 2.2 </td> <td align="center"> 3.9 </td>
+<td> <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> </td> </tr>
+
+<tr> <td> <a href="#reject_maps_rbl"> reject_maps_rbl </a> </td>
+<td align="center"> 2.1 </td> <td align="center"> 3.9 </td> <td>
+<a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> </td> </tr>
+
+<tr> <td> <a href="#permit_naked_ip_address"> permit_naked_ip_address
+</a> </td> <td align="center"> 2.0 </td> <td align="center"> 3.9
+</td> <td> <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a> </td> </tr>
+
+</table>
+
+</blockquote>
+
+<h3> <a name="disable_dns_lookups"> Obsolete DNS on/off configuration
+</a> </h3>
+
+<p> The <a href="postconf.1.html">postconf(1)</a> command logs the following: </p>
+
+<ul>
+
+<li> support for parameter "<a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a>" will be removed; instead, specify "<a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a>"
+
+</ul>
+
+<p> Replace obsolete configuration with its replacement: </p>
+
+<blockquote>
+
+<table border="1">
+
+<tr> <th width="33%"> Goal </th> <th width="33%"> Obsolete configuration
+</th> <th> Replacement configuration </th> </tr>
+
+<tr> <td> To disable DNS lookups in the Postfix SMTP/LMTP client
+</td> <td> <a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> = yes </td> <td> <a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a>
+= disabled </td> </tr>
+
+<tr> <td> To enable DNS lookups in the Postfix SMTP/LMTP client </td> <td>
+<a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> = no </td> <td>
+Leave <a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a> at the implicit default which is empty, unless
+you need a higher support level such as DNSSEC. </td> </tr>
+
+</table>
+
+</blockquote>
+
+<h3> <a name="xxx_use_tls"> Obsolete opportunistic TLS configuration
+</a> </h3>
+
+<p> The <a href="postconf.1.html">postconf(1)</a> command logs one of the following: </p>
+
+<ul>
+
+<li> support for parameter "<a href="postconf.5.html#lmtp_use_tls">lmtp_use_tls</a>" will be removed; instead, specify "<a href="postconf.5.html#lmtp_tls_security_level">lmtp_tls_security_level</a>"
+
+<li> support for parameter "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>" will be removed; instead, specify "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>"
+
+<li> support for parameter "<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>" will be removed; instead, specify "<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>"
+
+</ul>
+
+<p> There are similarly-named parameters and warnings for <a href="postscreen.8.html">postscreen(8)</a>
+and <a href="tlsproxy.8.html">tlsproxy(8)</a>, but those parameters should rarely be specified
+by hand. </p>
+
+<p> Replace obsolete configuration with its replacement: </p>
+
+<blockquote>
+
+<table border="1">
+
+<tr> <th width="33%"> Goal </th> <th width="33%"> Obsolete configuration </th> <th> Replacement configuration </th> </tr>
+
+<tr> <td> To turn off TLS </td> <td> <i>xxx</i>_use_tls = no </td>
+<td> <i>xxx</i>_security_level = none </td> </tr>
+
+<tr> <td> To turn on opportunistic TLS </td> <td> <i>xxx</i>_use_tls
+= yes </td> <td> <i>xxx</i>_security_level = may </td> </tr>
+
+</table>
+
+</blockquote>
+
+<h3> <a name="xxx_enforce_tls"> Obsolete mandatory TLS configuration
+</a> </h3>
+
+<p> The <a href="postconf.1.html">postconf(1)</a> command logs one of the following: </p>
+
+<ul>
+
+<li> support for parameter "<a href="postconf.5.html#lmtp_enforce_tls">lmtp_enforce_tls</a>" will be removed; instead, specify "<a href="postconf.5.html#lmtp_tls_security_level">lmtp_tls_security_level</a>"
+
+<li> support for parameter "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>" will be removed; instead, specify "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>"
+
+<li> support for parameter "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>" will be removed; instead, specify "<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>"
+
+</ul>
+
+<p> There are similarly-named parameters and warnings for <a href="postscreen.8.html">postscreen(8)</a>
+and <a href="tlsproxy.8.html">tlsproxy(8)</a>, but those parameters should rarely be specified
+by hand. </p>
+
+<p> Replace obsolete configuration with its replacement: </p>
+
+<blockquote>
+
+<table border="1">
+
+<tr> <th width="33%"> Goal </th> <th width="33%"> Obsolete configuration </th> <th> Replacement configuration </th> </tr>
+
+<tr> <td> To turn off mandatory TLS </td> <td> <i>xxx</i>_enforce_tls
+= no </td> <td> <i>xxx</i>_security_level = may </td> </tr>
+
+<tr> <td> To turn on mandatory TLS </td> <td> <i>xxx</i>_enforce_tls
+= yes </td> <td> <i>xxx</i>_security_level = encrypt </td> </tr>
+
+</table>
+
+</blockquote>
+
+<h3> <a name="xxx_per_site"> Obsolete TLS policy table configuration
+</a> </h3>
+
+<p> The <a href="postconf.1.html">postconf(1)</a> command logs one of the following: </p>
+
+<ul>
+
+<li> support for parameter "<a href="postconf.5.html#lmtp_tls_per_site">lmtp_tls_per_site</a>" will be removed;
+instead, specify "<a href="postconf.5.html#lmtp_tls_policy_maps">lmtp_tls_policy_maps</a>"
+
+<li> support for parameter "<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>" will be removed;
+instead, specify "<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>"
+
+</ul>
+
+<p> There is similarly-named parameter and warning for <a href="tlsproxy.8.html">tlsproxy(8)</a>,
+but that parameter should rarely be specified by hand. </p>
+
+<p> Unfortunately, this is more than a name change: the table format
+has changed too, as has the table search process. There is no simple
+conversion of the obsolete form to its replacement. </p>
+
+<h3> <a name="check_relay_domains"> check_relay_domains </a> </h3>
+
+<p> Depending on the Postfix version, the Postfix SMTP daemon logs
+following warning: </p>
+
+<ul>
+
+<li> support for restriction "check_relay_domains" has been removed
+in Postfix 3.9"; instead, specify "<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>"
+
+<li> support for restriction "check_relay_domains" will be removed
+from Postfix; use "<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>" instead
+
+</ul>
+
+<p> This feature was removed because it would relay based on the
+client domain name, which is not robust. </p>
+
+<p> Recommended configuration to prevent an "open relay" problem
+with the SMTP service on port 25:
+</p>
+
+<blockquote>
+<pre>
+<a href="postconf.5.html">main.cf</a>:
+ <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
+ <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,
+ <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>,
+ <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+ ...other restrictions...
+</pre>
+</blockquote>
+
+<p> Or equivalent in <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>. </p>
+
+<h3> <a name="permit_mx_backup"> permit_mx_backup</a> </h3>
+
+<p> The Postfix version 3.9 and later SMTP daemon logs the following
+warning: </p>
+
+<ul>
+
+<li> support for restriction "<a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a>" will be removed
+from Postfix; instead, specify "<a href="postconf.5.html#relay_domains">relay_domains</a>"
+
+</ul>
+
+<p> This feature will be removed because it is too difficult to
+configure recipient address validation, making Postfix a source of
+backscatter bounces. </p>
+
+<p> To specify the domains that Postfix will provide MX backup
+service for, see <a href="STANDARD_CONFIGURATION_README.html#backup">
+Configuring Postfix as primary or backup MX host for a remote
+site</a>. </p>
+
+<h3> <a name="reject_maps_rbl"> reject_maps_rbl</a> </h3>
+
+<p> Depending on the Postfix version, the SMTP daemon logs one of
+the following warnings: </p>
+
+<ul>
+
+<li> support for restriction "reject_maps_rbl" has been removed in
+Postfix 3.9"; instead, specify "<a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> domain-name"
+
+<li> support for restriction "reject_maps_rbl" will be removed from
+Postfix; use "<a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> domain-name" instead
+
+</ul>
+
+<p> This feature was replaced because "MAPS RBL" is the name of a
+specific reputation service. The <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> feature provides
+a superset of the reject_maps_rbl functionality. </p>
+
+<p> Recommended configuration: </p>
+
+<blockquote>
+<pre>
+<a href="postconf.5.html">main.cf</a>:
+ <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
+ <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,
+ <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>,
+ <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+ <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> <i>domain-name</i>
+ ...other restrictions...
+</pre>
+</blockquote>
+
+<p> Where <i>domain-name</i> is the domain name of a DNS reputation service. </p>
+
+<h3> <a name="permit_naked_ip_address"> permit_naked_ip_address</a> </h3>
+
+<p> Depending on the Postfix version, the SMTP daemon logs one of
+the following warnings: </p>
+
+<ul>
+
+<li> support for restriction "permit_naked_ip_address" has been
+removed in Postfix 3.9"; instead, specify "<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>" or
+"<a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>"
+
+<li> restriction permit_naked_ip_address is deprecated. Use
+<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a> or <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a> instead
+
+</ul>
+
+<p> This feature was removed because it was easy to get a false
+match when <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> was intended to match a
+remote SMTP client IP address. </p>
+
+<p> Recommended configuration: </p>
+
+<blockquote>
+<pre>
+<a href="postconf.5.html">main.cf</a>:
+ <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
+ <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,
+ <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>,
+ <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+ <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> <i>domain-name</i>
+ ...other restrictions...
+</pre>
+</blockquote>
+
+<p> That is, no restriction on HELO or EHLO syntax. Such restrictions
+ar rarely useful nowadays.
+
+</body>
+
+</html>
<li> <a href="COMPATIBILITY_README.html"> Backwards-Compatibility Safety Net</a>
+<li> <a href="DEPRECATION_README.html"> Deprecated features and alternatives </a>
+
<li> <a href="INSTALL.html"> Installation from source code </a>
</ul>
verbose.
Other command-line arguments
- Specify "{" and "}" around command arguments that contain
- whitespace (Postfix 3.0 and later). Whitespace after "{"
- and before "}" is ignored.
+ Specify "{" and "}" around command arguments that must
+ start with "{" or that must contain whitespace (Postfix
+ 3.0 and later). The outer "{" and "}" are removed from
+ the input, together with any leading or trailing white-
+ space.
<b>SEE ALSO</b>
<a href="master.8.html">master(8)</a>, process manager
Increase the verbose logging level. Specify multiple \fB\-v\fR
options to make a Postfix daemon process increasingly verbose.
.IP "Other command\-line arguments"
-Specify "{" and "}" around command arguments that contain
-whitespace (Postfix 3.0 and later). Whitespace
-after "{" and before "}" is ignored.
+Specify "{" and "}" around command arguments that must start
+with "{" or that must contain whitespace (Postfix 3.0 and
+later). The outer "{" and "}" are removed from the input,
+together with any leading or trailing whitespace.
.SH "SEE ALSO"
.na
.nf
--- /dev/null
+<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+
+<html>
+
+<head>
+
+<title>Postfix Replacements for Deprecated Features </title>
+
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<link rel='stylesheet' type='text/css' href='postfix-doc.css'>
+
+</head>
+
+<body>
+
+<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix
+Replacements for Deprecated Features</h1>
+
+<hr>
+
+<h2>Purpose of this document </h2>
+
+<p> This document describes Postfix features that are deprecated
+(will be removed) or that have already been removed. It also has
+tips for making an existing Postfix configuration more future-proof.
+</p>
+
+<p> Overview: </p>
+
+<ul>
+
+<li> <a href="#why"> Why deprecate? </a>
+
+<li> <a href="#process"> Deprecation process </a>
+
+<li> <a href="#features"> Deprecated features </a>
+
+</ul>
+
+<h2> <a name="why"> Why deprecate? </a> </h2>
+
+<p> Sometimes, a Postfix feature needs to be replaced with a different
+one. To give an example: </p>
+
+<ul>
+
+<li> <p> The initial Postfix TLS implementation used multiple boolean
+parameters: one parameter to enable opportunistic TLS (for example,
+"smtp_enforce_tls = yes") and one parameter to enable mandatory TLS
+(for example, "smtp_require_tls = yes"). </p>
+
+<li> <p> As we added support more features such as fingerprint,
+dane, and so on, we decided not to add more boolean parameters.
+Instead we introduced one configuration parameter to select from
+multiple deployment models (for example, smtp_tls_security_level =
+may | encrypt | dane, etc...). </p>
+
+</ul>
+
+<!--
+
+<p> Over time it has become clear that 'level' is too rigid, so this may
+have to change again. Wietse and Viktor have been discussing a way to
+specify a range with minimum properties that are required (e.g., encrypt)
+and nice-to-have properties if they are available (dane or mta-sts). </p>
+
+-->
+
+<p> Having both the "old" and "new" way to configure Postfix is
+convenient for existing Postfix installations, because their
+configuration does not break after an upgrade to a new version.
+Unfortunately, there are also disadvantages. Having multiple ways
+to do similar things is not only confusing for newcomers, it also
+makes Postfix harder to change. </p>
+
+<h2> <a name="process"> Deprecation process </a> </h2>
+
+<p> The basic process steps are: </p>
+
+<ol>
+
+<li> <p> Inform humans that a feature will be removed, and suggest
+replacements, in logging and documentation. </p>
+
+<li> <p> Remove the feature, and update logging and documentation. </p>
+
+</ol>
+
+<p> Disclaimer: it has taken 20 years for some features to be
+removed. This past is not a guarantee for the future. </p>
+
+<h2> <a name="features"> Deprecated features </a> </h2>
+
+<p> The table summarizes removed or deprecated features and
+replacements. Click on the "obsolete feature" name for a more
+detailed description. </p>
+
+<blockquote>
+
+<table border="1">
+
+<tr> <th> Obsolete feature name </th> <th> Warning as <br> of version
+</th> <th> Removed <br> in version </th> <th> Replacement </th>
+</tr>
+
+<tr> <td> <a href="#disable_dns_lookups"> disable_dns_lookups </a>
+</td> <td align="center"> 3.9 </td> <td align="center"> - </td>
+<td> smtp_dns_support_level </td> </tr>
+
+<tr> <td> <a href="#xxx_enforce_tls"> <i>xxx</i>_use_tls </a> </td>
+<td align="center"> 3.9 </td> <td align="center"> - </td> <td>
+<i>xxx</i>_tls_security_level </td> </tr>
+
+<tr> <td> <a href="#xxx_enforce_tls"> <i>xxx</i>_enforce_tls </a>
+</td> <td align="center"> 3.9 </td> <td align="center"> - </td>
+<td> <i>xxx</i>_tls_security_level </td> </tr>
+
+<tr> <td> <a href="#xxx_per_site"> <i>xxx</i>_per_site </a> </td>
+<td align="center"> 3.9 </td> <td align="center"> - </td> <td>
+<i>xxx</i>_policy_maps </td> </tr>
+
+<tr> <td> <a href="#smtpd_tls_dh1024_param_file">
+smtpd_tls_dh1024_param_file </a> </td> <td align="center"> 3.9 </td>
+<td align="center"> - </td> <td> do not specify (leave at default)
+</td> </tr>
+
+<tr> <td> <a href="#smtpd_tls_eecdh_grade"> smtpd_tls_eecdh_grade
+</a> </td> <td align="center"> 3.9 </td> <td align="center"> - </td>
+<td> do not specify (leave at default) </td> </tr>
+
+<tr> <td> <a href="#permit_mx_backup"> permit_mx_backup </a> </td>
+<td align="center"> 3.9 </td> <td align="center"> - </td> <td>
+relay_domains </td> </tr>
+
+<tr> <td> <a href="#check_relay_domains"> check_relay_domains </a>
+</td> <td align="center"> 2.2 </td> <td align="center"> 3.9 </td>
+<td> permit_mynetworks, reject_unauth_destination </td> </tr>
+
+<tr> <td> <a href="#reject_maps_rbl"> reject_maps_rbl </a> </td>
+<td align="center"> 2.1 </td> <td align="center"> 3.9 </td> <td>
+reject_rbl_client </td> </tr>
+
+<tr> <td> <a href="#permit_naked_ip_address"> permit_naked_ip_address
+</a> </td> <td align="center"> 2.0 </td> <td align="center"> 3.9
+</td> <td> permit_mynetworks, permit_sasl_authenticated </td> </tr>
+
+</table>
+
+</blockquote>
+
+<h3> <a name="disable_dns_lookups"> Obsolete DNS on/off configuration
+</a> </h3>
+
+<p> The postconf(1) command logs the following: </p>
+
+<ul>
+
+<li> support for parameter "disable_dns_lookups" will be removed; instead, specify "smtp_dns_support_level"
+
+</ul>
+
+<p> Replace obsolete configuration with its replacement: </p>
+
+<blockquote>
+
+<table border="1">
+
+<tr> <th width="33%"> Goal </th> <th width="33%"> Obsolete configuration
+</th> <th> Replacement configuration </th> </tr>
+
+<tr> <td> To disable DNS lookups in the Postfix SMTP/LMTP client
+</td> <td> disable_dns_lookups = yes </td> <td> smtp_dns_support_level
+= disabled </td> </tr>
+
+<tr> <td> To enable DNS lookups in the Postfix SMTP/LMTP client </td> <td>
+disable_dns_lookups = no </td> <td>
+Leave smtp_dns_support_level at the implicit default which is empty, unless
+you need a higher support level such as DNSSEC. </td> </tr>
+
+</table>
+
+</blockquote>
+
+<h3> <a name="xxx_use_tls"> Obsolete opportunistic TLS configuration
+</a> </h3>
+
+<p> The postconf(1) command logs one of the following: </p>
+
+<ul>
+
+<li> support for parameter "lmtp_use_tls" will be removed; instead, specify "lmtp_tls_security_level"
+
+<li> support for parameter "smtp_use_tls" will be removed; instead, specify "smtp_tls_security_level"
+
+<li> support for parameter "smtpd_use_tls" will be removed; instead, specify "smtpd_tls_security_level"
+
+</ul>
+
+<p> There are similarly-named parameters and warnings for postscreen(8)
+and tlsproxy(8), but those parameters should rarely be specified
+by hand. </p>
+
+<p> Replace obsolete configuration with its replacement: </p>
+
+<blockquote>
+
+<table border="1">
+
+<tr> <th width="33%"> Goal </th> <th width="33%"> Obsolete configuration </th> <th> Replacement configuration </th> </tr>
+
+<tr> <td> To turn off TLS </td> <td> <i>xxx</i>_use_tls = no </td>
+<td> <i>xxx</i>_security_level = none </td> </tr>
+
+<tr> <td> To turn on opportunistic TLS </td> <td> <i>xxx</i>_use_tls
+= yes </td> <td> <i>xxx</i>_security_level = may </td> </tr>
+
+</table>
+
+</blockquote>
+
+<h3> <a name="xxx_enforce_tls"> Obsolete mandatory TLS configuration
+</a> </h3>
+
+<p> The postconf(1) command logs one of the following: </p>
+
+<ul>
+
+<li> support for parameter "lmtp_enforce_tls" will be removed; instead, specify "lmtp_tls_security_level"
+
+<li> support for parameter "smtp_enforce_tls" will be removed; instead, specify "smtp_tls_security_level"
+
+<li> support for parameter "smtpd_enforce_tls" will be removed; instead, specify "smtpd_tls_security_level"
+
+</ul>
+
+<p> There are similarly-named parameters and warnings for postscreen(8)
+and tlsproxy(8), but those parameters should rarely be specified
+by hand. </p>
+
+<p> Replace obsolete configuration with its replacement: </p>
+
+<blockquote>
+
+<table border="1">
+
+<tr> <th width="33%"> Goal </th> <th width="33%"> Obsolete configuration </th> <th> Replacement configuration </th> </tr>
+
+<tr> <td> To turn off mandatory TLS </td> <td> <i>xxx</i>_enforce_tls
+= no </td> <td> <i>xxx</i>_security_level = may </td> </tr>
+
+<tr> <td> To turn on mandatory TLS </td> <td> <i>xxx</i>_enforce_tls
+= yes </td> <td> <i>xxx</i>_security_level = encrypt </td> </tr>
+
+</table>
+
+</blockquote>
+
+<h3> <a name="xxx_per_site"> Obsolete TLS policy table configuration
+</a> </h3>
+
+<p> The postconf(1) command logs one of the following: </p>
+
+<ul>
+
+<li> support for parameter "lmtp_tls_per_site" will be removed;
+instead, specify "lmtp_tls_policy_maps"
+
+<li> support for parameter "smtp_tls_per_site" will be removed;
+instead, specify "smtp_tls_policy_maps"
+
+</ul>
+
+<p> There is similarly-named parameter and warning for tlsproxy(8),
+but that parameter should rarely be specified by hand. </p>
+
+<p> Unfortunately, this is more than a name change: the table format
+has changed too, as has the table search process. There is no simple
+conversion of the obsolete form to its replacement. </p>
+
+<h3> <a name="check_relay_domains"> check_relay_domains </a> </h3>
+
+<p> Depending on the Postfix version, the Postfix SMTP daemon logs
+following warning: </p>
+
+<ul>
+
+<li> support for restriction "check_relay_domains" has been removed
+in Postfix 3.9"; instead, specify "reject_unauth_destination"
+
+<li> support for restriction "check_relay_domains" will be removed
+from Postfix; use "reject_unauth_destination" instead
+
+</ul>
+
+<p> This feature was removed because it would relay based on the
+client domain name, which is not robust. </p>
+
+<p> Recommended configuration to prevent an "open relay" problem
+with the SMTP service on port 25:
+</p>
+
+<blockquote>
+<pre>
+main.cf:
+ smtpd_recipient_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unauth_destination
+ ...other restrictions...
+</pre>
+</blockquote>
+
+<p> Or equivalent in smtpd_relay_restrictions. </p>
+
+<h3> <a name="permit_mx_backup"> permit_mx_backup</a> </h3>
+
+<p> The Postfix version 3.9 and later SMTP daemon logs the following
+warning: </p>
+
+<ul>
+
+<li> support for restriction "permit_mx_backup" will be removed
+from Postfix; instead, specify "relay_domains"
+
+</ul>
+
+<p> This feature will be removed because it is too difficult to
+configure recipient address validation, making Postfix a source of
+backscatter bounces. </p>
+
+<p> To specify the domains that Postfix will provide MX backup
+service for, see <a href="STANDARD_CONFIGURATION_README.html#backup">
+Configuring Postfix as primary or backup MX host for a remote
+site</a>. </p>
+
+<h3> <a name="reject_maps_rbl"> reject_maps_rbl</a> </h3>
+
+<p> Depending on the Postfix version, the SMTP daemon logs one of
+the following warnings: </p>
+
+<ul>
+
+<li> support for restriction "reject_maps_rbl" has been removed in
+Postfix 3.9"; instead, specify "reject_rbl_client domain-name"
+
+<li> support for restriction "reject_maps_rbl" will be removed from
+Postfix; use "reject_rbl_client domain-name" instead
+
+</ul>
+
+<p> This feature was replaced because "MAPS RBL" is the name of a
+specific reputation service. The reject_rbl_client feature provides
+a superset of the reject_maps_rbl functionality. </p>
+
+<p> Recommended configuration: </p>
+
+<blockquote>
+<pre>
+main.cf:
+ smtpd_recipient_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unauth_destination
+ reject_rbl_client <i>domain-name</i>
+ ...other restrictions...
+</pre>
+</blockquote>
+
+<p> Where <i>domain-name</i> is the domain name of a DNS reputation service. </p>
+
+<h3> <a name="permit_naked_ip_address"> permit_naked_ip_address</a> </h3>
+
+<p> Depending on the Postfix version, the SMTP daemon logs one of
+the following warnings: </p>
+
+<ul>
+
+<li> support for restriction "permit_naked_ip_address" has been
+removed in Postfix 3.9"; instead, specify "permit_mynetworks" or
+"permit_sasl_authenticated"
+
+<li> restriction permit_naked_ip_address is deprecated. Use
+permit_mynetworks or permit_sasl_authenticated instead
+
+</ul>
+
+<p> This feature was removed because it was easy to get a false
+match when smtpd_recipient_restrictions was intended to match a
+remote SMTP client IP address. </p>
+
+<p> Recommended configuration: </p>
+
+<blockquote>
+<pre>
+main.cf:
+ smtpd_recipient_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unauth_destination
+ reject_rbl_client <i>domain-name</i>
+ ...other restrictions...
+</pre>
+</blockquote>
+
+<p> That is, no restriction on HELO or EHLO syntax. Such restrictions
+ar rarely useful nowadays.
+
+</body>
+
+</html>
../html/CONTENT_INSPECTION_README.html \
../html/DATABASE_README.html ../html/DB_README.html \
../html/DEBUG_README.html \
+ ../html/DEPRECATION_README.html \
../html/DSN_README.html \
../html/ETRN_README.html ../html/FILTER_README.html \
../html/FORWARD_SECRECY_README.html \
../README_FILES/DATABASE_README ../README_FILES/DB_README \
../README_FILES/DEBUG_README \
../README_FILES/DSN_README \
+ ../README_FILES/DEPRECATION_README \
../README_FILES/ETRN_README ../README_FILES/FILTER_README \
../README_FILES/FORWARD_SECRECY_README \
../README_FILES/INSTALL ../README_FILES/IPV6_README \
../html/DEBUG_README.html: DEBUG_README.html
$(DETAB) $? | $(POSTLINK) >$@
+../html/DEPRECATION_README.html: DEPRECATION_README.html
+ $(DETAB) $? | $(POSTLINK) >$@
+
../html/DSN_README.html: DSN_README.html
$(DETAB) $? | $(POSTLINK) >$@
../README_FILES/DSN_README: DSN_README.html
$(DETAB) $? | $(HT2READ) >$@
+../README_FILES/DEPRECATION_README: DEPRECATION_README.html
+ $(DETAB) $? | $(HT2READ) >$@
+
../README_FILES/ETRN_README: ETRN_README.html
$(DETAB) $? | $(HT2READ) >$@
# Increase the verbose logging level. Specify multiple \fB-v\fR
# options to make a Postfix daemon process increasingly verbose.
# .IP "Other command-line arguments"
-# Specify "{" and "}" around command arguments that contain
-# whitespace (Postfix 3.0 and later). Whitespace
-# after "{" and before "}" is ignored.
+# Specify "{" and "}" around command arguments that must start
+# with "{" or that must contain whitespace (Postfix 3.0 and
+# later). The outer "{" and "}" are removed from the input,
+# together with any leading or trailing whitespace.
# SEE ALSO
# master(8), process manager
# postconf(5), configuration parameters
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20240229"
+#define MAIL_RELEASE_DATE "20240305"
#define MAIL_VERSION_NUMBER "3.9"
#ifdef SNAPSHOT
* disable_dns_lookups parameter was documented as deprecated since
* Postfix 2.11 but nothing was logged.
*/
- "disable_dns_lookups", "specify smtp_dns_support_level",
- "lmtp_use_tls", "specify lmtp_tls_security_level",
- "postscreen_use_tls", "specify postscreen_tls_security_level",
- "smtp_use_tls", "specify smtp_tls_security_level",
- "smtpd_use_tls", "specify smtpd_tls_security_level",
- "tlsproxy_client_use_tls", "specify tlsproxy_client_security_level",
- "tlsproxy_use_tls", "specify tlsproxy_tls_security_level",
+ "disable_dns_lookups", "specify \"smtp_dns_support_level\"",
+ "lmtp_use_tls", "specify \"lmtp_tls_security_level\"",
+ "postscreen_use_tls", "specify \"postscreen_tls_security_level\"",
+ "smtp_use_tls", "specify \"smtp_tls_security_level\"",
+ "smtpd_use_tls", "specify \"smtpd_tls_security_level\"",
+ "tlsproxy_client_use_tls", "specify \"tlsproxy_client_security_level\"",
+ "tlsproxy_use_tls", "specify \"tlsproxy_tls_security_level\"",
"lmtp_enforce_tls", "lmtp_tls_security_level",
- "postscreen_enforce_tls", "specify postscreen_tls_security_level",
- "smtp_enforce_tls", "specify smtp_tls_security_level",
- "smtpd_enforce_tls", "specify smtpd_tls_security_level",
- "tlsproxy_client_enforce_tls", "specify tlsproxy_client_security_level",
- "tlsproxy_enforce_tls", "specify tlsproxy_tls_security_level",
- "lmtp_tls_per_site", "specify lmtp_tls_policy_maps",
- "smtp_tls_per_site", "specify smtp_tls_policy_maps",
- "tlsproxy_client_per_site", "specify tlsproxy_client_policy_maps",
+ "postscreen_enforce_tls", "specify \"postscreen_tls_security_level\"",
+ "smtp_enforce_tls", "specify \"smtp_tls_security_level\"",
+ "smtpd_enforce_tls", "specify \"smtpd_tls_security_level\"",
+ "tlsproxy_client_enforce_tls", "specify \"tlsproxy_client_security_level\"",
+ "tlsproxy_enforce_tls", "specify \"tlsproxy_tls_security_level\"",
+ "lmtp_tls_per_site", "specify \"lmtp_tls_policy_maps\"",
+ "smtp_tls_per_site", "specify \"smtp_tls_policy_maps\"",
+ "tlsproxy_client_per_site", "specify \"tlsproxy_client_policy_maps\"",
"smtpd_tls_dh1024_param_file", "do not specify (leave at default)",
"smtpd_tls_eecdh_grade", "do not specify (leave at default)",
"deleted-test-only", "do not specify", /* For testing */
else if ((dp = (const PCF_DEPR_PARAM_INFO *)
htable_find(pcf_depr_param_table, param_name)) != 0) {
vstream_fflush(VSTREAM_OUT);
- msg_warn("%s/%s: support for parameter %s will be removed;"
+ msg_warn("%s/%s: support for parameter \"%s\" will be removed;"
" instead, %s", var_config_dir, conf_name,
param_name, dp->alternative);
}
disable_dns_lookups = no
lmtp_use_tls = no
smtpd_tls_dh1024_param_file = auto
-./postconf: warning: ./main.cf: support for parameter disable_dns_lookups will be removed; instead, specify smtp_dns_support_level
-./postconf: warning: ./main.cf: support for parameter lmtp_use_tls will be removed; instead, specify lmtp_tls_security_level
-./postconf: warning: ./main.cf: support for parameter smtpd_tls_dh1024_param_file will be removed; instead, do not specify (leave at default)
+./postconf: warning: ./main.cf: support for parameter "disable_dns_lookups" will be removed; instead, specify "smtp_dns_support_level"
+./postconf: warning: ./main.cf: support for parameter "lmtp_use_tls" will be removed; instead, specify "lmtp_tls_security_level"
+./postconf: warning: ./main.cf: support for parameter "smtpd_tls_dh1024_param_file" will be removed; instead, do not specify (leave at default)
./postconf: warning: ./main.cf: support for parameter deleted-test-only has been removed; instead, do not specify
-./postconf: warning: ./master.cf: support for parameter smtp_enforce_tls will be removed; instead, specify smtp_tls_security_level
+./postconf: warning: ./master.cf: support for parameter "smtp_enforce_tls" will be removed; instead, specify "smtp_tls_security_level"
msg_info("%s: %s", myname, recipient);
msg_warn("support for restriction \"%s\" has been removed in %s 3.9; "
- "use \"%s\" instead",
+ "instead, specify \"%s\"",
CHECK_RELAY_DOMAINS, var_mail_name, REJECT_UNAUTH_DEST);
reject_server_error(state);
}
if (once == 0) {
once = 1;
msg_warn("support for restriction \"%s\" will be removed from %s; "
- "instead, use \"%s\"",
+ "instead, specify \"%s\"",
PERMIT_MX_BACKUP, var_mail_name, VAR_RELAY_DOMAINS);
}
* Restriction reject_maps_rbl is deprecated as of Postfix 2.1.
*/
msg_warn("support for restriction \"%s\" has been removed in %s 3.9; "
- "use \"%s domain-name\" instead",
+ "instead, specify \"%s domain-name\"",
REJECT_MAPS_RBL, var_mail_name, REJECT_RBL_CLIENT);
reject_server_error(state);
}
} else if (strcasecmp(name, PERMIT_NAKED_IP_ADDR) == 0) {
/* permit_naked_ip_addr is deprecated as of Postfix 2.0. */
- msg_warn("restriction %s has been removed in %s 3.9;"
- " use %s or %s instead",
+ msg_warn("support for restriction \"%s\" has been removed in %s"
+ " 3.9; instead, specify \"%s\" or \"%s\"",
PERMIT_NAKED_IP_ADDR, var_mail_name,
PERMIT_MYNETWORKS, PERMIT_SASL_AUTH);
reject_server_error(state);
projects / thirdparty / postfix.git / commitdiff
